Building a Cyber Intelligence Team

New Infosec Discipline Requires Multidisciplinary Skills
Building a Cyber Intelligence Team
The budding discipline of cyber intelligence, a new approach to analyze situational awareness and provide warnings of cyberthreats, requires multidisciplinary skills to succeed, says the editor of a new report about the nascent field.

Terry Roberts, chair of the Intelligence and National Security Alliance's Cyber Council, says lessons on how to build a cyber intelligence team can be learned from an earlier generation. "In the beginning nuclear age, you brought in people with the technical body of knowledge, then your brought people with a body of knowledge on that particular adversary, the culture, the leadership, and you brought it all together so you would have a 360 view," Roberts says in an interview with Information Security Media Group's Eric Chabrow (transcript below).

"We haven't been doing that in the cyber realm," says Roberts, who edited the alliance's paper, Cyber Intelligence: Setting the Landscape for an Emerging Discipline (see Cyber Intelligence: What Exactly Is It?). "Many non-tech folks say, 'Eh, cyber, it's technical, I have nothing to do with it.' When actually, in cyber intelligence, you need analytical kinds of folks, you need people who understand the network environment who have an operational background. ... The beauty is, it's a lot of the skill sets we have, but it's really more about the approach of how do you integrate those skill sets into an end-to-end process."

In the interview, Roberts discusses the:

  • Difficulties of industry to adapt the highly sophisticated approach the federal intelligence agencies employ to share cyber intelligence.
  • Idea of having a third-party entity that can act as a nexus where cyber intelligence can take place between government and industry.
  • Next steps in further defining the dynamics of the cyber intelligence environment and the need for a cyber intelligence discipline.

Roberts is executive director of the acquisition support program/interagency and cyber at Carnegie Mellon University's Software Engineering Instituting, leadings its customer support for the Department of Defense, the intelligence community and the federal government, with a special focus on network security and acquisition in today's cyber environment and architecture areas.

Before joining SEI, Roberts served as the deputy director of Naval Intelligence, where she led, together with the director of Naval Intelligence, more than 20,000 intelligence and information-warfare military and civilian professionals and managed more than $5 billion in resources, technologies and programs globally, working seamlessly with the entire defense-intelligence and Intelligence-Community senior leadership.

Earlier, Roberts served as the director of requirements and resources for the Office of the Undersecretary of Defense for Intelligence, leading the creation, establishment and implementation of the Military Intelligence Program, in partnership with the Director of National Intelligence, the services, the combat support agencies and the Office of the Secretary of Defense.

An intelligence professional since 1979, Roberts has held many senior intelligence positions. In addition, she has directed, conducted, and enabled intelligence operations globally, with much of this work being focused on the requirements, planning, and implementation of intelligence and communications technologies, software and architectures.

Defining Cyber Intelligence

ERIC CHABROW: First off, define cyber intelligence.

TERRY ROBERTS: I think it's important to understand that when we use the word "intelligence," we're really talking about knowledge, not just information, and we're not necessarily talking about something that has to be classified. When we're talking about intelligence as an approach for the cyber arena, it's really about pulling together all the information that we know, processing it, analyzing it and providing unclassified situational awareness and indications of warning to both government and industry.

CHABROW: What in that is not being done now?

ROBERTS: I would say we're very sophisticated on the government side in the classified arena because of all the great work the Department of Defense and the intel community have done over the last decade. But because it's very high-end and highly classified, it's difficult to disseminate that broadly across the U.S. government and then to industry. What we're not doing is really applying those intelligence techniques and trade craft to the unclassified arena. Think about it this way. Ninety percent of the infrastructure in the cyber arena is owned by industry and 90 percent of the information or data, our activities or cyber activity, is in the unclassified arena, but we're not focusing on that realm in a comprehensive, consistent manner so that we can provide unclassified cyber intelligence to all of industry.

CHABROW: How do we get into the situation where we're not doing that? Is it just because of recent developments with major breaches, things like that which have gained attention? Or are there more serious consequences people are becoming aware of?

ROBERTS: I think there are a lot of good reasons. First of all, it's really a realm that has only existed for a decade. We're still trying to understand how it works, how to talk about it, how to think about it and how to approach it. That's really what this paper is starting to do, because the paper is not meant to be the definitive treatise on the subject. It's really meant to sort of talk about the larger landscape and the infestation of cyber threat dynamics and then start to get us to discuss a more private-public partnership approach that we can put in place. It also doesn't exist because there are still some legal and protocol boundaries to working this across industry. It's very physical to share key timely information from government to industry and from industry to government, but I think there are some real initiatives that we can begin to pilot and work so that we can plow through some of these critical well-blocks that are keeping us from making sort of those changes and improvements.


CHABROW: Is there one roadblock that's more serious than others?

ROBERTS: I have an initiative that we've been working that I'm trying to see if we can get some of these issues. For instance, I think the DIB [Defense Industrial Based] pilot worked that DOD, Cyber Command and OSB had been working on with the Defense Industrial Based partners in the great beginning. It's that idea of starting to share information from government to industry and industry to government. That has been an important step, but then it becomes: how do you set that up in a way that it can scale, so that it's 24x7, so that it's online and so that it's not just limited to the Defense Industrial Base but it can actually help the U.S. industry as a whole? And I think the only way you can do that is truly to have a mechanism like a trusted third-party non-profit agent that acts as that interlocutor between government and industry.

And why is that necessary? Because government, it's difficult for them to share classified information and industry is concerned about sharing information about threats on their networks because their corporate reputation is potentially at risk. There will never be complete trust between government and industry in this realm, but I think you can have a third-party entity that can have the trust of both parties, and can be that nexus where this cyber intelligence can take place. Unclassified cyber intelligence, collection of information, processing of information, unclassified and analytics and reporting then can be shared across industry and government.

CHABROW: Now these third-party entities, I assume there could be more than one.

ROBERTS: Absolutely.

CHABROW: Secondly, could they be really profit-making organizations?

ROBERTS: I don't know if they can be profit-making just because if it's seen as a business, as opposed to a service, their motivation may not be trusted. I think it's critical that they be seen as providing a unique, compelling service to a coalition of the willing. The idea is if they become the place that's known where you can share your information and get benefits back to your company or your agency, and that it's the one place where things seem to be coming together, then I think over time you can grow that coalition into a broader partnership.

CHABROW: Could this be industry-based? I mean, could something like the existing ISACs be used and expanded for this purpose?

ROBERTS: To me there are two levels. There is the information sharing mechanism that exists today, the ISAC (Information Sharing and Analysis Center), the DCCC, US-CERT, some of them government, some of them industry that are critical. What I'm more interested in is the value of that information and that's where cyber intelligence comes in. Just sharing information back and forth really may not be providing you the unique and timely insight that you need. This is where you get back to that trade craft that we use in the intelligence community that could be applied to the unclassified arena, where it's really about the "so what" of that information, the combination of all pieces of information and then what does that mean to providing you insight on how you could prepare your networks, what you should be looking for, how you can better protect them, how we can build more resilient architectures. It's about building that body of knowledge as opposed to maintaining a reactive and just very current issue-oriented approach, meaning that we can't get ahead of the game as we've done in many other areas leveraging intelligence trade craft and the geopolitical realm and the scientific and technical realm. This is really about raising that bar in knowledge and insight, and then you could provide that reporting to the ISACs who can then use their information sharing mechanisms to get it out.

The Government's Role

CHABROW: Is there a role for government in this besides just being a model?

ROBERTS: I think there is. Frankly, there's much that the government is working on to get its own capabilities in place to affectively protect its DOD .mil networks and its interagency .gov networks. There's a lot of work that they're doing in that realm. ... What we often do right now in the cyber realm because of the complicated legal issues that result is we often hit brick walls before we even try something. That's why I like piloting approaches with the lawyers so that you can start doing it at a low level, come across the issues that you need to address and see if it's something that can be worked by directive changes or whether you actually need changes in statute. And government setting up these mechanisms and steering groups, I don't think we have enough permanent bodies that work between government and industry to have these discussions, to set these issues and to run combined initiatives.

CHABROW: Would this be something similar to NSTIC, the trusted internet connection initiative that was announced last spring I believe?

ROBERTS: It is. What I hope it would help us to do is to get out of the ... separate initiatives and also so that you have sort of an umbrella over a body of initiatives because they're all related and connected and we're often not seeing those connections because we're working some of these separately. I think it's similar but hopefully it gives you more of that empirical data on the threat environment, so that you make these decisions on how to have a more assured network environment. You're doing it based on a real body of knowledge and real empirical data, as opposed to anecdotal "this is the last attack, now we need to do this." Again that's sort of a reactive cycle so that we never really catch up.

Skills Needed for Cyber Intelligence

CHABROW: What are some of the skills that would be needed to grow cyber intelligence as a field to battle cyber threats?

ROBERTS: That's a great question. It's actually very multi-disciplinary and it's one of the things that I'm most interested in. In some of our next papers that we're working on, which is in the intelligence community, what we often do is we bring in people from different backgrounds to come at a particular problem. In the beginning of the nuclear age, you brought in people with a technical body of knowledge and then you brought in people with the body of knowledge on that particular adversary, the culture, the leadership, and you brought it all together so that you would have a 360 view.

We haven't been doing that in the cyber realm. Many non-tech folks say, "Eh, cyber, it's technical, I have nothing to do with it." When actually, in cyber intelligence, you need analytical kinds of folks, you need people who understand the network environment who have an operational background. You need people who have a technical background to understand the specifics of particular attacks that stir or the fraud approach or sabotage approach that's being used. And those folks together need to be looking at the data, analyzing it and coming up with the "so what," the impact of what it is that they're seeing today and what that means for the future.

The beauty is, it's a lot of the skill sets we have, but it's really more about the approach of how do you integrate those skill sets into an end-to-end process. And I don't think we define an end-to-end cyber intelligence process that talks about defining the threat sectors, talking and writing about the impacts to the environment, pulling together what the data sets exhibit and gives us insights to that activity, talking about where the gaps are in data that we may not have that we could have.

How do you process that in real-time so that it's not man-power intensive, and then how do you run your analytics? Are there tools and approaches that we have out there today but they aren't being integrated? And then what's the end-to-end reporting mechanism that you need to have, spot reports, trend reports, again all at the unclassified level that you can get out to folks?

Next Steps

CHABROW: What happens next?

ROBERTS: My intent in pulling this team together to write this paper was to make the discussion a little more 360-comprehensive higher level, so that brilliant people in government and industry could be coming together to have these discussions. Hopefully, in our follow-up paper and follow-up forums and discussions, we can start to truly define the dynamics of this environment, the need for a cyber intelligence discipline, not just at the classified level but at the unclassified level, and the need to set up the processes and procedures for doing this work and a private-public partnership that could actually be that nexus between government and industry so that we can make marked improvement, as opposed to incremental improvements. We need to get ahead of the threat and we're not going to do that until we have a more comprehensive approach with the right people, with the right skill sets and the right crafts.

CHABROW: Any time frame on this?

ROBERTS: The good thing is this really isn't rocket science. We have a good technical body of knowledge. We have people with this background. We're actually working some pilots right now where we can prove, disprove or refine some of these approaches. I think within a year or two we could actually have the private-public partnership established with the beginnings of an unclassified cyber intelligence approach.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.