Software Engineering Institute

July 26, 2013 - For many government agencies and private-sector firms, keeping up with evolving cyber defense technologies and effective response techniques is an ongoing challenge. Yet, in spite of all their hard work, these organizations often overlook an area of cybersecurity that could give them a real edge in the ongoing struggle to protect their data and other assets. What's missing from many cyber-defense strategies is a capability for anticipating potential sources and methods of attacks. This capability is cyber intelligence. 

"Last year, the Office of the Director of National Intelligence (DNI) sponsored an SEI study on how government, industry, and academia perform cyber intelligence," said the SEI's Troy Townsend (pictured). "Before we could conduct that study, we first had to define what we mean by that term. The SEI defines cyber intelligence as the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities." He added that the purpose of cyber intelligence activities is to offer organizations effective courses of action and enhanced decision making.

Townsend was speaking at the annual Suits and Spooks conference, conducted this year from June 15-16 in La Jolla, California. At the conference, Townsend and SEI colleague Jay McAllister co-presented their research on the state of cyber intelligence. Suits and Spooks brings together members from the 16 agencies in the U.S. intelligence community with experts from a variety of disciplines and organizations in the private sector. Spooks and Suits organizer, the data security firm Taia Global, bills the conference as a forum for frank discussion, challenging perspectives, and collaborative problem solving.

Townsend, a former cyber threat analyst with the Defense Intelligence Agency, now serves as a senior analyst with the SEI's Emerging Technology Center (ETC). The focus of this new SEI unit is to help the SEI's government sponsors stay on the leading edge of technology and to bring innovation to real-world government challenges. 

In his talk at Spooks and Suits, Townsend drew from the ETC's DNI-sponsored report, Cyber Intelligence Tradecraft Project: Summary of Key Findings. Launched in June 2012, the project engaged 6 government agencies and 20 organizations from industry and academia all of whom provided information on their cyber intelligence methodologies, technologies, processes, and training. This baseline data then was benchmarked against a cyber intelligence analytic framework consisting of five functions: environment, data gathering, functional analysis, strategic analysis, and stakeholder reporting and feedback. The aggregated results of the benchmarking led to the report's key findings.

"The prevailing thought on cybersecurity is that hackers cannot be stopped because defenders are disorganized, under-resourced, and unable to identify and analyze key indicators of compromise," said Townsend. "But that doesn't have to be the case." Townsend and fellow ETC senior analyst McAllister both noted that research conducted for the cyber intelligence tradecraft summary indicated organizations are taking action to meet these perceived shortcomings. They outlined what they view as the top five cyber intelligence challenges facing the government today, and also presented the ways in organizations have moved to address these challenges. Citing commentary offered by some of the organizations tapped in the Cyber Intelligence Tradecraft Summary, Townsend and McAllister listed the following top five challenges:

1. "We try to mirror the traditional intelligence cycle." Organizations must overcome stale processes developed in previous eras for a different set of risks.
2. "We consider everything a high-priority threat." Organizations must learn to prioritize threats to a cyber domain in which the impacts of potential threats are not well understood.
3. "Intelligence collection and integration is an absolute mess." Standards must be developed and/or adopted for intelligence collection and integration. These standards must address the prevalence of non-integrated, non-standard intelligence content and delivery approaches.
4. "We hire more and more analysts, but it's not helping." Organizations must learn to make sense of overwhelming amounts of data.
5. "Our cyber intelligence decision makers get their information from CNN." Communicating the importance of "cyber" to leadership removed from the cyber environment or lacking in technical background is often difficult for analysts unused to writing for non-technical audiences.
   

"Last year, the Office of the Director of National Intelligence (DNI) sponsored an SEI study on how government, industry, and academia perform cyber intelligence," said the SEI's Troy Townsend (pictured). "Before we could conduct that study, we first had to define what we mean by that term. The SEI defines cyber intelligence as the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities." He added that the purpose of cyber intelligence activities is to offer organizations effective courses of action and enhanced decision making.

Townsend was speaking at the annual Suits and Spooks conference, conducted this year from June 15-16 in La Jolla, California. At the conference, Townsend and SEI colleague Jay McAllister co-presented their research on the state of cyber intelligence. Suits and Spooks brings together members from the 16 agencies in the U.S. intelligence community with experts from a variety of disciplines and organizations in the private sector. Spooks and Suits organizer, the data security firm Taia Global, bills the conference as a forum for frank discussion, challenging perspectives, and collaborative problem solving.

Townsend, a former cyber threat analyst with the Defense Intelligence Agency, now serves as a senior analyst with the SEI's Emerging Technology Center (ETC). The focus of this new SEI unit is to help the SEI's government sponsors stay on the leading edge of technology and to bring innovation to real-world government challenges. 

In his talk at Spooks and Suits, Townsend drew from the ETC's DNI-sponsored report, Cyber Intelligence Tradecraft Project: Summary of Key Findings. Launched in June 2012, the project engaged 6 government agencies and 20 organizations from industry and academia all of whom provided information on their cyber intelligence methodologies, technologies, processes, and training. This baseline data then was benchmarked against a cyber intelligence analytic framework consisting of five functions: environment, data gathering, functional analysis, strategic analysis, and stakeholder reporting and feedback. The aggregated results of the benchmarking led to the report's key findings.

"The prevailing thought on cybersecurity is that hackers cannot be stopped because defenders are disorganized, under-resourced, and unable to identify and analyze key indicators of compromise," said Townsend. "But that doesn't have to be the case." Townsend and fellow ETC senior analyst McAllister both noted that research conducted for the cyber intelligence tradecraft summary indicated organizations are taking action to meet these perceived shortcomings. They outlined what they view as the top five cyber intelligence challenges facing the government today, and also presented the ways in organizations have moved to address these challenges. Citing commentary offered by some of the organizations tapped in the Cyber Intelligence Tradecraft Summary, Townsend and McAllister listed the following top five challenges:

1. "We try to mirror the traditional intelligence cycle." Organizations must overcome stale processes developed in previous eras for a different set of risks.
2. "We consider everything a high-priority threat." Organizations must learn to prioritize threats to a cyber domain in which the impacts of potential threats are not well understood.
3. "Intelligence collection and integration is an absolute mess." Standards must be developed and/or adopted for intelligence collection and integration. These standards must address the prevalence of non-integrated, non-standard intelligence content and delivery approaches.
4. "We hire more and more analysts, but it's not helping." Organizations must learn to make sense of overwhelming amounts of data.
5. "Our cyber intelligence decision makers get their information from CNN." Communicating the importance of "cyber" to leadership removed from the cyber environment or lacking in technical background is often difficult for analysts unused to writing for non-technical audiences.