President Obama asked the Director of National Intelligence in February 2015 to create the Cyber Threat Intelligence Integration Center (CTIIC). “The CTIIC will be a national intelligence center focused on ‘connecting the dots’ regarding malicious foreign cyber threats to the nation and cyber incidents affecting U.S. national interests, and on providing all-source analysis of threats to U.S. policymakers,” according to the White House press release. “The CTIIC will also assist relevant departments and agencies in their efforts to identify, investigate, and mitigate those threats.”
Since the February announcement, cyberthreat intelligence has become the topic du jour, taking up a respectable share of the schedule at this year’s RSA Conference.
What is cyberthreat intelligence?
The term cyberthreat intelligence surfaced in tech media in 2009-2010, around the same time big data and data mining were becoming buzzwords. Definitions of cyberthreat intelligence abounded, and most were patterned after military-speak. Eventually, the industry settled on descriptions similar to the following two. The first is from Gartner’s Rob McMillan:
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Dave Shackleford in the SANS paper Who’s Using Cyberthreat Intelligence and How? offered a slightly different take:
“The idea behind cyber-threat intelligence is to provide the ability to recognize and act upon indicators of attack and compromise scenarios in a timely manner. While bits of information about attacks abound, cyber-threat intelligence recognizes indicators of attacks as they progress, in essence putting these pieces together with shared knowledge about attack methods and processes.”
The key takeaways appear to be “actionable advice” and in a “timely manner.”
Is the CTIIC needed?
Cyberthreat intelligence is important, we can all agree, but there is some question as to whether the CTIIC will duplicate what an existing agency — the National Cybersecurity and Communications Integration Center (NCCIC) — already does. The following is an overview of the NCCIC’s charter:
“The National Cybersecurity and Communications Integration Center (NCCIC) is a 24×7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.
“The NCCIC shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situational awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions.”
Richard Bejtlich, a well-respected security expert, in his Brookings article What are the prospects for the Cyber Threat Intelligence Integration Center? offers to clarify the government’s position. “While I am not a proponent of creating more government agencies, I will explain the rationale behind the new agency,” he writes. “I will also explain why I think the new agency may have a difficult time establishing legitimacy for itself because of that diminishing its effectiveness.”
To start, Bejtlich explains that NCCIC, US-CERT (a subdivision of NCCIC), and now CTIIC will all support cybersecurity by creating information products for government constituents and other consumers. Next, Bejtlich cites President Obama at a recent cybersecurity and consumer protection summit, “Just like we do with terrorist threats, we’re going to have a single entity [CTIIC] that’s analyzing and integrating and quickly sharing intelligence about cyber threats across government so we can act on all those threats even faster.”
Bejtlich then provides a second source by quoting Lisa Monaco, assistant to the president for homeland security and counterterrorism, during a speech at the Wilson Center:
“CTIIC will serve a similar function for cyber as the National Counterterrorism Center does for terrorism — integrating intelligence about cyber threats; providing all-source analysis to policymakers and operators; and supporting the work of the existing Federal government Cyber Centers, network defenders, and local law enforcement communities. The CTIIC will not collect intelligence — it will analyze and integrate information already collected under existing authorities.”
Due to the acronym overload, please keep in mind that Monaco was referring to the National Counterterrorism Center and not the National Cybersecurity and Communications Integration Center we are discussing in this post.
What makes the CTIIC different?
Having pointed out the similarities, Bejtlich then details the difference between the two agencies, referring to this FCW article in which Adam Mazmanian writes about a recent meeting of the Information Security and Privacy Advisory Board. At the meeting, Cybersecurity Coordinator Michael Daniel said he welcomes CTIIC as a means to relieve pressure on his National Security Council staff, as they will receive finished intelligence instead of raw data.
Mazmanian quotes Daniel as saying, “There’s a degree of integration that’s occurring on my staff that really should not be occurring. It needs to come into us that way. I think that [the Cyber Threat Intelligence Integration Center] will be a great force multiplier in this space.”
At this year’s RSA Conference there was a session called “Gumshoes Part Deux — Security Investigative Journalists Speak Out.” It was an interesting panel discussion featuring several prominent journalists who cover IT security. Of particular note was a comment by Brian Krebs (Krebs on Security), “Failure to share information in a timely way causes a lot of problems.”
Krebs mirrors what President Obama and Ms. Monaco suggest as the reason CTIIC is needed. However, I am curious why creating another government agency is better than re-tasking and adding staff to an existing agency that has most if not all the intelligence pieces in house already.
Bejtlich has an additional concern, “Given that CTIIC will be a coordinating agency, separated from hands-on analysis duties, I worry that it will lack the legitimacy and perhaps the capability to fulfill its mission.”
Note: TechRepublic, CNET, ZDNet, and Tech Pro Research are CBS Interactive properties.