The NCTC and cyber threat intelligence: the limits of analogy
White House Homeland Security Advisor Lisa Monaco made a speech on Tuesday at the Wilson Center announcing plans to establish a new Cyber Threat Intelligence Integration Center (CTIIC), conceived explicitly to play the role with respect to cybersecurity that the National Counterterrorism Center (NCTC) plays in the counterterrorism domain, and serve as the principal integrator of all-source intelligence on cybersecurity threats. The White House has not yet released its formal memorandum announcing the CTIIC, but additional details on it are available in stories in the Washington Post and Federal Computer Week, and CCHS Senior Fellow Ron Marks wrote a post on it yesterday.
My initial reaction to this proposal is one of caution and uncertainty, in large part because of the inherent limits in making an analogy between counterterrorism-related intelligence and cyber threat-related intelligence. While there are some areas of commonality, the following four differences are significant:
1. A primary motivating factor for the creation of the NCTC was to establish an entity that would bridge the domestic-foreign divide, as the 9/11 Commission clearly explained in Chapter 13 of its report. There is a different kind of domestic-foreign divide in cyber threat intelligence, but it is as much a function of technology as it is of law: cyber threat actors' use of proxy servers, anonymity networks, and related tools makes it increasingly difficult to determine whether a cyber attack originates from within the United States or from another country.
2. The collection, analysis and dissemination of counterterrorism-related intelligence is primarily a government function, carried out by agencies such as the CIA, FBI, NSA, DHS, and others. The private sector role in this process is limited, and a large share of analysis is produced at the TS-SCI level. By contrast, in the cyber domain, private sector companies play a very significant (arguably co-equal) role alongside the government in the collection, analysis, and dissemination of cyber threat-related information, and often release their findings publicly and in great detail.
3. Counterterrorism-related intelligence efforts are primarily focused on the disruption and prevention of terrorist attacks. Cyber threat intelligence efforts are focused partially on the disruption and prevention of cyber attacks, but they also address post-cyber incident requirements to support response, mitigation and attribution.
4. Counterterrorism-related intelligence is focused on finding the limited number of meaningful data points within a vast sea of data: the so-called “signal to noise” challenge. By contrast, in the area of cybersecurity-related intelligence there is a much greater “signal” of potential threats, given the hundreds of thousands of cyber incidents taking place each day. The challenge is thus transformed from “signal to noise” to “signal overload” – what should be prioritized when there are thousands of potential threats each day?
Given these distinctions between the two domains, any decision to establish an “NCTC for cybersecurity” needs to be carried out carefully, with the new CTIIC organized and staffed in a way that adopts the most relevant attributes of NCTC (e.g. its access to all relevant terrorism-related intelligence, and its role in developing and coordinating finished intelligence products for senior policy makers) but is also different in critical ways.
For example, given the role of the private sector in cyber threat analysis, CTIIC may want to consider finding creative ways to integrate private sector and other non-governmental analysts into its activities. And CTIIC should strive to operate at a lower default level of classification than NCTC does, given the private sector’s critical role in cyber threat intelligence.