We hear the word “cyber” thrown around left and right. Its use has flooded the conversation about threats, activities, and opportunities in cyberspace to the point of diminished utility. So, what exactly do people mean when they say “cyber intelligence”? It is useful to distinguish between strategic and tactical intelligence, as well as cyber intelligence for the government versus intelligence for private industry.
Strategic cyber intelligence is “knowledge about cyber adversaries and their methods combined with knowledge about an organization’s security posture against those adversaries and their methods” from which situational awareness and/or actionable intelligence is produced. Notably, this definition covers both cyber attack and cyber defense, and the two are closely intertwined. Astute observers will realize that the definition applies to both government and private sector entities. For the government, cyber intelligence is predominantly aimed at state-backed adversaries, with intelligence concerning private non-state actors closely following. With this intelligence, government organizations can efficiently and effectively shore up their digital defenses. For commercial entities, cyber intelligence concerns attacks emanating from both non-state and state-backed actors with predominantly economic motivations. Private industry likewise uses this intelligence to harden its defenses.
The National Intelligence Strategy defines cyber intelligence as the collection, processing, analysis, and dissemination of information from all sources of intelligence on foreign actors’ cyber programs, intentions, capabilities, research and development, tactics, and operational activities and indicators; their impact or potential effects on national security, information systems, infrastructure, and data; and network characterization, or insight into the components, structures, use, and vulnerabilities of foreign information systems. It further describes the purpose of cyber intelligence as detecting and understanding cyber threats in order to inform and enable national security decision making, cybersecurity, and cyber effects operations. This definition spans both strategic and tactical intelligence and explicitly provides for all-source collection and analysis. It is important to note that human sources (HUMINT) as well as intercepted communications (SIGINT) can provide valuable input to cyber intelligence.
Additionally, INSA provides the following questions for senior leadership to consider when making strategic decisions: 1.) What are the organization’s critical information requirements? 2.) What information about the potential adversary is needed? 3.) What security posture is in place for the organization’s assets of value? The answers to these three questions form the starting point of the strategic planning process.
On the other hand, tactical cyber intelligence is driven by real-time monitoring of systems and networks. Tactical cyber intelligence is data that influences day-to-day decision making. For example, SIEM systems and network traffic monitors serve as sentries that scan network activity, looking for anomalous data that may signify a cyber attack or espionage operation. This intelligence informs the decision making of system administrators and watch officers, who can then take mitigating action. Tactical cyber intelligence for the government and the commercial space is very similar. The main differences are the adversaries faced and their capabilities, as well as the mitigation and defensive measures available for use. Critically, the military and intelligence community maintain the capability for “active defense”, whereas private industry shies away from the practice for fear of legal repercussions.
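To make the SIEM “sentry” role above concrete, here is an added example (not part of the original essay, and not any vendor’s rule syntax) of the kind of correlation logic a SIEM runs to turn raw logs into tactical intelligence: it scans a constructed set of SSH authentication log lines for a burst of failed logins from one source and escalates if that burst is followed by a successful login, producing an alert a watch officer could act on. The log format, threshold, time window and IP addresses are all assumptions chosen for the illustration.

```python
"""Minimal SIEM-style correlation rule: failed-login burst, then success.

Added example for illustration; the log format below is a constructed,
syslog-like shape, not the exact output of any particular sshd build.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. 203.0.113.7 hammers the admin account and
# eventually gets in; 198.51.100.5 is a user who mistyped a password twice.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:02Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:15Z sshd: Failed password for alice from 198.51.100.5
2024-03-01T10:00:04Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:06Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:20Z sshd: Accepted password for alice from 198.51.100.5
2024-03-01T10:00:10Z sshd: Accepted password for admin from 203.0.113.7
"""

# Assumed line format: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources with >= threshold failures inside `window`.

    Severity is 'medium' when the burst alone is seen and 'high' when a
    successful login from the same source follows the burst (the pattern a
    watch officer most wants to see first).
    """
    recent_failures = defaultdict(list)  # src -> timestamps of failures in window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the pipeline
        recent = recent_failures[ev["src"]]
        cutoff = ev["ts"] - window
        recent[:] = [t for t in recent if t >= cutoff]  # expire old failures
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once when the burst is reached
                alerts.append({
                    "severity": "medium",
                    "src": ev["src"],
                    "user": ev["user"],
                    "reason": f"{threshold} failed logins within {int(window.total_seconds())}s",
                })
        else:  # Accepted
            if len(recent) >= threshold:
                alerts.append({
                    "severity": "high",
                    "src": ev["src"],
                    "user": ev["user"],
                    "reason": "successful login after failed-login burst",
                })
            recent.clear()  # a success resets the counter for this source
    return alerts


def run_demo():
    """Run the rule over the constructed sample and return the alerts."""
    return detect_bruteforce(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note the rule is keyed on the source address, so the benign user who failed twice never reaches the threshold and produces no alert; in a real SIEM the threshold and window would be tuned per environment and the alert would be enriched with the strategic-level context (known adversary infrastructure, asset criticality) discussed earlier in the text.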
Some of the top cyber threats that we face today are aimed at small businesses, healthcare facilities, public sector entities, and food services. The principal state threat actors to the United States in cyberspace are Russia, China, Iran and North Korea. Other threats come from terrorist groups like ISIS, Hezbollah and HAMAS. It cannot be overstated that cyber criminals and vandals continue to constitute a voluminous and impactful threat to U.S. cyberspace as they develop increasingly sophisticated tactics, techniques, and procedures. In the future, AI and machine learning will introduce advanced capabilities for cyber operations. Just as AI is used to enhance cyber defenses, AI and machine learning can produce advanced botnets and malware payloads.
State and non-state actors use digital technologies to achieve economic and military advantage, foment instability, increase control over content in cyberspace, and achieve other strategic goals, often faster than our ability to understand the security implications and mitigate potential risks. To advance national objectives, customers increasingly rely upon the IC to provide timely, actionable intelligence and deeper insights into current and potential cyber threats and intentions. Collecting cyber intelligence is therefore essential, especially as these threats are not going away.