Minggu, 21 Oktober 2007

Counterintelligence and the Cyber Threat

Friday I attended an open symposium hosted by the Office of the National Counterintelligence Executive (ONCIX). It was titled Counterintelligence and the Cyber Threat and featured speakers and panels from government, law enforcement, industry, legal, and academic organizations. I attended as a representative of my company because our CSO, Frank Taylor, participated in the industry panel.

If you're not familiar with the term counterintelligence, let me reproduce a section from the OCNIX Web site:

Counterintelligence is the business of identifying and dealing with foreign intelligence threats to the United States. Its core concern is the intelligence services of foreign states and similar organizations of non-state actors, such as transnational terrorist groups. Counterintelligence has both a defensive mission — protecting the nation's secrets and assets against foreign intelligence penetration — and an offensive mission — finding out what foreign intelligence organizations are planning to better defeat their aims.

I also recommend reading the National Counterintelligence Strategy of the United States, 2007 (.pdf) which states:

Our adversaries -- foreign intelligence services, terrorists, foreign criminal enterprises and cyber intruders -- use overt, covert, and clandestine activities to exploit and undermine US national security interests. Counterintelligence is one of several instruments of national power that can thwart such activities, but its effectiveness depends in many respects on coordination with other elements of government and with the private sector.

During the Cold War, our nation's adversaries gained access to vital secrets of the most closely guarded institutions of our national security establishment and penetrated virtually all organizations of the US intelligence and defense communities. The resulting losses produced grave damage to our national security in terms of secrets compromised, intelligence sources degraded, and loves lost, and would have been catastrophic had we been at war.
(emphasis added)

Minor note 1: if we were not at war during the "Cold War," then why is it called a "War"? I believe the people who died fighting would call it a war.

Minor note 2: foreign intelligence services, terrorists, and foreign criminal enterprises are all specific parties. "Cyber intruders" are more often one of those previous parties. Those who perform digital attacks but do not fall into one of those three categories are usually script kiddies or recreational hackers, and should not be explicitly mentioned as counterintelligence targets. My guess is the report considers cyber-instantiated threats to be serious enough to somehow mention explicitly, but not enough intellectual rigor was applied to this sentence (like the Cold War section).

Major note: does the section about penetrating virtually all organizations of the US intelligence and defense communities surprise you? When I attended Air Force intelligence school in 1996-1997, one of our first instructors said:

"Most, if not all of the classified material you will see in your career has already been compromised. However, we have to act as if it's not."

I remembered thinking "What?!?" With hindsight, the more I hear about spies found inside government agencies, the more I understand that statement.

I found the symposium fascinating, so I'd like to share a few thoughts. Dr. Joel Brenner, the National Counterintelligence Executive, provided plenty of noteworthy comments. He said that counterintelligence is not security.


  • A security person sees a hole in a fence and wants to patch it.

  • A CI person sees a hole in a fence and wants to understand who created it, how it is being abused, and if it can be turned into an asset to use against the adversary.


Dr. Brenner said about 140 foreign intelligence surveillance organizations currently target the United States. Three strategic issues are at play:

  1. Threats to sovereign (US) networks, especially in the cyber domain. Dr. Brenner said There is growing acceptance that we face a cyber counterintelligence problem, not a security problem. I agree with this, and will have more to say about it in a future blog entry. He stressed the alteration attack (rather than the disclosure or destrucion attacks) as being the major problem facing US networks.

  2. Acquisition risk, i.e., supply chain risks. Dr. Brenner said we need technically literate lawyers and policymakers to address these risks.

  3. Collaboration, or the lack thereof. Dr. Brenner notes that out current "cooperation model" is a function of our "classification model," resulting in an antiquated system that serves no one well.


One of the most interesting comments was this:

Industry talks risk management but they really do risk acceptance, not risk mitigation.

How true that is!

Chris Inglis, Deputy Director of the NSA and a fellow USAFA grad, used a term I liked with regard to fighting the cyber adversary. He said we need to outmaneuver the adversary, not solve security problems. I love this because it implies "security" can't be "solved," and it provides a reason to review maneuver warfare as a way to counter the adversary.

John McClurg, Vice President for security at Honeywell, described his "validated data" approach to obtaining business buy-in for security initiatives. He collects data to support a security program and presents it to managers as a means to justify his work. This sounds a lot like showing evidence that a business unit is owned or about to be owned. I like this idea and my work with NSM would help provide such data.

Scott O’Neal, Chief Computer Intrusion Section, Cyber Division, FBI, said The adversary is clearly ahead of security. This is a fact we have to accept. This echoes statements I made earlier this year and at other times. The FBI addresses intrusions through three points of view: CT (counterterrorism), CI (counterintelligence) and criminal.

I'll have more to say on this subject in the months ahead.

0 komentar:

Posting Komentar