Feds seek centralized threat analysis with CTIIC

The Obama administration, seeking to increase the quantity and quality of its cyber intelligence and enhance its ability to respond quickly to cyber attacks, will create a new Cyber Threat Intelligence Integration Center (CTIIC). Lisa Monaco, the Assistant to the President for Homeland Security and Counterterrorism, formally announced the creation of the new agency on February 10 during a Director’s Forum at the Wilson Center entitled “Cyber Threats and Vulnerabilities: Securing America’s Most Important Assets.” The new Center will not perform data collection, but instead will aggregate and analyze data collected by the numerous other government entities (and, potentially, private sector firms as well). With this specialized role, the administration is positioning CTIIC as complementary, not duplicative, to existing functions across government that conduct various cybersecurity activities. The new Center will be under the direction of the Director of National Intelligence – an organizational positioning likely driven at least in part by the need to include cyber-attack response within its sphere of operations. No civilian agency (even DHS) holds the authority to launch proactive or reactive attacks against cyber adversaries, but these capabilities both exist and are authorized for the U.S. Cyber Command and other specialized branches of the military and intelligence community.

The potential for “mission confusion” certainly exists in the federal government. There is already a National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security and a National Cybersecurity Center of Excellence (NCCOE) at NIST. The former, like the U.S. Computer Emergency Readiness Team (US-CERT) it manages, focuses its attention largely on security threats and vulnerabilities applicable to the U.S. government, although private sector organizations are certainly able to communicate with NCCIC and benefit from its analysis. The NCCOE, in contrast, serves businesses with information about security solutions leveraging commercially available technology. There are of course numerous programs with a role in cybersecurity and defense — including the FBI, NSA, DHS, DoD, CIA, and other civilian, military, and intelligence agencies.

What seems to be different about the newly proposed center is the intention to address state actors (Monaco specifically mentioned China, Russia, Iran, and North Korea) and non-state-based hacking groups like Anonymous. Historically, private sector organizations have been reluctant to either share threat and attack information with the federal government or to subject themselves to government regulations and oversight. With the notable exception of companies with roles in critical infrastructure sectors like energy and transportation and those in closely regulated industries such as health care and financial services, private sector firms have few federal obligations to publicize anything that happens within their computing environments. Although almost all states have enacted some type of regulation requiring companies to notify individuals if their personal information is compromised in a security breach, these rules generally do not mandate full disclosure of the nature of any successful attacks or the vulnerabilities that were exploited. Monaco noted during her speech that during the Sony Pictures incident, the government quickly shared cyber threat information in the form of attack signatures with private sector firms so that they could update their defenses and, presumably, try to avoid falling victim to a similar attack. The administration clearly would like more communication from the private sector in these areas that it currently gets. A neutral observer might accurately suggest that private sector organizations are likely to reach out to the government and share information only when they have been compromised and need help, but not as a routine preventative defense practice. Not everyone accepts the implied assertion that the government has better or more complete information than private security researchers, but the definitive attribution the administration made in naming North Korea as responsible for the Sony hack seemed to indicate that the government had more evidence to go on than any of the security analysts that came to different conclusions.

During the delivery of her prepared remarks, Monaco offered a simple rationale for the new center: “Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within our government, and supporting the work of operators and policy makers with timely intelligence about the latest cyber threats and threat actors.”

In a Q&A session following the speech, Monaco responded to a specific question from the event moderator regarding recent criticism that the CTIIC is nothing more than another layer of government bureaucracy and is, simply, unnecessary. She reaffirmed the administration’s position that there is a critical gap in current government analytical and information sharing capabilities. The goal for the administration is more complete and more rapidly produced actionable intelligence regarding threats. It remains to be seen whether the Center will be able to overcome the reluctance of individual agencies and programs to hand over their information to the Center, but the administration continually cites the positive example of the National Counterterrorism Center formed in response to the 9/11 attacks.

There is almost unquestionably a logical argument to be made that an existing agency working in the cybersecurity realm – perhaps DHS or NSA – could simply have their scope of responsibility expanded instead of creating a wholly new piece of the federal organization structure. It is far from clear, however, that effecting a change in mission for an existing agency would be any easier to bring about than carving out a newly defined one. For instance, the updated Federal Information Security Modernization Act (FISMA) passed with bipartisan support at the end of 2014 divides security oversight among multiple agencies, giving most operational security responsibilities to DHS. But FISMA only applies to federal executive agencies (not to the legislative or judicial branches of government let alone the private sector) and it also exempts many aspects of military and intelligence operations because it does not apply to “national security systems.” The administration’s take is that coordinated analysis of threat and attack information from all available sources is a crucial but missing piece in the government’s strategy to more effectively address cyber threats.