What are the prospects for the Cyber Threat Intelligence Integration Center?

Last week we learned that the federal government plans to create a Cyber Threat Intelligence Integration Center (CTIIC). There is some confusion about the purpose of this agency, especially as it relates to the National Cybersecurity and Communications Integration Center (NCCIC) and the United States Computer Emergency Readiness Team (US-CERT). While I am not a proponent of creating more government agencies, I will explain the rationale behind the new agency. I will also explain why I think the new agency may have a difficult time establishing legitimacy for itself, thereby diminishing its effectiveness.

Concerns about the CTIIC

Commentators have noted the similarity between the new CTIIC and the older NCCIC, founded in 2009. Some may view CTIIC as just the latest in a long line of cyber agencies created by the government. For example, within NCCIC, one finds US-CERT, established in September 2003. The federal government created US-CERT as a partnership between the Department of Homeland Security and the “original” CERT, a government-sponsored unit known as CERT/CC, housed at Carnegie Mellon University. The Defense Advanced Research Projects Agency created CERT/CC in 1988, following the Morris Worm incident.

Each of these units—CERT/CC, US-CERT, NCCIC, and now CTIIC—support cybersecurity by creating information products for government constituents as well as other consumers. The concern with CTIIC, however, is the perception that it duplicates the mission of NCCIC and older units. According to the NCCIC website, the organization “shares information among the public and private sectors” and “is a 24×7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.”

Lisa Monaco, assistant to the president for homeland security and counterterrorism, introduced CTIIC in these terms, at a speech at the Wilson Center: “CTIIC will serve a similar function for cyber as the National Counterterrorism Center does for terrorism—integrating intelligence about cyber threats; providing all-source analysis to policymakers and operators; and supporting the work of the existing Federal government Cyber Centers, network defenders, and local law enforcement communities.  The CTIIC will not collect intelligence—it will analyze and integrate information already collected under existing authorities.”

At the Cyber Security Summit at Stanford University last week, the president also couched CTIIC’s mission with similar language: “Just like we do with terrorist threats, we’re going to have a single entity that’s analyzing and integrating and quickly sharing intelligence about cyber threats across government so we can act on all those threats even faster.”

Differentiating CTIIC from NCCIC

In my opinion, the comments by Monaco and President Obama justify criticism for mission overlap with NCCIC and other centers. Thankfully, Cybersecurity Coordinator Michael Daniels clarified the CTIIC role at a recent meeting of the Information Security and Privacy Advisory Board. Daniels welcomes CTIIC as a means to relieve pressure on his National Security Council staff. They will be free to evaluate and coordinate intelligence, instead of “interpreting raw signals.” Daniels said “there’s a degree of integration that’s occurring on my staff that really should not be occurring. It needs to come into us that way.”

CTIIC will perform that integration, according to Daniels, relying on about 25 permanent CTIIC employees and 25 “detailees” from the intelligence community. Daniels noted “at least in our conception right now, the staffing of the center will be government, because it’s primarily not designed to interact with the private sector on a daily ongoing basis.”

These remarks, combined with a close reading of Monaco’s statements, provide several points for differentiation with NCCIC:

  • First, despite the focus by the administration and Congress on sharing threat intelligence, CTIIC is not designed to interface with the private sector. Unlike NCCIC, whose office space houses representatives from the private sector, CTIIC is a government-only initiative.
  • Second, CTIIC is clearly an arm of the intelligence community, unlike NCCIC, which works within the Department of Homeland Security.
  • Third, CTIIC is an integration office; it doesn’t “collect” information, at least according to the intelligence community definition. Unfortunately, this final point may undermine CTIIC’s capability and perhaps its legitimacy.

A comparison with US-CERT is illustrative. The NCCIC website says that US-CERT “develops timely and actionable information for distribution to federal departments and agencies, state and local governments, private sector organizations, and international partners.” For many years, critics of US-CERT pointed out that the organization did little more than repackage and republish security bulletins produced by private sector entities. Worse, it did so days after the original notifications. This is a common problem with organizations that exist merely to “evaluate and coordinate intelligence.”

More recently, however, US-CERT has worked to deploy and monitor the so-called Einstein program, which is a network intrusion detection and prevention platform, across non-intelligence community, non-Department of Defense federal government networks. The NCCIC website calls this effort the “National Cybersecurity Protection System, which provides intrusion detection and prevention capabilities to covered federal departments and agencies.” As a result of this program, US-CERT has a chance to serve an original and more useful defensive role beyond its “information recycling” reputation. Through direct network visibility and analysis, US-CERT will be in a stronger position to fulfill its intended mission. Accordingly, NCCIC benefits from US-CERT’s growing primary experience and the on-site participation of private sector representatives.

The challenge ahead for CTIIC

Reports indicate that CTIIC is trying to solve a different problem than NCCIC, which could create unique barriers to success for the new center. A Washington Post story indicated, “the Sony incident provided the final impetus for the new center.” Monaco had a key role, asking intelligence agencies about the impact of the incident and the actors responsible. The Post reported the reply: “She got back six views. All pointed to North Korea, but they differed in the degree of certainty. The key gap: No one was responsible for an analysis that integrated all the agency views.”

Monaco eventually tasked the FBI to produce the final attribution report. This process worked because the FBI had the investigatory experience and connections to provide a credible intelligence product that was sufficient to meet the president’s requirements. In the future, writing the final report will likely be the CTIIC’s job.

Given that CTIIC will be a coordinating agency, separated from hands-on analysis duties, I worry that it will lack the legitimacy and perhaps the capability to fulfill its mission. The best way to avoid this fate may be to keep the size of the permanent party members of CTIIC to a minimum and rely on detailees to apply recent analytical skills from their respective agencies. The job of providing sound cyber intelligence products and attribution to the government is important. CTIIC’s leader should learn from the experiences of older agencies to avoid their mistakes and capitalize on their successes.

More TechTank posts available here