Insight by LookingGlass

CTIIC is challenging the assumption of cyber information sharing

Erin Joe, the director of the Cyber Threat Intelligence Integration Center (CTIIC), said the Cyber Threat Framework is creating a common lexicon for agencies to understand and discuss potential and real security threats and vulnerabilities.

The FBI and the Homeland Security Department recently issued an alert that hackers from China were trying to steal research and development related to a treatment for the coronavirus.

The mid-May warning said organizations related to the People’s Republic of China “have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”

Around the same time, agencies across the government held a similar call about another potential cyber threat. Within 15 minutes or so, agencies shared information, understood the dangers and overall had a clear understanding of what they were potentially up against.

This call and the FBI and DHS warning are two of the most recent examples of just how different federal cyber information sharing efforts are today than just five or seven years ago.

Erin Joe, the director of the Cyber Threat Intelligence Integration Center (CTIIC), said she couldn’t offer any insight into the incident at hand, but said the shared approach and the clarity of the discussion were evident immediately.

Joe, who is on detail from the FBI and became the CTIIC director in March 2019, credited the Cyber Threat Framework released in 2012 by the Director of National Intelligence as the reason these calls and alerts have a much greater impact today than ever before. The organization itself started in 2015 under the Obama administration as a way to fill in the gaps of cyber threat information sharing.

“It was amazing to me the progress. People came to the call, prepared to discuss exactly what they were seeing, what they did know and what they did not know in terms of the language and the levels consistent with the cyber threat framework,” Joe said on Ask the CIO, which was sponsored by Looking Glass. “Very quickly, we had a very clear understanding of the incident at hand. So we’ve definitely used the framework and it’s evolved in our ability to use it with clarity and brain speed.”

She added that the framework also lets agencies characterize malicious or suspected dangerous activity in a consistent way, which in turn lets CTIIC and other agencies see trends and the evolution of adversary behavior.

Response time was too slow

Agencies didn’t always start on this common plane when it came to sharing cyber threats.

“Several years ago, when all the various agencies involved would get on this phone call, so that we can get an understanding of an incident, we did not all use the same language,” Joe said. “We did not discuss it in the same way. And at that time, several years ago it would take multiple phone calls before we understood the incident in the same way and before the agencies that had access to critical information understood the questions that they were going to be asked in those calls so that we could increase our response time.”

Joe said the framework also is opening the door to faster decision making.

“I think that’s the encouraging part here is that we’re able to quickly understand in a similar fashion, the things that matter most to decision making, so we can clearly determine is this something we need to provide additional resources to, is this something that’s going to be ongoing for a long period of time, is this going to involve significant cleanup efforts, or is this going to disrupt a victim’s ability to provide services to a wide number of people who are counting on their services. All those questions we are able to answer faster because of the evolution of our use of this framework,” she said.

Getting to this common understanding is becoming even more important as CTIIC is working more and more with non-traditional partners.

Joe said CTIIC is working with sector-specific agencies like FEMA or the General Services Administration, which manages a majority of the buildings for civilian agencies.

“One of the major initiatives this year in government is to make sure that we are including the sector-specific agencies to the greatest extent possible,” she said. “For example, the scenario may involve something along the lines of a cyber event that would then trigger physical consequences as well as cyber effects or consequences. If that happens, then we have so many different layers of agencies to play a critical role. Sometimes we haven’t interacted all that often or frequently. So this gives us an opportunity to figure those things out.”

She said FEMA, for instance, has the lead responsibility for overseeing the federal response when there is a physical event.

“Intelligence components don’t typically work with FEMA on a regular basis in cyber. This is something that’s developing. I’m not saying we never work with them, but FEMA is not a common partner,” Joe said. “So how do we partner with FEMA and make sure that we get the information to them?”

Cyber is not just IT, but OT too

GSA is another example of a non-traditional partner.

“GSA is very concerned about any event that could impede our ability to get into these physical locations that so many of us in government report to work at every single solitary day. But yet CTIIC doesn’t necessarily interact with GSA on a regular basis from an intelligence perspective,” she said. “I need to make sure that we are connected with GSA or FEMA or whomever. We do think of them because they do need to know the intelligence that we know, and how will that intelligence flow and how can we improve that, so that if there were a cyber event that had physical ramifications, we could connect those parts and pieces faster.”

These non-traditional relationships become even more important as agencies face new and more serious threats, especially during the coronavirus pandemic.

Joe said CTIIC continues to see threats against the nation’s critical infrastructure, including the communications and public sectors.

“We can watch what’s happening around the world because if we see something that happens elsewhere we want to learn as much about that as possible so that we can share that here with our country to harden our targets,” she said. “For example, Italy had a cyber event occur in which it affected their Social Security Agency right around the time that their citizens were going to use those services to get COVID-19 benefits. That was something that was in open source that CTIIC took note of and used that information to share with the agencies to say, ‘hey, we need to pay attention. We need to be alert.’”

Additionally, CTIIC is seeing increases in espionage, especially focused on coronavirus research like the FBI and DHS warned against, and the use of ransomware.

“What we see as trends in ransomware are bad actors, criminal actors typically, whether they do or don’t have connections with nation state actors, but there’s certainly criminal actors increasing their attacks against targets they believe are vulnerable and most likely to pay high ransom amounts. Those ransom demands are increasing. We see ransom demands high in the millions of dollars,” Joe said. “The other thing that’s a bit of a twist here is the extortion that’s occurring along with the ransom. So not only are they locking these victims out and demanding ransom, but then they go a step further and they demand additional payments under the threat of releasing information, that they either did steal or ostensibly stole or make the victim believe they stole, out to the public. So that kind of extortion activity gives them yet another way to increase a financial demand. Then finally, there’s ransomware as a service now. So you no longer have to figure out how to conduct your own ransomware attack; you have experts out there that you can hire to do almost any part of that attack for you and share the proceeds. That’s extremely concerning to the U.S. government.”

Two-way sharing is increasing

Joe said the new and long-time relationships are creating the two-way information sharing highway that is needed to keep up with the threats and vulnerabilities.

She said CTIIC is not just a provider of information, but a consumer too.

“One really exciting thing for us is that as an integrator, ODNI has the ability to bring the community together in very important ways. Everybody knows the value of networking and that’s no different in this world, but oftentimes in government, it’s very hard for the practitioners who live in the world of analysis every day to be connected to others across government,” she said. “So one of the things that CTIIC did is we co-hosted one of the first forums that’s ever been done where we brought net defenders and cyber threat intelligence experts and those who make decisions, the industry and government all together for multiple days so we could hear from the cyber threat perspective on the intelligence side as well as on the net defense side.”

Joe added that the turnout and participation were overwhelming, with hundreds of people showing up in person and virtually.

“This was a first of its kind event that I’m aware of in government and, day after day, we had subject matter experts talking about what they’re seeing,” she said. “The other part that I’m so proud of is we challenged our assumptions in government. In cyber, I think it’s so important to remember to challenge our assumptions. It is really healthy and important. After challenging those assumptions we might come up with the same conclusion, but at least we know we’ve examined it carefully.”