The White House’s new Cyber Threat Intelligence Center is not duplicating other agencies in government, or stealing resources or responsibilities from them.
Rather, it’s borrowing a successful model from the counterterrorism world that helped close gaps the government realized in the aftermath of the Sept. 11, 2001 attacks.
Lisa Monaco, the assistant to the President for Homeland Security and Counterterrorism, announced Tuesday the creation of the Cyber Threat Intelligence Center (CTIC) based on the National Counterterrorism Center (NCTC) model.
“Currently no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within our government, and supporting the work of operators and policy makers with timely intelligence about the latest cyber threats and threat actors,” Monaco said at the Woodrow Wilson Center in Washington. “The CTIC is intended to fill these gaps. In this vein, CTIC will serve a similar function for cyber as the NCTC does for terrorism — integrating intelligence about cyber threats, providing all source analysis to policy makers and operators and supporting the work of existing federal cyber centers, network defenders and law enforcement communities. The CTIC will not collect intelligence. It will analyze and integrate information already collected under existing authorities.”
Monaco said that over the last few years agencies have gotten better at collaborating across government and with the private sector about cyber threats and vulnerabilities. But internal sharing of cyber information needs more help.
Last summer as the rash of cyber attacks grew in the public and private sectors, the White House created a cyber response group (CRG), which is modeled after the counterterrorism security group.
The CRG convened an interagency group of experts and coordinates all elements of the federal response to a cyber threat.
But Monaco said more can be done, and that’s where the CTIC comes in to complement what other agencies are doing from an operational standpoint.
She said the CTIC’s mission is clear and it will not “perform functions already assigned to other centers. It’s intended to enable them to do their jobs more effectively and, as a result, make the federal government more effective as a whole in responding to cyber threats.”
DNI to oversee new center
The need for the CTIC became clearer over the last year. Monaco said the government is at a crossroads when it comes to cybersecurity — the decisions made today will determine how the nation deals with the cyber threats of the future.
The NCTC model is an obvious one and offers several lessons learned as the White House and the Office of the Director of National Intelligence set up the new cyber center.
“The DNI has authorities under the Terrorism Reform and Prevention Act, that was passed after 9/11, to create intelligence centers specifically for this mission — to integrate and bring all sources of intelligence together,” Monaco said. “As the NCTC does, the CTIC will draw on expertise, intelligence and analysts from other centers and from other government agencies that have a national security responsibility and a cyber responsibility.”
When the Bush administration set up the NCTC in May 2003 as the Terrorist Threat Intelligence Center, it was staffed by what some experts say was a workforce that no one else wanted. Congress codified the NCTC a year later in the Terrorism Reform and Prevention Act, and over time it has turned into a valuable coordinator and provider of information.
While this model worked in 2003 and for counterterrorism information sharing, it’s a much different environment today for cyber.
Few would argue about the need for better sharing of cyber data. But many experts believe the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC) is supposed to promote and coordinate cybersecurity information sharing both internally and externally for the government.
The NCCIC works closely with the FBI and other federal agencies as well as private sector experts such as those from the information sharing and analysis centers.
Monaco said the NCCIC and the new CTIC each will have a key role in the cyber sharing effort.
“Because so much of our critical infrastructure and our infrastructure, period, is in private sector hands, we are relying, in large measure and in significant measure, on information about vulnerabilities and attacks that happen to the private sector,” she said. “So that has a space at least under our proposal, that the President announced last month, which is to say, if you are a company and you find out you’ve been hacked or there has been a breach, provide information to the Department of Homeland Security, to its NCCIC, who is set up to be a network defender and to engage specifically with the private sector. That will then be shared appropriately with the rest of the federal government’s cybersecurity apparatus, to include the new CTIC. CTIC can then pair that private sector information along with classified intelligence and other information we in the government uniquely have. The idea is to get a two-way street going where private sector brings in information, we use it and put it back out.”
The actual process of how these two agencies will work together is unclear. The White House will need to specify this relationship.
The Washington Post reported the CTIC will have a budget of about $35 million and a staff of about 50 people. The NCCIC had a budget of around $12.6 million as of the fiscal 2014 request — the last time DHS specifically highlighted its funding request for the NCCIC.
Response to the White House plan for the CTIC has been mostly optimistic, but most cyber experts want more details.
Christian Beckner, the assistant vice president and deputy director of the George Washington Center for Cyber and Homeland Security, said the CTIC addresses a critical gap in cyber intelligence sharing.
“I do think we need to understand better what is being proposed in terms of what the differences are between cybersecurity related intelligence and counterterrorism related intelligence,” Beckner said. “You have a number of critical differences, most notably the role of the private sector in cybersecurity related information. The private sector is a collector of cybersecurity related threat information, conducts a lot of analysis and is also a target. So that analogy to the NCTC doesn’t necessarily always work as we are thinking about what cybersecurity related intelligence is.”
Beckner, who is a former staff member for the Senate Homeland Security and Governmental Affairs Committee, said the lack of a coordinated approach in terms of assessing cyber threats has been a long-term challenge. He said having a coordinated effort to come to one overarching assessment of either nation state or other criminal organization intentions is more necessary than ever given the destructive and disruptive attacks we’ve seen over the last year.
Other private sector experts also wanted more details, but see promise in this setup.
Sol Cates, the chief security officer for Vormetric, a cybersecurity firm, said to be effective CTIC has to have both a tactical and strategic mission.
“Tactically it has to distribute immediate, timely, actionable information, and strategically provide longer term guidance to help mitigate risks.”
Cates said he would want to know how information sharing will work, including the use of Web application programming interfaces (APIs) to get the information out quickly. He also asked, “Will intelligence come in the form of simple email that is less timely? How effective will the center be at reducing the ‘noise’ of false positive information so that only real threats come through?”
He said all these questions will need answers to be sure that the center is effective.
Jeff Williams, the chief technology officer for Contrast Security, another cyber firm, said he’s less optimistic about the CTIC.
“Fundamentally, it sounds like this agency is supposed to coordinate response in ‘near real time’ when there is an attack. But I can’t imagine how they could possibly gather enough data from private companies, even agencies, to effectively do this,” he said. “I’m not convinced that the proposed liability protection wouldn’t be enough incentive to participate. And if they did figure out how to gather the data, the privacy implications are staggering.”
Williams added he’s not sure how the CTIC will make “software better, reduce the number of attackers, lower the number of breaches, or protect people’s sensitive information. I’m pretty sure that it will endanger privacy, and create even more confusion.”