Tonya Ugoretz, the director of the Cyber Threat Intelligence Integration Center (CTIIC), said the center is maturing to meet the assorted needs of government from senior executives to chief information security officers to program and mission leaders.
“As an integration center, everything we’re doing is in partnership with the rest of the community and that includes our analyses. We are not adding another voice to the many agencies who may publish analyses on cyber threat issues. What we are integrating is the intelligence community’s coordinated assessment of cyber threat issues,” Ugoretz said on Ask the CIO. “Analytically, when decision makers want to know what do we collectively assess is going on, who do we collectively assess is behind something, CTIIC is the one who brings together the community on cyber threat issues to provide that integrated assessment. That doesn’t mean we are watering it down to a lowest common denominator that everyone can agree on. What it means is we bring the community together and we are very clear and transparent about what we can agree on and with what level of confidence. But also importantly what we disagree on and why, and what are the gaps in our understanding that collectively as a community we can address to help us increase our confidence in what we assess.”
Ugoretz said the first year of the CTIIC focused on filling the gaps in the sharing of cyber threat intelligence and building the relationships across government.
President Barack Obama created the CTIIC in February 2015. By September, the center launched its initial efforts with Ugoretz as director and a host of detailees from across the intelligence, Defense and civilian agency communities.
Ugoretz said the CTIIC has been building capacity across its three lines of business:
Building awareness—CTIIC is taking information sharing beyond making sure someone sees the information, to making sure they actually understand what it means. “When we identify new threat information that we feel is significant, we have to ensure we are explaining to customers why we are highlighting it. We do that by working very extensively with our partners in other cyber centers to add context,” she said. “Our analysts anticipate and address those questions on the front end. They really work the phones. They reach out and coordinate with all their counterparts within the community. What we do is build products that address all those questions so we are not only highlighting new threat information, but we’re also saying ‘here’s a way to think about it and here’s how to place it in a broader context so you see where it fits in the bigger story.’”
Integrating analysis—The center is trying to break the habit of looking at cyber information in isolation. Ugoretz said threats and vulnerabilities are best understood if agencies also understand the motivations, intent and capabilities of the cyber hackers. “Our analysts look at working with a very broad community of counterparts in the U.S. intelligence community who look not only at technical information and cyber specific activity, but they also work with regional analysts, leadership analysts and people who understand the geopolitical context in which these state actors are acting and in that way through our analysis, try to give a fuller picture of what’s happening,” she said. The CTIIC also helps coordinate information when the government is responding to a cyber attack. The President’s policy directive 41 issued in July details where the center fits in when the government responds to a cyber incident.
Identifying opportunities—This line of business continues down a similar path as integrating analysis, with the CTIIC broadening the view of a cyber incident. Ugoretz said the center will help the White House and Defense Department understand the options in responding to an attack. “The goal is to help inform decision making so pulling all those inputs together and presenting them in a way that leads to what we call ‘decisionable decisions.’ What’s challenging too in this newer field of cybersecurity is to always have decision makers feel comfortable thinking through what will be the impact of this action,” she said.
As the CTIIC enters its second year, Ugoretz said she has several goals, including ensuring the staff is documenting its processes and that those processes are as effective and efficient as possible.
“We are already thinking ahead because we are a multi-agency center and we do have a proportion of detailees so how do we do succession planning, how do we pass down institutional knowledge and how do we clearly document our processes, and even some of these things that we do and don’t do that we’ve all internalized here, but may not be written down on a piece of paper?” she said. “Another is expanding our ability to reach more customers with our work. Right now as we’ve been growing, we’ve been focusing on doing a version of a product and trying to put that out. But as we build capacity and have more resources in terms of personnel and production and the whole tail that helps support all the important pieces of producing quality analytic products, we want to look at how do we reach other parts of the community who may not have access at their desktops to highly classified information or who work other functional or regional missions that aren’t specifically cyber, but who would benefit from knowing this activity that maybe the actor they follow in another context is doing.”
Ugoretz said the CTIIC did a lot of outreach in year one and will do even more in year two to reach that broader community.
Another second-year priority relates back to PPD 41 and information sharing to make sure the right agencies have the right data to make cyber-related decisions.
Ugoretz said the center also will continue to work on metrics and on a common taxonomy called the cyber threat framework.
“We want to ensure we in the community and hopefully outside the community aren’t using different terminology when we are describing different types of activity by threat actors. Hopefully what that will enable us to do is compare apples to apples and do some meaningful trend analysis over time so that we can see when we do get questions about whether activity is increasing or decreasing or if things are moving in a certain way, we can give really well informed answers to those questions,” she said. “We have counterparts in the Office of the National Intelligence Manager for cyber here at ODNI who have really been the lead within the community and with partners in pushing this concept forward. They are developing a framework that will be available publicly at the unclassified level that hopefully folks can use and I don’t think there’s any assumption that it’s one size fits all.”