One day last May, employees of Britain’s health service logged on to their computers to make a startling discovery: their data had been encrypted, rendering it inaccessible until and unless they paid a ransom to have it unscrambled and their access to it restored.
They were the first known victims of the WannaCry attack, and in the days that followed the ransomware spread rapidly, infecting more than 200,000 computers in more than 150 countries and creating a global crisis.
As the threat rapidly spread from Europe to Russia to China, a U.S. government team that sits within the Cyber Threat Intelligence Integration Center (more affectionately known in acronym-loving circles as CTIIC) brought the concerning developments to the attention of their director, Tonya Ugoretz. As with all significant threats, she remembers the details well.
“That one started to really get our attention on a Friday,” Ugoretz recently told me. “The team became aware of this as it was unfolding and was immediately in touch with other centers, departments and agencies to try to figure out what we knew, what we didn’t know, and what we, as a whole, assessed was happening and what we were doing in response.”
CTIIC’s most urgent task in this case was to integrate information about the emerging threat quickly, share the details with all of their government partners (which span from the Department of Homeland Security to the National Security Agency) and begin to pull together the analysis that encompassed all of what the government knew about the threat, briefing the stakeholders as they figured it out.
“Throughout the weekend, we were writing updates on the U.S. government’s understanding and what we were doing in response,” said Ugoretz. “That was feeding into various meetings that were being held, called by the White House and others, so that, by Monday morning, as folks were coming back into work, they had that up-to-date, integrated picture of what we knew.”
The mission was a success to Ugoretz for two reasons. The first was that the private sector had shared information with DHS, which, in turn, shared it with CTIIC, and she had gained approval to share it more broadly with the larger intelligence community. That chain of information sharing provided a valuable piece of the puzzle when it came to the question of attribution.
“In terms of the attribution, it’s often a multistage process where, after an incident occurs, we may have an initial suspicion based on limited information of who might be behind an attack,” explained Ugoretz. “But it takes sometimes months more work of collection and analysis to get greater confidence of that attribution.”
It was that information sharing component that Ugoretz credits with helping to bring the analytic community together to determine with high confidence that North Korea was behind the WannaCry attack.
Information sharing has always been a challenge for government, as highlighted in the 9/11 Commission Report. It was the impetus for the creation of the Office of the Director of National Intelligence and the National Counterterrorism Center (NCTC), to ensure better coordination and information sharing across all government agencies. So it’s fitting that CTIIC falls under ODNI: it was not designed to compete with other agencies that have stakes in the cyber realm, but to support them by sharing and coordinating information more quickly.
Ugoretz was working at the National Intelligence Council in 2015 when CTIIC was first imagined, on a portfolio that included transnational organized crime. Her team was also tracking the ways that the cyber environment played into that area. It quickly became obvious to Ugoretz that policymakers were looking for one piece of paper that could tell them what the priority threats were, or – if they were already in the midst of an incident – what the U.S. government was positioned to do about it.
“They knew they could go to NCTC for that on terrorism but, at the time, even though there was great effort going on across the cyber community in the U.S. government, there wasn’t that single integration point that could really bring together all those different lines of effort into one picture of either threats we were assessing or what we were doing in response.”
The actual number of people who work for Ugoretz at CTIIC is classified but is believed to be in the dozens, rendering it a much smaller cousin to its terrorism counterpart at NCTC. But another important distinction is that CTIIC’s success is determined in part by the information sharing of entities that fall outside the U.S. government umbrella: the private sector.
“Cyber is an area where the U.S. government does not have the monopoly of intelligence,” says Ugoretz. “There’s an increasingly capable private cyber security sector who, by virtue of their insight into networks and their clients, have a piece of the puzzle that the U.S. government doesn’t have and because of privacy and civil liberties concerns and how we function as a democracy, the U.S. government won’t have – so that relationship is really critical to how we establish how we are going to share information.”
Going forward, Ugoretz believes that information sharing won’t be able to develop effectively in a purely transactional way; rather, the ways in which leaders think about common threats will dictate a natural need for the government and private sector to work more closely together in real time.
In the three years since Ugoretz took on her role as director, she’s seen nation-states expand their capabilities and, in some cases, their willingness to use cyber operations in support of their objectives.
“To anticipate what we might face from the states that pose the greatest cyber threat to the U.S., we need to look no further than how those states are acting against regional adversaries, such as Russia’s disruption of Ukrainian energy-distribution networks. These regional attacks aren’t just a means of testing technical tools: they’re also a means of gauging international response. It makes me think of the German bombing of Guernica, Spain, in 1937, maybe because I have Picasso’s painting depicting the aftermath of the bombing hanging in my home. At the time, it was an unprecedented purposeful destruction of a civilian population from the air, but it presaged the same type of indiscriminate warfare in WWII,” she said.
Ugoretz holds it up as a reminder to pay close attention to the actions of cyber adversaries against other states. Those actions provide the clues that Ugoretz and CTIIC are seeking about the intent and capabilities of the adversary even if – for now – those capabilities aren’t aimed at the U.S.