Cyber Threat Intelligence: “The Government Doesn’t Have a Monopoly”

Much as intelligence stovepiping challenged U.S. defenses against terrorism in the lead up to 9/11, it is also an ongoing problem within the U.S. government’s cybersecurity efforts.

During the final day of The Cipher Brief’s annual Threat Conference in Sea Island, Ga., CEO and Publisher Suzanne Kelly spoke with two top U.S. cyber officials.

Tonya Ugoretz heads the Cyber Threat Intelligence Integration Center (CTIIC), the federal lead for responding to significant cyber incidents. CTIIC integrates analysis of cyber threat trends and events and shares it across the U.S. intelligence community to develop options for response.

Marianne Bailey, the deputy national manager of National Security Systems at NSA, is primarily responsible for the protection of critical U.S. government networks, such as those of the Department of Defense.

Tonya Ugoretz, Director of the Cyber Threat Intelligence Integration Center, Office of the Director of National Intelligence

“The government doesn’t have a monopoly on threat intelligence in this space. And so the broader challenge is how do I not only integrate all those varied pieces across the federal cyber community, but also think about how the federal government can partner with the private cybersecurity companies who have that very unique insight that the U.S. government is not going to have. But do so in a way that we protect privacy, protect civil liberties. This is where technology will need to be leveraged so that we can adequately protect, for example, U.S. person information, while also being able to correlate data so that we understand the things that we are seeing in terms of what types of victims are being targeted, what sectors are in our adversaries’ crosshairs, etc.

“Yesterday, when I heard [former director of the National Counterterrorism Center] Matt Olsen describe the post-9/11 paradigm shift that occurred in terms of counterterrorism information sharing across the government, but also outside government, I really foresee a similar paradigm shift when it comes to cyber in terms of how will we approach this information sharing challenge. It would need to be something beyond the transactional information sharing that we engage in when we talk about having the government take a piece of information, downgrade it, and get it to where it needs to go with the proper amount of context to be useful for the network defender. I don’t think that transactional model scales. So how will we need to do this differently between the public sector and private sector to truly partner.

“I look at specific instances where I see the things that we are talking about here on the stage, and the types of relationships we are talking about where they have been successful. One I would like to mention briefly was the WannaCry ransomware attack. This was a case where very quickly after the attack – which had a global impact, almost every country in the world affected – the private sector pretty quickly was able to say with some amount of confidence that they thought North Korean cyber actors were behind the attack. The U.S. government, the U.S. intelligence community, was right there as well, but with a lower confidence, just because we didn’t have the very diagnostic information needed to be able to say that with a higher level of confidence. But it was information from the private sector that really made the difference for us. This is a case where an organization like CTIIC was doing seemingly small things that make a difference in bridging these waters.

“Remember that the WannaCry ransomware had a ‘killswitch’ of sorts where it would call out to a URL and make a decision about whether to activate and spread based on the response. There is a private sector company that had data based on its monitoring of global networks that enabled them to pinpoint the moment the attack started, in what was effectively patient zero in the attack. CTIIC played a role by virtue of our relationship with DHS, having detailed leads from there. We were aware that information had been passed to DHS, and got their permission to pass it to the intelligence community. Ultimately, the intelligence community was able to take that a step farther. That is what yielded the high-confidence attribution that [former Advisor to the President for Homeland Security and Counterterrorism] Tom Bossert himself gave, attributing that attack back to North Korea. That attribution, with the intelligence community’s weight behind it then gives policymakers the option to respond. And that is ultimately their decision. So, there are examples where this works.”
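Ugoretz describes a network-monitoring vendor using its telemetry to pinpoint the moment WannaCry started and its “patient zero.” The script below is an added illustration of that defender-side analysis, not code from the article, CTIIC, or any vendor. It runs over constructed proxy log lines (timestamp, source host, destination host, HTTP status) and assumes a placeholder killswitch domain, `killswitch.example.invalid`, standing in for the real one; a status of `0` is used here to mean the beacon got no response (the domain was not yet registered), `200` to mean a sinkhole answered.

```python
"""
Added example: finding "patient zero" for a killswitch-style beacon in proxy logs.
Not from the article or any named organization; the domain and log lines are
constructed for illustration.
"""
from datetime import datetime
import re

# Placeholder only; not the real WannaCry killswitch domain.
KILLSWITCH_DOMAINS = {"killswitch.example.invalid"}

# Constructed sample log: "<ISO timestamp> <source host> <destination host> <status>"
# status 0 = no response (domain unregistered), 200 = sinkhole responded.
SAMPLE_LOG = """\
2017-05-12T07:41:03Z host-22 cdn.example.net 200
2017-05-12T07:44:17Z host-07 killswitch.example.invalid 0
2017-05-12T07:44:19Z host-07 updates.example.org 200
2017-05-12T07:46:02Z host-13 killswitch.example.invalid 0
2017-05-12T08:02:45Z host-07 killswitch.example.invalid 0
2017-05-12T09:10:11Z host-31 killswitch.example.invalid 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, status = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "status": int(status),
        })
    return events


def killswitch_hits(events):
    """Only requests to the watched killswitch domain(s) are relevant."""
    return [e for e in events if e["dst"] in KILLSWITCH_DOMAINS]


def patient_zero(events):
    """Earliest host seen beaconing to the killswitch: (host, timestamp) or None."""
    hits = killswitch_hits(events)
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    return first["src"], first["ts"]


def infected_hosts(events):
    """Map each beaconing host to its first sighting, in order of appearance."""
    first_seen = {}
    for e in sorted(killswitch_hits(events), key=lambda e: e["ts"]):
        first_seen.setdefault(e["src"], e["ts"])
    return first_seen


def unanswered_window(events):
    """Time between the first beacon and the first answered beacon (None if never answered).

    Beacons in this window got no response, i.e. the killswitch was not yet in place.
    """
    hits = sorted(killswitch_hits(events), key=lambda e: e["ts"])
    answered = [e for e in hits if e["status"] == 200]
    if not hits or not answered:
        return None
    return answered[0]["ts"] - hits[0]["ts"]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("patient zero:", patient_zero(evts))
    print("hosts by first sighting:", infected_hosts(evts))
    print("window before killswitch answered:", unanswered_window(evts))
```

In practice the same logic runs over DNS or proxy telemetry from many sites, which is what lets a vendor with global visibility see the first beacon before any single organization does; the output is an investigative lead, not an attribution on its own.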

Marianne Bailey, Deputy National Manager for National Security Systems, NSA

“I wonder if we are thinking big picture enough when we think about industry and industry’s responsibilities in this space. When we used to talk about supply chain risk management, it used to be asking, where are you buying this chip from? But today we have this global environment and there are very few of our companies that are very truly U.S.-only. Some code is being written somewhere else, or something is being developed somewhere else. And I think we really need to think about that – what are the risks that we are taking by developing these codes in places where it is much cheaper for us to do?

“The other aspect that I have to talk about is disagreeing with people having responsibility themselves. Ok, sure, some people – most of us should know not to click on phishing. But the average population really does not know this and we shouldn’t necessarily expect them to… we have great software that is stopping these things. We need to keep pushing and pushing for that.

“Two weeks ago, we had an increase in over 10,000 phishing attacks [targeting Department of Defense networks], which could have been a result of the sanctions and indictments. But we had mechanisms in place to protect them. So I think a lot of it is sharing that information. I think we do a pretty good job of doing that, but definitely we need to push to do better.”
