Today comes the announcement of the new Cyber Threat Intelligence Integration Center. Its reported mission: sharing intelligence and coordinating responses to major attacks. If this sounds familiar, it’s because we’ve done this before. It was called the NIPC, and it was started in part because the U.S. had suffered a rash of major computer security incidents and inter-governmental coordination and response had been found lacking. NIPC was widening a trail blazed by InfraGard, but because it was designed, built and staffed by bureaucrats (in the best possible use of the word), the promise of the idea never lived up to reality.
NIPC didn't last long. Originally housed and hosted by the FBI, it got punted to DHS and eventually devolved as other agencies amped up their own cyber security awareness and capabilities.
NIPC wasn't the only activity designed to improve the sharing of information and establish relationships to help deal with cyber threats. ISACs were formed about the same time as the NIPC. DOD-centric organizations have the DCISE. All of these efforts have a couple of things in common that preclude their being runaway successes:
- Bureaucracy. This is the government. It can’t be helped. But guess who doesn't operate like a bureaucracy? The bad guys.
- Borrowed Labor. Any “community” activity has to be staffed by people from elsewhere. People from places with their own agendas.
- Competing Mindsets. Spooks are going to want to wait and watch; cops are going to want to collect and prosecute. Industry – if they will even be allowed to participate in any meaningful way – just wants the pain to stop. What do we do? Whatever the person in the room with the most political juice that day says to do.
- It’s an Intelligence Activity. CTIIC is an ODNI baby. In case you haven’t been paying attention, U.S. intelligence agencies are not exactly high on everyone’s trust list (fair judgement or not). You know what intelligence activities don’t do very well? Share. They never have and, press releases notwithstanding, they never will. They’re intelligence agencies. That's not an indictment, simply a statement of fact.
I am eternally optimistic, but there is nothing to indicate that CTIIC is going to have any less dismal an end than NIPC. What could improve our national awareness of and response to digital threats?
- Non-governmental leadership. You can point to attacks against governmental agencies, but the main victims here are in the private sector. The Air Force doesn't make F-35s; the Army doesn't make M1 tanks. Far more of this nation’s treasure has been lost to various adversaries over .com than .mil or .gov.
- A non-threatening home. Commerce, for example. An FFRDC if you must. As long as it is an intelligence activity it will always be viewed with suspicion (merited or not) and it will always do anything but share.
- Light-weight. We’re talking about data. Data that should be as accessible to as many people as possible as quickly as possible. Data goes in - validate, deconflict, anonymize, format - data goes out. There should be far more CPUs than humans in this activity. Like, in ratios you find in data centers.
- Unclassified. If not, what’s the point? Only companies with a representative who can pass a poly are worth talking to? No one is attacked in isolation. Attackers share, beg, borrow and steal code, tactics, techniques and procedures. They don’t have classification because it would impede their ability to kick our ***es. If you’re not sharing with entire markets, with the full vertical, you’re basically the “cyber” equivalent of an anti-Vaxxer, and promoting all the evils that will befall the community through your actions.
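The "data goes in - validate, deconflict, anonymize, format - data goes out" activity sketched above, as an added example that is not from the original post: a small Python pipeline that runs constructed indicator submissions from three made-up member organizations through each of the four stages named. The organization names, indicators, timestamps and the HMAC key are all constructed for the example; the point is that every stage is plain data handling a machine can do at scale, and that the output tells consumers how many independent reporters agree on an indicator without revealing who was hit.

```python
import hashlib
import hmac
import ipaddress
import json
import re
from datetime import datetime

# Constructed sample submissions from three hypothetical member organizations.
# 203.0.113.0/24 is an RFC 5737 documentation range, used because the data is made up.
SUBMISSIONS = [
    {"source": "Acme Bank", "type": "ipv4", "value": "203.0.113.7", "seen": "2015-02-10T12:00:00Z"},
    {"source": "Beta Utility", "type": "ipv4", "value": "203.0.113.7", "seen": "2015-02-11T08:30:00Z"},
    {"source": "Acme Bank", "type": "domain", "value": "Evil.Example.NET.", "seen": "2015-02-10T12:05:00Z"},
    {"source": "Gamma Retail", "type": "ipv4", "value": "999.1.1.1", "seen": "2015-02-09T00:00:00Z"},  # malformed
    {"source": "Gamma Retail", "type": "domain", "value": "bad domain", "seen": "2015-02-09T00:00:00Z"},  # malformed
    {"source": "Beta Utility", "type": "ipv4", "value": "10.0.0.5", "seen": "2015-02-11T09:00:00Z"},  # internal address
]

# Ranges a sharing hub should never republish as "attacker infrastructure":
# they only mean something inside the submitter's own network.
UNSHAREABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def validate(sub):
    """Step 1: reject malformed or unshareable records, normalise the rest. None means rejected."""
    try:
        datetime.strptime(sub["seen"], TIME_FMT)
    except (KeyError, ValueError):
        return None
    kind, value = sub.get("type"), sub.get("value", "")
    if kind == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            return None
        if any(addr in net for net in UNSHAREABLE_NETS):
            return None
        value = str(addr)
    elif kind == "domain":
        value = value.strip().lower().rstrip(".")  # canonical form so duplicates collide
        if not DOMAIN_RE.match(value):
            return None
    else:
        return None
    return {"source": sub["source"], "type": kind, "value": value, "seen": sub["seen"]}


def deconflict(records):
    """Step 2: merge the same indicator reported by several members into one entry."""
    merged = {}
    for r in records:
        key = (r["type"], r["value"])
        entry = merged.setdefault(key, {"type": r["type"], "value": r["value"], "sources": set(),
                                        "first_seen": r["seen"], "last_seen": r["seen"]})
        entry["sources"].add(r["source"])
        # All timestamps share one fixed format, so string comparison orders them correctly.
        entry["first_seen"] = min(entry["first_seen"], r["seen"])
        entry["last_seen"] = max(entry["last_seen"], r["seen"])
    return list(merged.values())


def anonymize(entry, key):
    """Step 3: replace member names with keyed pseudonyms. Consumers learn how many
    independent reporters agree; only the hub (holder of the key) can map back."""
    pseudonyms = sorted(hmac.new(key, s.encode(), hashlib.sha256).hexdigest()[:12]
                        for s in entry["sources"])
    return {"type": entry["type"], "value": entry["value"],
            "reporter_count": len(pseudonyms), "reporters": pseudonyms,
            "first_seen": entry["first_seen"], "last_seen": entry["last_seen"]}


def format_out(entries):
    """Step 4: one JSON object per line, sorted, ready for bulk distribution."""
    ordered = sorted(entries, key=lambda e: (e["type"], e["value"]))
    return "\n".join(json.dumps(e, sort_keys=True) for e in ordered)


def run_pipeline(submissions, key=b"constructed-demo-key"):
    """Data in, data out: validate -> deconflict -> anonymize. Returns the shareable entries."""
    valid = [v for v in (validate(s) for s in submissions) if v is not None]
    return [anonymize(e, key) for e in deconflict(valid)]


if __name__ == "__main__":
    print(format_out(run_pipeline(SUBMISSIONS)))
```

Run as a script it prints two JSON lines: the IP reported by two members (with two pseudonymous reporter ids and the earliest and latest sighting), and the normalised domain reported by one. The two malformed records and the internal address are dropped at validation, and no member name appears anywhere in the output.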