The principle of synergy, or the whole being greater than the sum of its parts, dates back to Aristotle and has been reincarnated numerous times throughout history. One of its most famous iterations was recently articulated in a 2006 Harvard Business Review article by business scholar and executive Michael E. Porter as “creating shared value.”
Used in a vast variety of contexts, synergy and shared-value concepts also fully apply to threat intelligence. It is nearly a universal consensus that to be of optimal value, threat knowledge must be shared. Pooling intelligence information will bring governments and industries on par with global threat actors, the latter of which often share tools, tactics, and related data. However, despite the recognized need for operationalized information-sharing, the factors needed to make this counterintelligence tool succeed are being hindered by doctrinal and operational disputes that prevent critical communication among stakeholders.
What Is Threat Intelligence?
Threat intelligence consists of the following critical components:
- Monitoring intelligence sources for notifications, alerts, and early-warning indicators
- Collecting intelligence relevant to the organization’s threat profile
- Identifying threat actors and their tactics, techniques, and procedures
- Communicating with internal and external stakeholders
- Integrating with the IT organizational ecosystem
Failures in communication are weakening the other important components of the cyberintelligence sharing matrix. Not all information sources are available to be monitored, and therefore, not all relevant information is collected. Accordingly, extant threat actors remain unidentified during the identification phase, which results in inadequate information for IT organizations to integrate within their ecosystems, leading to suboptimal security performance. Not all data is being shared, and what is has only been selectively sent to chosen recipients.
In summary, the sharing of relevant intelligence “that is both meaningful and actionable to address the full life cycle of R3 [readiness, response, and resiliency] remains a key challenge . . . even in the midst of an abundance of intelligence-sharing and collaboration initiatives within the security community.” Fortunately, some progress is finally being made on these initiatives to create a cooperative information-sharing environment.
The government and technology industry may soon pool threat information resources, leveraging synergy in its collection and deployment. Both government-industry and industry-to-industry cooperation is developing, and further collaboration remains a top priority.
The Cyber Intelligence Sharing and Protection Act, which was first introduced in February 2011 and initially failed, has been revived in various iterations each subsequent year, including in January 2015. The act is still pending. In February 2015, President Barack Obama signed an executive order compelling the director of national intelligence to create the Cyber Threat Intelligence Integration Center (CTIIC). According to a White House press release, the center focuses on “connecting the dots regarding malicious foreign cyberthreats to the nation and cyber incidents affecting U.S. national interests, and on providing all-source analysis of threats to U.S. policymakers.”
Progress has been slow on the CTIIC as the scope of its authority is weighed. While the bill passed in the House, the Senate has clashed with White House over the National Defense Authorization Act, which removes the cyberthreat-sharing provisions from the proposed law. The CTIIC is a government-only piece of the cyberintelligence-sharing network that also includes the National Cyber Investigative Joint Task Force, whose mission includes maintaining extensive partnerships with the industry, the private sector and the National Cybersecurity and Communications Integration Center, which also includes private-sector participation. The CTIIC is expected to remedy insufficient government resources and promote faster cooperation. Accordingly, its funding is vital to the overall government-industry information-sharing arena.
Before the ink was even dry on February’s CTIIC executive order, experts were questioning whether such a government-industry information-sharing initiative would work. Indeed, there seems to be an implicit “do as I say, not as I do” atmosphere pervading the implementation of shared threat data. According to Infosecurity Magazine, information vendors are jealously guarding their information “to the detriment of the wider community,” even though they and the rest of the technology community say they overwhelmingly support sharing, as CIO Today reports.
A wide array of private-interest alliances, which formed before and during these governmental machinations, are striving to increase the sharing of threat knowledge. Some of these alliances, such as the National Council of Information Sharing and Analysis Centers, aim to “provide users with accurate, actionable, and relevant information” through standardization. These standards include the Structured Threat Information Expression, a language for threat knowledge sharing, and the Trusted Automated Exchange of Indicator Information, a common transport protocol. Both of these were discussed extensively in February during the massive press that surrounded the CTIIC executive order.
However, despite these signs of progress, Enterprise Strategy Group research reported on by Security Week found that only 37 percent of more than 300 surveyed IT professionals actually share internally driven threat intelligence with other companies or Information Sharing and Analysis Centers. Contrast this sharing percentage against 80 percent of respondents in a Symantec survey, who indicated shared information would have helped thwart an attack. While discouraging, perhaps these numbers are just evidence of inevitable growing pains regarding a cooperative risk intelligence environment. The information security community recognizes there is much to gain by creating shared value and participating in a whole that is greater than the sum of its individual threat intelligence parts.