Академический Документы
Профессиональный Документы
Культура Документы
ACKNOWLEDGEMENTS
INSA CHAIRMAN
EDITORIAL REVIEW
INSA STAFF
Joe Mazzafro
COPY EDITORS
Beth Finan
Amanda Patino
** Participation on the Task Force/Council or Subcommittee does
not imply personal or official endorsement of the views in the paper
by any members or their respective parent organization(s).
EXECUTIVE SUMMARY
In a September 2013 white paper, The Operational Levels of Cyber
Intelligence, the Intelligence and National Security Alliance (INSA)
proposed definitions for the strategic, operational, and tactical levels of
cyber activity. While there has been much emphasis on tactical cyber
intelligence to help understand the on-the-network cyber-attacks so
frequently in the news, there has been little discussion about the strategic
and operational levels in order to better understand the overall goals,
objectives, and inter-relationships associated with these tactical attacks. As
a result, key consumers such as C-suite executives, executive managers,
and other senior leaders are not getting the right type of cyber intelligence
to efficiently and effectively inform their organizations risk management
programs. This traditionally tactical focus also hampers the capability of the
cyber intelligence function to communicate cyber risks in a way that leaders
can fully interpret and understand.
INTRODUCTION
The flow of intelligence occurs across the strategic, operational, and tactical levels of an
organization. As such, there is no simple demarcation from one level to the next and, as
discussed in the previous INSA white paper, Operational Levels of Cyber Intelligence,
these levels actually overlap in practice. Nonetheless, they provide a useful construct to
aid organizations in directing the appropriate resources and effort toward intelligence
activities that support strategic objectives. This paper will discuss the first, or strategic, level
of intelligence.
There has been much emphasis on tactical cyber intelligence to support the on-the-network
fight, but there has been little discussion about the strategic and operational levels. As
a result, key consumers such as C-suite executives, executive managers, and other senior
leaders may not be getting the right type of cyber intelligence to efficiently and effectively
inform the organizations risk management program. The tactical focus is apparent from the
language used by the U.S. House of Representatives to define cyber threat intelligence as
information in the possession of an element of the intelligence community directly pertaining
to a vulnerability of, or threat to, a system or network of a government or private entity,
including information pertaining to the protection of a system or network... (H.R.3523).
Note the focus on system and network rather than an organizations strategic assets
such as intellectual property, trade secrets, sensitive business information, and other data
that contribute to an organizations competitive advantage, including brand protection. This
traditionally tactical focus also hampers the capability of the cyber intelligence function to
communicate cyber risks in a way that leaders at operational and strategic levels can fully
interpret and understand.
This white paper seeks to demonstrate the centrality of cyber intelligence, specifically strategic
cyber intelligence, to senior leaders risk-informed decision making, ultimately leading to
improved strategy, policy, architecture, and investment.
RSA defines cyber intelligence more broadly as knowledge about cyber adversaries and
their methods combined with knowledge about an organizations security posture against
those adversaries and their methods1 from which situational awareness and/or actionable
intelligence is produced. In RSAs words, actionable intelligence is knowledge that enables
an organization to make decisions and take action.2 The Carnegie Mellon Software
Engineering Institute uses the acquisition and analysis of information to identify, track, and
predict cyber capabilities, intentions and activities that offer courses of action to enhance
decision making3 as its definition of cyber intelligence.
CONCLUSION
The ultimate goal of an organizations strategic cyber intelligence
capability is to reduce risk to the organizations critical mission
and assets of value. To achieve this, organizations must develop
Strategic cyber
and maintain, with the participation of C-suite leaders, information
requirements that orient the intelligence resources to the enterprises
intelligence should
critical mission and business needs. With these in place, the cyber
no longer be solely
intelligence function is positioned to conduct a strategic assessment
of the enterprises threats and vulnerabilities, and to assess potential
the governments
impacts in the event of an incident. These processes enhance the
responsibility.
enterprises understanding of its attack surface, and enable it to
correlate the attack surface with potential threat actors who have
the intent and capability to exploit the organizations vulnerabilities.
In turn, the analysis from this process enables senior leaders to
make informed decisions to proactively defend the enterprises mission and operations. In
addition, for security practitioners, strategic cyber intelligence provides organizations with
the following benefits:
The ability to more effectively assess, quantify the risk to the business, and explain it to
senior management and other key stakeholders
Collaboration and information sharing in a more meaninful manner with members
of law enforcement, defense organizations, the Intelligence Community, and the
information security community of interest at large
Demonstrates an appropriate standard of diligence to auditors, regulators, Boards,
and other stakeholders which should reduce the exposure of the business to regulatory
or legal sanctions
Demonstrates responsible expenditure of security resources by focusing on defending
both what is important to the firm and relevant to the threat.
To succeed in the cyber domain in 2014 and beyond, strategic cyber intelligence will play
a crucial role in defending private companies and government sectors by providing the
necessary intelligence to prevent potential incidents that could cripple our security as well as
our economy.
In the world today, strategic cyber intelligence should no longer be solely the governments
responsibility. To prevent future cyber incidents, the commercial sector, which owns the vast
majority of the cyber infrastructure and the data, must work together with the government
to strengthen cyber intelligence capabilities just as it has historically with other types of
intelligence.
ENDNOTES
Getting Ahead of Advanced Threats. Rep. RSA, The Security Division of EMC, Jan. 2012. Web. <: http://www.emc.com/collateral/industry-overview/cisorpt-2.pdf>.
1
Ibid.
SEI Emerging Technology Center: Cyber Intelligence Tradecraft Project - Summary of Key Findings. Re.p.Carnegie Mellon University. 2013. Web. <:http://
www.sei.cmu.edu/library/assets/whitepapers/citp-summary-key-findings.pdf>.
3
United States. Department of Commerce. Computer Security Division. Special Publication 800-30 Guide to Conducting Risk Assessments. National Institute of
Standards and Technology, Sept. 2012. Web. <:http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf>.
4
United States. Department of Commerce. Computer Security Division. Special Publication 800-39 Managing Information Security Risk Organization, Mission,
and Information System View. National Institute of Standards and Technology, March 2011. Web. <:http://csrc.nist.gov/publications/nistpubs/800-39/SP80039-final.pdf>.
5
Enterprise in this context includes suppliers, partners, and other members of the sector, and of complementary sectors in which the enterprise operates.
The State of Risk-Based Security Management. Rep. U.S. and UK Ponemon Institute, 2013. Web. <http://www.tripwire.com/ponemon/2013/#metrics%20
http://www.tripwire.com/ponemon/2013/#metrics>.
7
U.S. Federal Cybersecurity Operations Team. National Roles and Responsibilities. N.p., n.d. Web. <http://www.americanbar.org/content/dam/aba/
marketing/Cybersecurity/2013march21_cyberroleschart.authcheckdam.pdf>.
8
United States. Government Accountability Office. A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges. N.p., 7 Mar.
2013. Web. <:http://www.gao.gov/assets/660/652817.pdf>.
9
Heuer, Richards J. Psychology of Intelligence Analysis. N.p.: Center for the Study of Intelligence, Central Intelligence Agency, 1999. 70. Psychology of
Intelligence Analysis. Center for the Study of Intelligence, Central Intelligence Agency, Mar. 2007. Web. <https://www.cia.gov/library/center-for-the-study-ofintelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/PsychofIntelNew.pdf>.
10
11
Northcutt, Stephen. The Attack Surface Problem. Security Laboratory Defense in Depth Series. SANS Technology Institute, n.d. Web. <:http://www.sans.edu/
research/security-laboratory/article/did-attack-surface>.
12
United States. Department of the Army. Military Operations. TRADOC Pamphlet 525-7-8. N.p.: n.p., n.d. Cyberspace Operations Concept Capability Plan
2016-2028. TRADOC, 22 Feb. 2010. Web. <http://www.fas.org/irp/doddir/army/pam525-7-8.pdf>.
13
United States. Department of Commerce. Computer Security Division. Special Publication 800-39 Managing Information Security Risk Organization, Mission,
and Information Systems View. National Institute for Standards and Technology, Mar. 2011. Web. <http://csrc.nist.gov/publications/nistpubs/800-39/SP80039-final.pdf>.
14
15
2013 Data Breach Investigations Report. Rep. Verizon Enterprise Solutions, 2013. Web.<http://www.verizonenterprise.com/DBIR/2013/>.
16
If an organizations intellectual property is valued at $1,000,000 and it is estimated that in the event of a breach, 25 percent of the data could be exfiltrated
before detection, and then 25 percent is the exposure factor. Multiplying the value of the asset with the exposure factor yields a single loss expectancy (SLE),
which in this case would be $250,000.
17
Assume that it is determined that the organizations intellectual property will likely be successfully exfiltrated once every six months. This equates to an ARO of 2
(i.e., two events in one year). Therefore, the ALE for this example would be $500,000 ($250,000 x 2 = $500,000). With this value in hand, senior leaders
know they can spend up to $500,000 per year to mitigate the risk of a data breach.
18
ABOUT INSA
INSA is the premier intelligence and national security organization
that brings together the public, private and academic sectors to
collaborate on the most challenging policy issues and solutions.
As a non-profit, non-partisan, public-private organization, INSAs
ultimate goal is to promote and recognize the highest standards
within the national security and intelligence communities.
INSA has over 150 corporate members and several hundred
individual members who are leaders and senior executives
throughout government, the private sector and academia.
To learn more about INSA visit www.insaonline.org.