As I worked through my massive mental backlog of un-shared thoughts, I realized it might first behoove me to share some insight into how I’ve come to think about intelligence in the first place. It’s this basis that underpins how I see the discipline of CTI, so before I go on about why strategic intelligence is important, how to conduct tactical collection, etc., I feel compelled to offer my own perspective.
What is Intelligence?
Many definitions exist for the term intelligence, none of which seem to satisfy my own experiences in leveraging Cyber Threat Intelligence throughout my career. The majority focus on countries and governments, are bound by some technique, and focus on influencing national policy. Although this may be true for nation-states, such definitions are overly narrow for use in a domain that includes the employment of intelligence for – among other things – threats facing businesses. Even in the narrower contexts I’ve found, governments have struggled to properly characterize this term.
Intelligence is the collecting and processing of that information about foreign countries and their agents which is needed by a government for its foreign policy and for national security, the conduct of non-attributable activities abroad to facilitate the implementation of foreign policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure. (Bimfort, 1995)
While his definition addresses a number of deficiencies he observed (including the consistent failure to factor in counterintelligence), it has an undeniably government, and human, slant – no surprise coming from one of the world’s most storied government human intelligence agencies. It’s also quite a mouthful. My experience tells me that simple elegance makes for the most useful definitions. The chronic problem in trying to wrangle a definition of intelligence is perhaps best characterized by the CIA Staff Historian Dr. Michael Warner:
The term is defined anew by each author who addresses it, and these definitions rarely refer to one another or build off what has been written before. (Warner, 2007)
Dr. Warner’s subtext is a challenge to use existing definitions for intelligence, rather than continuously re-inventing them. He goes on to provide a far more comprehensive selection of definitions (including Bimfort’s), selects one, and slightly re-phrases it as follows:
Intelligence is secret, state activity to understand or influence foreign entities. (Warner, 2007)
However well-reasoned this definition was (and it was), it still misses the mark as a broader term upon which Cyber Threat Intelligence can be defined, in my extensive experience. Again, one can easily see that the issue is the scoping of the term to “state activity.”
Lying within many of the attempts I’ve found to define “intelligence” more broadly is a bias toward a particular type of intelligence, and they continue to overwhelmingly focus on geopolitical outcomes. I feel intelligence is broader than this. “Business intelligence” is a good example of one such use of “intelligence” that has nothing directly to do with nation-state objectives. In all the definitions I’ve seen, there seems to be a suggestion that intelligence is interpreted information, and an implication of the use of some form of assessment (or maybe prediction) from this information so as to advance one’s own interests (or those of a group). While that may suffice as a definition for intelligence more broadly, I will not muddy the waters with yet another definition of that word alone. In the end, I feel “intelligence” is too broad by itself to truly capture an art, or discipline. Indeed, I feel it is in the typification of intelligence where the utility of the definition in scoping a field of study is most useful.
Which brings us to “cyber”
Let me make one thing absolutely clear: I have always hated the word “cyber.” I am not alone in this. My former LM-CIRT colleague Dr. Charles Smutz was so frustrated with the egregious use of this prefix, that he expressed his disdain the primary way computer scientists are wont to do – in code: he wrote a tool to calculate the “cyber prefixation score” of a given news article or publication. My own code outlet was in a simple sed script that prefixed cyberevery cyberword cyberwith cybera cybercyber:
Such was my disdain for “cyber,” that in our initial discussions on the topic of developing a class around this je ne sais quoi that was clearly a turning point for information security more broadly, I fought hard to convince SANS’s Rob Lee to adopt “Intel-driven CND” rather than “Cyber Threat Intelligence.” Eventually I caved to Rob’s deeper experience in security more broadly, feeling he was on to something – besides, it was a much more accessible term for practitioners. And so, in 2012 “Cyber Threat Intelligence” was born, and eventually (mercifully, years later) the FOR578 Cyber Threat Intelligence course debuted.
Rob was right. I can’t recall if we explicitly discussed these models and ideas as the emergence of a new type of intelligence analysis, but it became clear in time that that’s almost exactly what it was. In reality, what we were discussing at the time was Cyber Threat Counterintelligence – and this is what most people today are actually speaking of when they talk about CTI. But when one speaks of counterintelligence, it is self-evident there is intelligence as well… whatever that might be.
In any case, it’s clear today that conducting operations to compete over information protection and disclosure in cyberspace (i.e. through the internet) is by its very nature different than other intelligence disciplines. It is, however – by just about any definition – “intelligence.” The only remaining question is how do we articulate all of that?
To the point of a definition
While it may be easy to avoid defining CTI at all, I have seen so many clear manipulations of it by those seeking profit that I am unwilling to let this domain we’ve worked so hard to build be perverted into some unprovably useful (yet highly profitable) bits of useless drivel exploiting that lack of clarity. And while a universal definition of intelligence may forever evade our collective agreement, it is clear that it comes in many forms that are better defined separately. Nevertheless, these forms do carry some common, if undefined, characteristics, approaches and methodologies that transcend these distinctions.
And with all of that finally being said, I offer the following characteristically unconventional definitions:
- I define Cyber Threat Intelligence Operations as actions taken in cyberspace to compromise and defend protected information and capabilities available in that domain;
- I define Cyber Threat Intelligence Analysis as the analysis of those actions and the actors, tools, and techniques behind them so as to support Operations;
- and I define the Cyber Threat Intelligence domain as the union of Cyber Threat Intelligence Operations and Analysis.
This blog will discuss the study of that field, in theory and practice, at every level of abstraction (to be covered in my next post), and any immediately-related topics.
- Bimfort, M. T. A Definition of Intelligence. CIA Center for the Study of Intelligence. 18 Sept 1995. https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol2no4/html/v02i4a08p_0001.htm
- Warner, M. Wanted: A Definition of ‘Intelligence’. CIA Center for the Study of Intelligence. Studies Archives Indexes, vol. 46, no. 3. 8 May 2007. https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol46no3/html/v46i3a02p.htm
(2016-10-02) This post generated some great discussion on Twitter and, in particular, by two of my respected colleagues, Robert M. Lee and Sergio Caltagirone. Sergio states, in short, that “traditional definitions of intelligence are applicable by simply broadening them outside of their state-only constraint,” and a separate definition for CTI isn’t strictly necessary. Robert offers his own (impressively researched and argued) definition: “the process and product resulting from the interpretation of raw data into information that meets a requirement as it relates to the adversaries that have the intent, opportunity and capability to do harm.” We all seem to agree that none of our definitions are exclusive of each other, and are in fact complementary.
While a new definition may not be necessary, as Sergio suggests, I think a simplified clarification is helpful, particularly in making our field accessible to those less familiar with it (or in defending its bounds to those seeking to exploit ambiguity). Both he and Robert include in their definition both the what and the why. For the sake of simplicity and brevity, I deliberately left this out of mine. I hope to cover the subject of why in a future blog post.