“Why acquire secrets if you can’t keep them,” asks Jim Richberg, the national intelligence manager for cyber.
To help lock those secrets away, the intelligence community is developing a new, comprehensive cyber posture that will emphasize the improved defense of networks and how the United States can leverage cyber as a national power, Richberg told Fifth Domain during a September interview, acknowledging the posture is still a work in progress.
The posture is one of six pillars for the Intelligence Community’s new strategic vision.
“If you hear about it in public it’s ‘Who’s in charge?’ I think that is a total misnomer,” Sue Gordon, principal deputy director of national intelligence, said during a presentation at the GEOINT symposium in April. “We really have to address the cyber attack and the cyber posturing that is happening to us every day and help this administration figure out the response we need.”
Richberg said intelligence leaders are starting with the defensive posture, in part because the community has now recognized that it needs to do a better job of defending its networks. This means identifying what data the intelligence community cares the most about protecting, what are the vulnerabilities the community must correct and how do intelligence agencies create comprehensive situational awareness of the threats attacking its networks.
Richberg said it wasn’t readily apparent to him that there was a common understanding of what the cyber problem or even the process was.
This led him to devise what he calls Richberg’s simple model of cyber threat intelligence. This differs from the classic model of tasking, collecting, processing, exploiting and disseminating information.
Under his model, once a malicious cyber activity occurs, he posits a series of questions: do analysts or organizations see or detect it, can they collect and make sense of it, can they make actionable reporting and share that with other entities, do others use that reporting and how can they provide feedback within this process?
“If we get better at putting actionable information through the pipeline, that should start translating into greater velocity and actually making the information itself more useful to a broader set of customers,” he said.
Richberg described the second component of the posture as examining how the United States then can position itself for strategic and tactical response. In order to develop offensive measures, it has to start with the same analytic process he described for defending the network. Richberg said this involves a whole-of-government approach in which the only response to a cyber attack is not another cyber attack.
If an adversary is forced to use cyber, it’s probably because that strategy was favorable to them over another, he said.
“Why do you want to couch your response on terrain that’s favorable to them? Play to your own strength. Reserve using cyber for a place and time and purpose of your own choosing,” he added. “if you’re talking about using cyber offensively, talking about using it when it makes sense to you, which is not necessarily in response to something cyber done against you. It’s a tool of national power and use it as such rather than just as something that’s responsive to tit for tat.”