Cyber Intelligence-Driven Risk. Richard O. Moore, III
or by controlling access and release of information about their strategy or business processes. The counterintelligence activities are there, but the term or rational connection to that term has not been formally used for cyber activities. We are asking the reader to accept that the CI-DR cyber counterintelligence–type practices are occurring in organizations and to accept our usage of the term as not just a military action or function.
For example, passive cyber counterintelligence measures are designed to conceal, deceive, and deny information to adversaries, whether internal or external. Many businesses today do this by creating shared folders or locations where access is restricted to certain individuals. These folders are created by thinking about the content, the sensitivity, or the regulatory requirements to keep them separate to a select few. However, many businesses have missed the key components of restricting that information by not implementing either concealment or deceptive tactics to protect, restrict, and identify who may be trying to access the information, thereby usually providing a false sense of protection.
Another key objective for formally recognizing and having cyber counterintelligence as part of the CI-DR program is to protect personnel from subversion and acts of hostilities. Again, many organizations have travel security programs for executives and key personnel, implement phishing training and education, have evacuation drills, and provide some type of education for active shooters, etc., but again do not formally embrace the counterintelligence benefit or create formal counterintelligence objectives. An easy formal objective of using counterintelligence could be to protect facilities (i.e. removing signs for data centers or key processing facilities, etc.) and material against sabotage (internal, external, or even competitors). The full measures of counterintelligence can include security of restricted material, personnel security, physical security, security education, communications security, data security, electromagnetic emission security (i.e. Bluetooth, Wi-Fi, NFC, Bonjour, etc.), and censorship.4 The overlooked counterintelligence objective can be useful and provide value to industries such as financial services, manufacturing, utilities, pharmaceuticals, insurance, social media, and many others that are often overlooked as critical infrastructure or social services.
Another key concept we want the reader to understand is that a CI-DR program should not be thought of just as a product, but also as the processes which produce specific needed knowledge in order to make better business decisions. Process activities and capabilities are driven by the need to answer questions that are crucial to both the tactical and strategic interests of the organization or to meet business objectives. A CI-DR program operates in an environment characterized by uncertainty and with it risks that must be understood and reduced by the decision-makers.
NOTES
1 Cyber counterintelligence is a key objective for organizations to have and is built into the CI-DR framework.
2 Using this book can help with building guidelines to help you create a CI-DR program tailored to your organization and help build its charter and boundaries.
3 It is important to identify the formal boundaries for a CI-DR program due to all the interconnective functions and collection methods that a CI-DR program can touch.
4 Organizations and individuals should consider cyber counterintelligence and cyber deception programs if they already have a mature cybersecurity strategy aligned with business objectives.
5 Cyber counterintelligence programs can be tasked with identifying faint digital signals being used in your organization to view information that has been deemed sensitive.
6 A CI-DR program with all of its functions and capabilities can help business leaders gain better decision-making knowledge about running a business today.
NOTES
1 1 US Government, Marine Corps Doctrinal Publication 2-Intelligence, (GAO) 1997.
2 2 Ibid.
3 3 US Government, Marine Corps Doctrinal Publication 2-Intelligence, (GAO) 1997.
4 4 Marine Corps Combat Development Command, Doctrine Division, MCWP 2-14 Counterintelligence, 2 May 2016, https://www.marines.mil/Portals/59/Publications/MCWP%202-6%20W%20Erratum%20Counterintelligence.pdf
CHAPTER 2 Importance of Cyber Intelligence for Businesses
Our knowledge of circumstances has increased, but our uncertainty, instead of having diminished, has only increased. The reason of this is that we do not gain all our experience at once, but by degrees; so our determinations continue to be assailed incessantly by fresh experience; and the mind, if we may use the expression, must always be under arms.
– Carl von Clausewitz, Prussian general
WE READ PREVIOUSLY that the CI-DR™ program has two objectives and a few tasks that create the interactions and the “connective tissue” between both command (leadership) and operations; its primary objective is to support decision-making by reducing uncertainty.1 The traditional intelligence axiom of “knowledge is power” is the goal of the CI-DR program and that knowledge needs to support critical business decisions, specifically in our digital and cyber working environment. As a regularly attending contributor to a few boards of directors and as an advisor to other boards, the one area of concern I continue to identify is that many cybersecurity or IT security programs lack the business risk information with proper analysis when presenting to boards. This analysis and reporting of cyber risk requires the information provided to be articulated for discussion, be clearly understood by business executives, and be able to be debated in business terms with reinforceable facts to support the decisions made. How many readers of this book have been presented with technology vulnerabilities, only to see numbers and not understand the real intent or criticality of the information being presented? A CI-DR program provides businesses with the relevant information needed to make decisions. Do not think of providing vulnerabilities metrics as a negative report, but understand that it needs to be transformed into a report that is informing the business leader that a decision has to be made. That decision can be that we need to update our systems, the technology teams need time to reboot or restore a critical system, or that we will lose revenue due to particular identified compromises in that system. Reporting from cyber metrics to business has to be made clearer to those making decisions, and to those readers who are reporting vulnerabilities. Our CI-DR program cyber intelligence life cycle can be used to support how the functions and capabilities drive decision-making processes. The dissemination portion that produces the reporting or options is done without obfuscation of why those vulnerabilities being reported are important for the business leader to make decisions whether to ignore or action the report. (See Figure 2.1.)
The CI-DR program objectives provide an organization with guidance to assist in building a formal charter for the program, which can build rational processes of how the cyber data enters the life cycle and how analysis processes transform raw data to become “knowledge” and produce appropriate reporting in business terms. There is a ton of reporting being done today around cyber but most of it is done reactively and at the tactical level, meaning no business decisions are being made, and the information being reported is only valuable for use by a chief information security officer (CISO) or chief information officer (CIO) and is only used to make technology risk decisions. While this type of information is still valuable to the technician, as a risk or business leader you can most likely only use these tactical-level metrics and reporting as a way to find key performance indicators. The data or information at this stage in the cyber intelligence life cycle is still raw and provides no indicators of risk or useful information to business leaders.