Information vs Intelligence
In 2002, I led one of the FBI’s first cyber intelligence cases. Note the word intelligence.
Financially motivated hackers were on the rise and credit card account takeovers were dominating the news. A plan was developed that involved having a group of agents, with the help of sources both in and out of jail, infiltrate the online marketplace for stolen data. We had special offices, worked special hours and were given the ability to buy stolen data and report it to the victim companies. We were under extreme oversight by FBIHQ and DOJ.
Our focus was international hacking groups: where they were based, how they communicated and how they profited.
For the FBI, an agency that was 99% reactive in its approach to addressing crime, this was cutting edge because of the goal of the operation.
Our case, call it AC, was not designed to find and arrest the hackers. It was an intelligence operation.
The mission was to identify and understand. The intelligence gathered would later be used by other groups both with the FBI and at other agencies to seek indictments and effect arrests, but our names were never to be attached to that intelligence.
During the operation we quickly learned the difference between information and intelligence. Information leads to intelligence but it is not the same thing.
Intelligence requires active and ongoing analysis and understanding: what each interaction means and how it connects to a larger picture based on the information collected. But the larger picture is only part of it; the smaller picture, as in how each victim industry is impacted, is equally important.
Intelligence comes with a “So What Factor.” It identifies why one group should be concerned while another might not be concerned. Some call this “actionable intelligence” but I disagree because intelligence does not always require an action be taken. In fact, often it requires that you sit still and wait.
The intelligence from our operation was instrumental in making cases against a number of international hackers.
I share this because of the near daily inundation of cyber threat discussions and the recent focus on information sharing.
Information is not Intelligence and Information Sharing is not Intelligence Sharing.
Don’t get me wrong, there is a need for raw information but most are not equipped to deal with “raw” data. It’s a wo/man-power and skill set issue.
It appears that many of the information sharing groups/firms simply provided regurgitated versions of data provided from various sources. There is little focus on making it industry specific. Nor is there focus on making the information understandable or usable.
If there is intelligence shared it is overarching, dulled and scatter-shot. It is not audience specific.
The focus seems to be on “look how good we are, we found a new exploit/vulnerability/glitch in a system.” The why should we care, or what should we do, or even who this really impacts is often lost in the race to say we found it first and everyone should be afraid of it.
It’s time we shift the focus and by we, I mean private companies and not governmental agencies.
No company in their right mind is ever going to say “Use us because we are more secure than them.” An announcement like that guarantees an onslaught of attacks.
Equally, pooling resources and open sharing will also never happen. Companies will not expose themselves in that way. Putting aside the potential reputation and commercial harm of disclosure, the regulatory risk is enormous.
What is needed are intelligence sharing groups. The group members should be publicly known but the data provided does not track back to them. The groups should be industry focused and limited. There needs to be a third party responsible for the collection, analysis, and distribution control that has no vote in membership. And data distribution has to be highly controlled and tracked.
Only when companies have anonymity to provide and receive true intelligence in return with no regulatory risk, will intelligence sharing be an effective tool in addressing cyber concerns.
Full disclosure: These are my opinions and may not be those of my employer. Also, I have been working on creating the third party business tasked with collecting, cleaning, analyzing and distributing intelligence for Intelligence Sharing Groups. Reception of the idea has been great but adoption is weak. “I’ll only do it if X, Y and Z do it.” Not sure if it’s misery loves company or fear of finding out what they don’t know. Time will tell.