On Thursday, September 27, the Atlantic Council hosted a stand-out panel discussion on the history of all-source cyber intelligence. The discussion was moderated by CTOvision editor and Crucial Point LLC founder and CTO Bob Gourley, who also has extensive cyber intelligence experience as the former Defense Intelligence Agency CTO and Director of Intelligence (J2) of Joint Task Force Computer Network Defense (JTF-CND). The panel was filled with a diverse group of cyber and intelligence veterans, each with their own experiences. The panel consisted of Rear Admiral Samuel J. Cox, Director of Intelligence (J2) for US Cyber Command, Matt Devost, President and CEO of FusionX with decades of experience as an intelligence and security entrepreneur, Jason Healey, Director of the Cyber Statecraft Initiative and former Director for Cyber Infrastructure Protection at the White House, and Sean Kanuck, National Intelligence Officer for Cyber Issues.
Gourley opened by explaining that we cannot tell the full story of cyber without its history. He brought up the poignant example of the cyber “wake-up call” that we seem to hear every few years. Willis Ware had been writing about computer security for RAND since the 1960s, and the 1988 Morris Worm was regarded as a cybersecurity wake-up call back in 1988. Policymakers and defenders, however, have been declaring wake-up calls every few years since, including but not limited to 1999 for Solar Sunrise, 2000 for Moonlight Maze, 2009 for Buckshot Yankee, and 2011 for WikiLeaks. Gourley called this phenomenon “cyber threat amnesia” and hopes that events like this will help us learn from our history so that we heed past wake-up calls rather than continuously hitting the snooze button.
As the principal investigator for the Cyber Conflict Studies Association’s cyber history book, Jay Healey has been looking carefully at the history of cyber conflict and intelligence. The national importance of all-source intelligence for cyber has been steadily rising: Bob Gourley, the first person in charge of cybersecurity all-source intelligence, held the position as an O5 in the Navy, while Sam Cox, also present, now holds the same position for Cyber Command as a two-star. Healey also pointed out that we have extensive history to study, and that cyber isn’t as new as many claim, with Cuckoo’s Egg, a cyber attack against a national laboratory, occurring all the way back in 1986, giving us over 25 years of cyber history. Even the term “digital Pearl Harbor,” which politicians regularly predict in the near future, was first used in 1991. In the Air Force, Healey studied air campaigns dating back to the World Wars and learned valuable lessons, but for cyber he found that we dismiss events only a few years old. One important lesson that we can learn from historic cyber attacks is that, despite the sensationalism about attacks occurring at the speed of light, there is plenty of warning before a major attack, as it tends to be tied to a nation state’s campaign. Estonia, for example, had two weeks of advance notice before Russia’s historic attack on their information infrastructure. Another lesson is that, at the national security level, there is no real attribution problem. As major attacks have tended to be part of a national campaign, tracing the precise hackers may be difficult, but it’s usually clear which government you need to call if you want the attacks to stop.
Matt Devost continued with the theme of lessons we can learn from the past. All of the early victories against cyber attacks and espionage came from humans rather than software and algorithms, indicating that we need parallel development for the human angle, not just technical collection. Another lesson learned is on the value of information sharing and collaboration. That means that the government must share more threat information with the private sector rather than just collecting from it. That way, threat awareness becomes common and stops being a differentiator for corporations, who now try to keep it to themselves.
Sean Kanuck, former CIA information warfare analyst and White House intelligence fellow and now the first National Intelligence Officer for Cyber Issues at the Office of the Director of National Intelligence, described what has and hasn’t changed over his time in cyber. Most of the questions we’re still asking, such as what qualifies as use of force and what requires national defense, haven’t evolved in the last 10 to 15 years. What has changed, however, is that such questions have finally reached the level of a national discussion. Cyber is now being debated on the floors of the House and Senate and makes front-page news. As Sean noted, everybody now agrees that the fire alarm is ringing, though some heard it 15 years ago. With that consensus, we are now looking at each other asking where the stairwell might be. Kanuck also commented on the future, saying that we now need to develop strategic-level discourse. To develop cyber strategy, however, analysts must do their homework and learn the history.
Sam Cox spoke last about the historic role of Cyber Command in all-source cyber intelligence. Traditionally, there were four groups dealing with cyber: the operators who maintained the infrastructure and the defenders, who were at a low classification level and had little access to intelligence, as well as the exploiters and attackers, who operated in a highly classified environment and rarely communicated with the others. With Cyber Command, these groups can finally collaborate and share information. RADM Cox also agreed with Sean on warning time, but noted that in order to identify what’s abnormal, we need more insight into our networks so that we know what’s normal. Cox also noted that following the laws of armed conflict in cyber poses a major challenge, as minimizing collateral damage and fratricide is much harder than simply striking like malicious actors.