#RSAC: The Changing Work of the Cyber-Threat Intelligence Community

The need for new approaches to improve cyber-threat intelligence was highlighted by Michelle Flournoy, Co-Founder and Managing Partner of WestExec Advisors, and Avril Haines, Office of the Director of National Intelligence (ODNI), in a keynote session on day one of the RSA Conference 2022.

Flournoy began by observing that “we are living in a very different world from when the US intelligence community was designed,” with “the internet and digital revolution impacting every aspect of our lives.”

Haines, who is the first woman to hold the post of ODNI, concurred and described three trends that have changed the work of the intelligence community.

1) Different rules internationally and domestically for collecting information. “If you want to bring together the threat picture, you have to look across the domestic and the foreign threat space,” said Haines. She noted that while the US critical infrastructure is based domestically, adversaries attacking these assets often operate from abroad.

2) Different legal rules: This is particularly the case when comparing a time of conflict compared to peace. She said: “This question of when you shift from one realm to another is important because it gives you additional response options from an international legal perspective.” Haines added this is also important in developing the “rules of the road” regarding what cyber actions are considered hostile acts.

3) Public-private distinction: A major challenge for federal intelligence agencies is that much of the US critical infrastructure is run by private companies. This makes protecting it more complex, meaning the government needs to ramp up its collaboration with the private sector in really “intense” ways, according to Haines.

Flournoy pointed out that emerging technologies and innovation in cybersecurity were creating opportunities in this field. Despite this, Haines believes it is still getting harder to protect against threats. She noted that we still do not know how to “prevent intrusions into sophisticated networks.”

In addition, Haines explained that there had been a surge in sophisticated threat actors – both nation-state actors and transnational cyber-criminal gangs. Another significant challenge with cybersecurity is maintaining privacy and civil liberties amid growing data availability.

The discussion then moved on to the role and importance of partnerships in the intelligence community. Haines said improvements have been made by federal agencies in this area, but “there is enormous work still to be done.” One key aspect is providing threat intelligence data to potential victims in real-time, allowing them to respond quickly. This is an area agencies like the Cybersecurity and Infrastructure Security Agency (CISA) are improving at, according to Haines.

Another is providing attribution information about specific attacks to foreign partners so they can “come out and say something about it.” Additionally, it is vital for the government to work with industry and academia, where there are huge amounts of knowledge and analysts. “We can stand to learn a lot from others,” she acknowledged.

Flournoy also asked Haines about relevant lessons learned from the cyber dimension of the Russia-Ukraine conflict. Encouragingly, in this war, the “degree of sharing that we have done during this whole process has been extraordinary,” including cyber. This began in the build-up to the conflict, where there was much initial skepticism about Russia invading Ukraine. “We learned a lot in that process and developed mechanisms for sharing,” added Haines.

What’s Hot on Infosecurity Magazine?