1 1 International Electrotechnical Commission, Risk Management – Risk Management Techniques, 2009–2011, www.iec.ch/searchpub 2 2 Financial Services – Information Sharing and Analysis Center, 1999, located on the internet at https://www.fsisac.com/who-we-are 3 3 SEC memo CHAPTER 1 Objectives of a Cyber Intelligence-Driven Risk Program Knowledge must become capability.
– Carl von Clausewitz, Prussian general
ANY FRAMEWORK, methodology, or process has to have objectives and outcomes. The CI-DR™ program strives to achieve two objectives. First, the program provides accurate, timely, and relevant knowledge about cyber adversaries and the digital environment in which it operates. Adversaries within the cyber ecosystem are internal or external. An internal cyber adversary could be an employee, contractor, or someone with an objective and the physical or logical access to information otherwise not known to the public. External cyber adversaries include malicious actors, nation-states, competitors, or even outsourced platforms or processing environments and those employed or influenced there. To achieve the first objective of the CI-DR program, there are four tasks that are required to be performed. First, the program must evaluate the existing cyber conditions, cyber risks, and potential operational losses from cyber events and incidents while taking into account the many internal or external adversarial capabilities holistically. Second, based on existing cyber conditions and cyber capabilities, the program estimates possible cyber adversarial courses of action and provides insight into possible future actions. Third, the program aids in identifying vulnerabilities that could be exploited by adversaries and the operational impact it can have on the organization. Fourth, the program and the “knowledge” created assists in the development and evaluation of the organization's courses of action for decisions based on the first three tasks. The second objective of the CI-DR program is to protect organizations, through cyber counterintelligence activities, intending to deny adversaries valuable information about an organization's situation. These two objectives demonstrate how the CI-DR cyber risk programs support both the exploitative and protective elements necessary to operate in today's digital economy and infrastructure. The program aims to create timely and meaningful images of the situation confronting the decision-maker. CI-DR is the analysis and synthesis of information into knowledge. CI-DR cyber intelligence is “knowledge” that is distinguished from information or data, in that few pieces of information speak for themselves conclusively but must be combined and compared with other pieces of information, analyzed, evaluated, and given meaning.1 Good cyber intelligence does not simply repeat the information that a source may reveal. Rather, it develops this raw material in order to tell us what that information means and identifies the implications for decision-making.2 The two objectives of the CI-DR program are created with simplicity that establishes the boundaries for how the program will operate and the areas in which it will collect information to provide value back to the organization's decision-makers. Additionally, the objectives provide executives and directors with a high-level understanding about what the program goals are, how they can be leveraged, and how they are connected with business leadership, and ultimately what analysis can be expected to support business objectives. The four tasks associated with the first objective provides the initial measurement of whether the options available are feasible or risky. To be able to describe a complete intelligence picture that provides us everything we need to know about a given situation, we would need that description to include knowledge of established conditions that have existed in the past, unfolding conditions as they exist in the present, and conditions which may exist in the future. Our complete image of what has been, what is, and what might be provides us with two classes of intelligence. The first is descriptive cyber intelligence, which describes existing and previously existing conditions. The second class, which attempts to anticipate future possibilities and probabilities, is estimative cyber intelligence.3 This initial measurement does not have to be exact or futuristic, and doesn't have to be either qualitative or quantitative. What it does have to be is factual, and without bias or opinion, specifically when leadership is expecting intelligence and options on a particular subject. Our CI-DR example for this chapter shows how the frame can support a business decision. Suppose a business leader wants to move an application from the organization's on-premises location to having it hosted at an outsourced provider (i.e. software as a service, platform as a service, or infrastructure as a service). The CI-DR program would begin with the analysis and collection of risk information from the current cyber environment as the baseline. A question would be posed to the team by the business leader, such as: “Is it safer to move existing system from on-premises to an externally hosted provider?” Additionally, the CI-DR program would collect and ingest into the CI-DR's cyber intelligence life cycle–specific information, cyber risks, vulnerabilities, cyber threats, costs, regulatory issues, and other relevant information to analyze and evaluate the various options where the leader wants to move the application. The result for this example could provide two or three options for providers and their risk ratings from a cyber intelligence perspective; they would also incorporate those ratings with the financial review of the provider, giving the business decision-maker the impact, risks, and profit or loss financial information for their review. The business leader is now able make better informed decisions about the outcome of their course of action, and to articulate and defend their position to senior leadership or the board of directors. The CI-DR program is not a stand-alone program. Discussed in the upcoming chapters, the program must have the right capabilities and resources available to evaluate the information collected and analyzed, with the ability to provide risks, options, and decision structures that can be generated for any consumer or leader within the organization. The decisions could be as simple as a “go or no-go” comparison chart or as complicated as total costs of ownership, potential losses, potential savings, or increased revenues, all with cyber risks included. The second objective is not overly difficult to implement, but many U.S. commercial businesses are not as familiar with this approach as would military commanders be and maybe a few foreign countries that leverage cyber counterintelligence methods regularly. We can recall from our denial-of-service attack example against the banks in the Introduction that some organizations did leverage cyber counterintelligence and cyber deception methods to move the attacker's mindset into thinking they crippled the bank, thereby having them focus and move on to other targets while the banks resumed operations and returned to online activities that same day. Additionally, while U.S. businesses do protect their information from cyber adversaries in more traditional approaches, the cyber counterintelligence objective is a new concept for many businesses, except for a few of the Fortune 100 organizations. Within the CI-DR functions and capabilities the cyber counterintelligence capability can be used within commercial businesses for mergers and acquisitions, for protecting information systems security strategies, or as part of the overall use of deception technologies or information to gain advantages in proactively identifying what cyber adversaries might be searching for within your networks. Organizations can test their cyber deceptive capabilities through tasks such as “red-teaming” activities. Red-teaming is usually performed by external organizations with the overall objective of gaining access to your facilities, systems, and data, and reporting on physical and digital compromises. The deceptive technologies are useful in validating those activities, as they could lead the testing team to encounter the deception systems and give them false information. Implementing the cyber counterintelligence portion of the CI-DR program will assist organizations in determining reconnaissance activities from adversaries, and assist with appropriate business or technology strategies to counter known cyber adversarial techniques, technologies, and processes. Organizations are performing some type of counterintelligence activity all the time, through marketing, delaying of products based on market research,