Sunday, October 21, 2007

Counterintelligence and the Cyber Threat

Friday I attended an open symposium hosted by the Office of the National Counterintelligence Executive (ONCIX). It was titled Counterintelligence and the Cyber Threat and featured speakers and panels from government, law enforcement, industry, legal, and academic organizations. I attended as a representative of my company because our CSO, Frank Taylor, participated in the industry panel.

If you're not familiar with the term counterintelligence, let me reproduce a section from the ONCIX Web site:

Counterintelligence is the business of identifying and dealing with foreign intelligence threats to the United States. Its core concern is the intelligence services of foreign states and similar organizations of non-state actors, such as transnational terrorist groups. Counterintelligence has both a defensive mission — protecting the nation's secrets and assets against foreign intelligence penetration — and an offensive mission — finding out what foreign intelligence organizations are planning to better defeat their aims.

I also recommend reading the National Counterintelligence Strategy of the United States, 2007 (.pdf) which states:

Our adversaries -- foreign intelligence services, terrorists, foreign criminal enterprises and cyber intruders -- use overt, covert, and clandestine activities to exploit and undermine US national security interests. Counterintelligence is one of several instruments of national power that can thwart such activities, but its effectiveness depends in many respects on coordination with other elements of government and with the private sector.

During the Cold War, our nation's adversaries gained access to vital secrets of the most closely guarded institutions of our national security establishment and penetrated virtually all organizations of the US intelligence and defense communities. The resulting losses produced grave damage to our national security in terms of secrets compromised, intelligence sources degraded, and lives lost, and would have been catastrophic had we been at war.
(emphasis added)

Minor note 1: if we were not at war during the "Cold War," then why is it called a "War"? I believe the people who died fighting would call it a war.

Minor note 2: foreign intelligence services, terrorists, and foreign criminal enterprises are all specific parties. "Cyber intruders" are more often one of those previous parties. Those who perform digital attacks but do not fall into one of those three categories are usually script kiddies or recreational hackers, and should not be explicitly mentioned as counterintelligence targets. My guess is the report considers cyber-instantiated threats to be serious enough to somehow mention explicitly, but not enough intellectual rigor was applied to this sentence (like the Cold War section).

Major note: does the section about penetrating virtually all organizations of the US intelligence and defense communities surprise you? When I attended Air Force intelligence school in 1996-1997, one of our first instructors said:

"Most, if not all of the classified material you will see in your career has already been compromised. However, we have to act as if it's not."

I remember thinking "What?!?" With hindsight, the more I hear about spies found inside government agencies, the more I understand that statement.

I found the symposium fascinating, so I'd like to share a few thoughts. Dr. Joel Brenner, the National Counterintelligence Executive, provided plenty of noteworthy comments. He said that counterintelligence is not security.

  • A security person sees a hole in a fence and wants to patch it.

  • A CI person sees a hole in a fence and wants to understand who created it, how it is being abused, and if it can be turned into an asset to use against the adversary.

Dr. Brenner said about 140 foreign intelligence surveillance organizations currently target the United States. Three strategic issues are at play:

  1. Threats to sovereign (US) networks, especially in the cyber domain. Dr. Brenner said "There is growing acceptance that we face a cyber counterintelligence problem, not a security problem." I agree with this, and will have more to say about it in a future blog entry. He stressed the alteration attack (rather than the disclosure or destruction attacks) as being the major problem facing US networks.

  2. Acquisition risk, i.e., supply chain risks. Dr. Brenner said we need technically literate lawyers and policymakers to address these risks.

  3. Collaboration, or the lack thereof. Dr. Brenner notes that our current "cooperation model" is a function of our "classification model," resulting in an antiquated system that serves no one well.

One of the most interesting comments was this:

Industry talks risk management but they really do risk acceptance, not risk mitigation.

How true that is!

Chris Inglis, Deputy Director of the NSA and a fellow USAFA grad, used a term I liked with regard to fighting the cyber adversary. He said we need to outmaneuver the adversary, not solve security problems. I love this because it implies "security" can't be "solved," and it provides a reason to review maneuver warfare as a way to counter the adversary.

John McClurg, Vice President for security at Honeywell, described his "validated data" approach to obtaining business buy-in for security initiatives. He collects data to support a security program and presents it to managers as a means to justify his work. This sounds a lot like showing evidence that a business unit is owned or about to be owned. I like this idea and my work with NSM would help provide such data.

Scott O'Neal, Chief, Computer Intrusion Section, Cyber Division, FBI, said "The adversary is clearly ahead of security. This is a fact we have to accept." This echoes statements I made earlier this year and at other times. The FBI addresses intrusions through three points of view: CT (counterterrorism), CI (counterintelligence) and criminal.

I'll have more to say on this subject in the months ahead.


jbmoore said...

Are you sure about the difference between security and counterintelligence? It's like saying a security person is a mechanic and an (counter)intelligence person is a systems analyst. Both a systems analyst and a "mechanic" are systems administrators. The latter troubleshoots problems and fixes them. The former figures out what causes the most problems and builds a system or architects a solution to prevent the problem from ever occurring again. A security person who doesn't use intelligence to find out why problems keep reoccurring and develops a solution to mitigate the issue is running the Red Queen's race, running in place to keep up. It's futile and it's stupid. Intelligent people figure out the most efficient way to do something to minimize their efforts.

Except for the Navy having their communications compromised by John Walker, the two most damaging spies in US history worked counterintelligence in the CIA and FBI. That tells you that:
1. there aren't enough paranoid people in counterintelligence,
2. there aren't enough competent people in counterintelligence in the US, and
3. if people wanted the problem fixed, it'd be fixed, but then they wouldn't have any jobs. Incentives should be decoupled from job security to an extent. In other words, it's okay if you figure out a way to eliminate your own job because we'll keep a place for you anyway.

If the security guy is doing his job, the counterintelligence guy wouldn't have any holes to stake out. The latter would have to create his own baited traps and monitoring methods.

Industry is really about risk responsibility avoidance. People accept risks all the time (you have to), but they either don't acknowledge them as risks or they avoid responsibility after the risky event has occurred. Witness bad coding and the lack of responsibility for writing bad code built into software license EULAs. If we built buildings the way we write software code, no building would stand for long. Close to perfect code can be written or all our fly-by-wire aircraft would never fly for long. Why are security investigators and bad guys basically performing QA testing on software these days? The proper incentives aren't there to design the software properly in the first place.

Rob Lewis said...


With statements like "With hindsight, the more I hear about spies found inside government agencies, the more I understand that statement", it would seem like you are giving greater recognition to the "insider threat". :)

Richard Bejtlich said...


About "counterintelligence is not security," I didn't write that I said that. I wrote that Dr. Brenner said that. I will have more to say on the topic in a future post, anyway.


I have never dismissed the insider threat. I think it is overplayed. As far back as February 2005 I wrote:

My personal opinion is that rogue insiders have the potential to cause the most damage, but the frequency with which they appear and cause havoc is lower than people think.

jbmoore said...


I gave no attribution, but then you gave no disagreement. Was your silence an endorsement of Dr. Brenner's point of view?
I agree that industry and government practice risk acceptance, but both practice responsibility avoidance more. No one was disciplined for the Robert Hanssen affair within the FBI ( ), but one of the men who thought Hanssen was the mole was accused of being the mole himself. Hanssen was also an FBI cybersecurity expert. From actions such as lobbying of Congress to defang transparency laws over data loss or theft, banks silence over online banking losses, and people's acceptance of poorly written software for personal and business use, the problems we face are fundamental and due mainly to poor software design and manufacture. The incentives are backwards. You don't buy a house built without locks on the doors and an alarm system these days, but we do that with software all the time.


Anonymous said...

There's plenty of risk transfer going on, too, Rich. This is best done, of course, via the legislative branch.

Lobbyists are well-paid for a reason.

Richard Bejtlich said...

One of you directly sent me this comment:

"Industry talks risk management but they really do risk acceptance, not risk mitigation."

I'm confused by this statement. Risk Management is about a continuous cycle with the goal of reducing (mitigating) risk. We cannot eliminate risk, we can only reduce it. Part of the process is determining how much risk we are willing to accept, then putting in process and controls to reach that point. I would say 'risk acceptance' is a part of risk management, and there is nothing wrong with that.

Yes, the point of the quote is that a real risk management strategy would -- at some point -- include elements of risk mitigation along with risk acceptance. The thesis proposed by the NCIX is that people do far too much risk acceptance, and hardly any risk mitigation, as part of their risk management strategy.