The recent news about the formation of the Cyber Threat Intelligence Integration Center (CTIIC), which, according to a DoD News report, will analyze and integrate information already collected under existing authorities, piqued our interest. So much so that we wanted to speak with Keith Rhodes to get his take on it.
Keith has spent almost 30 years helping government and industry make the right decisions when it comes to mission performance, risk assessment and assurance. He was the first chief technology officer for the Government Accountability Office and recently served as chief technologist for QinetiQ North America (now Vencore). Today, Keith is a partner at Florida-based Innovative Space Technologies (IST), and he shared his thoughts on the CTIIC with us.
Q: Please tell us about your company and what you do?
A: IST is a small research and development (R&D) company headquartered in Florida that provides consulting resources for technology development, maturation and commercialization. Our clients are in the aerospace, defense, energy and emerging technology markets. IST transitions R&D (both basic and applied) efforts from government, academic and industry partners to mature technology offerings. Additionally, IST is developing several multi-year partnerships to enable these R&D opportunities via local community economic development. Our research staff at IST consists of consultants and additional resources, as needed, such as faculty and students from local communities and throughout the United States. The permanent staff are all current practitioners in their areas of expertise, averaging 25-plus years of successful R&D projects.
Q: What is your initial reaction to the new cyber agency?
A: The announcement and accompanying articles all point to the spate of companies that have been attacked and breached as being the impetus for this new Center. The evidence shows that the President asked what seems to be a normal set of questions. What happened? Who did it? What’s the damage? However, he ended up with six different answers to each of his questions, which clearly shows that the analysis of cyber events and the translation of them into useful threat assessments is not adequate.
People argue the new Center will be just another place where data go to die; that it is redundant because we have the NSA and DHS and FBI and other cyber units within departments and agencies. I would, however, posit that the new Center should be a chance for defining and applying a stable, repeatable, standard and understandable (by the non-technical decision-makers) explanation of the best answer to a senior official’s question(s). We do that with all other forms of evidence and intelligence. Should we not want the same for events in the virtual world, as well?
Q: What needs to happen for this to work?
A: We all need to realize that a consensus on threat alone is not enough. In the example above, the President was trying to understand risk, part of which is based on threat, but much more is needed to give a complete answer.
Risk is comprised of the following:
- Threat: An adversary with opportunity and intent
- Vulnerability: A weakness in the system
- Impact: The value of the system being breached
There is always a threat, but its virulence matters. Was this random or targeted? What’s the skill level of the attackers? Are the attacks tied to a virtual team? Did they have a plan?
Also, we need to understand whether the attack shows a common weakness not seen before, which leaves many more systems vulnerable, or whether this was a known attack mode for which there is a fix.
Finally, we need to know what data was compromised and its importance. Was this for extortion or theft or identities or competitive intelligence?
With that information, a useful application of countermeasures can be determined. This would include government and industry partnerships that need to be in place to make the countermeasures work.
As soon as all parties involved understand what their role is with regard to risk, the Center will be positioned to have an immediate impact.
Q: How can industry help make this happen?
A: Industry must be very clear that a business case is required in order to work with the U.S. government. Businesses need revenue to survive. If they are going to share with the U.S. government, the U.S. government has to be a trustworthy partner. To show good faith, the U.S. government has to make the first move.
If this new Center is to be effective, one of its primary roles should be to answer the President’s questions, as well as a company’s questions, and not with a bunch of bureaucracy. If the information is helpful, good companies will reciprocate. If the information is not useful, then no harm done. And if the information is useful and the company doesn’t reciprocate, then stop answering their questions.
As a final point, in my experience, I have found that while many think they can go it alone, a team-oriented approach is better. Thus, at the risk of sounding like a Pollyanna, the Center is truly long overdue. And, I would hope that when clear threat intelligence comes out of the Center, it goes to boardrooms as well as the Oval Office.
Q: Lastly, what do you like to do in your free time?
A: I ride my urban sport bike whenever I get the chance. If that’s not in the cards, my colleagues and I like to go to movies and argue about the scientific plausibility of what is portrayed.
Keith Rhodes is a partner at IST, LLC and a research scientist with more than 30 years of experience both in and out of government.