Why Teaching Cyber Intelligence is Important

Report
CYBER FLORIDA / JULY 2023

Prepared by: “Scuba” Steve Gary, PhD, CISSP, Associate Professor of Instruction, University of South Florida
Prepared For: Cyber Florida, 4202 E. Fowler Ave., ISA 7020, Tampa FL, 33620
Why Teaching Cyber Intelligence is Important

Abstract

Cyber threats are a constant in our networked world. Infrastructure such as electrical power and telecommunications is often cited as the target of cyberattacks, but in the post-COVID world, health and economic systems have increasingly been targeted by malicious actors. In this paper, I define cyber intelligence, provide examples of how it is collected and used by governments and the private sector, and describe the traits, core competencies, and skills required of the workforce. Examples of how cybersecurity, information security, cyber intelligence, and intelligence are taught in academia are highlighted, and the reasons why cyber intelligence is more important than ever in a post-pandemic world are delineated.

Cyber Intelligence

Sun Tzu’s adage from 2,500 years ago is just as relevant today and applies to cyber intelligence: “Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy, but know yourself, your chances of winning and losing are equal. If ignorant both of the enemy and of yourself, you are certain in every battle to be in peril” (Tzu, 1971, p. 84).

I realized early in my military intelligence career the importance of cyber intelligence. I knew then that cyber intelligence would be the intelligence of the future, which is today. Before I begin discussing the importance of teaching cyber intelligence, we must first understand what cyber intelligence is.

There are many definitions for cyber intelligence. I define cyber intelligence as intelligence (the intelligence function) conducted in, through, and for cyberspace (“the online world of computer networks and especially the Internet” (Merriam-Webster, 2022)). The primary focus should be on the cyber threat actors (CTAs), the people behind the keyboard, and their intentions, capabilities, tools, tactics, techniques, and procedures. Of the existing definitions of cyber intelligence, I prefer the 2014 National Intelligence Strategy definition: “the collection, processing, analysis, and dissemination of information from all sources of intelligence on foreign actors’ cyber programs, intentions, capabilities, research and development, tactics, and operational activities and indicators; their impact or potential effects on national security, information systems, infrastructure, and data; and network characterization, or insight into the components, structures, use, and vulnerabilities of foreign information systems” (ODNI, 2014, p. 8). Cyber intelligence is represented across the three levels of intelligence: strategic, operational, and tactical. Some have included a fourth level of cyber intelligence, technical (Mavroeidis, 2021), but I consider technical intelligence to be part of tactical intelligence. Cyber threat intelligence (CTI) and cyber counterintelligence (CCI) are the two main subcomponents of cyber intelligence.


Cyber threat intelligence (CTI). CTI is a main subcomponent of cyber intelligence and is “actionable and provides relevant, accurate, contextual, and timely knowledge regarding an organization’s attack surface, including defensive measures” (Mavroeidis, 2021). CTI usually consists of identifying indicators of compromise (IOCs), which are signatures identified as malicious that should be blocked, quarantined, or monitored to secure the network. The one thing missing from the cyber intelligence definition and not clearly delineated in the CTI definition is that we must know and understand our networks, systems, information, and data as well as the cyber threat actors’ networks, systems, information, data, intentions, capabilities, tactics, techniques, and procedures (TTPs).

Cyber counterintelligence (CCI). CCI is another main subcomponent of cyber intelligence. CCI is “measures to identify, penetrate, or neutralize foreign operations that use cyber means as the primary tradecraft methodology, as well as foreign intelligence service collection efforts that use traditional methods to gauge cyber capabilities and intentions” (Busch, 2018). Cyber espionage is a major concern, whether it is stealing government secrets or theft of intellectual property.

Cyber intelligence is a relatively new field of study and career path. Although it is often considered a subcomponent of cybersecurity, it is also a standalone field of study and career path. Cyber intelligence has three primary functions. It can be conducted for 1) defensive purposes, e.g., cybersecurity and defensive cyber operations; 2) offensive purposes, e.g., offensive cyber operations and cyberattacks; and 3) intelligence purposes, e.g., intelligence collection and cyber espionage. Some confuse cyber intelligence with open-source intelligence (OSINT) (collecting and analyzing publicly available data) or signals intelligence (SIGINT) (collecting and analyzing digital and other electronic signals). There is overlap between cyber intelligence and these two intelligence disciplines, but the goals, and therefore the products, of the three disciplines are different.

Cyber intelligence in cyberspace is conducted the same way intelligence is conducted in the other domains: air, land, sea, and space. In other words, the intelligence cycle is the same for all five domains (“intelligence is intelligence”). Unlike the other domains, the cyber domain, cyberspace, is manmade. Inherently, this means we have more control over this domain and therefore should be able to conduct more intelligence in it. Although conducting intelligence in the domains of air, land, sea, and space is important, cyberspace has quickly become the most important domain for conducting intelligence.

Cyber intelligence is collected by a variety of means. One method that every entity can employ is collecting intelligence from their own network. Data and information on networks such as phishing emails, network and log anomalies, IOCs, malware, viruses, etc. can be collected for cyber intelligence purposes. The private sector primarily collects cyber intelligence outside of their own network by conducting OSINT. Governments have other means besides OSINT, such as SIGINT, and other “INTs”, to collect cyber intelligence. Many organizations subscribe to CTI feeds, which usually consist of IOCs and other technical threat information, to assist with their cyber intelligence.


Why Cyber Intelligence is Important

Now that we understand what cyber intelligence is (and is not), we must appreciate why cyber intelligence is important. You need to look no further than the daily news to realize the importance of cyber intelligence. On a regular basis there is a cyberattack that makes international news, whether against a nation, e.g., Ukraine (2022), or an entity, e.g., the International Committee of the Red Cross (ICRC) (2022), and this trend has increased during the COVID era. Not only have cyberattacks increased (30,000 cyberattacks between December 31, 2019 and April 14, 2020) (Fichtenkamm et al, 2022), but the proportion of unseen malware (“zero days” or novel attacks) increased from 20% before the pandemic to 35% during the pandemic (Nabe, 2022). This increase in the number of attacks using “zero days” implies that cybercriminals will exploit pandemics when they occur. Health and economic systems have increasingly become targets of cybercriminals and nation states. Fichtenkamm et al (2022, p. 2) stated, “cybercriminals may have been the only decision makers who believed the early pandemic environment provided them with any chance to shape the future with their actions.” Below I identify some of the major cyberattacks that have occurred since the pandemic began.

Some of the cyberattacks listed were directly because of the COVID-era we have experienced. Several of those cyberattacks were conducted to steal COVID-related data, e.g., vaccine data, or to take advantage of the pandemic work situation, e.g., the switch to virtual/remote work (“work from home”), which exposed many new cybersecurity vulnerabilities. Most organizations were not prepared for transitioning work to employees’ homes, especially for an extended period of time (Fichtenkamm et al, 2022).


From 2019, some of the major international cyberattacks include:

• Adobe Inc.
• Ancestry.com
• Android
• Apple
• Capital One
• Cognyte
• Crypto firm Bitmart
• ElasticSearch
• Facebook
• Instagram
• International Committee of the Red Cross
• LinkedIn
• Log4j
• Marriott International
• Microsoft
• Microsoft Exchange servers
• Mobile TeleSystems
• MongoDB
• NEC Networks, LLC
• Nintendo
• Ransomware
• Socialarks server
• SolarWinds
• Stripchat database
• TikTok
• View Media
• YouTube
• Zynga

From 2019, some of the major country-specific cyberattacks include:

• Ministry of Health (Brazil)
• Personnel database (Brazil)
• Revenue agency (Bulgaria)
• Saskatchewan Liquor & Gaming Authority (Canada)
• Vastaamo (Finland)
• Government email infrastructure (India)
• Raychat (Iran)
• Health Service Executive (Ireland)
• Luas (Ireland)
• Local Government (Italy)
• Panasonic (Japan)
• Media companies (Norway)
• Bykea (Pakistan)
• Khyber Pakhtunkhwa police (Pakistan)
• National Health Information Center (Slovakia)
• Public websites (Sri Lanka)
• Visitor database (Thailand)
• Government websites (Ukraine)
• Harris Federation (UK)
• Colonial Pipeline (US)
• Quest Diagnostics (US)
• T-Mobile (US)
• WaWa (US)

Below is a list of some of the topics that currently affect and will affect cyber intelligence into the future:

• 5G/6G and Beyond
• Artificial Intelligence (AI)
• Autonomous Vehicles
• Biotechnology
• Climate Change
• “Computer Analysts” (e.g., Augmenting Intelligence Using Machines (AIM))
• Cryptocurrency
• Deep Fakes
• Drones/Unmanned Aerial Vehicles/Systems (UAVs/UASs)
• Emerging Technologies
• Fake News
• Global Warming
• Industrial Control Systems (ICS)
• Internet of Things (IoT)
• Machine Learning (ML)
• Pandemics
• Quantum Computing
• Space Activities
• Virtual Reality (VR)/Augmented Reality (AR)


Why Teaching Cyber Intelligence is Important

The importance of teaching cyber intelligence cannot be overstated. The current cyber threat landscape, partially described above, justifies the need for teaching cyber intelligence. Cyber intelligence is utilized to produce an accurate cyber threat landscape, which assists with cybersecurity, preventing and mitigating cyberattacks, and to support offensive actions and intelligence collection.

The cyber intelligence job market is also a major indicator of the need for cyber intelligence education. There are hundreds of thousands of cyber intelligence-related job openings worldwide. A simple job search for terms such as cyber intelligence, cyber threat intelligence, cyber threat analyst, cyber analyst, cybersecurity analyst, infosec analyst, IT analyst, data analyst, security analyst, etc. returns thousands of job openings. According to CyberSeek.org, an online site that provides real-time supply and demand data for the US cybersecurity job market, as of August 22, 2022, there were 194,017 cybersecurity-related analyst (cyber intelligence-related) positions available in the US (NICE, 2022).

As stated, the international community needs more intelligence professionals who understand cyberspace. We have three primary options to accomplish this feat: 1) teach current intelligence professionals about cyberspace, e.g., networks, systems, information, data, and how they work together; 2) teach cyber professionals, e.g., cybersecurity and IT personnel, how to conduct intelligence; or 3) teach non-intelligence and non-cyber professionals about cyberspace and intelligence together, i.e., cyber intelligence. Teaching cyber intelligence should be applied in all three options. The cyber intelligence analyst traits, core competencies and skills desired are provided in Figure 1 below.

Figure 1 — Cyber Intelligence Tradecraft Project Traits, Core Competencies & Skills (Cyber Intelligence Task Force, 2015)

Cybersecurity and Cyber Intelligence Education in the US

The US National Security Agency (NSA)/Department of Homeland Security (DHS) Center of Academic Excellence (CAE) in Cybersecurity program has rigorous requirements for universities and colleges to become a CAE in defense, research, or cyber operations. The NSA/DHS CAEs in Cybersecurity went from seven colleges and universities in 1999 to over 300 today (NICE, 2019). This represents the commitment the US has taken to increasing cybersecurity education.

There has also been an increase in schools offering cyber intelligence degrees or courses since I started teaching cyber intelligence in 2014, when there were less than a half dozen colleges and universities in the US with a cyber intelligence-related degree program. Today there are more than two dozen colleges and universities with cyber intelligence-related degree programs.

Table 1 below provides an example of degree levels, operational levels, pedagogical approaches, and certifications associated with cyber intelligence. For example, at the undergraduate level the focus should be on the tactical and operational levels of intelligence, primarily the technical aspects of cyber intelligence education, and the correlating certifications are the CyberSecurity Analyst Plus (CySA+), GIAC Cyber Threat Intelligence (GCTI), and Cyber Threat Intelligence Analyst (CTIA). For the graduate student, the focus should be on the operational and strategic levels of intelligence, as well as the technical and theoretical aspects of cyber intelligence, and the correlating certifications are the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM) (NOTE: at this time there are no high-level cyber intelligence-specific certifications). Finally, at the doctorate level, the focus should be on the strategic level of intelligence, primarily on the theory of cyber intelligence. Currently there are no corresponding degrees or certifications at this level.

| Degree Level | Operational Level | Pedagogical Approach | Certification |
|---|---|---|---|
| Undergraduate | Tactical & Operational | Technical/Practical | CySA+/GCTI/CTIA |
| Graduate | Operational & Strategic | Technical & Theoretical | CISSP/CISM |
| Doctorate | Strategic | Theoretical | N/A |

Table 1. Cyber Intelligence Degree Levels, Operational Levels, Education Types, and Associated Certifications

Examples of Curriculum for Cyber Intelligence Courses

Table 2 below displays some of the courses that may be found in the following degree programs: cybersecurity, information security, intelligence, and cyber intelligence. A cyber intelligence curriculum should merge the cybersecurity-related (technical) courses and the intelligence-related (non-technical) courses, or, at a minimum, some aspects of these courses. You can see the possible overlap of courses between these four degree programs. For example, the data networks/systems course would be in cybersecurity, information security, and cyber intelligence degree programs. As another example, the structured analytic techniques course would be in intelligence and cyber intelligence degree programs.

The concept is simple: combine courses from cybersecurity and intelligence degree programs, create cyber intelligence courses, and build cyber intelligence degree programs from them.

One of the main topics in my cyber intelligence courses is actionable intelligence. For me, actionable intelligence is providing the Who, Where, When, Why, What, How, So what, and possible Solution(s) (W5HSS). The who is the cyber threat actor (CTA) conducting cyber activities, e.g., advanced persistent threats (APTs). APTs are the most common CTA and pose the greatest threats in cyberspace. The where is the CTA’s target(s), e.g., a financial institution or healthcare institution. The when is the time or planned time of the cyber activity. The why is the CTA’s intention(s), e.g., cyber espionage or ransom. The what is the CTA’s tactics, techniques, and procedures (TTPs) used or to be used, e.g., phishing email or distributed denial of service (DDoS). The how is the CTA’s tool(s) or technology used or to be used, e.g., a remote access trojan (RAT) or ransomware. The so what is the impact or possible effect, e.g., the cost of compromise. The possible solution(s) are measures to prevent, mitigate, or resolve the cyber activity, e.g., encrypt data or maintain data backups. The so what and possible solution(s) are situation dependent and would be tailored to the given situation.
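The following is an added example, not code from the report or from Cyber Florida, showing how the two ideas above fit together in practice: IOCs from a CTI feed are matched against an organization’s own network logs (the collection method described earlier), and each hit is turned into a W5HSS record whose so what and possible solution(s) are left for the analyst to supply. The feed entries, log lines, host names, actor labels, and the `match_iocs`/`is_actionable` helpers are all constructed for this example.

```python
# Added example (not from the report): match a constructed CTI feed of IOCs against
# constructed log lines from the defender's own network and build W5HSS records.
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed CTI feed. Values and actor labels are made up; a real feed would supply
# them. Each IOC carries the who/why/what/how context that W5HSS asks for.
IOC_FEED = [
    {"type": "domain", "value": "updates.example-bad.test", "who": "APT-EXAMPLE (hypothetical)",
     "why": "cyber espionage", "what": "phishing email", "how": "remote access trojan (RAT)"},
    {"type": "ip", "value": "203.0.113.45", "who": "ransomware affiliate (hypothetical)",
     "why": "ransom", "what": "distributed denial of service (DDoS)", "how": "LOIC/botnet"},
    {"type": "sha256", "value": "a" * 64, "who": "unattributed criminal (hypothetical)",
     "why": "theft", "what": "malware delivery", "how": "keylogger"},
]

# Constructed log lines (proxy, firewall, endpoint) from the organization's own network.
LOG_LINES = [
    "2023-07-01T09:12:03Z proxy host=ws-finance-07 dst=updates.example-bad.test action=allow",
    "2023-07-01T09:15:44Z fw host=web-01 src=203.0.113.45 dport=443 action=allow",
    "2023-07-01T09:20:10Z proxy host=ws-hr-02 dst=www.example.org action=allow",
    "2023-07-01T10:01:00Z edr host=ws-finance-07 file_sha256=" + "a" * 64 + " verdict=unknown",
]


@dataclass
class W5HSS:
    who: str      # CTA from the feed
    where: str    # target host observed in our own logs
    when: str     # timestamp of the observed event
    why: str      # CTA intention
    what: str     # TTP
    how: str      # tool / technology
    so_what: Optional[str] = None   # analyst-supplied: impact for this organization
    solution: Optional[str] = None  # analyst-supplied: prevent / mitigate / resolve

    def is_actionable(self) -> bool:
        # A record is actionable only when every W5HSS element is filled in.
        return all(asdict(self).values())


LOG_RE = re.compile(r"^(?P<when>\S+) \S+ host=(?P<host>\S+) (?P<rest>.*)$")


def extract_observables(rest: str) -> set:
    # Pull the field values an IOC could match against (destination, source, file hash).
    return {m.group(1) for m in re.finditer(r"(?:dst|src|file_sha256)=(\S+)", rest)}


def match_iocs(lines, feed) -> list:
    # Correlate each log line's observables with the feed; one W5HSS record per hit.
    by_value = {ioc["value"]: ioc for ioc in feed}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for obs in extract_observables(m.group("rest")):
            ioc = by_value.get(obs)
            if ioc:
                hits.append(W5HSS(who=ioc["who"], where=m.group("host"), when=m.group("when"),
                                  why=ioc["why"], what=ioc["what"], how=ioc["how"]))
    return hits


if __name__ == "__main__":
    for rec in match_iocs(LOG_LINES, IOC_FEED):
        print(rec, "actionable:", rec.is_actionable())
```

Every hit here is incomplete until the analyst adds the so what and solution(s), which is the point of the W5HSS framing: IOC matching alone is detection, not actionable intelligence.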

| Cybersecurity | Information Security | Intelligence | Cyber Intelligence |
|---|---|---|---|
| Cybersecurity Principles | Information Security Principles | Core Competencies in Intelligence | Core Competencies in Cyber Intelligence |
| Data Networks/Systems | Data Networks/Systems | Strategic Intelligence | Data Networks/Systems |
| Applied Cryptography | Corporate Information Security | Information Strategy & Decision Making | Applied Cryptography |
| Database Management | Information Security Management | Structured Analytic Techniques | Structured Analytic Techniques |
| Legal, Compliance, and Audit | Legal, Compliance, and Audit | Professional Analytical Writing | Professional Analytical Writing |
| Risk Management | Risk Management | Open Source Intelligence | Open Source Intelligence |
| Business Continuity/Disaster Recovery | Business Continuity/Disaster Recovery | Information Analytics | Cyber Threat Intelligence |

Table 2. Cybersecurity-related and Intelligence-related Degree Programs and the Correlation Between Some of Their Possible Courses

| Who: CTAs | Where: Targets | Why: Intentions | What: TTPs | How: Tools | How: Tech Info |
|---|---|---|---|---|---|
| Nation-State-sponsored Org. | Government | Espionage | Social Engineering | Hacking Tools | Phone |
| Criminal | Military | Intelligence | Phishing Techniques | Password Crackers | Email |
| Lone Wolf | Defense Contractor | Crime | Physical Access | Malware | Websites |
| Terrorist | Critical Infrastructure | Fraud | Wireless Access | Keyloggers | Servers |
| Hacktivist | R&D/Labs | Theft | DDoS | LOIC/Botnet | Routers |
| Hacker | Universities | Terror | Hacking | | Hashes |
| Script Kiddie | Financial Sector | Hacktivism | | | Phone Numbers |
| Insider | Civil Services | Vandalism | | | Email Addresses |
| | Companies | Mischief | | | Social Media Information |
| | Individuals | Revenge | | | OSs |
| | | Warfare | | | IP Addresses |

Table 3. Cyber Intelligence Categories and Types (Gary & Borum, 2017)

Note: The When, So what, and possible Solution(s) of the W5HSS for actionable intelligence are deliberately missing from the table. The When is when the event occurred or will occur. The So what and possible Solution(s) are provided by the analyst along with any predictive analysis.

Diamond Model. A common method used in the cybersecurity industry to display most of the information for cyber events, CTAs/APTs, etc., is the Diamond Model (see Figure 2). The Adversary is the who, the Victim is the where, Capabilities are the what, the Infrastructure and Technical Axis are the how, and the Socio-Political Axis is the why. The when, so what, and possible solution(s) are missing from the Diamond Model. These missing elements can be added to the Diamond Model if it is displayed on a slide (slide format is commonly how the Diamond Model is displayed). Diamond Models can be created based on cyber events, CTAs/APTs, types of targets, etc., and employed as references for future cyber events.

Figure 2 — Diamond Model

Conclusion

Teaching cyber intelligence is more important now than ever as we have transitioned from the Cold War to the Code War. We have learned how vulnerable we are from the number, size, and type of cyberattacks, e.g., ransomware, compromises, breaches, stolen intellectual property, etc., that have occurred over recent years. We also learned that cyber threat actors will take advantage of pandemics and other world events, especially when work shifts to the home. We determined that cyber intelligence is needed for defensive purposes: to anticipate (prevent), triage (mitigate), and recuperate (recover) from cyberattacks. We also learned the importance of cyber intelligence for offensive and intelligence purposes. Finally, I provided some topics that should be taught in cyber intelligence programs and courses, along with methods for teaching cyber intelligence.


References

1. Busch, B. (2018). Cyber counterintelligence (CCI). Tampa, FL, USA.

2. Cyber Intelligence Task Force (2015). Cyber intelligence: Preparing today’s talent for tomorrow’s threats. Washington, DC: Intelligence and National Security Alliance.

3. Fichtenkamm, M., Burch, G., & Burch, J. (2022, April 12). Cybersecurity in a COVID-19 world: Insights on how decisions are made. Retrieved from ISACA Journal: https://www.isaca.org/resources/isaca-journal/issues/2022/volume-2/cybersecurity-in-a-covid-19-world

4. Gary, S., & Borum, R. (2017). Evolving Cyber Intelligence. In D. Van Puyvelde, & A. F. Brantly, US national cybersecurity: International politics, concepts, and organization (pp. 123-139). New York, NY: Routledge.

5. Mavroeidis, V. (2021). Towards automated threat-informed cyberspace defense. Oslo: University of Oslo.

6. Merriam-Webster. (2022, July 14). Cyberspace. Retrieved from Merriam-Webster: https://www.merriam-webster.com/dictionary/cyberspace

7. Nabe, C. (2022, August 23). The impact of COVID-19 on cybersecurity. Retrieved from Deloitte: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html

8. National Initiative for Cybersecurity Education. (2019). NICE Conference Update 2019. Phoenix, AZ: National Institute of Standards and Technology.

9. NICE (2022, August 22). Cybersecurity supply/demand heat map. Retrieved from CyberSeek: https://www.cyberseek.org/heatmap.html

10. Office of the Director of National Intelligence (2014). The National Intelligence Strategy of the United States of America. Washington, DC: ODNI.

11. Tzu, S. (1971). The art of war.
