It seems everyone is talking cyber these days, whether it’s security- or intelligence-related. John Felker, director of cyber intelligence strategy at Hewlett-Packard, is uniquely positioned to talk about the upcoming challenges of cyber and how agencies and contractors can prepare to meet those obstacles through strategic analysis and risk management.
Felker represents HP as a cyber subject matter expert and co-chairs the Intelligence and National Security Alliance’s Cyber Intelligence Task Force. He co-authored two white papers that focus on current issues in cyber, titled “Operational Levels of Cyber Intelligence” and “Strategic Cyber Intelligence.”
WashingtonExec spoke with Felker about key topics touched upon in the white papers as well as takeaways contractors can put into practice right now.
Felker explained INSA published these papers as a way “to start a wider dialogue about cyber intelligence and what it is in the context of the threat actors at play in the cyber realm.” Previous cyber discussions fell short by focusing more on the ones and zeros, the malware details, and the technicalities involved with cyber intrusions and attacks, he said. By publishing the papers, INSA hopes to broaden the discussion with the idea that contractors and agencies should work on developing more cyber intelligence that seeks not only to understand the tactical details, but also the intentions and capability of threat actors before the trouble begins.
Felker also emphasized that, in many cases, leadership has failed to grasp how important cyber intelligence is from a strategic perspective.
“The task force has seen a number of different instances where there is disconnect between the folks who are on the keyboard doing the crunching, doing the cyber hygiene stuff and trying to prevent attacks, and the leadership; they often don’t speak the same sort of language,” he said. “We wanted to tie the levels of intelligence together and start talking about developing some common lexicon so that when you have issues at the tactical level, in the ones and zeros world, you’re still able to translate that and make leadership at any organization understand what it is that you’re talking about.”
Once this common ground has been reached, leadership is better prepared to use those ones and zeros that have indicated intent on the part of threat actors to make strategic decisions and to plan for the inevitable risks that come along with cyber.
“We look at the intelligence from a strategic perspective as an understanding of what’s out there, what can hurt me,” Felker said. “An example would be a medium size company that has created some great intellectual property, but that faces five other competitors in the marketplace. So we try to include the cyber threat into that discussion. Which top two or three of those competitors have the capability and intention to come into my systems and steal my intellectual property? Understanding who the threat actors are, and what their abilities and intentions may be, can put you in a position to better protect yourself and to make more informed decisions as you walk through your overall risk management process.”
According to Felker, the National Institute of Standards and Technology is playing an integral role in assessing risk.
“The idea is to put your overall situation in better context by understanding the current situation, situational awareness if you will, of what’s out there relative to your market space and better protecting yourself,” he said. “That information can provide you valuable information as you step through the risk assessment process.”
Intelligence Production and Information Sharing: Important Links
One doesn’t expect to hear the phrase “open source” in the same sentence as “intelligence gathering,” but Felker insisted most information that can be gathered at the classified level can be obtained through open source methodology.
“It may be a little late, because you don’t necessarily have the sources and methods you may have in the classified environment, but if you do it properly and devote the right resources and the right methodology to it, you can come up with essentially the same information,” he said. “Get what you can, and that’s what intelligence is anyway — collecting up as best you can and then making some informed decisions about what you know and what you’ve collected up. And that’s part of the intelligence production process.”
Felker explained that when intelligence is gathered through open source methods, it isn’t limited by classification and therefore should not be impeded in the information sharing process.
“That should not be an impediment to information sharing amongst others in your market space, in your critical information sector, or internally in a government, whether it’s state, local or federal, doesn’t matter — it should not be an impediment to that,” he said.
He said such information sharing may not always be the best idea in the commercial world, if it yields a competitive advantage or adversely affects company reputation or stock price, for example. However, if it is done properly, through a medium such as an information sharing and analysis center, that intelligence can be anonymously shared rapidly.
Felker provided the following as an example: “If a company has a decent understanding of where it stands in the market space, and has done a good job of gleaning intelligence from open source, whether internally or having shopped it out to an intelligence provider, then that intelligence can be packaged to the point where it can be shared with others so they don’t experience the same problem that you did.”
That kind of information sharing is crucial in the increasingly interconnected world we live in. “At the end of the day, we’re all in the same boat,” Felker said. “So if something is really nasty and it has the potential to impact lots of people in different sectors in government and commercial, then we may want to find some ways to figure out how to share that rapidly as well and without caveats.”
Readers of INSA’s white paper will have the chance to explore the ideas discussed above and more. For example, no matter how intelligence is obtained and distributed, at the end of the day, the point is to prevent future attacks.
“Instead of being reactive to cyber threat actors that are trying to get into your network, you’re going to be more proactive,” Felker said. “You may go outside the network to understand what they are, and you may be able to stop them from getting in — but you probably won’t. But at least when they hit your wire you’re going to recognize them, you’re going to understand them as an adversary, you’re going to know their capabilities and what threat they pose, and you’re going to be in a much better position to mitigate that threat.”
It goes without saying that the better intelligence you have, the better you can prepare. The point of efforts like INSA’s white papers is to help companies and agencies shore up their essential cyber hygiene processes, including vulnerability protection, critical controls, user awareness and other strategies. And, of course, those processes will yield information that can direct an organization’s overall strategy moving forward.
“If you understand what the threats are out there, you can plan better for those threats and you can properly resource yourself at all levels to make sure you’re in the best position possible,” Felker said.
You can access the white paper, “Operational Levels of Cyber Intelligence,” here, along with the white papers, “Strategic Cyber Intelligence,” here and “Operational Cyber Intelligence” here.