Be Offensive Cyber CI that is passive and defensive will fail. We cannot hunker down in a defensive mode and wait for things to happen. We are spending far too much money on signature-based solutions, incident response, event monitoring, and other purely defensive measures to protect our sensitive data. That is not how we have been hurt in recent years. Cyber espionage is destroying us. Our Cyber CI mindset should be relentlessly offensive. We need to go after our Cyber CI adversaries. They are not prepared for this. It is not cost effective for many of them to defend.
Honor Your Professionals The truth is that Cyber CI staff are not popular and in most cases, do not even exist. You may see them today as information security risk analysts. They are not always welcome when they walk in. They usually bring bad news and news that does not lead to an arrest for those of that mindset (see - detect - arrest - all after the fact). They are easy marks to criticize when things go wrong. Their successes are their failures. If they catch someone infiltrating the infrastructure, they are roasted for having taken so long. If they are not catching anyone, why not? What have they done with all that money they spent on Cyber CI? It is no-win. To date, not much of anything is being spent on Cyber CI. It is all being spent on defensive devices and procedures. We are punch drunk and do not even know it. We are in the ring with dozens of adversaries but can only focus on one at a time.
Own the Street Any Cyber CI program worthy of the name has to be able to engage the opposition on the Internet, the field of play for cyber espionage. And when we do go to the street/Internet, we have to be the best service there. This means and any all protocols of the street. We need to have a strong offensive presence in all protocols, solutions, Web 2.0, and news non-inclusively. If they are on Twitter and Facebook, so are we. In fact, we should not wait for our adversaries to be there but establish a cyber beachhead as soon as the technology is available. If we are beaten on the street, it is worse than not having been there at all. Establishing street creds builds a following. A following can be leveraged in cyber CI crowdsourcing. Get involved in the IRCs of various groups. Participate in their discussions. Join their ranks.
Know your History I find it inconceivable that any Cyber CI practitioner today could ply his or her trade without an in-depth knowledge of the Moonlight Maze, Titan Rain, Aurora, Byzantine Hades, and all the latest hacking and cyber espionage cases from EMC and Citi to Sony and Lockheed Martin. Examine every hack. Review each nation-states cyber warfare doctrine.
Do Not Ignore Analysis Online operators do not make good analysts. A good Cyber CI program will recruit and train true cyber security analysts in sizable numbers. I do not think it would be excessive as a rule of thumb in a top-notch Cyber CI service to be evenly divided between operators and analysts.
Wonderful things happen when good analysts in sufficient numbers pore over our OSINT reports, presence lists, IRC chats, audio and video transcripts, Geotagging, blogs, and Web 2.0 data. They find the clues, make the connections, and focus our efforts in the areas that will be most productive.
Do Not Be Parochial Cyber CI is so difficult, even in the best of circumstances, that the only way to do it is together. We should not let personalities, or jealousies, or turf battles get in the way of our common cyber mission. Our colleagues in our peer companies and organizations are as dedicated, professional, hardworking, and patriotic as we are, and they deserve our respect and cooperation. The best people I have known in my career have been Cyber CI people, regardless of their organizational affiliation. So let us be collegial working together sharing the embarrassing moments under proper agreements.
Train Your People Cyber CI is a conglomerate of several disciplines and skills. A typical operation, for example, might include analysts, cyber security specialists, HUMINT specialists, cyber defense technical experts, language experts, ethical hackers, religious experts, and programmers. Each area requires its own specialized training curriculum. It takes a long time to develop Cyber CI specialists, and that means a sustained investment in Cyber CI training. We are just scratching the surface in this area and have a long way to go. Moving to a balance between offensive and defensive measures is a first step since 99% of our efforts are defensive in nature.
Do Not Be Shoved Aside When necessary, a Cyber CI service has to impose itself on the organizations and groups it is assigned to protect (if in fact they even recognize the value you bring). A Cyber CI professional who is locked out or invited in only when it is convenient to the host cannot do his or her job. In most cases today, we research issues after the fact as incident response and handling only to prevent the issue from happening again. Not to leverage the intelligence gained to learn more about your adversary beating them at their own game on the street is a travesty. Review, fix the defenses and forget the intelligence. Not a way to keep the adversaries at bay.
My advice to Cyber CI colleagues has always been this: “If you are blocked by some senior, obtuse, anti-Cyber CI officer (even the CISO), go around him/here or through him/her by going to higher management. In addition, document all instances of denied access, lack of cooperation, or other obstruction to carrying out your Cyber CI mission. If not, when something goes wrong, as it likely will in that kind of situation, you in Cyber CI will take the blame.”
Do Not Stay too Long Sensible and productive Cyber CI needs lots of ventilation and fresh thinking. There should be constant flow through. Non-Cyber CI staff should be brought in regularly on rotational tours. I also believe it is imperative that a good Cyber CI service build in rotational assignments outside Cyber CI for its Cyber CI specialists. They should go spend time with the operators or with the other groups they are charged to protect learning every facet of the game. In fact, we may be best served to have them spend time early in their careers in these fields observing all activities as they analyze. This side by side on the job training can serve us well. They will gain a respect for all surrounding functions. They will come back refreshed, smarter, and less likely to fall into the nether world of professional Cyber CI: the school of doublethink, the us-against-them mindset, the nothing-is-what-it-seems syndrome, personal biases, staleness in critical thinking, or the wilderness of mirrors. They will produce better product.
Never Give Up The tenth and last commandment is the most important. What if Master Splynter had quit after a few months instead of persisting for over two years? What if, in my own experience, we had stopped developing personas and infiltrating websites? Would we have such a strong knowledge of our targets as we do today? The information not provided can fill volumes. The unknown can and will hurt you. The short history of Cyber CI is already full of such examples. If you doubt me, look at all the breaches at attrition.org. These are only the ones reported. These are but a fraction of what actually occurs. And what occurs and is discovered is still unknown. Do we need more evidence of our cyber defensive failures to be convinced? Be persistent and don't let those who 'fake it til they make' stand in the way of real progress. Reach out to your peers. Share the information. Drive towards offensive cyber operations. Our adversaries do not operate under any rules of engagement nor do they believe in some sort of Internet Geneva Convention.