RSA Conference Europe 2012 – How to Build a Cyber Intelligence Capability

Stewart Bertram – Cyber Intelligence Team Manager, VeriSign

The talk will cover:

– The socio-technical approach to cyber intelligence team design / capability

– The growth of the influence of the intelligence team within the wider business context

– Legal and reporting points

So just what is a socio-technical system?

“an approach to complex organizational work design that recognizes the interaction between people, information and technology in workplaces”

So how should the new hypothetical cyber intelligence team be made up?

The talk proposes a combination of:

– Computer Science folk

– Former military / intelligence

– Social science background / experience

While computer science people are the obvious choice that no one would argue with, what do the other two facets bring?

Military intelligence – Computer insurgency experience, the battle for hearts and minds, human terrain analysis; this experience helps them to better know what to look for.

Social science – An understanding of social interactions and ‘networks’: how groups of people interact and work together. This is useful both for understanding the behaviour of your adversary groups and for understanding how to get buy-in from your organisation.

Your team should work to best leverage technology to do the heavy lifting and initial filtering so that they can look at detailed aggregated / fused information.  This allows them to use their skills and experience to make the best decisions and risk assessments.  If your team is spending their time looking at the base information, they will only be able to view a tiny amount of the data and thus you will frequently be surprised.

So, why are we even discussing a cyber intelligence capability in the first place? Does the cyber threat pose a greater risk than 10 years ago?

Yes. This is driven by the contextual change in the importance of cyberspace to Western society – we are hugely reliant on IT and the Web for almost all aspects of our lives now, and this is only increasing.

Cyber intelligence teams used to exist on the periphery of the business or as a subset of the IT security team. Increasingly they are, or should be, core to the business and driving change across departments including IT, IT security, HR, Finance etc.

For further reading, the paper #intelligence by Sir David Omand et al. is strongly recommended.

We need to ensure a balance is struck between online security and privacy. Consider also where social media intelligence (SOCMINT) fits into your model:

“SOCMINT is not yet capable of making a decisive contribution to public security and safety.”

“SOCMINT does not fit easily into the existing systems we have developed to ensure intelligence collected can be confidently acted on.”

Consider also open source evaluation.

As with any intelligence, you need to consider the quality of the intelligence and the quality of the source.

If you are going to perform any of this directed or semi-directed monitoring of social media, you need to understand the legal issues surrounding it and have a legal framework in place within your organisation.

As a closing comment the talk stated:

“If today is the information age then tomorrow will be the intelligence age”

Overall this talk was a little light and glossed over quite a bit, but then it was a huge topic to cover in 50 minutes, and I realised the speaker wrapped up within 30 minutes. This would definitely have benefited from taking the full allotted time. However there were several good points raised and definitely things to think about – how would this fit into your organisation?

K
