The Poor State of Cyber Intelligence

Thursday, August 23, 2012

Jeffrey Carr


I recently had the privilege of speaking at a government cyber conference which was sponsored by one of the three-letter agencies and which included analysts from all 16 agencies that comprise the U.S. Intelligence Community (IC).

Besides myself, there were a number of other well-known and well-respected speakers. My session focused on Russia and their technology priorities, but the first question that the moderator asked me had to do with the fact that I was apparently wrong regarding who created Stuxnet.

His point in raising that issue was not to embarrass or shame me but to have me talk about how intelligence analysts must not be afraid to be wrong; about how important the role of negative analysis is along with the dangers associated with mirror imaging (i.e., a cognitive trap in which an intelligence analyst imagines that the target thinks like he does). 

Another cognitive trap is target fixation, where an analyst becomes fixated on one hypothesis and only sees the evidence that supports it. I see "cyber intelligence" analysts falling into that trap almost all the time.

Regardless of the problems faced by trained analysts in the IC, the state of cyber intelligence as it's practiced by information security practitioners and others who are not trained in the science of rigorous analysis is often exponentially worse.

The word "intelligence" is used to describe everything from a clipping service to threat data. The only thing worse are the marketing pitches promoting what their so-called "cyber intelligence" product will do for the customer - which is everything short of bringing him to orgasm.

Don't call the result of your work analysis if you haven't performed any negative analysis to test your hypothesis. Call it conjecture, or opinion, because that's what it is.

I'm writing a chapter on this topic for my book "Assumption of Breach" and my paper on the same subject will soon be published by the U.S. Air Force so I'm not going to go into further detail here except to say that if cyber intelligence analysts want to do justice to their craft, I encourage them to read Dick Heuer's "Psychology of Intelligence Analysis" (.pdf) and find ways to apply it to their work in the cyber field.

Another excellent resource is "Understanding Rigor in Information Analysis". Right now, between mirror-imaging and target fixation, many cyber intelligence analysts are missing huge gaps in the threat landscape and are doing a great disservice to both their customers and their craft.

Lisa Simpson: Just ask any criminal defense lawyer. The regular police often fixate on "a perp" who may not be guilty and will ignore, discard, or fail to report any evidence that doesn't agree with their theory. It's one of the major reasons that Project Innocence has been so successful. What you're saying is that these cyber-cops are falling into the same trap... If you can solve this for them, perhaps you can solve it for the real-world enforcement agencies.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.