The Obama Administration is creating a new agency: the Cyber Threat Intelligence Integration Center (CTIIC). This new agency is supposed to be tasked with doing forensic analysis of data handed to it by companies that have been victims of cyberattacks. The aim is for the CTIIC to have access to the resources of multiple cyberintelligence agencies and to be able to use the shared information from these agencies (National Security Agency (NSA), Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA), US Cyber Command (CYBERCOM), The Office of the Director of National Intelligence (ODNI), Office of Intelligence and Analysis (I&A), Bureau of Intelligence and Research (INR), Office of Terrorism and Financial Intelligence (TFI), Defense Intelligence Agency (DIA), National Reconnaissance Office (NRO), The FBI National Security Branch (NSB)) to make more accurate and faster responses to threats.
The aim is to create an entity that is able to share intelligence information between these agencies in order to garner better responses to cyberthreats. It is the same goal that the Department of Homeland Security was supposed to serve in organizing intelligence data to counteract threats, but in cyberspace.
The problems with the formation of the Cyber Threat Intelligence Integration Center are many:
- 11 intelligence agencies (not including the military ones) working on cybersecurity apparently isn't enough. It is hard to justify ratcheting up even more bureaucracy when there are multiple agencies tasked with this sort of defense already. Spending additional millions to "organize" data, which does not actually create any protection and only allows the government to point fingers at the perpetrators and at how they broke in, is not effective.
- There are glaring imbalances between offensive and defensive operations within our agencies. The NSA creates security holes through programs like BULLRUN, and then hackers find ways to break into systems and we create agencies to defend against security holes. We literally have agents creating holes, and other agencies filling in the same holes. Even worse, the NSA's budget is heavily slanted toward offensive operations and not defensive. The budget to explore for new holes, and the budget to create new holes, is much larger than the budget to fill holes in.
- Companies are not being held accountable for major security breaches. Let's be honest, this new agency is a response to the Sony hack. Sony has a horrible track record with cybersecurity. They knew their systems were vulnerable and were slow to act on fixes. This is not the first time Sony has been mired in a hack where millions of customers' data was lost, and security is still lax at Sony. We need privacy laws that punish companies for leaking critical customer and employee information. This will create a legal disincentive to under-spending on security resources, and an incentive to take the results of security audits seriously.
- Sony was not hacked by North Korea. This "news" was circulated based on a rumor by a blogger. Later forensic analysis showed that it was almost certainly an employee inside the company who assisted a group of hackers on the outside, and that this was a typical cybersecurity breach that could have been prevented by better policies.
- This only intensifies the privacy debate. Some of the programs collecting this data might be outright illegal, and the methods that are being used to build cases would be textbook cases of parallel construction. If you are having a case tried against you, and evidence is falling from the sky from "classified" sources, there is nothing stopping evidence from being tampered with or outright falsified. Furthermore, exonerating evidence can be withheld from a trial for "national security reasons" and be used to convict the innocent.
The new agency is a response to an event of negligence masquerading as a cyberattack by a state actor. It is a waste of money and manpower. It doesn't increase the level of protection for companies. It doesn't correct any of the core issues surrounding these large hacks: low IT-security budgets, no data privacy laws, pitting intelligence departments against one another, and running an offensive cyberwar that spends more on offense than defense.
It is just a giant waste.