President Trump issued a memorandum on Oct. 5 requiring the intelligence community to establish an inter-agency information sharing network. Agency heads are required to submit a plan within 270 days. Missing from the memorandum is any mention of existing projects such as the Cyber Threat Intelligence Center (CTIC) or the Intelligence Community IT Enterprise (IC ITE, pronounced ‘eyesight’).
Inter-agency information sharing has been a pressing problem since 9/11, when it was suggested that different agencies had partial information about the terrorist plot, but there was no way to ‘connect the dots’ and see the overall picture. Since then there have been numerous initiatives to improve information sharing — such as the Cybersecurity Information Sharing Act (CISA) and the CTIC and IC ITE projects.
IC ITE is a long-term intelligence community initiative to provide what this new memorandum seems to require. The current strategy document, produced by the Office of the Director of National Intelligence (at that time, James Clapper), states: “The IC ITE represents a strategic shift from agency-centric information technology (IT) to a common enterprise platform where the Intelligence Community (IC) can easily and securely share technology, information, and capabilities across the Community.” However, the timeframe covered by this document is 2016 to 2020 — and it may be that the new Trump memorandum is seeking to speed the process.
Trump has been a critic of the intelligence community since before his election. It is not clear whether this memorandum is designed to replace the existing projects or merely to hasten their completion. Memoranda are used by presidents in a manner similar to executive orders, and place a similar legal requirement on government agencies. They have been described as ‘an executive order by another name’.
The gist of the memorandum is that the intelligence community must establish a ‘threat actor’ information sharing architecture under guidance from NIST, and present their plan to the president within 270 days. “The Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with the Secretary of State, the Secretary of the Treasury, and the Secretary of Energy, shall, through the Assistant to the President for Homeland Security and Counterterrorism, submit to the President a plan to implement this memorandum.”
There is no indication of how the threat sharing is to be implemented, and of course no guarantee that the president will accept the plans. There is, however, a strong concentration on the need to share personal information of potential threat actors. “National security threat actor information,” states the memorandum, “comprises identity attributes and associated information about individuals, organizations, groups, or networks assessed to be a threat to the safety, security, or national interests of the United States that fall into one or more of the categories listed in the annex to this memorandum.”
‘Identity attributes’ are then defined as “Information (including biometric and biographic data) that can be used independently or in combination with other data to identify a specific individual.”
It is the lack of detail that is most worrying. The devil is always in the detail, comments Christopher Bray, SVP at Cylance Inc. The big question, he suggests, is how this can be translated into policy while respecting applicable laws, civil liberties and individual privacy. “These are extremely important questions that need to be crisply defined and addressed within established legal and constitutional frameworks,” he told SecurityWeek. “You only need to think about the clumsy implementation of the ‘no fly list’ and the examples of completely innocent people arbitrarily getting placed on it in error — with lack of a clear process for recourse or getting removed, to see what a minefield this could become if not thought through well.” Will this be implemented into anything meaningful at all, he wonders, or just become ‘policy shelf-ware’ that someone can point to later as having ‘done something’?
Nathan Wenzler, chief security strategist at AsTech, sees nothing that addresses the long-standing problems for information sharing. “The challenge previously is that each of the agencies involved tends to collect information that is very specific to their purposes and it is in that specificity that there is fear that others who possess the data will be able to discern how that data was obtained and collected. This has caused many in the intelligence community to fear the compromise of those data gathering sources, whether human or technological, and has made previous efforts to integrate and share such data nearly impossible.”
Like Bray, he is also concerned about the privacy impact of the memorandum. “The potential for compromise to intelligence sources, the vast privacy concerns that will exist should any U.S. citizen wrongly be targeted in these profiling efforts, and the fact that effectively locating multiple copies of the same data sets in different places means that cyber attackers have more potential targets in which to steal this information means this memorandum creates far more questions than it begins to answer.”
Ross Rustici, senior director, intelligence services at Cybereason, wonders if the memorandum is designed to increase the capability of the CTIC, “which was stood up in the twilight of Obama’s administration. The idea behind the CTIC,” he told SecurityWeek, “was to create a new cyber threat center for cyber. However, because the initial operating capacity was being built as the administration was packing up it never got the full capability or support necessary to be effective.”
However, he also suggests that the memorandum is indicative of the slow progress made to date. It “shows how little the creation of the Director of National Intelligence and the 9/11 Commission has impacted business as usual in the intelligence community. In addition, the focus on ‘threat actors and their networks’ speaks to something beyond sharing data for defending networks. This directive is about increasing the intelligence community’s ability to share all the dots they already have to connect them better.”