Gathering overt and covert information and its analysis and evaluation to produce an intelligence product is critical for assessing vulnerability and assuring the survivability of military systems. As traditional intelligence-gathering disciplines cannot address the expeditious assimilation of cyberspace technologies and capabilities into platforms and the subsequent challenges for survivability and vulnerability analysis, cyber intelligence (CYBINT) has emerged as a foundational discipline. This article surveys intelligence gathering relating to system survivability and vulnerability and the role of cybersecurity intelligence.
A characterization of CYBINT as an intelligence product, rather than an isolated intelligence-gathering discipline, is presented, along with a proposed framework for fusing cybersecurity intelligence sources. This research provides direction for future work on collecting, analyzing, and assessing cybersecurity intelligence sources for survivability and vulnerability assessment.
SURVIVABILITY AND VULNERABILITY
In the most basic sense, survivability refers to the ability of an object to remain alive or continue to exist. In a defense context, it refers specifically to the ability of a system to remain mission-capable after an engagement. An example is the definition of survivability for airborne combat systems, determined via four criteria:
- Detectability – how well, if at all, the system avoids identification.
- Susceptibility – the capability of the system to avoid an attack.
- Vulnerability – the ability of the system to withstand an attack.
- Recoverability – the post-attack impact to the system; specifically, how well the system returns to a functional and fully capable state.
Vulnerability, in the context of defense, refers to the instantaneous or near-instantaneous impact of an attack on a system; specifically, whether there was a realized effect and, if so, how it affected mission capability. When assessing survivability, it is often convenient to treat it as a construct of susceptibility and vulnerability: how well the system avoids an attack and, if attacked, how well it can withstand that attack.
The constructs of survivability and vulnerability are attack-centric. Assessing system survivability and vulnerability, and the effectiveness of those assessments, depends on how well militaries can identify and test avenues to degrade or eliminate system capability and survivability (attack vectors), through either actual or simulated means. Several attack vectors are often obvious and can be gathered through overt means. Other attack vectors are not readily obvious or even available, because militaries protect their offensive and defensive capabilities to maintain strategic, operational, and tactical advantages over adversaries. In these instances, intelligence gathering, analysis, and assessment (the “intelligence cycle,” shown in Figure 1) play a critical role in assessing survivability and vulnerability.
Ideally, the intelligence cycle identifies the greatest number of known attack vectors that threaten survivability and create vulnerability, allowing systems to be designed or modified to decrease (or remove) vulnerability and increase overall survivability [6–8].
Intelligence is the product of collecting and analyzing information for decision-making; in defense, intelligence uses information collected and analyzed to guide and direct the decisions of military commanders. As illustrated in Figure 2, this intelligence process is combined with the commander’s operations process to produce increased situational understanding and better decision-making.
As described in the U.S. Army’s Field Manual 2-0, intelligence gathering and analysis consists of five disciplines:
- Human intelligence (HUMINT) – actively and passively collecting information from persons and media.
- Imagery intelligence (IMINT) – exploiting visual, infrared, laser, radar, and spectral-sensor imagery to identify information.
- Measurement and signature intelligence (MASINT) – using technically derived intelligence to detect, locate, track, identify, or describe characteristics of target objects and sources.
- Signals intelligence (SIGINT) – obtaining information from intercepting and analyzing signals.
- Technical intelligence (TECHINT) – gathering information from collecting and analyzing military equipment and material.
In the Pentagon’s Joint Publication 2-0, the intent is to combine all the information gathered from these distinct intelligence disciplines into intelligence products. This generates all-source intelligence products with significant amounts of relevant information for commanders.
Fusing information-gathering and analytical efforts has improved dramatically since the siloed U.S. efforts of the Cold War. Most notably, post-9/11, government agencies dramatically improved their intelligence sharing, increasing the accessibility of disparate intelligence sources for consolidated use. Organizations can thus satisfy intelligence requirements from many sources, allowing the sources best suited to a given intelligence task to be identified and used, and building intelligence reliability and credibility. As such, militaries and governments can perform all-source intelligence fusion by analyzing and assessing all available sources. As the RAND Corporation discussed in 2012, using all-source intelligence is critical to the continued success of military operations. While intelligence-gathering disciplines can be segregated by type of intelligence, the product cannot; the U.S. military must strive to use the largest number of sources possible.
Gathering intelligence and using it as a decision-making tool far predates the advent of computer systems or cybersecurity. Intelligence-gathering tools, techniques, and procedures have long existed and been used for offensive and defensive military and government operations. The traditional practice of intelligence, and its fundamental principles, remains relevant for cybersecurity. In cybersecurity, intelligence is used to generate a resultant product concerning hostile or potentially hostile forces or elements in cyberspace or areas of actual or potential cyberspace operations. The result of intelligence in cybersecurity is a product that informs military commanders for decisions in or involving cyberspace. Commonly referred to as cyber threat intelligence, this is used to research and analyze trends and developments in cyber threats and espionage, enabling militaries or governments to develop preventative measures in advance of the actual threat.
Traditional intelligence in cybersecurity has focused on collecting, analyzing, and assessing information concerning threats to cybersecurity systems. Common intelligence disciplines for cyber threat intelligence are as follows:
- Open-source intelligence (OSINT) – publicly available information about the cyber characteristics of systems or platforms, such as information found in advertising, press releases, requests for proposals, or contract information.
- Social-media intelligence (SOCMINT) – details about the cyber posture, configuration, or existence of platforms, gathered from the social media profiles of individuals or companies involved with the cyber status or posture of a system or platform, commonly through social engineering.
- HUMINT – cyber information about platforms or systems gathered through covert or overt interaction with individuals knowledgeable of or affiliated with the cyber posture or status of systems or platforms.
- TECHINT – scientific and technical information about the cyber equipment used on systems and platforms that describes or identifies the technical capabilities and characteristics of a platform or system.
In line with the intelligence-gathering process, each discipline is used to gather information about the cyber threats that exist for a system or platform, either by learning which attack vectors adversaries possess or which information they need in order to exploit the system. Each of these disciplines (potentially) yields actionable intelligence products that commanders can use to make decisions about their platforms and systems. Using these intelligence disciplines and products has immediate applicability to militaries, informing them about threats and vulnerabilities to platforms and the expected survivability of the system or systems. This critical information is obtained by analyzing and assessing these vulnerabilities.
Any definition of the cyber intelligence-gathering discipline is elusive. Under the premise that SIGINT is gathered from signals and HUMINT is gathered from humans, an emergent simple definition of CYBINT is intelligence gathered from cyberspace. This is problematic, though, given that cyberspace generally refers to “interconnected technology” while no fewer than 28 different definitions of cyberspace exist. One proposed definition is “[the] global and dynamic domain (subject to constant change) characterized by the combined use of electrons and electromagnetic spectrum, whose purpose is to create, store, modify, exchange, share and extract, use, [or] eliminate information and disrupt physical resources”.
The lack of consensus on what comprises cyberspace makes the definition of cyber intelligence equally elusive. Unlike other intelligence-gathering disciplines, CYBINT is not formally defined in any service-specific or joint doctrine. The idea of cyberspace operations is commonly accepted as the capability of a service to operate and maneuver within its own specific definition of cyberspace; however, there is a distinct lack of definition of how this can be leveraged to deliver CYBINT and how CYBINT can be used to inform and support these operations [25, 26]. Cyberspace presents several unique challenges for continued intelligence and operations. While cyberspace is largely a virtual domain created exclusively by humans, modifications and effects in this domain ultimately manifest physically within areas of operations. The subtle intricacies and predominantly nonlinear nature of cyberspace, designed to allow anything to connect to everything, mean that seemingly minute or arbitrary changes commonly have impacts inversely proportional to their size and well outside a military’s bounds or foresight. Cyberspace manifests far less as a defined environment and more as a series of complex relationships. Furthermore, the near-instantaneous nature of its operations and effects renders the traditional military consideration of time obsolete. While the traditional fundamentals of intelligence gathering are applicable to CYBINT, the distance of cyberspace from traditional military areas of operation and the lack of alignment between cybersecurity operations and traditional “military operations” make it futile to attempt to define and address CYBINT within the bounds of traditional thinking on intelligence.
CYBINT AS AN INTELLIGENCE PRODUCT
If we adopt a simple definition of CYBINT as intelligence gathered from cyberspace, the grand challenge becomes not only discerning what comprises cyberspace but also addressing potential overlap and conflict with definitions of existing intelligence-gathering disciplines. In SIGINT, signals information has a concrete definition: communications among people (the focus of communications intelligence) or noncommunication electromagnetic signals such as radar (the focus of electronic intelligence). In CYBINT, cyberspace information cannot be concretely defined. The exact components that make up cyberspace vary widely between operational areas, depend on numerous unknown factors, and can be changed instantaneously with relatively minimal effort [22, 27]. Further, with no consensus on the definition of cyberspace, information that would commonly be considered a component of another intelligence-gathering discipline can easily be defined as a CYBINT component. For example, intercepting the signaling channels of digital-communications links to capture the information exchanged when establishing links between systems is traditionally a practice of SIGINT. Under the “interconnected technology” definition of cyberspace, the fact that this intelligence was gathered from the connection of two (or more) technological systems brings it into the realm of CYBINT, as it was arguably gathered from cyberspace. Hence, any information gathered from any technical interconnection could now become CYBINT.
Defining CYBINT based on the intelligence sources used is not feasible given the multitude of available sources and the substantial variances among them. Further, the intelligence gathered from these sources has the potential to be applicable to, or part of, the core concepts of other intelligence-gathering disciplines. As such, it is unlikely that CYBINT can be collected, analyzed, and assessed without encroaching on the practice of other intelligence disciplines. This is evident in the current use of HUMINT in gathering cyber threat intelligence. If a HUMINT collector (a spy) covertly gathers information from a source about a known vulnerability in a cyber system or platform, is this HUMINT or CYBINT? The human nature of the intelligence source supports assignment to HUMINT, while the applicability of the intelligence to cyberspace operations supports assignment to CYBINT. To a limited extent, this phenomenon is evident in all intelligence-gathering disciplines, but not to the same pervasive degree. While integrating cyberspace into other intelligence operations is a realized doctrinal principle [9, 10, 13], the same cannot be said for integrating other intelligence-gathering disciplines into cyberspace.
Rather than defining CYBINT as simply the collection, analysis, and assessment of cyberspace information, it can instead be defined as the fusion of all intelligence relevant to cyberspace operations—derived also from traditional intelligence-gathering disciplines—into a product that informs military commanders’ decisions about offensive and defensive cyberspace operations. Traditional intelligence-gathering disciplines can continue intelligence-gathering activities in the traditional fashion. The resulting intelligence information or products relevant to cyberspace or cyberspace operations can then be collected and assigned to CYBINT, where the all-source fusion of this information will produce actionable products to address the informational needs of commanders. Figure 3 shows a high-level representation of the use of cyberspace-relevant information from intelligence gathering as the source for CYBINT. Figure 4 illustrates the clear division between the traditional and cyber intelligence processes.
In the cyber intelligence process (shown in blue), the cyberspace-relevant information from the activities of each of the traditional intelligence-gathering disciplines is collated to form cyberspace information. Through the process, this all-source information is fused to produce input for CYBINT; through the application, a CYBINT product is produced. In the traditional process (shown in grey), the five existing and well-defined intelligence-gathering disciplines use the process to produce their intelligence products. Should any of these finalized products contain cyberspace-relevant information, they are used as additional input to the all-source fusion for a CYBINT product.
BENEFITS OF CYBINT AS AN INTELLIGENCE PRODUCT
Through this framework, it is possible to overcome limitations in the definition of and insight into cyberspace and cyberspace operations and, ultimately, the ability to identify and express informational needs. As shown in Figure 5, information needs play a key role in effective decision-making by commanders.
In situations where commanders are unable to express specific informational needs for CYBINT, such needs could dynamically emerge as by-products of existing intelligence disciplines. When commanders have a specific informational need, the relevant intelligence can be specifically identified, sought, and input into CYBINT as part of structured efforts for existing intelligence-gathering disciplines. This would potentially reduce the overall effort for CYBINT information-gathering as some, if not all, of the intelligence gathering occurs organically as part of an already existing process. When CYBINT can emerge organically from existing intelligence disciplines and as part of a structured CYBINT effort, there is opportunity for both greater breadth of coverage, by leveraging existing all-source efforts, and greater depth of coverage, through focused efforts for specific informational needs within these disciplines. Thus, in response to elusive cyberspace and CYBINT definitions, there is no longer a need for a concrete definition of either to collect, analyze, and assess CYBINT for military platforms or systems.
The benefit is apparent for survivability and vulnerability—effectively collecting and using CYBINT as part of a decision-making process enables militaries to assess which attack vectors, and associated attacks, are likely for their platforms and systems. Using this information, it is then possible to assess how well the system or platform could avoid detection to prevent executing these attacks; how well the system could avoid the attack or attack vector; how well the system could withstand the attack; and how well, if at all, the system could recover from the attack and return to a functional and capable state. Developmentally, using CYBINT would enable designing and creating platforms and systems under an approved standard of cyber survivability and vulnerability to evolve as assessed threats change.
Key limitations to characterizing CYBINT as a product of all-source intelligence fusion (using emergent or focused cyberspace-relevant information) are the current intelligence-gathering disciplines and processes. While CYBINT inputs likely exist in these disciplines and processes, there is neither an established process to identify them as part of the analytical process nor a conduit to export them for CYBINT analysis. Further, there is a lack of criteria for establishing cybersecurity relevance in military intelligence and of frameworks for using this information in the overall CYBINT process.
To address this, the U.S. Army Research Laboratory’s (ARL’s) Survivability/Lethality Analysis Directorate (SLAD) is leading a design-science research study using HUMINT-inspired collection techniques to generate a framework for actionable CYBINT. In addition to improving existing capabilities, the goal of this effort by ARL/SLAD’s Cyber Vulnerability Analysis and Assessment Division–Cybersecurity Branch is a proof of concept for the conceptual framework supporting this new characterization of CYBINT. Beyond this, further research is necessary to develop the frameworks (taxonomies, criteria, and processes) needed to fully integrate CYBINT into existing intelligence-gathering disciplines. Future work must address developing a framework for introducing the IMINT, MASINT, SIGINT, and TECHINT disciplines and the relevant supporting taxonomies.