Operational Levels of Cyber Intelligence
Cyber intelligence is a complex, as yet undefined, multifaceted approach to framing, thinking about, and reacting to cyber adversarial activity. Many discussions emphasize the complexity of the cyber operational domain, the speed at which activity and operations take place, and the supposed inherent advantage of the attacker. The problem becomes easier to address once the overall environment and the problem set are defined in manageable operational levels, and once sound, time-tested intelligence thinking and methodology are integrated into the equation. With this methodology, one can better understand and anticipate the adversaries’ actions and intent in order to provide the needed and appropriate intelligence at the right time for each level of operation.
Understanding, even at a basic level, the cyber “lay of the land” should also help illustrate the need for cyber intelligence analysts to know far more than just network functionality. To understand how to support operational level requirements, cyber intelligence analysts will need to understand the human element: what adversaries intend, how they plan, coordinate and execute, and what motivates them towards action or inaction. To support their organization’s strategic goals, some analysts will find it necessary to understand the intricacies of current and past geopolitical events, the competitive business landscape, international politics or, in some cases, domestic politics and the agendas of niche interest groups.
Understanding the adversary, whether a nation-state, a business competitor or a criminal organization, understanding one’s operational/business environment, understanding one’s own exposure (threats and vulnerabilities), and having a clear sense of what is most valuable within one’s network are critical factors in determining resource allocation, analysis of risk and determination of the path an organization will take to achieve its mission.
Intelligence is meant to help reduce uncertainty for the decision maker and prevent surprise. Clearly there are more decision makers involved than those in the network operations center. The challenge now is to enable the decision makers, at all levels, to fully understand what information is needed and how to work with their cyber intelligence team to collect it, integrate it and make it accessible to those who must act upon it to thwart malicious network activity.