Obama’s New Cyber Agency Puts Spies in Charge of Sharing Threat Tips with Agencies

Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco. Carolyn Kaster/AP

The new Cyber Threat Intelligence Integration Center will be patterned after the intelligence fusion center stood up in the aftermath of the Sept. 11, 2001, terrorist attacks.

The Obama administration is creating a new agency intended to protect online privacy and secure sensitive data by combing through spies’ threat assessments and sharing them with other federal agencies. 

The new Cyber Threat Intelligence Integration Center, or CTIIC (pronounced See-Tick), will be patterned after the National Counterterrorism Center, an intelligence fusion center stood up in the aftermath of the Sept. 11, 2001, terrorist attacks.

The CTIIC "will not collect intelligence" on citizens or foreigners, but rather "it will analyze and integrate information already collected under existing authorities," Lisa Monaco, assistant to the president for homeland security and counterterrorism, said Tuesday.

The National Security Agency and other authorized agencies will harvest "indicators" -- or the hallmarks of a certain kind of hack -- from email headers, timestamps and other metadata.  

The new agency will sit within the Office of the Director of National Intelligence. It will join a multitude of existing cyber information-sharing hubs -- including the Department of Homeland Security's National Cybersecurity and Communications Integration Center; private sector information sharing and analysis centers; and DNI's own Information Sharing Environment. 

The distinction here seems to be a focus on distributing threat evaluations governmentwide in near real-time.

Monaco said “no single government entity is responsible for producing coordinated cyberthreat assessments” and ensuring information “is shared rapidly” among existing government centers. Cyber NCTC is meant to fill the void. Monaco made the announcement during remarks at the Wilson Center on Tuesday.

Were the new agency around at the time of the Sony hack, it could have played a key role, officials say.

Within 24 hours of learning about the attack, federal officials fed intelligence about the spyware involved to the public so companies could immunize themselves against similar malware, Monaco said. The FBI and NSA have publicly said they also collected this intelligence and shared it with federal partners to help with that outreach.

In that situation, Cyber NCTC would have been responsible for assessing FBI and NSA indicators about the hackers and sharing its analysis with federal partners, so they could release it to the private sector. The agency would have the authority to circulate classified and unclassified material.

"That is the intent," a senior administration official told Nextgov.

The former head of another existing cyber hub sees the need for some overlap among the various information-sharing organizations.

Cyber NCTC “may not get raw signals intelligence, but it would get the derivatives of that intelligence,” former DHS NCCIC Director Sean McGurk said.

“You strip out the sources and methods which may restrict the handling of the data, and the derivatives of that intelligence could be provided to the other joint intel centers” to produce “actionable intelligence” for the private sector, added McGurk, now vice president at security firm Centripetal Networks.

An escalating number of high-profile hacks against organizations, culminating in the denuding of Sony's corporate and personal data, precipitated the decision to carve out a central cyber intelligence agency, according to officials. 

"Most concerning, perhaps, is the increasingly destructive and malicious nature of cyberattacks, as we saw with Sony Pictures Entertainment last fall," Monaco said. The Sony incident "was a game changer, because it wasn’t about profit – it was about a dictator trying to impose censorship and prevent the exercise of free expression," she added, referring to FBI and NSA allegations that North Korea's communist leader Kim Jong-un was behind the incident.

Cyber NCTC is one piece of the federal response to private sector hacks. About a year ago, the administration released a set of voluntary standards for protecting corporate networks. Last month, it issued a legislative proposal that would mandate a 30-day deadline for hacked companies to notify customers and would provide liability protections to firms that tip off the government about breaches they’ve suffered.

Later this week, at a White House cyber summit at Stanford University, Obama is expected to discuss mechanisms that companies can use to share such information with DHS. 

Monaco said sharing hacker information more broadly must be done “consistent with our fundamental values and in a manner that includes appropriate protections for privacy and civil liberties.”