"Cyber Intelligence" Doesn't Mean What You Think It Does or Does It?




Confusing title?

Absolutely.

But that is exactly the case in terms of what cyber intelligence means to different people. At the very least, it means two very different things. For a technical cyber security professional, it means indicators of compromise, network infrastructure, and malware characteristics. For someone from a more traditional intelligence background, it refers to how specific actions in cyberspace and cyber capabilities impact the larger strategic picture. For example, does a single network intrusion or a series of them signify a criminal enterprise or a concentrated campaign to take down a network for some larger purpose? While there is obvious overlap, and in some cases the former definition does fall into the latter, more often than not there is not a good match and the process is more akin to putting a square peg into a round hole.


This is not necessarily a new phenomenon. Tactical military intelligence and strategic intelligence produce the same friction. Much like in cyber intelligence, having a weapon or a capability doesn't necessarily translate into using it or using it in a conventional manner. These different levels of understanding require separate approaches. At the same time, we also have to avoid the stovepiping that so commonly occurs in the intelligence process. To make matters worse, technical cyber intelligence is a specialist skill with a fairly steep learning curve that continues to change as the threat landscape evolves. For this reason, many people who need to understand cyber threats and the larger picture remain ignorant of or detached from "cyber intelligence" as a cybersecurity professional understands it.

In order to bridge this gap and to create a more cohesive "cyber intelligence" picture, it is time to fix our terminology and move on from this basic confusion by ceasing to call two different things by the same name. As a more traditional intelligence professional, my inclination is to cling to the terms as I know them, but this is simply not practical. The fact of the matter is that the technical definition is the one that has stuck and is more broadly understood. For this reason, I propose that now is the time to figure out a different lexicon for how cyber impacts the larger strategic picture and to start using it.

So this leads us to the hard part - what do we call cyber intelligence as we understand it if we can't call it cyber intelligence?