The formal organizational integration of intelligence and cyber personnel is making a difference in better cyber defense, an Air Force official said this week.
The creation of 16th Air Force – which merged two numbered Air Forces combining cyber, intelligence, surveillance, reconnaissance, electronic warfare and information operations – is providing greater context for defensive cyber operations and network defense, Col. Lamont Atkins, commander of the 567th Cyberspace Operations Group, said Sept. 15 at the Virtual Air, Space and Cyber Conference.
Better intelligence for defensive cyber versus offensive cyber has been a constant struggle dating back years. The Department of Defense had to create defensive cyber operations from scratch while there was a bit of a template for offense that came from the intelligence world.
Atkins said enabling intelligence for defensive cyber operations is one of the most critical aspects to empower cyber protection teams, the defensive cyber teams each service provides to U.S. Cyber Command, especially in what defensive officials describe as the competition phase of warfare in which adversaries are constantly probing networks.
Intelligence has to be baked into the planning cycle from the beginning, he said, in order to better understand adversary capability and intent.
“With that strategic level of understanding, we compare that with scoped operational intel at a functional level that highlights the most dangerous advanced persistent threat to the assigned terrain in this new emerging environment,” he explained. “Only then can our cyber protection teams conduct threat-focused, intel-driven hunt operations that are based on behavioral heuristics instead of data indicators of compromises that change rapidly and by evolving and sophisticated adversaries.”
The 16th Air Force merger helps clear up biases regarding the importance of ingraining intelligence from the start, he added.
The merger has also made offensive teams more robust by formalizing the integration of intelligence personnel and cyber personnel on the same team.
Atkins said that, to make better use of intelligence to drive defensive cyber operations, defensive cyber teams need assistance from industry to both identify appropriate data sources and integrate them to drive planning early in the process.
He also explained teams are working through how to use data analytics through various echelons, which he admits will likely take a few months, if not over a year, to build.
Working through industry, he said, may shrink that timeline.