Established in 2015, the Cyber Threat Intelligence Integration Center — the newest of the Office of the Director of National Intelligence’s four multi-agency centers — seeks to build a better understanding of foreign cyberthreats to U.S. national interest and to enable informed decision-making.
The goal is to facilitate the sharing of that information with a view to integrated community analysis of cyberthreats and supporting interagency planning while pulling information from network defense intelligence and the law enforcement community, said Lt. Gen. John Bansemer, assistant director of national intelligence partner engagement at ODNI, who spoke Wednesday at the DoDIIS Worldwide Conference.
The bottom line, he said, is that CTIIC integrates a whole-of-government approach against cyber adversaries, and it does this in three ways.
First, it provides awareness of adversary threat activities. During the initial outbreak of the WannaCry ransomware, Tom Bossert, assistant to the president for homeland security and counterterrorism, explained that CTIIC was keeping the government informed of the classified insights and the investigation into the cyberattack.
Second, CTIIC provides analytic integration through collaboration with cyber and non-cyber subject matter experts to integrate community analysis to support decisions on mitigating and countering current and near-term cyberthreats.
Third, Bansemer said, CTIIC provides opportunities or options to help identify the whole-of-government response to cyberthreats that reflect all instruments of national power.
“To summarize, CTIIC pulls together fragments of cyberthreat information produced by the IC [intelligence community] and law enforcement and network defenders in order to connect the dots to allow the U.S. government to put it all into context to allow us to counter or mitigate its effects,” Bansemer said.
Bansemer was sure to point out that CTIIC does not advocate a CTIIC view. It could never produce the community analysis on current threat issues without the trusted and enduring partnerships built with experts in the community, he said.
As it was stood up, Obama administration officials were sure to note it would not be an operational center, collect intelligence, manage incident response efforts or direct investigations.
CTIIC was one of three efforts in cyberspace that Bansemer identified under ODNI. One was the IC IT Enterprise, which he described as a facilitator of strong and effective information sharing in support of the business of intelligence that will establish a common data platform across the IC, enhancing the speed and security and reliability of data transfers and ingestion.
The other was the Intelligence Advanced Research Projects Activity, which is one way the IC thinks about and prepares for the future. It does this, he noted, by investing in high-risk, high-payoff research programs.