Cyber threat agency navigates growing pains

The White House's plan for fusing cyber intelligence after the massive hack of Sony Pictures Entertainment got off to a rocky start, but an insider says agency turf battles that appeared ready to unfold have been quieted.

CTIIC, the Obama administration's new cyber intel fusion center, will spin up operations in 2016.

The White House's plan for fusing cyber intelligence after the massive hack of Sony Pictures Entertainment got off to a rocky start. The Obama administration reportedly gave the House Permanent Select Committee on Intelligence little to no notice before announcing the Cyber Threat Intelligence Integration Center in February, irking lawmakers and possibly contributing to an inter-branch disagreement over the fiscal 2016 intelligence authorization bill.

Several months later, the agency turf battles that appeared ready to unfold have been quieted, and there is agreement on Capitol Hill on the need for CTIIC, according to an administration official involved in standing up the agency.

President Barack Obama ordered CTIIC to be housed at the Office of the Director of National Intelligence, with a goal of having the center fully running by the end of fiscal 2016. The initial plan was to give CTIIC a staff of about 50, drawn from personnel from the CIA, Department of Homeland Security, FBI and National Security Agency, among other agencies.

While there may have been some initial skepticism about CTIIC from DHS officials who run their own cyber threat center, any such skepticism has dissipated, according to the administration official, who spoke on the condition of anonymity.

"I think we've turned the corner with [DHS] where they feel like they're one of the key customers now," the official said.

DHS officials were initially worried by the announcement of CTIIC "because they were afraid it would replace or supplant" DHS' National Cybersecurity and Communications Integration Center, said James Lewis, a senior fellow at the Center for Strategic and International Studies who speaks regularly with administration officials on cybersecurity. A former DHS official who is in touch with staff from that agency's National Protection and Programs Directorate echoed that same concern.

CTIIC, however, is meant to be wholly different from NCCIC. The former is an inward-facing intelligence mechanism, while the latter is charged with disseminating cyberthreat information to the private sector. The omnibus package that Obama signed into law last week includes cybersecurity legislation that solidifies NCCIC's lead role in the public-private exchange of cyberthreat data. Meanwhile, administration officials say there is a clear need for a new clearinghouse for cyberthreat intelligence, a point made painfully clear by the Sony Pictures hack and its aftermath.

There was no one-stop shop the president could turn to when looking to assign blame for the digital dismemberment of the film studio. As Lewis put it, administration officials "couldn't get a coherent intelligence picture," and DHS lacks the kind of actionable intelligence needed.

National Security Council staff have been overwhelmed by the sheer volume of cyber-related analysis they have had to compile in an era of high-profile breaches, according to current and former officials.

"There's a degree of integration that's occurring on my staff that really should not be occurring," White House cybersecurity coordinator Michael Daniel said the day after CTIIC was announced. "It needs to come in to us that way. I think that CTIIC will be a great force multiplier in this space."

CTIIC is meant to fuse analyses from several cyber centers, including NCCIC, the National Security Agency's Threat Operations Center, and the FBI's National Cyber Investigative Joint Task Force.

Those cyber centers are still maturing, and CTIIC "is like a natural 2.0 in the evolution of that process," said the administration official involved in CTIIC's standup.

CTIIC will also focus on improving the U.S. government's confidence level in attributing cyber intrusions to specific actors and on standardizing the language for discussing attribution, the official said: "There's a lot of work to be done just standardizing the vocabulary, and the common operating picture, [which] is the key to CTIIC, is what's lacking now."

The new cyber agency has a director and a deputy, but the official declined to name them. An ODNI spokesman said that announcement will be coming soon. CTIIC's new offices are at the Liberty Crossing Intelligence campus in McLean, Va., which also hosts ODNI and the National Counterterrorism Center.

While the administration was getting its ducks in a row, a lack of short-term funding from Capitol Hill complicated CTIIC's launch, according to the official. Appropriators did not meet an administration request for reprogramming in fiscal 2015 funding to help get the center prepped for an Oct. 1 standup, the official said. CTIIC is today functioning in a limited capacity, Inside Cybersecurity reported last month.