About this time last year I discussed my thoughts on Counterintelligence (CI) and Computer Network Defense (CND). My basic proposition then was that CND is materially identical (or – more precisely – a monomorphism) to a restriction of CI to Cyber activities.
I think that I was way to hesitant in making this claim. After many more time spent on threat and risk modeling I am more leaning to something along these lines – Any form of effective CND has a meaningful CI program as necessary prerequisite [1]:
CND ⇒ CI
So, what does that mean, really? This is obviously a significantly stronger assertion that the earlier one: Last year I argued that there methods and TTPs for effective CND have to be similar to CI, as applied to the cyber domain. At this time, I think this is way too restrictive, since any form of organizational defense (not only CND) does require a more less effective CI program to address some of the most pertinent problems such as e.g. the Insider Threat:
Malicious insiders act often with authorized or tolerated access similar to what an engaged defender would do. The most fundamental difference is the intent for accessing assets, which is in the case of the malicious insider guided by personal motives, including personal gain, revenge, and similar. From a traditional CND sensor perspective, the insider’s activity will look similar to other access.
If we therefore want to address some of these advanced threats to operational environments we need to be able to interpret actions based on their intentions, hence the need for engaging CI in a CND (or any other defensive program).
[1] While the opposite is not true, it still should be noted that CI can benefit greatly from other Computer Network Operations (CNO) and Information Operations (IO) in general.