Cybersecurity and Deterrence

Analytic Superiority, Public-Private Cooperation and the Future of U.S. Foreign Intelligence

By David Kris
Friday, May 17, 2019, 10:18 AM

After years of focusing on counterterrorism, a mainly kinetic threat, the U.S. intelligence community must now adapt to a long-term cyber struggle with nation-state adversaries. This struggle includes election interference and other socio-political disruption, cyber sabotage, theft of secrets, and competition in emerging technologies such as quantum computing and 5G wireless communications. To succeed against these threats, the intelligence community must shift its approach in two related ways. First, it must focus on analytic superiority as well as cryptographic superiority—terms that I explain below but that basically require a shift in emphasis from accessing data to managing and using data. Second, to achieve analytic superiority, the intelligence community must develop stronger partnerships with the private sector and academia, and a broader base of external support with the American people.

Analytic Superiority

From the Revolutionary War through the 1980s, a key challenge for American spies and eavesdroppers was cryptographic superiority—gaining access to other governments’ secrets while protecting those of the U.S. This would involve, for example, finding communications channels, data repositories and persons with access to information; stealing information from or through them; and (where necessary) breaking encryption. There was also a counterintelligence aspect to cryptographic superiority, which was focused mainly on preventing the adversary from doing the same things to the U.S. The United States sought Soviet ciphers, order of battle, and military technology and strategic plans, and tried to prevent the Soviets from obtaining American information. This was, and still is, an important part of intelligence tradecraft.

In the internet age, with expanding digital networks and the increasing volume, velocity and variety (V3) of digital data, the main challenge shifted from finding information to being overwhelmed by it. Locating and exploiting (or concealing and protecting) individual pieces of valuable data remained the focus, but intelligence analysts now had to filter and find the needle in the haystack. Cryptographic superiority thus evolved to include tools, techniques and practices designed to manage this haystack problem. As Michael Hayden, former director of the National Security Agency (NSA) and the Central Intelligence Agency (CIA), testified to Congress in 2005, using a different metaphor, the “more success you have with regard to collection, the more you’re swimming in an ocean of data,” and so the intelligence community had to develop new technology “to help us deal with masses of information and to turn it into usable things for American decisionmakers.” This led to the era of early pattern recognition, such as collecting metadata in bulk and then “contact chaining” one or two “hops” out from a person of interest—for example, identifying a suspected al Qaeda terrorist, tracking his communications to identify his interlocutors, and then tracking their communications to map a terrorist network.

The evolution has continued. Today the key challenge is not just larger haystacks, but larger and more numerous hayfields of disaggregated and sometimes fuzzy data—both a qualitative and quantitative change from the early internet age. The premium is now on making connections between and among seemingly unrelated bits of information, both public and nonpublic, and discerning latent patterns in data sets that are too large for humans to examine alone. In addition to maintaining cryptographic superiority, which involves gaining access to usable data, the intelligence community now must improve its analytic superiority—the ability to exploit and extract useful insights from enormous amounts of scattered data.

As always, there is also a counterintelligence side to analytic superiority: The intelligence community must also prevent adversaries from “poisoning” data with misinformation or otherwise corrupting our ability to extract insights. For example, as the intelligence community has recognized, an artificial intelligence system for use in autonomous vehicles that is “learning to distinguish traffic signs” by reviewing large sets of known images “can be given just a few additional examples of stop signs with yellow squares on them, each labeled ‘speed limit sign.’ If the AI were deployed in a self-driving car, an adversary could cause the car to run through the stop sign just by putting a sticky note on it.” Analytic superiority includes protecting against efforts like this in the context of intelligence and defense-related activity. For the foreseeable future, America’s intelligence success will depend largely on prevailing in this contest.

Building Partnerships and Support

Acting alone, the intelligence community cannot achieve analytic superiority or meet the new cyber challenges. It needs to develop better and stronger partnerships, and a base of support, with the private sector and others. This is true for at least four reasons.

First, much of the cyber battle space—the networks and servers where critical data transit and reside, and where we compete with intelligence adversaries—is owned and operated by the private sector. The Trump administration’s brief and wildly unsuccessful exploration of a government-owned 5G wireless network shows that this will likely remain the case indefinitely. The Defense Department’s $10B JEDI program, which will involve private-sector cloud hosting of critical Pentagon information and warfighting applications, represents the future.

Second, in part because they own the battle space, private-sector companies have far better access than the intelligence community to certain data, including information from governments and other critical foreign intelligence. For defense, offense, deception and intelligence, the intelligence community needs stronger partnerships, under law and protective of customer privacy, with companies ranging from government contractors and subcontractors to communications and internet backbone providers.

Third, nongovernmental entities have developed analytic tools and capacities that in certain areas are as good as or better than those used by the intelligence community. In his 2005 testimony, Hayden described a meeting he had held with “several leaders of industry ... very well-known folks in the American IT and computing industry,” about the NSA’s efforts to manage the haystack problem. The industry leaders’ response, he said, was “whoa, that’s bigger than anything we do,” leading him to conclude that there “is no other element out there in American society that is dealing with volumes of data in this dimension.”

That is pretty clearly no longer the case. The private sector has fostered tremendous innovation in the linking and exploitation of V3 digital data, often using artificial intelligence and machine learning. Analytically, the private sector has also progressed dramatically: Attribution of malware by academics and cybersecurity companies, for example, is now far more common and credible than it was just a few years ago. Meanwhile, the intelligence community struggles to overcome a bias against software developed elsewhere and to adopt agile practices in its own development operations.

Fourth, politically, the country has largely abandoned the paradigm of intelligence oversight that depended on deference to congressional intelligence committees and leadership. This has required the intelligence community to build support with rank and file members of Congress, the news media, expert validators (including Lawfare contributors) who help explain intelligence activities to a wider audience, and the American people. Accelerated by crises from the Church Report to 9/11 to Edward Snowden, intelligence oversight has evolved from essentially nothing (1947-1976), to secret proxy oversight through elite members of Congress (1976-2013), to something closer to ordinary political accountability (2013 to present). A broader set of congressional overseers requires the intelligence community to build a broader base of legislative and public support. A critical challenge for the intelligence community will be to adapt to this environment without abandoning factual rigor or embracing self-serving propaganda or politicization, and to manage the associated pressures for greater transparency.

***

At present, relations between the intelligence community and the private sector are at a low ebb. In many ways, this is the most significant long-term fallout from Snowden’s disclosures—more important than the exposure of any particular source or method. Faced with the disclosures, the Obama administration pivoted to what Acting Secretary of Commerce Cameron Kerry described as “a stronger message on privacy while dialing back the emphasis on security.” That and other factors led American providers to go further in the same direction and emphasize their independence from the U.S. government in an effort to build trust with potential European data and cloud service customers. President Trump’s flamboyantly ambivalent relationship with intelligence surveillance and the intelligence community, and his disdain for the rule of law, have done nothing to strengthen relations or restore trust. Meanwhile, however, U.S. adversaries enjoy fruitful partnerships with the private sector, including through Dark Web exchanges and in joint ventures of the sort described in the special counsel’s indictment of the Russian Internet Research Agency.

The first moves toward stronger partnerships must come from the government. It must prove that it can be a reliable and reasonable partner with the private sector, and that it understands the importance of protecting civil liberties and the rule of law. It must demonstrate that cooperation with the intelligence community can be a feature, not a bug, for commercial offerings. This may be more possible as the Snowden revelations recede and the public gains increasing awareness of foreign governmental threats such as Chinese cyber theft, Russian election interference, and Iranian and North Korean hacking and sabotage. But it will not occur without bold leadership and determined efforts from the intelligence community to reestablish credibility, build external support and promote the partnerships it needs to fulfill its mission. A unilateralist approach is doomed to fail.