Editor’s note: This article is part of a series, “Full-Spectrum: Capabilities and Authorities in Cyber and the Information Environment.” The series endeavors to present expert commentary on diverse issues surrounding US competition with peer and near-peer competitors in the cyber and information spaces. Read all articles in the series here.

Special thanks to series editors Capt. Maggie Smith, PhD of the Army Cyber Institute and MWI fellow Dr. Barnett S. Koven.


Cyber is Ubiquitous

Global interconnectedness through cyberspace is an irreversible and all-encompassing fact of life that presents a multitude of benefits, as well as risks. The degree to which cyberspace and its vulnerabilities have permeated our lives is readily on display at various hacker conferences where white-hat hackers patiently try to gain root access to sample medical devices normally used in hospitals, industry experts discuss the process of remediating cyber vulnerabilities in domestic election infrastructure while other presenters talk about the current market for “zero days,” and experts explain dynamic evolution of the cyber insurance market. As our lives are on a seemingly irreversible glide path to becoming more interconnected, the likelihood of malicious foreign and domestic behavior in cyberspace similarly increases.

The United States—its public and private sectors—finds itself at a crossroads: we must improve our understanding of elusive, ever-changing threats, while simultaneously remaining agile in our capability to identify and respond to them. Such an approach requires the means to disseminate information rapidly to reduce the impact and increase timely awareness of these events. This paper lays out how the Office of the Director of National Intelligence (ODNI) can build on this mission by briefly examining the critical intelligence community integration role it was assigned when it was originally formed, reviewing the Cyberspace Solarium Commission’s recommendations for the US government, and providing ideas for and examples of how ODNI, with other agencies, can effectively realize these recommendations.

Significant Foreign Cyber Threats

The ODNI’s Annual Threat Testimony (ATA) for 2021 highlights the increasingly sophisticated and persistent foreign cyber threats to the United States. These encompass a wide range of activities and actors that almost certainly require a whole-of-government effort to halt the theft of trade secrets and personally identifiable and other proprietary information, as well as malicious cyber activities that directly or indirectly damage industry, hurt economies, disrupt financial stability, and hold at risk physical and digital critical infrastructure. The most notable threats to the United States stem from China, Russia, Iran, and North Korea. These countries are enhancing their capabilities to target US and allied forces and their cyber capabilities may even weaken conventional deterrence. In 2021 alone SolarWinds, Hafnium, and the recent ransomware attack against Colonial Pipeline demonstrated a continued diversity in targeting, tactics, and sophistication. More broadly the US government, small businesses, the global financial system, human rights activists, and even the entertainment industry have not been immune from malicious foreign cyber activity. Moreover, ODNI’s ATA highlights that aggressive behavior by foreign cyber actors threatens US national security. The seemingly unfettered pace of these developments—as in the case of North Korea’s cyber activities for example—“raises the prospect of more destructive and disruptive activity.”

The 2021 ATA calls out the threats posed by specific nations. It notes that Russia is considered the “top cyber threat” that continues to target critical infrastructure in the United States and in allied and partner countries. China is cited as a “prolific and effective cyber-espionage threat” that also “possesses substantial cyber-attack capabilities” that, at a minimum, can cause localized, temporary disruptions of critical infrastructure. Both Iran and North Korea are called out as significant threats whose cyber capabilities have—in the case of Tehran—already targeted critical infrastructure. Meanwhile, Pyongyang is cited as having the expertise to cause limited disruptions of some critical infrastructure and has already targeted financial and cryptocurrency exchanges worldwide. With regard to nonstate actors, the ATA explains that some foreign cybercriminals targeting the United States may maintain relationships with other countries that offer them safe haven or benefit from their activity.

A Multifaceted, Whole-of-Government Approach

Multiple US government departments and agencies, including the Department of Defense, FBI, Cybersecurity & Infrastructure Security Agency (CISA), and the intelligence community (IC), have overlapping missions aimed at improving cyber threat identification, cyber defense, and efforts to slow, stop, and deter cyber threats. Yet greater coordination and synchronization of effort are required to align ongoing, mutually supportive, and reinforcing efforts across these agencies. These should incorporate the effective use of diplomatic messaging and outreach, the imposition of sanctions and law enforcement actions, and—equally important—persistent US government engagement in cyberspace focused on degrading adversary capabilities. This type of approach also simultaneously requires enhanced fusion of shared data from foreign intelligence sources along with, among other things, information obtained from the private sector.

Although relatively small in size in comparison to other agencies, ODNI is postured to help fill parts of this overall critical role. Since its inception ODNI’s mission has been to support interagency cooperation within the IC, while also serving as one of many sources of timely information. ODNI’s National Cyber Executive, as well as other ODNI offices and the National Counterintelligence Center, are empowered with complementary functions to integrate their respective communities.

A Way Forward: The Cyberspace Solarium Commission Report

The increased intensity of foreign cyber threats, which have obtained national-level attention, was the impetus for convening a diverse group of cyber experts led by bicameral, bipartisan chairs in 2019. The Cyberspace Solarium Commission, as it became known, was established to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequence.” The commission’s report provided a series of recommendations that, in total, call for an enhanced, streamlined interagency approach to preempting and responding to cyber threats and intrusions. It further recommended that ODNI’s Cyber Threat Intelligence Center (formed in 2015 and later merged in 2020 with the National Intelligence Manager for Cyber to form the Office of the National Cyber Executive) strengthen cyber integration within the IC, FBI, CISA, and the Department of Defense. The report calls for these departments and agencies to work to “ensure systems, processes and the human element of collaboration and integration are fully brought to bear in support of the critical infrastructure cybersecurity and resilience mission.”

In addition, the commission’s report notes that ODNI’s National Cyber Executive can support consolidating analysis and improving US government attribution analysis. This includes working with the Department of Homeland Security and FBI, who partner with the private sector. Improved attribution analysis entails producing assessments that pull together multiple streams of information—from sector-specific agencies, IC entities, the commercial cybersecurity sector, and others—with the goal of uncovering the culprits behind malicious cyber activity directed against the United States. The report also notes that ODNI will assist in creating assessment timelines, coordinating working groups, and collaborating on the development of “an attribution-decision rubric.”

ODNI’s Historic Mission Has Current Applications to Cyber

ODNI was created in the aftermath of the 9/11 terrorist attacks. This tragedy revealed nascent interagency bottlenecks to information sharing, intelligence reporting, and intelligence analysis. Prior to the attacks, counterterrorism efforts were segmented between domestic law enforcement and foreign intelligence. Barriers existed to coordinating across the national, state, tribal, and local levels, thereby inhibiting the availability of information to produce all-source analysis. To an extent, ODNI has addressed these challenges. In 2010, Director of National Intelligence Dennis Blair reported that ODNI had “made considerable progress toward breaking down the information-sharing, technical, and cultural barriers across the Intelligence Community that were identified in the wake of the September 11th attacks.”

ODNI, it can be argued, has thus far been successful because it is uniquely positioned to facilitate an interagency approach in support of critical national security objectives. It can accomplish this because Congress has previously provided the director of national intelligence (DNI) with a number of discrete authorities and duties. In particular, the DNI serves as the principal advisor to the president, the National Security Council, and the Homeland Security Council for intelligence matters related to national security. The DNI is also responsible for—among other things—establishing objectives and priorities for collection, analysis, production, and dissemination of national intelligence; ensuring maximum availability of, and access to, intelligence information within the IC; and ensuring the most accurate analysis of intelligence is derived from all sources to support national security needs.

Information sharing continues to be critically important in dealing with cyber threats but challenges still exist in the timeliness, availability, sharing, and diversity of information sources. ODNI can help foster an IC-wide culture that fuses data and analysis from multiple agencies including sector-specific agencies. In this capacity the organization’s value includes obtaining timely downgrades of information and melding geopolitical and technical analysis into threat assessments. Aligning cyber threat intelligence with ongoing defense/remediation and countering efforts can achieve key national security objectives.

ODNI and its National Cyber Executive are also poised to create synergies within the organization and the IC, the broader US government, and foreign partners. The organization’s mission—manifest in part in Intelligence Community Directive 900 (ICD-900) and other DNI documents—supports this role by enabling multifaceted collaboration in the following areas: 1) integration of intelligence analysis and reporting, 2) integration of information/data (i.e., wider sharing of varying data sources to enhance insights), 3) integration of mission (within ODNI, within the IC, and with non-IC US government departments and agencies), and 4) budget authorities. The former three areas are the focus of the subsequent section.

ICD-900 and ODNI’s Integration Function

ICD-900, “Integrated Mission Management,” provides the basis for ODNI’s internal structure. This directive details an organization composed of regional and functional national intelligence managers, and senior intelligence experts (i.e., national intelligence officers). It also underscores the need for incorporating counterintelligence and intelligence collection expertise. These functional roles are intended to minimize duplication of effort, afford access to intelligence and intelligence-related information, and empower the DNI to remediate any impasses that would preclude sharing of information across the IC. The national intelligence managers also help set the strategic guidance by outlining broad priorities through what are known as the Unified Intelligence Strategies. These orient and guide intelligence collection and analytic activities to satisfy customers’ information needs. All of these functions are critical in the realm of cyber because they help streamline potentially disparate efforts, enhance information sharing, and provide strategic guidance.

Supporting Interagency Analytic Integration

An example of the ODNI National Cyber Executive’s analytic integration role occurred in December 2020, as the FBI, CISA, and ODNI became aware of a significant cybersecurity threat—SolarWinds. In response, these agencies formed a cyber unified coordination group to coordinate a whole-of-government response. The FBI served as the lead entity investigating and gathering intelligence in order to attribute, pursue, and disrupt threat actors engaged in malicious cyber activities. CISA took immediate action issuing an emergency directive instructing federal civilian agencies to disconnect or power down affected SolarWinds Orion products from their networks. ODNI—in its role leading intelligence support to related activities—marshaled all of the IC’s relevant resources to support this effort and share information across the USG.

Strategic Analysis & Threat Reporting

The National Intelligence Council (NIC) and the ODNI National Cyber Executive are engaged in complementary missions for intelligence analysis and integration. The NIC is the IC’s center for long-term strategic analysis; it serves as a bridge between the intelligence and policy communities, a source of deep substantive expertise on intelligence issues, and a facilitator of IC collaboration and outreach. It is staffed by senior experts on a range of regional and functional issues.

The National Cyber Executive does not collect intelligence nor is it operational but instead provides current cyber threat intelligence that supports the work of other centers and agencies. The Cyber Threat Intelligence Summary (CTIS)—a report produced by the ODNI National Cyber Executive—integrates inputs from various agencies including those responsible for network defense, the IC, law enforcement, incident responders, and nongovernment sources. Members of the CTIS team build on their baseline understanding of foreign cyber threats to US national interests by working in conjunction with federal cyber centers and departments and agencies. The purpose of its community-based analysis is to incorporate a wide set of expertise (i.e., cyber, regional, technical, etc.) thereby providing policymakers with a broader context for understanding cyber threats.

Developing Tools to Aid Public Attribution

The National Cyber Executive staff also helps to lead a community of analysis on foreign cyber threats working to build consensus for the attribution of foreign cyber threats. These efforts may, in turn, be guided by a proposed cyber threat framework to enable consistent categorization and characterization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries. In short, this rubric captures the adversary lifecycle from preparation of cyber operations to the creation of effects and consequences from theft or disruption. This tool may be useful in improving attribution analysis.

DNI Helps Synergizes Effort, Supports Integrated Approach in Response to Foreign Cyber Threats

ODNI’s formation sprung from the need for more comprehensive sharing and access to information. Now, more than ever, this is needed to tackle the challenges the United States faces from persistent foreign adversaries in cyberspace who continue to use cyber espionage and cyberattacks for malicious ends. Mission integration—bringing together the many moving parts of cyber across ODNI and the IC while working with the rest of the US government—is one of ODNI’s core missions. It can result in strengthening unity of effort and synchronization of actions. This effort spans various ODNI functional and regional national intelligence managers and ODNI centers and invokes some of the organization’s critical roles (e.g., counterintelligence, foreign influence, analysis of intelligence collection) to address three critical cyber needs: 1) improved insights on foreign cyber actors’ tactics, techniques, and procedures by means of intelligence collection and the use of commercial data and other information sources; 2) support to the FBI, CISA, and other entities promoting resilience and cyber defense; and 3) a strengthened interagency approach to countering and reducing the threat from foreign cyber adversaries.

An agile response requires nothing less than the streamlined integration of analysis, information, and US government and private sector efforts. ODNI does not stand alone in this fight; rather it integrates efforts across the interagency to ensure a whole-of-government approach to cybersecurity. In this regard, ODNI is well positioned to continue to support senior policymakers including the soon-to-be created Office of the National Cyber Director.

Ken Mangin is a foreign policy and national security expert with nearly twenty years’ experience in the US federal government. He currently serves as an interagency cyber coordinator in the Office of the Director of National Intelligence, where he has facilitated responses to foreign cyber threats.

The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, Department of Defense, US government, or any organization with which the author is affiliated.

Image credit: Christiaan Colen (adapted by MWI)