(U) The United States Cyber Counterintelligence Plan

Foreword (U)

(U) The President's Comprehensive National Cybersecurity Initiative directs us to secure the cyber networks that make up our government's central nervous system. This Cyber Counterintelligence Plan is part of that undertaking and fits seamlessly within the current National Counterintelligence Strategy.

(U) Protecting cyberspace requires that we reconsider the entire technical infrastructure involved in electronic communications. Protecting it will require a robust public-private effort, because much of that infrastructure is privately owned. Moreover, the threats to our cyber operations may be enabled through remote electronic operations, or by a human penetration or supply chain operation. This Cyber Counterintelligence Plan is therefore designed to address the full spectrum of threats.

(U) Much of what constitutes counterintelligence (CI), and the many related activities that support counterintelligence, exist in organizations that are not designated as such. Counterintelligence is defined as information gathered and activities conducted to identify, deceive, exploit, disrupt or protect against espionage, other intelligence activities, sabotage or assassinations conducted for or on behalf of foreign powers, foreign organizations or persons, or their agents, or international terrorist organizations or activities. While intelligence agencies all have a CI effort, the size of the human and financial resources focused on the CI business area is often small compared to other mission areas. As we embark on a Comprehensive National Cybersecurity Initiative, we have been proactive and strategic in including CI in the formative stage. As the Initiative matures, we must remain committed to resourcing CI as a key aspect of our implementation, and we must align resources to each agency according to its responsibilities.

(U) We cannot sit back and monitor hostile activities as they come. The volume, variety and velocity of such activities are too great for such a passive strategy to work, and perimeters are electronically penetrable even by moderately sophisticated adversaries. Moreover, hostile cyber activities may be launched from inside network perimeters. This strategy therefore calls for a defense-in-depth. We will strengthen defenses at the edges of our networks and within our networks, building and strengthening electronic strong points where our most important information and system functionality resides. We will also gather intelligence on the source and nature of hostile cyber activities before they come.

(U) Foreign cyber penetrations that may receive the most public attention may not be the intrusions of the highest national security concern. The fact that we know about an intrusion suggests on its face that the intruder is not operating at the level of covert sophistication of which our most advanced adversaries are capable. Sophisticated state-sponsored hostile cyber activities can appear to be invisible because they hide in the noise of continuous activities against U.S. systems. Cleaning the noise out of our systems is important not only for its own sake but also because doing so will make it easier to find the most insidious, currently invisible hostile cyber activities, which are far more dangerous.

(U) In the area of cyber counterintelligence, this Plan is the beginning of the extended effort that the President called for in his Comprehensive National Cybersecurity Initiative. In the national interest, it must be followed by concerted efforts that extend across the entire government and from one administration to the next.

Joel F. Brenner
National Counterintelligence Executive

John S. Pistole
Deputy Director, Federal Bureau of Investigation

Table of Contents (U)

The Threat (U) ... 1
Background (U)
Outline of the Cyber CI Plan (U)
Cyber Counterintelligence Objectives (U)
OBJECTIVE 1: Detect, deter, disrupt and mitigate internal and external cyber threats through defensive counterintelligence measures (U) ... 9
  Objective 1.1: Detect, deter, disrupt and mitigate internal threat (U) ... 10
  Objective 1.2: Detect, deter, disrupt and mitigate external threat (U) ... 12
[Entries for OBJECTIVE 2 and OBJECTIVE 3 redacted; only "Objective 3.2" is legible]
OBJECTIVE 4: Strengthen collaboration among security, law enforcement and counterintelligence elements (U) ... 18
  Objective 4.1: Infuse CI into existing security and law enforcement (LE) incident reporting (U) ... 19
  Objective 4.2: Employ CI, LE methodologies to optimize responses (U) ... 19
  Objective 4.3: Share CI information at the lowest classification possible (U) ... 20
  Objective 4.4: Establish uniform incident reporting and forensic examination requirements ... 20
OBJECTIVE 5: Conduct all-source analysis in support of the Cyber CI mission (U) ... 21
  Objective 5.1: Conduct Cyber CI analysis and provide actionable reporting (U) ... 22
  Objective 5.2: Develop and coordinate cyber damage/loss assessments ... 22
OBJECTIVE 6: Establish/expand Cyber CI education, awareness programs and workforce development to integrate counterintelligence into all aspects of cyber operations and analyses (U) ... 23
  Objective 6.1: Educate and train CI professionals about the full spectrum of cyber threats (U) ... 23
  Objective 6.2: Expand national awareness on the threat posed by foreign adversaries (U) ... 24
Conclusion (U) ... 25
Appendix A: Resources (U) ... 26
Appendix B: Tools, Tradecraft and Technology (U) ... 35
Appendix C: Assessment of Damage/Loss from Cyber Intrusions (U) ... 42
Glossary

Table of Figures (U)

Figure 1: Threat Vectors ... 1
Figure 2: The 12 Interdependent Cybersecurity Initiatives ... 6
Figure 3: The 7 Interdependent Strategic Enablers ... 6
Figure 4: Cyber CI Plan Objectives ... 8
Figure 5: Assessment of Loss from Cyber Intrusions ... 45

Table of Tables (U)

Table 1: [title partly illegible] and Recommendations (U) ... 4
Table 2 ... 26
Table 3 ... 27
Table 4 ... 31
Table 5 ... 3[digit illegible]
Table 6 ... 33
Table 7 ... 34
Table 8 ... 34

The Threat (U)

Trusted insiders as well as external adversaries are targeting all aspects of cyberspace (a global domain within the information environment consisting of interdependent networks of information technology infrastructures, which include the Internet, telecommunications networks, computer systems, and embedded processors and controllers) for exploitation, disruption and potential destruction.
Threats include vendor and supply chain exploitation, remote access operations, close access technical operations, and insider exploitation. Potential damage ranges from theft or alteration of data to denial of service or the destruction of cyber assets. Figure 1, Threat Vectors (U), describes access methods that are used to exploit U.S. Government networks. The vendor/supply chain threat represents one end of the spectrum, where adversarial access can occur anywhere within a broad continuum. The other end of the threat spectrum is represented by insider access, which typically points to one individual. Regardless of where the threat originates, the consequence is the same: a serious disruption to U.S. national security and economic stability. These threats are explained more fully below.

Figure 1: Threat Vectors (U). Source: 2004-01 National Intelligence Estimate, "Cyber Threats to the U.S. Information Infrastructure". [Figure not reproduced.]

Exploitation of the vendor/supply chain (U): Operations to gain advantage, control and/or access to intelligence information and/or information systems through manipulation of hardware and/or software by cooperative vendors, or unilaterally, during any point in the supply chain, from system design through installation at the end user site, to include servicing and retirement.

Remote access operations (U): Operations to access target information and/or information systems through network-based technical means.

Close access technical operations: [redacted (b)(1)]

Insider exploitation (U//FOUO): Operations involving the witting or unwitting unauthorized use of, or access to, information systems and networks by otherwise trusted agents/employees for the purposes of either collection or manipulation. Trusted insiders can steal information electronically or facilitate remote access to unprecedented amounts of data, and they may be ideally positioned to inflict devastating damage on U.S. Government networks through espionage and/or sabotage. According to the 2004 e-Crime Watch Survey, in cases where the perpetrator of an electronic crime or intrusion could be identified, a considerable number were committed by insiders. (Footnote: (U) 2004 e-Crime Watch Survey, conducted by CSO magazine in cooperation with the U.S. Secret Service and CERT Coordination Center.)

What the U.S. should do (U)

(U) Although the U.S. Government is making strides in securing government networks and protecting the supply chain, determined adversaries will increasingly adapt their methods to overcome security constraints. [remainder redacted]

Background (U)

(U) The National Security Presidential Directive 54/Homeland Security Presidential Directive 23 directed the Attorney General (AG) and the Director of National Intelligence (DNI) to develop a comprehensive Cyber Counterintelligence (Cyber CI) plan, including required resources. The AG and DNI delegated this responsibility to the Federal Bureau of Investigation (FBI) and the Office of the National Counterintelligence Executive (ONCIX).

(U) For the purposes of this plan, cyber counterintelligence is defined as counterintelligence by any means where a significant target or tool of the adversarial activity is a computer, computer network, embedded processor or controller, or the information thereon.

(U) The Cyber CI plan builds on the Presidentially approved National Counterintelligence Strategy of the United States of America (2007) and supports the following National Counterintelligence Mission and Enterprise Objectives:
- (U) Exploit and defeat adversarial intelligence activities directed against U.S. interests
- (U) Protect the integrity of the U.S. Intelligence System
- (U) Provide incisive, actionable intelligence to decision makers at all levels
- (U) Protect vital national assets from adversarial intelligence activities
- (U) Neutralize and exploit adversarial intelligence activities targeting the Armed Forces
- (U) Strengthen the counterintelligence cadre
- (U) Expand national awareness of adversarial intelligence threats

The Cyber CI plan is an integral component of the Comprehensive National Cybersecurity Initiative (CNCI), which establishes U.S. policy and strategy and defines implementation actions to secure [redacted]. (Footnote: Cybersecurity Policy, 8 January 2008.) The Cyber Counterintelligence Strategy of 2008 is a critical enabling element of this plan.

Figure 2: The 12 Interdependent Cybersecurity Initiatives. [Figure not reproduced.]

Figure 3: The 7 Interdependent Strategic Enablers (U). [Figure not reproduced.]

(U) The Cyber CI plan calls for unity of effort across the U.S. Government.

(U) To safeguard the privacy and civil liberties of U.S. citizens, residents and organizations, each participating organization will operate under its existing authorities and policy/security frameworks and will consult with offices of general counsel and privacy and civil liberties officers, as appropriate, to ensure compliance with law and with Attorney General approved guidelines safeguarding U.S. persons. Further, all activities contemplated by the Cyber CI Plan will be conducted in accordance with relevant statutes, Executive Orders and U.S. Government regulations governing the dissemination of intelligence-related information. This will allow the greatest flexibility while maintaining a high level of public trust.

(U) Proposed FY09-FY13 resources for implementation of the Cyber CI Plan are allocated to ONCIX, the Central Intelligence Agency and the Department of Defense. See Appendix A for a detailed discussion of the proposed resources and deliverables.

Outline of the Cyber CI Plan (U)

(U//FOUO) The Cyber CI Objectives are shown in Figure 4.

Figure 4: Cyber CI Plan Objectives (U). [Figure not reproduced; its text restates the Objective headings that follow.]

Cyber Counterintelligence Objectives (U)

OBJECTIVE 1: Detect, deter, disrupt and mitigate internal and external cyber threats through defensive counterintelligence measures (U)

(U) U.S. Government networks, both unclassified and classified, are constantly targeted by cyber intruders. Efforts by foreign intelligence and security services (FISS) to infiltrate these networks and exfiltrate sensitive data on a massive scale, or to spot, assess and recruit U.S. citizens (insiders) in carrying out their intelligence missions, are well documented. Adversaries look to exploit any weakness. The U.S. must strengthen its defense-in-depth strategy by enhancing perimeter and internal core defenses. Network defense assets exist throughout the U.S. Government as a basic component of network administration. While the Cyber CI community does not develop or implement policies, procedures or tools related to network defense and information assurance (that is beyond its scope), it does investigate cyber incidents, support operations against hostile cyber activities, produce damage assessments, and prepare threat assessments or reports. To better support defensive measures, the CI community must expand on those traditional mission sets and add others. The following sub-objectives will contribute to the success of Objective 1.

Objective 1.1: Detect, deter, disrupt and mitigate internal threat

[redacted]

(U) Per Appendix B, these tools will be catalogued and shared as appropriate.

(U) See Appendix B.

[redacted (b)(1), (b)(3)]

The insider threat is not limited to U.S. Government agencies and organizations; private industry is also at risk. To gain access to classified or sensitive U.S. Government information, including information in the critical [redacted]. Compounding the problem, private industry has less stringent incident reporting and network-monitoring requirements than U.S. Government agencies and may be disinclined to share this type of information for financial and legal liability reasons. The Cyber CI community, in coordination with the Department of Homeland Security (DHS), will engage its industry partners to improve the understanding of the insider threat and will share knowledge of current best practices and emerging technologies to audit and monitor systems and networks. Outreach personnel will ensure their corporate partners are aware that an unclassified version of the current economic espionage report is available for download at [URL illegible].

Objective 1.2: Detect, deter, disrupt and mitigate external threat (U)

[redacted]

OBJECTIVE 2: [heading redacted]

[redacted] This objective responds to the tasking outlined in the [redacted] and aligns with the National Counterintelligence Strategy Mission [Objective number illegible]. (Footnote: (U) This plan is called for in paragraph 49 of NSPD-54/HSPD-23.)

TOP SECRET//SI//NOFORN

[redacted] The following sub-objectives will contribute to the success of Objective 2.

Objective 2.1: [redacted]

Objective 2.2: [redacted]

Objective 2.3: [redacted]

OBJECTIVE 3: [heading redacted]

This Objective aligns with the National Counterintelligence Strategy's Mission Objective 4. This Objective also links to CNCI Initiative 1.

(U) The globalization of business has increased the role of international companies and foreign vendors in the U.S. IT supply chain. Fiscal savings derived from outsourcing services such as life cycle maintenance have driven many U.S. firms to outsource activities to foreign companies. [redacted] The CI threat to the supply chain can occur at any stage of a product's lifecycle: from design to manufacture, from distribution to maintenance or retirement.

(U) The following sub-objectives will contribute to the success of Objective 3.

Objective 3.1: [redacted]

Objective 3.2: [redacted]

OBJECTIVE 4: Strengthen collaboration among security, law enforcement and counterintelligence elements on cyber and network issues to increase actionable intelligence reporting and information-sharing throughout the government (U)

This Objective aligns with the National Counterintelligence Strategy's Mission Objective 2.

(U) The CNSS provides a forum for the discussion of policy issues, sets national policy, and promulgates direction, operational procedures and guidance for the security of national security systems. (Footnote: Lifecycle Risk Mitigation for National Security Systems in the Era of Globalization, 10 July 2006.)

The movement of sensitive information onto U.S. networks will continue to increase at an exponential rate. The security risk continuum is exceptionally broad, and the risk posed by [redacted]. Network and computer security alone are not enough to keep U.S. interests secure. To enhance the integrity of U.S. networks and the information that resides on them, the U.S. Government needs to strengthen collaboration among security, law enforcement and counterintelligence elements on cyber and network issues. This will require actionable intelligence reporting and information-sharing.

(U) The following sub-objectives will contribute to the success of Objective 4.

Objective 4.1: Infuse CI into existing security and law enforcement (LE) incident reporting processes to trigger CI-exploitable activities (U)

[redacted]

Objective 4.2: Employ CI, LE and cybersecurity methodologies to optimize U.S. Government responses to cyber incidents (U)

[redacted (b)(1)]

Objective 4.3: Share CI information at the lowest classification possible to maximize the breadth of the U.S. Government's response to cyber threats (U)

(U) To produce useful information for our cybersecurity and CI customers, it is critical to maintain the lowest possible classification level suitable to the subject while protecting sources and methods. Whenever practical, the Cyber CI community will institutionalize the use of tear lines to separate CI collection methods and analysis from public domain material. It is critical that vital information be disseminated as broadly and rapidly as possible, even at the expense of greater detail. The Cyber CI community will develop requirements for Initiative 8 (Improve National Cyber Education and Expertise) to ensure that analytical training modules include a segment on how to balance classification requirements against the responsibility to share CI information pertinent to cybersecurity.
Classification does not always imply criticality. Unclassified intelligence can be extremely valuable when shared with LE and other partners so that it may have a greater impact on cybersecurity throughout the U.S. Government. (Footnote: See U.S. Intelligence Community Information Sharing Strategy, 22 February 2008.)

Objective 4.4: Establish uniform incident reporting and forensic examination requirements for private sector entities, contractors, think tanks and academic institutions that provide classified and/or Controlled Unclassified Information (CUI) support to the U.S. Government (U)

(Footnote: (U) The term "controlled unclassified information" replaced the term "sensitive but unclassified" per the White House memo "Designation and Sharing of Controlled Unclassified Information", 7 May 2008.)

OBJECTIVE 5: Conduct all-source counterintelligence analysis in support of the Cyber CI mission (U)

This Objective aligns with the National Counterintelligence Strategy's Objective 2. This Objective also links to CNCI Initiative 5, the National Cyber Security Center.

(U//FOUO) The difficulty of being able to rapidly and reliably attribute [redacted]. The Cyber CI mission requires data fusion and analysis from multiple sources, including LE, cybersecurity and CI community information, in order to [redacted]. All-source CI analysis and cyber damage assessments are essential to determine [redacted] and contribute to the success of the Cyber CI mission, even if assessments are tentative. Policy makers will need to make decisions quickly despite not having a perfect answer.

(U) The following sub-objectives will contribute to the success of meeting Objective 5.

Objective 5.1: Conduct Cyber CI analysis and provide actionable reporting (U)

[redacted]

Objective 5.2: Develop and coordinate cyber damage/loss assessments covering the impact of significant intrusions and lessons learned from Cyber CI activities (U)

[redacted] (Footnote: January 31, 2008.)

OBJECTIVE 6: Establish/expand Cyber CI education, awareness programs and workforce development to integrate counterintelligence into all aspects of cyber operations and analyses (U)
This Objective aligns with the National Counterintelligence Strategy's Enterprise Objectives 2 and 3. This Objective also links to CNCI Initiative 8.

The United States must improve its technical cyber skills to prevail in cyberspace. Cybersecurity training and education will cover the spectrum from the need for general awareness on the part of each government employee to the unique needs of law enforcement, intelligence, the military, homeland security and other mission managers. The Cyber CI community will develop requirements for CNCI Initiative 8 for development of education and awareness programs to enable the cyber workforce to understand and more effectively integrate the Cyber CI mission throughout government cyber and CI programs.

(U//FOUO) The creation of a government training and education program that integrates counterintelligence in all aspects of computer network and cybersecurity operations should result in more effective and agile Cyber CI activities, increasing awareness of the cyber threat and of the mitigation mechanisms that protect against those threats. [remainder redacted]

(U) The following sub-objectives will contribute to the success of Objective 6.

Objective 6.1: Educate and train CI professionals about the full spectrum of cyber threats to U.S. interests (U)

The ONCIX-published documents [redacted]. These community-coordinated documents will be used when integrating cyber-specific training into existing counterintelligence training programs. As universal cyber competencies are validated, they will be reflected in updated editions of the above documents. To ensure long-term success, the CI workforce must enhance and continually refresh its cyber expertise and impart this knowledge throughout CI analytic, operational and investigative agencies and departments.

Objective 6.2: Expand national awareness on the threat posed by foreign adversaries in cyberspace

Guided by existing U.S. cyber-related training and education programs, the Cyber CI community will develop Cyber CI modules for integration into national cyber curriculums. These modules will expose government cyber professionals to the broad range of CI threats that exist in cyberspace and help them mitigate those risks in their day-to-day operations. Outreach and awareness efforts to non-IC agencies, the private sector and academia will complement Cyber CI training efforts and will contribute to a more informed understanding of the cyber threat in the government acquisition community. Outreach to the private sector will be conducted by the Sector-Specific Agencies as established by the NIPP. Given the wide range of Cyber CI customers (system administrators, users, owners, hardware and software developers, lawyers, procurement officers and intelligence collectors), the Cyber CI community will develop training appropriate to each user class and identify reference materials to be used for each user class.

Conclusion (U)

(U) These objectives chart the Cyber CI community's planning and operations activities and will provide the requirements for task prioritization and programmatic planning. The ONCIX, in consultation with the National Counterintelligence Policy Board and the Office of the Director of National Intelligence, will oversee implementation of the objectives through an integrated counterintelligence community effort using resources identified in Appendix A.

(U) The Cyber CI community acknowledges that each U.S. department or agency with cybersecurity and/or cyber CI responsibilities operates under legal authorities and policy guidelines relevant to its specific mission. This plan is not intended to intrude on those responsibilities or to redirect an organization's cyber CI operations. Mindful that no single entity can adequately address this threat in its entirety, the intent is rather to capitalize on each organization's unique capabilities so that the U.S. can respond to cyber CI threats with a coordinated approach.

(U) The CI tools and techniques that will be developed as a result of this plan will be inherently sensitive, and any compromise will negate their effect. Accordingly, this plan acknowledges the need to properly protect these tools and techniques using established Intelligence Community security procedures and protocols.

Appendix A: Resources (U)

(U) The table below is a summary of FY09-13 resources needed by Agency to implement and oversee the deliverables outlined in The United States Government-Wide Cyber Counterintelligence Plan.

Table 2: Summary of [title illegible] (U). [Table not reproduced.]

(U) FY08 Funds: There are no funds available for FY08. Current activities are being conducted with base funding.

(U) Spending Plan Breakdown by Organization

ONCIX (U): ONCIX will provide a detailed spend plan once the Cyber CI Plan is approved. In the interim, the summary below by function is how ONCIX will utilize its proposed FY09 and FY10 funds. The activities are linked to the deliverables identified in Table 1.

(U) Policy: Maintain existing policies and update Cyber CI policies, procedures, standards and guidance to address requirements for the USG Cyber CI community. Ensure the Cyber CI Plan is consistent with other USG cyber policies, strategies and implementation plans.

(U) Training/Outreach: Develop requirements for Cyber CI training. Identify appropriate cyber competencies for counterintelligence professionals. Formulate a Communication Strategy focusing on Cyber CI outreach efforts and marketing to ensure stakeholder engagement and communication is consistent with the National Counterintelligence Strategy of the United States of America and all pertinent USG working groups.

[redacted (b)(1), (b)(3)]

CIA (U): [redacted]

DOD (U): [redacted (b)(3)]

Personnel/Staff: Table 7. [Table not reproduced.]

Appendix B: Tools, Tradecraft and Technology (U)

(U) The [redacted] working group will accomplish the following: [redacted]

B.1 Technology Requirements [redacted]

B.2 Technical Requirements for Document Tagging, Tracking and Locating (TTL) Tools and Technology (Initiative 7, Initiative 9) (U) [redacted]

B.4 Technical Requirements for Department- or Agency-specific and IC TS/SCI Fabric Enterprise-wide Audit Sharing (U) [redacted] (Footnote: Intelligence Authorization Act for Fiscal Year 2009, Classified Annex.)

B.5 Technical Requirements for Supply Chain Tools and Technology (U) [redacted]

B.6 (U) Cyber Identification Friend or Foe [redacted]

Appendix C: Assessment of Damage and Loss from Cyber Intrusions (U)

What is a damage or loss assessment? (U)

(U) Cyber damage or loss assessments are systematic, comprehensive reviews of intentional and/or inadvertent compromises of sensitive or classified information. Such assessments build on incident reporting and can cover single incidents or the combined effects, loss or lessons learned from a combination or series of incidents. To be effective, loss assessments must be timely and should produce outputs in phases. Outputs should include mitigation recommendations, both for short-term response actions and for long-term options and implications. The customers of a cyber loss assessment are the owners, custodians and users of the data, as well as network operators and defenders and those building knowledge bases on adversarial capabilities and tactics. Since the length of time for completing a loss assessment will vary based on the scope of the intrusion and the quantity of data compromised, it is essential to provide interim assessments until the reviewing authority determines that no further actions are warranted.

(U) A cyber damage or loss assessment is different from a security, law enforcement or inspector general investigation. Rather than focusing on who did what in violation of which regulation, cyber loss assessments use that information as context and background in a more focused examination of the effects caused by the intrusion. They are conducted with the purpose of identifying how the network in question was affected and what information (including but not limited to sources, methods, operations, equipment, facilities, locations, plans, strategies, technologies or programs) was compromised. The assessments include analysis of the consequences of such exposure.

(U) National-level assessments must address both the damage a compromise has inflicted on individual U.S. Government departments and agencies and the broader implications for national security. At the national level, loss assessments are likely to address additional factors, such as the impact of loss and compromised information on an adversary's ability to deny or deceive the collection efforts of the U.S. intelligence community and/or to feed false or misleading information to U.S. policymakers.

Benefits of conducting a loss assessment (U)

(U) By highlighting broad vulnerabilities, loss assessments can have far-reaching effects on organizational policies and programs. They should contribute to on-going analysis of cyber adversarial capabilities, tradecraft and intentions. At a minimum, by providing managerial, security and operational lessons learned, they may help prevent similar disclosures in the future. Additionally, by helping understand how losses occurred, assessments can reduce further waste of U.S. Government resources, lessen the risks to U.S. national security, protect the lives of U.S. citizens, and protect intelligence sources.

Loss assessment methodology (U)

(U) There are a number of steps required for a cyber loss assessment, starting with the recognition that an incident has occurred. While there are clearly some initial and time-dependent steps, portions of the methodology are not inherently linear and could easily, and optimally, be pursued in parallel. The following paragraphs provide an overview of the necessary process and/or methodology to conduct a loss assessment. While each loss assessment will be unique, Figure 5, Assessment of Loss from Cyber Intrusions, provides exemplar issues to pursue.

How did we know? (U)

As an initial step, it is important to consider how we became aware of an intrusion. This will help isolate the data sets necessary for analysis and establish a baseline of what we know about an incident or series of incidents. Again, not all cyber intrusions merit a loss assessment. Organizations should establish criteria to determine whether an in-depth loss assessment should be undertaken beyond incident reporting. While a single intrusion might not warrant an assessment, a series of intrusions could meet the necessary criteria. Cross-incident or cumulative assessments could be initiated where a specific incident or series of incidents suggests continued, on-going adversarial operations, or offers the chance to develop lessons learned from comparing or aggregating incidents and the associated loss or effects. Subject matter experts are needed to evaluate the affected system to determine if criteria for initiation of a loss assessment are present and/or if other affected systems must be reviewed to enable a comprehensive analysis.

Where did the incident occur? (U)

The affected network or networks need to be identified and their nature or purpose understood. This will enable decision makers to determine what sets of expertise will be needed to examine any loss. A preferred approach for loss assessments would call for a standing response group with ad-hoc action teams to address specific incidents.

(U) The quality of cyber loss assessments, both from a technical and from a systems impact perspective, depends largely on forensics analysis of the impacted electronic media. It is understood that a complete forensics analysis is necessary to ascertain intruder methodology and to identify what system was compromised as a result of the intrusion. Critical to an effective assessment is [word illegible] and comprehensive access to data.

What was the time frame of the incident? (U)

The assessment should determine when the attack occurred and how long the incident lasted.

Who was responsible for the incident? (U)

Throughout the assessment, information should be gathered to accurately attribute the source of the attack. While this could be considered a parallel objective to determining loss, attribution of the attacker is critical to gauging the risk caused by a specific compromise.

How did the intruder accomplish the attack? (U)

The assessment must address what tools, tactics and techniques were used and should identify any vulnerabilities in technology, processes and policies that were exploited. An immediate priority for analysis should be placed on identifying indications of an imminent attack. Analysis of adversarial cyber operations and capabilities, as well as prior reviews and recommendations, also should be included, along with trends and indicators in cyber threat behavior and activity that might allow opportunities to identify, attribute, disrupt or otherwise stop the intruder's activities.

Why did the intruder take the action? (U)

Included in the assessment should be analytic conclusions about the adversary's intentions, motives, strategy, specific targeting, etc., and whether the intruder might use the compromised information to advance his own research and development or related capabilities and operations.

What type of activity occurred during the intrusion? (U)

The loss assessment should catalogue the information that was compromised and whether the data was exposed, altered and/or exfiltrated from the network. In addition, analysis of the impact on current and future related programs needs to be incorporated. Any effects on the network, such as denial of service or degradation of service, need to be factored into the overall analysis.

What is the impact of the loss? (U)

The assessment should include an analysis of the overall severity of the loss. It should provide mitigation recommendations based on knowledge of the network and its enterprise architecture and connectivity with other trusted networks. Recommendations on the urgency for further loss assessment activities also should be included, along with the likelihood of future incidents of a similar nature and the identification of specific issues needed for follow-on assessment or investigation.

Figure 5: Assessment of Loss from Cyber Intrusions. [Figure not reproduced.]

Other Considerations (U)

(U) Loss assessments are unlikely to generate good news for program managers and could consequently be bureaucratically unpopular. It follows that direct high-level support will be essential to establish and execute this kind of capability. Furthermore, depending on the severity of the loss, program managers may be required to change program direction.

(U) By their very nature, these assessments will expose vulnerabilities and weaknesses and have implications for future operations, planning and resourcing. Assessment findings and recommendations should be classified and/or compartmented accordingly, consistent with the nature of the networks, operations and information involved.

Glossary (U)

COMPUTER NETWORK ATTACK (CNA): Actions taken through the use of computer networks to disrupt, deny, degrade, manipulate or destroy computers, computer networks, or information residing in computers and computer networks. Source: [illegible]

COMPUTER NETWORK DEFENSE (CND): Actions taken to protect, monitor, analyze, detect and respond to unauthorized activity within U.S. Government information systems and computer networks. Source: JTF-GNO

COMPUTER NETWORK EXPLOITATION (CNE): Actions conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Source: [illegible]

COUNTERINTELLIGENCE (CI) (U): Information gathered and activities conducted to identify, deceive, exploit, disrupt or protect against espionage, other intelligence activities, sabotage or assassinations conducted for or on behalf of foreign powers, foreign organizations or persons, or their agents, or international terrorist organizations or activities. Source: EO 12333

CYBER COUNTERINTELLIGENCE (Cyber CI) (U): For the purposes of this plan, Cyber Counterintelligence is defined as counterintelligence by any means where a significant target or tool of the adversarial activity is a computer, computer network, embedded processor or controller, or the information thereon.

CYBER CI ANALYSIS (U): The study of the organization, capabilities, intentions and tradecraft of Foreign Intelligence and Security Services and non-state actors, including foreign terrorist organizations
and insider threat activities CYBER CI COMMUNITY U Includes all US Government agencies that have cybersecurity and or counterintelligence missions as de ned in The National Counterintelli ence tin Plan 200 CI Conununi 'ci ants CYBER INCIDENT U Any attempted or successful access to ex ltration of manipulation of or impairment to the integrity con dentiality security or availability of data an application or an information system without lawful authority Source NSPD- CYBER THREAT INVESTIGATION U Any actions taken within the United States consistent with applicable law and presidential guidance to determine the identity location intent motivation capabilities alliances funding or methodologies of one or more cyber threat groups or individuals Source CYBERSECURITY U Prevention of damage to protection of and restoration of computers electronic communications systems electronic communication services wire communication and electronic communication including information contained therein to ensure its availability integrity authentication con dentiality and non-repudiation Source CYBERSPACE U The interdependent network of information technology infrastructures and which includes the Internet telecommunications networks computer systems and embedded processors and controllers in critical industries Source NSPD- FEDERAL AGENCIES U Executive agencies as de ned in section 105 of Title 5 USC and the us Postal Service but not GAO Source para The executive departments in Title 5 include State Treasury Defense Justice Interior Agriculture Commerce Labor HHS HUD Transportation Energy Education and Veterans Affairs We also include contractors and their networks who support these Executive Departments INFORMATION SYSTEM U A discrete set of information resources organized for the collection processing maintenance use sharing dissemination or disposition of information Source INTRUSION U Unauthorized access to a federal government or critical infrastructure network information system 
or application Source SECURE U To defend and protect both military and civilian government-owned networks Source STATE Ind LOCAL GOVERNMENT U When used in a geographical sense have the meanings ascribed to them in section 2 of the Homeland Security Act of 2002 Section 101 of title 6 United Stator Code Source US-CERT U The United States Computer Emergency Readiness Team in the National Cybersecurity Division of the Department of Homeland Security DI-IS Source
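The loss-assessment section above leaves two points abstract: when a series of intrusions, rather than a single one, should trigger a cross-incident (cumulative) assessment, and how the catalogue of exposed, altered, and exfiltrated information is built up across those incidents. The following is an added example written for this page, not code from the Plan or from any agency; the incident records, network names, field names, and the 45-day window and three-incident threshold are all constructed assumptions chosen to illustrate the triage logic.

```python
"""Cross-incident (cumulative) loss-assessment triage.

Added example, not part of the Cyber CI Plan. It makes concrete two points
from the loss-assessment section: (1) one intrusion may not warrant a loss
assessment, but several against the same network inside a bounded time
window suggest an ongoing adversarial operation and should trigger a
cross-incident assessment; (2) that assessment should catalogue which
information was exposed, altered, and/or exfiltrated. Every incident
record, name, and threshold below is a constructed assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    incident_id: str
    network: str              # "Where did the incident occur?"
    start: datetime           # "What was the time frame?"
    end: datetime
    attribution: str          # "Who was responsible?" ("unknown" if not yet attributed)
    technique: str            # "How did the intruder accomplish the attack?"
    effects: frozenset        # subset of {"exposed", "altered", "exfiltrated", "dos"}
    assets: frozenset         # information affected by this incident


@dataclass
class Assessment:
    network: str
    incidents: list           # incident ids in the qualifying series, in time order
    window_start: datetime
    window_end: datetime
    actors: set               # attributions seen across the series
    techniques: set           # techniques seen across the series
    loss_catalogue: dict      # effect -> set of assets with that effect


def cumulative_assessments(incidents, *, window: timedelta, min_incidents: int):
    """Flag every network that saw at least `min_incidents` intrusions whose
    start times fall within any sliding window of length `window`, and build
    the aggregated loss catalogue for the qualifying series."""
    by_net = defaultdict(list)
    for inc in incidents:
        by_net[inc.network].append(inc)

    results = []
    for net in sorted(by_net):
        incs = sorted(by_net[net], key=lambda i: i.start)
        first_idx, last_idx, left = None, None, 0
        for right in range(len(incs)):
            # shrink the window from the left until it spans at most `window`
            while incs[right].start - incs[left].start > window:
                left += 1
            if right - left + 1 >= min_incidents:
                first_idx = left if first_idx is None else min(first_idx, left)
                last_idx = right if last_idx is None else max(last_idx, right)
        if first_idx is None:
            continue  # no qualifying series on this network

        series = incs[first_idx:last_idx + 1]
        catalogue = defaultdict(set)
        for inc in series:
            for effect in inc.effects:
                catalogue[effect].update(inc.assets)
        results.append(Assessment(
            network=net,
            incidents=[i.incident_id for i in series],
            window_start=series[0].start,
            window_end=max(i.end for i in series),
            actors={i.attribution for i in series},
            techniques={i.technique for i in series},
            loss_catalogue=dict(catalogue),
        ))
    return results


def _d(y, m, d):
    return datetime(y, m, d)


# Constructed sample incidents (not real events or networks).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "research-lan", _d(2009, 1, 5), _d(2009, 1, 6), "unknown",
             "spearphish", frozenset({"exposed"}), frozenset({"proposal-2009"})),
    Incident("INC-002", "research-lan", _d(2009, 1, 20), _d(2009, 1, 22), "actor-A",
             "valid-creds", frozenset({"exfiltrated"}), frozenset({"design-docs"})),
    Incident("INC-003", "research-lan", _d(2009, 2, 10), _d(2009, 2, 10), "actor-A",
             "valid-creds", frozenset({"altered", "exfiltrated"}), frozenset({"test-results"})),
    Incident("INC-004", "hr-lan", _d(2009, 1, 10), _d(2009, 1, 10), "unknown",
             "malware", frozenset({"dos"}), frozenset()),
    Incident("INC-005", "research-lan", _d(2009, 6, 1), _d(2009, 6, 1), "unknown",
             "web-exploit", frozenset({"exposed"}), frozenset({"travel-schedule"})),
]


if __name__ == "__main__":
    for a in cumulative_assessments(SAMPLE_INCIDENTS, window=timedelta(days=45), min_incidents=3):
        print(a.network, a.incidents, a.window_start.date(), a.window_end.date())
        print("  actors:", sorted(a.actors), "techniques:", sorted(a.techniques))
        for effect, assets in sorted(a.loss_catalogue.items()):
            print(f"  {effect}: {sorted(assets)}")
```

With the constructed data, only `research-lan` is flagged: three intrusions between January 5 and February 10 fall inside a 45-day window, while the single `hr-lan` event and the June event on `research-lan` do not meet the threshold and are left to normal incident reporting. The series output carries the attribution, technique, and per-effect asset sets the assessment questions ask for, so the reviewer sees that the same actor reused valid credentials across two incidents and which assets were exfiltrated versus merely exposed.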