The 5×5—Cross-community perspectives on cyber threat intelligence and policy
A core objective of the Atlantic Council’s Cyber Statecraft Initiative is to shape policy in order to better secure users of technology by bringing together stakeholders from across disciplines. Cybersecurity is strengthened by ongoing collaboration and dialogue between policymakers and practitioners, including cyber threat intelligence analysts. Translating the skills, products, and values of these communities between each other can be challenging but there is prospective benefit, as it helps drive intelligence requirements and keeps policymakers abreast of the latest developments and realities regarding threats. For younger professionals, jumping from one community to another can appear to be a daunting challenge.
We brought together five individuals with experience from both the worlds of cyber threat intelligence and cyber policy to share their experiences, perspectives on the dynamics between the two communities, and advice to those interested in transitioning back and forth.
#1 What’s one bad piece of advice you hear for threat intelligence professionals interested in making a transition to working in cyber policy?
Winnona DeSombre Bernsen, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:
“I have not heard bad pieces of advice specifically geared toward threat intelligence professionals, but I was told by someone once that if I wanted to break into policy, I could not focus on cyber. This is mostly untrue: the number of cyber policy jobs in both the public and the private sectors are growing rapidly, because so many policy problems touch cybersecurity. Defense acquisition? Water safety? Civil Rights? China policy? All of these issues (and many more!) touch upon cybersecurity in some way. However, cyber cannot be your only focus! As most threat intelligence professionals know, cybersecurity does not operate in a vacuum. A company’s security protocols are only as good as the least aware employee, and a nation-state’s targets in cyberspace usually are chosen to further geopolitical goals. Understanding the issues that are adjacent to cyber in a way that creates sound policy is important when making the transition.”
Sherry Huang, program fellow, Cyber Initiative and Special Projects, William and Flora Hewlett Foundation:
“I would not count this as advice, but the emphasis on getting cybersecurity certifications that is persistent in the cyber threat intelligence community is not directly helpful to working in the cyber policy space. Having technical knowledge and skills is always a plus, but in my view, having the ability to translate between policymakers and technical experts is even more valuable in the cyber policy space, and there is not a certification for that.”
Katie Nickels, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; director of intelligence, Red Canary:
“I think there is a misconception that to work in cyber policy, you need to have spent time on Capitol Hill or at a think tank. I have found that to be untrue, and I think that misconception might make cybersecurity practitioners hesitant to weigh in on policy matters. The way I think of it is that cyber policy is the convergence of two fields: cybersecurity and policymaking. Whichever field is your primary one, you will have to learn about the other. Practitioners can absolutely learn about policy.”
Christopher Porter, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:
“When intelligence professionals think about policy work, they often experience a feeling of personal control—‘now I get to make the decisions!’ So there is a temptation to start applying your own pet theories or desired policy outcomes and start working on persuasion. That is part of it, but in reality policymaking looks a lot like intelligence work in one key aspect—it is still a team sport. You have to have buy-in from a lot of stakeholders, many of whom will have different perspectives or intellectual approaches to the same problem. Even if you share the same goal, they may have very different tools. So just as intelligence is a team sport, policymaking is too. That is a reality that is not reflected in a lot of academic preparation, which emphasizes theoretical rather than practical policymaking.”
Robert Sheldon, director of public policy & strategy, Crowdstrike:
“I sometimes hear people treating technical career paths and policy career paths as binary–and I do not think that is the direction that we are headed as a community. People currently working in technical cybersecurity disciplines, including threat intelligence, should consider gaining exposure to policy work without fully transitioning and leaving their technical pursuits behind. This is a straightforward way to make ongoing, relevant contributions to a crowded cyber policy discourse.”
#2 What about working in threat intelligence best prepared you for a career in cyber policy, or vice versa?
Desombre Bernsen: “Threat intelligence gave me two key skills: the first is the ability to analyze a large-scale problem. Just like threat intelligence analysts, cyber policymakers must look through large systems to find chokepoints and potential vulnerabilities, while also making sure that the analytic judgments one makes about the system are sound. This skill enables one to craft recommendations that best fit the problem. The second skill is the ability to tailor briefings to different principal decisionmakers. Threat intelligence is consumed by network defenders and C-suite executives alike, so understanding at what level you are briefing is key. A chief information security officer does not care about implementing YARA rules, just like a network defender does not want their time wasted with a recommendation on altering their company-wide phishing policies. Being able to figure out what the principal cares about, and to tailor recommendations to the audience best able to action on them is applicable to the cyber policy field as well. When briefing a company or government agency, knowing their risk tolerance and organization mission, for example, helps tailor the briefing to help them understand what they can do about the problem.”
Huang: “Being a cyber threat intelligence analyst gave me exposure to a wide variety of issues that are top of mind for government and corporate clients. In a week, I could be writing about nation-state information operations, briefing clients on cybersecurity trends in a certain industry, and sorting through data dumps on dark web marketplaces. Knowing a bit about numerous cyber topics made it easier for me to identify interest areas that wanted to pursue in the cyber policy space and, more importantly, allows me to easily understand and interact with experts on different cyber policy issue areas, which is helpful in my current role.”
Nickels: “The ability to communicate complex information in an accessible way is a skill I learned from my threat intelligence career that has translated well to policy work. Threat intelligence is all about informing decisions, so there are many overlaps with writing to inform policy.”
Porter: “In Silicon Valley, it is typical to have a position like ‘chief solutions architect.’ I have spent most of my career in intelligence being the ‘chief problems architect.’ It is the nature of the job to look for threats, problems, and shortcomings. Policymakers have the inverse task—to imagine a better future and build it, even if that is not the path we are on currently. But still, I think policymakers need to keep in mind how their plans might fail or lead to unintended consequences. When it comes to cybersecurity, new policies almost never eliminate a threat, they only change its shape. Much like the end to Ghostbusters, you get to choose the kind of problem you are going to face, but not whether or not you face one. Anyone with a background in intelligence will be ready for that step, where you have to imagine second- and third-order implications beyond the first-order effect you are seeking to have.”
Sheldon: “Working as an analyst early in my career taught me a lot about analytical methods and rigor, evidence quality, and constructing arguments. Each of these competencies apply directly to policy work.”
#3 What realities of working in the threat intelligence world do you believe are overlooked by the cyber policy community?
Desombre Bernsen: “The cyber policy community has not yet realized that threat intelligence researchers and parts of the security community themselves—similarly to high level cyber policy decisionmakers—are targets of cyberespionage and digital transnational repression. North Korea, Russia, China, and Iran have all targeted researchers and members of civil society in cyberspace. Famously, North Korea would infect Western vulnerability researchers, likely to steal capabilities. In addition, threat intelligence researchers lack the government protections many policymakers have. Researchers that publicly lambast US adversaries can be targeted and threatened online by state-backed trolls. Protections for these individuals are few and far between—CISA just this year rolled out a program for protecting civil society members targeted by transnational repression, so I hope it gets expanded soon.”
Huang: “Most of the time, threat intelligence analysts (at least in the private sector) do not hear from clients after a report has gone out and do not have visibility into whether their analysis and recommendations are helpful or have real-world impact. Feedback, whether positive or constructive, can help analysts fine-tune their craft and improve future analysis.”
Nickels: “I think the cyber policy community largely considers threat intelligence to be information to be shared about breaches, often in the form of indicators like IP addresses. While that can be one aspect of it, they may not recognize that threat intelligence analysts consider much more than that. Broadly, threat intelligence is about using an understanding of how cyber threats work to make decisions. Under that broad definition, cyber policymakers have a significant need for threat intelligence—if policymakers do not know how the threats operate, they cannot determine how to create policies to help organizations better protect against them.”
Porter: “There are aspects of the work—such as attribution—that are more reliable and not as difficult as imagined. Conversely, there are critical functions, like putting together good trends data or linking together multiple different pieces of evidence, that can be very difficult and time-intensive but seem simple to those outside the profession. So there is always a little bit of education that needs to take place before getting into a substantive back-and-forth, where the cyber intelligence community needs to explain a little bit about how they are doing their work, and the strengths and limitations of that so that everyone has the same assumptions and understands one another’s perspective.”
Sheldon: “The policy community sometimes lacks understanding of the sources and methods that threat intelligence practitioners leverage in their analysis. This informs the overall quality of their work, the skill needed to produce it, timeliness, extensibility, the possibility for sharing, and so on. All of these are good reasons for the two communities to talk more about how they do their work.”
More from the Cyber Statecraft Initiative:
#4 What is the biggest change in writing for a threat intelligence audience vs. policymakers?
Desombre Bernsen: “The scope is much broader. Threats to a corporate system are confined largely to the corporate system itself, but the world of geopolitics has far more players and many more first- and second-order effects of the policies you recommend.”
Huang: “Not having to be as diligent about confidence levels! Jokes aside, it is similar in that being precise in wording and being brief and to the point are appreciated by both audiences. However, I do find that a policy audience often cares more about the forward-looking aspect and the ‘so what?’”
Nickels: “The biggest difference is that when writing for policymakers, you are expected to express your opinion! As part of traditional intelligence doctrine, threat intelligence analysts avoid injecting personal opinions into their assessments and try to minimize the effects of their cognitive biases. Intelligence analysts might write about potential outcomes of a decision, but should not weigh in on which decision should be made. However, policymakers want to hear what you recommend. It can feel freeing to be able to share opinions, and it remains valuable to try to hedge against cognitive biases because it allows for sounder policy recommendations.”
Porter: “Threat intelligence professionals are going to be very interested in how the work gets done, as the culture—to some degree—borrows from academic work, in terms of rewarding reproducibility of results and sharing of information. But, strictly speaking, policymakers do not care about that. Their job is to link the findings in those reports to the broader strategic context. One really only need to show enough of how the intelligence work was done to give the policymaker confidence and help them use the intelligence appropriately without understating or overstating the case. The result is that for policy audiences you end up starting from the end of the story—instead of a blog post or white paper building up to a firm conclusion, you talk about the conclusion and, depending on the level of technical understanding and skepticism on the part of the policymaker, may or may not get into the story of how things were pieced together at all.”
Sheldon: “Good writing in both disciplines has much in common. Each should be concise, include assertions and evidence, provide context, and make unknowns clear. But there are perhaps fewer ‘product types’ relevant to core threat intelligence consumers and, in some settings, analysts can assume some fundamental knowledge base among their audience.”
#5 Where is one opportunity to work on policy while still in industry that most people miss?
Desombre Bernsen: “You absolutely can work on policy issues while working in threat intelligence! I cannot just choose one, but I highly recommend searching for non-resident fellowship programs in think tanks (ECCRI, Atlantic Council, etc.), speaking at conferences on threat trends and their policy implications, and doing more policy through corporate threat wargaming internally.”
Huang: “Volunteering at conferences that involve the cyber policy community, such as Policy@DEF CON and IGF-USA. These are great opportunities to support policy-focused discussions and to have deeper interactions with peers in the cyber policy space.”
Nickels: “In the United States, one commonly missed opportunity is to reach out to elected representatives with opinions on cybersecurity legislation. Cybersecurity practitioners can also be on the lookout for opportunities to provide comments that help shape proposed regulations affecting the industry. For example, the Commerce Department invited public comments to proposed changes to the Wassenaar Arrangement around export controls of security software, and cybersecurity practitioners weighed in on how they felt the changes would influence tool development.”
Porter: “That will vary greatly from company to company; almost universally though, you will have the opportunity to help your colleagues and future generations by providing mentorship and career development opportunities. Personnel is policy, so in addition to thinking about particular policies you might want to shape, think also about how you can shape the overall policymaking process by helping others make the most of their talents. It will take years, but, in the long run, those are the kinds of changes that are most lasting.”
Sheldon: “Regardless of your current role, you can read almost everything relevant to the policy discourse. National strategies, executive orders, bills, commission and think tank reports, and so on are all publicly available. Unfortunately, many in the policy community are only skimming, but reading these sources deeply and internalizing them is a great basis to distinguish yourself in a policy discussion. Also, there are more opportunities than ever to read and respond to Requests for Comment from the National Institute of Standards and Technology and other government agencies, and these frequently include very technical questions.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.