Intelligence Cell Defends Cyberspace

August 2008
By Maryann Lawlor
E-mail About the Author

Austere Challenge exercise participants test computer networks and communications systems in the command post at Grafenwoehr, Germany. Computers have become central to all the armed services to conduct most activities from training to operations, and the 5th Signal Command, U.S. Army Europe’s Cyber-Threat Intelligence Cell is responsible for helping ensure that networks stay up and running.
Analysts’ expertise defines cyberthreats.

A small yet dedicated cadre of network and intelligence experts is helping keep the U.S. Army’s network safe in Europe—and by extension, worldwide—by ferreting out the bad guys in cyberspace. This unique group of civilian soldiers characterizes the threat by examining how adversaries ping and attempt to infiltrate networks, and then it seeks to find their motives. Rather than simply identifying the techniques enemies employ, the group provides the service with the context surrounding attacks so cyberwarriors are better prepared to defend the Army’s information infrastructure.

The Cyber-Threat Intelligence Cell is part of the 5th Signal Command under the auspices of U.S. Army Europe, Mannheim, Germany, but the seeds for the cell were sown at U.S. European Command (EUCOM). A group of analysts at the combatant command began recommending information condition changes based on threats, adjusting the condition level of networks in much the same way that changes to force protection take place. This became the foundation of EUCOM’s Network Warfare Center, which was created in 2005 and comprised representatives from the intelligence; operations; and command, control, communications and computers sectors.

While visiting the center, Col. William H. Brady, USA, the 5th Signal Command’s G-2 at the time, saw the value in analyzing network threat conditions and decided that his organization, which is essentially the network command for the Army in Europe, could use the same insights. Upon returning to the 5th Signal Command, he began the process to establish the Cyber-Threat Intelligence Cell.

Robert Hembrook, the current deputy G-2 at 5th Signal Command, was working for the J-2 at EUCOM when Col. Brady visited the combatant command and was part of the command’s group analyzing network threat conditions. Hembrook now oversees the 5th Signal Command’s Cyber-Threat Intelligence Cell, which today comprises two Army civilians and one contractor. Eventually, the staff will consist of four Army civilians and one contractor, he adds, with an even mix of intelligence analysts and network experts.

Soldiers are not part of the cell because they do not possess the skills, Hembrook notes. “There is no MOS [military occupational specialty] that teaches what we do. Cell members have all built their skills and characteristics out of their own knowledge and abilities, and they have an aptitude for it. There is no place that you can go to learn this,” he says.

While network defenders explore the who, what, where and when of a network attack, members of the Cyber-Threat Intelligence Cell try to figure out the why, Hembrook explains. The group analyzes incidents and other data and then characterizes patterns of information. While they are not on duty 24 hours a day, seven days a week, cell members are provided with information that is as little as seconds old, he allows.

According to Hembrook, the 5th Signal Command’s Cyber-Threat Intelligence Cell is one of a kind. “At our level, there’s nobody doing what we do. There’s no intel analysis being done at EUCOM or at any other level nor at any of the other services. There are higher-level agencies back inside the Beltway that have intel analysis dedicated to this task, but they’re given a worldwide mission. So that’s what makes us unique. We look at worldwide incidents, but we look at them through the lens of what it means to us at 5th Signal Command and to U.S. Army Europe, and by extension EUCOM and wherever else,” he maintains.

This may not be the case for long. In the past two years, five combatant commands, two U.S. Navy fleets, U.S. Air Force Europe and several federal government agencies have visited the cell to observe, he adds.

The cell does not set policy, Hembrook notes. It is the Army’s job to set policies, to ensure people are trained and educated about information assurance, to follow through to make sure Army personnel adhere to network rules and to reprimand those who do not. “None of that takes into consideration what the bad guys are doing, and the bad guys have a vote,” he states.

Cell members write their assessments with the average warfighter in mind. They avoid using technical terms that only computer experts comprehend because network specialists already grasp the dangers to the information infrastructure. “They understand that we’re in a world of hurt. We’ve got to get it out to the average tactical formation and strategic formation commander. Whether he or she is wearing an oak leaf or an eagle or a star, we say, ‘Sir/ma’am, this is important to you and here’s why. Trust me on this one,’” Hembrook explains.

To create its reports, the cell looks for unique, new or different activity on its own networks. It also reviews anomalous activities on other organizations’ networks and then warns Army commanders that the same could occur on theirs.

In addition to gathering information about adversarial attacks, the cell takes a look at what is going on inside the Army’s network. For example, if cell members observe a computer connecting to an address that it should not access, they want to know why. Or if activity on a computer usually consists of normal Web surfing and suddenly shifts to transferring huge amounts of data to a location outside of the U.S. Defense Department, cell members attempt to determine the cause.

The Cyber-Threat Intelligence Cell operates from the unassuming Funari Barracks in Mannheim, Germany.
To arrive at its conclusions, the cell depends on commercial technologies that have been tailored to its needs. For the most part, the work involves sifting through massive amounts of information. “It’s the ability to sift through it and more importantly to know what you’re looking for. There are a lot of people who have spent a lot of time in the computer science world trying to figure out how to manipulate data. But knowing what you’re looking at is the first step to being able to manipulate it properly,” Hembrook explains.

Because the cell operates within the 5th Signal Command, and the command is the primary operator of networks for the Army in Europe, it has a fairly unprecedented span of control, he notes. “We can see more things going on, we can correlate across a larger swath, but that also commensurately means we have a larger swath to take care of,” he adds.

Like any intelligence organization, the insight the cell provides to commanders is only as good as the information its members receive or collect. Ignorance of this fact frustrates Hembrook at times, especially when members of the intelligence community are held accountable for breaches in security. “We do the best we can with what we have,” he states.

Hembrook’s nearly 20 years of experience as a signals intelligence analyst allows him a fairly in-depth perspective on the threats to the network, and his work with the Cyber-Threat Intelligence Cell confirms his own observations. What he observes could cause even some computer addicts to disconnect from the Internet and unplug their computers.

From an outside-attack perspective, the threats are either loud and obvious or fairly quiet and insidious, he says. The former includes spear phishing, a technique in which hackers obtain the information they need to send out spam to a specific audience, customers of a particular bank, for example. “Primarily what we’re seeing is the usual spam from people who are trying to steal account numbers, get into a banking account, steal identities or steal credit card information. But it wouldn’t surprise me to see people doing it for reasons other than monetary gain,” Hembrook relates. While he would not elaborate about the other reasons, Hembrook does assert that hackers—particularly those set on stealing identities and credit card information—are growing more aggressive and bold.

Quiet and insidious threats are from hackers who spend a great amount of time reviewing code to figure out how to break into networks quietly to launch an attack that opens a back door or installs a key logger or some other malware. Once inside the network, they sit silently and listen for long periods of time and “learn a lot,” Hembrook says. “They don’t spend a lot of time banging against your door yelling for you, but yet they’re out there, and you’ve got to wonder what it is they’re trying to get from you,” he adds.

But outside hackers are not Hembrook’s only concern; he also is bothered by the threat from within the Army, specifically the lack of respect some soldiers have for their computers. Inadvertently, warfighters fail to secure their own systems, a careless action that can cost millions of dollars to repair, Hembrook says. And although Army regulations outline some of the consequences for such actions, few are enforced, which irritates Hembrook.

And, sloppiness in the treatment of military computer systems is only one of the threats Hembrook has observed. Social networking technologies in some cases have become an open field where soldiers unwittingly reveal information that could be ammunition in an enemy’s hands.

“Web 2.0 is not official government business, so therefore people have no business using a government computer for taking part in it. That said, what you do from your home computer is whatever you do from your home computer, and it gobsmacks me—and you can quote me on that—my jaw hits the floor when I see the kind of personal information that people give away on Web 2.0 sites or in places like Facebook or Google Earth or any of these other places. People just get in there and are operation security nightmares. They argue with each other about where things are located or who’s in charge of what. A lot of it is swagger and bragging rights, but they’re compromising information that the bad guys can use to target us by putting it out there. And commanders are charged with the responsibility of making sure this isn’t happening, but then who has the time to check every blog and every Web posting and every Web site?” he points out.

Even in his frustration, Hembrook acknowledges that personnel who inadvertently share sensitive information cannot always be 100 percent to blame for security shortfalls. “I really feel for my brothers in the Information Assurance Program Management Office because they’re trying really hard to educate people, but it’s lost in the noise among all the other stuff, such as: Have you done your No FEAR Act training? Have you done your sexual harassment law training? Have you done your dental record scrub? Have you done your medical record scrub? Have you done your promotion packet? Have you done your annual training for this? Have you done your training for that? So it just becomes part of the background noise,” he says.

And Hembrook is optimistic when he sees the attention being paid to network defense. Military and government leaders have realized that patching network holes and fixing vulnerabilities will not make the problem go away. “We’ve realized with social engineering, phishing attacks and other threats that the attackers are smarter than that, and it’s not just a matter of patching vulnerabilities. We’ve got to educate the work force, and we have to invest the money in it,” he says.

In the future, in addition to increasing the size of the team, the Cyber-Threat Intelligence Cell plans to spend time explaining to other members of the network operations and network defense community the value it brings to protecting information systems. Hembrook believes these communities need to increase their collaboration and information sharing particularly about shortcomings they have found or mistakes they have made.

“I don’t want to pass people and say, ‘Look at how bad you are.’ Who cares about that? What I want to do is enable people to learn from other people’s mistakes so they don’t have to make the same ones. We can all work together on this by saying, ‘This happened to me. Have you seen anything like this? We think that this may be where they’re going to next. We think this is why they’re doing it. We think this is the type of stuff they’re going to do to us.’ If we could interchange that information in a useful way—and that doesn’t mean build another portal or build another Web site or host another conference—that means picking up the phone or getting out of your chair and going to the people who do it and talking to them. Then maybe we can make some progress and better progress,” he says.

Web Resource
5th Signal Command:


Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.