Kevin Coleman

Cyber superiority requires intelligence edge

Challenge lies in blending traditional approaches with modern technology

Cyber intelligence has evolved far beyond technical information about vulnerabilities in systems and software. As far back as the late 1990s when I was the chief strategist at Internet pioneer Netscape, I began to work in the area of cyber intelligence.

The global intelligence community widely recognizes the critical nature of this category of intelligence. Recently, we have witnessed an increased focus placed on cyber intelligence. Few people would dispute the ever-growing threat of cyberattacks and the impact that a successful cyberattack could have on the economy and day-to-day operations of any nation.


Leadership training needed for cyber warfare

Tracking the cyber underground

The best cyber defense rests with cyber intelligence. This is an area that requires increased investment and international recruitment of assets to enhance the existing capabilities of more than 100 intelligence organizations that are developing cyber intelligence capabilities.

The Cyber Command collects a substantial amount of cyber intelligence to detect threats that emanate from the hybrid environment of cyberspace. The move from the current reactive modality to a proactive approach to cyber defense requires a robust cyber intelligence capability. The concepts of cyber intelligence and human intelligence are fundamental to the quest for such capability.

Cyber intelligence is defined as all efforts and activities conducted by or on behalf of an organization that are designed and used to identify, track, measure and monitor digital threat information, data and insights about an adversary’s operations. The effort involves critical or sensitive activities conducted through private networks, computers, electronic equipment, related communications devices and equipment critical to daily operations. It also relates to offensive, defensive and intelligence collection cyber capabilities, in addition to the current and future intentions of the adversary.

As such, cyber intelligence is a strategic priority. Technical cyber intelligence must be augmented by new and some traditional methods and sources used to provide insight and foresight into this complex and multifaceted area. One such traditional method of intelligence collection that is critical to cyber is human intelligence.

Human intelligence is defined as information or data, and it is often designated as classified or confidential. Human intelligence also might include trade or state secrets. The information is usually collected by means of interpersonal contacts with human assets, commonly referred to as a spy, mole, professional or agent. Almost all human intelligence is collected through clandestine means. Unlike some other intelligence collection disciplines, human intelligence operates in both the cyber and physical environments.

Human intelligence information must be applied to generate an accurate and timely picture of the global cyber threat environment. A cyber intelligence analyst speaking on the condition of anonymity told me that, for years now, he has pushed his organization to enhance and fully integrate human intelligence and other sources of intelligence because traditional signals intelligence and cyber intelligence can’t provide a complete picture. Collection and analysis of all-source cyber intelligence now take precedence in many countries, terrorist groups and private-sector businesses around the world.

Human intelligence plays a critical role because, unlike nuclear weapons and other weapons of mass destruction, cyber weapons require far less infrastructure and do not require restricted materials or knowledge that is in limited supply. Therefore, traditional intelligence collection platforms are of limited value. A nation’s ability to understand its adversaries’ cyber capabilities has moved up in priority to that of weapons of mass destruction. To be successful, cyber intelligence must blend more traditional sources of covert information collection — in the physical environment — with modern technology and also establish a reliable collection capability in the online world.

About the Author

Kevin Coleman is a senior fellow with the Technolytics Institute, former chief strategist at Netscape, and an adviser on cyber warfare and security. He is also the author of "Cyber Commander's Handbook." He can be reached by e-mail at:

Reader Comments

Mon, May 9, 2011 ci_tech home

"The best cyber defense rests with cyber intelligence" No sir, it rests with the ability to respond in kind.

Mon, May 9, 2011 ci_tech home

Kevin, just for the record. In 1992, an Army CID agent and I developed and co-hosted the first ever DoD conference on Computer Crime. Me speaking from the intelligence point of view and him from the criminal perspective. This is after a couple of years of dealing with cyber threats to our networks etc....My first endeavors into the cyber threat arena began almost 10 years earlier. Cheers,

Mon, May 9, 2011 ci_tech home

Kevin, your source should give greater consideration to comments they make. "Human intelligence information must be applied to generate an accurate and timely picture of the global cyber threat environment." For HUMINT to be successful in a cyber world, they need to be on the ground in (pick your country) where they can then lay hands on a system being used to attack US assets. Gathering intelligence in a cyber world is not like the good old days where you could meet with an asset to obtain this information, or maybe you can. The reality of the situation is we likely already know the capabilities of our enemies. It then becomes a matter of politics and assigning true attribution to the actor and pulling the cyber trigger to respond in kind. However, if you pull the trigger and you are wrong, the consequences of such an action can be devastating. Cyber Warfare/Terrorism is indeed a serious undertaking, and the issue your "Source" fails to recognize is that state sponsored efforts of cyber warfare can be handed off to a civilian who is properly remunerated, and thus there is an air gap between the two. Likewise, HUMINT assets are very unlikely to detect zero day attacks, nor are they going to be able to be able to provide useful information in a timely manner to preclude the execution of lethal code directed at an US asset/network etc. The best they might be able to do is hear scuttlebutt about a pending attack, but without sufficient information or the code intended to be used for the attack. There is a far greater threat of attack from within our domains AKA: The Insider Threat, where data is lost daily to our adversaries. That is where it was good to see the expulsion of Chinese scientists who are currently collaborating with US agencies. As for training senior leaders on the cyber threat, well I can hardly disagree with this. That said, you are still hard pressed to communicate on the same level with that senior leader, which requires the cyber analyst/intelligence officer to possess the wherewithal to be able to speak in terms our leadership can understand. (Boss we are being attacked from multiple IP addresses on ports 80, 53, 443, and 21). That will most certainly go right over their head. There is also the need for the entire US to completely migrate to IPV6. A feat not yet accomplished by all. Bottom line: HUMINT has a role in the intelligence world. It may well have a place in the cyber world. But....As Rome was not built in a day, this issue will not be solved in a day, nor will it be solved by putting HUMINT assets on the ground in the off chance that they might glean some relevant information to preclude a cyber war. Best wishes in your continued endeavors to solve this problem.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above