The Intelligence Studies Essay: CTIIC---Learning from the Choices and Challenges that Shaped the National Counterterrorism Center

Steve Slick
Wednesday, March 4, 2015, 10:30 AM
Update:  After this essay was written, but before it was posted, the White House issued a memo and accompanying Fact Sheet further elaborating on its plans for CTIIC.  For commentary on how those documents relate to the original essay, see this post. A Cyber Threat Intelligence Integration Center (CTIIC) established by the Director of National Intelligence in response to a presidential directive can play a valuable role integrating and assessing cyber threat data available to the government in support of policymaking and operational res

Published by The Lawfare Institute
in Cooperation With

Update:  After this essay was written, but before it was posted, the White House issued a memo and accompanying Fact Sheet further elaborating on its plans for CTIIC.  For commentary on how those documents relate to the original essay, see this post. A Cyber Threat Intelligence Integration Center (CTIIC) established by the Director of National Intelligence in response to a presidential directive can play a valuable role integrating and assessing cyber threat data available to the government in support of policymaking and operational responses. The CTIIC director, preferably an intelligence professional, should be appointed by the DNI and report exclusively through him to the White House where CTIIC’s assessments and expertise would inform, but not supplant, interagency policy deliberations. The president’s order should direct relevant cabinet officers to support CTIIC by sharing relevant information, detailing expert staff, and helping the center overcome foreseeable technological challenges. CTIIC’s assessments will be structurally flawed until its analysts can routinely access threat information now available only in the private sector. The DNI should integrate the functions of the National Intelligence Officer for Cyber into CTIIC to enhance its long-range analysis and designate the CTIIC director as the IC’s Mission Manager to ensure the adequacy of collection and other resources devoted to cyber targets. The choices made while designing and standing up CTIIC should be informed by the many hard lessons learned during the National Counterterrorism Center’s (NCTC) short, but eventful, history. Introducing CTIIC Last Tuesday, President Obama’s Homeland Security Advisor Lisa Monaco announced the administration’s intent to establish CTIIC within the Office of the DNI. Monaco explained that CTIIC would promote information sharing on cyber threats between government agencies, integrate available intelligence, perform all-source analysis, and support policymakers as well as agencies with operational roles defending against and responding to cyber attacks. She added that CTIIC would not collect new information or otherwise encroach on the missions of existing cyber centers at DHS, FBI, NSA, CIA, and elsewhere in the government. Monaco said the new center, modeled on NCTC, would fulfill the president’s State of the Union pledge to ensure “our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.” News articles and blog posts reporting the announcement were generally positive, and offered additional context on the planned center. The Washington Post reported that the CTIIC proposal had emerged from a recent study by the White House’s Cybersecurity Coordinator comparing the government’s counterterrorism and cyber defense practices. Support for a new center apparently grew along with frustration by policymakers at the government’s inability to reach timely consensus on the sponsorship, goals, and impact of last Thanksgiving’s attack on the Sony Pictures Entertainment network. Post sources added that the new center would have a modest budget of $35 million and staff complement of 50, and would be formally established by a presidential “memorandum.” The need to improve information sharing and the government’s response to cyber incidents was acknowledged in the administration’s 2009 Cyberspace Policy Review. Notwithstanding significant investment in watch centers, new offices, and technology, no one appears satisfied with the government’s current ability to deter, detect and defend against attacks on our digital infrastructure. Progress addressing this multifaceted challenge will depend on many factors, but long-term success will invariably require the government to collect, evaluate, and present accurate intelligence on the burgeoning cast of malign actors in cyberspace and their evolving arsenal. The idea of a national center focused on cyber threats has been discussed in intelligence circles for years, but establishing one now is both timely and appropriate. Timely because the threat is compounding daily and appropriate because the decision to launch a new government bureaucracy appears to have been taken as a last resort after the existing organizations proved unable to work effectively together. Looking to NCTC as a model for the new CTIIC is also sensible, although Monaco correctly acknowledged that there were important differences in the intelligence challenges posed by terrorists and hackers. NCTC serves as a clearinghouse for information on terrorism, produces coordinated threat assessments, and supports the White House in coordinating responses to active plots. Today’s NCTC, however, is not the same institution imagined by its many architects or even the same office described in the statute and directives that define its mission. Rather, NCTC is the product of diverse --- often contradictory --- visions, difficult policy choices, and stiff real-world challenges it has confronted over a decade (plus) of existence. In drafting a presidential directive on CTTIC (and possibly negotiating in the future with Congress on a legislative charter), choices will be required concerning the center’s mission and authorities, relationship with the ODNI, Intelligence Community (IC) and non-IC agencies, its role in supporting or assuming functions now performed by the White House, and the means to secure qualified intelligence and technical staff. NCTC’s experience offers useful lessons on all of these topics. TTIC: NCTC’s Predecessor NCTC was established by executive order in late August 2004, but the center was actually built on a strong existing foundation of the Terrorist Threat Integration Center (TTIC) that had been operating for more than a year under the supervision of the Director of Central Intelligence (DCI). President Bush had unveiled TTIC in his 2003 State of the Union address, principally as a vehicle to improve the integration of terror threat information gathered overseas with that collected by the FBI and other agencies in the U.S. - - a shortcoming widely understood to have contributed to the government’s failure to detect and prevent the September 11, 2001 attacks. White House officials optimistically declared in early 2003 that CIA’s Counterterrorism Center (CTC) and the FBI’s Counterterrorism Division (CTD) would shortly relocate to a single facility together with TTIC, and that the new center would have no operational role and therefore required no new statutory authorities. In Blinking Red, former Bush administration official Michael Allen recounts the hurried but intense interagency tussle that preceded TTIC’s launch. CIA sought to protect the operational prerogatives of CTC, an organization that already included representatives of the FBI, Department of Defense (DOD), and other agencies engaged in counterterrorism. CIA insisted that the new center’s name not include “intelligence” or “analysis,” the latter term reserved for the specialized craft practiced on an “all-source” basis exclusively by CIA’s Directorate of Intelligence. TTIC’s mission was narrowly limited to consolidating information and integrating threat reports. TTIC’s first (and only) director John Brennan recalled in interviews the enormous challenge of acquiring --- leave aside integrating --- data that eventually flowed into TTIC on 26 different government networks. In its early days, TTIC was also forced to compete for experienced analysts with CIA, FBI, and other agencies that were already strapped in handling their own responsibilities. Of course, CIA/CTC and FBI/CTD never co-located their front offices or key operational components with TTIC, and TTIC’s successor (NCTC) was later codified in statute and assigned all-source intelligence analysis as one of its principal responsibilities. The 9/11 Commission’s NCTC The report of the congressionally-chartered National Commission on Terror Attacks Upon the United States (9/11 Commission) was submitted to President Bush and simultaneously published in late July 2004, quickly achieving bestseller status. The 9/11 Commission concluded that our counterterrorism effort required greater unity and recommended creating a new post of National Intelligence Director (NID) and an enhanced NCTC built on the foundation of TTIC. The 9/11 Commission’s NCTC proposal called for an organization housed along with the NID in the Executive Office of the President (EOP). The new center would be led by a presidentially appointed director and charged with two missions: strategic intelligence and joint operational planning. NCTC’s planning mission, according to the 9/11 commissioners, would replicate the Joint Staff’s J-2 and J-3 functions in a civilian joint counterterrorism command. To avoid infringing on the statutory authorities of DOD, CIA, and FBI, the 9/11 Commission defined “joint planning” as assigning lead responsibilities to agencies and closely tracking the execution of assigned tasks. Not by accident, the 9/11 Commission’s admittedly “entrepreneurial” NCTC recommendation tracked closely a design favored by former National Security Advisor and then-Chairman of the President’s Foreign Intelligence Advisory Board, Brent Scowcroft. Scowcroft had been asked by President Bush early in his first term (and before the 9/11 attacks) to study the IC and recommend changes to improve U.S. intelligence. After the Democratic Party’s 2004 presidential nominee John Kerry publicly endorsed all of the 9/11 Commission’s recommendations, the next opportunity to weigh in on NCTC belonged to President Bush. NCTC and the Bush Administration Under mounting political pressure, and after hasty consultations with his senior national security advisors, President Bush declared his support for a “strong” NID and the establishment of NCTC. The NCTC concept endorsed by the Bush administration in early August 2004 centered on analyzing and integrating threat intelligence from foreign and domestic sources and serving as the government’s “knowledge bank” on terrorists and terror groups. The 9/11 Commission’s proposed planning function was scaled back to “supporting the development of government action plans.” President Bush’s NCTC would not be part of the EOP. While the Bush administration did not endorse the 9/11 Commission’s operational planning role for NCTC, administration officials did announce plans to hand off to NCTC the functions of the Counterterrorism Security Group (CSG), a high-level interagency group that met (and still meets) to receive updates on active plots and to track steps being taken across government to disrupt planned attacks. The White House convened a series of interagency meetings in August 2004 regarding implementation of the 9/11 Commission’s recommendations. These sessions frequently pitted advocates for an empowered NID and an NCTC against others who sought to defend traditional departmental chains of command. President Bush’s late August order establishing NCTC authorized the center (in addition to its intelligence functions) to conduct “strategic operational planning for counterterrorism activities” and to assign operational responsibilities to lead agencies but not to “direct the execution of operations.” NCTC’s director under the Bush order would be appointed by the DCI, with a seemingly odd additional requirement that the president approve the DCI’s choice. The DCI was unambiguously instructed to exercise “authority, direction, and control” over NCTC and its director. A legislative proposal containing the main elements of the president’s executive order on NCTC was sent to Capitol Hill, where legislation was advancing in both chambers to establish a NID, NCTC, and to implement other reforms recommended by the 9/11 Commission. The Congress, IRTPA, and NCTC Through the fall 2004 campaign season, President Bush’s reelection, and well into a lame duck legislative session, multiple committees in the House and Senate debated provisions in draft intelligence reform legislation. The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) emerged from conference negotiations between senators Susan Collins and Joe Lieberman --- the leaders of the Senate’s Government Affairs Committee, both of whom strongly supported the 9/11 Commission’s recommendations --- and Speaker of the House Dennis Hastert, who was caught between the administration’s demands for action and an armed services committee chairman bent on defending to the hilt the prerogatives of the Secretary of Defense and military commanders. While the IRTPA’s NCTC provisions closely track those in the Bush administration’s executive order, the final bill unsurprisingly added a requirement that the NCTC director be appointed by the president and confirmed by the Senate. The IRTPA also codified a unique dual reporting chain requiring NCTC’s director to report to the DNI (the NID’s new title) regarding the center’s intelligence functions, but directly to the president on strategic operational planning. The IRTPA also established within ODNI a National Counterproliferation Center (NCPC) with responsibilities concerning weapons proliferation similar to those conferred on NCTC for terrorism. The IRTPA’s NCPC provisions were silent on how the center’s director would be selected, and also included a waiver allowing the president to choose not to establish an NCPC if he deemed such a center unnecessary. The IRTPA (in a legally superfluous gesture) also authorized the DNI to create additional national intelligence centers to address priority topics. The WMD Commission: A Final (and Skeptical) View of NCTC, NCPC, and Intelligence Centers After the IRTPA was signed into law, but before ODNI opened for business, the White House received the report of an executive branch advisory panel charged with examining U.S. intelligence, in particular regarding proliferation in the aftermath of flawed pre-war intelligence assessments of Iraq’s weapons of mass destruction (WMD) program. The so-called “WMD Commission” recognized that its report was submitted too late to impact significantly the major restructuring of the IC, but this Commission nonetheless offered wide-ranging recommendations, including on the question of national intelligence centers. The WMD Commission recommended that the president establish an NCPC but not assign that center the same strategic operational planning mission given to NCTC. The WMD Commission’s proposal for NCPC described a small center to coordinate, but not conduct, intelligence analysis on proliferation and to develop collection strategies in the manner of an IC “mission manager” for proliferation. The WMD Commission report questioned the wisdom of assigning NCTC’s director potentially incompatible intelligence and policy roles, as well as his dual reporting chain. More generally, the WMD commissioners listed the hazards of creating national intelligence centers. Such centers discouraged competitive analysis, instigated turf battles with existing agencies, and created new stovepipes that would inhibit information sharing, according to the commissioners. The Bush administration accepted these WMD Commission recommendations and directed the DNI to establish an NCTC along these lines. Establishing CTIIC: Imminent Choices and Foreseeable Challenges Mission, Status, and Authorities: The White House’s announcement offered few details on the nature of the new cyber intelligence center. A forthcoming presidential directive will presumably address questions concerning its mission, responsibilities, legal status, and the authorities of the center and its director as well as the nature of their relationship with the White House, DNI, IC, and non-IC agencies. CTIIC’s overly descriptive title signals that the center will initially be assigned only a modest mission focused on consolidating and integrating available information on cyber threats in the mold of NCTC’s predecessor, TTIC. If CTIIC’s mission is limited to intelligence functions (e.g. sharing and analyzing threat information, preparing assessments for policymakers and other agencies, clearing information to be shared with state and local governments and the private sector), the DNI has ample authority to establish the center. The DNI is authorized to establish, operate, and direct new national intelligence centers by both the IRTPA and Executive Order 12333 (as amended in 2008). Any formal action by the president would be designed to enhance the stature of the center and harvest any political benefit from taking action on a high-profile national security issue. There is no obvious need for the president to appoint the head of a small national intelligence center, and allowing the DNI to select (and terminate) this official would reinforce the DNI’s leadership of our national intelligence enterprise. Assigning CTIIC a role in shaping or implementing national policies on cyber security or assigning operational tasks to other agencies may require legislative action, and would foreseeably trigger defensive reactions by NSA/CyberCom, FBI, DHS, CIA, and other turf conscious bureaucracies. NCTC’s strategic operational planning mission has always been constrained by the center’s limited access to information on CIA and DOD activities under Titles 50 and 10, respectively, of the U.S. Code. The NCTC director’s dual reporting chain has likely generated more friction with key counterterrorism stakeholders than it has conferred real national security gains. Targeted leaks in the aftermath of the failed Christmas 2009 bombing of a Northwest Airlines aircraft revealed an unconstructive amount of tension between the DNI, CIA director, NCTC director, and White House counterterrorism officials. CTIIC will not likely travel the same uneven path to adolescence as did NCTC, but the White House may not get the final say on the mission and authorities of the new cyber intelligence center. While Congress has a disappointing record of legislating on cyber security, it is foreseeable that the intelligence oversight committees will attempt to codify a charter for the CTIIC even in the context of the annual intelligence authorization bill rather than as part of more comprehensive cyber security legislation. Relationship with the White House and NSC/Interagency Process: In its endorsement of the 9/11 Commission’s NCTC recommendation, the Bush administration described how the new center would take over the CSG’s functions by providing a current and shared operational picture and by monitoring how agencies executed disruption tasks assigned by the president, NSC, or CSG. In practice, the White House-chaired CSG was always engaged and directing the government’s response to significant terror threats. The political risks to a sitting president were simply too high to delegate hands-on management of an acute terror threat incident to any group outside the White House. NCTC played an essential role updating and assessing new threat information and monitoring actions between CSG meetings but NCTC never replaced the CSG. NCTC continues to extend and temporarily supplement the small NSC counterterrorism staff during high threat periods. The analogy being drawn between terror and cyber threats is useful but imperfect. Serious terror threats to the homeland or U.S. citizens abroad are all too regular but still only intermittent. The level and intensity of cyber threats to the U.S. and its interests, however, are nearly constant with spikes caused when new attackers, tools, or targets appear on the scene. The CTIIC can contribute to improved policy responses merely by consolidating and storing information in a retrievable format, crafting integrated assessments, and providing situational awareness to policymakers during an incident without assuming any role in making policy, devising operational plans, or grading other agencies’ performance. Competition for Mission and Talent: It would be an understatement to observe that TTIC and NCTC were not warmly welcomed by more established government institutions with counterterrorism missions. The lead role assumed by the DCI and CIA in shaping, staffing, and supervising TTIC could be explained as much by institutional self-preservation as a sincere interest in improving information sharing and threat analysis. In reality, unconstrained sharing of threat information and improved cooperation across the “foreign-domestic divide” had become the norm within days of the 9/11 attacks. A certain amount of tension based on the perceived competition for mission space and scarce analytic talent has dogged NCTC since its founding. From CIA’s perspective, the Agency was working at full capacity to detect and disrupt possible 9/11 follow-on attacks, to find and neutralize al-Qa’ida’s leaders, and to support the invasion and occupation of Iraq when it was asked to assign experienced officers to a new intelligence center to perform analytic work already underway in CTC. By 2006, when Mike Hayden transitioned from principal deputy DNI to CIA director, media reports described an open “food fight” between CIA and NCTC over “lanes in the road” and the allocation of skilled analysts. Because of his credibility with both warring camps, Hayden was able to settle the issues relatively swiftly by decree, and that general arrangement appears to have held. CTIIC’s first leaders will also confront a significant technical challenge not unlike the one faced by John Brennan and his successors at NCTC. After clearing the legal, procedural, and privacy hurdles to gain access to government information on cyber threats, CTIIC can look forward to a multi-year project to integrate information from disparate systems into a searchable database configured to support intelligence analysis. The DNI and CTIIC’s director will heavily depend, at least at the outset, on information, analytic talent, and technical support from NSA, FBI, DHS, and CIA. Incomplete Information and Inaccurate Assessments: Intelligence analysis, by definition, compels practitioners to reach judgments based on incomplete information. All-source analysis, once an exclusive CIA franchise, is now practiced more broadly in the IC because of technology and increased information sharing. On most national security topics, the information gathered by U.S. IC collection agencies, combined with open sources, adequately supports reliable intelligence judgments. Assessing cyber threats, however, presents a distinct challenge. The Internet’s basic design allows actors to conceal their identities, or even attribute their actions to others. IC collection of cyber threat data is structurally limited to the extent it excludes the large body of relevant information that Americans, U.S. businesses, and other private organizations choose not to volunteer to the government. The Homeland Security Advisor acknowledged this handicap last week and repeated the Obama administration’s appeal to Congress to pass legislation that promotes greater sharing of threat information between the government and private sectors. Expectations for the completeness and precision of CTIIC’s analytic assessments should remain modest until this structural handicap is overcome. If CTIIC will be tasked to conduct all-source analysis of cyber threats, and not simply integrate agency views, the center will need to handle a large volume of sensitive U.S. Person and privileged commercial information. The disclosures by former NSA contractor Edward Snowden significantly eroded the public’s overall confidence in the IC, but the civilian ODNI --- in partnership with DHS and the FBI --- can likely demonstrate an ability to consolidate, store, and analyze cyber threat data while safeguarding privacy. Finally, the respective roles of DHS and the FBI in dealing with domestic counterparts on cyber threats should be clarified. The failure to do so in the counterterrorism area contributed to the prolonged rivalry between DHS fusion centers and FBI joint terrorism task forces concerning primary relationships with state, local, and tribal entities. In turn, CTIIC can serve as the single authorized source of threat warnings to be shared (by DHS or FBI) outside the U.S. government, thereby protecting against charges of inconsistency, favoritism, or conferring unfair commercial advantage. Steven Slick is the Director of the Intelligence Studies Project at the University of Texas-Austin and a former CIA Clandestine Service officer who served as the NSC’s Senior Director for Intelligence Programs and Reform from 2005-2009. He can be reached at The essay’s text was approved by CIA’s Publication Review Board.

Steve Slick is a clinical professor at the LBJ School of Public Affairs and directs the Intelligence Studies Project at the University of Texas at Austin. He was a member of CIA’s clandestine service, and served as a special assistant to President George W. Bush and the NSC’s Senior Director for Intelligence Programs and Reform.

Subscribe to Lawfare