CYBINT

Cyber Intelligence — intelligence on adversary cyber activity, networks, and operators

CYBINT — cyber intelligence, sometimes written CYBERINT — is intelligence concerning the cyber activity, capabilities, infrastructure, and intentions of adversary states, criminal networks, and individual threat actors. The category sits across the conventional collection-discipline taxonomy rather than within it: the underlying collection draws on SIGINT (intercepted communications and network traffic), OSINT (publicly reported indicators of compromise, threat-actor reporting, and security-research output), and HUMINT (insider sources within criminal forums and adversary services). The institutional output that the category names is the assessed product downstream of those collections — adversary capability, attribution, intent, infrastructure mapping, and indications-and-warning on impending activity.

The institutional homes of US CYBINT are distributed across the intelligence community and the defence establishment in a way that no single statute resolves. The National Security Agency's Cybersecurity Directorate (established October 2019, consolidating the prior Information Assurance Directorate) holds the foreign-cyber-threat mission. United States Cyber Command (USCYBERCOM, established 2010, elevated to a unified combatant command in 2018) holds the offensive and defensive cyber-operations mission and produces the operational-level intelligence its missions require. The Cybersecurity and Infrastructure Security Agency (CISA, established 2018 within the Department of Homeland Security) holds the domestic critical-infrastructure protection mission and produces the threat intelligence consumed by US private-sector network defenders. The Federal Bureau of Investigation's Cyber Division holds the domestic-investigation and attribution mission for cyber crime and cyber-enabled foreign intelligence operations. Each of these produces what could be called CYBINT against a different mission frame.

The discipline's distinctive operational characteristic is the speed of the underlying terrain. The institutional cycles around adversary cyber activity — capability development, infrastructure deployment, target reconnaissance, exploitation, post-exploitation persistence — operate on timescales of days to weeks rather than the months-to-years cycles around which the conventional collection disciplines were built. The implication for the analytical product is a substantial shift toward continuously updated indications-and-warning intelligence and away from periodically published estimative intelligence. The institutional infrastructure for that shift — the joint indicator-sharing arrangements between CISA, NSA, FBI, and the private-sector Information Sharing and Analysis Centers (ISACs) — has been built across the post-2013 period as the principal operational vehicle for the discipline.

The principal documented cases that define modern CYBINT are the public attribution products: the December 2014 FBI attribution of the Sony Pictures intrusion to North Korea; the December 2016 Joint Analysis Report on Russian state intrusion into US political institutions; the December 2020 disclosure and attribution of the SolarWinds supply-chain compromise to the Russian Foreign Intelligence Service (SVR); the March 2021 attribution of the HAFNIUM Microsoft Exchange exploitation to Chinese state actors; and the post-2022 reporting on the Russian cyber operations adjacent to the Ukraine invasion. Each of these is the public-facing tip of a substantially larger CYBINT institutional product on the same adversary.

See also

  • SIGINT — the collection discipline that produces much of the underlying technical CYBINT material
  • COMINT — a SIGINT sub-discipline overlapping CYBINT where the intercepted material is communications content
  • ELINT — a SIGINT sub-discipline overlapping CYBINT in its coverage of network and emitter signatures
  • OSINT — substantial CYBINT input now comes from open security-research reporting and indicator-of-compromise publication
  • HUMINT — insider-source reporting within criminal-forum and adversary-service environments