Signature-based Intelligence Resulted In Tragedy: A Lesson For Cyber Intel Consumers

The New York Times reported yesterday that a drone strike mean't to kill four Al Qaeda terrorists also killed two hostages that no one knew were there. This tragedy also revealed that drone operators rely upon signatures to form a "guesstimate" of the target.
In Pakistan, unlike elsewhere in the world, the White House permits the C.I.A. to carry out drone strikes without knowing the identities of the people the agency is trying to kill. These “signature strikes,” based on patterns of behavior rather than intelligence about specific people, have been criticized in the past as generating a higher number of civilian deaths.
I've written before about the problems that stem from our over-reliance on signals intelligence versus human intelligence in the world of cyber security. The commercial cyber security intelligence sector relies almost exclusively upon technical indicators, and those that claim they don't usually confuse collecting data from forum postings in public hacker forums with actually building relationships with blackhat hackers (the latter is human intelligence, the former isn't).

Fortunately, the worst that can happen to consumers of bad cyber intelligence is that they'll mis-allocate resources and/or develop terrible foreign policy initiatives. It's unlikely that any lives will be lost, thank goodness.

However this news story by the New York Times serves as an apt and timely reminder that cyber threat intelligence based upon "signatures" alone must be subjected to vetting by other sources and always treated with a high degree of skepticism. Bad things happen when your intelligence is unreliable, and for many of today's cyber intelligence purveyors - it frequently is.

Comments