Evaluate your cyber-intelligence
Bad intel is worse than no intel at all
Security Strategies Alert
By M. E. Kabay, Network World, 12/05/2006
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Longtime readers of this column may recall that I wrote about Rob Rosenberger in 2003 as he was heading for duty in the Iraq
war. Rob runs SecurityCritics.org and I’m always happy to receive articles from him. Here’s an interesting piece that he sent me as part of a correspondence
with a colleague; he has very kindly allowed us to publish this edited version.
* * *
There is a growing market for cyber-intelligence among companies, governments, and militaries. But there is also an old saying
in the intelligence community: "Bad intel is worse than no intel at all."
Are you getting bad cyber intelligence? Is there some sort of litmus test we can apply?
The answer is yes: there is a simple two-part litmus test for any intelligence product.
First, does your cyber-intelligence include dossiers on key members of the computer-security-industrial complex? Second, does
your intelligence analysis reveal important issues that are embarrassing or even taboo?
Intelligence firms must never dismiss the need for dossiers on the good guys. Why? Because we cannot know our own strengths
and weaknesses until we know those of our allies. The CIA keeps a dossier on Britain's Air Chief Marshal Sir Glenn Torpy
- and Britain's MI5 keeps a dossier on Air Force Chief of Staff General T. Michael Moseley.
As a computer-security expert, you probably know a lot about the bad guys. But what do you really know about your antivirus
vendor? What do you really know about your Web proxy vendor? Do you really know why renowned expert Jimmy Kuo left McAfee for Microsoft?
Ask your cyber-intelligence vendor for a detailed dossier on your antivirus vendor. Ask for a dossier on renowned antivirus
expert Costin Raiu. If your vendor keeps dossiers only on the bad guys, then they've failed the first part of the litmus test.
Now let's discuss the second part of the litmus test. Suppose you obtain a dossier on your antivirus vendor. Do they license
their antivirus technology from another company? Does it reveal embarrassing or even taboo activities at the firm? Does the
dossier offer detailed biographies on major research and development team members? Does it provide a comprehensive bibliography
for source information? Does the dossier plagiarize another agency's research?
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.