The ‘how to’ of intelligence – evolution of the intelligence cycle

What this lecture will do
Explain the implications for intelligence of the environmental changes covered in earlier lectures To recap, these are:
The diffusion of threat with the end of the Cold War
Threat is now no longer just military, security or criminal but often a mixture of all three And is often both internal and external in origin

The changing role of technology
has enabled real time or near real time interconnectivity between users of intelligence (whether decision makers or operational staff), analysts and collectors OSI has given policy makers far more comprehensive sources

Re-cap: broad implications
These two changes together mean that
the traditional step-by-step intelligence cycle is no longer applicable Military, law enforcement and security intelligence need to be far more closely blended One needs to be able to move from warning to action extremely quickly
Therefore intelligence needs to be in a constant relationship with decision makers and operational personnel, and Since action is often highly localised, local authorities need to be fully involved in planning, providing and receiving intelligence

Intelligence needs to provide a service not only with preventive agencies (police, security agencies, military) but also consequence management agencies (police, fire, hospitals, emergency services, utilities, etc) New international cooperation mechanisms are needed. They need to account for different intelligence cultures and legal frameworks Intelligence is no longer simply a service provider for operations and policy but is intimately involved in the operations and decision making processes Intelligence is often second-guessed by decision makers and needs to provide a service to sift and organise vast amounts of OSI

Sherman Kent and the intelligence cycle
Sherman Kent, in his post-WW 2 book, Strategic Intelligence for American World Policy, characterised intelligence as ‘knowledge’, organisation and activity
As discussed in the first lecture

He saw the intelligence cycle as part of the activity phase and was the first to articulate it. He listed seven distinct phases, which are very close to a description of the scientific process of analysis

Kent’s intelligence cycle
1. 2. 3. The appearance of a problem requiring the attention of strategic intelligence staff - equivalent to the scientific question Analysis of the problem to discover which facets are important to the business (in Kent’s case the security of the US) Collection of data bearing upon the problem
1. 2.

Involving a survey of data in hand And an endeavour to procure new data to fill the gaps


5. 6.

Critical evaluation of the data thus assembled with the intention of finding some sort of ‘inherent meaning’ (a series of possible hypotheses) More collection of data along the lines of the more promising hypotheses Establishment of one or more hypotheses as truer than the others – often referred to as the presentation phase

Traditional intelligence cycle Strategic decision-makers define Requirement/act on finished product Analysts prepare reports and disseminate to clients based on collected material Intelligence managers develop collection requirements Collection managers collect according to requirement .

information is coming at us from all directions in massive quantities. In the words of Robert Clark: . in a globalised. Players both within and between organisations are connected in near real time vertically and horizontally. assessing and sharing such information.The problem As we have seen. methods and protocols for managing. analysing. The problem for intelligence in such a world is to find technologies. The traditional intelligence cycle is not up to the job. technological world.

” Robert Clark. the traditional cycle may be even less relevant. Informal networks (communities of interest) increasingly are forming to address the problem that Kent identified and enable a nonlinear intelligence process using secure Web technology. the traditional cycle may adequately describe the structure and function of an intelligence community. but it does not describe the intelligence process. . 2004) pp17-17.Clark on the intelligence cycle “. . In the new world of information technology. . Intelligence Analysis: A Target-Centric Approach (Washington DC: CQ Press.

‘knowledge management tools’ and search engines over those data bases Vertical and horizontal near real time communications within and between organisations renders the stage-by-stage concept of the intelligence cycle meaningless This is. essentially.Dealing with technology Technology is both a cause of the problem and provides tools to deal with it Open source information (OSI) provides enormous data streams. an information management issue . but not all of those data are sound It enables policy makers to anticipate or ‘second guess’ intelligence agencies But intelligence services are required to assess those data and combine them with more traditional sources like signals intelligence and human intelligence The need to merge multiple data streams requires data warehouses.

‘Real time’ intelligence cycle Strategic decision-makers define Requirement/act on finished product Analysts prepare reports based on collected material OPERATIONS Intelligence managers develop collection requirements Collection managers collect according to requirement .

Intelligence Analysis.A network and target-centric approach to intelligence . Actionable intelligence Analysis: Gaps.1 Needs. requirements target New information Information Sources (collectors) Problem: how does intelligence select the target? What of Rumsveld’s known and unknown unknowns? Source: Clark. p 18 . new information Problem (customers) Analysis: answers.

then calling in an AC-130.2 This model is networked. It is fluid rather than static Knowing where to attack a system is the essence of EBO and ILP . function. with all players contributing to the construction of the model – including the client It helps alleviate the modern problem of information overload because all players have a concept of what is useful to the construction of the model Integration assists operations because a good mental model of the target is essential for operations (he gives the example of a Predator drone working to identify a BMP full of Taliban in Afghanistan. Supports the view of target as system (comprising structure. process) A system is defined by components and the relationship between components (Clark pp18-21) – thus starting to embrace the Clauzwitzian paradigm. inclusive and collaborative rather than hierarchical and segmented.A network and target-centric approach to intelligence .

Manage the intelligence process? Despite what Clark says about the virtues of interconnectedness.Problem How do we: Define the intelligence problem. we still need a ‘system of systems’ over the top to make things work And the rest of the lecture will deal with these issues .

Defining the problem .

Department of Defense news briefing . 12. 2002.Rumsveld on threat The Unknown As we know. There are known knowns. The ones we don't know We don't know. That is to say We know there are some things We do not know. Feb. —Rumsveld. We also know There are known unknowns. There are things we know we know. But there are also unknown unknowns.

Rumsveld in graphics car rebirth heroin people smuggling ROC OMG ? ? A/ports SIEVs That which we don’t Know we don’t know That which we know we don’t know Fujianese Afghans major bank fraud .

Or generated by new conditions (drivers) 1. Use what you now know to assess possible ‘unknown’ threat 1. In light of #4 and #5.Rumsveld in steps 1. Develop an ICP for filling those gaps 4. Identify from that what you know you don’t know (and need to know) 3. Organise and assess what you do know 2. develop an ICP to fill that gap . Examine your risks 6. For example encountered in other times or places 2. Environmental scan 5.

Organise and assess what you know menu put to policy Environmental scan Initial problem analysis: scan + existing threat Agreed menu of threat ICP ICP ICP .

determine risk . morale In light of above. immigration.The environmental scan Focus down on your business Use counterpart agencies (domestic and international) and OS to assess threats elsewhere Assess drivers of change relating to the threat environment in: Technology Society (demographics. skills. social trends) Economy Counterpart support agencies Legal framework How has the region changed How do all the above changes affect the ‘known’ enemy Assess your own capacity (remember Sun Zi) Resources.

The ICP Should identify Gaps in information Counterpart agencies for filling those gaps Personnel and areas in your organisation to capture the information A collection manager for each threat Intelligence sources for specific information needs A timeline for activities A feedback loop for participants A database for information retention Tools for analysis Cross-cutting issues Warning indicators concerning the threat Budget and other resources to do the work .

secondary source. direct information. indirect information Clark. Intelligence Analysis.Evaluating incoming evidence We need to Evaluate the source Is the source competent? Did the source have the access needed? Does the source have a vested interest or bias? Evaluate the means of communication becomes ‘x probably is the case’ [see Butler report on Iraq WMD] Accuracy always decreases with the length of the communication chain (primary source. p 101-110 . inferential force Credibility: fact information. reliability. ‘X is a possibility’ becomes ‘x may be true’ Evaluate the evidence itself (usually against what is already known) Credibility.

So-called ‘Admiralty Scale’ Reliability (how reliable is the source?) “A” –always reliable "B" -usually reliable "C" -fairly reliable "D" -not usually reliable "E" -unreliable "F" -reliability cannot be judged Credibility (how credible is the evidence?) 1 -Confirmed by Other Sources 2 -Probably True 3 -Possibly True 4 -Doubtfully True 5 -Improbable 6 -Truth Cannot be Judged .

Indicators and Warnings They are usually controversial since they are difficult to identify yet may require sudden and committed executive action Obviously. they are only any use if they are used They should Be readily identifiable by collection managers Be flexible as the situation evolves Be early enough to enable executive action Be late enough to be interesting to the Executive Be agreed to be indicators by all the stakeholders Class: what would be a good indicator for a bird flu pandemic? For an impending energy crisis I and W’s are far more difficult to identify for non –traditional threats than war – witness 9/11 .

Ways of capture Open source Internet Academic Press O/S databases Techint Sigint Phonetap Signals LDs Humint Interrogation Note this can relate both to the enemy and one’s own people Imint Elint Telemetry Masint ‘measurement and signature intelligence’ Under cover (spying) Informant Surveillance TDs Remote sensing devices .

Ah . . But I hear you say These methods seem to be sequential rather than simultaneous and on-going Didn’t you say the sequential intelligence cycle is dead? I did. and it is. The intelligence problems can be permanently maintained and updated – indeed that is the core function of intelligence You can even have a collection manager for emerging and new threats And take old threats off the ‘menu’ so that intelligence is not over-worked to no effect The forthcoming models will show how this can happen in a managed way . .

Information management models Between organisations Within organisations .

MA/London: MIT Press 2001) .The emerging role of IT in intelligence integration In the words of Herman (see notes below) The three stages of interoperability. integration and interdependence are achievable through three meachanisms A blueprint for centralised guidance and decentralised execution Dedicated funds to support progress in core activities Herman counter-terrorism p 49 [quoting Victor deMarines ‘Exploiting the Internet Revolution’ in Ashton Carter and John White Managing Defense for the Future (Cambridge.

Technical protection of data Rules for sharing: •All those in organisation X with access to C have access to B and A •All those in organisation X with access to B have access to A but not to C •All members of organisation X have access to A •Should a member of organisation X without access to C seek access to an entity listed in C. the system manager of C will be alerted •Some members of organisation Y (pre-defined) have access to A but not B and C •etc Organisation x B A C .

It dictates process by taking the user through a series of mandatory steps. case management and intelligence (knowledge) management tools. . the AFP’s PROMIS includes email.Some IT tools Types of tools: Communication tools Data access and management tools Knowledgemanagement tools Process management tools Note: None of the items on the left is exclusive. It manages access and security. For example. data warehousing and access.

security and law enforcement . mainly to do with privacy Often involves HOG and this requires very good management And often a cross-over between intelligence types and cultures Such as between national security.Data storage and mining Serious ethical issues.

1 S s Each agency can go direct into the warehouse P p c i I S = security P = police C = customs I = immigration C .Data mining setup .

2 Managing Committee. filtration tools .Data mining setup .

Some typical filtration rules No agency can know what it is not permitted to know by the laws that govern it No agency can know what it is not permitted to know by the laws governing other agencies No agency can know what it is not permitted to know by other national laws .

intelligence .security I .immigration C other agencies Output: reports.The fusion centre model Input: data.customs S . intelligence P F U S I O N P C S I I S P .police C .

The role of fusion – the US model .

Information management within organisations Distributed model In which all members of the organisation are involved in developing information And extracting information/intelligence Centralised model In which specialist intelligence units organise information And extract finished product from it to provide to clients Mixed model In which a specialist intelligence unit extracts intelligence from a distributed information system Or all members can extract information from a system maintained by intelligence .

Simple distributed model P1 P5 P2 P6 Database P3 P7 P4 P8 .

unit and data base Intelligence out P4 P2 Operations teams external P5 Operations teams management .Centralised model Information in P1 Intell.

Intelligence product Mixed model Intelligence unit Intelligence unit Organisation database External sources P1 Pn Intelligence Specific intelligence database client .

intelligence is often subsumed by seemingly more important activities such as policy or operations This suggests some kind of mixed model is most appropriate . with a decentralised model. unless there is a rigidly adhered set of rules.‘Use it or lose it’ Intelligence producers should not remain isolated from the mainstream of their organisation If they remain isolated. their intelligence is unlikely to be current or useful to the user The most famous example of non-use of intelligence is Pearl Harbour Intelligence personnel need a constant relationship with their clients in policy and operations and a constant feed of information from operations On the other hand.

managing information collection and flows Establishes ICPs based on intelligence inputs and views of Executive. recommends new ICPs CM5 OCM1 O P OCM2 E R A OCM3 T I OCM4 O N OCM5 S Intelligence management Executive Database/s Strategic intelligence Issues advice to Executive on nature of threat based on intelligence inputs External Environmental scan .Provides direction to Intelligence Management based on corporate needs and intelligence advice Mixed model . and external Targeted issue CM1 CM2 CM3 CM4 Monitors external developments Conducts environmental scans. and appoints a collection manager for each priority Provides intelligence for intelligence management and strategic intelligence Monitors counterpart CM in ops.

.International sharing of intelligence “The merging of ‘domestic’ and ‘foreign’ intelligence is even more complete now than in earlier. Vol 18. No 4 (winter 03) p43 . “Counter-Terrorism. more geographically constrained campaigns such as those against the IRA” Michael Herman. Information Technology and Intelligence Change”. Intelligence and National Security.

Intelligence sharing: old paradigm Law enforcement international international security domestic shared domestic shared .

Intelligence sharing: a new paradigm – mix and match both domestically and internationally Shared intelligence .

and doubly so internationally For cultural factors Security factors For legal factors .Problems with intelligence sharing Intelligence is intrinsically difficult to share.

Between agencies Cultural factors Just as we have different national cultures. it may be better to liaise between like and like externally and like and unlike internally . These differences can make it difficult to share and mean the same thing They occur not only between countries. We sometimes hear reference to the international ‘brotherhood’ of police On the latter point. we also have different ‘intelligence’ cultures. but also between agency types – ie police share with police but are reluctant to do so with other agencies.

criminal intelligence misused for political or security purposes .Security factors Security factors In some jurisdictions there is no separation between security and military intelligence eg Burma’s DDSI Those jurisdictions in which there is a clear demarcation will be reluctant to share if they think criminal or security intelligence might be misused for military purposes Or. for that matter.

different legal systems Need for parallel offences .Legal factors Legal factors Privacy Intelligence and human rights. use of death penalty Separation of powers.

2000) But this requires that Both sides be signatories and states parties Both sides have parallel law Interpol Regional and ad hoc mechanisms .International law framework for sharing Extradition treaties and mutual legal assistance treaties (MLATs) need parallel offences in the sending and receiving jurisdictions They can often be sensitive due to different cultural attitudes to crime The United Nations Office on Drugs and Crime (UNODC) offers a mechanism for international sharing of intelligence through its Palermo Convention (UN convention against transnational organised crime.

Europol – an international fusion centre German liaison UK liaison Each national unit and liaison unit is subject to national law in respect of how material is handled terrorism drugs immigration etc Europol database UK national unit UK jurisdiction French liaison Legal and IT ‘firewall’ Strategic analysis unit analyses product according to crime threats .

Interpol Basically. 25 articles to ensure that Interpol information is properly handled However. both Europol and Interpol relate only to criminal intelligence requesting country NCB Interpol NCB receiving country . in addition. an international policing communication and intelligence system Similar in structure to Europol. in that cutoff is achieved by all information passing through a National Central Bureau There are.

Implications for intelligence architecture USA (target) travel Singapore (transit) Shanghai PRC Gov Beijing Thailand (transit) Communication requirements Karachi Pakistan Peshawar Govt Hypothetical intelligence exchange requirements at Beijing Olympics .

Emergency management. MOFAT.Hypothetical cooperative framework Site Police fire Crowd control etc formal FUSION/COORDINATION Provincial/local Central police NCB Security intelligence service Military intelligence Other agencies – customs. etc F U S I O N / C O O R D Jurisdiction A informal INTERPOL B ASEANAPOL C EUROPOL .

prioritise and update a menu of current intelligence issues and keep it distributed Replicate central office CMs with regional counterparts working to the region but responsible for reporting to the centre (can be either intelligence or operations. police-to-police etc) . part or full-time) Intelligence manager to be on the main executive committees Intelligence to be provided on a regular basis including to the highest level with feedback provisions External rules Always know and respect the rules and legal governance of the counterpart.Some rules for sharing Internal rules Share unless told otherwise: never assume the other person knows what you know Maintain. but not to the extent of breaching your own rules and governance Understand the culture and sensitivities of the counterpart Use effective multilateral means where they exist (such as Interpol and Europol) Establish effective liaison networks – well worth the investment Use MOUs and other quasilegal means Internalise cross-functional communications (ie go militaryto-military.

Sign up to vote on this title
UsefulNot useful