The ‘how to’ of intelligence – evolution of the intelligence cycle

What this lecture will do
Explain the implications for intelligence of the environmental changes covered in earlier lectures
To recap, these are:
The diffusion of threat with the end of the Cold War
• Threat is now no longer just military, security or criminal but often a mixture of all three
• And is often both internal and external in origin

The changing role of technology
• has enabled real time or near real time interconnectivity between users of intelligence (whether decision makers or operational staff), analysts and collectors
• OSI has given policy makers far more comprehensive sources

Re-cap: broad implications
These two changes together mean that
• the traditional step-by-step intelligence cycle is no longer applicable
• Military, law enforcement and security intelligence need to be far more closely blended
• One needs to be able to move from warning to action extremely quickly
• Therefore intelligence needs to be in a constant relationship with decision makers and operational personnel, and
• Since action is often highly localised, local authorities need to be fully involved in planning, providing and receiving intelligence
• Intelligence needs to provide a service not only to preventive agencies (police, security agencies, military) but also to consequence management agencies (police, fire, hospitals, emergency services, utilities, etc)
• New international cooperation mechanisms are needed. They need to account for different intelligence cultures and legal frameworks
• Intelligence is no longer simply a service provider for operations and policy but is intimately involved in the operations and decision making processes
• Intelligence is often second-guessed by decision makers and needs to provide a service to sift and organise vast amounts of OSI

Sherman Kent and the intelligence cycle
Sherman Kent, in his post-WW 2 book, Strategic Intelligence for American World Policy, characterised intelligence as ‘knowledge’, organisation and activity
As discussed in the first lecture

He saw the intelligence cycle as part of the activity phase and was the first to articulate it. He listed seven distinct phases, which are very close to a description of the scientific process of analysis

Kent’s intelligence cycle
1. The appearance of a problem requiring the attention of strategic intelligence staff - equivalent to the scientific question
2. Analysis of the problem to discover which facets are important to the business (in Kent’s case the security of the US)
3. Collection of data bearing upon the problem
   1. Involving a survey of data in hand
   2. And an endeavour to procure new data to fill the gaps
4. Critical evaluation of the data thus assembled with the intention of finding some sort of ‘inherent meaning’ (a series of possible hypotheses)
5. More collection of data along the lines of the more promising hypotheses
6. Establishment of one or more hypotheses as truer than the others – often referred to as the presentation phase

Traditional intelligence cycle
[Diagram: boxes of the cycle]
• Strategic decision-makers define requirement/act on finished product
• Analysts prepare reports and disseminate to clients based on collected material
• Intelligence managers develop collection requirements
• Collection managers collect according to requirement

The problem
• As we have seen, in a globalised, technological world, information is coming at us from all directions in massive quantities.
• Players both within and between organisations are connected in near real time vertically and horizontally.
• The problem for intelligence in such a world is to find technologies, methods and protocols for managing, analysing, assessing and sharing such information.
• The traditional intelligence cycle is not up to the job. In the words of Robert Clark:

Clark on the intelligence cycle
“. . . the traditional cycle may adequately describe the structure and function of an intelligence community, but it does not describe the intelligence process. In the new world of information technology, the traditional cycle may be even less relevant. Informal networks (communities of interest) increasingly are forming to address the problem that Kent identified and enable a nonlinear intelligence process using secure Web technology.”
Robert Clark, Intelligence Analysis: A Target-Centric Approach (Washington DC: CQ Press, 2004) pp17-17.

Dealing with technology
• Technology is both a cause of the problem and provides tools to deal with it
• Open source information (OSI) provides enormous data streams, but not all of those data are sound
• It enables policy makers to anticipate or ‘second guess’ intelligence agencies
• But intelligence services are required to assess those data and combine them with more traditional sources like signals intelligence and human intelligence
• The need to merge multiple data streams requires data warehouses, ‘knowledge management tools’ and search engines over those data bases
• Vertical and horizontal near real time communications within and between organisations renders the stage-by-stage concept of the intelligence cycle meaningless
• This is, essentially, an information management issue

‘Real time’ intelligence cycle
[Diagram: boxes of the cycle, with OPERATIONS]
• Strategic decision-makers define requirement/act on finished product
• Analysts prepare reports based on collected material
• OPERATIONS
• Intelligence managers develop collection requirements
• Collection managers collect according to requirement

A network and target-centric approach to intelligence .1
[Diagram labels: Problem (customers); Needs, new information; target; Analysis: answers, actionable intelligence; Analysis: gaps, requirements; Information sources (collectors); New information]
Problem: how does intelligence select the target? What of Rumsfeld’s known and unknown unknowns?
Source: Clark, Intelligence Analysis, p 18

A network and target-centric approach to intelligence .2
• This model is networked, inclusive and collaborative rather than hierarchical and segmented, with all players contributing to the construction of the model – including the client
• It helps alleviate the modern problem of information overload because all players have a concept of what is useful to the construction of the model
• Integration assists operations because a good mental model of the target is essential for operations (he gives the example of a Predator drone working to identify a BMP full of Taliban in Afghanistan, then calling in an AC-130)
• Supports the view of target as system (comprising structure, function, process)
• A system is defined by components and the relationship between components (Clark pp18-21) – thus starting to embrace the Clausewitzian paradigm. It is fluid rather than static
• Knowing where to attack a system is the essence of EBO and ILP

Problem
How do we:
• Define the intelligence problem
• Manage the intelligence process?
Despite what Clark says about the virtues of interconnectedness, we still need a ‘system of systems’ over the top to make things work
And the rest of the lecture will deal with these issues

Defining the problem

Rumsfeld on threat
The Unknown
As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.
—Rumsfeld, Feb. 12, 2002, Department of Defense news briefing

Rumsfeld in graphics
[Diagram: two regions, ‘That which we know we don’t know’ and ‘That which we don’t know we don’t know’. Labels: car rebirth, heroin, people smuggling, ROC, OMG, A/ports, SIEVs, Fujianese, Afghans, major bank fraud, ?, ?]

Rumsfeld in steps
1. Organise and assess what you do know
2. Identify from that what you know you don’t know (and need to know)
3. Develop an ICP for filling those gaps
4. Use what you now know to assess possible ‘unknown’ threat
   1. For example encountered in other times or places
   2. Or generated by new conditions (drivers)
      1. Environmental scan
5. Examine your risks
6. In light of #4 and #5, develop an ICP to fill that gap

[Diagram labels: Organise and assess what you know; Environmental scan; Initial problem analysis: scan + existing threat; menu put to policy; Agreed menu of threat; ICP, ICP, ICP]

The environmental scan
• Focus down on your business
• Use counterpart agencies (domestic and international) and OS to assess threats elsewhere
• Assess drivers of change relating to the threat environment in:
  - Technology
  - Society (demographics, immigration, social trends)
  - Economy
  - Counterpart support agencies
  - Legal framework
• How has the region changed
• How do all the above changes affect the ‘known’ enemy
• Assess your own capacity (remember Sun Zi)
  - Resources, skills, morale
• In light of above, determine risk

The ICP
Should identify
• Gaps in information
• Counterpart agencies for filling those gaps
• Personnel and areas in your organisation to capture the information
• A collection manager for each threat
• Intelligence sources for specific information needs
• A timeline for activities
• A feedback loop for participants
• A database for information retention
• Tools for analysis
• Cross-cutting issues
• Warning indicators concerning the threat
• Budget and other resources to do the work

Evaluating incoming evidence
We need to
• Evaluate the source
  - Is the source competent?
  - Did the source have the access needed?
  - Does the source have a vested interest or bias?
• Evaluate the means of communication
  - Accuracy always decreases with the length of the communication chain (primary source, secondary source)
  - ‘X is a possibility’ becomes ‘x may be true’ becomes ‘x probably is the case’ [see Butler report on Iraq WMD]
• Evaluate the evidence itself (usually against what is already known)
  - Credibility, reliability, inferential force
  - Credibility: fact information, direct information, indirect information
Clark, Intelligence Analysis, p 101-110

So-called ‘Admiralty Scale’
Reliability (how reliable is the source?)
• A - always reliable
• B - usually reliable
• C - fairly reliable
• D - not usually reliable
• E - unreliable
• F - reliability cannot be judged
Credibility (how credible is the evidence?)
• 1 - Confirmed by Other Sources
• 2 - Probably True
• 3 - Possibly True
• 4 - Doubtfully True
• 5 - Improbable
• 6 - Truth Cannot be Judged

Indicators and Warnings
• They are usually controversial since they are difficult to identify yet may require sudden and committed executive action
• Obviously, they are only any use if they are used
• They should
  - Be readily identifiable by collection managers
  - Be flexible as the situation evolves
  - Be early enough to enable executive action
  - Be late enough to be interesting to the Executive
  - Be agreed to be indicators by all the stakeholders
• Class: what would be a good indicator for a bird flu pandemic? For an impending energy crisis?
• I and W’s are far more difficult to identify for non-traditional threats than war – witness 9/11

Ways of capture
• Open source
• Internet
• Academic
• Press
• O/S databases
• Techint
• Sigint
• Phonetap
• Signals
• LDs
• Humint
• Interrogation
• Note this can relate both to the enemy and one’s own people
• Imint
• Elint
• Telemetry
• Masint ‘measurement and signature intelligence’
• Under cover (spying)
• Informant
• Surveillance
• TDs
• Remote sensing devices

Ah . . . But I hear you say
• These methods seem to be sequential rather than simultaneous and on-going
• Didn’t you say the sequential intelligence cycle is dead?
• I did, and it is.
• The intelligence problems can be permanently maintained and updated – indeed that is the core function of intelligence
• You can even have a collection manager for emerging and new threats
• And take old threats off the ‘menu’ so that intelligence is not over-worked to no effect
• The forthcoming models will show how this can happen in a managed way

Information management models
• Between organisations
• Within organisations

The emerging role of IT in intelligence integration
In the words of Herman (see notes below)
The three stages of interoperability, integration and interdependence are achievable through three mechanisms
• A blueprint for centralised guidance and decentralised execution
• Dedicated funds to support progress in core activities
Herman counter-terrorism p 49 [quoting Victor deMarines ‘Exploiting the Internet Revolution’ in Ashton Carter and John White Managing Defense for the Future (Cambridge, MA/London: MIT Press 2001)]

Technical protection of data
Rules for sharing:
• All those in organisation X with access to C have access to B and A
• All those in organisation X with access to B have access to A but not to C
• All members of organisation X have access to A
• Should a member of organisation X without access to C seek access to an entity listed in C, the system manager of C will be alerted
• Some members of organisation Y (pre-defined) have access to A but not B and C
• etc
[Diagram: Organisation X, with data sets A, B and C]
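The sharing rules above, written as a small access check that also raises the alert to the system manager of C. This is an added example, not part of the lecture; the holdings, user names and class names are constructed for illustration.

```python
from dataclasses import dataclass, field

TIERS = ("A", "B", "C")  # C is the most restricted data set

# Constructed sample holdings: data set -> {entity: record}
HOLDINGS = {
    "A": {"vessel-17": "port call log", "person-4": "open-source profile"},
    "B": {"person-4": "travel history"},
    "C": {"person-4": "source report", "person-9": "operation file"},
}


@dataclass(frozen=True)
class User:
    name: str
    org: str              # "X" or "Y"
    clearance: str = "A"  # highest data set held (organisation X only)


@dataclass
class SharingSystem:
    y_predefined: frozenset = frozenset()       # members of Y allowed into A
    alerts: list = field(default_factory=list)  # inbox of the system manager of C

    def readable(self, user):
        """Data sets the user may read under the sharing rules."""
        if user.org == "X":
            # Access is nested: C implies B and A, B implies A but not C,
            # and every member of X has A (also the fallback for bad input).
            top = TIERS.index(user.clearance) if user.clearance in TIERS else 0
            return set(TIERS[: top + 1])
        if user.org == "Y" and user.name in self.y_predefined:
            return {"A"}  # pre-defined members of Y: A only, never B or C
        return set()      # anyone else: deny by default

    def lookup(self, user, entity):
        """Return the records on `entity` that the user is allowed to see."""
        allowed = self.readable(user)
        # A member of X without C access asks about an entity listed in C:
        # alert the manager of C. The caller is not told that C holds anything.
        # The slide states this rule for organisation X only.
        if user.org == "X" and "C" not in allowed and entity in HOLDINGS["C"]:
            self.alerts.append((user.name, entity))
        return {t: HOLDINGS[t][entity] for t in TIERS
                if t in allowed and entity in HOLDINGS[t]}


if __name__ == "__main__":
    system = SharingSystem(y_predefined=frozenset({"yara"}))
    print(system.lookup(User("bob", "X", "B"), "person-4"))
    print(system.alerts)
```

The alert fires on the query itself, so the manager of C learns of interest in a listed entity even though the person asking receives only the A and B records.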

Some IT tools
Types of tools:
• Communication tools
• Data access and management tools
• Knowledge management tools
• Process management tools
Note: None of the items on the left is exclusive. For example, the AFP’s PROMIS includes email, data warehousing and access, case management and intelligence (knowledge) management tools. It manages access and security. It dictates process by taking the user through a series of mandatory steps.

Data storage and mining
• Serious ethical issues, mainly to do with privacy
• Often involves HOG and this requires very good management
• And often a cross-over between intelligence types and cultures
• Such as between national security, security and law enforcement

Data mining setup .1
[Diagram: a shared warehouse. Each agency can go direct into the warehouse. S = security, P = police, C = customs, I = immigration]

Data mining setup .2
[Diagram labels: Managing Committee, filtration tools]

Some typical filtration rules
• No agency can know what it is not permitted to know by the laws that govern it
• No agency can know what it is not permitted to know by the laws governing other agencies
• No agency can know what it is not permitted to know by other national laws

The fusion centre model
[Diagram: FUSION centre. Input: data, intelligence. Output: reports, intelligence. P - police, C - customs, S - security, I - immigration, other agencies]

The role of fusion – the US model

Information management within organisations
• Distributed model
  - In which all members of the organisation are involved in developing information
  - And extracting information/intelligence
• Centralised model
  - In which specialist intelligence units organise information
  - And extract finished product from it to provide to clients
• Mixed model
  - In which a specialist intelligence unit extracts intelligence from a distributed information system
  - Or all members can extract information from a system maintained by intelligence

Simple distributed model
[Diagram: P1 to P8 connected to a Database]

Centralised model
[Diagram labels: Information in; Intell. unit and data base; Intelligence out; P1, P2, P4, P5; Operations teams; external; management]

Mixed model
[Diagram labels: Intelligence unit; Organisation database; External sources; P1 to Pn; Intelligence; Specific intelligence database; Intelligence product; client]

‘Use it or lose it’
• Intelligence producers should not remain isolated from the mainstream of their organisation
• If they remain isolated, their intelligence is unlikely to be current or useful to the user
• The most famous example of non-use of intelligence is Pearl Harbour
• Intelligence personnel need a constant relationship with their clients in policy and operations and a constant feed of information from operations
• On the other hand, with a decentralised model, unless there is a rigidly adhered set of rules, intelligence is often subsumed by seemingly more important activities such as policy or operations
• This suggests some kind of mixed model is most appropriate

Mixed model - managing information collection and flows
[Diagram boxes: Executive; Intelligence management; Strategic intelligence; Database/s; CM1, CM2, CM3, CM4, CM5; OPERATIONS with OCM1, OCM2, OCM3, OCM4, OCM5; Targeted issue; External; Environmental scan]
Annotations on the diagram:
• Provides direction to Intelligence Management based on corporate needs and intelligence advice
• Establishes ICPs based on intelligence inputs and views of Executive, and appoints a collection manager for each priority
• Provides intelligence for intelligence management and strategic intelligence
• Monitors counterpart CM in ops, and external
• Monitors external developments
• Conducts environmental scans, recommends new ICPs
• Issues advice to Executive on nature of threat based on intelligence inputs

International sharing of intelligence
“The merging of ‘domestic’ and ‘foreign’ intelligence is even more complete now than in earlier, more geographically constrained campaigns such as those against the IRA”
Michael Herman, “Counter-Terrorism, Information Technology and Intelligence Change”, Intelligence and National Security, Vol 18, No 4 (winter 03) p43

Intelligence sharing: old paradigm
[Diagram labels: Law enforcement; security; international; domestic; shared]

Intelligence sharing: a new paradigm – mix and match both domestically and internationally
[Diagram label: Shared intelligence]

Problems with intelligence sharing
Intelligence is intrinsically difficult to share, and doubly so internationally
• For cultural factors
• Security factors
• For legal factors

Between agencies
Cultural factors
• Just as we have different national cultures, we also have different ‘intelligence’ cultures. These differences can make it difficult to share and mean the same thing
• They occur not only between countries, but also between agency types – ie police share with police but are reluctant to do so with other agencies. We sometimes hear reference to the international ‘brotherhood’ of police
• On the latter point, it may be better to liaise between like and like externally and like and unlike internally

Security factors
• In some jurisdictions there is no separation between security and military intelligence eg Burma’s DDSI
• Those jurisdictions in which there is a clear demarcation will be reluctant to share if they think criminal or security intelligence might be misused for military purposes
• Or, for that matter, criminal intelligence misused for political or security purposes

Legal factors
• Privacy
• Intelligence and human rights, use of death penalty
• Separation of powers, different legal systems
• Need for parallel offences

International law framework for sharing
• Extradition treaties and mutual legal assistance treaties (MLATs) need parallel offences in the sending and receiving jurisdictions
• They can often be sensitive due to different cultural attitudes to crime
• The United Nations Office on Drugs and Crime (UNODC) offers a mechanism for international sharing of intelligence through its Palermo Convention (UN convention against transnational organised crime, 2000)
• But this requires that
  - Both sides be signatories and states parties
  - Both sides have parallel law
• Interpol
• Regional and ad hoc mechanisms

Europol – an international fusion centre
[Diagram labels: German liaison; UK liaison; French liaison; UK national unit; UK jurisdiction; Europol database; Legal and IT ‘firewall’; terrorism, drugs, immigration, etc]
• Each national unit and liaison unit is subject to national law in respect of how material is handled
• Strategic analysis unit analyses product according to crime threats

Interpol
• Basically, an international policing communication and intelligence system
• Similar in structure to Europol, in that cutoff is achieved by all information passing through a National Central Bureau
• There are, in addition, 25 articles to ensure that Interpol information is properly handled
• However, both Europol and Interpol relate only to criminal intelligence
[Diagram: requesting country, NCB, Interpol, NCB, receiving country]

Implications for intelligence architecture
[Diagram: Hypothetical intelligence exchange requirements at Beijing Olympics. Labels: USA (target); travel; Singapore (transit); Thailand (transit); Shanghai; PRC Gov; Beijing; Karachi; Pakistan; Peshawar; Govt; Communication requirements]

Hypothetical cooperative framework
[Diagram labels: Site (Police, fire, Crowd control etc); formal; informal; FUSION/COORDINATION; Provincial/local; Central police; NCB; Security intelligence service; Military intelligence; Other agencies – customs, MOFAT, Emergency management, etc; FUSION/COORD; Jurisdiction A, B, C; INTERPOL; ASEANAPOL; EUROPOL]

Some rules for sharing
Internal rules
• Share unless told otherwise: never assume the other person knows what you know
• Maintain, prioritise and update a menu of current intelligence issues and keep it distributed
• Replicate central office CMs with regional counterparts working to the region but responsible for reporting to the centre (can be either intelligence or operations, part or full-time)
• Intelligence manager to be on the main executive committees
• Intelligence to be provided on a regular basis including to the highest level with feedback provisions
External rules
• Always know and respect the rules and legal governance of the counterpart, but not to the extent of breaching your own rules and governance
• Understand the culture and sensitivities of the counterpart
• Use effective multilateral means where they exist (such as Interpol and Europol)
• Establish effective liaison networks – well worth the investment
• Use MOUs and other quasi-legal means
• Internalise cross-functional communications (ie go military-to-military, police-to-police etc)
