7-11 The ‘how to’ of Intelligence


The ‘how to’ of intelligence –

evolution of the intelligence cycle


What this lecture will do

• Explain the implications for intelligence of the environmental changes covered in earlier lectures
• To recap, these are:
  - The diffusion of threat with the end of the Cold War
    * Threat is now no longer just military, security or criminal but often a mixture of all three
    * And is often both internal and external in origin
  - The changing role of technology
    * It has enabled real time or near real time interconnectivity between users of intelligence (whether decision makers or operational staff), analysts and collectors
    * OSI has given policy makers far more comprehensive sources

Re-cap: broad implications

• These two changes together mean that
  - The traditional step-by-step intelligence cycle is no longer applicable
  - Military, law enforcement and security intelligence need to be far more closely blended
  - One needs to be able to move from warning to action extremely quickly
    * Therefore intelligence needs to be in a constant relationship with decision makers and operational personnel, and
    * Since action is often highly localised, local authorities need to be fully involved in planning, providing and receiving intelligence
  - Intelligence needs to provide a service not only to preventive agencies (police, security agencies, military) but also to consequence management agencies (police, fire, hospitals, emergency services, utilities, etc)
  - New international cooperation mechanisms are needed. They need to account for different intelligence cultures and legal frameworks
  - Intelligence is no longer simply a service provider for operations and policy but is intimately involved in the operations and decision making processes
  - Intelligence is often second-guessed by decision makers and needs to provide a service to sift and organise vast amounts of OSI

Sherman Kent and the intelligence cycle

• Sherman Kent, in his post-WW 2 book, Strategic Intelligence for American World Policy, characterised intelligence as ‘knowledge’, organisation and activity
  - As discussed in the first lecture
• He saw the intelligence cycle as part of the activity phase and was the first to articulate it. He listed seven distinct phases, which are very close to a description of the scientific process of analysis

Kent’s intelligence cycle

1. The appearance of a problem requiring the attention of strategic intelligence staff - equivalent to the scientific question
2. Analysis of the problem to discover which facets are important to the business (in Kent’s case the security of the US)
3. Collection of data bearing upon the problem
   1. Involving a survey of data in hand
   2. And an endeavour to procure new data to fill the gaps
4. Critical evaluation of the data thus assembled with the intention of finding some sort of ‘inherent meaning’ (a series of possible hypotheses)
5. More collection of data along the lines of the more promising hypotheses
6. Establishment of one or more hypotheses as truer than the others – often referred to as the presentation phase

Traditional intelligence cycle

[Diagram: four boxes arranged in a cycle]
• Strategic decision-makers define requirement/act on finished product
• Intelligence managers develop collection requirements
• Collection managers collect according to requirement
• Analysts prepare reports and disseminate to clients based on collected material

The problem

• As we have seen, in a globalised, technological world, information is coming at us from all directions in massive quantities. Players both within and between organisations are connected in near real time vertically and horizontally.
• The problem for intelligence in such a world is to find technologies, methods and protocols for managing, analysing, assessing and sharing such information. The traditional intelligence cycle is not up to the job. In the words of Robert Clark:

Clark on the intelligence cycle

• “. . . the traditional cycle may adequately describe the structure and function of an intelligence community, but it does not describe the intelligence process. In the new world of information technology, the traditional cycle may be even less relevant. Informal networks (communities of interest) increasingly are forming to address the problem that Kent identified and enable a nonlinear intelligence process using secure Web technology.”
  - Robert Clark, Intelligence Analysis: A Target-Centric Approach (Washington DC: CQ Press, 2004) pp17-17.

Dealing with technology

• Technology is both a cause of the problem and provides tools to deal with it
  - Open source information (OSI) provides enormous data streams, but not all of those data are sound
    * It enables policy makers to anticipate or ‘second guess’ intelligence agencies
      • But intelligence services are required to assess those data and combine them with more traditional sources like signals intelligence and human intelligence
      • The need to merge multiple data streams requires data warehouses, ‘knowledge management tools’ and search engines over those data bases
  - Vertical and horizontal near real time communications within and between organisations renders the stage-by-stage concept of the intelligence cycle meaningless
  - This is, essentially, an information management issue

‘Real time’ intelligence cycle

[Diagram: the same four boxes as the traditional cycle, now arranged around OPERATIONS at the centre]
• Strategic decision-makers define requirement/act on finished product
• Intelligence managers develop collection requirements
• Collection managers collect according to requirement
• Analysts prepare reports based on collected material

A network and target-centric approach to intelligence - 1

[Diagram with the boxes “Problem (customers)”, “target” and “Information Sources (collectors)”, and the flow labels “Needs, new information”, “Analysis: gaps, requirements”, “Analysis: answers, actionable intelligence” and “New information”]

Problem: how does intelligence select the target?
What of Rumsfeld’s known and unknown unknowns?

Source: Clark, Intelligence Analysis, p 18

A network and target-centric approach to intelligence - 2

• This model is networked, inclusive and collaborative rather than hierarchical and segmented, with all players contributing to the construction of the model – including the client
• It helps alleviate the modern problem of information overload because all players have a concept of what is useful to the construction of the model
• Integration assists operations because a good mental model of the target is essential for operations (he gives the example of a Predator drone working to identify a BMP full of Taliban in Afghanistan, then calling in an AC-130).
• Supports the view of target as system (comprising structure, function, process)
  - A system is defined by components and the relationship between components (Clark pp18-21) – thus starting to embrace the Clausewitzian paradigm. It is fluid rather than static
• Knowing where to attack a system is the essence of EBO and ILP

Problem

• How do we:
  - Define the intelligence problem;
  - Manage the intelligence process?
• Despite what Clark says about the virtues of interconnectedness, we still need a ‘system of systems’ over the top to make things work
• And the rest of the lecture will deal with these issues

Defining the problem

Rumsfeld on threat

The Unknown
As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.
—Rumsfeld, Feb. 12, 2002, Department of Defense news briefing

Rumsfeld in graphics

[Diagram with the labels: ROC; car rebirth; OMG; heroin; people smuggling (A/ports, Fujianese; SIEVs, Afghans); major bank fraud; “That which we know we don’t know”; “That which we don’t know we don’t know”]

Rumsfeld in steps

1. Organise and assess what you do know
2. Identify from that what you know you don’t know (and need to know)
3. Develop an ICP for filling those gaps
4. Use what you now know to assess possible ‘unknown’ threat
   1. For example encountered in other times or places
   2. Or generated by new conditions (drivers)
      1. Environmental scan
5. Examine your risks
6. In light of #4 and #5, develop an ICP to fill that gap

Organise and assess what you know

[Diagram with the labels: “Environmental scan”; “Initial problem analysis: scan + existing threat”; “menu of threat ICP”; “put menu to policy”; “Agreed menu of ICP”]

The environmental scan

• Focus down on your business
• Use counterpart agencies (domestic and international) and OS to assess threats elsewhere
• Assess drivers of change relating to the threat environment in:
  - Technology
  - Society (demographics, immigration, social trends)
  - Economy
  - Counterpart support agencies
  - Legal framework
  - How has the region changed
  - How do all the above changes affect the ‘known’ enemy
• Assess your own capacity (remember Sun Zi)
  - Resources, skills, morale
• In light of above, determine risk

The ICP

• Should identify
  - Gaps in information
  - Counterpart agencies for filling those gaps
  - Personnel and areas in your organisation to capture the information
  - A collection manager for each threat
  - Intelligence sources for specific information needs
  - A timeline for activities
  - A feedback loop for participants
  - A database for information retention
  - Tools for analysis
  - Cross-cutting issues
  - Warning indicators concerning the threat
  - Budget and other resources to do the work

Evaluating incoming evidence

• We need to
  - Evaluate the source
    * Is the source competent?
    * Did the source have the access needed?
    * Does the source have a vested interest or bias?
  - Evaluate the means of communication
    * Accuracy always decreases with the length of the communication chain (primary source; secondary source;
    * ‘X is a possibility’ becomes ‘x may be true’ becomes ‘x probably is the case’ [see Butler report on Iraq WMD]
  - Evaluate the evidence itself (usually against what is already known)
    * Credibility, reliability, inferential force
      • Credibility: fact information; direct information; indirect information
    * Clark, Intelligence Analysis, p 101-110

So-called ‘Admiralty Scale’

• Reliability (how reliable is the source?)
  - "A" - always reliable
  - "B" - usually reliable
  - "C" - fairly reliable
  - "D" - not usually reliable
  - "E" - unreliable
  - "F" - reliability cannot be judged
• Credibility (how credible is the evidence?)
  - 1 - Confirmed by Other Sources
  - 2 - Probably True
  - 3 - Possibly True
  - 4 - Doubtfully True
  - 5 - Improbable
  - 6 - Truth Cannot be Judged

Indicators and Warnings

• They are usually controversial since they are difficult to identify yet may require sudden and committed executive action
• Obviously, they are only any use if they are used
• They should
  - Be readily identifiable by collection managers
  - Be flexible as the situation evolves
  - Be early enough to enable executive action
  - Be late enough to be interesting to the Executive
  - Be agreed to be indicators by all the stakeholders
    * Class: what would be a good indicator for a bird flu pandemic?
    * For an impending energy crisis
  - I and W’s are far more difficult to identify for non-traditional threats than war – witness 9/11

Ways of capture

• Open source
  - Internet
  - Academic
  - Press
  - O/S databases
• Humint
  - Interrogation
    * Note this can relate both to the enemy and one’s own people
  - Under cover (spying)
  - Informant
  - Surveillance
• Techint
  - Sigint
    * Phonetap
    * Signals
    * LDs
  - Imint
  - Elint
    * Telemetry
    * Masint
      • ‘measurement and signature intelligence’
    * TDs
    * Remote sensing devices

Ah . . . But I hear you say

• These methods seem to be sequential rather than simultaneous and on-going
  - Didn’t you say the sequential intelligence cycle is dead?
• I did, and it is. The intelligence problems can be permanently maintained and updated – indeed that is the core function of intelligence
  - You can even have a collection manager for emerging and new threats
    * And take old threats off the ‘menu’ so that intelligence is not over-worked to no effect
• The forthcoming models will show how this can happen in a managed way

Information management models

• Between organisations
• Within organisations

The emerging role of IT in intelligence integration

• In the words of Herman (see notes below)
  - The three stages of interoperability, integration and interdependence are achievable through three mechanisms
    * A blueprint for centralised guidance and
    * decentralised execution
    * Dedicated funds to support progress in core activities
• Herman counter-terrorism p 49 [quoting Victor deMarines ‘Exploiting the Internet Revolution’ in Ashton Carter and John White Managing Defense for the Future (Cambridge, MA/London: MIT Press 2001)]

Technical protection of data

[Diagram: organisation X containing three data areas, A, B and C]

Rules for sharing:
• All those in organisation X with access to C have access to B and A
• All those in organisation X with access to B have access to A but not to C
• All members of organisation X have access to A
• Should a member of organisation X without access to C seek access to an entity listed in C, the system manager of C will be alerted
• Some members of organisation Y (pre-defined) have access to A but not B and C
• etc

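The sharing rules above, written out as an access check. This is an added example, not part of the original slides: the class and function names, the sample entities and the users are constructed for illustration, and denying unlisted members of Y and unknown entities by default is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Tiers in organisation X, lowest to highest. Holding a tier implies all lower
# ones: C gives B and A, B gives A, and every member of X holds at least A.
TIERS = ("A", "B", "C")

@dataclass(frozen=True)
class User:
    name: str
    org: str                          # "X" or "Y"
    clearance: Optional[str] = None   # highest tier held within X, if any

@dataclass
class SharingSystem:
    catalogue: dict                        # entity name -> tier it is listed in
    y_allowlist: frozenset = frozenset()   # pre-defined members of Y
    alerts: list = field(default_factory=list)  # queue for C's system manager

    def tiers_for(self, user: User) -> set:
        if user.org == "X":
            top = TIERS.index(user.clearance or "A")
            return set(TIERS[: top + 1])
        if user.org == "Y" and user.name in self.y_allowlist:
            return {"A"}                   # A but not B and C
        return set()                       # assumption: anyone else is denied

    def request(self, user: User, entity: str) -> bool:
        tier = self.catalogue.get(entity)
        if tier is None:
            return False                   # assumption: unknown entity is denied
        allowed = tier in self.tiers_for(user)
        # Rule 4: a member of X without C access seeking a C-listed entity
        # is refused and the system manager of C is alerted.
        if not allowed and tier == "C" and user.org == "X":
            self.alerts.append((user.name, entity))
        return allowed

def demo():
    # Constructed sample data: three entities, one per tier, and five users.
    system = SharingSystem(
        catalogue={"port-manifests": "A", "case-notes": "B",
                   "source-identities": "C"},
        y_allowlist=frozenset({"yara"}),
    )
    users = [User("alice", "X"), User("bob", "X", "B"), User("carol", "X", "C"),
             User("yara", "Y"), User("zed", "Y")]
    decisions = {(u.name, e): system.request(u, e)
                 for u in users for e in system.catalogue}
    return decisions, system.alerts

if __name__ == "__main__":
    decisions, alerts = demo()
    for key, ok in decisions.items():
        print(key, "ALLOW" if ok else "DENY")
    print("alerts to manager of C:", alerts)
```

The alert list is kept separate from the allow/deny decision so that a refused request for C material is reported to C's manager without telling the requester anything beyond the refusal.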
Some IT tools

• Types of tools:
  - Communication tools
  - Data access and management tools
  - Knowledge-management tools
  - Process management tools
• Note: None of the items above is exclusive. For example, the AFP’s PROMIS includes email, data warehousing and access, case management and intelligence (knowledge) management tools. It dictates process by taking the user through a series of mandatory steps. It manages access and security.

Data storage and mining

• Serious ethical issues, mainly to do with privacy
• Often involves HOG and this requires very good management
• And often a cross-over between intelligence types and cultures
  - Such as between national security, security and law enforcement

Data mining setup - 1

[Diagram: a shared data warehouse fed by four agencies. Each agency can go direct into the warehouse.]
S = security
P = police
C = customs
I = immigration

Data mining setup - 2

[Diagram: the same warehouse, with access passing through a managing committee and filtration tools]

Some typical filtration rules

• No agency can know what it is not permitted to know by the laws that govern it
• No agency can know what it is not permitted to know by the laws governing other agencies
• No agency can know what it is not permitted to know by other national laws

The fusion centre model

[Diagram: police, customs, security, immigration and other agencies feed a central FUSION element. Input: data, intelligence. Output: reports, intelligence.]
P - police
C - customs
S - security
I - immigration

The role of fusion – the US model

Information management within organisations

• Distributed model
  - In which all members of the organisation are involved in developing information
  - And extracting information/intelligence
• Centralised model
  - In which specialist intelligence units organise information
  - And extract finished product from it to provide to clients
• Mixed model
  - In which a specialist intelligence unit extracts intelligence from a distributed information system
  - Or all members can extract information from a system maintained by intelligence

Simple distributed model

[Diagram: participants P1 to P8 arranged around a central database]

Centralised model

[Diagram: “Information in” from operations teams (P1, P2) to the intelligence unit and database; “Intelligence out” as intelligence product to operations teams (P4, P5), management and the external client]

Mixed model

[Diagram with the labels: intelligence unit; intelligence database; specific intelligence; external sources; organisation (P1 to Pn); database]

‘Use it or lose it’

• Intelligence producers should not remain isolated from the mainstream of their organisation
  - If they remain isolated, their intelligence is unlikely to be current or useful to the user
  - The most famous example of non-use of intelligence is Pearl Harbour
• Intelligence personnel need a constant relationship with their clients in policy and operations and a constant feed of information from operations
• On the other hand, with a decentralised model, unless there is a rigidly adhered set of rules, intelligence is often subsumed by seemingly more important activities such as policy or operations
• This suggests some kind of mixed model is most appropriate

Mixed model - managing information collection and flows

[Diagram: the Executive, intelligence management, strategic intelligence and the database/s, linked to collection managers CM1 to CM5, their operational counterparts OCM1 to OCM5 in OPERATIONS, a targeted issue and the external environmental scan. Recoverable labels:]
• Executive: provides direction to Intelligence Management based on corporate needs and intelligence advice
• Intelligence management: establishes ICPs based on intelligence inputs and views of Executive, and appoints a collection manager for each priority
• Collection managers: monitor counterpart CM in ops. and external
• Strategic intelligence: monitors external developments; issues advice to Executive on nature of threat; conducts environmental scans, recommends new ICPs based on intelligence inputs

International sharing of intelligence

“The merging of ‘domestic’ and ‘foreign’ intelligence is even more complete now than in earlier, more geographically constrained campaigns such as those against the IRA”
Michael Herman, “Counter-Terrorism, Information Technology and Intelligence Change”, Intelligence and National Security, Vol 18, No 4 (winter 03) p43

Intelligence sharing: old paradigm

[Diagram: law enforcement and security shown separately, each with domestic and international parts and a shared portion]

Intelligence sharing: a new paradigm – mix and match both domestically and internationally

[Diagram: a single area labelled “Shared intelligence”]

Problems with intelligence sharing

• Intelligence is intrinsically difficult to share, and doubly so internationally
  - For cultural factors
  - Security factors
  - For legal factors

Between agencies

• Cultural factors
  - Just as we have different national cultures, we also have different ‘intelligence’ cultures. These differences can make it difficult to share and mean the same thing
  - They occur not only between countries, but also between agency types – ie police share with police but are reluctant to do so with other agencies. We sometimes hear reference to the international ‘brotherhood’ of police
    * On the latter point, it may be better to liaise between like and like externally and like and unlike internally

Security factors

• Security factors
  - In some jurisdictions there is no separation between security and military intelligence
    * eg Burma’s DDSI
  - Those jurisdictions in which there is a clear demarcation will be reluctant to share if they think criminal or security intelligence might be misused for military purposes
    * Or, for that matter, criminal intelligence misused for political or security purposes

Legal factors

• Legal factors
  - Privacy
  - Intelligence and human rights; use of death penalty
  - Separation of powers; different legal systems
  - Need for parallel offences

International law framework for sharing

• Extradition treaties and mutual legal assistance treaties (MLATs) need parallel offences in the sending and receiving jurisdictions
  - They can often be sensitive due to different cultural attitudes to crime
• The United Nations Office on Drugs and Crime (UNODC) offers a mechanism for international sharing of intelligence through its Palermo Convention (UN convention against transnational organised crime, 2000)
  - But this requires that
    * Both sides be signatories and states parties
    * Both sides have parallel law
• Interpol
• Regional and ad hoc mechanisms

Europol – an international fusion centre

Each national unit and liaison unit is subject to national law in respect of how material is handled

[Diagram: the Europol database (terrorism, drugs, immigration, etc) connected to German, UK and French liaison units; the UK liaison links to the UK national unit and the UK jurisdiction across a legal and IT ‘firewall’]

Strategic analysis unit analyses product according to crime threats



Interpol

• Basically, an international policing communication and intelligence system
• Similar in structure to Europol, in that cutoff is achieved by all information passing through a National Central Bureau
• There are, in addition, 25 articles to ensure that Interpol information is properly handled
• However, both Europol and Interpol relate only to criminal intelligence

[Diagram: requesting country, NCB, Interpol, NCB, receiving country]

Implications for intelligence architecture

[Diagram with the labels: USA (target); Singapore (transit); Thailand (transit); PRC Gov, Beijing, Shanghai; Pakistan Govt, Karachi, Peshawar; travel; communication requirements]

Hypothetical intelligence exchange requirements at Beijing Olympics


Hypothetical cooperative framework

[Diagram with the labels: Site (fire etc, police, crowd control); FUSION/COORDINATION; formal and informal links; Jurisdiction A (provincial/local police; central police; NCB; security intelligence service / military intelligence; other agencies – customs, emergency management, MOFAT, etc); B; C; INTERPOL; ASEANAPOL; EUROPOL]

Some rules for sharing

• Internal rules
  - Share unless told otherwise: never assume the other person knows what you know
  - Maintain, prioritise and update a menu of current intelligence issues and keep it distributed
  - Replicate central office CMs with regional counterparts working to the region but responsible for reporting to the centre (can be either intelligence or operations, part or full-time)
  - Intelligence manager to be on the main executive committees
  - Intelligence to be provided on a regular basis including to the highest level with feedback provisions
• External rules
  - Always know and respect the rules and legal governance of the counterpart, but not to the extent of breaching your own rules and governance
  - Understand the culture and sensitivities of the counterpart
  - Use effective multilateral means where they exist (such as Interpol and Europol)
  - Establish effective liaison networks – well worth the investment
  - Use MOUs and other quasi-legal means
  - Internalise cross-functional communications (ie go military-to-military, police-to-police etc)
