Two New Intel Publications

Posted on 21 March 2011 by


One of the goals of this publication is to help disseminate information to the law enforcement intelligence community. We’re not trying to set up a new book review site, but we have often found blogs that point to new research or publications to be very helpful. So we’re taking the idea out for a spin in what we hope will be a regular feature of the blog – let us know if you find it useful.

This week we’re writing about new reports from the National Academy of Sciences and the Air Force Air University.

The former looks at how we conduct intelligence operations in general, and the latter offers some new thinking about how our nation creates a deterrent to cyber attacks.

We welcome your comments.

Title: Intelligence Analysis for Tomorrow: Advances from the Behavioral and Social Sciences
Author: Committee on Behavioral and Social Science Research to Improve Intelligence Analysis for National Security; National Research Council
Publisher: National Academy of Sciences

We’ve said several times in the short history of this publication that one needn’t make enormous changes in order to have a significant impact: if we can positively impact by even 5% the metrics for success of intelligence operations, or intelligence gathering operations, we have a tremendous impact on issues that save lives.

This report succinctly and elegantly states some of the high-level challenges facing the intelligence community. It should be required reading for anyone with an interest in the process by which intelligence is created, or the sausage-making that sits behind any contemporary intelligence operation regardless of size. The authors highlight fundamental and systemic issues which, even if only half-heartedly addressed by us, can make a difference.

I think that, too often, the intelligence community makes decisions which treat as sacrosanct and permanent issues which are inherently ethereal or dynamic. In June, 2010, I presented at the Financial Information Security Decisions conference a talk on intelligence operations in large financial institutions, and one of the first slides discussed the all-too-common mistake of treating intelligence as a “thing” rather than a process; or that which is provided by a single source or group of known sources rather than a constantly morphing set of conditions and assets which are regularly reviewed for relevance. Similarly, and more specifically, this new report makes several statements which are, as soon as one reads them, obviously correct:

“…[C]urrent practices may undervalue raw cognitive ability (a stable characteristic) and overvalue historical or political area knowledge (a malleable characteristic).”

That is less earth-shattering than this next statement, which we believe is entirely correct but which may rock the worlds of uncreative administrators seeking the presence in a candidate of an arbitrary qualification rather than a skillset complementary to the tasks at hand:

The [Intelligence Community] may need to shift from proxy measures, such as having a college degree, to direct measures of cognitive ability, as there is generally substantial variation in the cognitive abilities of college degree holders even from the same institution. Direct measures with strong psychometric validation are readily available. Ignoring them will cause the IC to lose the opportunity to ensure the highest quality pool of human resources for its needs.

This jibes absolutely with something that a friend, now an intelligence analyst at a federal agency, posed as the very first question he ever asked when we met three years ago: “What’s your skillset?” No beating-around-the-bush, no bullcrap, just a straight-up demand for an accounting of my usefulness to a particular mission. That is the right way to do it.

The overriding point which I take from this, though, is that even seasoned intelligence professionals – career people with the best of intentions – fall victim to the same trap as rank amateurs in the intel game: an intelligence operation is never “done”. It must be constantly reviewed with courage and integrity.

Along the same lines, last week in our conversation with Andy Ellis on the PLI Podcast, Andy mentioned the iterative nature of the balance between what to share and what to hold back in the realm of corporate security. To constantly review the intelligence cycle, we must constantly challenge and examine ourselves. Training, too, is a cycle, not a product.

Training should not be viewed as an impediment to “getting work done,” nor should it be provided only to entry-level personnel. Instead, it must be seen as a career-long commitment, as much a part of the job as preparing analyses or providing guidance to intelligence collectors.

We’re just about to launch a blog post suggesting some concrete ways in which analysts and patrol officers might improve their communication and intelligence sharing. This stems from a discussion in our PLI Podcast with Eric Olson, about how cops’ hunches might be systematically harvested. One of the most important things Dave and I discuss is collaboration and partnership between analysis and patrol; analysis and investigations. We’re calling specifically for more ride-alongs and more informal discussions, which we aver lead to more communication and more formal intelligence sharing.

The NAS report states this very elegantly:

When people with heterogeneous backgrounds work together, their perspectives filter information in different ways, allowing more knowledge and solutions to emerge. Diversity can be sought in subject-matter expertise, functional background, personal experience, and mission perspective. Such sharing allows analyses to be richer and deeper, with better understood strengths and weaknesses, whereas individuals working in isolation are more limited by their assumptions and myopic about the limits to their own knowledge.

The report is free with registration, and we highly recommend reading it.

Title: Retaliatory Deterrence in Cyberspace
Journal: Strategic Studies Quarterly – Spring 2011
Author: Eric Sterner
Publisher: US Air Force Air University

When looking at the problem of cybercrime, I get frustrated. Not because it’s so hard to defend against it, but because it’s so hard to prosecute a war against those who attack us. It drives me crazy that even with attribution (that ability to say whodunnit), I can’t take that information and kick in a door and kick some ass. And even when we do kick the doors in, we’re often kicking in the wrong doors; those leading to victims or intermediary players.

Now with a more sober look at this topic, Eric Sterner gives a highly interesting overview of US cyber retaliation doctrine: its genesis and current state. I love that Sterner agrees with my basic “Pull-’em-through-the-vent-window” doctrine:

First and foremost, the United States must retaliate for malicious cyber behavior.

Now we can quibble about what that retaliation means. The big issues, of course, are how we retaliate, and who – that is to say, which agency – does it. On the one hand, you don’t want to inflate the value of cybercrime to that of a military conflict. Crime is crime; organized criminal gangs are responsible for financially motivated cyber attacks which are, I’d argue, more frequent, and potentially as societally disruptive as nation-state launched attacks against critical infrastructure.

But at the end of the day, a cyber criminal attacking critical infrastructure for the purposes of extortion or financial market manipulation is as destructive as an enemy nation-state attack against critical infrastructure for a range of reasons. Simply put, if the power plant goes down to an attack, it goes down to an attack. And obviously, nation states have contracted with criminal gangs to effect attacks. To my mind, this is a common enemy. So Sterner’s basic statement about the inappropriateness of a law enforcement response (even at the federal level) is probably spot on:

Today, US officials often consider punishing cyber aggressors through domestic law enforcement, largely because those means are readily available. Such tools are entirely inadequate… Other retaliatory options will be needed. Political, economic, and military means must be explored.

On the other hand, because many of the attacks are (as I said above) financial in nature, law enforcement is likely to have a great deal of intelligence on the tactics of the attackers that the military may not possess, or at least, have the intelligence gathered under a different contextual fabric, which itself could lead to different conclusions. Sterner recognizes that a new paradigm is likely needed precisely because the cyber deterrent doesn’t fall neatly into any particular camp.

Sterner does note how the Israeli model clearly differs from that of the US:

…Israel combined threats and actions to change the nature of the conflict in an attempt to create a better situation for itself. This “active deterrence” reflected a combination of the actual use of force and threats of force to achieve its security goals. Doron Almog offers an updated concept, dubbing it “cumulative deterrence.” For him, “cumulative deterrence is based on the simultaneous use of threats and military force over the course of an extended period of conflict.”

This is a great paper which forces intelligence and law enforcement professionals to confront some highly uncomfortable issues in a constructive manner.