McAfee Learnings

Cyber Intelligence

Defining Intelligence

There are many misconceptions about the meaning and application of “intelligence” — not only among the lay public but also within law enforcement. Colloquial uses of the term, such as “Officer Jones collected some good intelligence,” provide an intuitive understanding. These uses, however, lack precision and are unable to account for the diverse applications and rules associated with the intelligence function.

As a primer, there are two broad classes of intelligence, as illustrated in Figure 1-1. The first category is the “discipline” of intelligence, which refers to the set of rules, processes, and lexicon of the intelligence function. This Intelligence Guide is solely about the discipline of intelligence.

Within the framework of the discipline, there are three types of intelligence of concern for the present discussion which include:

  1. Law enforcement (or criminal) intelligence
  2. Homeland Security—also known as “all-hazards”—intelligence
  3. National Security Intelligence.

While there are important similarities across these three categories, there are also distinct differences. These critical factors are discussed throughout this Guide as they specifically relate to state, local, and tribal law enforcement (SLTLE) agencies.

Figure 1.1 Intelligence Analysis of Raw Information

The second broad class is the “application of intelligence,” which deals with knowledge related to a specific crime type. Intelligence analysis that produces information about new methods and indicators in the uses of improvised explosive devices (IED) by jihadists, for example, is the “application of intelligence.” Another illustration would be indicators drawn from an analysis of international financial transactions that are characteristic of a money-laundering enterprise. An essential ingredient for the application of intelligence is an understanding of the nature and constituent elements of the crime phenomenon of concern. For example, if a community is threatened by multi-jurisdictional gang activity that operates as a criminal enterprise, an understanding of the gang culture, signs, symbols, hierarchy, and other gang-specific characteristics is essential for analysts and officers to be effective in combating the crime problem. While the two classes of intelligence are inextricably linked for purposes of training and application, it is nonetheless essential to understand the unique aspects of each. With an understanding of the classes of intelligence, attention will be directed toward the definitions of each.

Law Enforcement Intelligence

This Guide uses definitions based on generally accepted practice and standards by the law enforcement intelligence community at the local, state, and tribal levels. This does not mean that other definitions of terms are wrong, but this approach provides a common understanding of words and concepts as most applicable to the targeted audience of this Guide.

Before defining intelligence, it is essential to understand the meaning of “information” in the context of this process. Information may defined as “pieces of raw, unanalyzed data that identify persons, organizations, evidence, events or illustrates processes that indicate the incidence of a criminal event or witness or evidence of a criminal event. As we will see, information is collected as the currency that produces intelligence.

The phrase “law enforcement intelligence,” used synonymously with “criminal intelligence,” refers to law enforcement’s responsibility to enforce the criminal law. Oftentimes, the phrase is used improperly and, too often, intelligence is erroneously viewed as pieces of information about people, places, or events that can be used to provide insight about criminality or crime threats. It is further complicated by the failure to distinguish among the different types of intelligence.

Diverse Information Collected for Intelligence Analysis

Pieces of information gathered from diverse sources, such as wiretaps, informants, banking records, or surveillance (see Figure 2-1), are simply raw data that frequently have limited inherent meaning.

Intelligence is when a wide array of raw information is assessed for validity and reliability, reviewed for materiality to the issues at question, and given meaning through the application of inductive or deductive logic. Law enforcement intelligence, therefore, is “the product of an analytic process that provides an integrated perspective to disparate information about crime, crime trends, crime and security threats, and conditions associated with criminality.” The need for carefully analyzed, reliable information is essential because both policy and operational decisions are made using intelligence; therefore, a vigilant process must be in place to ensure that decisions are made on objective, informed criteria, rather than on presumed criteria. Often “information sharing” and “intelligence sharing” are used interchangeably by persons who do not understand the subtleties — yet importance — of the distinction. In the strictest sense, care should be taken to use terms appropriately because, as will be seen in later discussions, there are different regulatory and legal implications for “intelligence” than for “information” (See Table 2-1) The subtleties of language can become an important factor should the management of a law enforcement agency’s intelligence records come under scrutiny.

2.1 Comparative Illustrations of Information and Intelligence national security intelligence

In understanding the broad arena of intelligence, some perspective of national security intelligence (NSI) is useful for SLTLE agencies. This primer is meant to familiarize the law enforcement reader with basic terms, concepts, and issues, and is not intended as an exhaustive description.

NSI may be defined as “the collection and analysis of information concerned with the relationship and homeostasis of the United States with foreign powers, organizations, and persons with regard to political and economic factors as well as the maintenance of the United States’ sovereign principles.” NSI seeks to maintain the United States as a free, capitalist republic with its laws and constitutional foundation intact, and identify and neutralize threats or actions that undermine United States sovereign principles.

NSI embodies both policy intelligence and military intelligence. Policy intelligence is concerned with threatening actions and activities of entities hostile to the U.S., while military intelligence focuses on hostile entities, weapons systems, warfare capabilities, and order of battle.
Since the fall of the Soviet Union and the rise of threats from terrorist groups, both policy and military intelligence have evolved to grapple with the character of new threats. The organizations responsible for NSI are collectively known as the Intelligence Community (IC).

The IC is a federation of executive branch agencies and organizations that work within their own specific mission as well as in an integrated fashion to conduct threat assessment and intelligence activities necessary for effective foreign relations and the protection of United States national security.
These activities include the following:

  • Collection of information needed by the President, the National Security Council, the Secretaries of State and Defense, and other Executive Branch officials for the performance of their duties and responsibilities;
  • Production and dissemination of intelligence related to national security and the protection
    of U.S. sovereign principles from interference by foreign entities;
  • Collection of information concerning, and the conduct of activities to protect against, intelligence activities directed against the U.S., international terrorist and international narcotics activities, and other hostile activities directed against the U.S. by foreign powers, organizations, persons, and their agents;
  • Administrative and support activities within the U.S. and abroad that are necessary for the performance of authorized activities such as foreign relations, diplomacy, trade, and the protection of interests of our allies; and
  • Such other intelligence and activities as the President may direct as related to national security and the U.S. relationship with foreign entities.

As seen in the definition and descriptions of NSI, there is no jurisdictional concern for crime.

As a result, constitutional restrictions that attach to criminal cases that law enforcement faces on information collection, records retention, and use of information in a raw capacity do not apply to IC responsibilities where there is no criminal investigation.

Figure 2-3: Law Enforcement and National Security Intelligence Authority Comparison

The lessons learned from this brief review of national security intelligence are threefold:

  1. State, local, and tribal law enforcement officers have no jurisdiction to collect or manage NSI;
  2. Use of NSI in a criminal investigation by a state, local, or tribal law enforcement officer could derail the prosecution of a case because of civil rights protections; and
  3. Use of NSI in a criminal investigation by an SLTLE officer and/or retention of NSI in a records system or in the personal records of an SLTLE officer could open the possibility of civil liability from a Section 1983 lawsuit.

Law Enforcement Intelligence Initiatives in the Post-9/11 Environment

Several important initiatives were spurred by the terrorist attacks of September 11, 2001, that have had a significant and fast effect on the evolution of law enforcement intelligence. The more significant developments occurring during this time are listed in Table 3-2.

In October 2001, about six weeks after the 9/11 attacks, the International Association of Chiefs of Police (IACP) held its annual meeting in Toronto, Ontario, Canada. During this meeting, the Police Investigative Operations Committee discussed the need for SLTLE agencies to re-engineer their intelligence function as well as the need for national leadership to establish standards and direction for SLTLE agencies. From this meeting, the IACP, with funding support from the COPS Office, held the Intelligence Summit in March 2002. The summit developed a series of recommendations, a criminal intelligence sharing plan, and adopted Intelligence-Led Policing.

The Global Justice Information Sharing Initiative (Global), a group funded by the U.S. Office of Justice Programs, was already in existence with the charge of developing processes and standards to efficaciously share information across the criminal justice system. In response to the IACP Intelligence Summit of 2002, Global created a new subgroup, the Global Intelligence Working Group (GIWG). The purpose of the GIWG was to move forward with the summit’s recommendations. The first GIWG product was the National Criminal Intelligence Sharing Plan.

Formally announced at a national signing event in the Great Hall of the U.S. Department of Justice on May 14, 2004, the National Criminal Intelligence Sharing Plan (NCISP) signified an element of intelligence dissemination that is important for all law enforcement officials. With formal endorsements from the DOJ, DHS, and the FBI, the NCISP provided an important foundation on which state, local, and tribal law enforcement agencies could create their own intelligence initiatives. The intent of the plan was to provide SLTLE agencies (particularly those that do not have established intelligence functions) with the necessary tools and resources to develop, gather, access, receive, and share intelligence.

Table 3-2: Significant Post-9/11 Law Enforcement Intelligence Initiatives

The NCISP established a series of national standards that have been formally recognized by the professional law enforcement community as the role and processes for law enforcement intelligence today. The plan is having a significant effect on organizational realignment, information- sharing philosophy, and training in America’s law enforcement agencies.

The NCISP also recognized the importance of local, state, and tribal law enforcement agencies as a key ingredient in the nation’s intelligence process and called for the creation of the Criminal Intelligence Coordinating Council (CICC) to establish the linkage needed to improve intelligence and information sharing among all levels of government. Composed of members from law enforcement agencies at all levels of government, the CICC was formally established in May 2004 to provide advice in connection with the implementation and refinement of the NCISP. Members of the CICC serve as advocates for local law enforcement and support their efforts to develop and share criminal intelligence for the purpose of promoting public safety and securing our nation. Because of the critical role that SLTLE play in homeland security, they must have a voice in the development of policies and systems that facilitate information and intelligence sharing. The CICC serves as the voice for all levels of law enforcement agencies by advising the U.S. Attorney General and the Secretary of Homeland Security on the best use of criminal intelligence as well as the capabilities and limitations of SLTLE agencies related to information sharing.

During the same period these initiatives were occurring, many states and regions somewhat independently were developing multi-jurisdictional intelligence capabilities to maximize the diverse raw information input for analysis and examine potential acts of terrorism that may occur within regions. The units, called “fusion centers,” were embraced by the DHS, which began providing funding to enable some of the centers to operate. The concept of “intelligence fusion” caught on rapidly as an efficient and effective mechanism for developing intelligence products. With recognition that other crimes, such as financial crime and weapons offenses, may have a nexus with terrorism, the centers’ foci broadened to include “all crimes.” Moreover, with the broad mission of the DHS, which was increasingly providing substantial amounts of funding, the fusion centers’ focus broadened further to encompass “all crimes, all hazards, all threats.” Recognizing the benefits of standardization to enhance the quality of work being done by the fusion centers, the GIWG created the Fusion Center Guidelines for developing a series of recommendations and good practices for law enforcement agencies that are participating in the intelligence fusion process. While primarily focusing on criminal intelligence, the Guidelines also give attention to the law enforcement information-sharing relationship with the private sector, as well as public safety issues related to homeland security intelligence.

The Intelligence Process (Cycle) for State, Local, and Tribal Law Enforcement (SLTLE)

Regardless of the type of intelligence, the single function that permeates all activities is the Intelligence Process (also known as the Intelligence Cycle). This process provides mechanisms to ensure the consistent management of information that will be used to create intelligence. This chapter is an overview of the Intelligence Process. Many of the issues introduced here will be discussed in detail in the remaining chapters of this Guide.

The Intelligence Process has been depicted in a variety of ways throughout the intelligence literature. The number of phases in the process may differ, depending on the model used, but the intent of each model of the Intelligence Process is the same:

To have a systemic, scientific, and logical methodology to comprehensively process information to ensure that the most accurate, actionable intelligence is produced and disseminated to the people who provide an operational response to prevent a criminal threat from reaching fruition.

The process applies to all crimes, whether terrorism, drug trafficking, gangs, or any other criminal enterprise. Indeed, the process also helps identify circumstances where there is a nexus between these different types of crimes.

To be consistent with established national standards, the model used in this discussion is the one prescribed in the National Criminal Intelligence Sharing Plan (NCISP). While often depicted as “steps,” in practice the different components of the process are phases, and there is a constant ebb and flow of information between phases as information is processed and shared. The Intelligence Process, therefore, is not a series of independent steps that are mechanically processed in an unbending sequential order; rather, it is a recipe for intelligence and information sharing that will frequently change according to the availability of “ingredients” and the “nutritional needs” of the consumer.

The Model of the Intelligence Process in the NCISP (Figure 4-1) has Six Phases:

1. Planning and Direction. 4. Analysis.
2. Collection. 5. Dissemination.
3. Processing/Collation. 6. Reevaluation.

Each phase may be broken down into sub-processes (Figure 4-2) that collectively contribute to an effective information management and analysis system.

Figure 4-1: Intelligence Process, NCISP

In many ways, the Intelligence Process acts like a radar sweep across a community. The process seeks to identify potential threats, determine the status of suspicious activity, and provide indicators of criminality so that operational units can develop responses.

Here’s an illustration of the ebb and flow of the Intelligence Process: An intelligence bulletin may describe certain indicators. An officer observes behaviors that are consistent with these indicators, collects further information that is processed through the cycle, thereby providing an analyst with more raw data to help refine the analysis.

When a more refined analysis is disseminated to operational units, the likelihood increases of providing more explicit intelligence that operational units may use to prevent a crime or a terrorist attack.

Figure 4-2: Intelligence Process and Sub-processes

As another illustration, an intelligence bulletin describes an emerging threat of Eastern European organized crime operating protection rackets in a major Midwestern city. A police officer working neighborhoods with large populations of Russian immigrants has noticed an increase in thefts and property damage to small businesses largely operated by immigrants. In light of the intelligence bulletin, the officer provides information to the intelligence unit that crimes reported as simple thefts and property destruction within this area of the city may, in reality, be symptoms of “enforcer” activities of Eastern European organized crime-protection schemes. The analyst corroborates the information with practices of the organized crime group in other cities and provides the additional information to officers in a revised bulletin. To be most effective, the Intelligence Process requires this ongoing two-way flow of information.

Planning and Direction

The intelligence function involves the coordination of many activities. Similar to intermeshed gears, there must be a plan for how each moving part will operate in concert with other elements and how the gears will collectively manage a change in the environment. The gears of the Intelligence Process are prioritized and synchronized in the first phase of the cycle:

Planning and Direction

Former FBI Executive Assistant Director for Intelligence Maureen Baginski often stated, “The absence of evidence is not the absence of a threat.” As part of the Planning and Direction process, it is important to recognize not only the threats that have been identified but also dynamic threats in which evidence indicating their presence may appear serendipitously. A threat may emerge within a jurisdiction or region for a wide variety of reasons; therefore, personnel must be trained to be vigilant in looking for evidence of threats (indicators). This, however, must be a pragmatic process.

While there is a common perspective that the Intelligence Process should take an “all- crimes/all-threats approach,” pragmatically, these threats are not “equal” and must be prioritized considering the probability of their presence and the nature of the harm they pose to a community. Threat prioritization is part of the “Direction” component of the first phase. This is done through ongoing threat assessments that are constantly refined by information that is processed through the Intelligence Cycle.

A threat must be assessed on multiple criteria as illustrated in Figure 4-3.

The first threat component is threat identification. When evidence of a threat is identified, the Intelligence Process must assess where the threat lies on a multivariate continuum of probability.

While quantifying a threat would add an element of precision, typically the variables related to a threat can be measured only on an ordinal scale; for example, based on qualitative data a judgment can be made on the relative value of a threat variable on a scale of 1 to 10.

As illustrated in Figure 4-4, the first two variables (A and B) measure the quality of the information.

The second two variables (C and D) measure the probable outcome of the threat. Combined, they provide guidance for decision-making.

A moderate assessment of the quality of information may produce a different operational response as the severity of the threat increases. As severity decreases, a higher quality of information may be desired before an operational response is made. This is basically a method to weigh risk/outcome tradeoffs.

Figure 4-3: Threat Assessment Components for Planning and Direction

The next step is a vulnerability assessment of probable targets. When a threat is identified, the universe of targets is typically narrowed. Regardless of whether the probable number of targets is large or small, some judgments can be made about how vulnerable the targets are. As vulnerability increases so do the seriousness of the threat. As an example, assume that a small group of eco-terrorists plans on fire-bombing the sales inventory of various automobile dealers who sell large trucks. Most dealership sales lots are easily accessible 24 hours a day. As such, their vulnerability increases and so does the threat. In a different scenario, assume that the same group of eco-terrorists plans to fire-bomb tanks at a military installation to protest fuel consumption and damage done to the environment by the tanks traversing their training range. In this case, target vulnerability is low because of the inaccessibility to the tanks on the military base and the ability of tanks to withstand Molotov cocktails should the intruders get near them. As should be apparent, target vulnerability is an important variable in any threat assessment.

Figure 4-4: Simplified Threat Assessment Illustration

Once threats and target vulnerability have been identified, a risk assessment is made. The risk is epitomized by the question: “What is the probable result if the vulnerability is exploited?” In the above illustration, the risk to the automobile dealers may be high and the risk to the military installation may be low; however, before a conclusion may be drawn on risk, more information is needed to corroborate judgments and determine if there are other, previously undiscovered, compounding factors. This process helps define further intelligence requirements—information that needs to be collected to better comprehend the threat.

Essentially, the threat assessment process seeks to make a distinction between whether an intelligence target is “making a threat” or “posing a threat.” This is obviously subjective; hence, as much information as practicable should be collected and analyzed on these three factors. In most instances, there will be insufficient information to make a meaningful assessment of each component of the threat assessment model. As a result, answers to the “requirements” questions will help clarify the threat picture. Obtaining additional information will increase the quality of intelligence by identifying and eliminating the error.

It should also be recognized that previously undefined threats may also emerge. Changes in the character of a community may stimulate new threats, the presence of a particular target may draw a threat, or the threat simply may appear as a result of the combined effect of many factors. The point to note is that law enforcement personnel must be trained to identify behaviors that are more than merely suspicious, record the behaviors with as much detail as possible, and forward this information to the intelligence analysts.

The importance of the threat assessment model in Planning and Direction lies within the ability to maximize resources and operational initiatives for those crimes and circumstances which pose the greatest risk to public safety and security. In many ways, the Intelligence Process looks for images through a lens that is out of focus. The two-way exchange of information helps focus the lens to understand if a threat is present and the degree of risk it poses. The Planning and Direction process constantly monitors changes in the environment and helps define changing priorities as well as new two-way information sharing needs.

Beyond resource issues, Planning and Direction require the identification of threat priorities to focus awareness training for officers on how to recognize all threats. It also requires policy and procedural mechanisms to make the organization sufficiently nimble to respond effectively to the changing threat environment. Just like the Intelligence Process itself, the Planning and Direction phase is characterized by an ebb and flow of information that provides insight so that the evolving threat environment can be managed efficaciously.

Collection

The collection is the gathering of raw information that will be used by analysts to prepare intelligence reports and products. As a way to better envision the Collection phase of the process, law enforcement personnel typically will gather information in five basic forms:
1. A response to intelligence requirements;
2. A response to terrorism or criminal indicators;
3. Suspicious Activity Reports (SAR) of activities observed by or reported to officers;
4. Leads that officers develop during the investigation of unrelated cases; and
5. Tips that may come from citizens, informants, or the private sector.

The response to intelligence requirements is information that is intentionally and specifically sought to answer certain questions. That information may be sought from open sources or may be a product of law enforcement methods, such as interviews, surveillance, undercover operations, or other law enforcement processes. A response to indicators would be law enforcement officers collecting information based on their observation of circumstances or behaviors they recognize because of information they gained from training and/or intelligence bulletins that describe such indicators.

Typically, indicators will include the signs and symbols of criminal activity such as graffiti, the symbol of an extremist group on a wall or a car, or unusual activity at a location that is consistent with threat activity described in an intelligence report. Typically, information collected from SARs is based on behavior observed by law enforcement officers who, relying on their training and experience, believe the individual may be involved in criminal activity in the past or the future, although a specific criminal nexus is not identified.

The term leads refer to information that officers develop about a probable emerging threat that is largely unrelated to the current investigation but comes to light during the inquiry. Tips reflect information that has been observed by citizens and submitted to a law enforcement agency for further inquiry.

The collection process must seek to establish a criminal nexus with any person or organization that is identified in criminal intelligence records. This nexus is referred to as a criminal predicate. The standard for that criminal predicate is reasonable suspicion that is more than a mere suspicion that the identified person is committing or is about to commit a crime. In practice, law enforcement agencies collect information on individuals where no criminal predicate exists. Examples are SARs, tips, and leads. This may appear to be a contradiction, but it is an inherent part of the Intelligence Process that has a remedy. The law enforcement agency has an obligation to determine if there is veracity to the criminal allegations found in SARs, leads, or tips. This is the purpose of the two-tiered “Temporary File” and “Permanent File” records system used for intelligence records. In practice, retention of collected information becomes the critical issue for demonstrating the criminal predicate.

The reader should note that care was taken to specify that the criminal predicate must be established when collecting and retaining information that identifies people or organizations. The critical point to note is that constitutional rights attach when identity is established.

The Intelligence Process will also seek to collect information about crime trends, methods of criminal operations, ideologies of extremists groups, and other non-identifying information that helps describe and explain criminal phenomena. The criminal predicate rule does not apply to these types of information because individuals are not identified.

A final issue of Collection—and the entire Intelligence Process—is operations security (OPSEC). OPSEC focuses on identifying and protecting information that might provide an intelligence target with clues to an inquiry, and thereby enable the target to thwart the inquiry. To protect the integrity of the intelligence inquiry, it is essential to maintain the security of collection sources, methods, and content.

Processing/Collation

This phase of the Intelligence Process, Processing/Collation, has four distinct activities, as illustrated in Figure 4-5. The first is to evaluate raw data from the collection phase to determine its utility for analysis. An assessment should first examine the reliability of the source of the information. Ideally, the individual who was the primary collector should record a statement of reliability. The importance of this assessment relates to the confidence level an analyst will give the information when making judgments during the analysis. The conclusion drawn by an analyst when using information derived from a completely reliable source will be different from a source deemed unreliable.

The next assessment during evaluation examines the validity of the raw information. Validity is epitomized by the question: “Does the information actually portray what it seems to portray?” Validity assessment may be done by the collector and/or the analyst. The collector may believe that if information comes from a reliable source and it is logical, then validity is high. Conversely, the analyst may have competing information that questions the validity. In such cases, the analyst should define intelligence requirements to collect additional information in order to gain the most accurate raw information for a robust analysis. The Intelligence Cycle, therefore, starts over, even though this is only the third phase.

Source reliability and information validity are often initially assessed using the ordinal scales. These rudimentary scales nonetheless provide important fundamental guidelines for intelligence assessments. As such, law enforcement personnel should be trained to provide these assessments when collecting information for the Intelligence Cycle. The next form of evaluation is to assess the method by which the information was collected to ensure that it meets constitutional standards.

Recommendation 6 of the NCISP states:

All parties involved with implementing and promoting the National Criminal Intelligence Sharing Plan should take steps to ensure that the law enforcement community protects individuals’ privacy and constitutional rights within the Intelligence Process.

One of the first issues of information collection is the assessment of the method used to collect the data. When a law enforcement agency is collecting information, it must follow lawful processes; for example, information collected about a person should be consistent with constitutional standards (including the four exceptions to the Fourth Amendment search warrant requirement). The issue of lawful collection methods is important for three reasons: First, it is a constitutional guarantee that law enforcement officers have sworn to uphold; second, if there is a criminal prosecution of the intelligence target, critical evidence could be excluded from trial if the evidence was not collected in a lawful manner; and, third, if a pattern emerges that information about individuals was collected on a consistent basis that does not meet constitutional standards, this may open the agency to civil liability for civil rights violations.

Figure 4-5: Processing and Collation Activities

Not only is this assessment of a professional obligation, it also is particularly important should the intelligence target be prosecuted. Once again, training should seek to ensure that the information was lawfully collected and the facts of the collection are carefully documented.

The third activity in the collation/processing phase is to integrate the new information with existing data. During this process, in consideration of all other information that has been collected, the following questions may be asked:
1. Does it meet the criminal predicate test?
2. Is the information relevant and material (as opposed to being just “interesting”)?
3. Does the information add new questions to the analysis?
4. Does the information need corroboration?
5. Does the information support the working hypotheses of the inquiry or does it suggest a new or alternative hypothesis?

The answers to these questions will help define requirements and directions for the inquiry. This process also includes organizing and indexing the data to standardize the data fields and enhance the ability to make accurate data comparisons.

A final activity during this phase is “deconfliction,” the processor system used to determine whether multiple law enforcement agencies are conducting inquiries into the same person or crime. This is accomplished in several ways, including using deconfliction information systems such as the National Drug Pointer Index (NDPIX) managed by the Drug Enforcement Administration (DEA). The deconfliction process not only identifies if multiple inquiries exist, but a system like NDPIX also notifies each agency involved of the shared interest in the case and provides contact information. This is an information- and intelligence-sharing process that seeks to minimize conflicts between agencies and maximize the effectiveness of the inquiry.

In sum, the Processing/Collation phase of the Intelligence Cycle is important for two reasons:

(1) It seeks to provide quality control of information through the process; and,
(2) It provides important insights into defining intelligence requirements.

Analysis

The analysis is the heart of the Intelligence Process. Entire books have been written on analytic methodologies and the critical thinking process. The intent of the current discussion is not to repeat this information, but to provide some insights into analytic responsibilities that will be of benefit to the intelligence consumer.

The analytic process is essentially the scientific approach to problem-solving. It is the use of established research methodologies—both quantitative and qualitative—that seek to objectively integrate correlated variables in a body of raw data in order to derive an understanding of the phenomena under study. It is synergistic in nature; the completed analysis provides knowledge rather than a simple recitation of facts. The outcome, however, is only as good as (1) The quality of the raw information submitted for analysis; and, (2) The quality of the analysis. Effective training, policy direction, supervision, and an operational plan for the intelligence function are essential for the analytic process to produce robust and actionable intelligence.

The phrase “actionable intelligence” has two fundamental applications for law enforcement. The first is tactical, wherein the output of analysis must provide sufficient explicit information that operational units can develop some type of response. In some cases that response is minimal, such as providing indicators of terrorism or criminal activity for patrol officers to observe. In other cases, it may involve a complex operational activity to make arrests. The second application of actionable intelligence is strategic, describing changes in the threat picture of a jurisdiction or region; that is, the intelligence may describe changes in crime types, crime methodologies, or both.

The output of the analytic process is a report, referred to as an intelligence product. During the course of the analysis, the intelligence analyst will prepare explicit inferences about the criminal enterprise in order to understand its effects. These are typically expressed in the form of conclusions, forecasts, and estimates that are explained in the products.

A conclusion, as the term infers, is a definitive statement about how a criminal enterprise operates, its key participants, and the criminal liability of each. A forecast6 describes the expected implications of the criminal enterprise, the future of the enterprise, changes in the enterprise or its participants, and threats that are likely to emerge from the enterprise. An estimate focuses on monetary effects, changes in commodity transactions, and/or likely future effects of the criminal enterprise; for example, profits from a new criminal enterprise, the economic losses associated with a terrorist attack, or the increase of contraband if new smuggling methods are used.

There are different consumers of intelligence, each of whom has somewhat different needs.

Line officers need to have information that concisely identifies criminal indicators, suspects, addresses, crime methodologies, and vehicles thought to be associated with a criminal enterprise. Administrators and managers need information about the changing threat environment that has implications for the deployment of personnel and expenditure of resources. Analysts need a comprehensive package of information that includes raw data sources, methods, and intelligence requirements. Intelligence reports that contain little more than suppositions, assumptions, rumors, or alternative criminal scenarios are not “actionable.”

Dissemination

An intelligence product has virtually no value unless the system is able to get the right information to the right people in a time frame that provides value to the report’s content.

Dissemination—or information sharing—seeks to accomplish this goal. Many issues could be discussed related to dissemination, including the various intelligence and information records systems, privacy issues, information system security issues, operations security of shared information, the means of dissemination, interoperability issues, and the Global Justice Data Standards. However, the intent of the current discussion is to describe the general philosophy and rules of intelligence dissemination.

Pre-9/11, the general philosophy of intelligence dissemination tended to focus on “operations security;” that is, intelligence records were not widely disseminated out of the concern that critical information would fall into the wrong hands, thereby jeopardizing the inquiry as well as possibly jeopardizing undercover officers, informants, and collection methods. While these issues remain important, the post-9/11 philosophy is radically different. Indeed, law enforcement seeks to place as much information in the hands of as many authorized people who need it to prevent threats from reaching fruition. Basically, the idea is that the more people who receive the information the greater the probability of identifying and interrupting a threat. Perhaps the critical question is, “Who is considered an authorized person?”

Right to Know and Need to Know

Even with this changed philosophy, important rules of dissemination seek:
(1) to protect individuals’ civil rights; and,
(2) to maintain operations security as needed.

To accomplish these goals, the first rules of dissemination provide criteria to determine who should receive the intelligence. The accepted standard has a two-pronged test:

1. Does the individual to whom the information is to be disseminated have the right to know the information? This is determined by the recipient’s official capacity and/or statutory authority to receive the information being sought; and

2. Does the recipient have a bona fide need to know the information? The information to be disseminated is pertinent and necessary to the recipient in order to prevent or mitigate a threat or assist and support a criminal investigation.

Intelligence products that provide information about criminal indicators and methodologies are intended to receive wide distribution so that officers are aware of these factors during the course of their daily activities. As a general rule, it can be assumed that anyone working in law enforcement meets the right-to-know and need-to-know tests for these types of intelligence. However, intelligence reports related to a specific criminal inquiry that identifies individuals or organizations would have a significantly more limited dissemination. While all law enforcement officers would have the right to know this information, only those officers working on some aspect of the inquiry have the need to know the information.

With the changing intelligence philosophy and the recognized need to involve the private sector and non-law enforcement government personnel in the ISE, the application of the right to know and need to know has changed somewhat from the pre-9/11 era. For example, anyone in law enforcement has the right to know intelligence (by virtue of his or her employment). Similarly, a member of the National Guard or a Department of Homeland Security (DHS) intelligence analyst working in a state fusion center would also have the right to know intelligence by virtue of his or her assignment, even though he or she is not a law enforcement employee. In yet a different application, the corporate security director of a nuclear power plant would have the right to know intelligence that is related specifically to the security director’s responsibilities of protecting the plant.

Once again, because of the new intelligence philosophy, a significantly broader range of law enforcement officers have the need to know intelligence. The rationale, as stated previously, is that all officers need to be aware of threats to increase the probability of stopping the threat. The need to know certain intelligence by non-law enforcement personnel should be determined on a case-by-case basis. For example, in all likelihood, there is no need for a DHS analyst to know intelligence related to auto thefts; however, the DHS analyst would need to know the information related to a criminal enterprise smuggling cocaine from Colombia because of the value of communications between the DHS analyst and other federal agencies such as the DEA or Immigration and Customs Enforcement.

Third Agency Rule

Another information-sharing restriction is found in what is commonly called the Third Agency Rule. Essentially, if an officer receives intelligence from an intelligence source (such as a fusion center), that officer cannot disseminate the intelligence to a third party without permission from the original source. As an example, Officer Adam receives intelligence from the Central Fusion Center.

Officer Adam cannot give the intelligence directly to Officer Baker without first gaining permission from the Central Fusion Center. This is a general rule—with some exceptions that will be discussed later—and it will be stated or applied differently between agencies. Consumers of intelligence need to be aware of the local applications of the Third Agency Rule.

There are two types of intelligence: (1) case intelligence; and, (2) intelligence products. Case intelligence identifies people, while intelligence products provide general information about threats and indicators. For case intelligence, it should be assumed that the Third Agency Rule is intact, while for intelligence products, it may be assumed that the Third Agency Rule is waived. Fundamentally, the reason is that when individuals or organizations are not identified in intelligence products, civil rights do not attach. Again, a review of agency policy will determine the exact applications of the rule locally. It should be emphasized that in law enforcement intelligence, both the right-to-know and need- to- know provisions as well as the Third Agency Rule, serve two purposes:

1. To protect individuals’ civil rights; and

2. To maintain operations security of intelligence inquiries.

Chapter Annex 4-1: Federal Bureau of Investigation Intelligence Cycle

This illustration is based on an actual case. It demonstrates the interrelationship between the two types of intelligence.

The FBI Intelligence Cycle

The Federal Bureau of Investigation (FBI) Directorate of Intelligence (DI) has significantly different intelligence responsibilities than state, local, or tribal law enforcement agencies. This difference is a result of its national criminal intelligence responsibilities and the FBI’s national security responsibilities. One model of the Intelligence Cycle is not “better” than the other; rather, they are just slightly different approaches based on different operational responsibilities. The following brief description of the FBI DI Intelligence Cycle will provide an understanding of the FBI’s approach and terminology that can be valuable for State, Local, and Tribal Law Enforcement (SLTLE) personnel when they are communicating with the FBI’s intelligence personnel.

The Intelligence Cycle is the process of developing unrefined data into polished intelligence for use by policymakers. It consists of the six steps described in the following paragraphs:

1. Requirements are identified information needs—what we must know to safeguard the nation. Intelligence requirements are established by the Director of National Intelligence according to guidance received from the President and the National and Homeland Security Advisors. Requirements are developed based on critical information required to protect the United States from national security and criminal threats. The Attorney General and the Director of the FBI participate in the formulation of national intelligence requirements.

2. Planning and Direction is the management of the entire effort, from identifying the need for information to delivering an intelligence product to a consumer. It involves implementation plans to satisfy requirements levied on the FBI, as well as identifying specific collection
requirements based on FBI needs. Planning and direction also is responsive to the end of the cycle, because of current and finished intelligence, which supports decision-making, generates new requirements. The Executive Assistant Director for the National Security Branch leads intelligence planning and direction for the FBI.

3. The collection is the gathering of raw information based on requirements. Activities such as interviews, technical and physical surveillance, human source operation, searches, and liaison relationships collect intelligence.

4. Processing and Exploitation involve converting the vast amount of collected information into a form usable by analysts. This is done through a variety of methods including decryption, language translations, and data reduction. Processing includes entering raw data into databases where the data can be used in the analysis process.

5. Analysis and Production is the conversion of raw information into intelligence. It includes integrating, evaluating, and analyzing available data, and preparing intelligence products. The information’s reliability, validity, and relevance are evaluated and weighed. The information is logically integrated, put into context, and used to produce intelligence. This includes both “raw” and finished intelligence. Raw intelligence is often referred to as “the dots”— individual pieces of information disseminated individually. Finished intelligence reports “connect the dots” by putting information into context and drawing conclusions about its implications.

6. Dissemination—the last step—is the distribution of raw or finished intelligence to the consumers whose needs initiated the intelligence requirements. The FBI disseminates information in three standard formats: Intelligence Information Reports, FBI Intelligence Bulletins, and FBI Intelligence Assessments. FBI intelligence products are provided daily to the Attorney General, the President, and to customers throughout the FBI and in other agencies. These FBI intelligence customers use the information to make operational, strategic, and policy decisions that may lead to the levying of more requirements, thereby continuing the FBI Intelligence Cycle.

The graphic below shows the circular nature of this process, although movement between the steps is fluid. Intelligence uncovered at one step may require going back to an earlier step before moving forward.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment

Michael Clayton wrote: Apr 8, 2019

A complete look of the various government intelligence systems used to accumulate and disseminate useful information for the protection of out nation.