«Table of Contents Table of Contents What is Intelligence? Intelligence or Counterintelligence Criminal Intelligence and Crime Analysis Data Types and ...»
Intelligence as an Investigative Function
CPP, CISSP, CSS, CPO, MBA
Intelligence as an Investigative Function Page 1
Table of Contents
Table of Contents
What is Intelligence?
Intelligence or Counterintelligence
Criminal Intelligence and Crime Analysis
Data Types and Sources
Open Source Data
Closed Source Data
Hidden in Plain Sight
Need to know, Right to know, and Third-party information sharing
Open Source Collections
Closed Source Collections
Analysis – Getting the most out of the information
Data Mining Software
Specialized Analysis Software
Training and Certifications
Sample Threat Assessment 12
Sample Practice Scenarios:
About the Authors
Intelligence as an Investigative Function Page 2 In our society today we hear regular mention in the news about “intelligence.” Unfortunately, many of those mentioning it are relatively unaware of the nature of “intelligence” or the role it plays in national defense, law enforcement, and security operations. Although intelligence is most commonly thought of in terms of national security, conjuring up images of CIA agents in trench coats standing in the shadows and spy-satellites relentlessly recording an adversary’s every action, it is none the less an important part of both law enforcement and private protection operations. So then what is intelligence, where does it come from, how is it used, and why is it important to an investigator? How can an investigator gain an understanding of the skills necessary for intelligence operations and what legal concerns exist for these activities?
First, how does intelligence relate to investigations and vice-versa? Intelligence and investigations utilize many of the same skills and techniques. Both utilize inductive and deductive reasoning to reach conclusions, but the single biggest difference is likely to be the nature of those conclusions. An investigator must present facts as they are received and discovered, while avoiding making final assumptions concerning culpability, liability or fault (Dempsey, 2003). All of these must ultimately be established by a legal or quasi-legal process, and may be based largely on the investigator’s work. An Intelligence Analyst must present their information with conclusions based on the information obtained. Analysts may be expected to provide probabilities that an event will happen at some point in the future. So another inherent difference is the purpose of the final product. An investigation report will most often be presented to a finder of fact, such as a jury, arbitrator, referee, and so on. However, intelligence reports will most often be provided to decision-makers to help guide future actions. In law enforcement, a well-formed intelligence function will help guide investigative activity by analyzing crime trends in the jurisdiction and any migrating activities heading toward the jurisdiction. In the National Security realm intelligence affects foreign policy and how nations interact. In the private sector intelligence is used for understanding the business environment, including the competition, and for improving protection efforts. For the sake of conceptual continuity concerning the private sector, we will not discuss competitive intelligence in any depth1, although it follows the same process, but instead we will consider only protective or enforcement intelligence operations.
To better understand our discussion and how it is presented here, there are a few distinctions that must be made concerning intelligence, who creates it and who consumes it. There are many reasons for collecting intelligence, with just a few being: national security, law enforcement, protective operations, and business or economic competition. Both government agencies and private entities may conduct collection efforts for any of these purposes with the most significant differences being their available resources and the different legal restrictions that each face.
With this in mind we will focus our discussion on law enforcement and protective operations.
However just as with investigations, it is not the context as it is the process that makes for worthwhile intelligence efforts.
Intelligence as an Investigative Function Page 3
Intelligence is a product created through the process of collecting, collating, and analyzing data, for dissemination as usable information that typically assesses events, locations or adversaries, to allow the appropriate deployment of resources to reach a desired outcome.2 Nearly every agency and textbook offers a different definition of intelligence; however they tend to agree on one point. Analysis! Intelligence cannot be called intelligence without analysis.
And herein is the single greatest difference between intelligence and investigations. Whereas an investigator will certainly analyze the facts of an investigation he or she should not provide any speculation outside of the facts. Conversely, the value of an intelligence analyst is not realized until they make such inferences. We cannot count on any one piece of data explicitly spelling out the intentions of a person or group, nor can we expect all relevant facts to be disclosed prior to anyone’s actions. As such, it takes an analyst to make an inference based on the available information as to the adversary’s future actions. To illustrate this let’s consider the relationship between data, information and intelligence.
Data is the fundamental building block of intelligence. It is the phone number gleaned from caller ID; the quote from a newspaper, all of the vehicles in your rear view mirror during a trip, the network firewall log, or the snippet of conversation overhead on a bus ride. Data is literally all around us constantly. It is precisely because of the disorganized nature of all of this data that before it can be very useful it must be developed into intelligence. With our relatively newfound ability to acquire, share, store and retrieve information through the Internet and our other networked information systems, the problem is often no longer whether we have the data we need but whether we can distinguish it from the rest of the available data.
Information is data usable or applicable to the current context. In other words, information is what remains after everything that is irrelevant is discarded. It is the phone number gleaned from caller ID and matched with a person known to dislike us or our charge, the presence of the same vehicle in your rear view mirror for much of a trip, or the portion of the firewall log identifying the specific IP address of our attacker. Information is the data that we will use as we refine our forecasts, predictions and estimates.
If an intelligence analyst were an
artist then the data would be the canvas, paints and brushes; the information would be the painted image, but the description of the finished image is the intelligence. The analyst does not create the intelligence; he or she interprets the information and provides an analysis as to its meaning. Just as the placing of the different colors and textures of paint are what the artist creates with the supplies available. In the truest sense an analyst will work with the information that is provided and not be involved in data collection. This can be found more often within government agencies; however in the private sector, where budgets, productivity, and investment return are deciding factors, the analyst is often required to be directly involved with collection efforts. This should not be discouraging since quite often private efforts are more narrowly focused and general involvement may add excitement to the work. A government analyst may be required to work with data and information acquired through many sources, while in the private sector there may only be a handful of researchers and other sources. Now let’s consider a few relevant distinctions before we move on to data collection.
Intelligence or Counterintelligence Even though the term counterintelligence is not used nearly as much by the media, it plays a significant role in an overall intelligence program. Loosely defined, counterintelligence is monitoring and interdicting your adversary’s ability to monitor and interdict your operations.
These are the “spy catchers” of national security programs. The role of counterintelligence is generally separated from intelligence in national security settings, but in the realm of law enforcement and private security any separation would be based on available resources. In some instances this may be not possible at all. The importance of discussing counterintelligence here is the recognition that any techniques of gathering information, legal and illegal, may be used against you and your organization. An extremely well developed counterintelligence program is capable of “feeding” disinformation directly to an adversary’s collection efforts while being aware of what “true” information has been collected. This creates phenomenal dangers to operations, and so the importance of protecting your own collection program and organization from hostile collection and infiltration should not be understated. The best collection program in one organization can be undermined by a strong counterintelligence effort in another organization when the analysis process is ultimately contaminated. Remember it is not safe to assume that your adversary will adopt as high an ethical threshold as you and your organization, so appropriate precautions should be taken to guard your organization from hostile collection efforts. This includes Competitive Intelligence in the business realm, which is used by businesses to gain information on their competitor’s products and services. That topic is beyond our scope here but should be considered one reason why an adversary would want confidential business information. For more information specific to competitive intelligence visit The Society of Competitive Intelligence Professionals’ website (www.scip.org) 3. Typically the programs and efforts used for preventing information leakage are referred to as Operations Security or OPSEC4. As we discuss the role of intelligence within protection programs and law enforcement also consider the parallel role of counterintelligence.
Intelligence as an Investigative Function Page 5 Criminal Intelligence and Crime Analysis Within Law Enforcement there are at least two different fields of analysis. The most common are criminal intelligence and crime analysis. Although the two are often grouped together in many settings and discussions, there are subtle differences. Crime analysis consists of the techniques and processes for studying crime patterns and trends, their affect on a jurisdiction, and any law enforcement response. Criminal intelligence, however, is more concerned with people, organizations and any relationships between them (IACA, 2005). Our discussion will continue to focus on the use of intelligence, rather than the specific organizational role of the analyst. Due to the similarity of the tools that may be used for either purpose, and that both work toward identifying future criminal events, a distinction will not be made here.5
Data Types and Sources
Data, the fundamental building block of intelligence, is collected via “sources” which can be broadly classified into two groups, open source and closed source. Open sources are those generally available to the public and closed sources typically are not available to the public. The concept is simple enough. From this, many may believe that closed source information is what everyone needs, and in some instances that may be true, however the bulk of intelligence is often derived from open sources. It may be hard to believe that a great deal of information is obtained through public sources. Open source information is more readily available, but its limitations are found in tight knit planning groups, criminal operations, and within classified government activities where public releases are not common. This should not indicate that open source information is not useful in these situations. Let’s consider this more closely.
It is important to note some of the legal differences in the United States between law enforcement intelligence and intelligence activities in the private sector. As a direct result of abuses over the last several decades, particularly during the Vietnam era, there have been several rulings concerning how law enforcement agencies are allowed to gather intelligence, for what purposes, and how these records must be maintained. In short law enforcement agencies may only collect intelligence on individuals or groups based on a criminal predicate or an articulated belief that future criminal actions will be committed. Agencies may not collect information based on race, ethnicity, political beliefs, religion, or other lawful characteristics (Carter, 2004).
Protecting civil liberties is an essential government responsibility in a free society, and as such collection efforts must be based on a “criminal predicate.” In the private sector, however, information collection is limited only by imagination, and by few legal constraints. These legal restraints most often deal with wiretap/eavesdropping laws, lying to government or financial institutions, and unlawfully acquiring protected credit data. There are other restrictions as well, and involved in collection efforts should be familiar with all state and local laws. Private investigators often have greater leeway in what information they may collect and how they may collect it. Whereas Law enforcement, in collecting information, takes the risk that its efforts may be attacked by civil libertarians when, for example, attempting to gain access to library circulation records. A private investigator, on the other hand, may be able to gain information through a phone call depending on local legal constraints and their personality.