Chapter 2

What is intelligence?

Abstract

This chapter begins by identifying a useful definition of intelligence before delving into the intelligence cycle and the different types of intelligence. The chapter also discusses the transformation of intelligence into a profession, separated from political influence. It ends by touching on some of the great masters of intelligence throughout the ages.

Keywords

Intelligence
intelligence cycle
operational intelligence
tactical intelligence
strategic intelligence
denial and deception
Sun Tzu
Julius Caesar
George Washington
Bletchley Park

Information in this chapter
Defining Intelligence
The Intelligence Cycle
Types of Intelligence
The Professional Analyst
Denial and Deception
Intelligence Throughout the Ages

Introduction

Intelligence is just starting to come into its own within the realm of cyber security, but intelligence as a discipline has a long history in the world of the military and government. In fact, intelligence has existed since before it was a formalized discipline. As discussed later in this chapter, leaders like Sun Tzu and Julius Caesar had very rigorous and well-documented intelligence processes that they followed. These processes contributed greatly to their success – and allowed other leaders to learn from them.
Likewise, today there are many security teams that, knowingly or unknowingly, engage in many of the best intelligence practices. But most of the time, intelligence practices are haphazardly implemented without an eye to the big picture.
The goal of this chapter is to help the reader understand some of the best intelligence practices outside of the realm of network security. By first understanding the fundamentals of intelligence as a discipline, organizations can adopt those practices to improve the effectiveness of their network security teams.
A single chapter is not enough to cover all aspects of the intelligence discipline, or to dive deeply into any one topic. Instead, the hope is to start a discussion about changing the way network security is thought of within an organization and improve the ability of teams to effectively address the most important challenges facing their organization.

Defining intelligence

Despite the fact that the military and governments have engaged in intelligence activities for thousands of years, there is surprisingly little consensus about the definition of intelligence. A quick review of literature shows a range of definitions, none of which seems complete.
The CIA defines intelligence as (CIA, 1999):

Reduced to its simplest terms, intelligence is knowledge and foreknowledge of the world around us — the prelude to decision and action by US policymakers.

On the other hand, the FBI uses the following definition (FBI, 2014):

Simply defined, intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions – specifically, decisions about potential threats to our national security.

The Department of Defense (DOD) defines intelligence as (DOD, 2014):

The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.

The FBI and DOD definitions of intelligence view intelligence as either a product or a process, and there is no doubt those are important parts of the definition, but they are also limiting. The CIA definition is broad, maybe even too broad, but it takes into account that intelligence involves understanding the context of the data collected.
The definition of intelligence has been debated in scholarly journals for years. One problem in creating a more focused definition is that different groups have different uses for intelligence. A military commander in the field has different needs than a legislative body attempting to write policy based on intelligence.
Whatever the role of the end user, intelligence, at its core, is information. However, not all information is intelligence. As Michael Warner (2007) writes in Wanted: A Definition of “Intelligence”: Understanding Our Craft, “For producers of intelligence, however, the equation ‘intelligence = information’ is too vague to provide real guidance in their work.” After his review of the literature, Warner (2007) comes up with the following definition:

Intelligence is secret, state activity to understand or influence foreign entities.

This gets pretty close to a workable definition, but it ignores the fact that not all intelligence is secret. Especially in the age of Google, open source intelligence (OSINT) has become a critical tool in the arsenal of the intelligence analyst.
Gill and Phythian (2012) noticed the same deficiency in Warner’s definition and they expanded on it in their book Intelligence in an Insecure World with the following:

Intelligence is the umbrella term referring to the range of activities – from planning and information collection to the analysis and dissemination – conducted in secret and aimed at maintaining or enhancing relative security by providing forewarning of threats or potential threats in a manner that allows for the timely implementation of a preventive policy or strategy, including, where deemed desirable, covert activities.

Although this definition is longer than Warner’s, it is more complete and it makes an important distinction: what data is being collected should be kept secret from the enemy, but the data itself does not necessarily have to be secret.
Even though Gill and Phythian’s proposed definition is among the most complete, there is still a nagging problem with all modern definitions of intelligence: the focus is only on the external. Stepping back from modern definitions for a second, Sun Tzu (2012a), who is often quoted by network security professionals, wrote the following in The Art of War:

Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles.

A well-run organization cannot have an effective intelligence program without a complete and honest assessment of its own strengths and weaknesses. Not only is that assessment critical, it should be performed on a regular basis – this allows leaders to make informed decisions as to the best preventive policy or strategy.
Without attempting to rewrite the definition of intelligence, keep in mind that knowing what is happening within an organization, or even a country, can be just as important as knowing what is happening outside it.

The intelligence cycle

To create a successful intelligence program, an organization needs a framework within which it can operate. A framework helps to establish the ways in which intelligence will be gathered and delivered. It should be open enough to operate in multiple environments and timeframes, and be usable by different groups in the organization. At the same time, it should be restrictive enough that it fosters a professional environment with clearly defined roles.
Most organizations use a variation of the intelligence cycle outlined in Figure 2.1 as their framework for building and maintaining an intelligence organization.
Figure 2.1 The intelligence cycle.
The intelligence cycle in Figure 2.1 works because it has clearly defined roles built around a specific mission. The model is also portable enough to be used for both large-scale and small-scale missions, often simultaneously. The mission could be as broad as “Protect the United States” or as narrow as “Determine al-Shabaab’s Weapons Capabilities.” Note that the two missions are not necessarily mutually exclusive: learning more about the weapons capabilities of the terrorist group al-Shabaab could increase the security of the United States. One intelligence cycle can inform other cycles.
Another important aspect of the intelligence cycle is that it is intentionally designed as a circle, because the cycle is continuous. Once the mission has been assigned, planning and direction are handled by the organization’s leaders. Data is collected, processed, and delivered to an analysis team for review, which publishes its findings to the required parties. The results of the intelligence analysis drive new intelligence requirements, which lead the leadership to task the collection team to begin gathering data, and the process continues.
In addition to being a continuous loop, there should also be feedback from different groups within the organization throughout the process. A well-run intelligence organization does not rely on leadership to facilitate communication between the various teams. For intelligence teams to operate effectively, there has to be open communication and information sharing between the teams – teams that are working on the same mission as well as teams that have a different mission.
The intelligence cycle starts, ends, and starts again with planning and direction. The planning and direction team are the managers of the entire intelligence cycle. This phase involves receiving requirements from policy makers or military officials, or building new requirements based on the feedback from previously released intelligence. The team uses the mission and the direction from the consumers of the intelligence to produce intelligence requirements that get passed on to the collection team.
The collections team is responsible for carrying out the requirements passed on from the planning and direction team. Members of this team are responsible for devising systems that meet the collection needs of the planning and direction team. There are six different areas of intelligence collection:
SIGINT: Signals intelligence – data collected, usually surreptitiously, from electronic systems.
OSINT: Open source intelligence – publicly available data from news sources, radio, or the Internet.
HUMINT: Human-sourced intelligence – intelligence collected from human sources, wittingly or unwittingly.
IMINT: Imagery intelligence – data collected via images, whether those images are photographs, a radar screen or some other method of representation.
GEOINT: Geospatial intelligence – intelligence gathered from satellite, drones, and other sources that track security-related activity around the planet and derive intelligence from those movements. Often closely associated with IMINT.
MASINT: Measurement and signature intelligence – almost a catchall, MASINT is derived from sources that do not fall into SIGINT or IMINT, such as radio frequencies.
At this point in the intelligence cycle, no intelligence has been created. Rather, the collections team is responsible for collecting information, with little or no filter applied to the gathered data. The sole responsibility of the collection team is to fulfill the intelligence requirements by gathering as much data as possible and passing that data to the processing and exploitation team.
The processing and exploitation team is responsible for the first filtering of the data collected by the collections team. This may require translating information, transcribing data, decrypting data, or converting the data into a format that the analysts are able to read. The processing and exploitation team acts as a conduit between collections and analysis, as well as being the first attempt at filtering the amount of data received.
The analysis and production team is responsible for sifting through the raw data gathered by the collections team and building a narrative around an event, activity or group. It is a very challenging job because it often requires piecing together fragments of disparate data collected from a range of sources and determining what is really happening. Analysts are experts in their field and have the ability to take complex situations and information and distill it to the point where a lay audience is able to understand the nuances of an event, group, or action.
The next stage is dissemination. Once intelligence has been produced and gone through the vetting process it is considered finished intelligence (FINTEL for short). FINTEL cannot sit in a vacuum; it must be distributed to the original consumers as well as to other groups that have a need to know the information contained within the FINTEL.
By definition, the intelligence cycle does not end with dissemination of information. Upon receiving FINTEL, consumers of that intelligence should have additional questions or requests for refinement of the results. It is these requests that drive additional intelligence requirements, which generate new collection requests and push the intelligence cycle forward. Well-written and well-sourced intelligence often reaches new audiences, which drives new requests, and, ultimately, can improve the scope and capability of the collections team.
As FINTEL from an organization reaches a broader audience the planning team may find themselves receiving requests from consumers who are not well versed in the capabilities of the intelligence team. This often means guiding the requests from these users and helping them form actionable tasks.
Although it is important to remember that the customer is always right, sometimes it is the job of the planning and direction team to push the customer toward “rightness.” An example of this is the often-told story of a professor who was working with graduate students to review survey data gathered from the incoming freshman class. As part of the survey the students had to include their student ID number. The professor asked the graduate students to include the mean, median, and mode of the student ID numbers. The graduate students explained that there was no value in the number, but the professor insisted the results be run and included in their report. The point is that not every request is going to make sense. It is important for the planning and direction team to not only understand which requests don’t make sense, but to be able to explain why those requests don’t make sense so as to prevent wasting the time of already overburdened collection and analyst teams.
There are three types of collection requirements: Critical Information Requirements (CIRs), Priority Information Requirements (PIRs), and Requests for Information (RFIs). CIRs are long-term collection requirements that help define the mission. A CIR can last for years and helps to define and refine the intelligence mission. It also guides the creation of other types of intelligence requests.
The second type of requirement, PIRs, are shorter-term requests that fall within the realm of existing CIRs. They are more narrowly focused, usually around a single aspect of a CIR. They help to paint a complete picture without changing the scope of the CIR.
The last type of requirement is the RFI. RFIs are short-term requests that produce quick answers, sometimes not even in the form of FINTEL. They are very narrow in scope, but still must fall in line with existing CIRs.

Types of intelligence

There are three different types of intelligence that an intelligence organization can produce: strategic, operational, and tactical. FINTEL can address all three types of intelligence in a single report, or it may only address a subset of these types, depending on the requirements and available data.
Each intelligence type serves a different purpose and targets a different audience. When traversing the intelligence cycle it is important to understand who the target audience is for a piece of FINTEL and the report must be geared to the audience. In other words, the intelligence needs to be actionable by the target group.
As Figure 2.2 outlines, the different types are hierarchical in nature with strategic intelligence at the top. Strategic intelligence is concerned with long-term trends surrounding threats, or potential threats to an organization. Strategic intelligence is forward thinking and relies heavily on estimation – anticipating future behavior based on past actions or expected capabilities. Effective strategic intelligence requires analysts with deep subject-matter expertise, as well as willingness to understand and adapt to changes in the adversary environment.
Figure 2.2 The intelligence pyramid.
Tactical intelligence is an assessment of the immediate capabilities of an adversary. It focuses on the weaknesses, strengths, and the intentions of an enemy. An honest tactical assessment of an adversary allows those in the field to allocate resources in the most effective manner and engage the adversary at the appropriate time and with the right battle plan.
Operational intelligence is real time, or near real-time intelligence, often derived from technical means, and delivered to ground troops engaged in activity against the adversary. Operational intelligence is immediate, and has a short time to live (TTL). The immediacy of operational intelligence requires that analysts have instant access to the collection systems and be able to put together FINTEL in a high-pressure environment.1
As with the intelligence cycle, the three types of intelligence feed off each other and each has impact on the other types of intelligence. Strategic intelligence drives the requirements for tactical intelligence, which drives the requirements for operational intelligence. A successful operation may change the tactical intelligence picture, and a number of successful operations may change the strategic outlook.

The professional analyst

The importance of the analyst role has been touched on a number of times in this chapter. In an intelligence organization, the analyst is the one who ultimately decides what is and isn’t important to be published as FINTEL. Intelligence failures throughout history have led to many disasters, from losing battles to being taken by complete surprise by major world events. No analyst is perfect, but there are ways that analysts can improve the way they think so as to make more effective decisions with less bias.
A rigorous and disciplined thinking methodology, also known as tradecraft, is a critical linchpin in the intelligence process. But good analysis does not exist in a vacuum. If poor direction drives poor collection systems, leaving analysts with inaccurate or incomplete data, then the analysts will fail. Similarly, if analysts produce FINTEL that is ignored or even squelched by leadership, then it does not serve any purpose. If the leadership within an organization influences the results of the analysis process, it can cause irreparable damage to the reputation of the analysis team or organization, which is worse than ignoring intelligence.
The previous examples all sit outside of the analyst organization and are often outside of the direct control of the analyst team. There are, however, problems directly associated with analyst work; these problems revolve around cognitive bias. A cognitive bias is an error in the processing of information that leads to an incorrect conclusion, a distortion of information, or an illogical determination. All humans suffer from cognitive bias; it would be impossible to get through life without some preconceived notion about how events are going to play out, an ability to anticipate the future. The problem is when those preconceived notions remain intact even when the facts surrounding an event change. Cognitive bias has resulted in disaster for many nations over thousands of years.
In 1977, the CIA famously reported, “…the shah will be an active participant in Iranian life well into the 1980s.” A year later the CIA would also report, “Iran is not in a revolutionary or even a ‘prerevolutionary’ state.” Of course, on January 16, 1979, the Shah of Iran was forced to leave the country and Iran was taken over by religious clerics led by Ayatollah Ruhollah Khomeini (Walton, 2010a).
In fairness to the CIA, no other intelligence agency within the United States picked up on the potential for revolution, despite the fact that protests had been present and growing more vocal for two years prior to the overthrow. This example highlights one of the most dangerous cognitive biases that analysts can succumb to: the paradox of expertise.
The paradox of expertise often impacts the most experienced analysts. Analysts who are experts in a particular field and have spent many years studying a country, group, or individual will often miss or dismiss situational changes because those changes do not fit with the established pattern.
In the case of the Iranian Revolution, the analysts who were monitoring Iran were experts with long successful track records covering activity in Iran, but they were primarily relying on the Shah and his agents in the government and the military for their intelligence. The analysts had little association with the religious leaders or with the population of Iran in general. Because of that limited association, there were very few reports that contradicted what the analysts learned from their sources. What little contradictory reports there were went largely ignored.
Confirmation bias occurs when analysts pay more attention to those indicators that reinforce their beliefs, while discounting those indicators that contradict their beliefs. Confirmation bias is really about the weight assigned to indicators, based solely on whether or not those indicators agree with preconceived notions. For example, if a person is convinced that teenagers today are worse (given some definition of worse) than they were 30 years ago, that person might focus attention on news stories about crimes committed by teenagers and ignore news stories about the overall decline in teen criminal activity. Confirmation bias is especially prevalent in political discussions. Information from entire news outlets can be ignored simply because they are perceived to be too liberal or too conservative.
As with all cognitive biases, confirmation bias is not inherently a bad thing. The ability to judge the reputation of a source and to form a narrative around an event is important. In fact, for analysts this is a critical skill. The danger comes in when an analyst or a group of analysts refuse to give serious consideration to competing hypotheses because those hypotheses don’t fit with the current narrative, rather than accepting that the narrative may be changing (Davis, 2008).
One way to combat confirmation bias is to engage in “devil’s advocacy.” Devil’s advocacy, in its simplest form, is the presentation of alternative hypotheses that offer a different, but plausible, explanation for current events. By forcing someone in the organization to adopt and defend multiple explanations, an organization can more fully explore alternative hypotheses and see if they don’t, perhaps, offer a better explanation. For devil’s advocacy to work, the competing narratives must all make sense and they must be rigorously defended. This type of engagement can help to adjust the narrative, sometimes in small ways, but may uncover a completely new narrative.
Another common cognitive bias that analysts succumb to is coherence bias. Coherence bias, sometimes referred to as mirror imaging, is the assumption that the groups or people being analyzed have the same motivations as the analysts. Coherence bias causes the analyst to assign the analyst’s values to the subject of the analysis, which can cause the analyst to overlook vital information. In the example above, prior to the overthrow of the Shah there were reports that the clerics in Iran were amassing increasing amounts of power and with that power demanding the closure of liquor stores and other activities that they did not approve of for religious reasons. Because the analysts were used to living in a secular society, it was hard to imagine that religious leaders could amass as large a following as was being reported. In hindsight, it was clear the clerics were not only able to attract a large number of followers, but the followers had no qualms about living in a country that was, and still is, ruled by religious leaders.
Speaking of hindsight, hindsight bias is another common cognitive bias that plagues analysts. Of course, it does not just impact analysts; undoubtedly some people reading this section are wondering how the analysts could have been so wrong about the situation in Iran when the coming revolution was obvious.
Hindsight bias is more than simply saying, “How could anyone miss this event?” It often involves memory distortion, a phenomenon wherein memories are actually altered to fit the new narrative, most often expressed with the phrase, “I knew it all along.” Hindsight bias can be dangerous because it makes it hard to provide rigorous methodological analysis to past events in order to learn from those events. No analyst is perfect; when mistakes are made it is important to be able to honestly analyze those mistakes and learn from them for future analysis.
Anchoring bias is another challenge facing analysts. Anchoring bias occurs when the analyst relies too heavily on one aspect of the collected data. In anchoring bias, a single piece of data is weighed more heavily than others. Often it is the first piece of intelligence gathered, but it does not need to be. Anchoring bias is a trap that many young analysts are especially susceptible to, but it doesn’t only affect young analysts. Anchoring bias also affects people in the making of everyday decisions. Car dealerships, for example, rely heavily on customers focusing on the monthly payments versus the overall cost of the car or other features.
In the case of the Iranian Revolution, analysts at the CIA were anchored in their belief that the Shah could handle any troubles that arose. All intelligence gathered indicating the rise of the clerics and continued unrest of the population was viewed through the prism of a strong Shah able to easily handle the minor threats. Again, that turned out not to be true, but because analysts accepted it as fact, that is how they proceeded when producing FINTEL on the situation in Iran.

Denial and deception

As if the job of an intelligence organization is not hard enough, it also has to contend with denial and deception from adversaries. An intelligence organization rarely has a complete picture of the adversary or target. Because of the diminished view, these intelligence organizations rely heavily on indicators – things like troop movements, intercepted communications, and inside information – to produce a complete picture of intelligence.
As mentioned before, intelligence collection does not exist in a vacuum. Adversaries are aware that they are being targeted and will take steps to prevent collection mechanisms or fool those mechanisms.
Denial, as a mechanism, seeks to prevent, or at least degrade, the ability of adversaries to collect information. It generally requires an understanding of the adversaries’ capabilities as well as the ability to subvert those capabilities. Knowing what an adversary is capable of is not effective unless the target can also countermand those capabilities.
Deception involves manipulating collection systems either directly or indirectly. Deception can involve deliberately planting false information within collection systems, but it can also involve planting true but skewed information. The goal of deception is twofold: to spoil the collection systems with tainted information and to sway the thinking of the analysts producing the FINTEL, causing the analysts to engage in one of the many forms of cognitive bias through the release of skewed information (Bruce and Bennett, 2008).
Planting false information does not have to occur only within collection systems. Baiting is another form of deception that involves using lures to attract users in the target organization. For example, an attacker might place thumb drives with the logo of a tobacco company in an area where smokers from the target organization frequently gather. The employees pick up the thumb drives, take them into the office, and plug them into their corporate desktops, not knowing that there is malware loaded on the thumb drive that will self-install upon insertion.
Diluting is another form of deception in a cyber security environment. Dilution is the idea of overwhelming a security team with so many alerts that they do not notice the real attack. This is most often used in the realm of Distributed Denial of Service (DDoS) attacks. A clever attacker will launch a series of DDoS attacks against a target organization, and while the security team is scrambling to deal with the DDoS attacks, the attacker will launch the real attack. A really clever attacker will not even launch the DDoS attack directly; instead the attacker will wait until someone else is launching an attack against the organization the attacker is targeting, or sometimes instigate a group to launch a targeted attack.
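The dilution tactic described above is a detection problem as much as a staffing one: the signal is an alert that does not belong to the flood. The following script is an added example, not code from the chapter, showing one simple triage filter. It buckets alerts by minute, treats a minute where a single category dominates as a flood window, and pulls out every alert in that window that is not part of the flood so it lands in front of an analyst instead of being lost. The log format, field names, thresholds, and the sample alert lines are all constructed for this example.

```python
"""Surface low-volume alerts hidden inside an alert flood ("dilution").

Added example, not from the chapter: a toy SIEM-style triage filter.
The log format (timestamp | source | category | detail), the thresholds,
and the sample lines are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alerts: a SYN-flood storm in minute 10:00 with two
# unrelated alerts buried inside it, then a quiet minute at 10:03.
SAMPLE_ALERTS = """\
2024-03-01T10:00:02 | edge-fw | ddos_syn_flood | 203.0.113.10 -> 192.0.2.5:443
2024-03-01T10:00:03 | edge-fw | ddos_syn_flood | 203.0.113.11 -> 192.0.2.5:443
2024-03-01T10:00:04 | edge-fw | ddos_syn_flood | 203.0.113.12 -> 192.0.2.5:443
2024-03-01T10:00:05 | edge-fw | ddos_syn_flood | 203.0.113.13 -> 192.0.2.5:443
2024-03-01T10:00:07 | edge-fw | ddos_syn_flood | 203.0.113.14 -> 192.0.2.5:443
2024-03-01T10:00:09 | edge-fw | ddos_syn_flood | 203.0.113.15 -> 192.0.2.5:443
2024-03-01T10:00:31 | vpn-gw  | auth_failure   | user jdoe, 5 failures in 60s
2024-03-01T10:00:40 | edge-fw | ddos_syn_flood | 203.0.113.16 -> 192.0.2.5:443
2024-03-01T10:00:44 | edge-fw | ddos_syn_flood | 203.0.113.17 -> 192.0.2.5:443
2024-03-01T10:00:52 | db-srv  | new_admin_user | account svc_backup2 created
2024-03-01T10:00:58 | edge-fw | ddos_syn_flood | 203.0.113.18 -> 192.0.2.5:443
2024-03-01T10:03:10 | edge-fw | ddos_syn_flood | 203.0.113.19 -> 192.0.2.5:443
2024-03-01T10:03:12 | vpn-gw  | auth_failure   | user asmith, 3 failures in 60s
"""


def parse_alert(line):
    """Split one constructed log line into its four fields."""
    ts, source, category, detail = [f.strip() for f in line.split("|", 3)]
    return {"time": datetime.fromisoformat(ts), "source": source,
            "category": category, "detail": detail}


def find_masked_alerts(log_text, flood_threshold=5, dominance=0.8):
    """Return (alert, flood_category) pairs for alerts that fall inside a
    flood window but do not belong to the flood.

    A minute is a flood window when it holds at least `flood_threshold`
    alerts and one category accounts for at least `dominance` of them.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            alert = parse_alert(line)
            minute = alert["time"].replace(second=0, microsecond=0)
            buckets[minute].append(alert)

    masked = []
    for minute in sorted(buckets):
        alerts = buckets[minute]
        if len(alerts) < flood_threshold:
            continue                       # quiet minute: normal triage applies
        counts = Counter(a["category"] for a in alerts)
        top_category, top_count = counts.most_common(1)[0]
        if top_count / len(alerts) < dominance:
            continue                       # busy, but no single category dominates
        # Everything that is *not* the flood is what the flood may be hiding.
        masked.extend((a, top_category) for a in alerts
                      if a["category"] != top_category)
    return masked


if __name__ == "__main__":
    for alert, flood in find_masked_alerts(SAMPLE_ALERTS):
        print(f"[review] {alert['time']} {alert['source']} {alert['category']}: "
              f"{alert['detail']}  (seen during {flood} storm)")
```

Run against the sample, the filter reports the VPN authentication failures and the new administrator account created during the SYN-flood storm, and says nothing about the quiet minute at 10:03. The thresholds are deliberately crude; in practice they would be tuned per alert source, but the principle stands: during a flood, the rare alert deserves more attention, not less.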
Denial and deception (D&D) are powerful tools in the hands of a target and can lead to costly intelligence failures. D&D campaigns are also problematic because, if they are done correctly, they are difficult to detect. Almost all of the time analysts only have a limited view of activity within a target. Taking that limited view and distorting it or denying access to important facts can go unnoticed. To that end, analysts must be cognizant of what they do not know and provide an accurate accounting of the gaps in their knowledge.
One of the largest and most successful D&D campaigns in history was Operation Fortitude, the campaign launched by the Allies to hide the D-Day assault against Germany that helped bring an end to World War II. It is hard to overstate the impressiveness of Operation Fortitude. The idea that the Allies were able to disguise the 156,000-troop assault on five beachheads at Normandy the morning of June 6, 1944 from the Germans until it was too late is a topic that is still written about.2
Operation Fortitude was divided into two parts: Fortitude North and Fortitude South. In its simplest form, the goal of Fortitude North was to convince the Germans that the Allies were attacking Norway, while the goal of Fortitude South was to convince Germany that the Allies were going to launch an attack against Pas-de-Calais, France.
How these operations were carried out was anything but simple. To succeed, the Allies deployed a number of deceptions, including the use of double agents and fake troop deployments, which included dummy inflatable troops, sending radio transmissions with false information, and increasing radio activity in the targeted deception regions. All of this was coupled with the fact that the Bletchley Park team in London had access to a working replica of the German Enigma cipher machine. Consequently, the Allies were able to monitor the effectiveness of their deception campaign and adjust accordingly, something very rare in intelligence circles. In addition to the incredible work of the Allies, Operation Fortitude benefited from the “incompetence” (Erskine and Smith, 2011) of the Abwehr, the German Intelligence Service. Because of infighting with other intelligence groups and a lack of resources, the Abwehr was particularly susceptible to D&D-style campaigns.
Today, the use of mathematics in encryption is a given; that was not the case in the 1930s. Although the team at Bletchley Park deserves all the praise that can be delivered to them for the amazing work they did during World War II, it was actually the Polish and the French who cracked the Enigma cipher.
In 1932, Poland, concerned about Germany’s rise to power, recruited a team of mathematicians to attempt to break the Enigma cipher. They were given a commercial copy of the Enigma machine and tried to reverse engineer the cipher. They were able to do so, but did not know how the wiring was different from the wiring in the Enigma machines designed for the German army.
That’s where France came in. The French were able to acquire the operating instructions for the German army version of the Enigma as well as two sheets of monthly key settings. Combining the French intelligence with the brilliant work of the Polish mathematicians, the Polish intelligence service was able to break the code.
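To make concrete why the Polish team was stuck on the wiring even after reverse engineering the commercial machine, and why the French key sheets only became useful once the wiring was known, here is a deliberately simplified rotor machine. It is an added example, not code from the chapter: one stepping rotor plus a reflector, with no plugboard, ring settings or additional rotors. The string labelled as the military rotor is the wiring commonly published for Wehrmacht rotor I; the commercial rotor is an arbitrary permutation constructed here purely so that the two differ, and the plaintext and start position are made up for the example.

```python
"""Why rotor wiring mattered: a toy one-rotor Enigma-style machine.

Added example, not from the chapter. Simplified on purpose: a single
stepping rotor and a reflector. MILITARY_ROTOR is the wiring commonly
published for Wehrmacht rotor I; COMMERCIAL_ROTOR is a permutation
constructed here (not historical) so the two machines differ.
"""
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

MILITARY_ROTOR = "EKMFLGDQVZNTOWYHXUSPAIBRCJ"
COMMERCIAL_ROTOR = "JGDQOXUSCAMIFRVTPNEWKBLZYH"   # constructed for this example


def _build_reflector(pairs):
    """Build a fixed-point-free involution from 13 letter pairs."""
    table = {}
    for a, b in pairs.split():
        table[a], table[b] = b, a
    return "".join(table[c] for c in ALPHABET)


REFLECTOR = _build_reflector("AY BR CU DH EQ FS GL IP JX KN MO TZ VW")

for _wiring in (MILITARY_ROTOR, COMMERCIAL_ROTOR, REFLECTOR):
    assert sorted(_wiring) == list(ALPHABET), "wiring must be a permutation"


class ToyRotorMachine:
    """One stepping rotor plus a reflector; encryption is its own inverse."""

    def __init__(self, rotor, reflector, start_position):
        self.rotor = rotor
        self.reflector = reflector
        self.position = start_position % 26   # the setting an operator dials in

    def _press_key(self, letter):
        self.position = (self.position + 1) % 26   # rotor steps before each letter
        idx = ALPHABET.index
        # Entry contact -> rotor (forward), with the rotor's current offset.
        i = (idx(letter) + self.position) % 26
        j = (idx(self.rotor[i]) - self.position) % 26
        # Reflector sends the signal back.
        k = idx(self.reflector[j])
        # Rotor again, now in the inverse direction.
        m = (k + self.position) % 26
        n = (self.rotor.index(ALPHABET[m]) - self.position) % 26
        return ALPHABET[n]

    def run(self, text):
        return "".join(self._press_key(c) for c in text.upper() if c in ALPHABET)


def demonstrate(plaintext="WEATHERREPORTNORMANDY", key_setting=3):
    """Encrypt with military wiring, then decrypt with the right key but
    (a) the wrong (commercial) wiring and (b) the right wiring."""
    ciphertext = ToyRotorMachine(MILITARY_ROTOR, REFLECTOR, key_setting).run(plaintext)
    wrong_wiring = ToyRotorMachine(COMMERCIAL_ROTOR, REFLECTOR, key_setting).run(ciphertext)
    right_wiring = ToyRotorMachine(MILITARY_ROTOR, REFLECTOR, key_setting).run(ciphertext)
    return ciphertext, wrong_wiring, right_wiring


if __name__ == "__main__":
    c, wrong, right = demonstrate()
    print("ciphertext           :", c)
    print("key ok, wiring wrong :", wrong)
    print("key ok, wiring right :", right)
```

The reciprocal property of the reflector design is what makes the same machine and setting both encrypt and decrypt. Knowing the key setting alone (the part the French key sheets supplied) still produces noise when the rotor wiring is wrong; knowing the wiring alone still leaves the daily setting to be found. Only the combination the Poles assembled, reverse-engineered wiring plus captured settings, turns ciphertext back into the message.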
D&D are critical tools in the arsenal of organizations that are being targeted. It is important for organizations to understand how to use D&D effectively, while at the same time having the resources in place to recognize when they are themselves the target of a D&D campaign.

Intelligence throughout the ages

Intelligence as an independent discipline is a relatively new phenomenon, but intelligence has existed for as long as there has been conflict between tribes of early humans. Without knowing it, some of the most famous early leaders laid out principles of intelligence that are still in use today. Before moving into the realm of cyber threat intelligence, it is important to take a look at some of the lessons from history.

Sun Tzu

No single person has had a bigger impact on the intelligence discipline than Sun Tzu. It is rare to find an intelligence professional who does not have a copy of The Art of War, and many can quote directly from it. There is a lot of disagreement surrounding the life of Sun Tzu, but most scholars believe he lived in the fifth century BCE and served as a general to the king of the Wu kingdom. The Art of War is believed to be a compendium of his thoughts on war based on his successes as a general. However, there is some debate as to whether The Art of War is solely the work of Sun Tzu or a compilation of work from many different authors.
Irrespective of the origins of The Art of War, in the book Sun Tzu lays out many strategy and intelligence ideas still followed today. According to Sun Tzu (2012b) there are five aspects to a military campaign:

The art of war, then, is governed by the five constant factors, to be taken into account in one’s deliberations, when seeking to determine the conditions obtaining in the field.

These are: (1) The Moral Law; (2) Heaven; (3) Earth; (4) The Commander; (5) Method and discipline.

When Sun Tzu referred to the Moral Law he was talking about politics: ensuring that the kingdom was unified behind the campaign. Sun Tzu knew that even in a kingdom ruled by an absolute king, a war had little chance of success without public support. The people of the kingdom must have confidence that their leaders can wage war effectively, and therefore be willing to accept the dangers and sacrifice that war entails.
Heaven and Earth refer to weather and land. It is important to fully understand the weather patterns of the area a general plans to attack. The German attempt to push toward Moscow over the winter of 1941–1942 is often seen as a prime example of not understanding weather patterns. The German army was simply not equipped to handle a Russian winter and they suffered greatly because of the leaders’ poor planning. It is just as important to understand the terrain that the army will need to traverse. Not only the distance to the enemy forces, but what the terrain looks like. Is it mountainous? Are there valleys? Will troops have to trudge through swampland? Is it wide-open space, or are there places for troops to easily hide? These are all questions a general must ask, and know the answers to, before engaging in battle.
The commander refers to the person leading the troops into battle. According to Sun Tzu, the commander must be wise, benevolent, sincere, courageous and strict. But it is more than that; Sun Tzu makes a specific distinction between the ruler and the commander and encourages the ruler not to interfere, saying:

He will win who has military capacity and is not interfered with by the sovereign.

The ruler is the one who engages in strategy, who is the voice of and to the people, and who makes the decisions, for the most part, about whom to attack. It is the commander who is responsible for tactics. The commander ensures that the troops are in the right frame of mind, understands the strengths and weaknesses of the enemy, and plans the battle.
Finally, method and discipline describe the operations side of war. Commanders must ensure that the army is fed, that supply channels are kept clear, that supplies are properly distributed, that promotions and punishments are delivered, and all of the other issues involved in maintaining a well-run military. A well-maintained and disciplined army has a much better chance of succeeding in battle than does a poorly maintained and disciplined one.
Sun Tzu also recognized the importance of D&D in campaigns, writing:

All warfare is based on deception.

Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

These tactics are still in use today by military commanders and intelligence organizations around the world. Sun Tzu also focused on the other side of intelligence gathering: using indicators to detect enemy movements. With passages like:

The rising of birds in their flight is the sign of an ambuscade. Startled beasts indicate that a sudden attack is coming.

Sun Tzu was helping commanders look at ways to determine the location of the enemy without being able to see them.
Sun Tzu also encouraged the use of spies in warfare, writing:

Thus, what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge.

Hence it is only the enlightened ruler and the wise general who will use the highest intelligence of his army for the purposes of spying and thereby they achieve great results. Spies are a most important element in war, because on them depends an army’s ability to move.

Sun Tzu devotes an entire section to the discussion of spies, including recommending when to use spies, how to recruit local spies, how to convert enemy spies and delivering false information to known spies.
The Art of War is a short book (less than 60 pages) and an easy read. It is a worthwhile read and useful to think about how the steps outlined by Sun Tzu more than 2500 years ago are still relevant today.

Julius Caesar

Julius Caesar is, without question, one of the greatest military leaders in the history of the world. His successes, combined with his tactical skill and decisiveness, have made him one of the most written about and studied military leaders in history. Although there is no denying that Caesar owes much of his success to the strength of the Roman army, at the time the largest professional army the world had ever seen, in his writings he also attributed his success to intelligence gathering.
In his account of the Gallic war, Commentaries on the Gallic War, Caesar (1869) outlined his use of intelligence to better prepare for war with the different regions within Gaul.

Caesar, immediately learning this through his scouts, [but] fearing an ambuscade, because he had not yet discovered for what reason they were departing, kept his army and cavalry within the camp. At daybreak, the intelligence having been confirmed by the scouts, he sent forward his cavalry to harass their rear.

Caesar was cautious: he confirmed his intelligence through multiple sources whenever possible, and did not act until he was sure he had all of the information. Commentaries on the Gallic War is full of anecdotes of receiving reports from scouts and of attempts to recruit spies from within the territories he was attempting to conquer.
Caesar instilled the importance of tradecraft in his subordinates. As with today’s intelligence agencies, it was not enough simply to collect information. For data to be considered intelligence it had to meet certain standards; Caesar emphasized the importance of weighing sources and understanding which information was trustworthy and which was not.
Caesar also used code to mask his communications. When communicating with Cicero during a war with Nervii, Caesar wrote:

Then with great rewards he induces a certain man of the Gallic horse to convey a letter to Cicero. This he sends written in Greek characters, lest the letter being intercepted, our measures should be discovered by the enemy. He directs him, if he should be unable to enter, to throw his spear with the letter fastened to the thong, inside the fortifications of the camp.

By communicating in Greek, Caesar was able to mask his communication. Sheldon postulates that Caesar also used a monoalphabetic cipher in communication. This means the communiqué would have been translated into Greek and then encoded on top of that (Sheldon, 2005).
Caesar also ran a network of spies within Rome, knowing that understanding what was happening within the city was just as important as what was going on in other countries. Unfortunately for Caesar, he did not receive the most important piece of intelligence in time. Caesar’s network of spies within Rome had collected a list of conspirators against him within the Roman government. Caesar had the list, but had not read it when he was assassinated.
One final intelligence lesson that can be learned from Caesar is that intelligence has a limited TTL. For intelligence to be effective, it must not only be produced and disseminated in a timely fashion, it also has to be read and acted on by the intelligence consumer. If any of these criteria is not met, then even the most important piece of intelligence is rendered useless.

George Washington

By the time the Revolutionary War started George Washington was no stranger to intelligence. He had served as a scout during the French and Indian War; therefore he was familiar with the benefits of a strong intelligence program. Washington took the lessons he learned during the French and Indian War to establish intelligence capabilities during the Revolutionary War (Walton, 2010b). In fact, Washington set up such a formalized system for intelligence collection and dissemination that he is known as the first Director of Central Intelligence.
Washington relied on intelligence out of necessity. He was facing a larger, well-trained force in his fight against the British and he knew he would need every advantage he could get. His network of spies throughout the colonies was useful not only for tracking the movement of British troops, but also as a conduit for feeding the British false information. Washington used his spies to run a number of successful D&D operations against the British.
The most famous spy network created by Washington was the Culper Spy Ring in New York. While Washington oversaw all intelligence activity during the Revolutionary War, he appointed Major Benjamin Tallmadge as the director of Military Intelligence in New York and instructed him to recruit spies. Tallmadge built a network of more than 20 spies in New York, which became known as the Culper Ring. With Tallmadge serving as their case officer, the agents in the Culper Ring reported to Tallmadge only; they did not know each other and they did not communicate with Washington. In fact, Washington did not know who the members of the Culper Ring were. Tallmadge, like Washington, used code names to identify members of the Culper Ring; he never used their real names in correspondence.
Washington and Tallmadge communicated using a simple code, and each leader had a codebook. The code was a numeric substitution cipher wherein common words were replaced with numbers: for example, ally was replaced with 25, general with 235, and remittance with 579. There was also a facility to write out words that were not included in the original code using a numerical cipher (Allen, 2004).
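Both of the schemes described in this chapter, Caesar's monoalphabetic cipher layered over a change of language and the Culper Ring's numeric codebook with a spelled-out fallback, are substitution systems, and they share the same weakness: the same plaintext unit always produces the same ciphertext unit, so anyone who collects enough traffic can count tokens and recover structure. The following is an added example written for this chapter, not code from the book or a reconstruction of the real Culper code. The three codebook entries (ally 25, general 235, remittance 579) are the ones quoted in the text; every other codebook entry, the numeric alphabet starting at 600, and the function names (`encode`, `decode`, `most_common_token`, `substitution_table`, `compose`, `apply_table`) are constructed for illustration.

```python
"""Codebook substitution with a numeric fallback, plus two checks that show
why such systems leak information to a collector who watches traffic.

Added example for this chapter; not the historical Culper code.
"""
import random
import string
from collections import Counter

# Codebook: the three entries cited in the chapter; the rest are constructed.
CODEBOOK = {
    "ally": 25, "general": 235, "remittance": 579,   # from the text
    "attack": 31, "fleet": 92, "tomorrow": 113,      # constructed
}
REVERSE_CODEBOOK = {num: word for word, num in CODEBOOK.items()}

# Fallback numeric alphabet for words absent from the codebook (constructed;
# kept above every codebook number so tokens decode unambiguously).
LETTER_BASE = 600
LETTER_CODE = {c: LETTER_BASE + i for i, c in enumerate(string.ascii_lowercase)}
CODE_LETTER = {num: c for c, num in LETTER_CODE.items()}


def encode(plaintext):
    """Replace each codebook word with its number; spell out everything else
    letter by letter, joining the letter codes with '-'."""
    tokens = []
    for word in plaintext.lower().split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        if word in CODEBOOK:
            tokens.append(str(CODEBOOK[word]))
        else:
            tokens.append("-".join(str(LETTER_CODE[c]) for c in word if c in LETTER_CODE))
    return " ".join(tokens)


def decode(ciphertext):
    """Inverse of encode(): numbers below LETTER_BASE are codebook words,
    anything else is a run of letter codes."""
    words = []
    for token in ciphertext.split():
        if "-" in token or int(token) >= LETTER_BASE:
            words.append("".join(CODE_LETTER[int(n)] for n in token.split("-")))
        else:
            words.append(REVERSE_CODEBOOK[int(token)])
    return " ".join(words)


def most_common_token(encoded_messages):
    """A deterministic substitution maps a given word to the same token every
    time, so token counts over a batch of intercepted messages mirror the
    word counts of the plaintext. Returns (token, count)."""
    counts = Counter(tok for msg in encoded_messages for tok in msg.split())
    return counts.most_common(1)[0]


def substitution_table(seed):
    """A random monoalphabetic substitution over a-z (seeded for repeatability)."""
    rng = random.Random(seed)
    letters = list(string.ascii_lowercase)
    shuffled = letters[:]
    rng.shuffle(shuffled)
    return dict(zip(letters, shuffled))


def apply_table(table, text):
    """Apply a letter substitution; non-letters pass through unchanged."""
    return "".join(table.get(c, c) for c in text.lower())


def compose(first, second):
    """Applying 'first' and then 'second' is itself one monoalphabetic
    substitution, which is why stacking two such layers (as Sheldon suggests
    Caesar did with Greek plus a cipher) adds no resistance to frequency
    analysis."""
    return {c: second[first[c]] for c in first}


if __name__ == "__main__":
    msg = "The general will attack tomorrow."
    coded = encode(msg)
    print(coded, "->", decode(coded))
    batch = [encode(m) for m in ["general orders the fleet",
                                 "the general and the fleet", "general general"]]
    print("most frequent token:", most_common_token(batch))
```

The `most_common_token` check is the defender's view of a codebook: if one token dominates collected traffic, an analyst can guess it stands for a frequent word (here "general") without ever seeing the codebook, which is why modern systems rotate keys and avoid deterministic mappings. The `compose` check makes the second point concrete: two chained monoalphabetic layers collapse to a single substitution table, so the combined ciphertext has exactly the letter-frequency profile of one layer.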
One reason why Washington was so successful is that he knew the right questions to ask. Washington’s questions were insightful and detailed, and he would ask follow-up questions as needed. This level of specificity is critical to deriving effective intelligence and is an area in which intelligence consumers often fall short. Intelligence queries follow the old programming adage “garbage in, garbage out”: if the right questions are not asked, it is impossible to get the right answer. It becomes incumbent on intelligence professionals to coach the consumers of intelligence to ask the right questions.
Although Washington did believe in the power of intelligence, he never established a formal counterintelligence program, nor did he centralize counterintelligence activities. Instead, he left this to the local commanders who were better equipped to not only gather intelligence through open sources (e.g. innkeepers and the like) but also were better able to identify loyalists and sympathizers to the crown in their own locales. Washington also created the Committee on Detecting and Defeating Conspiracies to close the channels of intelligence in New York, a place rife with Tory spies. John Jay was the first head of the Committee, which became the first counterespionage service in the United States. John Jay later became Chief Justice of the Supreme Court of the United States and was named the father of American counterintelligence by the CIA in 1997.
Washington established a professional intelligence organization that practiced rigorous tradecraft and distributed information on a need-to-know basis. Many of the techniques and methods used by Washington, though primitive, are still used by intelligence agencies today.

Bletchley Park

It is not hyperbole to say that without Bletchley Park, it is likely that World War II would have ended very differently. Winston Churchill famously said, “It was thanks to Ultra that we won the war.” Bletchley Park’s influence did not stop with World War II. The team at Bletchley Park has had a profound influence on intelligence agencies around the world, and the American intelligence system is still modeled after the team at Bletchley Park. In addition to policy, Bletchley Park has had great influence over the development of technology around the world for the last 70 years. During World War II, the goal of the team at Bletchley Park was to intercept and decode messages from the Axis forces. The team at Bletchley Park not only needed to intercept and transcribe messages, they also needed to break the cipher that the Axis powers were using and get the data into the hands of consumers around the world in a timely manner.
They did this with stunning success. Their successes included breaking the Enigma cipher machine code and keeping the fact that the code had been broken a secret. Colossus, the world’s first electronic computer, was also developed at Bletchley Park during World War II.
In the beginning, recruits to Bletchley Park had no idea what type of activity they would be engaging in and different teams were assigned to “huts,” so that only a few people understood the entire operation (Hinsley and Stripp, 1993).
The process of intercepting transmissions, deciphering them and disseminating the data was given the codename Ultra. At its peak, the team at Bletchley Park was 8000 strong, about 80% of them women, and was deciphering about 4000 messages each day.
One of the biggest challenges faced by those at Bletchley Park was dissemination of information. There were a number of campaigns, such as the German offensive at Ardennes, that could have been dealt with more effectively had the intelligence gathered through Ultra been considered. Because the scope and nature of this type of collection was new to many Allied commanders, it was not always given the prominence it should have been in the analysts’ production of FINTEL.
Commanders who were used to more traditional types of intelligence collection sources had an anchoring bias to those sources and gave them more weight. Fortunately, there were many Allied commanders who did not have this bias and those commanders were able to use data collected at Bletchley Park to launch more effective campaigns.
An early success of Ultra occurred in February 1941. Because of early decryption of Italian army ciphers, Ultra was able to provide information that led to the defeat of the Italian army in North Africa. In March 1941, through intercepts collected and decrypted from Italian and German traffic, the British navy knew that the Italians intended to attack convoys. The British turned the convoys around and launched an attack against the Italian navy in the Battle of Cape Matapan. Thanks, in part, to the capabilities of Ultra, the British defeated the Italians and maintained control of the Mediterranean Sea.

Conclusion

The next chapter will start the focus on cyber threat intelligence, but it is important to understand that cyber threat intelligence is not an entirely new field. Instead, it is a field that builds on the thousands of years of accumulated wisdom surrounding intelligence. Many of the things Sun Tzu said about military intelligence 2500 years ago are relevant today both in traditional intelligence organizations and in cyber intelligence organizations.
Just as the leaders in Bletchley Park opened new avenues in intelligence collection, while still applying good tradecraft and adhering to the intelligence cycle, today’s cyber threat intelligence teams are breaking new ground. The goal for these teams should be to continue to expand the realm of intelligence while drawing from history and adopting the best practices of a strong and successful intelligence organization.

References

Allen TB. George Washington, Spymaster: How the Americans Outspied the British and Won the Revolutionary War. Washington, DC: National Geographic Society; 2004

Bruce JB, Bennett M. Foreign denial and deception: analytical imperatives. In: George RZ, Bruce JB, eds. Analyzing Intelligence: Origins, Obstacles, and Innovations. Washington, DC: Georgetown University Press; 2008

Caesar, J., 1869. Commentaries on the Gallic War Book II (W.A. McDevitte and W.S. Bohn, Trans.). Harper, New York.

Central Intelligence Agency (CIA), Office of Public Affairs. A Consumer’s Guide to Intelligence. Washington, DC: Central Intelligence Agency; 1999:p. vii

Davis J. Why bad things happen to good analysts. In: George RZ, Bruce JB, eds. Analyzing Intelligence: Origins, Obstacles, and Innovations. Washington, DC: Georgetown University Press; 2008

Department of Defense (DOD), 2014. DOD dictionary of military and associated terms “intelligence”. <http://www.dtic.mil/doctrine/dod_dictionary/data/i/4850.html> (accessed 15.06.14.).

Erskine R, Smith M, eds. The Bletchley Park Codebreakers (Dialogue Espionage Classics). London: Biteback Publishing; 2011

Federal Bureau of Investigation (FBI), Directorate of Intelligence, 2014. Intelligence defined. <http://www.fbi.gov/about-us/intelligence/defined> (accessed 16.07.14.).

Gill P, Phythian M. Intelligence in an Insecure World. second ed. New York: Polity; 2012:p. 7

Hinsley FH, Stripp A, eds. Codebreakers: The Inside Story of Bletchley Park. New York: Oxford University Press; 1993

Sheldon RM. Intelligence Activities in Ancient Rome: Trust in the Gods But Verify. New York: Routledge; 2005:p. 126

Tzu S. The Art of War, (Lionel Giles, Trans.). New York: Polity; 2012:p. 11

Tzu S. The Art of War (Lionel Giles, Trans.). New York: Polity; 2012:p. 3

Walton T. The fall of the shah. Challenges in Intelligence Analysis: Lessons from 1300 BCE to the Present. New York: Cambridge University Press; 2010:pp. 183-187

Walton T. George Washington. Challenges in Intelligence Analysis: Lessons from 1300 BCE to the Present. New York: Cambridge University Press; 2010:pp. 55-59

Warner, M., 2007. Wanted: a definition of “intelligence”: understanding our craft. <https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol46no3/article02.html> (accessed 16.07.14.).


1 For additional reading on the different types of intelligence check out George, R.Z., Bruce, J.B. (Eds.), 2008. Analyzing Intelligence: Origins, Obstacles, and Innovations. Georgetown University Press, Washington, DC.

2 For a more detailed account, see Levine, J., 2011. Operation Fortitude: The Story of the Spies and the Spy Operation that Saved D-Day. Lyons Press, Guilford, CT.
