The importance of the intelligence cycle in any kind of investigation cannot be understated and it should be understood by information security researchers involved in OSINT investigations.
The real difference between intelligence analysts in various fields is their expertise, focus, statutory powers, and access to diverse classifications of information. Generally, the tools of the trade and associated budget increase with priorities and the perceived importance of the target. Clearly, the CIA has a range of resources and access to classified information the average OSINT(i) investigator or law enforcement intelligence analyst only dreams of.
This shouldn’t trivialise the work undertaken by effective OSINT investigators, cyber intelligence analysts, support staff or other intelligence officers. Even the CIA would not be as effective without access to work done by these researchers in addition to their own OSINT capabilities. Look at the importance of OSINT investigators in the current climate of securing infrastructure or combating the theft of corporate secrets. Everything is connected, and you never know when information that may appear trivial can lead to something greater.
Practical Use Of The Intelligence Cycle
There are numerous definitions of the intelligence cycle and its use during OSINT-led cyber investigations, so instead of rehashing, I will focus on a simple real-life example. The instance involves the practical application of parts of the intelligence cycle in an early law enforcement environment, but the concept is applicable to budding OSINT investigators. I highly recommend reading a series of excellent articles on this site by Sinwindie, beginning with The OSINT Intelligence Cycle Part 1 for detailed advice from a cyber intelligence analyst.
During the early days of introducing the intelligence concept to mainstream police, it was refreshing to receive a visit from a bright and dedicated officer named Julia(ii). Julia had recently graduated from the academy and was displaying a capable enthusiasm sometimes missing in the recruiting process at the time.
While attending a domestic violence disturbance Julia had spoken to a woman, who had been abused by her partner and during the interview, she obtained detailed particulars of the suspect. Many early police computer systems were not designed to effectively record all relevant information, so huge amounts of important data fell through the cracks or were lost among the noise of basic offence details. I was using a new advanced computer system designed to securely store intelligence for serious criminal offences, so it piqued my interest when Julia mentioned the victim’s partner was planning to commit bank hold-ups in the future. There was no evidence of a planning phase for a crime, but the tenacious and resourceful young officer was determined, so she completed an intel report as advised and I processed it accordingly.
Approximately six months later I was appointed to the ego Squad, aka the armed holdup division, this time trying to convince the supposedly elite crime fighters of the value of sharing closely guarded secrets with the resident intelligence analyst. Luckily, some of the team members remembered calling upon me for help during violent situations in an earlier police role before I swapped barbells for keyboards. Consequently, members of the division were split on whether to trust the new intel analyst, or whether the whole idea was a waste of time. Fortunately, the head of the team, Cedric, was smart, educated, and aware of the value of quality intelligence analysis. Unfortunately for me, this led to the frustration of the self-appointed (in his own mind) squad leader, Fred.
Only a few weeks after starting in the armed robbery team there was a report of a bank hold-up just over the state border and the registration number of the vehicle was spotted. Knowing that most bank robbers used stolen vehicles as getaway cars I quickly entered the registration number into the intelligence system to see what I could find. I anticipated this to be the first of a protracted process of a myriad of searches and hard work, a practice all too familiar to OSINT investigators.
The intelligence system revealed a wealth of information, like a restricted Facebook for intel officers, and surprisingly, the author of the intel report was Julia from the start of this article. The intelligence officer who had entered the record was me in my previous intel position! A lot of the early intel officers did not believe in menial tasks like data entry, but it was a crucial function in the intelligence process. Links and relationships to vehicles, property, and assets, in addition to reliability and classification of information and other factors, had to be entered manually, so many intel officers avoided this duty. I was also part of a small user group set up to provide direction and improvement to this state database, so I was fully aware of its ability. Later, intelligence officers were appointed administrative assistants for data entry and other functions as offices expanded.
I became excited over the potential to prove the worth of intel (and especially me) in the ego squad and I thought, “shit, has this idiot used his own car in the bank hold up?” After numerous routine checks, which led to dead ends, I gave the super cops the address after about 15 minutes of frantic work. The address was the one given by the domestic violence victim to Julia and was only recorded on the intel system. The boss of the division turned to the disbeliever and said, “I told you it worked!”
There was still the likelihood that the address was unreliable, but it was the only lead available, especially during urgent circumstances. The boys looked at each other while grabbing their shotguns and car keys, with expressions of “surely it can’t be that easy?” It was that easy, as the cops were waiting in the armed robber’s driveway when he drove home with ninety grand stashed under his seat and wisely did not put up a fight. Unfortunately, it wasn’t this easy for me during the ongoing ego wars within the division…but that’s another story.
The Intelligence Cycle
The above example was used in intelligence courses to demonstrate the process to officers in training. The definition of the intelligence cycle has many variations, but it was at one point: collection, evaluation, collation, analysis, and dissemination of information. Collection and collation can be merged, as they are largely synonymous(iii). The cycle can be seen in this simple example and experienced intelligence analysts and OSINT investigators largely use the modern version of this procedure automatically. Sinwindie describes (via his series of articles mentioned earlier) the cycle as: Planning and direction, collection, processing raw intelligence and, analysis and production.(iv)
I prefer to keep the evaluation part of the cycle because the foundations of intelligence become dubious if this step is overlooked. The most unsuccessful operation I ever supported was based on a “reliable informant” known to a high-ranking detective. Regrettably, this officer turned out to be crooked(v) and was probably using his informant to punish others through the police raids. This cop was so confident, he played many games throughout his untouchable and lucrative career.
I will use the old intelligence cycle definition to crudely demonstrate the process used in the example described above. Note, the effective field officer completes a mini-intelligence cycle when collecting the initial information prior to distribution to the intelligence analyst, whether they are aware of it or not. Therefore, the intelligence cycle is usually primarily a team effort, unless the intel analyst completes their own surveillance or informant interviews. Even when an intelligence analyst performs all the functions of an operation there are others behind any open source or restricted information obtained.
1. collection – The suspects details were collected by a diligent officer during a routine domestic dispute. Many officers may disregard the information or record it ineffectually
2. evaluation – the information was evaluated to assess its importance and reliability then classified appropriately by the officer and later verified by the intelligence analyst
3. collation – the information was recorded by the officer then organised by the intelligence analyst
4. analysis – the data was analysed to determine its value in relation to combating serious and/or organised crime and recorded properly (for future dissemination)
5. dissemination – the address of the suspect was given to the officers in a timely manner to assist the investigation of a serious crime.(vi)
It should be noted that the analysis phase prior to dissemination was expedited due to the urgency of the request and trust in prior analysis was obviously high due to it being my own work. In practice each analyst has their own style and informants’ reliability and motivation differ. A good analyst should be able to make a reasonable judgment on the accuracy of the information after viewing all available supporting data. Regardless of these variables, I found time and time again, that methodically processing data from all angles was a time-tested formula that resulted in targeting and supporting numerous arrests of key criminals.
In this instance the planning phase, from the modern definition of the intelligence cycle, was undertaken within the general objectives of the intelligence office unless a specific operation was commenced. In this simple example, the production phase is limited to the original report by the officer and the recording of the information after input from other processes.
During specific operations, production could include complex tactical or strategic assessments, link diagrams and other material delivered during the dissemination phase of the cycle, sometimes via briefings to large groups. The use of the intelligence cycle may also be a simple request by an officer to “find out what they have on target X” in an internal email request. The cycle is still used but, on a basis limited to the priority of the request while considering the overall workload. I envisage OSINT investigators use similar processes during their investigations and I suggest looking at the excellent work by Sinwindie again.
As for Julia, she later became a successful detective and intelligence analyst who contributed greatly to the state. Sadly, she confided in me about being persistently harassed by several males in her team. During this time, she broke down crying, saying she finally reported it to a (male) superior officer and “surprisingly”, nothing was done. She later resigned but not before her angry groom had an altercation with one of the police at her wedding. Ironically, Fred’s demise in later years came from his own domestic violence offence where he was eventually booted out of the force.
This is a simple example of the practical application of an important procedure which many police and OSINT investigators take for granted during their day-to-day activities. Investigators fortunate to be involved in this and similar types of work can potentially assist or be primarily responsible for numerous impactful investigations, hopefully without the bent cops, harassment, and bad weddings.
(i) OSINT (open-source intelligence) is the process of collecting information from sources available to the public to assist in the production of intelligence relevant to a specific investigation.
(ii) The name of the officer has been changed to protect her privacy and the police terminology used during this example has been obfuscated to avoid narrowing down the location. The names of the other officers have also been changed.
(iii) The intelligence process must include feedback to be more effective and evaluation is also sometimes described in this part of the cycle as per the following publication: Rethinking the intelligence cycle for the private sector
(iv) The U.S. intelligence careers government website has a similar description: How intelligence works and an article on the FBI law enforcement bulletin website by a supervisory intelligence analyst at the FBI Academy describes an alternative definition of the intelligence cycle: Intelligence-Led Policing for Law Enforcement Managers
(vi) Requests for access to intelligence should be accompanied by official requests outlining the relevancy of the information to the investigation.