Review of Confronting the Evolving Global Security Landscape: Lessons from the Past and Present

Max G. Manwaring, PhD, is a retired professor of military strategy at the Strategic Studies Institute of the U.S. Army War College (USAWC), where he has held the General Douglas MacArthur Chair of Research. His recent publication Confronting the Evolving Global Security Landscape: Lessons from the Past and Present shares theories that are grounded in empirical research and informed by case studies. These theories describe the complexity of modern-day threats to the security of nations and of the global system as a whole, rather than relying on dated theoretical frameworks.

How to Understand the Current Moment

The present-day global security situation is characterized by an unconventional spectrum of conflict that no one from the traditional Westphalian school of thought would recognize or be comfortable with. In addition to conventional attrition war conducted by the easily recognized military forces of another nation-state, we see something considerably more complex and ambiguous. Regardless of any given politically correct term for war or conflict, all state and nonstate actors involved in any kind of conflict are engaged in one common political act – that is, war. The intent is to control and/or radically change a government and to institutionalize the acceptance of the aggressor’s objectives and values. It is important to remember that these “new” actors and “new” types of battlefields are being ignored or, alternatively, are considered too complicated and ambiguous to deal with. Yet they seriously threaten the security, stability, development, and well-being of all parts of the global community.

Change and Development within the Inter/National Security Concept

Stability is a concept that has sometimes been confused with security. Often these terms are used synonymously and are defined as the protection of territory and people. Threats against stability/security include direct military threats as well as offensive/defensive aggression supported by propaganda, information, moral warfare, and a combination of other types of conflict that might include, but are not limited to, psychological war, financial war, trade war, cyber war, diplomatic war, narco-criminal-war, and guerrilla war. There are no ways or means that cannot be combined with others.

These terms, however, are not the same. Security is better thought of as the foundational element that enables national and international socioeconomic-political development and includes the task of generating “responsible governance”.

In 1996, the secretary general of the United Nations, Boutros Boutros-Ghali, described the most important dialectic at work in the post-Cold War world as globalization and fragmentation. As a consequence of his research in the field he introduced two new types of threats. These included:

(1) A new set of players that includes insurgents, transnational criminal organizations, private armies, militias, and gangs that are taking on roles that were once reserved for nation-states.

(2) Indirect and implicit threats to stability and human well-being such as unmet political, economic, and social expectations.

This broadened concept of security ultimately depends on eradication of the causes, as well as the perpetrators, of instability.

A New Sociology of Security

These new global developments and the emergence of new players and practices in the global security arena dictate a new sociology of security and a redefinition of the major characteristics of contemporary socioeconomic-political conflict. A few of these defining characteristics include the following:

  • The center of gravity is no longer an easily identifiable military force. It is now leadership and public opinion – and the fight takes place among the people, not on a conventional battlefield.
  • The broadened concept of security (responsible sovereignty) ultimately depends on the eradication of causes, as well as perpetrators, of instability.
  • The primary objective of security is no longer the control of sovereign territory and the people in it. The strategic objective is to capture the imagination of the people and the will of their leaders – thereby winning a public opinion trial of relative moral strength.
  • The principal tools of contemporary conflict are now the proactive and coercive use of words, images, symbols, perceptions, ideas, and dreams.
  • War is now total in terms of scope, method, objective, and time.
  • There are the following three rules: (1) only the foolish fight fair; (2) there are no rules; and (3) the only viable morality within the anarchy of the world disorder is national self-interest.

The Peace-Security Paradigm

The fulfilment of a holistic, population-centric, legitimate governance and stability-security equation for national and global security consists of three principal elements. They are derived from the independent variables that define security (i.e., S). These three primary elements are as follows: (1) the coercive capacity to provide a culturally acceptable level of personal and collective stability (i.e., M), (2) the ability to generate socioeconomic development (i.e., E), and (3) the political competence and rectitude to develop a type of governance to which a people can relate and support (i.e., PC). It is heuristically valuable to portray the relationship among these elements as a mathematical formula: S = (M + E) × (PC)

This peace-security equation was developed from the SWORD model (a.k.a. the Manwaring Paradigm) and warrants high confidence that the findings are universal and explain much of the reality of the contemporary conservative environment. 

Five Components of a Legitimate Government

  • Free, fair, and frequent selection of political leaders
  • The level of participation in or acceptance of the political process
  • The level of perceived government corruption
  • The level of perceived individual or collective well-being
  • The level of regime acceptance by the major social institutions

These key indicators of moral legitimacy are not exhaustive, but they statistically explain a high percentage of the legitimacy phenomenon and provide the basic architecture for the actions necessary to assist governments in their struggle to survive, develop, and prosper. The degree to which a political actor efficiently manages a balanced mix of these five variables enables stability, development, political competence, security, acceptance, and sustainable peace, or the reverse. 

The Quintuple Threat to Security

There are five threats that when combined pose a grave danger to the security of a nation’s sovereignty. These are domains that external threats and, potentially, their internal partners will seek to damage. These include:

  • Undermining the ability of the government to perform its legitimizing functions.
  • Significantly changing a government’s foreign, defense or other policies.
  • Isolating religious or racial communities from the rest of the host nation’s society and replacing traditional state authority with alternative governance (e.g. ideological, plutocratic, criminal or religious).
  • Transforming socially isolated human terrain into “virtual states” within the host state, without a centralized bureaucracy or easily identified military or police forces.
  • Conducting low-cost actions calculated to maximize damage, minimize response, and display carefully staged media events that lead to the erosion of the legitimacy and stability of a targeted state’s political-economic-social system.

The above elements, when combined and sustained over time, lead to the inability of a nation to maintain peace and security.

Linear-Analytic Case Study Elements

Research applying these methods will frequently find that the study of only a few sharply contrasting instances can produce a wealth of new insights as it produces an enhanced understanding of the architecture of successful and unsuccessful strategies – or best/worst practices – in dealing with complex contemporary hybrid conflicts.

With this information, the strategic and analytical commonalities and recommendations can be determined that are relevant to each case examined, as well as the larger general security phenomenon.

The standard approach to such case studies is to include the following three elements: Issue and Context, Findings and Outcome, Conclusions and Implications.

The case studies which Manwaring then covers include the following:

  • Lessons from Italy (1968 – 1983) and Western Sahara (1975 – Present)
  • Lessons from Somalia (1992 – 1993) and Bosnia (1992 – 1998)
  • Lessons from Argentina (1960 – Present) and Mexico (1999 – Present)
  • Lessons from Vietnam (1959 – 1975) and Algeria (1954 – 1962)
  • Lessons from Malaya (1948 – 1960) and El Salvador (1979 – 1992)
  • Lessons from Venezuela (1998 – Present) and Uruguay (1962 – 2005)
  • The Proxy War against the Soviet 40th Army in Afghanistan

Conclusion

From the aforementioned cases a large number of insights on the nature of global security can be developed. Perhaps most importantly, in understanding the new nontraditional and greatly enlarged security arena, one must be organizationally and cognitively prepared to deal with proxies as well as other unconventional players operating across the entire spectrum of conflict.

Strong empirical evidence illustrates that the essence of any given contemporary threat situation must be to co-opt, persuade, control, and/or compel an adversary’s public opinion and political leadership to accept one’s will. That defines war. This form of ‘protracted struggle’ originates largely within the canon of Marxist thought.

Lenin articulated the contemporary political vision within which many nonstate and state actors operate. He taught that anyone wishing to force radical political-economic-social change and compel an opponent to accede to his or her will must organize, equip, train, and employ a body of small political agitator groups. His intent was straightforward. If these unconventional and clandestine individuals of statecraft succeed in helping to tear apart the fabric on which a targeted enemy rests, the instability and violence they create can serve as the “midwife of a new social order.”

This has a number of implications that both an enlightened electorate and political operatives should consider when deliberating and legislating about the contemporary global security arena. Most importantly, this includes understanding that the root causes of insecurity lie in economic and social issues and that the way to assess risks to security is to look at the individuals and groups engaged in activities defined as threats to the peace-security paradigm.

Review of Race to the Bottom: Uncovering the Secret Forces Destroying American Public Education

Race to the Bottom: Uncovering the Secret Forces Destroying American Public Education by Luke Rosiak is a journalistic account of a network of radical political activists, unions with leadership captured by leftist ideology, bureaucrats that value their own interests above those of their constituents, and philanthropy organizations that use racist rhetoric to fundamentally upend the American education system and to indoctrinate students with political views which are empirically false. The stories about people across several school districts illustrate how powerful national and regional interests have captured local government and used their power to implement busing systems that were neither desired by residents nor beneficial to students’ academic performance, to promote lesson plans that advance leftist ideology, to alter government’s border lines to financially benefit housing developers, and to transform the personal dysfunction of mentally troubled individuals into a social contagion. At the core of these efforts is a push towards “equity” and “anti-racism” – which Rosiak masterfully demonstrates are floating signifiers that can be mobilized for contradictory and counter-productive policy changes that are often passed due to most citizens being uninformed and disempowered actors in a local political setting.

Race to the Bottom covers numerous professional organizations and consultancies such as the American Educational Research Association (AERA), PolicyLink, Pacific Education Group (PEG), and the National Education Association (NEA) and how they work in collaboration with teachers’ unions and the Democratic Socialists of America.

Chapter One, Cheating Math, shows how school districts across the country were engaged in deceptive practices to artificially inflate the test scores, passing rates, and enrollment numbers of students while also lowering the standards involved in demonstrations of subject area mastery to ensure that they had statistics which made them appear to be “highly effective”. Students in Montgomery County, Maryland, who had failed the state-mandated exams required to pass were not just given an alternative project to complete as an equivalent but were given worksheets filled out in advance so they had to do nothing. At Ballou in Washington D.C., students that were truant for more than three months – which meant according to district policy that they should be automatically failed – nevertheless still graduated. In Los Angeles, out-of-school suspensions decreased by 1/3 over a seven-year period – leading to a major jump in the rate at which teachers quit and at which in-class time was disrupted by small groups of poorly behaved students that knew discipline options were limited. The sections on the elimination of standards requirements, the alteration of their calculation, or the reduction of their importance were also disturbing. In the name of restorative justice and equity, the denominator for “good academic work” was drastically reduced.

Chapter Two, The Mathematician, is framed with a concerned parent seeking data to help him understand why the school district that his child was in – and those around him – was doing so poorly, and getting stonewalled by the state Department of Education. This serves to highlight how the vast educational bureaucracy operates together to hide from parents what’s actually going on in the classroom and in the board rooms which decide what is “accomplished” and what is “proficient”. Close examination of the minutes of labor union resolutions hints at the extent to which these groups have transitioned from being organizations concerned about workplace conditions to political bodies directed by the radicals that have captured the leadership positions. An example of this is found at the annual NEA conference in July 2019:

“…one of the first actions union delegates took was voting down a motion to “rededicate itself to the pursuit of increased student learning in every public school in America by putting a renewed emphasis on quality education.” Instead, it approved motions to “involve educators, students, and communities in the discussion around support for reparations”; to blame the United States for destabilizing Central America, therefore causing a flood of immigrants, and to “incorporate the concept of ‘White Fragility’ into NEA trainings/staff development”.”

https://ra.nea.org/business-item/20109-nbi-002

https://ra.nea.org/business-item/20109-nbi-025

https://ra.nea.org/business-item/20109-nbi-118

https://ra.nea.org/business-item/20109-nbi-011

The reason why so many teachers might be ignorant of these developments is hinted at in an earlier section of this chapter. Aggregate test results show that those seeking graduate degrees in education had the lowest math and verbal reasoning scores.

Chapter Three, School Board, focuses on how down-ballot elections for school boards that received little media coverage were targeted by individuals that frequently had no children, were funded primarily by outside individuals and groups, were leftist/progressive/Islamist activists that were employed by activist organizations such as Media Matters or New Ventures Fund, and sought to change established educational standards towards indoctrination.

Karl Frisch, Elaine Tholen, Karen Keys-Gamarra, Abrar Omeish, and Rachna Sizemore Heizer are just several of those shown to pursue a political agenda. Heizer is even described as carrying a copy of Howard Zinn’s A People’s History of the United States when she was sworn into the school board in December of 2019. While the funding comes from outside networks, so too does the campaign infrastructure for their election. Rather than parents of students going door to door for outreach regarding candidates that they believe would be best for their children, unions, gay pride clubs at nearby college campuses, and national interest groups funded by billionaire Michael Bloomberg became involved. Once empowered, these activists show themselves to be incompetent, self-serving, and political in a viral manner: people that are competent and serve the students and community resign rather than follow orders which will not offer meaningful learning experiences for children. They sought to cut advanced academic programs – even when racial considerations were resulting in black students being placed into higher-level classes in which they were underperforming. Their election also becomes a way to promote activists whose work and policies align with their worldview rather than with what’s best for children. One example of this is Ibram X. Kendi receiving $20,000 from school board funds for a one-hour Zoom speech. The most disturbing example shown, however, is how these activist school board members and the teachers’ unions united against the CDC guidelines that suggested schools reopen and refused to use funds intended to go to PPE to promote the notion that the DOE was “underfunding” schools. While this is clearly not a comprehensive picture of all educational labor union activity, it’s clear from the accounts shared here how they’ve turned into highly politicized instruments of power rather than an organ for collective bargaining between employer and employee.

Chapter Four, Riots, highlights Glenn Singleton’s Pacific Education Group – an educational consulting group that “has made millions implanting radical ideas into K-12 school through his trademarked Courageous Conversation programming” (Rosiak 64). The costs of his training and the extent to which this company is able to impact lesson plans and hiring decisions are shocking – with some principals at schools quitting in protest rather than allowing what they see to be a toxic set of principles to be disseminated in their schools. In St. Paul, Edina, and other locales disciplinary rules change to ensure disruptive students face no repercussions for their behavior, and academic standards are lowered and redirected to topics that openly promote leftist indoctrination within the student body.

Chapter Five, Don Quixote, opens with a journalistic account parsed from court documents about Tracy Hammond. She starts off as a housewife who, after numerous online exchanges with a convicted child molester whom she eventually marries, turns into a masochist, an anarchist and a radical atheist who claims a Hispanic heritage that her parents say is fabricated, and who would come to wield immense power in the Seattle School Board system. The power she wields, notably, continues the trend mentioned above: a heightened focus on ‘ethnic’ and ‘racial’ issues – such as the creation of ‘math ethnic studies’ – and the decreased ability of students to pass standardized exams required to demonstrate subject area mastery. Rosiak chronicles the life of this morbidly obese activist who was the Regional Teacher of the Year up until she was later deemed a racial fraud like Rachel Dolezal and fired from her job. He shows how the small network she formed was able to build a significant footing within the school bureaucracy, to link up with outside funders (the NAACP), and then push for changes oriented to her vision of “social justice” while at the same time attacking anyone that questioned the value of these equity initiatives. Reports published by the educational think tank Brightbeam, notably, came to show that the more progressive the policies, the worse the achievement gap.

Chapter Six, Critical Race Theory, provides an account of how Critical Race Theory was repackaged as equity and how activists were successful in clandestinely adding its tenets to school curriculums in several school districts – such as Loudoun County, Virginia. Michelle Thomas, who would become the NAACP branch president in Loudoun in 2018, was the “pastor” leading the charge in her district. Pastor is in quotations because, while she wore the collar of someone in the clergy, she has no theological training and, despite claims of a connection to American slaves, she is the daughter of Jamaican immigrants. It’s these people, with tenuous connections to the racial communities they claim to serve, who act in a manner that could be categorized as over-compensation and who have dubious ethics (the ‘black owned’ business which Thomas once ran sub-contracted out all of the work to white-owned firms, i.e. was a mere intermediary, and she previously had a warrant out for her arrest for passing bad checks). During her leadership a poorly researched report written by Kenya Savage, the leader of a group operating in the school system called the Minority Student Achievement Advisory Committee, is promoted by Katrecia Nolen, Wendy Caudle Hodge, Lara Profitt, Zerell Johnson-Welch, and other pro-CRT activists, and is then used to demand that the district pay over $500,000 for school staff training. Some of those advocating for the necessity of the training, notably, were heads of companies that received money from these and related contracts.

This training sought to promote the view that “whiteness” was inherently “anti-black” and is noticeably silent about Hispanic students – despite their being a demographic that was nearly double the population of blacks in schools. These equity projects, in essence, exploited administrators’ and school board members’ fears of being deemed “racist” for not supporting an initiative, in order to fill the pockets of the activists and their friends. This allowed activists to force the school district to promote ethnic studies that, essentially, promoted the notion that capitalism was inherently racist, that it ought to be overcome, and that liberal notions such as the neutrality of law were nothing more than a sham to perpetuate racial injustice.

The following nine chapters continue with accounts similar to those described above. The details of educator organizations that have been captured by radicals, and of how these groups partner with activist cliques seeking to change school policy as well as with private firms which rely upon such actors to change regulations to their benefit or obtain contracts, are truly disturbing. Rosiak traces how many of the people now pushing for these changes have long histories of radical activism which go back to the New Left and who now receive funding from people like Michael Bloomberg, whose wealth is in large part a product of his connections to the Chinese Communist Party. The section on government-funded lobbying – wherein groups are paid to train students to essentially function as the radical activist wing of the Democratic Party – is also worth further examination. While this book does not apply intelligence analysis to develop a larger picture of all the efforts of those described, it does present a compelling series of accounts of the extent to which radicals are seeking to lay the groundwork for Cultural Revolution-style changes in the U.S. and is thus highly recommended.

Review of The Antifa: Stories From Inside the Black Bloc

The Antifa: Stories From Inside the Black Bloc is by Jack Posobiec, a former naval intelligence officer whose area specialization is the Chinese Communist Party. It was published in 2021 by Calamo Press, a publishing house that lists only seven other books besides The Antifa.

Since leaving active duty, Jack Posobiec has produced documentaries and books of analysis on Leftist organizations in the United States. The book is framed not as an intelligence briefing or comprehensive, book-length account but as an overview. Posobiec states:

“The information contained in this book and its appendices serve only as an introductory summary of the scope and breadth of this network, which operates cells in numerous regions across Western Europe and North America, and is growing increasingly tactical.”

The Introduction of the book presents a largely perspective, one that matches the tenor of his Twitter account: the U.S. intelligence community is self-serving in its approach to public engagements – serving power above truth – and has a worldview that is inappropriately self-assured, in that it is blind to the negative long-term impact of its support of time-bound parties over timeless verities.

The Antifa provides a broad intellectual history of the ideology, intelligence collection activities, and reportage – opening in the U.S. and then covering groups in Europe such as the Red Army Faction in Germany, amongst a few other leftist terrorist groups that were shown, following the fall of the U.S.S.R. and the brief opening of its government archives, to have been given financial support by the Soviet Union.

I’ll first present the praiseworthy elements of the book and then the blameworthy.

Creditable

Posobiec cites a good number of events and actors to legitimize the goal of the work as being an introductory summary.

Posobiec writes in a shorthand about Antifa’s conceptual trajectory that is far less nuanced than Mark Bray’s Anti-Fascist Handbook – and yet his openly dismissive criticism of the illiberalism of Antifa doesn’t miss the mark. Whereas Bray, due to his political sympathies, propounds sophistries on how rights enumerated by the U.S. Constitution (i.e. Free Speech) are, essentially, ‘tricks’ of the capitalist class to enforce their rule – Posobiec reports that they are out-of-power totalitarians who hope to organize themselves in such a way that they can soon restrict speech on a wide variety of topics. The efforts to indoctrinate anti-legal values – i.e. illegal migrants are legal, police are criminal, people should only be allowed to organize themselves if their goals support socialism – are covered only in brief, but the examples provided do highlight their policies.

Similarly, the section contrasting core “Boogaloo boys” values, attitudes, beliefs, and actions with those of the traditional conservatives shows how incorrect some journalists’ assessments of them as being “creatures of the right” have been.

Posobiec’s direct account of Antifa’s intimidation and violence is both journalistic and autobiographic. It gives an extended internal perspective of someone that is ‘sieged’ by a group of protestors simply for having a belief (i.e. the outcome of the elections was good), as well as an ‘on the ground’ account from someone within a “Cop-Free Zone”, and this makes for compelling reading. In such instances it’s possible to see how Antifa feeds into elements of fascism, criminality, and illicit drug culture. Posobiec’s a talented writer, so these sections on the authoritarian and anti-social elements of the Antifa worldview are presented in a manner that effectively combines the serious with the humorous.

Criticisms

While the overview given on Antifa’s positions is correct, I believe a more extended delineation of their policy positions would have been beneficial for characterizing them as militant utopians. This would have benefitted the book by establishing not only that this is a network that seeks to undermine the U.S. Constitutional order but also that it can be exploited by enemies of the State.

Posobiec’s description of Antifa’s historical trajectory in the U.S. relies upon events widely covered rather than examining the period which he correctly cites as formative. In the closing chapter titled Outlook Assessment, Posobiec provides a concise and accurate history:

“The extremist movement’s growth has been fueled first by the increase in globalization in the 1990s; financial capitalism in the 2000s, and later by the spread of international populism in the late 2010s… social media platforms have permitted the vast spread of antifascist ideology, recruitment, organization, and crowdfunding across state and international borders in ways never before possible” (Posobiec 2021).

And yet in the introduction Posobiec periodizes Antifa as beginning in the 2016 campaign trail at Hillary’s DNC and Trump’s election. There is no rationale given for this claim.

Though the book describes the connection of modern anti-systemic thought and activism to CrimethInc. and Black Lives Matter, he makes no mention of the leaders within these two networks. This is important as it answers the question: “What were the groups involved in the J20 protest actions doing during the lead-up to the Battle in Seattle?”

From that vantage point, we’d see that these groups were practicing street protest tactics, engaging in training exercises for non-violent protest, and building trust with one another at various gatherings, as well as learning how to do media work, fund-raise, and network at conferences. Looking backward we see that (1) the leaders of these networks are linked to the World Social Forum movement, (2) the WSF was founded to achieve goals advanced by the international communist movement generally and the Cuban and Venezuelan governments specifically, and (3) Antifa’s “seeds” were first planted at Common Ground – wherein meetings between Anarchists, ex-Black Panther Party members and other types of radicalized people led to a qualitatively different form of struggle within the U.S. – and that whereas mass protest “welcoming committees” were once staged at the RNC AND the DNC, now it is only the former.

Because of this short-term periodization Posobiec instead highlights efforts by the Kurdish YPG to attract ideologically-motivated volunteers to fight in Syria. While impactful, this was not formative to the same degree that Cuba’s and Venezuela’s material and organizational support has been for the contemporary U.S. left.

Another issue is that, as a whole, coverage of activities is episodic rather than comprehensive, and the activities are not processed in a manner suited to intelligence analysis.

But it does weaken the conclusion of the book.

The chapter titled Black Block as well as the Appendix contain a list of protest activities undertaken by CrimethInc. and Black Lives Matter – however, the numerous in-person conventions, conferences, consultations, cultural events, forums, encuentros, speaking engagements, etc. linked to these networks are absent. While Posobiec’s conclusion is mostly true – these were “dry runs” for Occupy Wall Street – the full scope of the sundry political networks involved in Antifa and BLM remains hidden and the full scope of activities remains correctly categorized [hybrid warfare] but poorly argued (Posobiec 85).

This is significant as the closing chapters, Domestic Terrorists and Outlook Assessment, argue that the organizational trajectory of Antifa means it ought to be viewed as a greater threat to be countered through legal action. Though the purpose of this book is stated to be introductory and not to present such a “case”, this closing section doesn’t feel inappropriate – the arguments themselves for this within the section aren’t bad – however, the evidence cited and organized doesn’t provide sufficient cause to justify “intelligence collection, communication intercepts, and financial asset tracking and seizure”. This doesn’t mean he’s wrong, just that he’s wrapping up with a conclusion on the subject rather than an outline for how other researchers should work towards building an all-source database for use in intelligence development on this subject. Given the book’s line of argument, this is needed to achieve what is argued for in the concluding chapters.

Review of BLM: The Making of a New Marxist Revolution

In the first chapter of BLM: The Making of a New Marxist Revolution, titled The Founding v. Slavery, author Mike Gonzalez presents a summary refutation of several important claims linked to the 1619 Project. This rebuttal, citing numerous subject area experts and primary sources, highlights how the overarching argument put forward by texts which were later disseminated along with lesson plans to schools was a weapon with which to indoctrinate and not a historical work with which to instruct honestly about the past. This section contrasting Commentary and History sets the tone for subsequent chapters, highlighting how the former is often shaped for use as a weapon by the left and the latter is an aegis with which to defend society. While Mike Gonzalez does overlook several important elements about BLM, this book is truly a masterful accounting of how much of the rhetoric used as a cudgel by BLM activists is a variation of what was said before by Soviet-inspired Communist activists in the U.S.

The second chapter, The Soviets’ Failed Infiltration, details the period following shortly after the 1917 Revolution in Russia. During this period of cultural renaissance for Blacks in Harlem, efforts were made by Communists to claim themselves as the true representatives of the political interests of Blacks. Communists and fellow travelers defined themselves in opposition to other popular, capitalist movements, such as Marcus Garvey’s Universal Negro Improvement Association. And yet they repeatedly sought to infiltrate it and gain control over this organization and others like it. This strategy, along with many of the policy positions taken by these groups – such as the separation of the Southern portion of the United States under a separate government called New Africa – often originated from deliberative bodies in Moscow.

As Harold Cruse details at greater length in The Crisis of the Negro Intellectual, these were not tactics and policies able to mobilize many rank-and-file workers or activists. Outside of a few committed bodies of radical cadres that better established black civil organizations shunned, it merely had the effect of – to paraphrase Cruse – aesthetically and intellectually castrating many potentially brilliant minds. Gonzalez continues by highlighting the close relationship between organizations such as the Black Liberation Army and International Labor Defense, a Communist Party front organization, and Cuba – which was actively collaborating with the Soviet Union. The goal of these groups was to foment racial strife and dissension in manners that would benefit the interest of both of these parties (Domestic and international Communist Parties). From a regional perspective Hammer and Hoe: Alabama Communists During the Great Depression describes these politics in more detail – and how leading up to and during the Second World War the Soviet Union discouraged this behavior so that the Communists were recognized as “supporters” of the fight against Nazi Germany.

The third chapter, Then The 1960s Happened, covers the period after the War and the end of the Popular Front. It shows a political return to anti-racist discourse, as well as a new focus on anti-sexism and anti-imperialism, understood to also relate to the experience of blacks in America. Stokely Carmichael, former leader of SNCC and a pan-African communist, is invited to Cuba after promoting this view in London and later tells audiences in Havana that they are preparing urban guerrilla forces.

Highlighting the intellectual linkages between these events from the 1960s and the present, Gonzalez cites SNCC’s letter which functioned to pass the torch from them to BLM and highlights how: “Opal Tometi, known for touring Caracas and praising Nicolas Maduro’s dictatorship in exchange for his support, is hardly the first radical black leader to tour the Caribbean in search of like-minded dictators.” (Gonzalez 63). After highlighting how the Cuban Revolution was a model which inspired the Weathermen Underground leftist terrorist group, how the Cuban government provided assistance and sanctuary to Black Liberation Army members that were wanted for major crimes, and how members of these organizations have since turned from armed conflict to subversion, the reader enters the near-present.

At 25 pages Chapter 4, titled BLM, is the book’s shortest chapter. It does, however, highlight how BLM is part of a decentralized transnational network of activists who seek to develop revolutionary conditions within the U.S. through policy initiatives, organized conflict, and positive media coverage. Gonzalez cites Armed Conflict Location and Event Data (ACLED) and Bridging Divides Initiative (BDI) research which shows that BLM was involved in 95% of the then 633 incidents recently coded as riots in the U.S. and claimed they were one of the main factors for the “heightened risk of political violence and instability going into the 2020 election”. Brief biographies are given of the founders and a few leaders of BLM, along with background on their religious upbringing and family history. Gonzalez describes how Opal Tometi, who comes from a Liberation Theology background, wrote “something akin to a manifesto titled ‘Black North American Solidarity Statement with the Venezuelan People’” (Gonzalez 85). Several other examples showing BLM’s linkages to the international Communist movement are also shared.

This section is where my main criticism of the book emerged – there is no identification of the fact that these individuals and many of the groups Gonzalez cites – i.e. Causa Justa, FRSO, PUEBLO, etc. – participated in the United States Social Forum. It’s one thing to say that these are people for whom “Maduro is a model to follow in the United States” (Gonzalez 94). It is a whole other thing to use intelligence processes and products to highlight how these people participated in organizational and strategic knowledge transfer events that were first ideated in Caracas at the World Social Forum and that had multiple Venezuelan government officials in attendance at these events.

This is important as it enables verification and expansion of significant conjectures made by Gonzalez – such as his claim that “given the great assortment of small and large Marxist associations that the three would call on [to promote BLM], we can quickly figure out how the hashtagged message was amplified and by whom.” (Gonzalez 95). Given Venezuela’s sympathetic view toward BLM, and Venezuela’s alliance with China and Russia, and that all three have social media operations to influence Twitter – this means that three states antagonistic to the U.S. government have the means, motive, and opportunity to support BLM in their online operations. This means that all the other groups which were part of the Social Forum had the means, motive, and opportunity to claim the BLM flag as their own. Both of these factors can be used to explain BLM’s “virality”. Regardless of this criticism, further relevant details of the official BLM network and its affiliates’ connections to the pan-Africanist movement are described, which then serve to transition to a discussion on the money involved.

Chapter 5, titled Follow The Money, illustrates how the fiscal sponsors of the movement have ties to long-established foundations and financial support networks which are led by people with past or present associations with Communist regimes in Beijing, Caracas, Havana, and Managua as well as older liberal organizations that have seemingly been captured. The citation of numerous amounts of money distributed is at times shocking. There are, however, no charts that show this and the methodology used is not clear – meaning there could be gaps between what’s said and what is actually raised. This lack of charts and network maps – and this is a systemic problem within the subject area literature on leftist groups in the U.S. – decreases the effectiveness of the intuitively correct claims made about how these networks are classifiable as 4th generation warfare actors. It also explains why criticism of BLM is more difficult than that of their primarily white allies, Antifa.

Chapter 6, How Antifa Became the Safe Space, highlights several issues such as elected politicians running interference in criminal investigations and district attorneys refusing to prosecute political cases. The examples given show that the Network Contagion Research Institute’s claim that “The need for regular, reliable and responsible reporting with methods such as those used in this briefing with similar computational techniques is now imperative.” is perhaps an understatement (Gonzalez 139). After all, without a comprehensive account of what’s going on at a national level, journalistic accounts are such “local” stories that they can’t provide a full picture of how these financial and political support networks are able to impact society. Antifa, because of its lack of a clear organizational leadership structure, can be criticized because it’s not able to politically mobilize according to methods traditional to representative democracy.

Chapter 7, Schooling the Revolution, is very insightful for showing how it is that activists have been able to incorporate radical communist and race essentialist perspectives into instructional material. Through the use of networks affiliated with the Zinn Educational Project, and Black Lives Matter at School National Steering Committee, teachers are forced to go through training sessions akin to the Red Guard struggle sessions in Mao’s Cultural Revolution, and the curriculum transitions from subject area knowledge to the creation of “proper” political views. Gonzalez highlights “Former Weatherman Bill Ayers’s stomach-churning praise for Hugo Chavez’s communist indoctrination of Venezuelan children at a 2006 meeting in Caracas” and highlights how the promotion of sexual libertinism to children matches the work of George Lukacs, the former Educational and Cultural Commissioner of Soviet Hungary – but unfortunately doesn’t unpack this even more to cover how so many of the policies that he cites are verbatim those that have been implemented in Venezuela (Gonzalez 160).

On the whole, the book is very insightful in presenting a picture of the actual strategies, tactics, techniques and aims of the Black Lives Matter Movement. The scope of its organization isn’t holistic nor is the extent of its network affiliates and efforts fully mapped. However, as an advanced account of the organization and its affiliated activity, it’s a worthy contribution to the literature.

Notes on Information Collection FM 3-55


Preface

Although this is the first edition of field manual (FM) 3-55, the concepts are not new. Many who read this FM will recognize that it is a culmination of decades of refinement. In this manual, the term information collection is introduced as the Army’s replacement for intelligence, surveillance, and reconnaissance (also known as ISR). ISR is a joint term, which the Army revised to meet Army needs.

Introduction

A nuanced understanding of the situation is everything. Analyze the intelligence that is gathered, share it, and fight for more. Every patrol should have tasks designed to augment understanding of the area of operations and the enemy. Operate on a “need to share” rather than a “need to know” basis. Disseminate intelligence as soon as possible to all who can benefit from it.

General David H. Petraeus, U.S. Army

Military Review

The Army currently has no unified methodology or overall plan to define or establish how it performs or supports information collection activities at all echelons. This publication clarifies how the Army plans, prepares, and executes information collection activities within or between echelons.

This manual emphasizes three themes. First, foundations of information collection that demonstrate information collection activities are a synergistic whole, with emphasis on synchronization and integration of all components and systems. Second, commanders and staff have vital responsibilities in information collection planning and execution, with emphasis on the importance of the commander’s role. Finally, the planning requirements and assessing success of information collection is measured by its contributions to the commander’s understanding, visualization, and decisionmaking abilities.

With the exception of cyberspace, all operations will be conducted among the people and outcomes will be measured in terms of effects on populations. This increases the complexity of information collection planning, execution, and assessment, requiring a deeper level of situational understanding from commanders.

Commanders drive information collection activities through their choice of critical information requirements and through mission command in driving the operations process. Commanders visualize, describe, direct, lead, and assess throughout the operations process with understanding as the start point. Intelligence preparation of the battlefield assists them in developing an in-depth understanding of the enemy and the operational environment. They then visualize the desired end state and a broad concept of how to shape the current conditions into the end state. Commanders describe their visualization through the commander’s intent, planning guidance, and concept of operations in order to bring clarity to an uncertain situation. They also express gaps in relevant information as commander’s critical information requirements. The challenge is for information collection activities to answer those requirements with timely, relevant, and accurate intelligence that enables commanders to make sound decisions.

Chapter 1
Foundations of Information Collection

This chapter presents the basics of information collection. It begins with the definition and purpose of information collection. It then discusses the information collection processes. Lastly, the chapter discusses primary information collection tasks and missions.

DEFINITION

1-1. Knowledge is the precursor to effective action, whether in the informational or physical domain. Knowledge about an operational environment requires aggressive and continuous operations to acquire information. Information collected from multiple sources and analyzed becomes intelligence that provides answers to commander’s critical information requirements.

1-2. Commanders have used to provide intelligence to reduce the inherent uncertainty of war. Achieving success in today’s conflicts demands extraordinary commitment to reducing this uncertainty.

1-3. Information collection is an activity that synchronizes and integrates the planning and employment of sensors and assets as well as the processing, exploitation, and dissemination systems in direct support of current and future operations. This activity implies a function, mission, or action as well as the organization that performs it.

1-4. At the tactical level, reconnaissance, surveillance, security, and intelligence missions or operations are the primary means by which a commander plans, organizes, and executes shaping operations that answer the commander’s critical information requirements and support the decisive operation.

1-5. The intelligence and operations staffs work together to collect, process, and analyze the information the commander requires concerning the enemy, other adversaries, climate, weather, terrain, population, and other civil considerations that affect operations. Intelligence relies on reconnaissance, security, intelligence operations, and surveillance for its data and information. Conversely, without intelligence, commanders and staffs do not know where or when to conduct reconnaissance, security, intelligence operations, or surveillance. The usefulness of the data collected depends upon the processing and exploitation common to these activities.

1-6. Commanders integrate information collection to form an information collection plan that capitalizes on different capabilities. Information collection assets provide data and information. Intelligence is the product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations. The term is also applied to the activity which results in the product and to the organizations engaged in such activity.

Intelligence informs commanders and staffs where and when to look. Reconnaissance, security, intelligence operations, and surveillance are the ways—with the means ranging from national and joint collection capabilities to individual Soldier observations and reports. The end is intelligence that supports commander’s decisionmaking. The result—successful execution and assessment of operations—depends upon the effective synchronization and integration of the information collection effort.

1-7. These activities of information collection support the commander’s understanding and visualization of the operation by identifying gaps in information, aligning assets and resources against them, and assessing the collected information and intelligence to inform the commander’s decisions. They also support the staff’s integrating processes during planning and execution. The direct result of the information collection effort is a coordinated plan that supports the operation.

PURPOSE

1-8. Information collection activities provide commanders with detailed, timely, and accurate intelligence, enabling them to visualize threat capabilities and vulnerabilities, and to gain situational understanding. Information collected from multiple sources and analyzed becomes intelligence that provides answers to commander’s critical information requirements as part of an evolving understanding to the area of operations. These activities contribute to the achievement of a timely and accurate common operational picture (COP).

1-9. Effective information collection activities—

  • Provide relevant information and intelligence products to commanders and staffs.
  • Provide combat information to commanders.
  • Contribute to situational awareness and facilitate continuous situational understanding.
  • Generate a significant portion of the COP vertically and horizontally among organizations, commanders, and staffs.
  • Support the commander’s visualization, permitting more effective mission command.
  • Answer the CCIRs.
  • Facilitate and are facilitated by the intelligence preparation of the battlefield (IPB).
  • Support effective, efficient, and accurate targeting.
  • Decrease risk for the unit.

1-10. Commanders and staffs continuously plan, task, and employ collection assets and forces to collect information. They request information and resources through higher echelons as needed. This information and intelligence enable commanders to make informed decisions that are translated into action.

1-11. Information collection planning is crucial to mission success. The four fundamentals in effectively planning, synchronizing, and integrating information collection activities are—

  • The commander drives the information collection effort.
  • Effective information collection synchronization and integration requires full staff participation.
  • Conducting information collection requires a collection capability, either organic or augmented by nonorganic resources.
  • Conducting information collection requires an analytical capability to analyze and produce actionable intelligence.

1-12. Commanders must be involved in the information collection planning process by quickly and clearly articulating their CCIRs to the staff. This enables the staff to facilitate the commander’s visualization and decisionmaking by focusing on the CCIRs.

1-14. Conducting information collection activities requires a collection capability, either organic or augmented by nonorganic resources. Acquiring the required information to answer the requirements encompasses the efforts of reconnaissance, security, surveillance, intelligence operations, and the skills of Soldiers. All the activities that contribute to developing continuous knowledge about the area of operations are considered information collection activities. Planners must understand all collection assets and resources available to them and the procedures to request or task collection from those assets, resources, and organizations.

1-15. Conducting these activities requires an analytical capability to interpret information and produce actionable intelligence. The analyst’s ability to employ critical thinking and use multiple sources during intelligence analysis reduces uncertainty and helps solve problems that could not be resolved via a single source of information. This requires staff sections to understand the capabilities and limitations of assets to collect and report. The staff must also establish reporting guidelines to the collection assets.

INFORMATION COLLECTION PROCESS

1-16. Information collection is the acquisition of information and the provision of this information to processing elements. This process performs the following tasks:

  • Plan requirements and assess collection.
  • Task and direct collection.
  • Execute collection.

PLAN REQUIREMENTS AND ASSESS COLLECTION

1-17. The intelligence staff (in collaboration with the operations officer and the entire staff) receives and validates requirements for collection, prepares the requirements planning tools, recommends collection assets and capabilities to the operations staff, and maintains synchronization as operations progress.

TASK AND DIRECT COLLECTION

1-18. The operations officer (based on recommendations from the staff) tasks, directs, and when necessary re-tasks the information collection assets.

EXECUTE COLLECTION

1-19. Executing collection focuses on requirements tied to the execution of tactical missions (such as reconnaissance, surveillance, security, and intelligence operations) based on the CCIRs. Collection activities acquire information about the adversary and the area of operations and provide that information to intelligence processing and exploitation elements. Typically collection activities begin soon after receipt of mission and continue throughout preparation and execution of the operation. They do not cease at conclusion of the mission but continue as required. This allows the commander to focus combat power, execute current operations, and prepare for future operations simultaneously.

1-20. The subtasks are—

  • Establish technical channels and provide guidance.
  • Collect and report information.
  • Establish a mission intelligence briefing and debriefing program.

Establish Technical Channels and Provide Guidance

1-21. This subtask includes providing and conducting technical channels to refine and focus the intelligence disciplines’ information collection tasks. It coordinates the disciplines’ assets when operating in another unit’s area of operations.

1-23. Technical channels refer to supervision of intelligence operations and disciplines. Technical channels do not interfere with the ability to task organic intelligence operations assets. They ensure adherence to existing policies or regulations by providing technical guidance for intelligence operations tasks contained within the information collection plan.

1-24. Technical channels also involve translating tasks into the specific parameters used to focus the highly technical intelligence operations collection or the legally sensitive aspects of signals intelligence collection as well as human intelligence military source operations and counterintelligence tasks. Technical channels provide the means to meet the overall commander’s intent for intelligence operations. Technical channels include but are not limited to defining, managing, or guiding the use of specific intelligence assets or identifying critical technical collection criteria (such as technical indicators and recommending collection techniques or procedures).

Collect and Report Information

1-25. This task involves collecting and reporting information in response to collection tasks. Collection assets collect information and data about the threat, terrain and weather, and civil considerations for a particular area of operations (AO) and area of interest. A successful information collection effort results in the timely collection and reporting of relevant and accurate information, which supports the production of intelligence or combat information.

Collect

1-26. As part of the collection plan, elements of all units obtain information and data concerning the threat, terrain and weather, and civil considerations within the AO. Well-developed procedures and carefully planned flexibility to support emerging targets, changing requirements, and the need to support combat assessment are critical. Once staffs collect the information, they process it into a form that enables analysts to extract essential information and produce intelligence and targeting data. Once Soldiers collect the information, it is processed into a form that enables analysis. Collected and processed information is provided to the appropriate units, organizations, or agencies for analysis or action. This analyzed information forms the foundation of running estimates, targeting data, intelligence databases, and intelligence.

Report

1-27. Collection assets must follow standard operating procedures (SOPs) to ensure staffs tag reports with the numbers of the tasks they satisfy. Simultaneously, SOPs ensure assets understand and have a means of reporting important but unanticipated information. Collection assets reporting may convey that collection occurred, but the unit did not observe any activity satisfying the information collection task, which may be a significant indicator. As a part of reporting, the staff tracks which specific collection task originates from which intelligence requirement. Such tracking ensures the staff provides the collected information to the original requester and to all who need the information. Correlating reporting to the original requirement and evaluating reports is key to effective information collection. The staff tracks the progress of each requirement and cross-references incoming reports to outstanding requirements.

PRIMARY INFORMATION COLLECTION TASKS AND MISSIONS

1-29. Information collection encompasses all activities and operations intended to gather data and information that, in turn, are used to create knowledge and support the commander’s requirements, situational understanding, and visualization. Commanders maximally achieve information collection when they carefully employ all the collection tasks and missions together in an operation. This appropriate mix of collection tasks and missions helps satisfy as many different requirements as possible. It also ensures that the operations and intelligence working group does not favor or become too reliant on one particular unit, discipline, or system. The Army has four tasks or missions it primarily conducts as a part of the information collection plan:

  • Reconnaissance.
  • Surveillance.
  • Security operations.
  • Intelligence operations.

RECONNAISSANCE

1-30. Reconnaissance is those operations undertaken to obtain, by visual observation or other detection methods, information about the activities and resources of an enemy or adversary, or to secure data concerning the meteorological, hydrographical or geographical characteristics and the indigenous population of a particular area (FM 3-90). Reconnaissance primarily relies on the human dynamic rather than technical means. Reconnaissance is a focused collection effort. A combined arms operation, reconnaissance is normally tailored to actively collect information against specific targets for a specified time based on mission objectives.

1-31. Units perform reconnaissance using three methods: dismounted, mounted, and aerial (each can be augmented by sensors). Successful and effective units combine these methods. To gain information on the enemy or a particular area, units can use passive surveillance, technical means, and human interaction, or they can fight for information.

1-32. Reconnaissance produces information concerning the AO. Staffs perform reconnaissance before, during, and after other operations to provide information used in the IPB process. Commanders perform reconnaissance to formulate, confirm, or modify a course of action (COA). Reconnaissance provides information that commanders use to make informed decisions to confirm or modify the concept of operations. This information may concern the enemy, the local population, or any other aspect of the AO. Commanders at all echelons incorporate reconnaissance into their operations.

1-33. Reconnaissance identifies terrain characteristics, enemy and friendly obstacles to movement, and the disposition of enemy forces and civilians so that commanders can maneuver forces freely with reduced risk. Reconnaissance prior to unit movements and occupation of assembly areas is critical to protecting the force and preserving combat power. It also keeps U.S. forces free from contact as long as possible so that they can concentrate on the decisive operation.

Reconnaissance Objective

1-34. Commanders orient their reconnaissance by identifying a reconnaissance objective within the AO. The reconnaissance objective is a terrain feature, geographic area, enemy force, or specific civil considerations about which the commander wants to obtain additional information. The reconnaissance objective clarifies the intent of the reconnaissance by specifying the most important result to obtain from the reconnaissance mission. Every reconnaissance mission specifies a reconnaissance objective. Commanders assign reconnaissance objectives based on commander’s critical information requirements, reconnaissance asset capabilities, and reconnaissance asset limitations. The reconnaissance objective can be information about a specific geographical location (such as the cross-country trafficability of a specific area), a specific enemy activity to be confirmed or denied, a specific enemy element to be located or tracked, or specific civil considerations (such as critical infrastructure).

1-35. Commanders may need to provide additional detailed instructions beyond the reconnaissance objective (such as specific tasks to be performed or the priority of tasks). They do this by issuing additional guidance to their reconnaissance units or by specifying these instructions in the tasks to subordinate units in the operation order. For example, if a unit S-2 concludes that the enemy is not in an area and the terrain appears to be trafficable without obstacles, the commander may direct the reconnaissance squadron to conduct a zone reconnaissance mission with guidance to move rapidly and report by exception any terrain obstacles that will significantly slow the movement of subordinate maneuver echelons.

Reconnaissance Fundamentals

1-36. The seven fundamentals of reconnaissance are—

  • Ensure continuous reconnaissance.
  • Do not keep reconnaissance assets in reserve.
  • Orient on the reconnaissance objective.
  • Report information rapidly and accurately.
  • Retain freedom of maneuver.
  • Gain and maintain enemy contact.
  • Develop the situation rapidly.

Ensure Continuous Reconnaissance

1-37. The commander conducts reconnaissance before, during, and after all operations. Before an operation, reconnaissance focuses on filling gaps in information about the enemy, specific civil considerations, and the terrain. During an operation, reconnaissance focuses on providing the commander with updated information that verifies the enemy’s composition, dispositions, and intentions as the battle progresses. This allows commanders to verify which COA the enemy is actually adopting and to determine if the plan is still valid based on actual events in the AO. After an operation, reconnaissance focuses on maintaining contact with the enemy forces to determine their next move and collecting information necessary for planning subsequent operations.

Do Not Keep Reconnaissance Assets in Reserve

1-38. Reconnaissance assets, like artillery assets, are never kept in reserve. When committed, reconnaissance assets use all their resources to accomplish the mission. This does not mean that all assets are committed all the time.

Orient on the Reconnaissance Objective

1-39. The commander uses the reconnaissance objective to focus the unit’s reconnaissance efforts. Commanders of subordinate reconnaissance elements remain focused on achieving this objective, regardless of what their forces encounter during the mission.

Report Information Rapidly and Accurately

1-40. Reconnaissance assets acquire and report accurate and timely information on the enemy, civil considerations, and the terrain over which operations are to be conducted. Information may quickly lose its value. Reconnaissance units report exactly what they see and, if appropriate, what they do not see. Seemingly unimportant information may be extremely important when combined with other information. Negative reports are as important as reports of enemy activity. Reconnaissance assets must report all information, including a lack of enemy activity; failure to report tells the commander nothing. The unit communications plan ensures that unit reconnaissance assets have the proper communication equipment to support the integrated information collection plan.

Retain Freedom of Maneuver

1-41. Reconnaissance assets must retain battlefield mobility to successfully accomplish their missions. If these assets are decisively engaged, reconnaissance stops and a battle for survival begins. Reconnaissance assets must have clear engagement criteria that support the maneuver commander’s intent. Initiative and knowledge of both the terrain and the enemy reduce the likelihood of decisive engagement and help maintain freedom of movement. Prior to initial contact, the reconnaissance unit adopts a combat formation designed to gain contact with the smallest possible friendly element. This provides the unit with the maximum opportunity for maneuver and enables it to avoid decisively engaging the entire unit. The IPB process can identify anticipated areas of likely contact to the commander.

Gain and Maintain Enemy Contact

1-42. Once a unit conducting reconnaissance gains contact with the enemy, it maintains that contact unless the commander directing the reconnaissance orders otherwise or the survival of the unit is at risk. This does not mean that individual scout and reconnaissance teams cannot break contact with the enemy. The commander of the unit conducting reconnaissance is responsible for maintaining contact using all available resources. The methods of maintaining contact can range from surveillance to close combat. Surveillance, combined with stealth, is often sufficient to maintain contact and is the preferred method. Units conducting reconnaissance avoid combat unless it is necessary to gain essential information, in which case the units use maneuver (fire and movement) to maintain contact while avoiding decisive engagement.

Develop the Situation Rapidly

1-43. When a reconnaissance asset encounters an enemy force or an obstacle, it must quickly determine the threat it faces. For an enemy force, it must determine the enemy’s composition, dispositions, activities, and movements, and assess the implications of that information. For an obstacle, the reconnaissance asset must determine the type and extent of the obstacle and whether it is covered by fire. Obstacles can provide information concerning the location of enemy forces, weapons capabilities, and organization of fires. In most cases, the reconnaissance unit developing the situation uses actions on contact.

Reconnaissance Forms

1-44. The four forms of reconnaissance are—

  • Route reconnaissance.
  • Zone reconnaissance.
  • Area reconnaissance.
  • Reconnaissance in force.

Route Reconnaissance

1-45. Route reconnaissance focuses along a specific line of communications (such as a road, railway, or cross-country mobility corridor). It provides new or updated information on route conditions (such as obstacles and bridge classifications, and enemy and civilian activity along the route). A route reconnaissance includes not only the route itself, but also all terrain along the route from which the enemy could influence the friendly force’s movement. The commander normally assigns this mission to use a specific route for friendly movement.

Zone Reconnaissance

1-46. Zone reconnaissance involves a directed effort to obtain detailed information on all routes, obstacles, terrain, enemy forces, or specific civil considerations within a zone defined by boundaries. Obstacles include both existing and reinforcing, as well as areas with chemical, biological, radiological, and nuclear (CBRN) contamination. Commanders assign zone reconnaissance missions when they need additional information on a zone before committing other forces in the zone. Zone reconnaissance missions are appropriate when the enemy situation is vague, existing knowledge of the terrain is limited, or combat operations have altered the terrain. A zone reconnaissance may include several route or area reconnaissance missions assigned to subordinate units.

Area Reconnaissance

1-47. Area reconnaissance focuses on obtaining detailed information about the enemy activity, terrain, or specific civil considerations within a prescribed area. This area may include a town, a neighborhood, a ridgeline, woods, an airhead, or any other feature critical to operations. The area may consist of a single point (such as a bridge or an installation). Areas are normally smaller than zones and not usually contiguous to other friendly areas targeted for reconnaissance. Because the area is smaller, units conduct an area reconnaissance more quickly than a zone reconnaissance.

Reconnaissance in Force

1-48. A reconnaissance in force is an aggressive reconnaissance conducted as an offensive operation with clearly stated reconnaissance objectives. A reconnaissance in force is a deliberate combat operation designed to discover or test the enemy’s strength, dispositions, and reactions or to obtain other information. Battalion-sized task forces or larger organizations usually conduct a reconnaissance in force.

Reconnaissance Focus, Reconnaissance Tempo, and Engagement Criteria

1-49. Commanders decide what guidance they will provide to shape the reconnaissance and surveillance effort. In terms of guidance, reconnaissance tempo and engagement criteria most closely apply to organic reconnaissance elements. Reconnaissance focus can also be generally applied to surveillance assets, but in the specific sense of focusing a reconnaissance mission, it more closely applies to reconnaissance.

Reconnaissance Focus

1-50. Reconnaissance focus, combined with one or more reconnaissance objectives, helps to concentrate the efforts of the reconnaissance assets. The commander’s focus for reconnaissance usually falls in three general areas: CCIRs, targeting, and voids in information. The commander’s focus enables reconnaissance units to prioritize taskings and narrow their scope of operations.

1-51. Commanders use a reconnaissance pull when they do not know the enemy situation well or the situation changes rapidly. Reconnaissance pull fosters planning and decisionmaking based on changing assumptions into confirmed information. The unit uses initial assumptions and CCIRs to deploy reconnaissance assets as early as possible to collect information for developing COAs. The commander uses reconnaissance assets to confirm or deny initial CCIRs prior to deciding on a COA or maneuver option, thus pulling the unit to the decisive point on the battlefield.

1-52. Commanders use a reconnaissance push once committed to a COA or maneuver option. The commander pushes reconnaissance assets forward, as necessary, to gain greater visibility on specific named areas of interest (NAIs) to confirm or deny the assumptions on which the COA is based. Staffs use the information gathered during reconnaissance push to finalize the unit’s plan.

Reconnaissance Tempo

1-53. Tempo is the relative speed and rhythm of military operations over time with respect to the enemy. In terms of reconnaissance, tempo not only defines the pace of the operation, but also influences the depth of detail the reconnaissance can yield. Commanders establish time requirements for the reconnaissance force and express those requirements in a statement that describes the degree of completeness, covertness, and potential for engagement they are willing to accept. Commanders use their guidance on reconnaissance tempo to control the momentum of reconnaissance. Reconnaissance tempo is expressed as rapid or deliberate and forceful or stealthy.

1-54. Rapid operations and deliberate operations provide a description of the degree of completeness required by the commander. Rapid operations are fast paced, are focused on key pieces of information, and entail a small number of tasks. They describe reconnaissance that personnel must perform in a time-constrained environment. Deliberate operations are slow, detailed, and broad-based. They require the accomplishment of numerous tasks. The commander must allocate a significant amount of time to conduct a deliberate reconnaissance.

1-55. Forceful and stealthy operations provide a description of the level of covertness that the commander requires. Units conduct forceful operations without significant concern about being observed. Mounted units or combat units serving in a reconnaissance role often conduct forceful operations. In addition, forceful operations are appropriate in stability operations where the threat is not significant in relation to the requirement for information. Units conduct stealthy operations to minimize chance contact and prevent the reconnaissance force from being detected. They often are conducted dismounted and require increased allocation of time for success.

Engagement Criteria

1-56. Engagement criteria establish minimum thresholds for engagement (lethal and nonlethal). They clearly specify which targets the reconnaissance element is expected to engage and which it will hand off to other units or assets. For example, nonlethal contact identifies engagement criteria for tactical questioning of civilians and factional leaders. This criterion allows unit commanders to anticipate bypass criteria and to develop a plan to maintain visual contact with bypassed threats.

SURVEILLANCE

1-57. Surveillance is the systematic observation of aerospace, surface, or subsurface areas, places, persons, or things, by visual, aural, electronic, photographic, or other means (JP 3-0). Surveillance involves observing an area to collect information.

1-58. In the observation of a given area, the focus and tempo of the collection effort primarily come from the commander’s intent and guidance. Surveillance involves observing the threat and local populace in a NAI or targeted area of interest (TAI). Surveillance may be conducted as a stand-alone mission, or as part of a reconnaissance mission (particularly area reconnaissance). Elements conducting surveillance must maximize assets, maintain continuous surveillance on all NAIs and TAIs, and report all information rapidly and accurately.

1-59. Surveillance tasks can be performed by a variety of assets (ground, air, sea, and space), means (Soldier and systems), and mediums (throughout the electromagnetic spectrum).

1-60. Generally, surveillance is considered a “task” when performed as part of a reconnaissance mission. However, many Army, joint, and national systems are designed specifically to conduct only surveillance. These are surveillance missions. Army military intelligence organizations typically conduct surveillance missions. Reconnaissance units can conduct surveillance tasks as part of reconnaissance, security, or other missions. The commonality of reconnaissance and surveillance is observation and reporting.

1-61. Surveillance is distinct from reconnaissance. Surveillance is tiered and layered technical assets collecting information. Often surveillance is passive and may be continuous.

The purpose of reconnaissance is to collect information, not initiate combat. Reconnaissance involves many tactics, techniques, and procedures throughout the course of a mission. An extended period of surveillance may be one of these. Commanders complement surveillance with frequent reconnaissance. Surveillance, in turn, increases the efficiency of reconnaissance by focusing those missions while reducing the risk to Soldiers.

1-62. Both reconnaissance and surveillance involve detection, location, tracking, and identification of entities in an assigned area and gaining environmental data, but they are not executed in the same way. During reconnaissance, collection assets are given the mission to find specific information by systematically checking different locations within the area. During surveillance, collection assets watch the same area, waiting for information to emerge when an entity or its signature appears.

Surveillance Characteristics

1-64. Effective surveillance—

  • Maintains continuous observations of all assigned NAIs and TAIs.
  • Provides early warning.
  • Identifies, tracks, and assesses key targets.
  • Provides mixed, redundant, and overlapping coverage.

Maintains Continuous Surveillance of All Assigned Named Areas of Interest and Targeted Areas of Interest

1-65. Once the surveillance of a NAI or TAI commences, units maintain it until they complete the mission or the higher commander terminates the mission. Commanders designate the receiver of the information and the means of communication.

Provides Early Warning

1-66. Surveillance aims to provide early warning of an enemy or threat action. Together with IPB, commanders use information collection to ascertain the enemy or threat course of action and timing. They then orient assets to observe these locations for indicators of threat actions. Reporting must be timely and complete.

Detects, Tracks, and Assesses Key Targets

1-67. Surveillance support for targeting includes detecting, tracking, and assessing those key targets. Surveillance support to targeting includes detecting and tracking desired targets in a timely, accurate manner. Clear and concise tasks must be given so the surveillance systems can detect a given target. Target tracking is inherent to detection. Mobile targets must be tracked to maintain a current target location. Once a target is detected, targeting planning cells must also consider the need to track targets. Tracking targets—such as moving, elusive, low contrast targets (to include individuals)—requires a heavy commitment of limited information collection assets and resources. Assessing key targets pertains to the results of attacks on targets. This helps commanders and staffs determine if their targeting objectives were met.

Provides Mixed, Redundant, and Overlapping Coverage

1-68. Commanders integrate the capabilities of limited assets to provide mixed, redundant, and overlapping coverage of critical locations identified during planning. The intelligence and operations staff work together to achieve balance. Commanders and staff continuously assess surveillance results to determine any changes in critical locations requiring this level of coverage.

Surveillance Types

1-69. The types of surveillance are zone, area, point, and network. Note: Forms of reconnaissance, as opposed to types of surveillance, are associated with maneuver units and missions.

Zone Surveillance

1-70. Zone surveillance is the temporary or continuous observation of an extended geographic zone defined by boundaries. It can be associated with but is not limited to a TAI or a NAI. Zone surveillance covers the widest geographical area of any type of surveillance. Multiple assets, including airborne surveillance assets and radar with wide coverage capabilities, are typically employed in zone surveillance.

Area Surveillance

1-71. Area surveillance is the temporary or continuous observation of a specific prescribed geographic area. It can be associated with, but is not limited to, a TAI or NAI. This area may include a town, a neighborhood, ridgeline, wood line, border crossing, farm, plantation, cluster or group of buildings, or other manmade or geographic feature. Unlike area reconnaissance, it does not include individual structures (such as a bridge or single building). Ground-mounted surveillance systems are particularly useful in area surveillance.

Point Surveillance

1-72. Point surveillance is the temporary or continuous observation of a place (such as a structure), person, or object. This can be associated with, but is not limited to, a TAI or a NAI. It is the most limited in geographic scope of all forms of surveillance. Point surveillance may involve tracking people. When surveillance involves tracking people, the “point” is that person or persons, regardless of movement and location. Tracking people normally requires a heavier commitment of assets and close coordination for handoff to ensure continuous observation.

Network Surveillance

1-73. Network surveillance is the observation of organizational, social, communications, cyberspace, or infrastructure connections and relationships. Network surveillance can also seek detailed information on connections and relationships among individuals, groups, and organizations, and the role and importance of aspects of physical or virtual infrastructure (such as bridges, marketplaces, and roads) in people’s lives. It can be associated with but is not limited to a TAI or a NAI.

SECURITY OPERATIONS

1-74. Security operations are shaping operations that can take place during all operations. Reconnaissance is a part of every security operation. Other collection assets provide the commander with early warning and information on the strength and disposition of enemy forces. The availability of information collection assets enables greater flexibility in the employment of the security force.

1-75. Security operations aim to protect the force from surprise and reduce the unknowns in any situation. A commander undertakes these operations to provide early and accurate warning of enemy operations, to provide the force being protected with time and maneuver space to react to the enemy, and to develop the situation to allow the commander to effectively use the protected force. Commanders may conduct security operations to the front, flanks, and rear of their forces.

The main difference between security operations and reconnaissance is that security operations orient on the force or facility being protected, while reconnaissance is enemy, populace, and terrain oriented.

1-76. The five forms of security operations commanders may employ are screen, guard, cover, area security, and local security.

1-77. Successful security operations depend upon properly applying the following five fundamentals:

  • Provide early and accurate warning.
  • Provide reaction time and maneuver space.
  • Orient on the force or facility to be secured.
  • Perform continuous reconnaissance.
  • Maintain enemy contact.

1-78. To properly apply the fundamental of “perform continuous reconnaissance,” the security force aggressively and continuously seeks the enemy, interacts with the populace, and reconnoiters key terrain. It conducts active area or zone reconnaissance to detect enemy movement or enemy preparations for action and to learn as much as possible about the terrain. The ultimate goal is to detect the enemy’s COA and assist the main body in countering it.

INTELLIGENCE OPERATIONS

1-79. Intelligence operations align intelligence assets and resources against requirements to collect information and intelligence to inform the commander’s decisions. Conducting intelligence operations requires an organic collection and analysis capability. Those units without resources must rely on augmentation from within the intelligence enterprise for intelligence. Although the focus is normally on tactical intelligence, the Army draws on both strategic and operational intelligence resources. Each intelligence discipline provides the commander specific technical capabilities and sensors. Because of the unique capabilities and characteristics of intelligence operations, these capabilities and sensors require specific guidance through technical channels. The Army’s intelligence disciplines that contribute to intelligence operations are—

  • Human intelligence.
  • Geospatial intelligence.
  • Measurement and signature intelligence.
  • Signals intelligence.
  • Technical intelligence.

Counterintelligence

1-80. Counterintelligence counters or neutralizes intelligence collection efforts by foreign intelligence and security services and international terrorist organizations. It does this through collection, counterintelligence investigations, operations, analysis, production, and functional and technical services. Counterintelligence includes all actions taken to detect, identify, track, exploit, and neutralize the multidiscipline intelligence activities of friends, competitors, opponents, adversaries, and enemies. It is the key intelligence community contributor to protect U.S. interests and equities. Counterintelligence helps identify essential elements of friendly information (EEFI) by identifying vulnerabilities to threat collection and actions taken to counter collection and operations against U.S. forces.

Human Intelligence

1-81. Human intelligence is a category of intelligence derived from information collected and provided by human sources (JP 2-0). This information is collected by a trained human intelligence collector, from people and their associated documents and media sources. Units use the collected information to identify threat elements, intentions, composition, strength, dispositions, tactics, equipment, personnel, and capabilities.

Geospatial Intelligence

1-82. Title 10, U.S. Code establishes geospatial intelligence. Geospatial intelligence is the exploitation and analysis of imagery and geospatial information to describe, assess, and visually depict physical features and geographically referenced activities on the Earth.

Measurement and Signature Intelligence

1-83. Measurement and signature intelligence is technically derived intelligence that detects, locates, tracks, identifies, or describes the specific characteristics of fixed and dynamic target objects and sources. It also includes the additional advanced processing and exploitation of data derived from imagery intelligence and signals intelligence collection.

Signals Intelligence

1-84. Signals intelligence is produced by exploiting foreign communications systems and noncommunications emitters. Signals intelligence provides unique intelligence and analysis information in a timely manner.

Technical Intelligence

1-85. Technical intelligence is intelligence derived from the collection and analysis of threat and foreign military equipment and associated materiel.

Chapter 2
Commander and Staff Responsibilities

This chapter examines the roles, knowledge, and guidance of the commander in information collection activities. The commander’s involvement facilitates an effective information collection plan that is synchronized and integrated within the overall operation. This chapter then discusses the role of the staff. Lastly, this chapter discusses contributions from working groups.

THE ROLE OF THE COMMANDER

2-1. Commanders understand, visualize, describe, direct, lead, and assess operations. Understanding is fundamental to the commander’s ability to establish the situation’s context. Understanding involves analyzing and understanding the operational or mission variables in a given operational environment. It is derived from applying judgment to the common operational picture through the filter of the commander’s knowledge and experience.

2-2. Numerous factors determine the commander’s depth of understanding. Information from information collection and the resulting intelligence products prove indispensable in assisting the commander in understanding the area of operations (AO). Formulating commander’s critical information requirements (CCIRs) and keeping them current also contribute to this understanding. Maintaining understanding is a dynamic ability; a commander’s situational understanding changes as an operation progresses.

2-3. The commander must be involved in information collection planning. The commander directs information collection activities by—

  • Asking the right questions to focus the efforts of the staff.
  • Knowing the enemy. Personal involvement and knowledge have no substitutes.
  • Stating the commander’s intent clearly and decisively designating CCIRs.
  • Understanding the information collection assets and resources to exploit their full effectiveness.

2-4. Commanders prioritize collection activities primarily through providing their guidance and commander’s intent early in the planning process. Commanders must—

  • Personally identify and update CCIRs.
  • Ensure CCIRs are tied directly to the scheme of maneuver and decision points.
  • Limit CCIRs to only their most critical needs (because of limited collection assets).
  • Aggressively seek higher echelons’ collection of, and answers to, the information requirements.
  • Ensure CCIRs include the latest time information is of value (LTIOV) or the event by which the information is required.

2-5. The commander may also identify essential elements of friendly information (EEFI). The EEFI are not part of the CCIRs; rather they establish friendly information to protect, not enemy information to obtain.

2-6. Commanders ensure that both intelligence preparation of the battlefield (IPB) and information collection planning are integrated staff efforts. Every staff member plays an important role in both tasks.

2-7. Information collection planning and assessment must be continuous. Commanders ensure they properly assign information collection tasks based on the unit’s abilities to collect. Therefore, commanders match their information requirements so as not to exceed the information collection and analytical ability of their unit.

2-8. Commanders assess operations. Commanders ensure collection activities provide the information needed. Timely reporting to the right analytical element at the right echelon is critical to information collection activities. Commanders continuously assess operations throughout the planning, preparation, and execution phases. The commander’s involvement and interaction enable the operations and intelligence officers to more effectively assess and update collection activities. The commander’s own assessment of the current situation and progress of the operation provides insight on what new information is needed and what is no longer required. The commander communicates this to the staff to assist them in updating CCIRs.

COMMANDER’S NEEDS

2-9. Staffs synchronize and integrate information collection activities with the warfighting functions based on the higher commander’s guidance and decisions. Commanders’ knowledge of collection activities enables them to focus the staff and subordinate commanders in planning, preparing, executing, and assessing information collection activities for the operation.

2-10. Commanders must understand the overall concept of operations from higher headquarters to determine specified and implied tasks and information requirements. There are a finite number of assets and resources for information collection activities. Commanders communicate this as guidance for planners and the staff.

2-11. Extended areas of operations, the necessity to conduct missions and develop information and intelligence over large areas, and extended time spans can surpass the organic capabilities of a unit. Commanders must be able to deal effectively with many agencies and organizations in the area of operations to help enable the unit to perform information collection activities. One of the essential aspects of this is terminology. When dealing with non-U.S. Army personnel and organizations, commanders ensure those involved understand the terms used and provide or request clarification as needed.

COMMANDER’S GUIDANCE

2-12. Commanders play a central role in planning primarily by providing guidance. This should include specific guidance for collection assets and required information. Commanders consider risks and provide guidance to the staff on an acceptable level of risk for information collection planning. The commander issues formal guidance at three specific points in the process:

  • Initial guidance following receipt of mission.
  • Commander’s planning guidance following mission analysis to guide course of action (COA) development.
  • Final planning guidance after the COA decision but before the final warning order (WARNO).

INITIAL GUIDANCE

2-13. After a unit receives a mission, the commander issues initial guidance. (FM 5-0 provides detailed information on the initial guidance.) The initial guidance accomplishes several things. It—

  • Begins the visualization process by identifying the tactical problem (the first step to problem solving).
  • Defines the area of operations. This presents a common operational picture for the commander and staff in seeing the terrain, including the populace.
  • Develops the initial commander’s intent, specifically key tasks (including tasks for reconnaissance), decisive point, and end state.
  • Challenges include any guidance for specific staff sections.

2-14. For information collection planning, the initial guidance includes—

  • Initial timeline for information collection planning.
  • Initial information collection focus.
  • Initial information requirements.
  • Authorized movement.
  • Collection and product development timeline.

2-15. The initial WARNO can alert information collection assets to begin collection activities at this time. If this is the case, the initial WARNO includes—

  • Named areas of interest (NAIs) to be covered.
  • Collection tasks and specific information requirements to be collected.
  • Precise guidance on infiltration method, reporting criteria and timelines, fire support and casualty evacuation plan.

COMMANDER’S PLANNING GUIDANCE

2-16. The commander issues the commander’s planning guidance during the mission analysis step of the MDMP, following the approval of the restated mission and mission analysis brief. Part of the commander’s planning guidance is directly related to collection activities—the initial CCIRs and information collection guidance. The guidance for planning should contain sufficient information for the operations officer to complete a draft information collection plan. As a minimum, the commander’s planning guidance includes—

  • Current CCIRs.
  • Focus and tempo.
  • Engagement criteria.
  • Acceptable risk to assets.

2-17. The commander issues the initial commander’s intent with the commander’s planning guidance. The staff verifies the draft information collection plan is synchronized with the commander’s intent, assesses any ongoing information collection activities, and recommends changes to support the commander’s intent, CCIRs, and concept of operations.

FINAL PLANNING GUIDANCE

2-18. After the decision briefing, the commander determines a COA the unit follows and issues final planning guidance. Final planning guidance includes—

  • Any new CCIRs, including the LTIOV.

ROLE OF THE STAFF

2-19. The staff must function as a single, cohesive unit—a professional team. Effective staff members know their respective responsibilities and duties. They are also familiar with the responsibilities and duties of other staff members.

2-21. The G-2 (S-2) must work in concert with the entire staff to identify collection requirements and implement the information collection plan. The intelligence staff determines collection requirements (based upon inputs from the commander and other staff sections), develops the information collection matrix with input from the staff representatives, and continues to work with the staff planners to develop the information collection plan. The G-2 (S-2) also identifies those intelligence assets and resources—human intelligence, geospatial intelligence, measurement and signature intelligence, or signals intelligence—which can provide answers to the CCIRs.

2-22. The G-2X (S-2X) (hereafter referred to as the 2X) is the doctrinal term used to refer to the counterintelligence and human intelligence operations manager who works directly for the G-2 (S-2). The term also refers to the staff section led by the 2X.

2-24. The other members of the staff support the operations process. Through the conduct of the planning process, staffs develop requirements that are considered for inclusion as CCIRs and into the information collection plan. Staffs also monitor the situation and progress of the operation towards the commander’s desired goal. Staffs also prepare running estimates. A running estimate is the continuous assessment of the current situation used to determine if the current operation is proceeding according to the commander’s intent and if planned future operations are supportable (FM 5-0). Staffs continuously assess how new information might impact conducting operations. They update running estimates and determine if adjustments to the operation are required. Through this process, the staffs ensure that the information collection plan remains updated as the situation changes and requirements are answered or new requirements developed.

OPERATIONS AND INTELLIGENCE WORKING GROUP

2-29. At division and higher echelons, there are dedicated cells responsible for information collection planning. At battalion and brigade, there are no designated cells for information collection planning; this function is provided by the operations and intelligence staffs. Depending on the availability of personnel, the commander may choose to designate an ad hoc group referred to as an operations and intelligence working group. Because the primary staff officers’ responsibilities cannot be delegated, the staff—chief of staff or executive officer—should direct and manage the efforts of this working group to achieve a fully synchronized and integrated information collection plan.

2-30. Unit standard operating procedures and battle rhythms determine how frequently an operations and intelligence working group meets. This working group should be closely aligned with both the current operations and future operations (or plans) cells to ensure requirements planning tools are properly integrated into the overall operation plan. These planning tools should also be nested in the concepts for plans.

2-32. The working group aims to bring together the staff sections to validate requirements and deconflict the missions and taskings of organic and attached collection assets. Input is required from each member of the working group. The output of the working group is validation of outputs. This includes the following:

  • An understanding of how the enemy is going to fight.
  • A refined list of requirements.
  • Confirmation of the final disposition of all collection assets.
  • Review of friendly force information requirements, priority intelligence requirements (PIRs), and EEFI.
  • Validation of outputs of other working groups (for example, fusion and targeting working groups).
  • Review and establish critical NAIs and targeted areas of interest (TAIs).

2-33. The working group meeting is a critical event. Staffs must integrate it effectively into the unit battle rhythm to ensure the collection effort provides focus to operations rather than disrupting them. Preparation and focus are essential to a successful working group. All representatives, at a minimum, must come to the meeting prepared to discuss available assets, capabilities, limitations, and requirements related to their functions. Planning the working group’s battle rhythm is paramount to conducting effective information collection operations. Staffs schedule the working group cycle to complement the higher headquarters’ battle rhythm and its subsequent requirements and timelines.

2-34. The G-3 (S-3) (or representative) comes prepared to provide the following:

  • The current friendly situation.
  • Current CCIRs.
  • The availability of collection assets.
  • Requirements from higher headquarters (including recent fragmentary orders or taskings).
  • Changes to the commander’s intent.
  • Changes to the task organization.
  • Planned operations.

FUSION WORKING GROUP

2-37. Typically, brigade and above form a fusion working group. This working group aims to refine and fuse the intelligence between the command and its subordinate units. The output of this working group provides the intelligence staff with refinements to the situation template and the event template. The working group also refines existing PIRs and recommends new PIRs to the operations and intelligence working group. Additionally, the working group reviews requirements to ensure currency.

TARGETING WORKING GROUP

2-38. The purpose of the targeting working group is to synchronize the unit’s targeting assets and priorities. For the staff, supporting the planning for the decide, detect, deliver, and assess (known as D3A) activities of the targeting process requires continuous updating of IPB products (such as situation templates and COA matrixes). The targeting working group considers targeting-related collection and exploitation requirements. It also recommends additional requirements to the operations and intelligence working group. Staffs articulate these requirements as early in the targeting process as possible to support target development and other assessments.

2-39. Information collection support to target development takes the decide, detect, deliver, and assess methodology and applies this to the development of targets. Units using other targeting techniques—like find, fix, finish, exploit, assess, disseminate (known as F3EAD) or find, fix, track, target, engage, and assess (known as F2T2EA)—require no adaptation to the information collection support to targeting process. Nominations for request to current and future tasking orders as well as refinements to the high-value target lists are outputs of this working group.

2-40. The results of these working groups form the basis of the requests for information collection as well as products used by the intelligence staff in the creation of requirements planning tools. The operations staff integrates these tools in the creation of the information collection plan.

Chapter 3

Planning Requirements for and Assessing Information Collection

This chapter describes planning requirements for and assessing information collection activities. It discusses considerations for commanders for information collection planning. Then it discusses the support information collection provides to personnel recovery. It then covers the military decisionmaking process and information collection planning. Lastly, this chapter discusses assessing information collection activities.

THE OPERATIONS PROCESS AND INFORMATION COLLECTION

3-1. Commanders direct information collection activities by approving commander’s critical information requirements (CCIRs) and through driving the operations process. The success of information collection is measured by its contribution to the commander’s understanding, visualization, and decisionmaking. The operations process and information collection activities are mutually dependent. Commanders provide the guidance and focus that drive both by issuing their commander’s intent and approving CCIRs. The activities of information collection occur during all parts of the operation, providing continuous information to the operations process.

3-2. Throughout the operations process, commanders and staffs use integrating processes to synchronize the warfighting functions to accomplish missions. Information collection activities, as well as intelligence preparation of the battlefield (IPB), are among these integrating processes. Synchronization is the arrangement of action in time, space, and purpose to produce maximum relative combat power at a decisive place and time. This collaborative effort by the staff, with the commander’s involvement, is essential for synchronizing information collection with the overall operation. Planning, preparing, executing, and assessing information collection activities is a continuous cycle whose time frame depends on the echelon, assets engaged, and the type of operation.

3-3. Conducting information collection activities consists of various staff functions: planning, collection, processing and exploitation; analysis and production; dissemination and integration; and evaluation and feedback. It should focus on the commander’s requirements. The purpose of these staff functions is to place all collection assets and resources into a single plan in order to capitalize on the different capabilities. The plan synchronizes and coordinates collection activities within the overall scheme of maneuver.

INFORMATION COLLECTION PLANNING CONSIDERATIONS

3-4. The information collection plan synchronizes activities of the information collection assets to provide intelligence to the commander required to confirm course of action selection and targeting requirements. The intelligence staff, in coordination with the operations staff, ensures all available collection assets provide the required information. They also recommend adjustments to asset locations, if required.

3-5. To be effective, the information collection plan must be based on the initial threat assessment and modified as the intelligence running estimate changes. Other staff sections’ running estimates may contain requirements for inclusion into the information collection plan. Additionally, the plan must be synchronized with the scheme of maneuver and updated as that scheme of maneuver changes. Properly synchronized information collection planning begins with the development and updating of IPB (threat characteristics, enemy templates, enemy course of action statements, and, most importantly, an enemy event template or matrix). Properly synchronized information collection planning ends with well-defined CCIRs and collection strategies based on the situation and commander’s intent.

THE MDMP AND INFORMATION COLLECTION PLANNING

3-7. Information collection planning is embedded in the military decisionmaking process (MDMP) and depends extensively on all staff members thoroughly completing the IPB process. Information collection planning starts with receipt of the mission (which could be a warning order). Information collection directly supports the development of intelligence and operations products used throughout the decisionmaking process. At each step in the MDMP, the staff must prepare certain products used in the plan and prepare phases of the operations process as described below.

3-8. Information collection activities are continuous, collaborative, and interactive. Several of the outputs from the various MDMP steps require the collaboration of the staff, especially the intelligence and operations staffs. The information collection plan cannot be developed without constant coordination among the entire staff. At every step in the MDMP, the intelligence staff must rely on input from the entire staff and cooperation with the operations staff to develop information collection products that support the commander’s intent and maximize collection efficiency for each course of action under consideration.

RECEIPT OF MISSION

3-9. Before receipt of the mission, the intelligence staff generates intelligence knowledge in anticipation of the mission. In addition to the knowledge already available, the intelligence staff uses intelligence reach and requests for additional information to higher headquarters to fill in the information gaps in the initial intelligence estimate.

3-10. When a mission is received, the commander and staff shift their efforts to describing the operational environment using mission variables and begin preparations for the MDMP. Commanders provide their initial guidance to the staff. The staff uses it to generate the initial information collection tasks to units and transmits it as part of the first warning order. In their guidance, commanders state the critical information required for the area of operations.

3-11. During the receipt of mission step, the staff gathers tools needed for the MDMP, begins the intelligence estimate, updates running estimates, and performs an initial assessment of the time available to subordinate units for planning, preparation, and execution. Since information collection assets are required early, the staff needs sufficient preparation time to begin sending information that the commander needs.

3-12. The information collection outputs from this step are—

  • The commander’s initial information collection guidance.
  • Intelligence reach tasks.
  • Requests for information to higher headquarters.
  • Directions for accessing on-going or existing information collection activities or joint ISR.
  • The first warning order (WARNO) with initial information collection tasks.

MISSION ANALYSIS

3-13. When mission analysis begins, the staff should have the higher headquarters plan or order and all available products. The staff adds their updated running estimates to the process. The initial information collection tasks issued with the first WARNO may yield information to be analyzed and evaluated for relevance to mission analysis. The commander provides initial guidance that the staff uses to capture the commander’s intent and develop the restated mission.

Analyze the Higher Headquarters Order

3-14. During mission analysis, the staff analyzes the higher headquarters order to extract information collection tasks and constraints such as limits of reconnaissance. The order also contains details on the availability of information collection assets from higher echelons and any allocation of those assets to the unit.

Perform Intelligence Preparation of the Battlefield

3-15. IPB is one of the most important prerequisites to information collection planning. During IPB, staffs develop several key products that aid information collection planning. Those products include—

  • Threat characteristics.
  • Terrain overlays.
  • The weather effects matrix.
  • Enemy situational templates and course of action statements.
  • The enemy event template and matrix.
  • The high-payoff target list.
  • An updated intelligence estimate including identified information gaps.

3-16. These products aid the staff in identifying—

  • Information gaps that can be answered by existing collection activities, intelligence reach, and requests for information to higher echelons. The remaining information gaps are used to develop requirements for information collection.
  • Threat considerations that may affect planning.
  • Terrain effects that may benefit, constrain, or limit the capabilities of collection assets.
  • Weather effects that may benefit, constrain, or negatively influence the capabilities of collection assets.
  • Civil considerations that might affect information collection planning.

3-17. The most useful product for information collection planning for the intelligence officer is the threat event template. Once developed, the threat event template is a key product in the development of the information collection plan. Likely threat locations, avenues of approach, infiltration routes, support areas, and areas of activity become named areas of interest (NAIs) or targeted areas of interest (TAIs) on which collection assets focus their collection efforts. Indicators, coupled with specific information requirements and essential elements of information (EEFI), provide collection assets with the required information on which units identify and report. FM 2-01.3 contains additional information on the IPB process and products.

3-18. As the staff completes mission analysis, the intelligence staff completes development of initial collection requirements. These collection requirements form the basis of the initial information collection plan, requests for collection support, and requests for information to higher and lateral units. When the mission analysis is complete, staffs have identified intelligence gaps, and planners have an initial plan on how to fill those gaps. Additionally, the operations officer and the remainder of the staff thoroughly understand the unit missions, tasks, and purposes.

Determine Specified, Implied, and Essential Tasks

3-19. The staff also identifies specified, implied, and essential information collection tasks. Specified tasks are directed toward subordinate units, systems, sensors, and Soldiers. Implied tasks determine how a system or sensor is initialized for collection. Essential information collection tasks are derived from specified and implied tasks. They are the focus of the information collection effort.

Review Available Assets

3-20. The staff must review all available collection assets, effectively creating an inventory of capabilities to be applied against collection requirements. Building the inventory of assets and resources begins with annex A of the higher headquarters order. The staff takes those assets attached or under operational control of the unit and adds those resources available from higher echelons and those belonging to adjacent units that might be of assistance. The higher headquarters order should specify temporary or permanent operating locations and the air tasking order details for aerial assets.

3-21. While reviewing the available collection assets, the staff evaluates the collection assets according to their capability and availability. First, the staff measures the capabilities of the collection assets. They must know and address the practical capabilities and limitations of all unit organic assets.

Determine Constraints

3-34. When determining constraints, the staff considers legal, political, operational, and rules of engagement constraints that might limit reconnaissance, security, intelligence operations, and surveillance. The staff must consider planning constraints such as limits of reconnaissance, earliest time information is of value, and not earlier than times. In some cases, the commander may impose constraints on the use of certain collection assets. In other cases, system-specific constraints—such as the weather, crew rest, or maintenance cycle limitations—may impose limits the staff must consider.

Identify Critical Facts and Assumptions

3-35. Staffs identify the critical facts and assumptions pertinent to information collection planning that they will use later in course of action (COA) development. For example, a critical fact might be that imagery requests may take 72 to 96 hours to fulfill or that the human intelligence effort requires significant time before a good source network is fully developed.

3-36. Assumptions developed for planning include the availability and responsiveness of organic assets and resources from higher echelons. For example, the staff might use a certain percentage (representing hours) of unmanned aircraft system support available on a daily basis, weather and maintenance permitting.

Perform Risk Assessment

3-37. When performing a risk assessment, the staff considers the asset’s effectiveness versus the protection requirements and risk to the asset. For example, placing a sensor forward enough on the battlefield that it can return valuable data and information may put the asset at high risk of being compromised, captured, or destroyed. The calculus of payoff versus loss will always be determined by mission variables and the commander’s decision.

3-38. In some cases, friendly forces may reveal a collection capability by taking certain actions. If it is important to keep a collection capability concealed, then the staff carefully considers every lethal or nonlethal action based on current intelligence.

Determine Initial CCIRs and EEFI

3-39. Determining initial CCIRs and EEFI is the most important prerequisite for information collection planning. The staff refines the list of requirements they derive from the initial analysis of information available and from intelligence gaps identified during IPB. They base this list on higher headquarters tasks, commander’s guidance, staff assessments, and subordinate and adjacent unit requests for information.

3-40. The staff then nominates these requirements to the commander to be CCIRs and EEFI. Commanders alone decide what information is critical based on their experience, the mission, the higher commander’s intent, and input from the staff. The CCIRs are the primary focus for information collection activities.

Develop the Initial Information Collection Plan

3-41. The initial information plan is crucial to begin or adjust the collection effort to help answer requirements necessary in developing effective plans. The initial information collection plan sets information collection in motion. Staffs may issue it as part of a WARNO, a fragmentary order, or an operation order. As more information becomes available, staffs incorporate it into a complete information plan to the operation order.

3-42. At this point in the MDMP, the initial information plan has to be generic because the staffs have yet to develop friendly COAs. The basis for the plan is the commander’s initial information collection guidance, the primary information gaps identified by the staff during mission analysis, and the enemy situational template developed during IPB. (Chapter 4 contains additional information on tasking and directing collection assets.)

3-43. The intelligence staff creates the requirements management tools for the information collection plan. The operations staff is responsible for the information collection plan. During this step, the operations and intelligence staff work closely to ensure they fully synchronize and integrate information collection activities into the overall plan.

3-44. The operations officer considers several factors when developing the initial information collection plan, including—

  • Requirements for collection assets in follow-on missions.
  • The time available to develop and refine the initial information collection plan.
  • The risk the commander is willing to accept if information collection missions are begun before the information collection plan is fully integrated into the scheme of maneuver.
  • Insertion and extraction methods for reconnaissance, security, surveillance, and intelligence units.
  • The communications plan for transmission of reports from assets to tactical operations centers.
  • The inclusion of collection asset locations and movements into the fire support plan.
  • The reconnaissance handover with higher or subordinate echelons.
  • The sustainment support.
  • Legal support requirements.

Develop Requests for Information and Requests for Collection or Support

3-45. Submitting a request for information to the next higher or lateral echelon is a method for obtaining information not available with organic information collection assets. Units enter requests for information into a request for information management system where all units can see them. Hence, analysts several echelons above the actual requester become aware of the request and may be able to answer it.

3-46. When the unit cannot satisfy a collection requirement with its own assets, the intelligence staff composes and submits a request for information to the next higher echelon (or lateral units) for integration within its own information collection plan. At each echelon, the requirement is validated and a determination made as to whether or not that echelon can satisfy the requirement. If that echelon cannot satisfy the requirement, it is passed to the next higher echelon.

Develop and Synchronize Production Requirements

3-48. Intelligence staffs develop and synchronize production requirements to provide timely and relevant intelligence analysis and products to commanders, staff, and subordinate forces. Staffs use the unit’s battle rhythm as a basis for determining the daily, weekly, and monthly analytical products. The intelligence staff then designs an analytical and production effort to answer the CCIRs and meet the commander’s need for situational understanding and the staff’s need for situational awareness.

3-49. Intelligence production includes analyzing information and intelligence. It also includes presenting intelligence products, assessments, conclusions, or projections regarding the area of operations and threat forces in a format that aids the commander in achieving situational understanding. Staffs devote the remainder of the analytical effort to processing, analyzing, and disseminating data and information.

3-50. Commanders and staffs measure the success of the analytical and production effort by the products provided and their ability to answer or satisfy the CCIRs, intelligence requirements, and information requirements. For the purposes of the intelligence warfighting function, an intelligence requirement is a type of information requirement developed by subordinate commanders and staff (including subordinate staffs) that requires dedicated collection.

COURSE OF ACTION DEVELOPMENT

3-51. Using the continually updated IPB products and the enemy situation template, the intelligence staff must integrate information collection considerations to develop friendly COAs. In many cases, the information collection considerations for each COA are similar depending on the characteristics of the friendly COA.

3-52. The operations and intelligence staffs must collaborate on information collection considerations to support each COA developed. The staff works to integrate its available resources into an integrated plan. Intelligence and operations staffs focus on the relationship of collection assets to other friendly forces, the terrain and weather, and the enemy.

3-53. The development of NAIs and TAIs based upon suspected enemy locations drives the employment of collection assets. The staff considers how to use asset mix, asset redundancy, and asset cueing to offset the capabilities of the various collection assets.

3-54. During COA development, the staff refines and tailors the initial CCIRs for each COA. Technically, these are initial requirements for each course of action. Later in the MDMP, once a COA is approved, the commander approves the final CCIR, and the staff publishes it.

COURSE OF ACTION ANALYSIS (WAR-GAMING)

3-55. The intelligence staff records the results of COA analysis and uses that information to develop the requirements planning tools. The entire staff uses the action-reaction-counteraction process to move logically through the war-gaming process. These events have a bearing on the assets recommended for tasking to the operations staff.

ORDERS PRODUCTION

3-56. Orders production is putting the plan into effect and directing units to conduct specific information collection tasks. The staff prepares the order by turning the selected COA into a clear, concise concept of operations and supporting information. The order provides all the information subordinate commands need to plan and execute their operations. However, this is not the first time subordinate commanders and their staffs have seen this data. Within the parallel and collaborative planning process, planners at all echelons have been involved in the orders process.

ASSESS INFORMATION COLLECTION ACTIVITIES

3-57. Assessment guides every operations process activity. Assessment is the continuous monitoring and evaluation of the current situation, particularly the enemy, and progress of an operation. Assessing information collection activities enables the operations and intelligence staffs to monitor and evaluate the current situation and progress of the operation. The desired result is to ensure all collection tasks are completely satisfied in a timely manner.

3-58. Staffs begin assessing information collection task execution with monitoring and reporting by collection assets as they execute their missions. Staffs track reporting to determine how well the information collection assets satisfy their collection tasks. The desired result is relevant information delivered to the commander before the latest time information is of value.

Chapter 4
Tasking and Directing Information Collection

Commanders direct information collection activities by approving requirements and through mission command in driving the operations process. This chapter describes the tasking and directing of information collection assets. It discusses how the staff finalizes the information collection plan and develops the information collection overlay. It then discusses the development of the information collection scheme of support. Lastly, it discusses re-tasking assets.

TASK AND DIRECT INFORMATION COLLECTION

4-1. The operations staff integrates collection assets through a deliberate and coordinated effort across all warfighting functions. Tasking and directing information collection is vital to control limited collection assets. During task and direct information collection, the staff recommends redundancy, mix, and cue, as appropriate. The process of planning information collection activities begins once requirements are established, validated, and prioritized. Staffs accomplish tasking information collection by issuing warning orders, fragmentary orders, and operation orders. They accomplish directing information collection assets by continuously monitoring the operation. Staffs conduct re-tasking to refine, update, or create new requirements.

FINALIZE THE INFORMATION COLLECTION PLAN

4-2. To finalize the information collection plan, the staff must complete several important activities and review several considerations to achieve a fully synchronized, efficient, and effective plan. The information collection plan also applies to the rapid decisionmaking and synchronization process. Updating information collection activities during the execution and assessment phases of the operations process is crucial to the successful execution and subsequent adjustments of the information collection plan. The information collection plan is implemented through execution of asset tasking. The tasking process provides the selected collection assets with specific, prioritized requirements. When collection tasks or requests are passed to units, the staff provides specific details that clearly define the collection requirements. These requirements identify—

  • What to collect—specific information requirements and essential elements of information.
  • Where to collect it—named areas of interest and targeted areas of interest.
  • When and how long to collect.
  • Why to collect—answer commander’s critical information requirements.

4-3. The information collection plan is an execution order and should be published in the five-paragraph operation order (OPORD) format as a warning order (WARNO), an OPORD, or a fragmentary order (FRAGO). Staffs use the information collection plan for tasking, directing, and managing of collection assets (both assigned and attached assets) to collect against the requirements. The operations officer tasks and directs information collection activities. The intelligence staff assists the staff in the development of the information collection plan by providing the requirement planning tools. (Refer to TC 2-01 and ATTP 2-01 on how the requirement planning tools are developed.) Staffs—

  • Integrate the information collection plan into the scheme of maneuver.
  • Publish annex L (information collection) to the OPORD that tasks assets to begin the collection effort.
  • Ensure that the information collection plan addresses all of the commander’s requirements, that assigned and attached assets have been evaluated and recommended for information collection tasks within their capabilities, and that collection tasks outside the capabilities of assigned and attached assets have been prepared as requests for information to appropriate higher or lateral headquarters.
  • Publish any FRAGOs and WARNOs associated with information collection.

 

DEVELOP THE INFORMATION COLLECTION OVERLAY

4-6. The staff may issue an information collection overlay depicting the information collection plan in graphic form as an appendix or annex L to the OPORD.

DEVELOP THE INFORMATION COLLECTION SCHEME OF SUPPORT

4-8. The information collection scheme of support includes the planning and execution of operations and resources to support the Soldiers and units who perform information collection. This support includes fires, movement, protection, and sustainment (logistics, personnel services, health services support, and other sustainment related functions). The staff prepares the initial scheme of support. The operations officer approves the plan and tasks units.

PROVIDE SUPPORT TO SITE EXPLOITATION

4-10. Site exploitation is systematically searching for and collecting information, material, and persons from a designated location and analyzing them to answer information requirements, facilitate subsequent operations, or support criminal prosecution.

4-11. Site exploitation consists of a related series of activities to exploit personnel, documents, electronic data, and material captured, while neutralizing any threat posed by the items or contents. Units conduct site exploitation using one of two techniques: hasty and deliberate. Commanders choose the technique based on time available and the unit’s collection capabilities.

MONITOR OPERATIONS

4-12. Staffs track the progress of the operation against the requirements and the information collection plan. The operation seldom progresses on the timelines assumed during planning and staff war-gaming. The staff watches for changes in tempo that require changes in reporting times, such as latest time information is of value (LTIOV). The intelligence and operations staffs coordinate any changes with all parties concerned, including commanders and appropriate staff sections.

CORRELATE REPORTS TO REQUIREMENTS

4-13. Correlating information reporting to the original requirement and evaluating reports is key to effective requirements management. This quality control effort helps the staff ensure timely satisfaction of requirements. Requirements management includes dissemination of reporting and related information to original requesters and other users.

4-14. To correlate reports, the staff tracks which specific collection task originates from which requirement to ensure the original requester and all who need the collected information actually receive it. For efficiency and timeliness, the staff ensures production tasks are linked to requirements. This allows the staff to determine which requirements have been satisfied and which require additional collection.

4-15. The staff addresses the following potential challenges:

  • Large volumes of information that could inundate the intelligence analysis section. The intelligence staff may have trouble finding the time to correlate each report to a requirement.
  • Reports that partially satisfy a number of collection tasks. Other reports may have nothing to do with the collection task.
  • Reported information that fails to refer to the original task that drove collection.
  • Circular reporting and spam or unnecessary message traffic that causes consternation and wastes valuable time.

SCREEN REPORTS

4-16. The staff screens reports to determine whether the collection task has been satisfied. In addition, the staff screens each report for the following criteria:

  • Relevance. Does the information actually address the tasked collection task? If not, can the staff use this information to satisfy other requirements?
  • Completeness. Is essential information missing? (Refer to the original collection task.)
  • Timeliness. Was the asset reported by the LTIOV established in the original task?
  • Opportunities for cueing. Can this asset or another asset take advantage of new information to increase the effectiveness and efficiency of the overall information collection effort? If the report suggests an opportunity to cue other assets, intelligence and operations staffs immediately cue them and record any new requirements in the information collection plan.

4-17. Information collection assets do not submit reports that simply state nothing significant to report. These reports may convey that collection occurred, but no activity satisfying the information collection task was observed, which may be a significant indicator. Nothing significant to report is by no means a reliable indicator of the absence of activity.

PROVIDE FEEDBACK

4-18. The staff provides feedback to all collection assets on their mission effectiveness and to analytic sections on their production. Normally the mission command element of that unit provides this feedback. Feedback reinforces whether collection or production satisfies the original task or request and provides guidance if it does not. Feedback is essential to maintaining information collection effectiveness and alerting leaders of deficiencies to be corrected.

4-19. As the operation continues, the intelligence and operations staffs track the status of each collection task, analyze reporting, and ultimately satisfy requirements. They pay particular attention to assets not producing required results, which may trigger adjustments to the information collection plan. During execution, the staff assesses the value of the information from collection assets as well as develops and refines requirements to satisfy information gaps.

4-20. When reporting satisfies a requirement, the staff relieves the collection assets of further responsibility to collect against information collection tasks related to the satisfied requirement. The operations officer, in coordination with the intelligence staff, provides additional tasks to satisfy emerging requirements. The operations staff notifies—

  • Collection assets and their leadership of partially satisfied requirements to continue collection against, of those collection tasks that remain outstanding, and what remains to be done.

4-21. By monitoring operations, correlating reports to requirements, screening reports, and providing feedback, the staff ensures the most effective employment of collection assets.

UPDATE THE INFORMATION COLLECTION PLAN

4-22. Evaluation of reporting, production, and dissemination identifies updates for the information collection plan. As the current tactical situation changes, staffs adjust the overall information collection plan to synchronize collection tasks, optimizing collection and exploitation capabilities. They constantly update requirements to ensure that information gathering efforts are synchronized with current operations while also supporting future operations planning. As collected information answers requirements, the staff updates the information collection plan.

4-23. The steps in updating the information collection plan are—

  • Cue assets to other collection requirements.
  • Eliminate satisfied requirements.
  • Develop and add new requirements.
  • Re-task assets.
  • Transition to the next operation.

4-24. The steps in updating information collection taskings are collaborative efforts by the intelligence and operations staff. Some steps predominately engage the intelligence staff, others the operations staff. Some steps may require coordination with other staff sections, and others may engage the entire operations and intelligence working group.

Maintain Information Collection Activities Synchronized to Operations

4-25. As execution of the commander’s plan progresses, the staff refines decision point timeline estimates used when the information is required.

Cue Assets to Other Collection Requirements

4-26. The intelligence and operations staffs track the status of collection assets, cueing and teaming assets together as appropriate to minimize the chance of casualties. For example, if a Soldier reports the absence of normal activity in a normally active market area, the staff could recommend redirecting an unmanned aircraft system or other surveillance means to monitor the area for a potential threat.

Eliminate Satisfied Requirements

4-27. During its evaluation of the information collection plan, the staff identifies requirements that were satisfied. The staff eliminates satisfied requirements and requirements that are no longer relevant, even if unsatisfied. When a requirement is satisfied or no longer relevant, the intelligence staff eliminates it from the information collection plan and updates any other logs or records.

RE-TASK ASSETS

4-28. The staff may issue orders to re-task assets. This is normally in consultation with the intelligence officer and other staff sections. Re-tasking is assigning an information collection asset with a new task and purpose.

DEVELOP AND ADD NEW REQUIREMENTS

4-29. As the operation progresses and the situation develops, commanders generate new requirements. Intelligence staff begins updating the requirements planning tools. The intelligence staff prioritizes new requirements against remaining requirements. The intelligence staff consolidates the new requirements with the existing requirements, reprioritizes the requirements, evaluates resources based upon the consolidated listing and priorities, and makes appropriate recommendations to the commander and operations officer.

TRANSITIONS

4-30. A transition occurs when the commander decides to change focus from one type of military operation to another. Updating information collection tasking may result in a change of focus for several collection assets. As with any other unit, collection assets may require rest and refit—or lead time for employment—to transition from one mission or operation to another effectively.

Appendix A

Information Collection Assets

This appendix discusses information collection assets available to Army commanders for the planning and execution of collection activities. This appendix discusses those assets by level, phase, and echelon. Lastly, this chapter discusses the network-enabled information collection.

BACKGROUND

A-1. An information collection capability is any human or automated sensor, asset, or processing, exploitation, and dissemination system that can be directed to collect information that enables better decisionmaking, expands understanding of the operational environment, and supports warfighting functions in decisive action. Factors—a unit’s primary mission, typical size area of operations (AO), number of personnel, and communications and network limitations—significantly impact what sensors, platforms, and systems are fielded.

MONITOR THE TACTICAL PLAN

A-3. Staffs ensure the collection activities remain focused on the commander’s critical information requirements (CCIRs). They continuously update staff products and incorporate those products into the running estimates and common operational picture (COP). Lastly, they quickly identify and report threats and decisive points in the AO.

STRATEGIC

A-5. National and theater-level collection assets provide tactical forces updates before and during deployment. Theater-level shaping operations require actionable intelligence including adversary centers of gravity and decision points, as well as the prediction of adversary anti-access measures. Space-based resources are key to supporting situational awareness during deployment and entry phases because they—

  • Monitor protection indicators.
  • Provide warning of ballistic missile launches threatening aerial and sea ports of debarkation and other threats to arriving forces.
  • Provide the communications links to forces enroute.
  • Provide meteorological information that could affect operations.

OPERATIONAL

A-6. The intelligence staff requests collection support with theater, joint, and national assets. Respective collection managers employ organic means to cover the seams and gaps between units. These means provide the deploying tactical force the most complete portrayal possible of the enemy and potential adversaries, the populace, and the environmental situation upon entry. The operational-level intelligence assets operate from a regional focus center. This regional focus center (located in the crisis area) assumes primary analytical overwatch for the alerted tactical maneuver elements.

 

NETWORK-ENABLED INFORMATION COLLECTION

A-42. The networking of all joint force elements creates capabilities for unparalleled information sharing and collaboration and a greater unity of effort via synchronization and integration of force elements at the lowest echelons. Distributed Common Ground System (Army) (DCGS-A) provides a network-centric, enterprise intelligence, weather, geospatial engineering, and space operations capabilities to maneuver, maneuver support, and sustainment organizations at all echelons from battalion to joint task forces. The DCGS-A is being implemented to integrate intelligence tasking, collection, processing, and dissemination capabilities across the Army and joint community. The purpose of DCGS-A is to unite the different systems across the global information network. DCGS-A is the Army’s primary system for—

  • Receipt of and processing select information collection asset data.
  • Control of select Army sensor systems.
  • Fusion of sensor data and information.
  • Direction and distribution of relevant threat, terrain, weather, and civil considerations products and information.
  • Facilitation of friendly information and reporting.

 

Appendix B

The Information Collection Annex to the Operation Order

This appendix provides instructions for preparing Annex L (Information Collection) in Army plans and orders. It provides a format for the annex that can be modified to meet the requirements of the base order and operations, and an example information collection plan. Refer to ATTP 5-0.1 for additional guidance on formatting and procedures.

ANNEX L (INFORMATION COLLECTION)

B-1. The information collection annex clearly describes how information collection activities support the offensive, defensive, and stability or defense support of civil authorities operations throughout the conduct of the operations described in the base order. See figure B-1. It synchronizes activities in time, space, and purpose to achieve objectives and accomplish the commander’s intent for reconnaissance, surveillance, and intelligence operations (including military intelligence disciplines).

 

Appendix C

Joint Intelligence, Surveillance, and Reconnaissance

The Army conducts operations as part of a joint force. This appendix examines joint intelligence, surveillance, and reconnaissance activities as part of unified action. It discusses the joint intelligence, surveillance, and reconnaissance doctrine, resources, planning systems, considerations, and organizations.

UNIFIED ACTION

C-1. Unified action is the synchronization, coordination, and/or integration of the activities of governmental and nongovernmental entities with military operations to achieve unity of effort (JP 1). It involves the application of all instruments of national power, including actions of other government agencies and multinational military and nonmilitary organizations. Combatant as well as subordinate commanders use unified action to integrate and synchronize their operations directly with the activities and operations of other military forces and nonmilitary organizations in their area of operations.

C-2. Army forces operating in an operational area are exposed to many non-U.S. Army participants. Multinational formations, host-nation forces, other government agencies, contractors, and nongovernmental organizations are all found in the operational area. Each participant has distinct characteristics, vocabulary, and culture, and all can contribute to situational understanding. Commanders, Soldiers, and all who seek to gather information have much to gain by being able to work with and leverage the capabilities of these entities. The Army expands the joint intelligence, surveillance, and reconnaissance (ISR) doctrine (contained in JP 2-01) by defining information collection as an activity that focuses on answering the commander’s critical information requirements (see paragraph 1-3).

CONCEPTS OF JOINT INTELLIGENCE, SURVEILLANCE, AND RECONNAISSANCE

C-3. Joint ISR is an intelligence function, and its collections systems are intelligence assets and resources under the control of the J-2. This is different from Army information collection. Joint ISR does not include reconnaissance and surveillance units. Joint usage of reconnaissance and surveillance refers to the missions conducted by predominately airborne assets. Two key concepts impact how Army conducts joint ISR in the joint operations area: integration and interdependence.

INTEGRATION

C-4. The Army uses integration to extend the principle of combined arms to operations conducted by two or more Service components. The combination of diverse joint force capabilities generates combat power more potent than the sum of its parts. This integration does not require joint command at all echelons; however, it does require joint interoperability at all echelons.

INTERDEPENDENCE

C-5. The Army uses interdependence to govern joint operations and impact joint ISR activities. This interdependence is the purposeful reliance by one Service’s forces on another Service’s capabilities to maximize the complementary and reinforcing effects of both. Army forces operate as part of an interdependent joint force. Areas of interdependence that directly enhance Army information collection activities include—

Joint command and control. Integrated capabilities that—

  • Gain information superiority through improved, fully synchronized, integrated ISR, knowledge management, and information management.
  • Share a common operational picture.
  • Improve the ability of joint force and Service component commanders to conduct operations.

Joint intelligence. Integrated processes that—

  • Reduce unnecessary redundancies in collection asset tasking through integrated ISR.
  • Increase processing and analytic capability.
  • Facilitate collaborative analysis.
  • Provide global intelligence production and dissemination.
  • Provide intelligence products that enhance situational understanding by describing and assessing the operational environment.

C-6. Other Services also rely on Army forces to complement their capabilities, including intelligence support, detainee and prisoner of war operations, and others.

JOINT INTELLIGENCE, SURVEILLANCE, AND RECONNAISSANCE DOCTRINE

C-7. JP 2-01 governs joint ISR doctrine. The joint force headquarters in the theater of operations govern operational policies and procedures specific to that theater. Army personnel serving in joint commands must be knowledgeable of joint doctrine for ISR. Army personnel involved in joint operations must understand the joint operation planning process. The joint operation planning process focuses on the interaction between an organization’s commander and staff and the commanders and staffs of the next higher and lower commands. The joint operation planning process continues throughout an operation.

JOINT INTELLIGENCE, SURVEILLANCE, AND RECONNAISSANCE PLANNING SYSTEMS

C-13. Two joint ISR planning systems—the collection management mission application and the Planning Tool for Resource, Integration, Synchronization, and Management (PRISM)—help facilitate access to joint resources. In joint collection management operations, the collection manager, in coordination with the operations directorate, forwards collection requirements to the component commander exercising tactical control over the theater reconnaissance and surveillance assets. A mission tasking order goes to the unit selected to be responsible for the collection operation. At the selected unit, the mission manager makes the final choice of specific platforms, equipment, and personnel required for the collection operations based on operational considerations such as maintenance, schedules, training, and experience. The collection management mission application is used by the Air Force. It is a web-centric information systems architecture that incorporates existing programs sponsored by several commands, Services, and agencies. It also provides tools for recording, gathering, organizing, and tracking intelligence collection requirements for all disciplines. PRISM, a subsystem of collection management mission application, is a Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers.

JOINT INTELLIGENCE, SURVEILLANCE, AND RECONNAISSANCE CONCEPT OF OPERATIONS

C-16. The counterpart to the joint ISR plan is the joint ISR concept of operations, which is developed in conjunction with operational planning. The joint ISR concept of operations is based on the collection strategy and ISR execution planning, and is developed jointly by the joint force J-2 and J-3. The joint ISR concept of operations addresses how all available ISR assets and associated tasking, processing, exploitation, and dissemination infrastructure, to include multinational or coalition and commercial assets, are used to answer the joint force’s intelligence requirements. It identifies asset shortfalls relative to the joint force’s validated priority intelligence requirements (PIRs). It requires periodic evaluation of the capabilities and contributions of all available ISR assets in order to maximize their efficient utilization, and to ensure the timely release of allocated ISR resources when no longer needed by the joint force. JP 2-01 chapter 2 discusses the concept of operations in detail.

NATIONAL INTELLIGENCE, SURVEILLANCE, AND RECONNAISSANCE RESOURCES AND GUIDELINES

C-17. Within the context of the National Intelligence Priorities Framework, the concept of ISR operations may be used to justify requests for additional national ISR resources. National collection resources are leveraged against national priorities. Intelligence officers must remember that these assets are scarce and have a multitude of high-priority requirements.

NATIONAL INTELLIGENCE SUPPORT TEAMS

C-18. National intelligence support teams (NISTs) are formed at the request of a deployed joint or combined task force commander. NISTs are comprised of intelligence and communications experts from Defense Intelligence Agency, Central Intelligence Agency, National Geospatial-Intelligence Agency, National Security Agency, and other agencies as required to support the specific needs of the joint force commander. Defense Intelligence Agency is the executive agent for all NIST operations. Once on station, the NIST supplies a steady stream of agency intelligence on local conditions and potential threats. The needs of the mission dictate size and composition of NISTs.

C-19. Depending on the situation, NIST personnel are most often sent to support corps- or division-level organizations. However, during recent operations in Operation Iraqi Freedom and Operation Enduring Freedom, national agencies placed personnel at the brigade combat team level in some cases.

PLANNING AND REQUESTS FOR INFORMATION SYSTEMS

C-20. Several national databases and Intelink Web sites contain information applicable to the intelligence preparation of the battlefield process and national ISR planning. Commanders and their staff should review and evaluate those sites to determine the availability of current data, information, and intelligence products that might answer intelligence or information requirements.

REQUIREMENTS MANAGEMENT SYSTEM

C-21. The requirements management system provides the national and Department of Defense imagery communities with a uniform automated collection management system. The requirements management system manages intelligence requirements for the national and Department of Defense user community in support of the United States’ imagery and geospatial information system.

The requirements management system determines satisfaction of imagery requests, can modify imagery requests based on input from other sources of intelligence, and provides analytical tools for users to exploit.

C-22. The generated messages of the requirements management system are dispatched for approval and subsequent collection and exploitation tasking. The system is central to current and future integrated imagery and geospatial information management architectures supporting national, military, and civil customers.

C-23. Nominations management services provide the coordination necessary to accept user requirements for new information. These services aggregate, assign, and prioritize these user requirements. Nominations management services also track requirement satisfaction from the users.

NATIONAL SIGNALS INTELLIGENCE REQUIREMENTS PROCESS

C-24. The national signals intelligence requirements process (NSRP) is an integrated and responsive system of the policies, procedures, and technology used by the intelligence community to manage requests for national-level signals intelligence products and services. The NSRP replaced the previous system called the national signals intelligence requirement system.

C-25. The NSRP establishes an end-to-end cryptologic mission management tracking system using information needs. Collectors of signals intelligence satisfy tactical through national-level consumer information needs based on NSRP guidance. The NSRP improves the consumer’s ability to communicate with the collector by adding focus and creating a mechanism for accountability and feedback.

GUIDELINES FOR ACCESSING NATIONAL RESOURCES FOR INFORMATION

C-29. Depending upon local procedures and systems available, the Army intelligence officer may use various means to submit a request for information. The guidelines below assist in accessing national-level resources to answer the request for information—

  • Know the PIRs and identify gaps that exist in the intelligence database and products.
  • Know what collection assets are available from supporting and supported forces.
  • Understand the timeline for preplanned and dynamic collection requests for particular assets.
  • Identify collection assets and dissemination systems that may help answer the commander’s PIRs.
  • Ensure liaison and coordination elements are aware of PIRs and timelines for satisfaction. Ensure PIRs are tied to specific operational decisions.
  • During planning, identify collection requirements and any trained analyst augmentation required to support post-strike battle damage assessment or other analysis requirements.
  • Plan for cueing to exploit collection platforms.

JOINT INTELLIGENCE, SURVEILLANCE, AND RECONNAISSANCE CONSIDERATIONS

C-30. Communication and cooperation with other agencies and organizations in the joint operations area can enhance ISR collection efforts, creating sources of information with insights not otherwise available. Commanders must understand the respective roles and capabilities of the civilian organizations in the joint operations area to coordinate most effectively. Civilian organizations have different organizational cultures and norms. Some organizations may work willingly with Army forces while others may not. Some organizations are particularly sensitive about being perceived as involved in intelligence operations with the military. Some considerations in obtaining the valuable information these organizations may have access to are—

  • Building a relationship—this takes time, effort, and a willingness to schedule time to meet with individuals.
  • Patience—it is best not to expect results quickly and to avoid the appearance of tasking other agencies to provide information.
  • Reciprocity—U.S. forces often can provide assistance or support that facilitate cooperation.
  • Mutual interests—other organizations may have the same interests as U.S. forces (such as increased security).
  • Trust—it should be mutual. At a minimum, organizations trust U.S. forces will not abuse the relationship and that the information is provided in good faith.

C-31. Commanders cannot task civilian organizations to collect information. However, U.S. government intelligence or law enforcement agencies normally collect or have access to information as part of their operations. These organizations may benefit by mutual sharing of information, and can be an excellent resource.

INTERGOVERNMENTAL AND NONGOVERNMENTAL ORGANIZATIONS

C-39. In addition to working with U.S. government agencies, unified action involves synchronizing joint or multinational military operations with activities of other government agencies, intergovernmental organizations, nongovernmental organizations, and contractors. These organizations may have significant access, specialized knowledge, or insight and understanding of the local situation because of the nature of what they do. These organizations vary widely in their purposes, interests, and ability or willingness to cooperate with the information-gathering activities of U.S. forces. It is often preferable to simply cultivate a relationship that enables the exchange of information without revealing specific requirements.

Notes on ‘Intelligence Essentials for Everyone’


By Lisa Krizan

JOINT MILITARY INTELLIGENCE COLLEGE WASHINGTON, DC
June 1999

 

INTELLIGENCE ESSENTIALS FOR EVERYONE

Preface

The “importance of understanding” has become almost an obsession with significant portions of American business. There remain, however, many companies that attempt to operate as they traditionally have in the past — placing great faith in the owner’s or manager’s judgment as to what is required to remain competitive.

In this paper, the author has articulated clearly the fundamentals of sound intelligence practice and has identified some guidelines that can lead toward creation of a solid intelligence infrastructure. These signposts apply both to government intelligence and to business. Good intelligence should always be based on validated requirements, but it may be derived from a wide variety of sources, not all of which are reliable.

Understanding the needs of the consumer and the sources available enables an analyst to choose the correct methodology to arrive at useful answers. The author has laid out in clear, concise language a logical approach to creating an infrastructure for government and business. Every system will have flaws but this discussion should help the reader minimize those weaknesses. It is an important contribution to the education of government and business intelligence professionals.

James A. Williams, LTG, U.S. Army (Ret.) Former Director, Defense Intelligence Agency

Foreword

Decades of government intelligence experience and reflection on that experience are captured in this primer. Ms. Krizan combines her own findings on best practices in the intelligence profession with the discoveries and ruminations of other practitioners, including several Joint Military Intelligence College instructors and students who preceded her. Many of the selections she refers to are from documents that are out of print or have wrongly been assigned to a dustbin.

This primer reviews and reassesses Intelligence Community best practices with special emphasis on how they may be adopted by the private sector. The government convention of referring to intelligence users as “customers” suggests by itself the demonstrable similarities between government intelligence and business information support functions.

The genesis for this study was the author’s discovery of a need to codify for the Intelligence Community certain basic principles missing from the formal training of intelligence analysts. At the same time, she learned of requests from the private sector for the same type of codified, government best practices for adaptation to the business world. As no formal mechanism existed for an exchange of these insights between the public and private sectors, Ms. Krizan developed this paper as an adjunct to her Master’s thesis, Benchmarking the Intelligence Process for the Private Sector. Her thesis explores the rationale and mechanisms for benchmarking the intelligence process in government, and for sharing the resultant findings with the private sector.

Dr. Russell G. Swenson, Editor and Director, Office of Applied Research

PROLOGUE: INTELLIGENCE SHARING IN A NEW LIGHT

Education is the cheapest defense of a nation.

— Edmund Burke, 18th-century British philosopher

National Intelligence Meets Business Intelligence

This intelligence primer reflects the author’s examination of dozens of unclassified government documents on the practice of intelligence over a period of nearly seven years. For the national security Intelligence Community (IC), it represents a concise distillation and clarification of the national intelligence function. To the private sector, it offers an unprecedented translation into lay terms of national intelligence principles and their application within and potentially outside of government. Whereas “intelligence sharing” has traditionally been a government-to-government transaction, the environment is now receptive to government-private sector interaction.

The widespread trend toward incorporating government intelligence methodology into commerce and education was a primary impetus for publishing this document. As economic competition accelerates around the world, private businesses are initiating their own “business intelligence” (BI) or “competitive intelligence” services to advise their decisionmakers. Educators in business and academia are following suit, inserting BI concepts into professional training and college curricula.

Whereas businesses in the past have concentrated on knowing the market and making the best product, they are shifting their focus to include knowing, and staying ahead of, competitors. This emphasis on competitiveness requires the sophisticated production and use of carefully analyzed information tailored to specific users; in other words, intelligence. But the use of intelligence as a strategic planning tool, common in government, is a skill that few companies have perfected.

The Society of Competitive Intelligence Professionals (SCIP), headquartered in the Washington, DC area, is an international organization founded in 1986 to “assist members in enhancing their firms’ competitiveness through a greater… understanding of competitor behaviors and future strategies as well as the market dynamics in which they do business.” SCIP’s code of conduct specifically promotes ethical and legal BI practices. The main focus of “collection” is on exploiting online and open-source information services, and the theme of “analysis” is to go beyond mere numerical and factual information, to interpretation of events for strategic decisionmaking.

Large corporations are creating their own intelligence units, and a few are successful at performing analysis in support of strategic decisionmaking. Others are hiring BI contractors, or “out-sourcing” this function. However, the majority of businesses having some familiarity with BI are not able to conduct rigorous research and analysis for value-added reporting. According to University of Pittsburgh professor of Business Administration John Prescott, no theoretical framework exists for BI. He believes that most studies done lack the rigor that would come with following sound research-design principles. By his estimate, only one percent of companies have a research-design capability exploitable for BI applications. At the same time, companies are increasingly opting to establish their own intelligence units rather than purchasing services from BI specialists. The implication of this trend is that BI professionals should be skilled in both intelligence and in a business discipline of value to the company.

The private sector can therefore benefit from IC expertise in disciplines complementary to active intelligence production, namely defensive measures. The whole concept of openness regarding intelligence practices may hinge upon the counter-balancing effect of self-defense, particularly as practiced through information systems security (INFOSEC) and operations security (OPSEC). Because the IC seeks to be a world leader in INFOSEC and OPSEC as well as intelligence production, defensive measures are an appropriate topic for dialogue between the public and private sectors.

The U.S. government INFOSEC Manual sums up the relationship between offense and defense in a comprehensive intelligence strategy in this way:

In today’s information age environment, control of information and information technology is vital. As the nation daily becomes more dependent on networked information systems to conduct essential business, including military operations, government functions, and national and international economic enterprises, information infrastructures are assuming increased strategic importance. This has, in turn, given rise to the concept of information warfare (INFOWAR) — a new form of warfare directed toward attacking (offensive) or defending (defensive) such infrastructures.

Giving citizens the tools they need to survive INFOWAR is one of the IC’s explicit missions. This intelligence primer can assist that mission by offering a conceptual and practical “common operating environment” for business and government alike.

Assessing and Exchanging Best Practices

In documenting the essentials of intelligence, this primer is an example of benchmarking, a widely used process for achieving quality in organizations.

Benchmarking normally assesses best professional practices, developed and refined through experience, for carrying out an organization’s core tasks. An additional aim of benchmarking is to establish reciprocal relationships among best-in-class parties for the exchange of mutually beneficial information. Because the IC is the de facto functional leader in the intelligence profession, and is publicly funded, it is obligated to lead both the government and private sector toward a greater understanding of the intelligence discipline.

In the mid-1990s, as national intelligence agencies began to participate in international benchmarking forums, individuals from the private sector began to request practical information on the intelligence process from IC representatives. The requestors were often participants in the growing BI movement and apparently sought to adapt IC methods to their own purposes. Their circumspect counterparts in the government were not prepared to respond to these requests, preferring instead to limit benchmarking relationships to common business topics, such as resource management.

Demand in the private sector for intelligence skills can be met through the application of validated intelligence practices presented in this document. Conversely, the business-oriented perspective on intelligence can be highly useful to government intelligence professionals. As a BI practitioner explains, every activity in the intelligence process must be related to a requirement, otherwise it is irrelevant. Government personnel would benefit from this practical reminder in every training course and every work center. In the private sector, straying from this principle means wasting money and losing a competitive edge.

Curriculum exchanges between private sector educators and the IC are encouraged by legislation and by Congressional Commission recommendations,[17] yet little such formal exchange has taken place.

[17] For example, the 1991 National Security Education Act (P.L. 102-183), the 1993 Government Performance and Results Act (P.L. 103-62), and the Congressional Report of the Commission on the Roles and Capabilities of the U.S. Intelligence Community, Preparing for the 21st Century: An Appraisal of U.S. Intelligence (Washington, DC: GPO, 1 March 1996), 87.

Whereas government practitioners are the acknowledged subject-matter experts in intelligence methodology, the private sector offers a wealth of expertise in particular areas such as business management, technology, the global marketplace, and skills training. Each has valuable knowledge to share with the other, and experience gaps to fill. On the basis of these unique needs and capabilities, the public and private sectors can forge a new partnership in understanding their common responsibilities, and this primer may make a modest contribution toward the exchange of ideas.

The following chapters outline validated steps to operating an intelligence service for both the government and the private sector. In either setting, this document should prove useful as a basic curriculum for students, an on-the-job working aid for practitioners, and a reference tool for experienced professionals, especially those teaching or mentoring others. Although the primer does not exhaustively describe procedures for quality intelligence production or defensive measures, it does offer the business community fundamental concepts that can transfer readily from national intelligence to commercial applications, including competitive analysis, strategic planning and the protection of proprietary information. Universities may incorporate these ideas into their business, political science, and intelligence studies curricula to encourage and prepare students to become intelligence practitioners in commerce or government.

PART I INTELLIGENCE PROCESS

[I]ntelligence is more than information. It is knowledge that has been specially prepared for a customer’s unique circumstances. The word knowledge highlights the need for human involvement. Intelligence collection systems produce… data, not intelligence; only the human mind can provide that special touch that makes sense of data for different customers’ requirements. The special processing that partially defines intelligence is the continual collection, verification, and analysis of information that allows us to understand the problem or situation in actionable terms and then tailor a product in the context of the customer’s circumstances. If any of these essential attributes is missing, then the product remains information rather than intelligence.[18]

[18] Captain William S. Brei, Getting Intelligence Right: The Power of Logical Procedure, Occasional Paper Number Two (Washington, DC: Joint Military Intelligence College, January 1996), 4.

According to government convention, the author will use the term “customer” to refer to the intended recipient of an intelligence product — either a fellow intelligence service member, or a policy official or decisionmaker. The process of converting raw information into actionable intelligence can serve government and business equally well in their respective domains.

The Intelligence Process in Government and Business

Production of intelligence follows a cyclical process, a series of repeated and interrelated steps that add value to original inputs and create a substantially transformed product. That transformation is what distinguishes intelligence from a simple cyclical activity.

In government and private sector alike, analysis is the catalyst that converts information into intelligence for planners and decisionmakers.

Although the intelligence process is complex and dynamic, several component functions may be distinguished from the whole. In this primer, components are identified as Intelligence Needs, Collection Activities, Processing of Collected Information, Analysis and Production.

These labels, and the illustration below, should not be interpreted to mean that intelligence is a unidimensional and unidirectional process. “[I]n fact, the [process] is multidimensional, multidirectional, and — most importantly — interactive and iterative.”

The purpose of this process is for the intelligence service to provide decisionmakers with tools, or “products” that assist them in identifying key decision factors.

A nation’s power or a firm’s success results from a combination of factors, so intelligence producers and customers should examine potential adversaries and competitive situations from as many relevant viewpoints as possible. A competitor’s economic resources, political alignments, the number, education and health of its people, and apparent objectives are all important in determining the ability of a country or a business to exert influence on others. The eight subject categories of intelligence are exhaustive, but they are not mutually exclusive. Although dividing intelligence into subject areas is useful for analyzing information and administering production, it should not become a rigid formula.

Operational support intelligence incorporates all types of intelligence by use, but is produced in a tailored, focused, and timely manner for planners and operators of the supported activity.

How government and business leaders define their needs for these types of intelligence affects the intelligence service’s organization and operating procedures. Managers of this intricate process, whether in government or business, need to decide whether to make one intelligence unit responsible for all the component parts of the process or to create several specialized organizations for particular sub-processes.

Functional Organization of Intelligence

The national Intelligence Community comprises Executive Branch agencies that produce classified and unclassified studies on selected foreign developments as a prelude to decisions and actions by the president, military leaders, and other senior authorities.

Private sector organizations use open-source information to produce intelligence in a fashion similar to national authorities. By mimicking the government process of translating customer needs into production requirements, and particularly by performing rigorous analysis on gathered information, private organizations can produce assessments that aid their leaders in planning and carrying out decisions to increase their competitiveness in the global economy. This primer will point out why private entities may desire to transfer into their domain some well-honed proficiencies developed in the national Intelligence Community. At the same time, the Intelligence Community self-examination conducted in these pages may allow government managers to reflect on any unique capabilities worthy of further development and protection.

PART II
CONVERTING CUSTOMER NEEDS INTO INTELLIGENCE REQUIREMENTS

The articulation of the requirement is the most important part of the process, and it seldom is as simple as it might seem. There should be a dialogue concerning the requirement, rather than a simple assertion of need. Perhaps the customer knows precisely what is needed and what the product should look like. Perhaps… not. Interaction is required: discussion between ultimate user and principal producer. This is often difficult due to time, distance, and bureaucratic impediments, not to mention disparities of rank, personality, perspectives, and functions.

Defining the Intelligence Problem

Customer demands, or “needs,” particularly if they are complex and time-sensitive, require interpretation or analysis by the intelligence service before being expressed as intelligence requirements that drive the production process. This dialog between intelligence producer and customer may begin with a simple set of questions, and if appropriate, progress to a more sophisticated analysis of the intelligence problem being addressed.

The “Five Ws” — Who, What, When, Where, and Why — are a good starting point for translating intelligence needs into requirements. A sixth related question, How, may also be considered. In both government and business, these questions form the basic framework for decisionmakers and intelligence practitioners to follow in formulating intelligence requirements and devising a strategy to satisfy them.

This ability to establish a baseline and set in motion a collection and production strategy is crucial to conducting a successful intelligence effort. Too often, both producers and customers waste valuable time and effort struggling to characterize for themselves a given situation, or perhaps worse, they hastily embark upon an action plan without determining its appropriateness to the problem. Employing a structured approach as outlined in the Taxonomy of Problem Types can help the players avoid these inefficiencies and take the first step toward generating clear intelligence requirements by defining both the intelligence problem and the requisite components to its solution.

 

Intelligence Problem Definition

A Government Scenario

The Severely Random problem type is one frequently encountered by the military in planning an operational strategy. This is the realm of wargaming. The initial intelligence problem is to identify all possible outcomes in an unbounded situation, so that commanders can generate plans for every contingency. The role of valid data is relatively minor, while the role of judgment is great, as history and current statistics may shed little light on how the adversary will behave in a hypothetical situation, and the progress and outcome of an operation against that adversary cannot be predicted with absolute accuracy. Therefore, the analytical task is to define and prepare for all potential outcomes. The analytical method is role playing and wargaming: placing oneself mentally in the imagined situation, and experiencing it in advance, even to the point of acting it out in a realistic setting. After experiencing the various scenarios, the players subjectively evaluate the outcomes of the games, assessing which ones may be plausible or expected to occur in the real world. The probability of error in judgment here is inherently high, as no one can be certain that the future will occur exactly as events unfolded in the game. However, repeated exercises can help to establish a measure of confidence, for practice in living out these scenarios may enable the players to more quickly identify and execute desired behaviors, and avoid mistakes in a similar real situation.

A Business Scenario

The Indeterminate problem type is one facing the entrepreneur in the modern telecommunications market. Predicting the future for a given proposed new technology or product is an extremely imprecise task fraught with potentially dire, or rewarding, consequences. The role of valid data is extremely minor here, whereas analytical judgments about the buying public’s future — and changing — needs and desires are crucial. Defining the key factors influencing the future market is the analytical task, to be approached via the analytical method of setting up models and scenarios: the if/then/else process. Experts in the proposed technology or market are then employed to analyze these possibilities. Their output is a synthesized assessment of how the future will look under various conditions with regard to the proposed new product. The probability of error in judgment is extremely high, as the decision is based entirely on mental models rather than experience; after all, neither the new product nor the future environment exists yet. Continual reassessment of the changing factors influencing the future can help the analysts adjust their conclusions and better advise decisionmakers on whether, and how, to proceed with the new product.

Generating Intelligence Requirements

Once they have agreed upon the nature of the intelligence problem at hand, the intelligence service and the customer together can next generate intelligence requirements to drive the production process. The intelligence requirement translates customer needs into an intelligence action plan. A good working relationship between the two parties at this stage will determine whether the intelligence produced in subsequent stages actually meets customer needs.

As a discipline, intelligence seeks to remain an independent, objective advisor to the decisionmaker. The realm of intelligence is that of “fact,” considered judgment, and probability, but not prescription. It does not tell the customer what to do to meet an agenda, but rather, identifies the factors at play, and how various actions may affect outcomes. Intelligence tends to be packaged in standard formats and, because of its methodical approach, may not be delivered within the user’s ideal timeframe. For all these reasons, the customer may not see intelligence as a useful service.

Understanding each other’s views on intelligence is the first step toward improving the relationship between them. The next step is communication. Free interaction among the players will foster agreement on intelligence priorities and result in products that decisionmakers recognize as meaningful to their agendas, yet balanced by rigorous analysis.

Types of Intelligence Requirements

Having thus developed an understanding of customer needs, the intelligence service may proactively and continuously generate intelligence collection and production requirements to maintain customer-focused operations. Examples of such internally generated specifications include analyst-driven, events-driven, and scheduled requirements.

Further distinctions among intelligence requirements include timeliness and scope, or level, of intended use. Timeliness of requirements is established to meet standing (long-term) and ad hoc (short-term) needs. When the customer and intelligence service agree to define certain topics as long-term intelligence issues, they generate a standing requirement to ensure that a regular production effort can, and will, be maintained against that target. The customer will initiate an ad hoc requirement upon realizing a sudden short-term need for a specific type of intelligence, and will specify the target of interest, the coverage timeframe, and the type of output desired.

The scope or level of intended use of the intelligence may be characterized as strategic or tactical. Strategic intelligence is geared to a policymaker dealing with big-picture issues affecting the mission and future of an organization: the U.S. President, corporate executives, high-level diplomats, or military commanders of major commands or fleets. Tactical intelligence serves players and decisionmakers “on the ground” engaged in current operations: trade negotiators, marketing and sales representatives, deployed military units, or product developers.

Ensuring that Requirements Meet Customer Needs

Even when they follow this method of formulating intelligence requirements together, decisionmakers and their intelligence units in the public and private sectors may still have an incomplete grasp of how to define their needs and capabilities — until they have evaluated the resultant products.

Customer feedback, production planning and tasking, as well as any internal product evaluation, all become part of the process of defining needs and creating intelligence requirements.

Whether in business or government, six fundamental values or attributes underlie the core principles from which all the essential intelligence functions are derived. The corollary is that intelligence customers’ needs may be defined and engaged by intelligence professionals using these same values.

Interpretation of these values turns a customer’s need into a collection and production requirement that the intelligence service understands in the context of its own functions. However, illustrating the complexity of the intelligence process, once this is done, the next step is not necessarily collection.

Rather, the next stage is analysis. Perhaps the requirement is simply and readily answered — by an existing product, by ready extrapolation from files or data bases, or by a simple phone call or short desk note based on an analyst’s or manager’s knowledge.

Consumers do not drive collection per se; analysts do — or should.

PART III COLLECTION

The collection function rests on research — on matching validated intelligence objectives to available sources of information, with the results to be transformed into usable intelligence. Just as within needs-definition, analysis is an integral function of collection.

Collection Requirements

The collection requirement specifies exactly how the intelligence service will go about acquiring the intelligence information the customer needs. Any one, or any of several, players in the intelligence system may be involved in formulating collection requirements: the intelligence analyst, a dedicated staff officer, or a specialized collection unit.

In large intelligence services, collection requirements may be managed by a group of specialists acting as liaisons between customers and collectors (people who actually obtain the needed information, either directly or by use of technical means). Within that requirements staff, individual requirements officers may be dedicated to a particular set of customers, a type of collection resource, or a specific intelligence issue. This use of collection requirements officers is prevalent in the government. Smaller services, especially in the private sector, may assign collection requirements management to one person or team within a multidisciplinary intelligence unit that serves a particular customer or that is arrayed against a particular topic area.

The requirements management function entails much more than simple administrative duties. It requires analytic skill to evaluate how well the customer has expressed the intelligence need; whether, how and when the intelligence unit is able to obtain the required information through its available collection sources; and in what form to deliver the collected information to the intelligence analyst.

Collection Planning and Operations

One method for selecting a collection strategy is to first prepare a list of expected target evidence.

The collection requirements officer and the intelligence analyst for the target may collaborate in identifying the most revealing evidence of target activity, which may include physical features of terrain or objects, human behavior, or natural and man-made phenomena. The issue that can be resolved through this analysis is “What am I looking for, and how will I know it if I see it?”

Increasingly sophisticated identification of evidence types may reveal what collectible data are essential for drawing key conclusions, and therefore should be given priority; whether the evidence is distinguishable from innocuous information; and whether the intelligence service has the skills, time, money and authorization to collect the data needed to exploit a particular target. Furthermore, the collection must yield information in a format that is either usable in raw form by the intelligence analyst, or that can be converted practicably into usable form.

Finally, upon defining the collection requirement and selecting a collection strategy, the intelligence unit should implement that strategy by tasking personnel and resources to exploit selected sources, perform the collection, reformat the results if necessary to make them usable in the next stages, and forward the information to the intelligence production unit. This aspect of the collection phase may be called collection operations management. As with requirements management, it is often done by specialists, particularly in the large intelligence service. In smaller operations, the same person or team may perform some or all of the collection-related functions.

In comparison to the large, compartmentalized service, the smaller unit will likely experience greater overall efficiency of operations and fewer bureaucratic barriers to customer service. The same few people may act as requirements officers, operations managers and intelligence analysts/producers, decreasing the likelihood of communication and scheduling problems among them. This approach may be less expensive in terms of infrastructure and logistics than a functionally divided operation.

Careful selection and assignment of personnel who thrive in a multidisciplinary environment will be vital to the unit’s success, to help ward off potential worker stress and overload. An additional pitfall that the small unit should strive to avoid is the tendency to be self-limiting: overreliance on the same customer contacts, collection sources and methods, analytic approaches, and production formulas can lead to stagnation and irrelevance. The small intelligence unit should be careful to invest in new initiatives that keep pace with changing times and customer needs.

Collection Sources

The range of sources available to all intelligence analysts, including those outside of government, is of course much broader than the set of restricted, special sources available only for government use.

Four general categories serve to identify the types of information sources available to the intelligence analyst: people, objects, emanations, and records.

Strictly speaking, the information offered by these sources may not be called intelligence if the information has not yet been converted into a value-added product. In the government or private sector, collection may be performed by the reporting analyst or by a specialist in one or more of the collection disciplines.

The collection phase of the intelligence process thus involves several steps: translation of the intelligence need into a collection requirement, definition of a collection strategy, selection of collection sources, and information collection. The resultant collected information must often undergo a further conversion before it can yield intelligence in the analysis stage.

PART IV PROCESSING COLLECTED INFORMATION

From Raw Data to Intelligence Information

No matter what the setting or type of collection, gathered information must be packaged meaningfully before it can be used in the production of intelligence. Processing methods will vary depending on the form of the collected information and its intended use, but they include everything done to make the results of collection efforts usable by intelligence producers. Typically, “processing” applies to the techniques used by government intelligence services to transform raw data from special-source technical collection into intelligence information.

While collectors collect “raw” information, certain [collection] disciplines involve a sort of pre-analysis in order to make the information “readable” to the average all-source analyst.

Another term for processing, collation, encompasses many of the different operations that must be performed on collected information or data before further analysis and intelligence production can occur. More than merely physically manipulating information, collation organizes the information into a usable form, adding meaning where it was not evident in the original. Collation includes gathering, arranging, and annotating related information; drawing tentative conclusions about the relationship of “facts” to each other and their significance; evaluating the accuracy and reliability of each item; grouping items into logical categories; critically examining the information source; and assessing the meaning and usefulness of the content for further analysis. Collation reveals information gaps, guides further collection and analysis, and provides a framework for selecting and organizing additional information.

Examples of collation include filing documents, condensing information by categories or relationships, and employing electronic database programs to store, sort, and arrange large quantities of information or data in preconceived or self-generating patterns. Regardless of its form or setting, an effective collation method will have the following attributes:

  1. Be impersonal. It should not depend on the memory of one analyst; another person knowledgeable in the subject should be able to carry out the operation.
  2. Not become the “master” of the analyst or an end in itself.
  3. Be free of bias in integrating the information.
  4. Be receptive to new data without extensive alteration of the collating criterion.

Evaluating and Selecting Evidence

To prepare collected information for further use, one must evaluate its relevance and value to the specific problem at hand. An examination of the information’s source and applicability to the intelligence issue can determine whether that information will be further employed in the intelligence production process. Three aspects to consider in evaluating the relevance of information sources are reliability, proximity, and appropriateness.

Reliability of a source is determined through an evaluation of its past performance; if the source proved accurate in the past, then a reasonable estimate of its likely accuracy in a given case can be made.

Proximity refers to the source’s closeness to the information. The direct observer or participant in an event may gather and present evidence directly, but in the absence of such firsthand information, the analyst must rely on sources with varying degrees of proximity to the situation. A primary source passes direct knowledge of an event on to the analyst. A secondary source provides information twice removed from the original event; one observer informs another, who then relays the account to the analyst. Such regression of source proximity may continue indefinitely, and naturally, the more numerous the steps between the information and the source, the greater the opportunity for error or distortion.

Appropriateness of the source rests upon whether the source speaks from a position of authority on the specific issue in question. As no one person or institution is an expert on all matters, the source’s individual capabilities and shortcomings affect the level of validity or reliability assigned to the information it provides regarding a given topic.

Plausibility refers to whether the information is true under any circumstances or only under certain conditions, either known or possible. Expectability is assessed in the context of the analyst’s prior knowledge of the subject. Support for information exists when another piece of evidence corroborates it — either the same information from a different source, or different information that points to the same conclusion.

PART V ANALYSIS

Analysis is the breaking down of a large problem into a number of smaller problems and performing mental operations on the data in order to arrive at a conclusion or a generalization. It involves close examination of related items of information to determine the extent to which they confirm, supplement, or contradict each other and thus to establish probabilities and relationships.

Analysis is not merely reorganizing data and information into a new format. At the very least, analysis should fully describe the phenomenon under study, accounting for as many relevant variables as possible. At the next higher level of analysis, a thorough explanation of the phenomenon is obtained, through interpreting the significance and effects of its elements on the whole. Ideally, analysis can reach successfully beyond the descriptive and explanatory levels to synthesis and effective persuasion, often referred to as estimation.

The purpose of intelligence analysis is to reveal to a specific decisionmaker the underlying significance of selected target information. Frequently intelligence analysis involves estimating the likelihood of one possible outcome, given the many possibilities in a particular scenario.

The mnemonic “Four Fs Minus One” may serve as a reminder of how to apply this criterion. Whenever the intelligence information allows, and the customer’s validated needs demand it, the intelligence analyst will extend the thought process as far along the Food Chain as possible, to the third “F” but not beyond to the fourth.

Types of Reasoning

Objectivity is the intelligence analyst’s primary asset in creating intelligence that meets the Four Fs Minus One criterion. More than simply a conscientious attitude, objectivity is “a professional ethic that celebrates tough-mindedness and clarity in applying rules of evidence, inference, and judgment.”

Four basic types of reasoning apply to intelligence analysis: induction, deduction, abduction and the scientific method.

Induction. The induction process is one of discovering relationships among the phenomena under study.

In the words of Clauser and Weir:

Induction is the intellectual process of drawing generalizations on the basis of observations or other evidence. Induction takes place when one learns from experience. For example, induction is the process by which a person learns to associate the color red with heat and heat with pain, and to generalize these associations to new situations.

Induction occurs when one is able to postulate causal relationships. Intelligence estimates are largely the result of inductive processes, and, of course, induction takes place in the formulation of every hypothesis. Unlike other types of intellectual activities such as deductive logic and mathematics, there are no established rules for induction.

Deduction. “Deduction is the process of reasoning from general rules to particular cases. Deduction may also involve drawing out or analyzing premises to form a conclusion.”

Deduction works best in closed systems such as mathematics, formal logic, or certain kinds of games in which all the rules are clearly spelled out.

However, intelligence analysis rarely deals with closed systems, so premises assumed to be true may in fact be false, and lead to false conclusions.

Abduction. Abduction is the process of generating a novel hypothesis to explain given evidence that does not readily suggest a familiar explanation. This process differs from induction in that it adds to the set of hypotheses available to the analyst. In inductive reasoning, the hypothesized relationship among pieces of evidence is considered to be already existing, needing only to be perceived and articulated by the analyst.

In abduction, the analyst creatively generates an hypothesis, then sets about examining whether the available evidence unequivocally leads to the new conclusion. The latter step, testing the evidence, is a deductive inference.

Examples of abductive reasoning in intelligence analysis include situations in which the analyst has a nagging suspicion that something of intelligence value has happened or is about to happen, but has no immediate explanation for this conclusion. The government intelligence analyst may conclude that an obscure rebel faction in a target country is about to stage a political coup, although no overt preparations for the takeover are evident. The business analyst may determine that a competitor company is on the brink of a dramatic shift from its traditional product line into a new market, even though its balance sheet and status in the industry are secure. In each case, the analyst, trusting this sense that the time is right for a significant event, will set out to gather and evaluate evidence in light of the new, improbable, yet tantalizing hypothesis.

Scientific Method. The scientific method combines deductive and inductive reasoning: Induction is used to develop the hypothesis, and deduction is used to test it. In science, the analyst obtains data through direct observation of the subject and formulates an hypothesis to explain conclusions suggested by the evidence.

Methods of Analysis

Opportunity Analysis. Opportunity analysis identifies for policy officials opportunities or vulnerabilities that the customer’s organization can exploit to advance a policy, as well as dangers that could undermine a policy. It identifies institutions, interest groups, and key leaders in a target country or organization that support the intelligence customer’s objective; the means of enhancing supportive elements; challenges to positive elements (which could be diminished or eliminated); logistic, financial, and other vulnerabilities of adversaries; and activities that could be employed to rally resources and support to the objective.

Jack Davis notes that in the conduct of opportunity analysis,

[T]he analyst should start with the assumption that every policy concern can be transformed into a legitimate intelligence concern. What follows from this is that analysts and their managers should learn to think like a policymaker in order to identify the issues on which they can provide utility, but they should always [behave like intelligence producers]. … The first step in producing effective opportunity analysis is to redefine an intelligence issue in the policymaker’s terms. This requires close attention to the policymaker’s role as “action officer” – reflecting a preoccupation with getting things started or stopped among adversaries and allies…. It also requires that analysts recognize a policy official’s propensity to take risk for gain…. [P]olicymakers often see, say, a one-in-five chance of turning a situation around as a sound investment of [organizational] prestige and their professional energies…. [A]nalysts have to search for appropriate ways to help the policymaker inch the odds upward – not by distorting their bottom line when required to make a predictive judgment, or by cheerleading, but by pointing to opportunities as well as obstacles. Indeed, on politically sensitive issues, analysts would be well advised to utilize a matrix that first lists and then assesses both the promising and discouraging signs they, as objective observers, see for… policy goals…. [P]roperly executed opportunity analysis stresses information and possibilities rather than [explicit] predictions.

Jack Davis, The Challenge of Opportunity Analysis (Washington, DC: Center for the Study of Intelligence, July 1992)

Linchpin Analysis. Linchpin analysis is one way of showing intelligence managers and policy officials alike that all the bases have been touched. Linchpin analysis, a colorful term for structured forecasting, is an anchoring tool that seeks to reduce the hazard of self-inflicted intelligence error as well as policymaker misinterpretation.

Analogy. Analogies depend on the real or presumed similarities between two things. For example, analysts might reason that because two aircraft have many features in common, they may have been designed to perform similar missions. The strength of any such analogy depends upon the strength of the connection between a given condition and a specified result.

In addition, the analyst must consider the characteristics that are dissimilar between the phenomena under study. The dissimilarities may be so great that they render the few similarities irrelevant.

One of the most widely used tools in intelligence analysis is the analogy. Analogies serve as the basis for most hypotheses, and rightly or wrongly, underlie many generalizations about what the other side will do and how they will go about doing it.

Thus, drawing well-considered generalizations is the key to using analogy effectively. When postulating human behavior, the analyst may effectively use analogy by applying it to a specific person acting in a situation similar to one in which his actions are well documented…

Customer Focus

As with the previous stages of the intelligence process, effective analysis depends upon a good working relationship between the intelligence customer and producer.

The government intelligence analyst is generally considered a legitimate and necessary policymaking resource, and even fairly junior employees may be accepted as national experts by virtue of the knowledge and analytic talent they offer to high level customers. Conversely, in the private sector, the intelligence analyst’s corporate rank is generally orders of magnitude lower than that of a company vice-president or CEO. The individual analyst may have little access to the ultimate customer, and the intelligence service as a whole may receive little favor from a senior echelon that makes little distinction between so-called intelligence and the myriad of other decisionmaking inputs. When private sector practitioners apply validated methods of analysis geared to meet specific customer needs, they can win the same kind of customer appreciation and support as that enjoyed by government practitioners.

Statistical Tools

Additional decisionmaking tools derived from parametric or non-parametric statistical techniques, such as Bayesian analysis, are sometimes used in intelligence.

Analytic Mindset

Customer needs and collected information and data are not the only factors that influence the analytic process; the analyst brings his or her own unique thought patterns as well. This personal approach to problem-solving is “the distillation of the intelligence analyst’s cumulative factual and conceptual knowledge into a framework for making estimative judgments on a complex subject.”

Categories of Misperception and Bias

Evoked-Set Reasoning: That information and concern which dominates one’s thinking based on prior experience. One tends to uncritically relate new information to past or current dominant concerns.

Prematurely Formed Views: These spring from a desire for simplicity and stability, and lead to premature closure in the consideration of a problem.

Presumption that Support for One Hypothesis Disconfirms Others: Evidence that is consistent with one’s preexisting beliefs is allowed to disconfirm other views. Rapid closure in the consideration of an issue is a problem.

Inappropriate Analogies: Perception that an event is analogous to past events, based on inadequate consideration of concepts or facts, or irrelevant criteria. Bias of “Representativeness.”

Superficial Lessons From History: Uncritical analysis of concepts or events, superficial causality, over-generalization of obvious factors, inappropriate extrapolation from past success or failure.

Presumption of Unitary Action by Organizations: Perception that behavior of others is more planned, centralized, and coordinated than it really is. Dismisses accident and chaos. Ignores misperceptions of others. Fundamental attribution error, possibly caused by cultural bias.

Organizational Parochialism: Selective focus or rigid adherence to prior judgments based on organizational norms or loyalties. Can result from functional specialization. Group-think or stereotypical thinking.

Excessive Secrecy (Compartmentation): Over-narrow reliance on selected evidence. Based on concern for operational security. Narrows consideration of alternative views. Can result from or cause organizational parochialism.

Ethnocentrism: Projection of one’s own culture, ideological beliefs, doctrine, or expectations on others. Exaggeration of the causal significance of one’s own action. Can lead to mirror-imaging and wishful thinking. Parochialism.

Lack of Empathy: Undeveloped capacity to understand others’ perception of their world, their conception of their role in that world, and their definition of their interests. Difference in cognitive contexts.

Mirror-Imaging: Perceiving others as one perceives oneself. Basis is ethnocentrism. Facilitated by closed systems and parochialism.

Ignorance: Lack of knowledge. Can result from prior-limited priorities or lack of curiosity, perhaps based on ethnocentrism, parochialism, denial of reality, rational-actor hypothesis (see next entry).

Rational-Actor Hypothesis: Assumption that others will act in a “rational” manner, based on one’s own rational reference. Results from ethnocentrism, mirror-imaging, or ignorance.

Denial of Rationality: Attribution of irrationality to others who are perceived to act outside the bounds of one’s own standards of behavior or decisionmaking. Opposite of rational-actor hypothesis. Can result from ignorance, mirror-imaging, parochialism, or ethnocentrism.

Proportionality Bias: Expectation that the adversary will expend efforts proportionate to the ends he seeks. Inference about the intentions of others from costs and consequences of actions they initiate.

Willful Disregard of New Evidence: Rejection of information that conflicts with already-held beliefs. Results from prior policy commitments, and/or excessive pursuit of consistency.

Image and Self-Image: Perception of what has been, is, will be, or should be (image as subset of belief system). Both inward-directed (self-image) and outward-directed (image). Both often influenced by self-absorption and ethnocentrism.

Defensive Avoidance: Refusal to perceive and understand extremely threatening stimuli. Need to avoid painful choices. Leads to wishful thinking.

Overconfidence in Subjective Estimates: Optimistic bias in assessment. Can result from premature or rapid closure of consideration, or ignorance.

Wishful Thinking (Pollyanna Complex): Hyper-credulity. Excessive optimism born of smugness and overconfidence.

Best-Case Analysis: Optimistic assessment based on cognitive predisposition and general beliefs of how others are likely to behave, or in support of personal or organizational interests or policy preferences.

Conservatism in Probability Estimation: In a desire to avoid risk, tendency to avoid estimating extremely high or extremely low probabilities. Routine thinking. Inclination to judge new phenomena in light of past experience, to miss essentially novel situational elements, or failure to reexamine established tenets. Tendency to seek confirmation of prior-held beliefs.

Worst-Case Analysis (Cassandra Complex): Excessive skepticism. Reflects pessimism and extreme caution, based on predilection (cognitive predisposition), adverse past experience, or on support of personal or organizational interests or policy preferences.

Because the biases and misperceptions outlined above can influence analysis, they may also affect the resultant analytic products. As explained in the following Part, analysis does not cease when intelligence production begins; indeed, the two are interdependent. The foregoing overview of analytic pitfalls should caution intelligence managers and analysts that intelligence products should remain as free as possible from such errors of omission and commission, yet still be tailored to the specific needs of customers.

PART VI PRODUCTION

The previously-described steps of the intelligence process are necessary precursors to production, but it is only in this final step that functionality of the whole process is achieved. Production results in the creation of intelligence, that is, value-added actionable information tailored to a specific customer. In practical terms, production refers to the creation, in any medium, of either interim or finished briefings or reports for other analysts, or for decisionmakers or policy officials.

In government parlance, the term “finished” intelligence is reserved for products issued by analysts responsible for synthesizing all available sources of intelligence, resulting in a comprehensive assessment of an issue or situation, for use by senior analysts or decisionmakers.

Analysts within the single-source intelligence agencies consider any information or intelligence not issued by their own organization to be “collateral.”

Similar designations for finished intelligence products may apply in the business world. Particularly in large corporations with multidisciplinary intelligence units, or in business intelligence consulting firms, some production personnel may specialize in the creation of intelligence from a single source, while others specialize in finished reporting. For example, there may be specialists in library and on-line research, “HUMINT” experts who conduct interviews and attend conferences and trade shows, or scientists who perform experiments on products or materials. The reports generated by such personnel may be considered finished intelligence by their intended customers within subdivisions of the larger company. The marketing, product development, or public relations department of a corporation may consume single-source intelligence products designed to meet their individual needs. Such a large corporation may also have an intelligence synthesis unit that merges the reports from the specialized units into finished intelligence for use in strategic planning by senior decisionmakers. Similarly, in the intelligence consulting firm, each of the specialized production units may contribute their reports to a centralized finished intelligence unit which generates a synthesized product for the client.

Emphasizing the Customer’s Bottom Line

The intelligence report or presentation must focus on the results of the analysis and make evident their significance through sound arguments geared to the customer’s interests. In short, intelligence producers must BLUF their way through the presentation — that is, they must keep the “Bottom Line Up Front.”

It is often difficult for… intelligence [producers] to avoid the temptation to succumb to the Agatha Christie Syndrome. Like the great mystery writer, we want to keep our readers in suspense until we can deliver that “punch line.” After we have worked hard on this analysis… we want the reader to know all the wonderful facts and analytical methods that have gone into our conclusions…. Most readers really will not care about all those bells and whistles that went into the analysis. They want the bottom line, and that is what intelligence professionals are paid to deliver.

James S. Major, The Style Guide: Research and Writing at the Joint Military Intelligence College

Some customers are “big picture” thinkers, seeking a general overview of the issue, and guidance on the implications for their own position and responsibilities. An appropriate intelligence product for such a customer will be clear, concise, conclusive, and free of jargon or distracting detail. Conversely, some customers are detail-oriented, seeing themselves as the ultimate expert on the subject area. This type of customer needs highly detailed and specialized intelligence to supplement and amplify known information.

Anatomy of an Intelligence Product

Whether it is produced within the government, or in the business setting, the basic nature of the intelligence product remains the same. The analyst creates a product to document ongoing research, give the customer an update on a current issue or situation, or provide an estimate of expected target activity. In general terms, the product’s function is to cover one or more subject areas, or to be used by the customer for a particular application.

Content

Determination of product content is done in close cooperation with the customer, sometimes at the initiative of one or the other, often in a cycle of give-and-take of ideas. Formal intelligence requirements, agreed upon by both producer and customer in advance, do drive the production process, but the converse is also true. The intelligence unit’s own self-concept and procedures influence its choice of which topics to cover, and which aspects to emphasize. As a result, the customer comes to expect a certain type of product from that unit, and adjusts requirement statements accordingly. In addition, the intelligence process may bring to light aspects of the target that neither the producer nor customer anticipated. When the parties involved have a close working relationship, either one may receive inspiration from interim products, and take the lead in pursuing new ways to exploit the target.

Often, this dialogue centers around the pursuit of new sources associated with known lucrative sources.

The basic orientation of the intelligence product toward a particular subject or application is also determined by the producer-customer relationship. Frequently, the intelligence service will organize the production process and its output to mirror the customer organization. Government production by the single-source intelligence agencies is largely organized geographically or topically, to meet the needs of all-source country, region, or topic analysts in the finished-intelligence producing agencies, such as DIA or the National Counterintelligence Center.

In terms of intended use by the customer, both business and government producers may generate intelligence to be applied in the current, estimative, operational, research, science and technology, or warning context. Serendipity plays a role here, because the collected and analyzed information may meet any or all of these criteria.

Features

Three key features of the intelligence product are timeliness, scope, and periodicity. Timeliness includes not only the amount of time required to deliver the product, but also the usefulness of the product to the customer at a given moment. Scope involves the level of detail or comprehensiveness of the material contained in the product. Periodicity describes the schedule of product initiation and generation.

In intelligence production, the adage “timing is everything” is particularly apt. When a customer requests specific support, and when actionable information is discovered through collection and analysis, the resultant intelligence product is irrelevant unless the customer receives it in time to take action — by adapting to or influencing the target entity. Timeliness therefore encompasses the short-term or long-term duration of the production process, and the degree to which the intelligence itself proves opportune for the customer.

It is important to remember that many users of intelligence have neither the time nor the patience to read through a voluminous study, however excellent it may be, and would much prefer to have the essential elements of the analysis set down in a few succinct paragraphs.

Analysts may proactively generate products to meet known needs of specific customers, or they may respond to spontaneous customer requests for tailored intelligence. Furthermore, “analysts, as experts in their fields, are expected to initiate studies that address questions yet unformulated by [customers].” By selecting from available source material, and determining when to issue an intelligence product, analysts have the potential to influence how their customers use intelligence to make policy decisions.

Packaging

Government intelligence products are typically packaged as highly structured written and oral presentations, including electrical messages, hardcopy reports, and briefings.

The format of the intelligence product, regardless of the medium used to convey it, affects how well it is received by the customer. Even in a multimedia presentation, the personal touch can make a positive difference. Therefore, the degree of formality, and the mix of textual and graphical material should match the customer’s preferences.

Many customers prefer written analyses, often in the form of concise executive summaries or point papers; some will ask for an in-depth study after consuming the initial or periodic assessment.

Producers should be aware of the potential pitfalls of relying on the executive summary to reach key customers. If the product does not appeal to the executive’s staff members who read it first, it may never reach the intended recipient.

Customer

In addition to understanding the customer’s intelligence requirements, the producer may benefit from an awareness of the relationship between the customer organization and the intelligence service itself.

The intelligence producer selects the product content and format to suit a specific individual or customer set. However, the producer should beware of selecting material or phraseology that is too esoteric or personal for a potential wide audience. Intelligence products are official publications that become official records for use by all authorized personnel within the producer and customer organizations. They should focus on the primary customer’s needs, yet address the interests of other legitimate players. Sometimes, when the producer is struggling with how to meet the needs of both internal and external customers, the solution is to create two different types of products, one for each type of customer. Internal products contain details about the sources and methods used to generate the intelligence, while external products emphasize actionable target information. Similarly, the producer adjusts the product content and tone to the customer’s level of expertise.

Finally, the number of designated recipients is often determined by the sensitivity of the intelligence issue covered in the product. If the intelligence is highly sensitive… then only the few involved persons will receive the report. A routine report may be broadly distributed to a large customer set. Thus, the choice of distribution method is more a marketing decision than a mechanical exercise. Successful delivery of a truly useful intelligence product to a receptive customer is the result of communication and cooperation among all the players.

Customer Feedback and Production Evaluation

The production phase of the intelligence process does not end with delivering the product to the customer. Rather, it continues in the same manner in which it began: with dialogue between producer and customer.

If the product is really to be useful for policy-making and command, dissemination involves feedback, which is part of the marketing function…. Ideally, the “marketer” who delivers the product is the same individual who accepts and helps to refine the initial requirement.

Intelligence producers need feedback from end-users. If producers do not learn what is useful and not useful to customers, they cannot create genuine intelligence. Internal review procedures that focus on the format and style of intelligence products are not sufficient for producers to judge their performance; they must hear from customers on the intelligence value of their work.

Feedback procedures between producers and customers should include key questions, such as: Is the product usable? Is it timely? Was it in fact used? Did the product meet expectations? If not, why not? What next? The answers to these questions will lead to refined production, greater use of intelligence by decisionmakers, and further feedback sessions. Thus, production of intelligence actually generates more requirements in this iterative process. Producers and managers may use the framework developed by Brei and summarized below as an initial checklist for evaluating their own work, and as a basis for formal customer surveys to obtain constructive feedback.

Producers also need performance feedback from their own managers. Useful aspects of such an internal evaluation may include whether the output met the conditions set down by customers and producers in formal intelligence requirements, whether the intelligence was indeed used by customers, and whether the product resulted from a high standard of analytic quality.

To establish a formal internal review process for monitoring the quality of analysis in intelligence products, managers could select experienced analysts to serve on a rotating basis as “mindset coaches” — reviewing assessments for issues of mindset, uncertainty, and policy utility, or consider pairing with another production division to swap personnel for this activity. As a rule, the less the critical reader knows about the substance of the paper the more he or she will concentrate on the quality of the argumentation.

Managers make key decisions that mirror the intelligence process and make production possible. In conjunction with customers, managers determine what customer set the intelligence unit will serve; what sources it will exploit; what types of intelligence it will produce; and what methods of collection, processing, analysis, production, customer feedback, and self-evaluation it will use.

PART VII MANAGING THE INTELLIGENCE PROCESS

The Role of Management

Another discipline integral to the intelligence profession — but worthy of special consideration in this context — is that of management. The effective administration and direction of intelligence activities can be regarded as the epitome of intelligence professionalism. Just as an untutored civilian cannot be expected competently to command [a military unit], so an untrained or inexperienced layperson cannot be expected effectively to direct [an intelligence operation]. But mastery of professional intelligence skills does not, in itself, ensure that a person is able to direct intelligence functions competently; expertise in administrative techniques and behavioral skills is also essential to managerial effectiveness. Some facility in these areas can be acquired through experience, but a professional level of competence requires familiarity with the principles and theories of management, and leadership.

George Allen, “The Professionalization of Intelligence,” in Dearth and Goodden, 1995, 37.

Supervisors and managers have a particular responsibility for ensuring the professional development of their subordinates. When all the members of the intelligence unit are competent, then the effectiveness of the group increases. Enabling subordinates also frees managers to thoroughly plan and administer the intelligence operation, instead of redoing the work of production personnel.

Organizing the Intelligence Service

In the national Intelligence Community, federal laws form the basis for a centrally coordinated but functionally organized system.

The unifying principle across government intelligence missions is the basic charter to monitor and manage threats to national interests and to the intelligence service itself. In both the national Intelligence Community and the business community, managers may make a distinction between self-protective intelligence activities and competitive intelligence activities.

Threat analysis in the business environment depends on the open exchange of information between companies, as it is widely recognized that no one benefits from other companies encountering unnecessary risk or danger to their personnel.

On the other hand, at the corporate level, competitive business intelligence relies on the protection or discovery of important corporate data. In the public security environment, diplomatic security and force protection for a government’s own citizens, and for personnel in multilateral operations, is in the best interests of all. Conversely, foreign capabilities assessment operates in the context of a zero-sum game among countries, with potential winners and losers of the tactical advantage.

When the very survival of a corporation or country is at stake vis-a-vis other players in their respective environments, a global or strategic model applies. At this level, strategic warning intelligence takes center stage in the government security setting, and its counterpart — strategic scenario planning — achieves value in the private sector.

The alternative to taking global or strategic intelligence action is to allow threats to emerge and to bring company or government officials to the realm of crisis management. There, fundamental government or business interests are at stake, and the outcome is more likely to be left to the vagaries of impulse and chance than to the considered judgment and actions of corporate or government leaders.

Managing Analysis and Production

Intelligence managers in government and industry need to decide how to organize the production process just as they need to determine the structure of the intelligence service as a whole. Typical methods of assigning analysts are by target function, geographical region, technical subject, or policy issue. The intelligence service may task analysts to concentrate on one type of source information, or to merge all available sources to produce “finished” intelligence or estimates.

Some industries will need analysts to specialize in certain technical subject areas or complex issues, while large corporations may assign intelligence analysts to each of several departments such as Research or Product Development. Small independent intelligence services may require personnel to perform all the functions of the intelligence process from needs assessment to production and performance evaluation. In that case, analysts might be assigned to a particular customer account rather than a specific topic area.

Furthermore, managers can take the initiative in transforming intelligence into a proactive service. Managers who are isolated from the intelligence customer tend to monitor the quantity of reports produced and level of polish in intelligence products, but not the utility of the intelligence itself.

But policy officials will seek information and judgment from the source that provides it at the lowest personal cost, including the mass media, no matter how much money the intelligence organization is spending to fund analysis on their behalf. Thus, managers need to learn to ask for and accept opportunity analysis included in intelligence products, not remove it as inappropriate during the review process.

Evaluating the Intelligence Process

Beyond organizing and monitoring intelligence production, an additional management responsibility is to evaluate the intelligence service’s overall mission performance. From the manager’s perspective, intelligence products are not the only output from the intelligence process; therefore, products are not the only focus of rigorous self-evaluation.

In the course of its operations, the intelligence unit expends and generates significant amounts of financial and political capital. Careful examination of this commodity flow may yield key insights into process improvement. Internal review procedures may thus include measures of how well the intelligence service and its components organize their work, use funds, allocate materiel and human resources, and coordinate with parent and customer organizations, all from the self-interested perspective of the intelligence service itself.

To assist them in this effort, managers may evaluate the sub-processes and interim products of the Needs Definition, Collection, Processing, Analysis, and Production phases of the intelligence process in terms of Brei’s Intelligence Values: Accuracy, Objectivity, Usability, Relevance, Readiness, and Timeliness.

Seeing the members of the intelligence service as customers of management, and of each other, can enable managers to create a work culture in which each person’s needs and talents are respected and incorporated into the organization’s mission.

PART VIII
PORTRAIT OF AN INTELLIGENCE ANALYST

The efficacy of the intelligence process described in the foregoing chapters depends upon personnel who are both able and willing to do the specialized work required. Through the findings of several government studies, this section presents the ideal characteristics of the central figure in value-added production — the intelligence analyst. According to these studies, the successful intelligence analyst brings to the discipline certain requisite knowledges and abilities, or has a high aptitude for acquiring them through specialized training; is able to perform the specific tasks associated with the job; and exhibits personality traits compatible with intelligence analysis work.

Cognitive Attributes

An individual’s analytic skill results from a combination of innate qualities, acquired experience, and relevant education. Psychologists call these mental faculties cognitive attributes, and further divide them into two types: abilities (behavioral traits, being able to perform a task) and knowledges (learned information about a specific subject).

According to a recent formal job analysis of selected intelligence analysts conducted by the NSA Office of Human Resources Services, important cognitive abilities for intelligence analysis include written expression, reading comprehension, inductive reasoning, deductive reasoning, pattern recognition, oral comprehension, and information ordering.

Unlike the abilities categories, areas of knowledge for government intelligence specialists do not necessarily apply to their private sector counterparts. The formal job study of government intelligence analysts revealed that knowledge of military-related and technical subjects, not surprisingly, was prevalent among the individuals in the research group.

Performance Factors

Seven intelligence analysis performance categories:

Data Collection – Research and gather data from all available sources.

Data Monitoring – Review flow of scheduled incoming data.

Data Organizing – Organize, format, and maintain data for analysis and technical report generation.

Data Analysis – Analyze gathered data to identify patterns, relationships, or anomalies.

Data Interpretation/Communication – Assign meaning to analyzed data and communicate it to appropriate parties.

Computer Utilization – Use computer applications to assist in analysis.

Coordination – Coordinate with internal and external organizations.

This concise inventory echoes the intelligence process and illustrates the complexity of the intelligence analyst’s job. It also serves as a blueprint for managers as they design intelligence organizations and individual personnel assignments. In particular, the analyst’s job description should reflect these expected behaviors for purposes of recruitment, selection, placement, training, and performance evaluation.

Research at the Joint Military Intelligence College (JMIC) demonstrates that intelligence professionals exhibit a pattern of personality traits that sets them apart from the U.S. population as a whole. In this regard, intelligence professionals are no different from many others, for every profession has its own distinct pattern of personality traits. A significant percentage (21 percent) of those who choose to pursue employment in national security intelligence tend to express the following behavior preferences: orientation to the inner world of ideas rather than the outer world of things and people, tendency to gather factual information through the senses rather than inspiration, proclivity to make decisions on the basis of logic rather than emotion, and an eagerness to seek closure proactively instead of leaving possibilities open. In contrast, researchers found that people who exhibit the opposite set of personality traits are almost non-existent among intelligence professionals.

The most frequently occurring type among the respondents to the JMIC survey exhibits the traits I, S, T and J.

Because people tend to be satisfied and productive in their work if their own personalities match the corresponding behaviors suitable to their jobs, this research tying personality traits to the intelligence profession can help individuals consider their general suitability for certain types of intelligence work.

PART IX DEFENSIVE MEASURES FOR INTELLIGENCE

[A]s information becomes more and more a factor of production, of tangible worth for its own sake, the value of the special knowledge that is the essence of intelligence will command a higher price in the global information age marketplace than will the generally available knowledge. Therein lies the most ancient and, at the same time, the most modern challenge to the future of intelligence — protecting it.

— Goodden, in Dearth and Goodden, 415.

Beyond Intelligence Process: Protecting the Means and the Results

An intelligence organization’s openness about its validated intelligence methods is of course tempered by self-defense considerations.

In light of the tendency to overlook OPSEC and INFOSEC implementation, the remainder of this section develops an instructional overview of the basic information that government and business personnel should know to protect their activities from unauthorized exploitation. Indeed, for the health of U.S. commerce and national security activities, everyone needs user-friendly information on how to protect proprietary information.

Operations Security

OPSEC is essential to the intelligence function in both the national security and business environments. OPSEC denies adversaries information about one’s own operational capabilities and intentions by identifying, controlling, and protecting indicators associated with the planning and conduct of those operations and other related activities.

An adversary is not necessarily a belligerent enemy: In OPSEC terms, an adversary is any entity that acts against one’s own interest or actively opposes one’s own goals.

Countermeasure options to prevent an adversary from exploiting these factors include: eliminating the indicators altogether, concealing indicator activities, disguising indicator activities, and staging deceptive (false) activities.

Information Systems Security

Information Systems Security (INFOSEC) refers to the protection of information that an organization uses and produces in the course of its operations. Today, this means protecting complex electronic networks. Government and business depend upon computerized systems for everything from banking, communications, and data processing to physical security and travel reservations. To the casual observer, INFOSEC may seem the domain of a few technical specialists, or the exclusive concern of the military or intelligence agencies. But INFOSEC is the responsibility of everyone who has ever used a telephone, computer, or automatic bank teller machine.

Each intelligence organization and activity must tailor its INFOSEC measures to particular technologies and operational practices, weighing the costs of such measures against their value in safeguarding the mission.

INFOSEC for Everyone

The national authorities for INFOSEC described above evolved out of the need to protect the fundamental role of information in a democratic society and market economy. They help strike the balance between free exchange of information and privacy, and between free enterprise and regulation. Government-sponsored information policy and technology set the standards upon which nearly every facet of public and private life is based. Citizens receive basic services through government-created or -regulated information infrastructure, including automatic payroll deposit to employee bank accounts, cellular telephone service, electronic commerce via the Internet, air and rail traffic control, emergency medical services, and electrical power supply.

Such services contribute not only to the citizen’s quality of life, but to the very functioning of the nation. Information is the lifeblood of society and the economy. Imagine the chaos that would reign if the government, the military, banks, businesses, schools, and hospitals could not communicate reliably. Life would come to a halt.

Government expertise in information technology and policy has made it the authority specifically on protecting intelligence operations. The private sector may also benefit from this expertise by applying INFOSEC measures in business intelligence.

EPILOGUE

This primer has reviewed government intelligence production practices in building-block fashion. It has also explored the defensive measures comprising information security and operations security, which are integral to all the building blocks, and are equally applicable to private businesses and government organizations. Finally, the primer has drawn a cognitive, behavioral and personality profile of the central figure in intelligence production — the intelligence analyst. In the spirit of benchmarking, this document invites a reciprocal examination of best practices that may have been developed by private businesses, and of principles that may have been derived from other academic studies of intelligence-related processes.

Although this effort reflects a government initiative, in fact the government Intelligence Community may receive the greater share of rewards from benchmarking its own process. Potential benefits to the Community include an improved public image, increased self-awareness, more efficient recruitment through more informed self-selection by candidates for employment, as well as any resultant acquisition of specialized information from subject matter experts in the business and academic communities.

Notes on Open-Source Intelligence ATP 2-22.9


Preface

ATP 2-22.9 establishes a common understanding, foundational concepts, and methods of use for Army open-source intelligence (OSINT). ATP 2-22.9 highlights the characterization of OSINT as an intelligence discipline, its interrelationship with other intelligence disciplines, and its applicability to unified land operations.

This Army techniques publication—

  • Provides fundamental principles and terminology for Army units that conduct OSINT exploitation.
  • Discusses tactics, techniques, and procedures (TTP) for Army units that conduct OSINT exploitation.
  • Provides a catalyst for renewing and emphasizing Army awareness of the value of publicly available information and open sources.
  • Establishes a common understanding of OSINT.
  • Develops systematic approaches to plan, prepare, collect, and produce intelligence from publicly available information from open sources.

Introduction

Since before the advent of the satellite and other advanced technological means of gathering information, military professionals have planned, prepared, collected, and produced intelligence from publicly available information and open sources to gain knowledge and understanding of foreign lands, peoples, potential threats, and armies.

Open sources possess much of the information needed to understand the physical and human factors of the operational environment of unified land operations. Physical and human factors of a given operational environment can be addressed utilizing publicly available information to satisfy information and intelligence requirements and provide increased situational awareness interrelated with the application of technical or classified resources.

The world is being reinvented by open sources. Publicly available information can be used by a variety of individuals to expand a broad spectrum of objectives. The significance and relevance of open-source intelligence (OSINT) serve as an economy of force, provide an additional leverage capability, and cue technical or classified assets to refine and validate both information and intelligence.

As an intelligence discipline, OSINT is judged by its contribution to the intelligence warfighting function in support of other warfighting functions and unified land operations.

Chapter 1

Open-Source Intelligence (OSINT) Fundamentals

DEFINITION AND TERMS

1-1. Open-source intelligence is the intelligence discipline that pertains to intelligence produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence and information requirement (FM 2-0). OSINT also applies to the intelligence produced by that discipline.

1-2. OSINT is also intelligence developed from the overt collection and analysis of publicly available and open-source information not under the direct control of the U.S. Government. OSINT is derived from the systematic collection, processing, and analysis of publicly available, relevant information in response to intelligence requirements. Two important related terms are open source and publicly available information:

  • Open source is any person or group that provides information without the expectation of privacy––the information, the relationship, or both is not protected against public disclosure. Open-source information can be publicly available but not all publicly available information is open source. Open sources refer to publicly available information medium and are not limited to physical persons.
  • Publicly available information is data, facts, instructions, or other material published or broadcast for general public consumption; available on request to a member of the general public; lawfully seen or heard by any casual observer; or made available at a meeting open to the general public.

1-3. OSINT collection is normally accomplished through monitoring, data-mining, and research. Open-source production supports all-source intelligence and the continuing activities of the intelligence process (generate intelligence knowledge, analyze, assess, and disseminate), as prescribed in FM 2-0. Like other intelligence disciplines, OSINT is developed based on the commander’s intelligence requirements.

CHARACTERISTICS

1-4. The following characteristics address the role of OSINT in unified land operations:

  • Provides the foundation. Open-source information provides the majority of the necessary background information on any area of operations (AO). This foundation is obtained through open-source media components that provide worldview awareness of international events and perceptions of non-U.S. societies. This foundation is an essential part of the continuing activity of generate intelligence knowledge.

  • Answers requirements. The availability, depth, and range of publicly available information enables organizations to satisfy intelligence and information requirements without the use or support of specialized human or technical means of collection.
  • Enhances collection. Open-source research supports surveillance and reconnaissance activities by answering intelligence and information requirements. It also provides information (such as biographies, cultural information, geospatial information, and technical data) that enhances and uses more technical means of collection.
  • Enhances production. As part of a multidiscipline intelligence effort, the use and integration of publicly available information and open sources ensure commanders have the benefit of all sources of available information to make informative decisions.

THE INTELLIGENCE WARFIGHTING FUNCTION

1-5.  The intelligence warfighting function is composed of four distinct Army tactical tasks (ARTs):

  • Intelligence support to force generation (ART 2.1).
  • Support to situational understanding (ART 2.2).
  • Perform intelligence, surveillance, and reconnaissance (ART 2.3).
  • Support to targeting and information superiority (ART 2.4).

1-6. The intelligence warfighting function is the related tasks and systems that facilitate understanding of the operational environment, enemy, terrain, weather, and civil considerations (FM 1-02). As a continuous process, the intelligence warfighting function involves analyzing information from all sources and conducting operations to develop the situation. OSINT supports each of these ARTs.

Publicly available information is used to—

  1. Support situational understanding of the threat and operational environment.
    Obtain information about threat characteristics, terrain, weather, and civil considerations.
  2. Generate intelligence knowledge before receipt of mission to provide relevant knowledge of the operational environment.
  3. Rapidly provide succinct answers to satisfy the commander’s intelligence requirements during intelligence overwatch.
    Develop a baseline of knowledge and understanding concerning potential threat actions or intentions within specific operational environments in support of the commander’s ongoing intelligence requirements.
  4. Generate intelligence knowledge as the basis for Army integrating functions such as intelligence preparation of the battlefield (IPB). IPB is designed to support the staff estimate and the military decision-making process (MDMP).
  5. Most intelligence requirements are generated as a result of the IPB process and its interrelation with MDMP.
  6. Support situation development—a process for analyzing information and producing current intelligence concerning portions of the mission variables of enemy, terrain and weather, and civil considerations within the AO before and during operations (see FM 2-0). Situation development—
  • Assists the G-2/S-2 in determining threat intentions and objectives.
  • Confirms or denies courses of action (COAs).
  • Provides an estimate of threat combat effectiveness.

Support information collection. Planning requirements and assessing collection analyzes information requirements and intelligence gaps and assists in determining which asset or combination of assets are to be used to satisfy the requirements.

THE INTELLIGENCE PROCESS

1-9. The intelligence process consists of four steps (plan, prepare, collect, and produce) and four continuing activities (analyze, generate intelligence knowledge, assess, and disseminate). Just as the activities of the operations process (plan, prepare, execute, and assess) overlap and recur as the mission demands, so do the steps of the intelligence process. The continuing activities occur continuously throughout the intelligence process and are guided by the commander’s input.

1-10. The four continuing activities plus the commander’s input drive, shape, and develop the intelligence process. The intelligence process provides a common model for intelligence professionals to use to guide their thoughts, discussions, plans, and assessments. The intelligence process results in knowledge and products about the threat, terrain and weather, and civil considerations.

1-11. OSINT enhances and supports the intelligence process and enables the operations process, as described in FM 2-0. The intelligence process enables the systematic execution of Army OSINT exploitation, as well as the integration with various organizations (such as joint, interagency, intergovernmental, and multinational).

THE PLANNING REQUIREMENTS AND ASSESSING COLLECTION PROCESS

1-12. Information collection informs decisionmaking for the commander and enables the application of combat power and assessment of its effects. Information collection is an activity that synchronizes and integrates the planning and operation of sensors, assets, as well as the processing, exploitation, and dissemination of systems in direct support of current and future operations (FM 3-55). This is an integrated intelligence and operations function. For Army forces, this activity is a combined arms operation that focuses on priority intelligence requirements (PIRs) while answering the commander’s critical information requirements (CCIRs).

1-13. Information collected from multiple sources and analyzed becomes intelligence that provides answers to commanders’ information requirements concerning the enemy and other adversaries, climate, weather, terrain, and population. Developing these requirements is the function of information collection:

  • A commander’s critical information requirement is an information requirement identified by the commander as being critical to facilitating timely decisionmaking. The two key elements are friendly force information requirements and priority intelligence requirements (JP 3-0).
  • A priority intelligence requirement is an intelligence requirement, stated as a priority for intelligence support, which the commander and staff need to understand the adversary or the operational environment (JP 2-0).
  • A friendly force information requirement is information the commander and staff need to understand the status of friendly force and supporting capabilities (JP 3-0).

1-14. The planning requirements and assessing collection process involves six continuous, nondiscrete activities. These activities and subordinate steps are not necessarily sequential and often overlap. The planning requirements and assessing collection process supports the staff planning and operations processes throughout unified land operations.

THE MILITARY DECISIONMAKING PROCESS

1-15. Upon receipt of the mission, commanders and staffs begin the MDMP. The military decisionmaking process is an iterative planning methodology that integrates the activities of the commander, staff, subordinate headquarters, and other partners to understand the situation and mission; develop and compare courses of action; decide on a course of action that best accomplishes the mission; and produce an operation plan or order for execution (FM 5-0).

1-16. During the second step of the MDMP, mission analysis, commanders and staffs analyze the relationships among the mission variables—mission, enemy, terrain and weather, troops and support available, time available, civil considerations (METT-TC)—seeking to gain a greater understanding of the—

  • Operational environment, including enemies and civil considerations.
  • Desired end state of the higher headquarters.
  • Mission and how it is nested with those of the higher headquarters.
  • Forces and resources available to accomplish the mission and associated tasks.

1-17. Within the MDMP, OSINT assists in enabling the planning staff to update estimates and initial assessments by using publicly available information and open sources. Major intelligence contributions to mission analysis occur because of IPB.

INTELLIGENCE PREPARATION OF THE BATTLEFIELD

1-18. Intelligence preparation of the battlefield is a systematic process of analyzing and visualizing the portions of the mission variables of threat, terrain, weather, and civil considerations in a specific area of interest and for a specific mission. By applying intelligence preparation of the battlefield, commanders gain the information necessary to selectively apply and maximize operational effectiveness at critical points in time and space (FM 2-01.3).

1-19. IPB was originally designed to support the MDMP and troop leading procedures, but it can also be incorporated into other problem-solving models like design and red teaming. OSINT plays a significant and integral part during IPB in satisfying intelligence and information requirements indicated during the MDMP in support of unified land operations. The indicators that can be satisfied using OSINT during IPB include but are not limited to—

1-20. IPB is used primarily by commanders and staffs as a guide to evaluate specific datasets in order to gain an understanding of a defined operational environment. Prior to operations, an examination of national, multination partner, joint, and higher echelon databases is required to determine if the information requested is already available. As operations commence, new intelligence and information requirements are further identified as a result of battlefield changes. Publicly available information and open sources, when produced and properly integrated in support of the all-source intelligence effort, can be used to satisfy intelligence and information requirements.

Chapter 2

Planning and Preparation of the OSINT Mission

Directly or indirectly, publicly available information and open sources form the foundation for all intelligence when conducting operations. This foundation comes from open-source media components that provide worldview awareness of international events and perceptions of non-U.S. societies. This awareness prompts commanders to visualize a plan. Planning occurs when intelligence and information requirements are identified and means are developed as to how they will be satisfied.

SECTION I – PLANNING OSINT ACTIVITIES

2-1. The plan step of the intelligence process consists of the activities that identify pertinent information requirements and develop the means for satisfying those requirements and meeting the commander’s desired end state. As an aspect of intelligence readiness, planning for OSINT exploitation begins before a unit receives an official order or tasking as part of the generate intelligence knowledge continuing activity of the intelligence process.

2-2. The focus of OSINT research prior to deployment is determined and directed by the commander’s guidance. Sustained and proactive open-source research using basic and advanced Internet search techniques plays a critical role in understanding AOs through foundational knowledge required for unit readiness and effective planning. Research during planning for possible missions provides insight into how nontraditional military forces, foreign military forces, and transnational threats have operated in similar AOs. Prior to deployment, organizations with dedicated OSINT missions can also be resourced to satisfy intelligence and information requirements.

2-3. After a unit receives a mission, the focus of OSINT research is further refined based on the AO in which the unit operates. OSINT supports the continuous assessment of unified land operations during planning. Effective research and planning ensure commanders receive timely, relevant, and accurate intelligence and information to accomplish assigned missions and tasks. The MDMP and IPB driven by the intelligence process frame the planning of OSINT exploitation. OSINT is integrated into planning through the four steps of the IPB process:

  • Define the operational environment.
  • Describe environmental effects on operations.
  • Evaluate the threat.
  • Determine threat COAs.

DEFINE THE OPERATIONAL ENVIRONMENT

2-4. When assessing the conditions, circumstances, and influences in the AO and area of interest, the intelligence staff examines all characteristics of the operational environment. There are preexisting publicly available inputs that can be used to identify significant variables when analyzing the terrain, weather, threat, and civil considerations. At the end of step one of the IPB process, publicly available information and open sources can be used to support the development of the AO assessment and area of interest assessment.

DESCRIBE ENVIRONMENTAL EFFECTS ON OPERATIONS

2-5. When analyzing the environmental effects on threat and friendly operations, publicly available information and open sources can be used to describe the—

  • Physical environment (terrestrial, air, maritime, space, and information domains).
  • Civil considerations.

2-6. Combine the evaluation of the effects of terrain, weather, and civil considerations into a product that best suits the commander’s requirements. At the end of the second step of IPB, publicly available information and open sources can be used to better inform the commander of possible threat COAs and products and assessments to support the remainder of the IPB process.

EVALUATE THE THREAT

2-7. Step three of the IPB process is to evaluate each of the significant threats in the AO. If the staff fails to determine all the threat factions involved or their capabilities or equipment, or to understand their doctrine and tactics, techniques, and procedures (TTP), as well as their history, the staff will lack the intelligence needed for planning. At the end of step three of IPB, publicly available information and open sources can provide the majority of the information required to identify threat characteristics, as well as provide possible information needed to update threat models.

DETERMINE THREAT COURSES OF ACTION

2-8. Step four of the IPB process is to identify, develop, and determine likely threat COAs that can influence accomplishment of the friendly mission. The end state of step four is to replicate the set of COAs available to the threat commander and to identify those areas and activities that, when observed, discern which COA the threat commander has chosen. At the end of step four of IPB, publicly available information and open sources can be used to determine indicators adopted by the threat commander.

SECTION II – PREPARATION OF OSINT ACTIVITIES

2-9. The reliance on classified databases has often left Soldiers uninformed and ill-prepared to capitalize on the huge reservoir of unclassified information from publicly available information and open sources.

OSINT EXPLOITATION

2-10. When preparing to conduct OSINT exploitation, the areas primarily focused on are—

  • Public speaking forums.
  • Public documents.
  • Public broadcasts.
  • Internet Web sites.

PUBLIC SPEAKING FORUMS

2-11. Acquiring information at public speaking forums requires close coordination to ensure that any overt acquisition is integrated and synchronized with the information collection plan and does not violate laws prohibiting the unauthorized collecting of information for intelligence purposes.

2-13.  The operation order (OPORD), TTP, or unit standard operating procedures (SOPs) should describe how the unit that is tasked with the public speaking forum mission requests, allocates, and manages funds to purchase digital camera and audio recording equipment along with the computer hardware and software to play and store video-related data.

PUBLIC DOCUMENTS

2-14. Organizations within an AO conduct document collection missions. Once collected, documents are analyzed and the information is disseminated throughout the intelligence community. Before executing any OSINT exploitation related to collecting public documents, it is important to—

  • Coordinate document collection, processing, and analysis activities across echelons.
  • Identify the procedure to deploy, maintain, recover, and transfer hardcopy, analog, and digital media processing and communications equipment.
  • Identify academic and commercial-off-the-shelf (COTS) information services that are already available for open-source acquisition, processing, and production.

2-15. The OPORD, TTP, or unit SOPs should describe how the unit requests, allocates, and manages funds for—

  • Document collection and processing services.
  • Purchasing books, dictionaries, images, maps, newspapers, periodicals, recorded audio and video items, computer hardware, digital cameras, and scanning equipment.
  • The cost of subscribing to newspapers, periodicals, and other readable materials.

2-16. For more detailed information on public documents and document exploitation, see TC 2-91.8.

PUBLIC BROADCASTS

2-17. The DNI OSC collects, processes, and reports international and regional broadcasts. This enables deployed organizations to collect and process information from local broadcasts that are of command interest. Before exploiting OSINT related to public broadcasts, it is important to—

  • Coordinate broadcast collection, processing, and production activities with those of the OSC.
  • Identify the procedure to deploy, maintain, recover, and transfer radio and television digital media storage devices and content processing and communications systems.
  • Identify Internet collection and processing resources to collect on television or radio station-specific Web casts.

INTERNET WEB SITES

2-19. Information collected, processed, and produced from Internet Web sites supports unified land operations. Before exploiting OSINT related to Internet Web sites—

  • Coordinate Internet collection, processing, and analysis activities across echelons.
  • Identify the procedure to deploy, maintain, recover, and transfer computers and associated communications and data storage systems.
  • Coordinate with G-6/S-6 for access to the INTELINK-U network or approved commercial Internet service providers that support open-source acquisition, processing, storage, and dissemination requirements.
  • Coordinate with G-6/S-6 to develop a list of authorized U.S. and non-U.S. Internet Web sites for official government use, open-source research, and non-U.S. Internet Web sites restricted to selected authorized personnel engaged in OSINT exploitation.
  • Identify academic and COTS information services that are already available for open-source information acquisition, processing, and production.

PREPARATION CONSIDERATIONS

2-21. Preparing for OSINT exploitation also includes—

  • Establishing an OSINT architecture.
  • Prioritizing tasks and requests.
  • Task-organizing assets.
  • Deploying assets.
  • Assessing completed operations.

ESTABLISHING AN OSINT ARCHITECTURE

2-22. OSINT contributes to establishing an intelligence architecture, specifically ART 2.2.2, Establish Intelligence Architecture. Establishing an intelligence architecture comprises complex and technical issues that include sensors, data flow, hardware, software, communications, communications security materials, network classification, technicians, database access, liaison officers, training, and funding. A well-defined and -designed intelligence architecture can offset or mitigate structural, organizational, or personnel limitations. This architecture provides the best possible understanding of the threat, terrain and weather, and civil considerations. An established OSINT architecture incorporates data flow, hardware, software, communications security components, and databases that include:

  • Conducting intelligence reach. Intelligence reach is a process by which intelligence organizations proactively and rapidly access information from, receive support from, and conduct direct collaboration and information sharing with other units and agencies, both within and outside the area of operations, unconstrained by geographic proximity, echelon, or command (FM 2-0).
  • Developing and maintaining automated intelligence networks. This task entails providing information systems that connect assets, units, echelons, agencies, and multinational partners for intelligence, collaborative analysis and production, dissemination, and intelligence reach. It uses existing automated information systems, and, when necessary, creates operationally specific networks.
  • Establishing and maintaining access. This task entails establishing, providing, and maintaining access to classified and unclassified programs, databases, networks, systems, and other Web-based collaborative environments for Army forces, joint forces, national agencies, and multinational organizations.
  • Creating and maintaining databases. This task entails creating and maintaining unclassified and classified databases. Its purpose is to establish interoperable and collaborative environments for Army forces, joint forces, national agencies, and multinational organizations. This task facilitates intelligence analysis, reporting, production, dissemination, sustainment, and intelligence reach.

Operational and Technical Open-Source Databases

2-23. OSINT exploitation requires access to databases and Internet capabilities to facilitate processing, storage, retrieval, and exchange of publicly available information. These databases are resident on local area networks (LANs), the World Wide Web (WWW), and the Deep Web (see appendix C for additional information). To support unified land operations, OSINT personnel use evaluated and analyzed publicly available information and open sources to populate information databases such as—

    • Operational information databases, which support the correlation of orders, requests, collection statuses, processing resources, and graphics.
    • Technical information databases, which support collection operations and consist of unprocessed text, audio files, video files, translations, and transcripts.

Open-Source Collection Acquisition Requirement–Management System

2-24. The primary open-source requirements management operational information and technical information database is the Open-source Collection Acquisition Requirement-Management System (OSCAR-MS). OSCAR-MS is a Web-based service sponsored by the Office of the Assistant Deputy Director of National Intelligence for Open Source (ADDNI/OS) to provide the National Open Source Enterprise (NOSE) with an application for managing open-source collection requirements. OSCAR-MS links OSINT providers and consumers within the intelligence community down to the brigade combat team (BCT) level. Personnel at the BCT level access OSCAR-MS via the SECRET Internet Protocol Router Network (SIPRNET) in order to submit requests for information to the Department of the Army Intelligence Information Services (DA IIS) request for information portal. The goal of the OSCAR-MS is to automate and streamline ad hoc open-source collection requirements by—

    • Providing useful metrics to understand OSINT requirements.
    • Allowing the digital indexing and tagging of submitted and completed open-source products to be searchable in the Library of National Intelligence.
    • Providing for local control of administrative data such as unit account management, local data tables, and local formats.
    • Allowing simple and flexible formats that employ database auto-population.
    • Using complete English instead of acronyms, computer codes, and other non-intuitive shortcuts.
    • Allowing linkages between requirements, products, and evaluations.
    • Enabling integration of open-source users for collaboration between agencies.
    • Reducing requirement duplication through customers directly contributing to existing requirements.

PRIORITIZING TASKS AND REQUESTS

2-26. The G-2/S-2 and G-3/S-3 staffs use commander guidance and primary intelligence requirements to complete the information collection plan. The plan is used to assign tasks to subordinate units or submit requests to supporting intelligence organizations to achieve the desired information collection objectives. Embodied in the information collection plan, these tasks describe how the unit––

  • Requests collection and production support from joint, interagency, intergovernmental, and multinational organizations.
  • Task-organizes and deploys organic, attached, and contracted collection, processing, and production assets.
  • Conducts remote, split-based, or distributed collection, processing, and production.
  • Requests and manages U.S. and non-U.S. linguists based on priority for support, mission-specific skills, knowledge requirements (such as language, dialect, and skill level), clearance level, and category.

2-27. When developing information collection tasks for subordinate units, the G-2/S-2 and G-3/S-3 staffs use the task and purpose construct for developing task statements to account for—

  • Who is to execute the task?
  • What is the task?
  • When will the task begin?
  • Where will the task occur?

DEPLOYING ASSETS

2-29.  Deployment of publicly available assets—

  • Supports the scheme of maneuver.
  • Supports the commander’s intent.
  • Complies with unit SOPs.

2-30.  The deployment of assets generally requires a secure position, with network connectivity to the Internet, in proximity to supporting sustainment, protection, and communications resources.

ASSESSING COMPLETED OPERATIONS

2-31. Typical guidelines used to assess operations are—

  • Monitoring operations.
  • Correlating and screening reports.
  • Disseminating and providing a feedback mechanism.

SECTION III – PLANNING AND PREPARATION CONSIDERATIONS

2-33. Planning and preparation considerations when planning for OSINT exploitation include—

  • Open-source reliability.
  • Open-source information content credibility.
  • Compliance.
  • Operations security (OPSEC).
  • Classification.
  • Coordination.
  • Deception and bias.
  • Copyright and intellectual property.
  • Linguist requirements.
  • Machine foreign language translation (MFLT) systems.

OPEN-SOURCE RELIABILITY

2-34.  The types of sources used to evaluate information are—

  • Primary sources.
  • Secondary sources.

2-35.  A primary source refers to a document or physical object that was written or created during the time under study. These sources are present during an experience or time period and offer an inside view of a particular event. Primary sources—

  • Are generally categorized by content.
  • Are either public or private.
  • Are also referred to as original sources or evidence.
  • Are usually fragmentary, ambiguous, and difficult to analyze. The information contained in primary sources is also subject to obsolete meanings of familiar words.

2-36.  Some types of primary sources include—

    • Original documents (excerpts or translations) such as diaries, constitutions, research journals, speeches, manuscripts, letters, oral interviews, news film footage, autobiographies, and official records.
    • Creative works such as poetry, drama, novels, music, and art.
    • Relics or artifacts such as pottery, furniture, clothing, artifacts, and buildings.
    • Personal narratives and memoirs.
    • Person of direct knowledge.

2-37.  A secondary source interprets, analyzes, cites, and builds upon primary sources. Secondary sources may contain pictures, quotes, or graphics from primary sources. Some types of secondary sources include publications such as—

  • Journals that interpret findings.
  • Magazine articles.

Note. Primary and secondary sources are oftentimes difficult to distinguish as both are subjective in nature. Primary sources are not necessarily more of an authority or better than secondary sources. For any source, primary or secondary, it is important for OSINT personnel to evaluate the report for deception and bias.

2-38. Open-source reliability ratings range from A (reliable) to F (cannot be judged) as shown in table 2-1. A first-time source used in the creation of OSINT is given a source rating of F. An F rating does not mean the source is unreliable, but OSINT personnel have no previous experience with the source upon which to base a determination.

OPEN-SOURCE INFORMATION CONTENT CREDIBILITY

2-39. Similar to open-source reliability, credibility ratings range from one (confirmed) to eight (cannot be judged) as shown in table 2-2. If the information is received from a first-time source, it is given a rating of eight and, like the reliability ratings scale, does not mean the information is not credible but that OSINT personnel have no means to verify the information.

COMPLIANCE

2-40. In accordance with EO 12333, DOD 5240.1-R, and AR 381-10, procedure 2, Army intelligence activities may collect publicly available information on U.S. persons only when it is necessary to fulfill an assigned function.

CLASSIFICATION

2-42. AR 380-5 states that intelligence producers “must be wary of applying so much security that they are unable to provide a useful product to consumers.” This is an appropriate warning for OSINT personnel where concern for OPSEC can undermine the ability to disseminate inherently unclassified information. Examples of unclassified information being over-classified are—

  • Reported information found in a foreign newspaper.
  • Message from a foreign official attending an international conference.

2-43. AR 380-5 directs that Army personnel will not apply classification or other security markings to an article or portion of an article that has appeared in a newspaper, magazine, or other public medium. Final analysis of OSINT may require additional restrictions and be deemed controlled unclassified information or sensitive but unclassified information.

COORDINATION

2-44. During planning, the G-2/S-2 and G-3/S-3 staff must ensure that OSINT missions and tasks are synchronized with the scheme of maneuver. Acquiring open-source information may compromise the operations of other intelligence disciplines or tactical units. Open-source acquisition that is not synchronized may also result in the tasking of multiple assets and the improper utilization of forces and equipment, adversely affecting the ability of nonintelligence organizations, such as civil affairs, military police, and public affairs, to accomplish assigned missions and tasks. Conversely, overt contact with an open source by nonintelligence organizations can compromise OSINT missions and tasks and lead to the loss of intelligence.

DECEPTION AND BIAS

2-45. Deception and bias are concerns in OSINT exploitation. OSINT exploitation does not normally acquire information by direct observation of activities and conditions within the AO. OSINT exploitation relies mainly on secondary sources to acquire and disseminate information. Secondary sources, such as government press offices, commercial news organizations, and nongovernmental organization spokespersons, can intentionally or unintentionally add, delete, modify, or otherwise filter the information made available to the general public. These sources may also convey one message in English with the intent to sway U.S. or international perspectives and a different non-English message for local populace consumption. It is important to know the background of open sources and the purpose of the public information in order to distinguish objective, factual information, identify bias, or highlight deception efforts against the reader and the overall operation.

COPYRIGHT AND INTELLECTUAL PROPERTY

2-46. Copyright is a form of protection, for published and unpublished works, provided by Title 17, United States Code (USC), to authors of “original works of authorship,” including literary, dramatic, musical, and artistic works. Intellectual property is considered any creation of the mind and includes, but is not limited to—

  • Musical works and compositions.
  • Artistic displays.
  • Words or phrases.
  • Symbols and designs.

LINGUIST REQUIREMENTS

2-49. The ability to gather and analyze foreign materials is critical in OSINT exploitation. The effective use and employment of linguists, both civilian and military, facilitates this activity. The areas of the highest criticality of required foreign language skills and knowledge proficiency are—

  • Transcription. Both listening and writing proficiency in the source language are essential for an accurate transcript. A transcript is extremely important when English language skills of the OSINT personnel are inadequate for authoritative or direct translation from audio or video into English text.
  • Translation. Bilingual competence is a prerequisite for translations. Linguists must be able to—
    • Read and comprehend the source language.
    • Write comprehensibly in English.
    • Choose the equivalent expression in English that fully conveys and best matches the meaning intended in the source language.
  • Interpretation. Bilingual competence is a prerequisite for interpretation. Linguists must be able to—
    • Hear and comprehend the source language.
    • Speak comprehensibly in English.
    • Choose the equivalent expression in English that fully conveys and best matches the meaning intended in the source language.

SECTION IV – MANNING THE OSINT SECTION

2-66. OSINT personnel that comprise the OSINT section within the intelligence staff section can consist of both intelligence and nonintelligence individuals with the technical competence, creativity, forethought, cultural knowledge, and social awareness to exploit open sources effectively. The designation of OSINT personnel to satisfy requirements, missions, and tasks is generally identified by commanders and task-organized through organic assets (intelligence personnel, nonintelligence personnel, U.S. and non-U.S. contractor personnel, or linguists) in support of unified land operations.

OSINT SECTION DUTIES

2-67. The duties of the OSINT section are to—

  • Monitor operations. This ensures responsiveness to the current situation and anticipates future acquisition, processing, reporting, and synchronization requirements.
  • Correlate reports. Reports (written, verbal, or graphic) should correlate classified reports through OSINT validation.
  • Screen reports. Information is screened in accordance with the CCIRs and commander’s guidance to ensure that pertinent and relevant information is not overlooked and the information is reduced to a workable size. Screening should encompass the elements of timeliness, completeness, and relevance to satisfy intelligence requirements.
  • Disseminate intelligence and information. Satisfied OSINT requirements are disseminated to customers in the form of useable products and reports.
  • Cue. Effective cueing by OSINT to more technical information collection assets, such as human intelligence (HUMINT) and counterintelligence (CI), improves the overall information collection effort by keeping organizations abreast of emerging unclassified information and opportunities as well as enabling the use of a multidiscipline approach to confirm or deny information by another information source, collection organization, or production activity.
  • Provide feedback. An established feedback mechanism is required to the supported commander or customer on the status of intelligence and information requirements.

OSINT SECTION AT THE BRIGADE COMBAT TEAM LEVEL

2-68. Each combatant command may have a task-organized OSINT cell or section that varies in scope and personnel. At the tactical level of operations, it is commonplace for commanders to create OSINT cells from organic intelligence personnel to satisfy intelligence requirements.

2-70. As displayed in figure 2-1, personnel comprising the OSINT section at the BCT level include—

  • Section leader.
  • Requirements manager.
  • Situation development analyst.
  • Target development analyst.

SECTION LEADER

2-71. The section leader—

  • Is the primary liaison and coordinator with the BCT S-2.
  • Provides supervisory and managerial capacity oversight.
  • Sets the priority of tasks.
  • Monitors ongoing intelligence support required by the BCT S-2.
  • Ensures that all OSINT products are included in the planning for current and future operations.

REQUIREMENTS MANAGER

2-72. The requirements manager—

  • Ensures that situation development and target development support the overall efforts of the section.
  • Verifies the availability of collection assets.
  • Performs quality control for situation development and target development products.
  • Supervises the receipt, analysis, and dissemination of OSINT products.

SITUATION DEVELOPMENT ANALYST

2-73. The situation development analyst—

  • Monitors publicly available information and open sources in order to ensure the most accurate common operational picture.
  • Analyzes information and produces current intelligence about the operational environment, enemy, terrain, and civil considerations before and during operations.
  • Refines information received on threat intentions, objectives, combat effectiveness, and potential missions.
  • Confirms or denies threat COAs based on publicly available indicators.
  • Provides information to better understand the local population in areas that include, but are not limited to—
    • Tribal affiliations.
    • Political beliefs.
    • Religious tenets.
    • Key leaders.
    • Support groups.
    • Income sources.

TARGET DEVELOPMENT ANALYST

2-74. The target development analyst—

  • Identifies the components, elements, and characteristics of specific targets, both lethal and nonlethal.
  • Identifies civil and other non-target considerations within the AO.
  • Provides publicly available information on threat capabilities and limitations.

TASK ORGANIZATION CONSIDERATIONS

2-75. When task-organizing the OSINT section to satisfy intelligence and information requirements, units must consider—

  • Mission command.
  • Collecting and processing.
  • Computer systems.

MISSION COMMAND

2-76. Dedicated mission command personnel are needed in order to provide management and oversight of OSINT exploitation to ensure continued synchronization with maneuver elements, tasks, and requests.

ACQUISITION

2-77. Due to the volumes of publicly available information, acquisition through established information collection activities and systems is necessary to ensure that open-source information that could provide essential and necessary mission-related information is not lost or misplaced. Publicly available information acquired from open sources should be reported in accordance with established unit SOPs.

COLLECTING AND PROCESSING

2-78. OSINT properly integrated into overall collection plans during operations is used to satisfy CCIRs. In order to access the full array of domestic and foreign publicly available information, the processing of materials oftentimes requires OSINT support to personnel operating in the areas of document exploitation (DOCEX).

Chapter 3

Collecting OSINT

Due to the unclassified nature of publicly available information, those engaging in OSINT collection activities can begin researching background information on their assigned area of responsibility long before the issuance of an official military deployment order while generating intelligence knowledge. IPB, an integrating process for Army forces, is the mechanism identifying intelligence and information requirements that can be satisfied utilizing publicly available information and open sources.

COLLECTING PUBLICLY AVAILABLE INFORMATION

3-1. Publicly available information and open-source research, applied as an economy of force, is an effective means of assimilating authoritative and detailed information on the mission variables (METT-TC) and operational variables (political, military, economic, social, information, infrastructure, physical environment, time [PMESII-PT]). The compilation of unanswered intelligence and information requirements determined at the conclusion of the MDMP and IPB is exercised through the commander’s input. Commander’s input—

  • Is expressed in the terms of describe, visualize, and direct.
  • Is the cornerstone of guidance used by OSINT personnel.
  • Validates intelligence and information requirements.

3-2. Commander’s input is expressed as CCIRs and categorized as friendly force information requirements (FFIRs) and PIRs. Using continuous research and processing methods, coupled with the commander’s input and intelligence and information requirements, OSINT personnel collect publicly available information for exploitation. The collect step of the intelligence process involves collecting, processing, and reporting information in response to information collection tasks. Collected information is the foundation of intelligence databases, intelligence production, and situational awareness.

3-3. OSINT is integrated into planning through the continuous process of IPB. Personnel engaging in OSINT exploitation must initiate collection and requests for information to satisfy CCIRs to the level of detail required. Collecting open-source information comprises four steps, as shown in figure 3-1 on page 3-2:

  • Identify information and intelligence requirements.
  • Categorize intelligence requirements by type.
  • Identify source to collect the information.
  • Determine collection technique.

IDENTIFY INFORMATION AND INTELLIGENCE REQUIREMENTS

3-4. Intelligence and information gaps are identified during the IPB process. These gaps should be developed and framed around the mission and operational variables in order to ensure the commander receives the information needed to support all lines of operations or lines of effort. As information and intelligence are received, OSINT personnel update IPB products and inform the commander of any relevant changes. OSINT needs clearly stated information and intelligence requirements to focus acquisition and production effectively, and OSINT should be incorporated into collection plans in order to satisfy these requirements.

3-5. Intelligence requirements that need to be satisfied can extend beyond the scope of OSINT, resulting in gaps. OSINT is subject to information and intelligence gaps that need to be satisfied using other appropriate methods to close those gaps.

3-6. IPB is used to classify intelligence and information requirements by type based on mission analysis and friendly COAs. OSINT personnel provide input during this step. Two important related terms that work in concert with OSINT are private information and publicly available information:

  • Private information comprises data, facts, instructions, or other material intended for or restricted to a particular person, group, or organization. Intelligence requirements that require private information are not assigned to OSINT sections. There are two subcategories of private information:
    • Controlled unclassified information requires the application of controls and protective measures, for a variety of reasons (that is, sensitive but unclassified or for official use only).
    • Classified information requires protection against unauthorized disclosure and is marked to indicate its classified status when produced or disseminated.
  • Publicly available information comprises data, facts, instructions, or other material published or broadcast for general public consumption; available on request to a member of the general public; lawfully seen or heard by any casual observer; or made available at a meeting open to the general public.

IDENTIFY SOURCE TO COLLECT INFORMATION

3-7. Identifying the source is part of planning requirements and assessing collection plans. The two types of sources used to collect information are confidential sources and open sources:

  • Confidential sources comprise any persons, groups, or systems that provide information with the expectation that the information, relationship, or both are protected against public disclosure. Information and intelligence requirements that require confidential sources are not assigned to OSINT sections.
  • Open sources comprise any person or group that provides information without the expectation of copyright or privacy—the information, the relationship, or both is not protected against public disclosure. Open sources include but are not limited to—
    • Courseware, dissertations, lectures, presentations, research papers, and studies in both hardcopy and softcopy covering subjects and topics on economics, geography (physical, cultural, and political-military), international relations, regional security, and science and technology.
    • Government agencies and nongovernmental organizations. Databases, posted information, and printed reports on a wide variety of economic, environmental, geographic, humanitarian, security, and science and technology issues.
    • Commercial and public information services. Broadcasted, posted, and printed news on current international, regional, and local topics.
    • Libraries and research centers. Printed documents and digital databases on a range of topics.
    • Individuals and groups. Handwritten, painted, posted, printed, and broadcasted information on subjects and topics on art, graffiti, leaflets, posters, tattoos, and Web sites.
    • Gray literature. Materials and information that are found using advanced Internet search techniques on the Deep Web consisting of technical reports, scientific research papers, and white papers.

DETERMINE COLLECTION TECHNIQUE

3-8. Collection implies gathering, by a variety of means, raw data and information from which finalized intelligence is then created or synthesized, and disseminated. Collected information is analyzed and incorporated into all-source and other intelligence discipline products. These products are disseminated per unit SOPs, OPORDs, other established feedback mechanisms, or intelligence architecture. These techniques confirm the presence of planned targets and provide a baseline of activity and information on sources within the AO for further development and future validation. When gathering information, the technique used includes specific information requests, objectives, priorities, timeframe of expected activity, latest (or earliest) time the information is of value (LTIOV), and reporting instructions.

3-9. Open-source information that satisfies a CCIR is disseminated as quickly as possible to the commander and other staff personnel per unit SOPs or OPORDs. OSINT can use unintrusive collection techniques to cue more technical collection assets. Collection techniques, depending on operation complexities, can enhance the chances of satisfying intelligence and information requirements.

3-10. Open-source acquisition of information to satisfy intelligence requirements is assigned to OSINT personnel. Open-source collection includes the acquisition of material in the public domain. The extent to which open-source collection yields valuable information varies greatly with the nature of the target and the subject involved. The information might be collected by individuals who buy books and journals, observe military parades, or record television and radio programs.

RESEARCH

3-11. After determining the collection technique, OSINT personnel conduct research to satisfy intelligence and information requirements.

DETERMINE RESEARCH QUESTION

3-15. Research begins with the determination of a research question expressed in the form of CCIRs regarding a given topic. In OSINT exploitation, the research question can be based on the mission variables (METT-TC) and operational variables (PMESII-PT). The research question is refined through the development of information and intelligence requirements to be satisfied. Those requirements that are not satisfied are included in the planning requirements and assessing collection plan where more technical means of collection can be utilized.

DEVELOP RESEARCH PLAN

3-16. Different facets of a question may be expressed as information and intelligence requirements. These requirements form the basis for the research plan. A research plan can use both field research and practical research. The plan consists of—

  • Identification of information sources (both primary and secondary).
  • Description of how to access those sources.
  • Format for compiling the data.
  • Research methodology.
  • Dissemination format.

IMPLEMENT RESEARCH PLAN

3-17. Utilizing open-source media (the means of sending, receiving, and recording information), components, and associated elements (see table 3-1), OSINT personnel implement a research plan. The primary media used to implement a research plan include—

  • Public speaking forums.
  • Public documents.
  • Public broadcasts.
  • Internet Web sites.

Public Speaking Forums

3-18. OSINT personnel conduct research by attending public speaking forums such as conferences, lectures, public meetings, working groups, debates, and demonstrations. Attending these and similar events is an opportunity to build relationships with nonmilitary professionals and organizations. Intelligence personnel require a thorough understanding of the local culture and laws to ensure any collection activities are unintrusive and do not violate local customs or laws, such as the Chatham House Rule.

Public Documents

3-20. When acquiring public documents, OSINT personnel must be aware of the local environment and use a technique that is unintrusive and appropriate for the situation. These techniques include but are not limited to—

  • Photographing and copying documents available in public forums such as town halls, libraries, and museums.
  • Finding discarded documents in a public area such as streets, markets, and restrooms.
  • Photographing documents in public areas such as banners, graffiti, and posters.
  • Purchasing documents directly from street vendors, newspaper stands, bookstores, and publishers.
  • Purchasing documents through a third party such as a wholesale distributor or book club.
  • Receiving documents upon request without charge from the author, conferences, trade fairs, or direct mail advertising.

Public Broadcasts

3-21. Regional bureaus of the DNI OSC collect on regional and international broadcast networks in accordance with open-source information and intelligence requirements. Coverage of regional and international broadcasts enables OSINT personnel and organizations to use assets from already identified sources. The four techniques used to acquire information from public broadcasts are—

  • Spectrum search. Searching the entire spectrum to detect, identify, and locate all emitters to confirm overall activity. This search provides an overview of the amount and types of activities and where they are located in the spectrum.
  • Band search. Searching a particular segment of the spectrum to confirm overall activity. By limiting the size of the search band, the asset can improve the odds of acquiring a signal.
  • Frequency search. Searching for radio or television frequencies.
  • Program search. Searching for radio or television programs. Programs vary by type, content characteristics, and media format. Program surveillance verifies and expands upon initial results.

Internet Web Sites

3-23. The four steps to acquire information on Internet Web sites are—

  • Plan Internet search.
  • Conduct Internet search.
  • Refine Internet search.
  • Record results.

Chapter 4

Producing OSINT

The Army operates in diverse environments around the world. This diversity requires proper use of publicly available information and open sources in the production of OSINT. Given the volume of existing publicly available information and the unpredictability of requests for information and intelligence requirements, OSINT personnel engaging in open-source exploitation must remain aware and flexible when producing OSINT. Effective production ensures that commanders and subordinates receive timely, relevant, and accurate intelligence. OSINT personnel produce OSINT by evaluating, analyzing, reporting, and disseminating intelligence as assessments, studies, and estimates.

CATEGORIES OF INTELLIGENCE PRODUCTS

4-1. After receiving a mission through the MDMP and commander’s intent—expressed in terms of describe, visualize, and direct—intelligence and information requirements are identified. Personnel engaging in OSINT exploitation typically gather and receive information, perform research, and report and disseminate information in accordance with the categories of intelligence products. (See table 4-1.) OSINT products are categorized by intended use and purpose. Categories can overlap and some publicly available and open-source information can be used in more than one product.

EVALUATE INFORMATION

4-2. Open sources are overt and unclassified. Due to these aspects of publicly available information and open sources, deception, bias, and disinformation are of particular concern when evaluating sources of information during OSINT exploitation. Information is evaluated in terms of—

  • Information reliability and credibility.

COMMUNICATIONS

4-3. A simple communications model is typically two-way and consists of six parts:

  • Intended message.
  • Speaker (sender).
  • Speaker’s encoded message.
  • Listener (receiver).
  • Listener’s decoded message.
  • Perceived message.

4-4. The speaker and listener each have different perspectives and aspects of communications (as shown in table 4-2 on page 4-4). There are great challenges facing communicators as the message becomes encoded by the speaker and decoded by the listener.

4-5. Communications during public speaking engagements are often difficult to evaluate given the myriad of elements that can prevent a successfully transmitted message. Given the multiple elements taken simultaneously, public speaking events are subjective and can be misunderstood.

4-6. The speaker has an intended message through a verbal, nonverbal, vocal, or visual media channel or combination thereof. Within communications, the areas typically involved in preventing the true intent of the message are the sending method, environment, and receiving method. Having an understanding of these areas generally yields a greater success rate between the speaker and listener.

4-8. Speakers communicate verbally and nonverbally based on their beliefs, emotions, or goals.

It is important to understand the differences in communication styles and how they are interpreted by an audience in order to effectively communicate the intended message and avoid misunderstandings. Evaluating information acquired through public speaking venues can be challenging based on these factors. Using the table to compare these types of communication can assist collection personnel in determining the influences surrounding communicators and predicting how the messages may be perceived.

INFORMATION RELIABILITY AND CREDIBILITY

4-9. OSINT personnel evaluate information with respect to reliability and credibility. It is important to evaluate the reliability of open sources in order to distinguish objective, factual information from bias or deception. The rating is based on the subjective judgment of the evaluator and the accuracy of previous information produced by the same source.

4-10. OSINT personnel must assess the reliability and the credibility of the information independently of each other to avoid bias. The three types of sources used to evaluate and analyze received information are—

  • Primary sources. Have direct access to the information and convey the information directly and completely.
  • Secondary sources. Convey information through intermediary sources using the vernacular and summarize or paraphrase information.
  • Authoritative sources. Accurately report information from the leader, government, or ruling party.

PROCESS INFORMATION

4-14. Process is an information management activity: to raise the meaning of information from data to knowledge (FM 6-0). The function of processing, although not a component of the intelligence process, is a critical element in the analyzing and producing of OSINT. Publicly available information answers intelligence and information requirements. Based on the type of information received, it must be processed before being reported and disseminated as finalized OSINT. Intelligence personnel transform publicly available information and open sources into a form suitable for processing by—

  • Transcribing and translating.

DIGITIZING

4-15. OSINT personnel create a digital record of documents by scanning or taking digital photographs. Pertinent information about the document must be annotated to ensure accountability and traceability. Digitization enables the dissemination of the document to external databases and organizations and enables the use of machine translation tools to screen documents for keywords, names, and phrases.

ANALYSIS OF MEDIA SOURCES

4-20. Analysis of the media is the systematic comparison of the content, behavior, patterns, and trends of organic media organizations and sources of a country. Analysis of the media as an activity was developed and based on methods and experience gained during OSINT exploitation against authoritarian political systems during the World War II and Cold War eras where media was government-controlled. Publicly available information and open sources must be analyzed for proper inclusion in OSINT processing. OSINT personnel weigh media analysis against set criteria. These criteria assist OSINT personnel in discerning facts, indicators, patterns, and trends in information and relationships. This involves inductive or deductive reasoning to understand the meaning of past events and predict future actions.

4-21. Comparison of trends in the content of individual media with shifts in official policy suggests that some media continue to mirror the dominant policy line. By establishing a track record for media that are vulnerable to external and internal pressure to follow the central policy line, OSINT personnel can identify potential policy shifts. Comparison of what is said and what is not said against the background of what others are saying and what has been said before is the core of media source analysis.

4-22. Media source analysis is also important in semi-controlled and independent media environments. In media environments where both official and nonofficial media are present, official media may be pressured to follow the central policy line. Analyzing media in these environments must encompass both the journalist and commentator level. It is important to establish the track record of such individuals to discover whether they have access to insider information from parts of the government or are being used by officials to float policies.

4-23. The three aspects of media source analysis are—

  • Media control.
  • Media structure.
  • Media content.

Media Control

4-24. Analyzing media environments in terms of media control requires awareness by intelligence personnel of how different elements of the media act, influence, and are of intelligence value. Careful examination of the differences in how media is handled in different types of environments can provide insight into domestic and foreign government strategies. Media environments are categorized as—

  • Government-controlled.
    • Control over the media is centralized.
    • The dominant element of control is the government and higher tiers of political leadership.
    • Governments use censorship mechanisms to exercise control over media content prior to dissemination of information.
  • Semi-controlled.
    • Control over the media is semi-centralized.
    • Governments exercise and promote self-censorship by pressuring media managers and journalists prior to dissemination of information.
  • Independent.
    • Control over the media is decentralized.
    • Governments may regulate allocation of broadcast frequencies, morality in content, ownership in media markets, and occasionally apply political pressure against media or journalists.
    • Economic factors, norms of the journalist profession, the preferences of people who manage media, and the qualities of individual journalists who report or comment on the news all influence or control media content.

4-25. All media environments are controlled to some degree, which makes media source analysis easier to perform. The challenge for OSINT personnel is to determine the level, factors, and elements (see table 4-3) by which elites, institutions, or individuals exercise control, how much power each possesses, and what areas are of interest to satisfy intelligence and information requirements.

Media Structure

4-26. Media structure encompasses attributes of media material. There are structural elements that affect the meaning and significance of the content of the item and are often as important as the content itself. Analysis of these elements uncovers insights into the points of view of personnel in government-controlled, semi-controlled, and independent environments to establish the structure of media elements.

4-27. The media structural elements are—

  • Selection, omission, and slant.
  • Hierarchy of power.
  • Media type.

Selection, Omission, and Slant

4-28. Selection of media items is a fundamental editorial decision at the core of news reporting. Selection includes media manager decisions about which stories are covered, which stories are not covered, and which slant (viewpoint), images, and information should be included, emphasized, deemphasized, or omitted in a news item.

Hierarchy of Power

4-29. All political systems involve a hierarchy of power (see table 4-4). It follows logically that official statements issued by elements of that hierarchy carry a corresponding hierarchy of authoritativeness. Authoritativeness is the likelihood that the views expressed in the statement represent the dominant viewpoint within the political system. The hierarchy is obvious at the political level—a statement by the prime minister trumps a statement by a minister. In other cases, the hierarchy may not be so obvious—a speech by the party chairman is more authoritative than one by the head of state.

Format

4-30. Format consists of how media is produced and disseminated for public consumption. Format can be in the form of a live news report, a live interview, or a prerecorded report or interview that gives individuals more opportunity to influence the context delivered to consumers.

Media Type

4-31. Television is the medium with the largest potential audience in media environments and has a significant impact in shaping the impressions of the general viewing public. Television has replaced radio as the main source of news except in media environments where poverty prevents mass access to television. Fewer people may get information from newspapers and Internet news Web sites, but these people may be richer, better educated, and more influential than the general television audience. Specialized print publications and Internet Web sites reach a still smaller audience, but the audience will likely include officials and experts who have influence on policy debates and outcomes.

Prominence

4-32. Questions to consider pertaining to prominence of media stories are—

  • Does the story appear on the front page of newspapers or on the homepage of news Web sites?
  • How much space is the story given?
  • In what order does the story appear in the news broadcast?
  • Is it featured in the opening previews of the newscast?
  • How frequently is the story rebroadcast on subsequent newscasts or bulletins?
  • How much airtime did it get?

Dissemination

4-33. Attention to patterns of dissemination of leader statements is important in government-controlled media environments. Leaders communicate publicly in a variety of ways such as formal policy statements, formal interviews, and impromptu remarks. By comparing the volume of media attention given to a statement, a determination is made as to whether the statement was intended to be taken as a pronouncement of established policy or merely as an ad hoc, uncoordinated expression prompted by narrow contextual or temporal conditions.

Timing

4-34. OSINT personnel have traditionally paid close attention to the timing of the appearance of information in the media as the information corresponds to the news cycle. A news cycle is the process and timing by which different types of media sources obtain information, incorporate or turn the information into a product, and make the product available to the public.

Media Content

4-35. Understanding the significance of media content can enhance the value of media source analysis. Media content encompasses the elements of—

  • Manifest content.
  • Latent content.

Manifest Content

4-36. Manifest content is the actual words, images, and sounds conveyed by open sources. One of the most important forms of media source analysis involves the careful comparison of the content of authoritative official statements to identify the policies or intentions represented. Governments, political entities, and actors use statements and information released to the media to strengthen, support, and promote policies.

4-37. Manifest content analysis of authoritative public statements is an effective tool to discern leadership intentions and attitudes. Manifest content, in order to be effective, consists of the following:

  • Esoteric communications or “reading between the lines” are public statements whose surface meaning (manifest content) does not reveal the real purpose, meaning, or significance (latent content) of the author. Esoteric communication is particularly evident in political systems with strong taboos against public contention or in cases where sensitive issues are at stake. Esoteric communication is more formalized in some media environments than in others but is common in all political communications.
  • Multimedia content analysis considers elements of content beyond the words used. Facial expressions, the voice inflections of leaders giving speeches or being interviewed, and the reading of a script by a news broadcaster all provide indicators about views on a subject or topic. These indicators help determine whether a statement was seriously considered, intended to be humorous, or simply impromptu.
  • Historical or past behavior of open sources must be considered. Influences such as media outlet, journalist, newsmaker, or news broadcaster are factors beyond immediate control. Other issues such as time pressures, deadlines, or technical malfunctions, may also affect the content or context of public information. Analysts’ judgments about source behavior must be made with careful consideration of previous behavior.

Latent Content

4-38. Latent content refers to the hidden meaning of a thought. Latent content can reveal patterns about the views and actions of the media controllers. These patterns and rules come from the unstated content that provides the underlying meaning of media content and behavior. When a pattern of content changes, it can be inferred that a change in the viewpoint of the controller or in the balance of power among different controlling elements has occurred.

REPORT AND DISSEMINATE INFORMATION

4-39. Intelligence and information requirements satisfied through publicly available information and open sources should be immediately reported and disseminated in accordance with unit SOPs that are generally centered on intelligence requirements, information criticality, and information sensitivity.

4-40. Finalized OSINT serves no purpose unless it is timely, accurate, and properly disseminated to commanders and customers in a useable form. Reporting and disseminating a finalized OSINT product that satisfies intelligence and information requirements include but are not limited to—

  • Single discipline or multidiscipline estimates or assessments.
  • Statements of facts.
  • Evaluations of threat capabilities and limitations.
  • The threat’s likely COAs.

REPORTING GUIDELINES AND METHODS

4-41. Effective dissemination creates a mechanism of feedback in order to assess usefulness and predict or assess future intelligence and information requirements. The objective in reporting and disseminating intelligence and information is to provide relevancy to support conducting (planning, preparing, executing, and assessing) operations.

4-42. The basic guidelines in preparing products for reporting and disseminating information are—

  • Timely. Information should be reported to affected units without being delayed solely to ensure the correct format.
  • Relevant. Information must contribute to the answering of intelligence requirements. Relevant information reduces collection, organization, and transmission times.
  • Complete. Prescribed formats and SOPs ensure completeness of transmitted information.

4-43. The three reporting methods used to convey intelligence and information are—

  • Written. Methods include formats (spot reports), tactical reports (TACREPs), or information intelligence reports (IIRs).
  • Graphic. Web-based report dissemination is an effective technique to ensure the widest awareness of written and graphical information across echelons. OSINT personnel can collaborate and provide statuses of intelligence requirements through Web sites. Information can also be uploaded to various databases to support future open-source missions and operations.
  • Verbal and voice. The most common way to disseminate intelligence and information verbally is through a military briefing. Based on the criticality, sensitivity, and timeliness of the information, ad hoc and impromptu verbal communication methods are the most efficient way to deliver information to commanders.

REPORTING AND DISSEMINATION CONSIDERATIONS

4-49. When reporting and disseminating OSINT products, considerations include but are not limited to—

  • Classification. When creating products from raw information, write-to-release at the lowest classification level to facilitate the widest distribution of the intelligence. Use tearline report formats to facilitate the separation of classified and unclassified information for users operating on communications networks of differing security levels. Organizations with original classification authority or personnel with derivative classification responsibilities must provide subordinate organizations and personnel with a security classification guide or guidance for information and intelligence derived from publicly available information and open sources in accordance with the policy and procedures in AR 380-5.
  • Feedback-mechanism development. E-mail, postal addresses, rating systems, and survey forms are mechanisms that OSINT personnel can use in order to understand the information requirements of customers.
  • Intellectual property identification. Identify intellectual property that an author or an organization has copyrighted, patented, trademarked, or otherwise taken steps to preserve rights to. OSINT exploitation does not involve the selling, importing, or exporting of intellectual property. OSINT personnel engaging in exploitation should cite all sources used in reported and disseminated products. When uncertain, OSINT personnel should contact the supporting SJA office before reporting and disseminating a finalized OSINT product.
  • Use of existing dissemination methods, when and if possible. Creating new dissemination methods can at times complicate existing dissemination methods.
  • Analytical pitfalls. Analysts need to be cognizant that there are pitfalls when reporting and disseminating OSINT. The errors, referred to as fallacies (omission and assumption), are usually committed accidentally although sometimes they are deliberately used to persuade, convince, or deceive. Analysts must also be aware of hasty generalization, false cause, misuse of analogies and languages, biases (cultural, personal, organizational, cognitive), and hindsight. (For more information on analytical pitfalls, see TC 2-33.4.)

Appendix A

Legal Restrictions and Regulatory Limitations

Publicly available information and open sources cover a wide array of areas. Exploring, assessing, and collecting publicly available information and open sources has the potential to adversely affect organizations that execute OSINT missions. In some regards, OSINT missions could involve information either gathered against or delivered by U.S. persons. Given the scope of OSINT and its applicability within the intelligence community, having a firm awareness of intelligence oversight and its regulatory applications is necessary.

EXECUTIVE ORDER 12333

A-3. EO 12333 originated from operations that DOD intelligence units conducted against U.S. persons involved in the Civil Rights and anti-Vietnam War movements. DOD intelligence personnel used overt and covert means to collect information on the political positions of U.S. persons, retained the information in a nationwide database, and disseminated the information to law enforcement authorities.

A-4. The purpose of EO 12333 is to enhance human and technical collection techniques, especially those undertaken abroad, and the acquisition of significant foreign intelligence, as well as the detection and countering of international terrorist activities and espionage conducted by foreign powers. Accurate and timely information about the capabilities, intentions, and activities of foreign powers, organizations, and subordinate agents is essential to informed national defense decisions. Collection of such information is a priority objective, pursued in a vigorous, innovative, and responsible manner that is consistent with the U.S. Constitution and applicable laws and principles.

INTERPRETATION AND IMPLEMENTATION

A-5. AR 381-10 interprets and implements EO 12333 and DOD 5240.1-R. AR 381-10 enables the intelligence community to perform authorized intelligence functions in a manner that protects the constitutional rights of U.S. persons. The regulation does not authorize intelligence activity. An Army intelligence unit or organization must have the mission to conduct any intelligence activity directed against U.S. persons. In accordance with the Posse Comitatus Act (Section 1385, Title 18, USC), the regulation does not apply to Army intelligence units or organizations when engaged in civil disturbance or law enforcement activities without prior approval by the Secretary of Defense.

ASSIGNED FUNCTIONS

A-6. Based on EO 12333, the assigned intelligence functions of the Army are to—

  • Collect, produce, and disseminate military-related foreign intelligence as required for execution of responsibility of the Secretary of Defense.
  • Conduct programs and missions necessary to fulfill departmental foreign intelligence requirements.
  • Conduct activities in support of DOD components outside the United States in coordination with the Central Intelligence Agency (CIA) and within the United States in coordination with the Federal Bureau of Investigation (FBI) pursuant to procedures agreed upon by the Secretary of Defense and the Attorney General.
  • Protect the security of DOD installations to include its activities, property, information, and employed U.S. persons by appropriate means.
  • Cooperate with appropriate law enforcement agencies to protect employed U.S. persons, information, property, and facilities of any agency within the intelligence community.
  • Participate with law enforcement agencies to investigate or prevent clandestine intelligence activities by foreign powers or international terrorists.
  • Provide specialized equipment, technical knowledge, or assistance to U.S. persons for use by any department or agency, or, when lives are endangered, to support local law enforcement agencies.

ARMY REGULATION 381-10

A-7. AR 381-10 enables any Army component to perform intelligence functions in a manner that protects the constitutional rights of U.S. persons. It also provides guidance on collection techniques used to obtain information for foreign intelligence and CI purposes. Intelligence activity is not authorized by this regulation.

A-13. AR 381-10 does not authorize the collection of any information relating to a U.S. person solely because of personal lawful advocacy of measures opposed to government policy as embodied in the First Amendment to the U.S. Constitution. The First Amendment states that Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

RETENTION OF U.S. PERSON INFORMATION

A-14. Retention refers only to maintaining information about U.S. persons that the Army intelligence component can retrieve by the person’s name or other personal identifying data. AR 381-10, procedure 3, describes the kinds of U.S. person information that an Army intelligence component may knowingly retain without the individual’s consent.

DISSEMINATION OF U.S. PERSON INFORMATION

A-19. Disseminate, an information management activity, refers to communicating relevant information of any kind from one person or place to another in a usable form by any means to improve understanding or to initiate or govern action (FM 6-0). In other words, dissemination is the delivery of intelligence to users in a suitable form with application of the intelligence to appropriate missions, tasks, and functions.

QUESTIONABLE INTELLIGENCE ACTIVITY

A-20. Questionable intelligence activity occurs when intelligence operations potentially violate—

  • Laws.
  • EOs.
  • Presidential directives.
  • DOD or Army policies.

A-21. Intelligence personnel should report questionable intelligence activity through the chain of command, the inspector general, or directly to the Assistant to the Secretary of Defense for Intelligence Oversight in accordance with AR 381-10. The following are examples of questionable intelligence activity on improper collecting, retaining, or disseminating of U.S. person information:

  • Collecting and gathering information about U.S. domestic groups not connected with a foreign power or international terrorism.
  • Producing and disseminating intelligence threat assessments containing U.S. person information without a clear explanation of the intelligence purpose for which the information was collected.
  • Collecting and gathering U.S. person information for force protection purposes without determining if the intelligence function is authorized.
  • Collecting and gathering U.S. person information from open sources without a logical connection to the mission of the unit.

Appendix B

Cyberspace Internet Awareness

Intelligence and nonintelligence personnel conducting open-source research must be aware of the digital operational environment by minimizing and reducing cyber “footprints,” practicing effective cyber OPSEC, utilizing safe online surfing techniques and habits, and understanding that embedded metadata can be contained in documents.

CYBERSPACE SITUATIONAL AWARENESS AND CYBER SECURITY

B-1. More than any other intelligence discipline, research involving publicly available information and open sources could unintentionally reveal CCIRs.

In the areas of computer information assurance and Internet security, Internet awareness is needed to be effective and aggressive and to successfully conduct open-source research and exploitation. Unjustified Internet Web site restrictions have the potential to severely impede the acquisition and the subsequent processing, reporting, and dissemination of publicly available information and open sources.

B-2. Awareness is the beginning of effective cyber security. Computers transmit machine specifications such as operating system, type and version of each enabled program, security levels, a history of Web sites visited, cookie information, user preferences, IP addresses, enabled languages, and referring URL when searching the Internet. Visitors are frequently redirected to alternate Web sites based on search criteria, location, language, and the time the search is conducted.

B-3. The Internet is described as a “network of networks” due to the hundreds of thousands of interconnected networks consisting of millions of computers. Computers and users connected to the Internet are identified by a system-specific IP address that designates location. The IP address serves as the address where transferred information and data are delivered. The concern is that, while visiting nonstandard or questionable Internet Web sites in accordance with official duties, sensitive unit information could inadvertently be revealed.

B-5. Cyber situational awareness is the knowledge of friendly, neutral, and threat relevant information regarding activities in and through cyberspace and the electromagnetic spectrum (FM 1-02). Cyberspace and cyber security involve increasing cyber situational awareness by—

  • Identifying threat operations to determine the effect on friendly operations and countermeasures.
  • Determining how to use cyberspace to gain support from friendly and neutral entities.
  • Determining how to gain, maintain, and exploit technical and operational advantages.

B-7. URL information from the previous Web site visited is frequently an OPSEC issue, and it identifies characteristics and interests of the user. While necessary for effective research, the use of specific and focused search terms has potential OPSEC implications.
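What paragraphs B-2 and B-7 describe can be seen by reading a single request the way the receiving Web server does. The following Python sketch is an added example and is not part of the ATP; the request, hostnames, cookie values, and the list of search parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request (invented hosts, search terms and cookie values):
# what a browser might send after the user clicks a search result.
SAMPLE_REQUEST = (
    "GET /forum/thread/4411 HTTP/1.1\r\n"
    "Host: forum.example.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\r\n"
    "Accept-Language: en-US,en;q=0.9,ar;q=0.6\r\n"
    "Referer: https://search.example.com/results?q=port+schedule+exercise&hl=en\r\n"
    "Cookie: sid=abc123; last_search=port%20schedule\r\n"
    "\r\n"
)

# Assumption: query parameter names that commonly carry search terms.
SEARCH_PARAMS = ("q", "query", "p", "search", "text")


def parse_headers(raw):
    """Return the request headers as a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def platform_hint(user_agent):
    """Return the first parenthesised User-Agent comment (OS and architecture)."""
    match = re.search(r"\(([^)]*)\)", user_agent)
    return match.group(1) if match else ""


def languages(accept_language):
    """Return the enabled language tags ordered by descending q-value."""
    ranked = []
    for item in accept_language.split(","):
        tag, _, params = item.strip().partition(";")
        if not tag:
            continue
        weight = 1.0                              # no q parameter means q=1
        params = params.strip()
        if params.startswith("q="):
            try:
                weight = float(params[2:])
            except ValueError:
                weight = 0.0
        ranked.append((weight, tag))
    return [tag for weight, tag in sorted(ranked, key=lambda pair: -pair[0])]


def referer_disclosure(referer):
    """Split a Referer URL into the site it names and any search terms in it."""
    parts = urlsplit(referer)
    query = parse_qs(parts.query)
    terms = []
    for name in SEARCH_PARAMS:
        for value in query.get(name, []):
            terms.extend(value.split())
    return {"site": parts.hostname or "", "search_terms": terms}


def origin_only(referer):
    """Referer as sent on a cross-origin HTTPS-to-HTTPS navigation under
    Referrer-Policy: strict-origin-when-cross-origin (path and query dropped)."""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}/"


def cookie_names(cookie_header):
    """Return the names of the cookies the browser handed back to the site."""
    return [pair.split("=", 1)[0].strip()
            for pair in cookie_header.split(";") if pair.strip()]


def exposure_report(raw):
    """Summarise what one request reveals about the researcher."""
    headers = parse_headers(raw)
    referer = headers.get("referer", "")
    disclosed = referer_disclosure(referer)
    return {
        "platform": platform_hint(headers.get("user-agent", "")),
        "languages": languages(headers.get("accept-language", "")),
        "cookies": cookie_names(headers.get("cookie", "")),
        "referer_site": disclosed["site"],
        "search_terms": disclosed["search_terms"],
        "referer_if_trimmed": origin_only(referer),
    }


if __name__ == "__main__":
    for field, value in exposure_report(SAMPLE_REQUEST).items():
        print(f"{field}: {value}")
```

The `search_terms` field is the B-7 concern in concrete form: the visited site receives the researcher's query words, while `referer_if_trimmed` shows how little remains once the referring URL is reduced to its origin.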

B-8. All actions on a Web site are logged and saved. The information is saved and linked to what is referred to as cookie data. User actions include but are not limited to—

  • Words typed in search parameter fields.
  • Drop-down menu choices.
  • Web site movement patterns such as changing domain name or Web site address.

B-9. On many Web sites, information that the user provides or fills in becomes part of the Web site and is searchable. Key information to avoid sharing includes but is not limited to—

  • Military plans.
  • Operations.
  • Exercises.
  • Maps and charts.
  • Locations.
  • Schedules.
  • Equipment vulnerabilities, capabilities, and shortfalls.
  • Names and related numbers:
    • Telephone numbers.
    • Birth dates.
    • Identification numbers.

B-10. Traditional and irregular threats are disruptive in nature and use the cyberspace domain to conduct operations against the Army. These threats are innovative, networked, and technologically adept. These threats capitalize on emerging technologies to establish and maintain a cultural and social advantage, leveraging areas that include but are not limited to mission command, recruiting, logistics, fund raising and laundering, IO, and propaganda.

B-11. When engaged in OSINT exploitation utilizing computer systems and Internet usage, cyberspace awareness assessments should be developed and cover areas including but not limited to network vulnerabilities, network threats (physical and virtual), and future risks.

Appendix C

Basic and Advanced Internet Search Techniques

The ability to search the Internet is an essential skill for open-source research and acquisition. The Internet, considered a reconnaissance and surveillance research tool, provides access to Web sites and databases that hold a wide range of information on current, planned, and potential areas of operation. The exponential growth in computer technology and the Internet has placed more publicly available information and processing power at the fingertips of Soldiers than ever before. A body of knowledge on culture, economics, geography, military affairs, and politics that was once inaccessible to some degree now rests in the hands of high school and college students—future leaders of the Army.

OPEN-SOURCE DATABASES, SOFTWARE, AND TOOLS

C-26. There are numerous COTS software applications, tools, and databases that are searchable using query words for research. Search engines used for research include but are not limited to—

Google Scholar. Google Scholar provides a simple way to broadly search for scholarly literature. From one place, searches expand across many disciplines and sources that include articles, theses, books, and abstracts. Google Scholar helps locate relevant work across the world of scholarly research.

Spokeo. Spokeo specializes in organizing people-related information (names, addresses, phone numbers) from phone books, social networks, marketing lists, business Web sites, and other public sources. Spokeo uses algorithms to piece together data into coherent profiles.

BlogPulse. BlogPulse is an automated trend discovery system for blogs that applies machine-learning and natural language processing techniques.

Pipl. The Pipl query engine helps locate Deep Web pages that cannot be found on regular or standard search engines. Pipl uses advanced language-analysis and ranking algorithms to retrieve the most relevant information about an individual.

Monitter. Monitter is a browser-based Twitter search engine. Monitter displays three constantly updated keyword searches parallel to each other in your browser.

Maltego. Maltego is a forensic application that offers data-mining and gathering of information into packaged representations. Maltego allows the identification of key relationships between pieces of information and the identification of previously unknown relationships.

Notes on Intelligence Analysis ATP 2-33.4

Preface

ATP 2-33.4 provides fundamental information to a broad audience, including commanders, staffs, and leaders, on how intelligence personnel conduct analysis to support Army operations. It describes the intelligence analysis process and specific analytic techniques and information on the conduct of intelligence analysis performed by intelligence personnel, especially all-source analysts, across all intelligence disciplines. Additionally, ATP 2-33.4 describes how intelligence analysis facilitates the commander’s decision making and understanding of complex environments.

The principal audience for ATP 2-33.4 is junior to midgrade intelligence analysts conducting intelligence analysis. This publication provides basic information on intelligence analysis for commanders, staffs, and other senior military members.

ATP 2-33.4 readers must have an understanding of the following:

  • Intelligence doctrine described in ADP 2-0 and FM 2-0.
  • Collection management described in ATP 2-01.
  • Intelligence preparation of the battlefield (IPB) described in ATP 2-01.3.
  • Operational doctrine described in ADP 3-0 and FM 3-0.
  • Joint targeting described in JP 3-60.

Introduction

ATP 2-33.4 discusses doctrinal techniques—descriptive methods for performing missions, functions, or tasks as they apply to intelligence analysis. ATP 2-33.4—

  • Describes the intelligence analysis process.
  • Discusses structured analytic techniques and the methods for implementing them.
  • Describes unique considerations related to intelligence analysis.

Intelligence analysis is central to intelligence. It is the basis for many staff activities, including planning, and occurs across the entire Army. Among other results, analysis facilitates commanders’ and other decision makers’ ability to visualize the operational environment (OE), organize their forces, and control operations to achieve their objectives. To understand the role of intelligence analysis, intelligence professionals must understand how intelligence analysis corresponds with other staff processes, especially the military decision-making process and information collection (including collection management).

The introductory figure on pages xii and xiii displays the intelligence analysis process and shows how intelligence analysis fits with the other staff processes to facilitate the commander’s understanding:

  • The commander’s initial intent, planning guidance, and priority intelligence requirements (PIRs) drive the collection management plan.
  • The entire staff, led by the intelligence and operations staffs, develops the information collection plan that results in reporting.
  • All-source intelligence is based on information from all intelligence disciplines, complementary intelligence capabilities, and other available sources, such as reconnaissance missions, patrol debriefs, and security operations.
  • Information collected from multiple sources moves through the intelligence analysis process, resulting in intelligence.
  • The intelligence staff conducts all-source analysis and produces timely, accurate, relevant, predictive, and tailored intelligence that satisfies the commander’s requirements and facilitates the commander’s situational understanding and the staff’s situational awareness.

Chapter 9 discusses managing long-term analytical assessments, also referred to as analytic design, to ensure the analytical effort is properly focused and carefully planned and executed, and analytical results are communicated effectively to the requestor.

PART ONE

Fundamentals

Chapter 1

Understanding Intelligence Analysis

INTELLIGENCE ANALYSIS OVERVIEW

1-1. Analysis is the compilation, filtering, and detailed evaluation of information to focus and understand that information better and to develop knowledge or conclusions. In accordance with ADP 6-0, information is, in the context of decision making, data that has been organized and processed in order to provide context for further analysis. Information generally provides some of the answers to the who, what, where, when, why, and how questions. Knowledge is, in the context of decision making, information that has been analyzed and evaluated for operational implications (ADP 6-0). Knowledge assists in ascribing meaning and value to the conditions or events within an operation. Analysis performed by intelligence personnel assists in building the commander’s knowledge and understanding. ADP 6-0 provides an in-depth discussion on how commanders and staffs process data to progressively develop their knowledge to build and maintain their situational awareness and understanding.

1-3. Intelligence analysis is a form of analysis specific to the intelligence warfighting function. It is continuous and occurs throughout the intelligence and operations processes. Intelligence analysis is the process by which collected information is evaluated and integrated with existing information to facilitate intelligence production. Analysts conduct intelligence analysis to produce timely, accurate, relevant, and predictive intelligence for dissemination to the commander and staff. The purpose of intelligence analysis is to describe past and current, and attempt to predict future, threat capabilities, activities, and tactics; terrain and weather conditions; and civil considerations.

1-4. Army forces compete with an adaptive enemy; therefore, perfect information collection, intelligence planning, intelligence production, and staff planning seldom occur. Information collection is not easy, and a single collection capability is not persistent and accurate enough to provide all of the answers. Intelligence analysts will be challenged to identify erroneous information and enemy deception, and commanders and staffs will sometimes have to accept the risk associated with incomplete analysis based on time and information collection constraints.

1-5. Some unique aspects of intelligence analysis include—

  • The significant demand on analysts to compile and filter vast amounts of information in order to identify information relevant to the operation.
  • The need for analysts to clearly separate confirmed facts from analytical determinations and assessments.
  • Insight into how the physical environment (terrain, weather, and civil considerations) may affect operations.
  • The ability to assess complex situations across all domains and the information environment.

1-7. Intelligence analysis comprises single-source analysis and all-source analysis.

Single-source and all-source intelligence capabilities include but are not limited to—

  • Single-source analytical elements:
    • Brigade combat team (BCT) human intelligence (HUMINT) analysis cell.
    • Division signals intelligence cell.
    • Corps counterintelligence analysis cell.
    • Brigade through corps geospatial intelligence cells.
  • All-source analytical elements:
    • Battalion intelligence cell.
    • Brigade intelligence support element (also known as BISE).
    • Division analysis and control element (ACE).
    • Corps ACE.
    • Theater army ACE.
    • National Ground Intelligence Center (NGIC).

SINGLE-SOURCE ANALYSIS

1-8. Single-source collection is reported to single-source analytical elements. Single-source analytical elements conduct continuous analysis of the information provided by single-source operations. Following single-source analysis, analytical results are disseminated to all-source analytical elements for corroboration, to update the common operational picture, and to refine all-source intelligence products. A continuous analytical feedback loop occurs between all-source analytical elements, single-source analytical elements, and collectors to ensure effective intelligence analysis.

1-9. Several portions of this publication apply to single-source analysis, especially the intelligence analysis process in chapter 2 and the analytic techniques in chapters 4 through 6. Specific doctrine on single-source analysis is contained in the following publications:

Intelligence disciplines:

  • For counterintelligence analysis, see ATP 2-22.2-1, Counterintelligence Volume I: Investigations, Analysis and Production, and Technical Services and Support Activities, chapter 4.
  • For HUMINT analysis, see FM 2-22.3, Human Intelligence Collector Operations, chapter 12.
  • For open-source intelligence analysis, see ATP 2-22.9, Open-Source Intelligence, chapters 1, 2, and 3.
  • For signals intelligence analysis, see ATP 2-22.6-2, Signals Intelligence Volume II: Reference Guide, appendix G.

ALL-SOURCE ANALYSIS AND PRODUCTION

1-10. Various all-source analytical elements integrate intelligence and information from all relevant sources (both single-source and other information collection sources) to provide the most timely, accurate, relevant, and comprehensive intelligence possible and to overcome threat camouflage, counterreconnaissance, and deception.

The intelligence staff is integrated with the rest of the staff to ensure they have a thorough understanding of the overall operation, the current situation, and future operations. Additionally, all-source analytical elements often corroborate their analytical determinations and intelligence products through access to and collaboration with higher, lower, and adjacent all-source analytical elements.

1-11. All-source intelligence analysts use an array of automation and other systems to perform their mission. (See appendix A.) From a technical perspective, all-source analysis is accomplished through the fusion of single-source information with existing intelligence in order to produce intelligence. For Army purposes, fusion is consolidating, combining, and correlating information together (ADP 2-0). Fusion occurs as an iterative activity to refine information as an integral part of all-source analysis and production.

1-12. With the vast amounts of information and broad array of all-source intelligence capabilities, the G-2/S-2 provides the commander and staff with all-source intelligence. All-source intelligence products inform the commander and staff by facilitating situational understanding, supporting the development of plans and orders, and answering priority intelligence requirements (PIRs), high-payoff targets (HPTs), and other information requirements.

1-13. The G-2/S-2 can use single-source intelligence to support the commander and staff. In those instances, it is best to first send that single-source intelligence to the all-source analytical element to attempt to quickly corroborate the information. Corroboration reduces the risk associated with using that single-source intelligence by comparing it to other information reporting and existing intelligence products. Following corroboration and dissemination of the intelligence to the commander and staff, the all-source analytical element incorporates the single-source intelligence into the various all-source intelligence products and the threat portion of the common operational picture.

CONDUCTING INTELLIGENCE ANALYSIS

1-15. The goal of intelligence analysis is to provide timely and relevant intelligence to commanders and leaders to support their decision making. Intelligence analysis requires the continuous examination of information and intelligence about the threat and significant aspects of the OE. To be effective, an intelligence analyst must—

  • Understand and keep abreast of intelligence doctrine.
  • Maintain complete familiarity with all aspects of the threat, including threat capabilities, doctrine, and operations.
  • Have knowledge on how to account for the effects of the mission variables (mission, enemy, terrain and weather, troops and support available, time available, and civil considerations [METT-TC]) and operational variables (political, military, economic, social, information, infrastructure, physical environment, and time [PMESII-PT]) on operations.
  • Thoroughly understand operational doctrine (especially FM 3-0, Operations), operational and targeting terminology, and operational symbology.

1-16. Analysts conduct intelligence analysis to ultimately develop effective intelligence. They do this by applying the basic thinking abilities (information ordering, pattern recognition, and reasoning) and critical and creative thinking, all described in appendix B. FM 2-0 describes the characteristics of effective intelligence as accurate, timely, usable, complete, precise, reliable, relevant, predictive, and tailored. Beyond those characteristics, intelligence analysts must also understand the six aspects of effective analysis:

  • Embracing ambiguity.
  • Understanding intelligence analysis is imperfect.
  • Meeting analytical deadlines with the best intelligence possible.
  • Thinking critically.
  • Striving to collaborate closely with other analysts.
  • Adhering to analytic standards as much as possible.

EMBRACING AMBIGUITY

1-17. Intelligence personnel must accept and embrace ambiguity in conducting analysis as they will never have all the information necessary to make certain analytical determinations. Intelligence analysts will be challenged due to the constantly changing nature of the OE and the threat and to the fog of war—all imposed during large-scale ground combat operations, creating complex, chaotic, and uncertain conditions.

1-18. Analysts operate within a time-constrained environment and with limited information. Therefore, they may sometimes produce intelligence that is not as accurate and detailed as they would prefer. Having both an adequate amount of information and extensive subject matter expertise does not guarantee the development of logical or accurate determinations. To be effective, analysts must have—

  • A detailed awareness of their commander’s requirements and priorities.
  • An understanding of the limitations in information collection and intelligence analysis.
  • A thorough knowledge of the OE and all aspects of the threat.
  • Expertise in applying the intelligence analysis process and analytic techniques.

1-19. The effective combination of the aforementioned bullets provides intelligence analysts with the best chance to produce accurate and predictive intelligence and also to detect threat denial and deception efforts. To adequately account for complexity and ambiguity, intelligence analysts should continually identify gaps in their understanding of the OE and the threat, and factor in those gaps when conducting intelligence analysis.

ANALYTICAL IMPERFECTION

1-20. Given the ambiguity, fog of war, and time constraints, intelligence analysts must accept imperfection. As much as possible, analysts should attempt to use validated facts, advanced analytic techniques, and objective analytical means. However, using them and providing completely objective and detailed analytical determinations may be challenging, especially during tactical operations. Analysts should also consider that logical determinations are not necessarily facts.

1-21. When presenting analytical determinations to the commander and staff, intelligence personnel must ensure they can answer the “so what” question from the commander’s perspective. Additionally, they should clearly differentiate between what is relatively certain, what are reasonable assumptions, and what is unknown, and then provide the degree of confidence they have in their determination as well as any significant issues associated with their analysis. This confidence level is normally subjective and based on—

  • The collection asset’s capability (reliability and accuracy).
  • Evaluation criteria.
  • The confidence in the collected data.
  • The analyst’s expertise and experience.
  • Intelligence gaps.
  • The possibility of threat deception.

1-22. Intelligence analysts should be prepared to explain and justify their conclusions to the commander and staff. Over time, the all-source analytical element should learn the most effective way to present analytical determinations to the commander and staff. A deliberate and honest statement of what is relatively certain and what is unknown assists the commander and staff in weighing some of the risks inherent in the operation and in creating mitigation measures.

MEETING ANALYTICAL DEADLINES

1-23. Analysts must gear their efforts to the time available and provide the best possible intelligence within the deadline.

CRITICAL THINKING

1-24. Intelligence analysts must know how to arrive at logical, well-reasoned, and unbiased conclusions as a part of their analysis. Analysts strive to reach determinations based on facts and reasonable assumptions. Therefore, critical thinking is essential to analysis. Using critical thinking, which is disciplined and self-reflective, provides more holistic, logical, ethical, and unbiased analyses and determinations. Applying critical thinking assists analysts in fully accounting for the elements of thought, the intellectual standards, and the traits of a critical thinker.

COLLABORATION

1-25. Commanders, intelligence and other staffs, and intelligence analysts must collaborate. They should actively share and question information, perceptions, and ideas to better understand situations and produce intelligence. Collaboration is essential to analysis; it ensures analysts work together to achieve a common goal effectively and efficiently.

1-26. Through collaboration, analysts develop and enhance professional relationships, access each other’s expertise, enhance their understanding of the issues, and expand their perspectives on critical analytical issues. Collaboration is another means, besides critical thinking, by which intelligence analysts avoid potential pitfalls, such as mindsets and biases, and detect threat denial and deception efforts.

ADHERING TO ANALYTIC STANDARDS

1-27. As much as possible, the conclusions reached during intelligence analysis should adhere to analytic standards, such as those established by the Director of National Intelligence in Intelligence Community Directive (ICD) 203, to determine the relevance and value of the information before updating existing assessments.

INTELLIGENCE ANALYSIS AND COLLECTION MANAGEMENT

1-28. While collection management is not part of intelligence analysis, it is closely related. Analysis occurs inherently throughout collection management, and intelligence analysts must understand the information collection plan.

1-29. Collection management is a part of the larger information collection effort. Information collection is an integrated intelligence and operations function.

The collection management process comprises the following tasks:

  • Develop requirements.
  • Develop the collection management plan.
  • Support tasking and directing.
  • Assess collection.
  • Update the collection management plan.

1-30. The intelligence warfighting function focuses on answering commander and staff requirements, especially PIRs, which are part of the commander’s critical information requirements. Intelligence analysis for a particular mission begins with information collected based on commander and staff requirements (which are part of collection management); those requirements are usually developed within the context of existing intelligence analysis.

Together, these two activities form a continuous cycle—intelligence analysis supports collection management and collection management supports intelligence analysis.

1-31. Intelligence analysis and collection management overlap or intersect in several areas. While not all inclusive, the following includes some of these areas:

  • The all-source intelligence architecture and analysis across the echelons are important aspects of planning effective information collection. To answer the PIR and present the commander and staff with a tailored intelligence product, there must be adequate time. Collection management personnel must understand the all-source intelligence architecture and analysis across the echelons and consider those timelines.
  • Collection management personnel depend on the intelligence analysis of threats, terrain and weather, and civil considerations in order to perform the collection management process. Intelligence preparation of the battlefield (IPB) often sets the context for collection management:
    • Intelligence analytical gaps are the start points for developing requirements.
    • All-source analysts and collection management personnel must understand the threat COAs and how to execute those COAs as reflected in the situation templates.
    • Event templates and event matrices are the start points for developing subsequent collection management tools.
  • All-source analysts and collection management personnel—
    • Use and refine threat indicators during the course of an operation.
    • Mutually support and track threat activities relative to the decide, detect, deliver, and assess (also called D3A) functions of the targeting methodology.
    • Must confer before answering and closing a PIR.
  • The effectiveness of intelligence analysis is an integral part of assessing the effectiveness of the information collection plan during collection management.

1-32. A disconnect between intelligence analysis and collection management can cause significant issues, including a degradation in the overall effectiveness of intelligence support to the commander and staff. Therefore, intelligence analysts and collection management personnel must collaborate closely to ensure they understand PIRs, targeting and information operations requirements (when not expressed as PIRs), threat COAs and other IPB outputs, the current situation, and the context/determinations surrounding current threat activities.

THE ALL-SOURCE INTELLIGENCE ARCHITECTURE AND ANALYSIS ACROSS THE ECHELONS

1-33. All-source analysis, collaboration, and intelligence production occur both within and between echelons. Intelligence analysts not only integrate the broad array of information collected and intelligence produced at their echelon, but they also collaborate across the various echelons and the intelligence community to benefit from the different knowledge, judgments, experience, expertise, and perceptions—all invaluable to the analytical effort.

1-34. At the different echelons, based on a number of factors, the intelligence staff and supporting all-source analytical element are divided into teams to support the various command posts and to perform the various all-source analytical tasks. There is no standard template on how best to structure the all-source analytical effort.

1-37. While the fundamentals of intelligence analysis remain constant across the Army’s strategic roles, large-scale ground combat operations create some unique challenges for the intelligence analyst. (See table 1-1.) The fluid and chaotic nature of large-scale ground combat operations will cause the greatest degree of fog, friction, uncertainty, and stress on the intelligence analysis effort. Army forces will have to fight for intelligence as peer threats will counter information collection efforts, forcing commanders to make decisions with incomplete and imperfect intelligence. These realities will strain all-source analysis.

1-38. Over the past 20 years, the Nation’s peer threats have increased their capabilities and gained an understanding of United States (U.S.) and allied operations. According to ADP 3-0, a peer threat is an adversary or enemy able to effectively oppose U.S. forces worldwide while enjoying a position of relative advantage in a specific region. Peer threats—

  • Can generate equal or temporarily superior combat power in geographical proximity to a conflict area with U.S. forces.
  • May have a cultural affinity to specific regions, providing them relative advantages in terms of time, space, and sanctuary.
  • Generate tactical, operational, and strategic challenges that are an order of magnitude more challenging militarily than other adversaries.
  • Can employ resources across multiple domains to create lethal and nonlethal effects with operational significance throughout an OE.
  • Seek to delay deployment of U.S. forces and inflict significant damage across multiple domains in a short period to achieve their goals before culminating.

1-40. As in all operations, intelligence drives operations and operations support intelligence; this relationship is continuous. The commander and staff need effective intelligence in order to understand threat centers of gravity, goals and objectives, and COAs. Precise intelligence is also critical to target threat capabilities at the right time and place and to open windows of opportunity across domains. Commanders and staffs must have detailed knowledge of threat strengths, weaknesses, equipment, and tactics to plan for and execute friendly operations.

1-42. One of the ultimate goals of intelligence analysis is to assist the unit in identifying and opening an operational window of opportunity to eventually achieve a position of relative advantage. Opening a window of opportunity often requires a significant amount of intelligence analysis in order to achieve a high degree of situational understanding. This will be difficult as friendly forces are often at a disadvantage in conducting information collection against the threat.

1-43. The staff must thoroughly plan, find creative solutions, and collaborate across echelons to overcome information collection challenges. Once friendly forces have an open window of opportunity to execute information collection, intelligence analysts will receive more information and should be able to provide timely and accurate intelligence products, updates, and predictive assessments. This timely and accurate intelligence can then assist friendly forces in opening subsequent windows of opportunity to reach positions of relative advantage.

1-44. Facilitating the commander and staff’s situational understanding of the various significant aspects of the OE is challenging. Intelligence analysis must address important considerations across all domains and the information environment as well as support multi-domain operations. Intelligence analysis must include all significant operational aspects of the interrelationship of the air, land, maritime, space, and cyberspace domains; the information environment; and the electromagnetic spectrum. Intelligence analysts use information and intelligence from the joint force, U.S. Government, the intelligence community, and allies to better understand and analyze the various domains and peer threat capabilities.

INTELLIGENCE ANALYSIS DURING THE ARMY’S OTHER STRATEGIC ROLES

1-45. As part of a joint force, the Army operates across the strategic roles (shape OEs, prevent conflict, prevail in large-scale ground combat, and consolidate gains) to accomplish its mission to organize, equip, and train its forces to conduct sustained land combat to defeat enemy ground forces and to seize, occupy, and defend land areas.

 

Chapter 2
The Intelligence Analysis Process

2-1. Both all-source and single-source intelligence analysts use the intelligence analysis process. The process supports the continuous examination of information, intelligence, and knowledge about the OE and the threat to generate intelligence and reach one or more conclusions. The application of analytic skills and techniques assists analysts in evaluating specific situations, conditions, entities, areas, devices, or problems.

2-2. The intelligence analysis process includes the continuous evaluation and integration of new and existing information to produce intelligence. It ensures all information undergoes a criterion-based logical process, such as the analytic tradecraft standards established by ICD 203, to determine the relevance and value of the information before updating existing assessments.

2-3. The intelligence analysis process is flexible and applies to any intelligence discipline. Analysts may execute the intelligence analysis process meticulously by thoroughly screening information and applying analytic techniques, or they may truncate the process by quickly screening collected information using only basic structured analytic techniques. The process becomes intuitive as analysts become more proficient at analysis and understanding their assigned OE. The intelligence analyst uses collected information to formulate reliable and accurate assessments.

THE PHASES OF THE INTELLIGENCE ANALYSIS PROCESS

2-4. The phases of the intelligence analysis process are interdependent. (See figure 2-1 on page 2-2.) Through time and experience, analysts become more aware of this interdependence. The phases of the intelligence analysis process are—

  • Screen (collected information): Determining the relevance of the information collected.
  • Analyze: Examining relevant information.
  • Integrate: Combining new information with current intelligence holdings to begin the effort of developing a conclusion or assessment.
  • Produce: Making a determination or assessment that can be disseminated to consumers.

2-5. To successfully execute the intelligence analysis process, it is critical for analysts to understand the PIRs and other requirements related to the current OE and mission. This understanding assists analysts in framing the analytic problem and enables them to separate facts and analytical judgments.

Analytical judgments form by generating hypotheses—preliminary explanations meant to be tested to gain insight and find the best answer to a question of judgment.

SCREEN COLLECTED INFORMATION

2-7. During the execution of single-source intelligence or all-source analysis, analysts continuously filter the volume of information or intelligence received through the continuous push and pull of information. It is during the screen phase that analysts sort information based on relevancy and how it ties to the analytical questions or hypotheses they developed to fill information gaps. They do this by conducting research and accessing only the information that is relevant to their PIRs, mission, or time.

2-8. Time permitting, analysts research by accessing information and intelligence from databases, the internet (attributed to open-source information), collaborative tools, broadcast services, and other sources such as automated systems. This screening enables analysts to focus their analytical efforts on only the information that is pertinent to their specific analytic problem.

ANALYZE

2-9. Analysts examine relevant information or intelligence using reasoning and analytic techniques, which enable them to see information in different ways and to reveal something new or unexpected. It may be necessary to gain more information or apply a different technique, time permitting, until a conclusion is reached or a determination is made.

2-10. Analysts also analyze the volume of information based on the information source’s reliability and the information accuracy, as screening information is continuous. This occurs when analysts receive information they immediately recognize as untrue or inaccurate based on their knowledge or familiarity with the analytic problem. Analysts should not proceed with the analysis when there is a high likelihood that the information is false or part of a deception, as this may lead to inaccurate conclusions. False information and deception are more prevalent today with the proliferation of misinformation commonly found in social media readily available on the internet.

2-11. Analysts may decide to retain or exclude information based on results from the screen phase. While the excluded information may not be pertinent to the current analytical question, the information is maintained in a unit repository as it may answer a follow-on question from a new analytical question.

2-12. During operations, intelligence analysts must consider information relevancy, reliability, and accuracy to perform analysis:

  • Relevancy: Analysts examine the information to determine its pertinence about the threat or OE. Once the information is assessed as relevant, analysts continue with the analysis process.
  • Reliability: The source of the information is scrutinized for reliability. If the source of the information is unknown, the level of reliability decreases significantly.
  • Accuracy: Unlike reliability, accuracy is based on other information that can corroborate (or not) the available information. When possible, analysts should obtain information that confirms or denies a conclusion in order to detect deception, misconstrued information, or bad data or information. Additionally, when possible, analysts should characterize their level of confidence in that conclusion.

2-13. There are marked differences in evaluating the accuracy of information between higher and lower echelons. Higher (strategic) echelons have more sources of information and intelligence than lower (tactical) echelons, giving higher echelons more opportunities to confirm, corroborate, or refute the accuracy of the reported data. The role of higher echelons in evaluating the credibility (or probable truth) of information differs from its role in evaluating the reliability of the source (usually performed best by the echelon closest to the source).

2-14. Information is evaluated for source reliability and accuracy based on a standard system of evaluation ratings for each piece of information, as indicated in table 2-1; reliability is represented by a letter and accuracy by a number. Single-source intelligence personnel assign the rating, and it is essential for all-source personnel to understand the evaluation of validated intelligence sources.

2-15. Reliable and accurate information is integrated into the analytical production. Data that is less reliable or accurate is not discarded; it is retained for possible additional screening with other established information or if new requirements arise that are relevant to existing data.
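
The screening and rating rules in paragraphs 2-11 through 2-15, applied to a small set of reports, as an added Python example that is not part of the publication. Table 2-1 is not reproduced on this page, so the wording of each grade follows the common A-F / 1-6 scale and is an assumption, as are the `Report` fields, the integration thresholds, and the constructed sample reports.

```python
from dataclasses import dataclass

# Two-axis evaluation scale: reliability letter + accuracy number.
# Grade wording is assumed (table 2-1 is not reproduced on this page).
RELIABILITY = {"A": "reliable", "B": "usually reliable", "C": "fairly reliable",
               "D": "not usually reliable", "E": "unreliable", "F": "cannot be judged"}
ACCURACY = {1: "confirmed", 2: "probably true", 3: "possibly true",
            4: "doubtfully true", 5: "improbable", 6: "cannot be judged"}


@dataclass(frozen=True)
class Report:              # hypothetical record layout
    report_id: str
    source: str
    rating: str            # e.g. "B2"
    claim: str             # normalized statement, used to match corroborating reports
    text: str


def parse_rating(rating: str) -> tuple[str, int]:
    """Split 'B2' into ('B', 2); reject anything outside the scale."""
    rating = rating.strip().upper()
    if len(rating) != 2 or rating[0] not in RELIABILITY or not rating[1].isdigit():
        raise ValueError(f"malformed rating: {rating!r}")
    accuracy = int(rating[1])
    if accuracy not in ACCURACY:
        raise ValueError(f"accuracy out of range: {rating!r}")
    return rating[0], accuracy


def is_relevant(report: Report, requirement_terms: set[str]) -> bool:
    """Screen phase: does the report touch the current requirement?"""
    words = set(report.text.lower().replace(",", " ").replace(".", " ").split())
    return bool(words & requirement_terms)


def triage(reports, requirement_terms, max_reliability="C", max_accuracy=3):
    """Sort reports into 'integrate' and 'retain'. Nothing is discarded.

    The thresholds are a hypothetical local policy, not doctrine.
    """
    result = {"integrate": [], "retain": []}
    for r in reports:
        rel, acc = parse_rating(r.rating)
        if not is_relevant(r, requirement_terms):
            result["retain"].append((r, "not relevant to current requirement"))
        elif rel == "F" or acc == 6:
            # Unjudged is not the same as bad: hold it until it can be corroborated.
            result["retain"].append((r, "unjudged, needs corroboration"))
        elif rel <= max_reliability and acc <= max_accuracy:
            result["integrate"].append(r)
        else:
            result["retain"].append((r, "low reliability or accuracy"))
    return result


def corroboration_candidates(result):
    """Pair each unjudged retained report with an integrated report from a
    different source making the same claim, so an analyst can re-rate it."""
    pairs = []
    for held, reason in result["retain"]:
        if not reason.startswith("unjudged"):
            continue
        for good in result["integrate"]:
            if good.claim == held.claim and good.source != held.source:
                pairs.append((held.report_id, good.report_id))
    return pairs


def rescreen(retained, new_terms):
    """A new requirement arrives: run the retained repository through triage again."""
    return triage([r for r, _ in retained], new_terms)


# Constructed sample reports (not real reporting).
SAMPLE_REPORTS = [
    Report("R1", "mail-gateway", "B2", "phishing-finance",
           "Phishing wave against finance staff observed on mail gateway."),
    Report("R2", "forum-post", "F6", "phishing-finance",
           "Anonymous post claims credential phishing against finance staff."),
    Report("R3", "partner-report", "A1", "ddos-dns",
           "Confirmed DDoS against partner DNS resolvers."),
    Report("R4", "social-media", "E5", "credential-dump",
           "Unverified claim of credential dump circulating."),
]

if __name__ == "__main__":
    first = triage(SAMPLE_REPORTS, {"phishing", "credential"})
    print("integrate:", [r.report_id for r in first["integrate"]])
    for r, why in first["retain"]:
        print("retain:", r.report_id, "-", why)
    print("re-rate candidates:", corroboration_candidates(first))
    later = rescreen(first["retain"], {"ddos"})
    print("after new requirement:", [r.report_id for r in later["integrate"]])
```
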

INTEGRATE

2-16. As analysts reach new conclusions about the threat activities during the analyze phase, they should corroborate and correlate this information with prior intelligence holdings using reasoning and analytic techniques. Analysts determine how new information relates to previous analytical conclusions. New information may require analysts to alter or validate initial conclusions. Analysts must continue to evaluate and integrate reliable and accurate information relevant to their mission.

2-17. Analysts resume the analysis based on questions (hypotheses) they established during the screen and analyze phases. At this point, analysts begin to draw conclusions that translate into an initial determination that is likely to require additional analysis and, in certain instances, additional collection. They employ the analytic tradecraft standards to assess probabilities and confidence levels; they employ the action-metrics associated with analytical rigor to draw accurate conclusions. However, some of these conclusions may present alternative COAs not previously considered during IPB. These COAs must be presented to the commander and staff because they might have operational implications.

2-18. Hypotheses are tested and often validated during the integrate phase and become the basis for analytical production. To properly validate the hypotheses, analysts must demonstrate analytical rigor to determine the analytical sufficiency of their conclusions and be willing to present those points that prove the accuracy of their assessment.

PRODUCE

2-19. Intelligence and operational products are mutually supportive and enhance the commander and staff’s situational understanding. Intelligence products are generally categorized by the purpose for which the intelligence was produced. The categories can and do overlap, and the same intelligence and information can be used in each of the categories. JP 2-0 provides an explanation for each of the categories:

  • Warning intelligence.
  • Current intelligence.
  • General military intelligence.
  • Target intelligence.
  • Scientific and technical intelligence.
  • Counterintelligence.
  • Estimative intelligence.
  • Identity intelligence.

2-20. Intelligence analysis results in the production and dissemination of intelligence to the commander and staff. Intelligence analysts produce and maintain a variety of products tailored to the commander and staff and dictated by the current situation, standard operating procedures (SOPs), and battle rhythms.

Note. When disseminating intelligence products, intelligence analysts must recognize when intelligence information at a higher classification is essential for the commander’s awareness. Intelligence analysts and the intelligence staff must adhere to all appropriate U.S. laws, DOD regulations, classification guidelines, and security protocols.

The classification of U.S. intelligence presents a challenge in releasing information during multinational operations, although sharing information and intelligence as much as possible improves interoperability and trust. Commanders and staffs should understand U.S. and other nations’ policies about information sharing, since the early sharing of information (during planning) ensures effective multinational operations.

2-21. An analyst’s ultimate goal is finding threat vulnerabilities and assisting the commander and staff in exploiting those vulnerabilities—despite having answered the commander’s PIR. If the intelligence analysis does not answer the commander’s PIR, the analyst should reexamine the guidance, consider recommending different collection strategies, and review information previously discarded as nonessential.

2-22. In tactical units, analysts must understand that their adjacent and especially their subordinate units may have degraded communications. In those cases, analysts at each echelon must develop their own conclusions and assessments and should use their unit’s primary, alternate, contingency, and emergency (known as PACE) plan to facilitate continuous dissemination of their products and assessments.

Chapter 3

All-Source Analytical Tasks

3-1. Through the application of the all-source analytical tasks, intelligence analysis facilitates commanders and other decision makers’ ability to visualize the OE, organize their forces, and control operations to achieve their objectives. The all-source analytical tasks are—

  • Generate intelligence knowledge.
  • Perform IPB.
  • Provide warnings.
  • Perform situation development.
  • Provide intelligence support to targeting and information operations.

3-2. In any operation, both friendly and threat forces will endeavor to set conditions to develop a position of relative advantage. Setting these conditions begins with generate intelligence knowledge, which provides relevant knowledge about the OE that is incorporated into the Army design methodology and used later during other analytical tasks.

3-3. The continuous assessment of collected information also mitigates risk to friendly forces while identifying opportunities to leverage friendly capabilities to open a window of opportunity. Analysis presents the commander with options for employing multiple capabilities and gaining a position of relative advantage over the threat.

3-4. For each all-source analytical task, the challenge for the intelligence analyst is understanding the unique requirements and considerations based on the situation, operational echelon, and specific mission.

3-5. There are many forms of analysis associated with unique operational activities. One important example of these types of activities is identity activities, which result in identity intelligence. Identity intelligence is the intelligence resulting from the processing of identity attributes concerning individuals, groups, networks, or populations of interest (JP 2-0). Identity activities are described as a collection of functions and actions conducted by maneuver, intelligence, and law enforcement components. Identity activities recognize and differentiate one person from another to support decision making. Identity activities include—

  • The collection of identity attributes and physical materials.
  • The processing and exploitation of identity attributes and physical materials.
  • All-source analytical efforts.
  • The production of identity intelligence and DOD law enforcement criminal intelligence products.
  • The dissemination of those intelligence products to inform policy and strategy development, operational planning and assessment, and the appropriate action at the point of encounter.

GENERATE INTELLIGENCE KNOWLEDGE (ART 2.1.4)

3-6. Generate intelligence knowledge is a continuous task driven by the commander. It begins before receipt of mission and enables the analyst to acquire as much relevant knowledge as possible about the OE for the conduct of operations. Information is obtained through intelligence reach, research, data mining, database access, academic studies, intelligence archives, publicly available information, and other information sources, such as biometrics, forensics, and DOMEX.

 

3-7. Generate intelligence knowledge includes the following five tasks, which facilitate creating a foundation for performing IPB and mission analysis:

  • Develop the foundation to define threat characteristics: Analysts create a database of known hostile threats and define their characteristics in a general location. Analysts can refine and highlight important threats through functional analysis that can be prioritized later during steps 3 and 4 of the IPB process.
  • Obtain detailed terrain information and intelligence: Analysts describe the terrain of a general location and categorize it by environment type. For example, desert and jungle environments have distinguishing characteristics that can assist in analyzing terrain during step 2 of the IPB process.
  • Obtain detailed weather and weather effects information and intelligence: Analysts describe the climatology of a general location and forecast how it would affect future operations. Analysts should rely on the Air Force staff weather officer of their respective echelons to assist in acquiring weather support products, information, and knowledge. If the staff weather officer is not readily available, analysts should use publicly available information and resources. Information regarding climatology characteristics can assist in analyzing weather effects during step 2 of the IPB process.
  • Obtain detailed civil considerations information and intelligence: Analysts identify civil considerations (areas, structures, capabilities, organizations, people, and events [ASCOPE]) within a general location. Analysts can refine this information further when they receive a designated area of interest and can assist in determining how civil considerations will affect friendly and threat operations during step 2 of the IPB process.
  • Complete studies: Although analysts do not have a specific operation, mission, or area of responsibility when generating intelligence knowledge, they can compile information into products based on the commander’s guidance. This supports the commander’s visualization and completes studies for dissemination. Completed studies or products include country briefs, written assessments, or graphics. These products inform the commander and staff on current and historic situations that may affect future operations when a mission is received.

PERFORM INTELLIGENCE PREPARATION OF THE BATTLEFIELD (ART 2.2.1)

3-8. Analytical support begins during the MDMP. The military decision-making process is an iterative planning methodology to understand the situation and mission, develop a course of action, and produce an operation plan or order. Commanders use the MDMP to visualize the OE and the threat, build plans and orders for extended operations, and develop orders for short-term operations within the framework of a long-range plan. During the mission analysis step of the MDMP, intelligence analysts lead the IPB effort; however, they cannot provide all of the information the commander requires for situational understanding. Other staff sections or supporting elements assist in producing and continuously refining intelligence products tailored to the commander’s requirements and the operation.

3-9. As analysts begin the IPB process, they should have a general understanding of their OE based on intelligence produced and acquired when generating intelligence knowledge. IPB is a four-step process:

  • Step 1—Define the OE. The intelligence staff identifies those significant characteristics related to the mission variables of enemy, terrain and weather, and civil considerations that are relevant to the mission. The intelligence staff evaluates significant characteristics to identify gaps and initiate information collection. During step 1, the AO, area of interest, and area of influence must also be identified and established.
  • Step 2—Describe environmental effects on operations. The intelligence staff describes how significant characteristics affect friendly operations. The intelligence staff also describes how terrain, weather, civil considerations, and friendly forces affect threat forces. The entire staff determines the effects of friendly and threat force actions on the population.
  • Step 3—Evaluate the threat. Evaluating the threat is understanding how a threat can affect friendly operations. Step 3 determines threat force capabilities and the doctrinal principles and tactics, techniques, and procedures that threat forces prefer to employ.
  • Step 4—Determine threat COAs. The intelligence staff identifies and develops possible threat COAs that can affect accomplishing the friendly mission. The staff uses the products associated with determining threat COAs to assist in developing and selecting friendly COAs during the COA steps of the MDMP. Identifying and developing all valid threat COAs minimizes the potential of surprise to the commander by an unanticipated threat action.

PROVIDE WARNINGS (ART 2.1.1.1)

3-10. Across the range of military operations, various collection assets provide early warning of threat action. As analysts screen incoming information and message traffic, they provide the commander with advanced warning of threat activities or intentions that may change the basic nature of the operation. These warnings enable the commander and staff to quickly reorient the force to unexpected contingencies and to shape the OE.

3-11. Analysts can use analytic techniques and their current knowledge databases to project multiple scenarios and develop indicators as guidelines for providing warning intelligence. An indicator is, in intelligence usage, an item of information which reflects the intention or capability of an adversary to adopt or reject a course of action (JP 2-0). Analysts project future events and identify event characteristics that can be manipulated or affected. Characteristics that cannot be manipulated or affected should be incorporated into unit SOPs as warning intelligence criteria.

PERFORM SITUATION DEVELOPMENT (ART 2.2.2)

3-12. Intelligence analysis is central to situation development, as it is a process for analyzing information and producing current intelligence concerning the relevant aspects of the OE within the AO before and during operations. Analysts continually produce current intelligence to answer the commander’s requirements, update and refine IPB products, and support transitions to the next phase of an operation.

3-13. Analysts continually analyze the current situation and information to predict the threat’s next objective or intention. During step 3 of the IPB process, analysts compare the current situation with their threat evaluations to project multiple scenarios and develop indicators.

Understanding how the threat will react supports the planning of branches and sequels, affording the commander multiple COAs and flexibility on the battlefield during current operations. For example, observing a threat unit in a defensive posture may indicate an offensive operation within a matter of hours.

Providing this information to the commander enables the staff to pursue a different COA that can place friendly units in a better position of relative advantage. The commander may use a flanking maneuver on the threat since it is in a relatively stationary position, hindering the future offensive operation.

PROVIDE INTELLIGENCE SUPPORT TO TARGETING AND INFORMATION OPERATIONS (ART 2.4)

3-14. Targeting is the process of selecting and prioritizing targets and matching the appropriate response to them, considering operational requirements and capabilities.

3-15. Intelligence analysis, starting with the IPB effort, supports target development and target detection:

  • Intelligence analysis support to target development: Target development involves the systematic analysis of threat forces and operations to determine high-value targets (HVTs) (people, organizations, or military units the threat commander requires for successful completion of the mission), HPTs (equipment, military units, organizations, groups, or specific individuals whose loss to the threat contributes significantly to the success of the friendly COA), and systems and system components for potential engagement through maneuver, fires, electronic warfare, or information operations.
  • Intelligence analysis support to target detection: Intelligence analysts establish procedures for disseminating targeting information. The targeting team develops the sensor and attack guidance matrix to determine the sensors required to detect and locate targets. Intelligence analysts incorporate these requirements into the collection management tools, which assist the operations staff in developing the information collection plan.

3-16. Information operations is the integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own (JP 3-13). Intelligence support to military information operations pertains to the collection of information essential to define the information environment, understand the threat’s information capabilities, and assess or adjust information-related effects. Continuous and timely intelligence is required to accurately identify the information environment across the physical, informational, and cognitive dimensions, including the operational variables (PMESII-PT). Intelligence support to military information operations focuses on the following:

  • Aspects of the information environment that influence, or are influenced by, the threat.
  • Understanding threat information capabilities.
  • Understanding the methods by which messages are transmitted and received in order to assess the cognitive reception and processing of information within the target audience.
  • Assessing information-related effects (target audience motivation and behavior, measure of effectiveness, and information indicators of success or failure).

PART TWO

Task Techniques

Chapter 4

Analytic Techniques

OVERVIEW

 

4-1. Intelligence analysts use cognitive processes and analytic techniques and tools to solve intelligence problems and limit analytical errors. The specific number of techniques and tools applied depends on the mission and situation.

4-2. The following distinguishes between a technique, tool, and method:

  • Technique is a way of doing something by using a special knowledge or skill. An analytic technique is a way of looking at a problem, which results in a conclusion, assessment, or both. A technique usually guides analysts in thinking about a problem instead of providing them with a definitive answer as typically expected from a method.
  • Tool is a component of an analytic technique that facilitates the execution of the technique but does not provide a conclusion or assessment in and of itself. Tools facilitate techniques by allowing analysts to display or arrange information in a way that enables analysis of the information. An example of a tool is a link diagram or a matrix. Not all techniques have an associated tool.
  • Method is a set of principles and procedures for conducting qualitative analysis.

 

APPLYING STRUCTURED ANALYTIC TECHNIQUES

4-3. Structured analysis assists analysts in ensuring their analytic framework—the foundation upon which they form their analytical judgments—is as solid as possible. It entails separating and organizing the elements of a problem and reviewing the information systematically. Structured analytic techniques provide ways for analysts to separate the information into subsets and assess it until they generate a hypothesis found to be either feasible or untrue. Structured analytic techniques—

  • Assist analysts in making sense of complex problems.
  • Allow analysts to compare and weigh pieces of information against each other.
  • Ensure analysts focus on the issue under study.
  • Force analysts to consider one element at a time systematically.
  • Assist analysts in overcoming their logical fallacies and biases.
  • Ensure analysts see the elements of information. This enhances their ability to identify correlations and patterns that would not appear if not depicted outside the mind.
  • Enhance analysts’ ability to collect and review data. This facilitates thinking with a better base to derive alternatives and solutions.

4-4. Applying the appropriate structured analytic technique assists commanders in better understanding and shaping the OE. One technique may not be sufficient to assist in answering PIRs; therefore, analysts should use multiple techniques, time permitting. For example, determining the disposition and composition of the threat in the OE is like attempting to put the pieces of a puzzle together. Employing multiple analytic techniques facilitates the piecing of the puzzle, thus creating a clearer picture.

4-5. For thorough analysis, analysts should incorporate as many appropriate techniques as possible into their workflow. Although this may be more time consuming, analysts become more proficient at using these techniques, ultimately reducing the amount of time required to conduct analysis. The exact techniques and tools incorporated, as well as the order in which to execute them, are mission- and situation-dependent. There is no one correct way to apply these techniques as each analyst’s experience, preference, and situation are influencing factors.

4-6. Analysts can apply structured analytic techniques in the analyze and integrate phases of the intelligence analysis process to assist them in solving analytic problems. The analytic problem can vary depending on the echelon or mission.

4-7. The vast amount of information that analysts must process can negatively affect their ability to complete intelligence assessments in a timely and accurate manner; therefore, analysts should be proficient at using both manual and automated methods to conduct structured analysis. Additionally, analysts conduct analysis from varying environments and echelons in which automation and network connectivity may not be fully mission capable.

Chapter 5
Basic and Diagnostic Structured Analytic Techniques

SECTION I – BASIC STRUCTURED ANALYTIC TECHNIQUES

5-1. Basic structured analytic techniques are the building blocks upon which further analysis is performed. They are typically executed early in the intelligence effort to obtain an initial diagnosis of the intelligence problem through revealing patterns. The basic structured analytic techniques described in this publication are—

  • Sorting technique: Organizing large bodies of data to reveal new insights.
  • Chronologies technique:
    • Displaying data over time.
    • Placing events or actions in order of occurrence.
    • Linearly depicting events or actions.
  • Matrices technique:
    • Organizing data in rows and columns.
    • Comparing items through visual representation.
  • Weighted ranking technique:
    • Facilitating the application of objectivity.
    • Mitigating common cognitive pitfalls.
  • Link analysis technique: Mapping and measuring relationships or links between entities.
  • Event tree and event mapping techniques: Diagramming hypotheses-based scenarios.

5-2. These techniques—

  • Improve assessments by making them more rigorous.
  • Improve the presentation of the finished intelligence in a persuasive manner.
  • Provide ways to measure progress.
  • Identify information gaps.
  • Provide information and intelligence.

SORTING

5-3. Sorting is a basic structured analytic technique used for grouping information in order to develop insights and facilitate analysis. This technique is useful for reviewing massive data stores pertaining to an intelligence challenge. Sorting vast amounts of data can provide insights into trends or abnormalities that warrant further analysis and that otherwise would go unnoticed. Sorting also assists in reviewing multiple categories of information that, when divided into components, present possible trends, similarities, differences, or other insights not readily identifiable.

5-4. Method. The following steps outline the process of sorting:

Step 1: Arrange the information into categories to determine which categories or combination of categories might show trends or abnormalities that would provide insight into the problem being studied.

Step 2: Review the listed facts, information, or hypotheses in the database to identify key fields that may assist in uncovering possible patterns or groupings.

Step 3: Group those items according to the schema of the categories defined in step 1.

Step 4: Choose a category and sort the information within that category. Look for any insights, trends, or oddities.

Step 5: Review (and re-review) the sorted facts, information, or hypotheses to determine alternative ways to sort them. List any alternative sorting schema for the problem. One of the most useful applications of this technique is sorting according to multiple schemas and examining results for correlations between data and categories. For example, analysts identify from the sorted information that most attacks occurring on the main supply route also occur at a specific time.

5-5.  A pattern analysis plot sheet is a common analysis tool for sorting information. It can be configured to determine threat activity as it occurs within a specified time. The pattern analysis plot sheet is a circular matrix and calendar. Each concentric circle represents one day and each wedge in the circle is one hour of the day.
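The multi-schema sort of step 5 and the plot sheet of paragraph 5-5 can be sketched in code. This is an added example, not part of the publication; the event records, location names, and function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample reports: (timestamp, location, activity type).
EVENTS = [
    ("2024-03-01T05:40", "MSR-1", "attack"),
    ("2024-03-01T14:10", "Market", "probe"),
    ("2024-03-02T05:15", "MSR-1", "attack"),
    ("2024-03-02T20:30", "Market", "attack"),
    ("2024-03-03T05:55", "MSR-1", "probe"),
    ("2024-03-03T11:20", "Checkpoint-2", "probe"),
    ("2024-03-04T09:05", "Market", "probe"),
    ("2024-03-04T17:45", "MSR-1", "attack"),
    ("2024-03-05T05:25", "MSR-1", "attack"),
    ("2024-03-05T22:10", "Checkpoint-2", "attack"),
]


def parse(events):
    """Steps 1-2: turn raw reports into records with the key fields to sort on."""
    records = []
    for stamp, location, activity in events:
        t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M")
        records.append({"day": t.date().isoformat(), "hour": t.hour,
                        "location": location, "activity": activity})
    return records


def sort_by(records, *fields):
    """Steps 3-4: group records under one sorting schema (one or more fields)."""
    groups = defaultdict(list)
    for record in records:
        groups[tuple(record[f] for f in fields)].append(record)
    return dict(groups)


def plot_sheet(records):
    """Plot sheet as a grid: one row per day (ring), 24 hour columns (wedges)."""
    grid = {day: [0] * 24 for day in sorted({r["day"] for r in records})}
    for record in records:
        grid[record["day"]][record["hour"]] += 1
    return grid


def hour_totals(grid):
    """Collapse the rings: events per hour-of-day wedge across all days."""
    return [sum(row[h] for row in grid.values()) for h in range(24)]


def hour_concentration(records, field, min_events=3, threshold=0.6):
    """Step 5: for each value of `field`, find an hour holding most of its events.

    Returns {value: (hour, events_in_that_hour, total_events)} for groups where
    one hour accounts for at least `threshold` of the group's events.
    """
    findings = {}
    for key, group in sort_by(records, field).items():
        if len(group) < min_events:
            continue  # too few reports to call anything a pattern
        hour, count = Counter(r["hour"] for r in group).most_common(1)[0]
        if count / len(group) >= threshold:
            findings[key[0]] = (hour, count, len(group))
    return findings


RECORDS = parse(EVENTS)

if __name__ == "__main__":
    print("by location:", hour_concentration(RECORDS, "location"))
    print("by activity:", hour_concentration(RECORDS, "activity"))
    for day, row in plot_sheet(RECORDS).items():
        print(day, "".join(str(n) if n else "." for n in row))
```

Sorting the same records by location surfaces a time pattern that sorting by activity type does not, which is why step 5 asks for more than one schema.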

CHRONOLOGIES

5-7. A chronology is a list that places events or actions in the order they occurred; a timeline is a graphical depiction of those events. Analysts must consider factors that may influence the timing of events. For example, the chronological time of events may be correlated to the lunar cycle (moonset), religious events, or friendly patrol patterns. Timelines assist analysts in making these types of determinations.

5-8. Method. Creating a chronology or timeline involves three steps:
    • Step 1: List relevant events by the date or in order each occurred. Analysts should ensure they properly reference the data.
    • Step 2: Review the chronology or timeline by asking the following questions:
      • What are the temporal distances between key events? If lengthy, what caused the delay? Are there missing pieces of data that may fill those gaps that should be collected?
      • Did analysts overlook pieces of intelligence information that may have had an impact on the events?
      • Conversely, if events seem to happen more rapidly than expected, is it possible that analysts have information related to multiple-event timelines?
      • Are all critical events necessary and shown for the outcome to occur?
      • What are the intelligence gaps?
      • What are indicators for those intelligence gaps?
      • What are the vulnerabilities in the timeline for collection activities?
      • What events outside the timeline could have influenced the activities?
    • Step 3: Summarize the data along the line. Sort each side of the line by distinguishing between types of data. For example, depict intelligence reports above the timeline and depict significant activities below the timeline. Multiple timelines may be used and should depict how and where they converge.

5-9.  Timelines are depicted linearly and typically relate to a single situation or COA. Multilevel timelines allow analysts to track concurrent COAs that may affect each other. Analysts use timelines to postulate about events that may have occurred between known events. They become sensitized to search for indicators, so the missing events are found and charted. Timelines may be used in conjunction with other structured analytic techniques, such as the event tree technique (see paragraph 5-22), to analyze complex networks and associations.

5-10. Figure 5-3 illustrates a time event chart, which is a variation of a timeline using symbols to represent events, dates, and the flow of time. While there is great latitude in creating time event charts, the following should be considered when creating them:

  • Depict the first event as a triangle.
  • Depict successive events as rectangles.
  • Mark noteworthy events with an X across the rectangles.
  • Display the date on the symbol.
  • Display a description below the symbol.
  • If using multiple rows, begin each row from left to right.

MATRICES

5-11. A matrix is a grid with as many cells as required to sort data and gain insight. Whenever information can be incorporated into a matrix, it can provide analytic insight. A matrix can be rectangular, square, or triangular; it depends on the number of rows and columns required to enter the data. Three commonly used matrices are the—

  • Threat intentions matrix—assists in efficiently analyzing information from the threat’s point of view based on the threat’s motivation, goals, and objectives. (See paragraph 5-14.)
  • Association matrix—identifies the existence and type of relationships between individuals as determined by direct contact.
  • Activities matrix—determines connections between individuals and any organization, event, entity, address, activity, or anything other than persons.

5-12. A key feature of the matrices analytic technique is the formulation of ideas of what may occur when one element of a row interacts with the corresponding element of a column. This differs from other matrices, such as the event matrix (described in ATP 2-01.3), in which the elements of the columns and rows do not interact to formulate outcomes; the matrix is primarily used to organize information. Table 5-3 briefly describes when to use the matrices technique, as well as the value added and potential pitfalls associated with using this technique.

5-13. Method. The following steps outline the process for constructing a matrix (see figure 5-4):

  • Step 1: Draw a matrix with enough columns and rows to enter the two sets of data being compared.
  • Step 2: Enter the range of data or criteria along the uppermost horizontal row and the farthest left vertical column leaving a space in the upper left corner of the matrix.
  • Step 3: In the grid squares in between, annotate the relationships, or lack thereof, in the cell at the intersection between two associated data points.
  • Step 4: Review the hypotheses developed about the issue considering the relationships shown in the matrix; if appropriate, develop new hypotheses based on the insight gained from the matrix.

5-14. The following steps pertain to the threat intentions matrix technique (see figure 5-4):

Step 1: Enter the decision options believed to be reasonable from the threat’s viewpoint along the farthest left vertical column.

Step 2: Enter the objectives for each option from the threat’s viewpoint in the objectives column.

Step 3: Enter the benefits for each option from the threat’s viewpoint in the benefits column.

Step 4: Enter the risks for each option from the threat’s viewpoint in the risks column.

Step 5: Fill in the implications column, which transitions the analyst from the threat’s viewpoint to the analyst’s viewpoint. Enter the implications from the threat’s viewpoint and then add a slash (/) and enter the implications from the analyst’s viewpoint.

Step 6: Enter the indicators from the analyst’s viewpoint in the indications column. This provides a basis for generating collection to determine as early as possible which option the threat selected.

WEIGHTED RANKING

5-15. The weighted ranking technique is a systematic approach that provides transparency in the derivation and logic of an assessment. This facilitates the application of objectivity to an analytic problem. To simplify the weighted ranking technique, this publication introduces subjective judgments instead of dealing strictly with hard numbers; however, objectivity is still realized. This technique requires analysts to select and give each criterion a weighted importance from the threat’s viewpoint. Analysts use the criticality, accessibility, recuperability, vulnerability, effect, and recognizability (also called CARVER) matrix tool to employ this technique to support targeting prioritization. (See ATP 3-60.) The insight gained from how each criterion affects the outcome allows for a clear and persuasive presentation and argumentation of the assessment.

5-16. Weighted ranking assists in mitigating common cognitive pitfalls by converting the intelligence problem into a type of mathematical solution. The validity of weighting criteria is enhanced through group discussions, as group members share insights into the threat’s purpose and viewpoint; red hat/team analysis can augment this technique. Weighted ranking uses matrices to compute and organize information.

 

5-17. Method. The following steps describe how to accomplish a simplified weighted ranking review of alternative options:

  • Step 1: Create a matrix and develop all options and criteria related to the analytical issue. Figure 5-5 depicts the options as types of operations and the criteria as the five military aspects of terrain (observation and fields of fire, avenues of approach, key terrain, obstacles, and cover and concealment [OAKOC]).
  • Step 2: Label the left, uppermost column/row of the matrix as options and fill the column with the types of operations generated in step 1.
  • Step 3: List the criteria (OAKOC) generated in step 1 in the top row with one criterion per column.
  • Step 4: Assign weights and list them in parentheses next to each criterion. Depending on the number of criteria, use either 10 or 100 points and divide them based on the analyst’s judgment of each criterion’s relative importance. Figure 5-5 shows how the analyst assigned the weights from the threat’s perspective to the OAKOC factors using 10 points.
  • Step 5: Work across the matrix one option (type of operation) at a time to evaluate the relative ability of the option to satisfy the corresponding criterion from the threat’s perspective. Using the 10-point rating scale, assign 1 as low and 10 as high to rate each option separately. (See figure 5-5 for steps 1 through 5.)
  • Step 6: Work across the matrix again, one option at a time, and multiply the criterion weight by the option rating and record this number in each cell. (See figure 5-6.)
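Steps 1 through 6 can be worked through in code. This is an added example, not part of the publication: the weights, ratings, and option names are constructed (the values in figures 5-5 and 5-6 are not reproduced here), and summing each option's weighted cells into a total, ranking the totals, and testing which criteria decide the outcome go one step beyond the steps listed above.

```python
# Step 4: constructed weights from the threat's perspective, 10 points in total.
CRITERIA_WEIGHTS = {
    "observation": 2,   # observation and fields of fire
    "avenues": 3,       # avenues of approach
    "key_terrain": 2,
    "obstacles": 1,
    "cover": 2,         # cover and concealment
}

# Step 5: constructed ratings, 1 (low) to 10 (high), one row per option.
RATINGS = {
    "attack": {"observation": 6, "avenues": 8, "key_terrain": 5, "obstacles": 4, "cover": 5},
    "defend": {"observation": 8, "avenues": 4, "key_terrain": 8, "obstacles": 7, "cover": 7},
    "delay":  {"observation": 5, "avenues": 6, "key_terrain": 4, "obstacles": 6, "cover": 7},
}


def validate(weights, ratings):
    """Reject a matrix that breaks the rules in steps 4 and 5."""
    if sum(weights.values()) not in (10, 100):
        raise ValueError("criterion weights must total 10 or 100 points")
    for option, row in ratings.items():
        if set(row) != set(weights):
            raise ValueError(f"{option}: every criterion needs exactly one rating")
        for criterion, rating in row.items():
            if not 1 <= rating <= 10:
                raise ValueError(f"{option}/{criterion}: rating {rating} outside 1-10")


def weighted_cells(weights, ratings):
    """Step 6: multiply the criterion weight by the option rating, cell by cell."""
    validate(weights, ratings)
    return {option: {c: weights[c] * row[c] for c in weights}
            for option, row in ratings.items()}


def rank_options(weights, ratings):
    """Beyond step 6: total each row and order options from highest to lowest."""
    cells = weighted_cells(weights, ratings)
    totals = {option: sum(row.values()) for option, row in cells.items()}
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


def decisive_criteria(weights, ratings):
    """Criteria whose removal changes the top-ranked option.

    A short list means the ranking rests on a few subjective judgments that
    deserve a second look in group discussion.
    """
    cells = weighted_cells(weights, ratings)
    baseline = rank_options(weights, ratings)[0][0]
    decisive = []
    for dropped in weights:
        totals = {option: sum(v for c, v in row.items() if c != dropped)
                  for option, row in cells.items()}
        top = min(totals, key=lambda option: (-totals[option], option))
        if top != baseline:
            decisive.append(dropped)
    return decisive


if __name__ == "__main__":
    for option, total in rank_options(CRITERIA_WEIGHTS, RATINGS):
        print(f"{option:8s} {total}")
    print("decisive criteria:", decisive_criteria(CRITERIA_WEIGHTS, RATINGS))
```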

 

LINK ANALYSIS

5-18. Link analysis, often known as network analysis, is a technique used to evaluate the relationships between several types of entities such as organizations, individuals, objects, or activities. Visualization tools augment this technique by organizing and displaying data and assisting in identifying associations within complex networks. Although analysts can perform link analysis manually, they often use software to aid this technique.

5-19. Analysts may use link analysis to focus on leaders and other prominent individuals, who are sometimes critical factors in the AO. Analysts use personality files—often obtained from conducting identity activities using reporting and biometrics, forensics, and DOMEX data—to build organizational diagrams that assist them in determining relationships between critical personalities and their associations to various groups or activities. This analysis is critical in determining the roles and relationships of many different people and organizations and assessing their loyalties, political significance, and interests.

5-20. Method. The following steps describe how to construct a simple link analysis diagram:

Step 1: Extract entities and the information about their relationships from intelligence holdings that include but are not limited to biometrics, forensics, and DOMEX information.

Step 2: Place entity associations into a link chart using link analysis software or a spreadsheet or by drawing them manually:

    • Use separate shapes for different types of entities, for example, circles for people, rectangles for activities, and triangles for facilities. (See figure 5-7 on page 5-10.)
    • Use colored and varying types of lines to show different activities, for example, green solid lines for money transfers, blue dotted lines for communications, and solid black lines for activities. This differentiation typically requires a legend. (See figure 5-7 on page 5-10.)

Step 3: Analyze the entities and links in the link chart.

Step 4: Review the chart for gaps, significant relationships, and the meaning of the relationships based on the activity occurring. Ask critical questions of the data such as—

  • Which entity is central or key to the network?
  • Who or what is the initiator of interactions?
  • What role does each entity play in the network?
  • Who or what forms a bridge or liaison between groups or subgroups?
  • How have the interactions changed over time?
  • Which nodes should be targeted for collection or defeat?

Step 5: Summarize what is observed in the chart and draw interim hypotheses about the relationships.

5-21. The three types of visualization tools used in link analysis to record and visualize information are—

  • Link diagram.
  • Association matrix.
  • Activities matrix.
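Two of the step 4 questions, which entity is central and which entity bridges subgroups, have direct graph computations. This is an added example, not part of the publication; the entities, links, and function names are constructed, and degree count and articulation points are one common way to answer those two questions, not a method the publication prescribes.

```python
# Constructed entities: identifier -> entity type (the "shape" in a link chart).
ENTITIES = {
    "P1": "person", "P2": "person", "P3": "person", "P4": "person",
    "P5": "person", "P6": "person", "P7": "person", "F1": "facility",
}

# Constructed links: (entity, entity, link type). The link type plays the role
# of the line colour/style in the chart legend.
LINKS = [
    ("P1", "P2", "communications"), ("P1", "P3", "communications"),
    ("P1", "P7", "money transfer"), ("P2", "P3", "communications"),
    ("P2", "P7", "communications"), ("P3", "P7", "money transfer"),
    ("P3", "P4", "communications"), ("P4", "P5", "money transfer"),
    ("P5", "P6", "communications"), ("P5", "F1", "activity"),
    ("P6", "F1", "activity"),
]


def build_adjacency(entities, links):
    """Step 2: place entity associations into an undirected link structure."""
    adjacency = {entity: set() for entity in entities}
    for a, b, _link_type in links:
        if a not in adjacency or b not in adjacency:
            raise ValueError(f"link references unknown entity: {a} - {b}")
        adjacency[a].add(b)
        adjacency[b].add(a)
    return adjacency


def degree_ranking(adjacency):
    """Entities ordered by number of direct links (a simple centrality measure)."""
    return sorted(((e, len(n)) for e, n in adjacency.items()),
                  key=lambda item: (-item[1], item[0]))


def bridge_entities(adjacency):
    """Entities whose removal splits the network (articulation points, DFS-based)."""
    discovered, low, found = {}, {}, set()
    counter = [0]

    def visit(node, parent):
        counter[0] += 1
        discovered[node] = low[node] = counter[0]
        children = 0
        for neighbour in sorted(adjacency[node]):
            if neighbour == parent:
                continue
            if neighbour in discovered:
                low[node] = min(low[node], discovered[neighbour])
            else:
                children += 1
                visit(neighbour, node)
                low[node] = min(low[node], low[neighbour])
                # No path from the subtree back above `node`: node is a bridge.
                if parent is not None and low[neighbour] >= discovered[node]:
                    found.add(node)
        if parent is None and children > 1:
            found.add(node)

    for node in sorted(adjacency):
        if node not in discovered:
            visit(node, None)
    return sorted(found)


def association_matrix(entities, adjacency):
    """Person-to-person direct contact, as in the association matrix of 5-21."""
    persons = sorted(e for e, kind in entities.items() if kind == "person")
    return {p: {q: q in adjacency[p] for q in persons if q != p} for p in persons}


ADJACENCY = build_adjacency(ENTITIES, LINKS)

if __name__ == "__main__":
    print("most linked:", degree_ranking(ADJACENCY)[:3])
    print("bridges:", bridge_entities(ADJACENCY))
```

In this constructed network P4 has only two links yet is the sole connection between the two groups, so a degree count alone would miss it.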

 

EVENT TREE

5-22. The event tree is a structured analytic technique that enables analysts to depict a possible sequence of events, including the potential branches of that sequence in a graphical format. An event tree works best when there are multiple, mutually exclusive options that cover the spectrum of reasonable alternatives. It clarifies the presumed sequence of events or decisions between an initiating event and an outcome. Table 5-6 briefly describes when to use the event tree technique, as well as the value added and potential pitfalls associated with using this technique. The following are pointers for analysts using the event tree technique:

  • Use this technique in conjunction with weighted ranking, hypothesis-review techniques, and subjective probability to gain added insights.
  • Leverage the expertise of a group of analysts during the construction of an event tree to ensure all events, factors, and decision options are considered.

5-23. Method. The following outlines the steps for creating event trees (see figure 5-10):

  • Step 1: Identify the intelligence issue/problem (antigovernment protest in Egypt).
  • Step 2: Identify the mutually exclusive and complete set of hypotheses that pertain to the intelligence issue/problem (Mubarak resigns or Mubarak stays).
  • Step 3: Decide which events, factors, or decisions (such as variables) will have the greatest influence on the hypotheses identified in step 2.
  • Step 4: Decide on the sequencing for when these factors are expected to occur or affect one another.
  • Step 5: Determine the event options (Mubarak stays—hardline, reforms, some reforms) within each hypothesis and establish clear definitions for each event option to ensure collection strategies to monitor events are effective.
  • Step 6: Construct the event tree from left to right. Each hypothesis is a separate main branch. Start with the first hypothesis and have one branch from this node for each realistic path the first event can take. Proceed down each event option node until the end state for that subbranch is reached. Then move to the next hypothesis and repeat the process.
  • Step 7: Determine what would indicate a decision has been made at each decision point for each option to use in generating an integrated collection plan.
  • Step 8: Assess the implications of each hypothesis on the intelligence problem.

THE BASICS OF ANALYTIC DESIGN

9-4. Managing long-term analytical assessments is accomplished by performing seven analytic design steps, as shown in figure 9-1 on page 9-2:

  • Step 1: Frame the question/issue.
  • Step 2: Review and assess knowledge.
  • Step 3: Review resources.
  • Step 4: Select the analytic approach/methodology and plan project.
  • Step 5: Develop knowledge.
  • Step 6: Perform analysis.
  • Step 7: Evaluate analysis.

EVENT MAPPING

5-24. The event mapping technique uses brainstorming to assist in diagraming scenarios/elements stemming from analyst-derived hypotheses. Scenarios/Elements are linked around a central word or short phrase representing the issue/problem to be analyzed.

5-25. Event mapping scenarios/elements are arranged intuitively based on the importance of the concepts, and they are organized into groups, branches, or areas. Using the radial diagram format in event mapping assists in mitigating some bias, such as implied prioritization, anchoring, or other cognitive biases derived from hierarchy or sequential arrangements.

5-26. Method. The following outlines the steps for applying event maps (see figure 5-11):

Step 1: Place the word or symbol representing the issue/problem to be analyzed in the center of the medium from which the event map will be constructed.

Step 2: Add symbols/words to represent possible actions/outcomes around the central issue/problem.

Step 3: Link the possible actions/outcomes to the central issue or problem. If desired, use colors to indicate the major influence the link represents. For example, use green for economic links, red for opposition groups, or purple for military forces. Colors may also be used to differentiate paths for ease of reference.

Step 4: Continue working outward, building the scenario of events into branches and subbranches for each hypothesis in detail.

Step 5: If ideas end, move to another area or hypothesis.

Step 6: When creativity wanes, stop and take a break. After the break, return and review the map and make additions and changes as desired.

Step 7: As an option, number the links or decision points for each hypothesis. On a separate piece of paper, write down the evidence for each number to be collected that would disprove that link or decision. Use the lists for each number to develop an integrated collection strategy for the issue/problem.

SECTION II – DIAGNOSTIC STRUCTURED ANALYTIC TECHNIQUES

5-27. Diagnostic structured analytic techniques make analytical arguments, assumptions, and/or intelligence gaps more transparent. They are often used in association with most other analytic techniques to strengthen analytical assessments and conclusions. The most commonly used diagnostic techniques are—

  • Key assumptions check technique: Reviewing assumptions that form the analytical judgments of the problem.
  • Quality of information check technique:
    • Source credibility and access.
    • Plausibility of activity.
    • Imminence of activity.
    • Specificity of activity.
  • Indicators/Signposts of change technique:
    • Identifying a set of competing hypotheses.
    • Creating lists of potential or expected events.
    • Reviewing/Updating indicator lists.
    • Identifying most likely hypotheses.

 

5-30. Method. Checking for key assumptions requires analysts to consider how their analysis depends on the validity of certain evidence. The following four-step process assists analysts in checking key assumptions:

  • Step 1: Review what the current analytic line of thinking on the issue appears to be:
    • What do analysts think they know?
    • What key details assist analysts in accepting that the assumption is true?
  • Step 2: Articulate the evidence, both stated and implied in finished intelligence, accepted as true.
  • Step 3: Challenge the assumption by asking why it must be true and is it valid under all conditions. What is the degree of confidence in those initial answers?
  • Step 4: Refine the list of key assumptions to contain only those that must be true in order to sustain the analytic line of thinking. Consider under what circumstances or based on what information these assumptions might not be true.

5-31. Analysts should ask the following questions during this process:

    • What is the degree of confidence that this assumption is true?
    • What explains the degree of confidence in the assumption?
    • What circumstances or information might undermine this assumption?
    • Is a key assumption more likely a key uncertainty or key factor?
    • If the assumption proves to be wrong, would it significantly alter the analytic line of thinking? How?
    • Has this process identified new factors that require further analysis?

QUALITY OF INFORMATION CHECK

5-32. Weighing the validity of sources is a key feature of any analytical assessment. Establishing how much confidence analysts have in their analytical judgments should be based on the information’s reliability and accuracy. Analysts should perform periodic checks of the information for their analytical judgments; otherwise, important analytical judgments may become anchored to poor-quality information.

5-33. Determining the quality of information independent of the source of the information is important in ensuring that neither unduly influences the other. Not understanding the context in which critical information has been provided makes it difficult for analysts to assess the information’s validity and establish a confidence level in the intelligence assessment. A typically reliable source can knowingly report inaccurate information, and a typically unreliable source can sometimes report high-quality information. Therefore, it is important to keep the two reviews—source and information—separate.

This technique—

  • Provides the foundation for determining the confidence level of an assessment and clarity to an analyst’s confidence level in the assessment.
  • Provides an opportunity to catch interpretation errors and mitigate assimilation or confirmation bias based on the source:
    • Assimilation bias is the modification and elaboration of new information to fit prior conceptions or hypotheses. The bias is toward confirming a preconceived answer.
    • Confirmation bias refers to the conditions that cause analysts to undervalue or ignore evidence that contradicts an early judgment and value evidence that tends to confirm already held assessments.
  • Identifies intelligence gaps and potential denial and deception efforts.

5-34. Method. For an information review to be fully effective, analysts need as much background information on sources as is possible. At a minimum, analysts should perform the following steps:

  • Step 1: Review all sources of information for accuracy; identify any of the more critical or compelling sources. (For example, a human source with direct knowledge is compelling.)
  • Step 2: Determine if analysts have sufficient and/or strong collaboration between the information sources.
  • Step 3: Reexamine previously dismissed information considering new facts or circumstances.
  • Step 4: Ensure any circular reporting is identified and properly flagged for other analysts; analysis based on circular reporting should also be reviewed to determine if the reporting was essential to the judgments made. (For example, a human source’s purpose for providing information may be to deceive.)
  • Step 5: Consider whether ambiguous information has been interpreted and qualified properly. (For example, a signals intelligence transcript may be incomplete.)
  • Step 6: Indicate a level of confidence analysts can place on sources that may likely figure into future analytical assessments.

Note. Analysts should consciously avoid relating the source to the information until the quality of information check is complete. If relating the source to the quality of information changes the opinion of the information, analysts must ensure they can articulate why. Analysts should develop and employ a spreadsheet to track the information and record their confidence levels in the quality of information as a constant reminder of the findings.

INDICATORS/SIGNPOSTS OF CHANGE

5-36. The indicators/signposts of change technique is primarily a diagnostic tool that assists analysts in identifying persons, activities, developments, or trends of interest. Indicators/Signposts of change are often tied to specific scenarios created by analysts to help them identify which scenario is unfolding. Indicators/Signposts of change are a preestablished set of observable phenomena periodically reviewed to help track events, spot emerging trends, and warn of unanticipated change. These observable phenomena are events expected to occur if a postulated situation is developing. For example, some of the observable events of a potential protest include—

  • The massive gathering of people at a specific location.
  • People’s rallying cries posted as messages on social media.
  • An adjacent country’s aggressive national training and mobilization drills outside of normal patterns.

5-37. Analysts and other staff members create a list of these observable events; the detection and confirmation of these indicators enable analysts to answer specific information requirements that answer PIRs. Collection managers often use these lists to help create an intelligence collection plan.

5-38. This technique aids other structured analytic techniques that require hypotheses generation as analysts create indicators that can confirm or deny these hypotheses. Analysts may use indicators/signposts of change to support analysis during all operations of the Army’s strategic roles and to assist them in identifying a change in the operations.

5-39. Method. Whether used alone or in combination with other structured analysis, the process is the same. When developing indicators, analysts start from the event, work backwards, and include as many indicators as possible. The following outlines the steps to the indicators/signposts of change technique:

  • Step 1: Identify a set of competing hypotheses or scenarios.
  • Step 2: Create separate lists of potential activities, statements, or events expected for each hypothesis or scenario.
  • Step 3: Regularly review and update the indicator lists to see which are changing.
  • Step 4: Identify the most likely or most correct hypothesis or scenario based on the number of changed indicators observed.

 

Chapter 6
Advanced Structured Analytic Techniques

SECTION I – CONTRARIAN STRUCTURED ANALYTIC TECHNIQUES

6-1. Contrarian structured analytic techniques challenge ongoing assumptions and broaden possible outcomes. They assist analysts in understanding threat intentions, especially when not clearly stated or known. Contrarian techniques explore the problem from different (often multiple) perspectives. This allows analysts to better accept analytic critique and grant greater avenues to explore and challenge analytical arguments and mindsets. Proper technique application assists analysts in ensuring preconceptions and assumptions are thoroughly examined and tested for relevance, implication, and consequence.

6-2. The contrarian structured analytic techniques described in this publication are—

  • Analysis of competing hypotheses (ACH) technique: Evaluating multiple hypotheses through a competitive process in order to reach unbiased conclusions and attempting to corroborate results.
  • Devil’s advocacy technique: Challenging a single, strongly held view or consensus by building the best possible case for an alternative explanation.
  • Team A/Team B technique: Using separate analytic teams that contrast two (or more) strongly held views or competing hypotheses.
  • High-impact/Low-probability analysis technique: Highlighting an unlikely event that would have major consequences if it happened.
  • What if? analysis technique: Assuming an event has occurred with potential (negative or positive) impacts and explaining how it might happen.

ANALYSIS OF COMPETING HYPOTHESES

6-3. Analysts use ACH to evaluate multiple competing hypotheses in order to foster unbiased conclusions. Analysts identify alternative explanations (hypotheses) and evaluate all evidence that will disconfirm rather than confirm hypotheses. While a single analyst can use ACH, it is most effective with a small team of analysts who can challenge each other’s evaluation of the evidence.

6-4. ACH requires analysts to explicitly identify all reasonable alternatives and evaluate them against each other rather than evaluate their plausibility one at a time. ACH involves seeking evidence to refute hypotheses. The most probable hypothesis is usually the one with the least evidence against it, not the one with the most evidence for it. Conventional analysis generally entails looking for evidence to confirm a favored hypothesis.

6-5. Method. Simultaneous evaluation of multiple competing hypotheses is difficult to accomplish without using tools. Retaining these hypotheses in working memory and then assessing how each piece of evidence interacts with each hypothesis is beyond the mental capabilities of most individuals. To manage the volume of information, analysts use a matrix as a tool to complete ACH. (See figure 6-1.) The following outlines the steps used to complete ACH:

 

Step 1: Identify the intelligence problem.

Step 2: Identify all possible hypotheses related to the intelligence problem.

Step 3: Gather and make a list of all information related to the intelligence problem.

Step 4: Prepare a matrix with each hypothesis across the top and each piece of information down the left side.

Step 5: Determine if each piece of information is consistent or inconsistent with each hypothesis.

Step 6: Refine the matrix. Reconsider the hypotheses and remove information that has no diagnostic value.

Step 7: Draw tentative conclusions about the relative likelihood of each hypothesis.

Step 8: Analyze if conclusions rely primarily on a few critical pieces of information.

Step 9: Report conclusions.

Step 10: Identify milestones for future observation that may indicate events are taking a different course than expected.
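The matrix work in steps 4 through 8, as an added example that is not part of the publication. The scenario, hypotheses, information items and ratings are constructed, and the neutral rating "N" is an assumption beyond the consistent/inconsistent judgment in step 5.

```python
# Added ACH example: scenario, hypotheses, information and ratings are
# constructed for illustration and do not come from the publication.

# Steps 1-2: the problem is "why did a file server send an unusually large
# volume of data outbound overnight?", with three competing hypotheses.
HYPOTHESES = [
    "H1 misconfigured backup job",
    "H2 unauthorized data transfer",
    "H3 log-shipping backlog",
]

# Steps 3-5: one row per piece of information, one rating per hypothesis.
# "C" = consistent, "I" = inconsistent, "N" = neutral (assumed third rating).
MATRIX = {
    "E1 spike began at 02:00":                          ["C", "C", "C"],
    "E2 destination is an address we do not own":       ["I", "C", "I"],
    "E3 volume equals the nightly backup set size":     ["C", "N", "I"],
    "E4 transfer ran under the backup service account": ["C", "N", "I"],
    "E5 backup configuration unchanged for 90 days":    ["I", "N", "N"],
    "E6 no new logins or authentication anomalies":     ["C", "I", "C"],
}


def validate(matrix, hypotheses):
    """Reject rows with a missing rating or an unknown rating symbol."""
    for info, ratings in matrix.items():
        if len(ratings) != len(hypotheses):
            raise ValueError(f"{info!r}: expected {len(hypotheses)} ratings")
        unknown = set(ratings) - {"C", "I", "N"}
        if unknown:
            raise ValueError(f"{info!r}: unknown ratings {sorted(unknown)}")


def refine(matrix):
    """Step 6: drop information rated the same for every hypothesis;
    it cannot separate the hypotheses, so it has no diagnostic value."""
    return {info: r for info, r in matrix.items() if len(set(r)) > 1}


def inconsistency(matrix, hypotheses):
    """Count the information items that argue against each hypothesis."""
    scores = dict.fromkeys(hypotheses, 0)
    for ratings in matrix.values():
        for hypothesis, rating in zip(hypotheses, ratings):
            if rating == "I":
                scores[hypothesis] += 1
    return scores


def leaders(matrix, hypotheses):
    """Step 7: the hypothesis (or tied hypotheses) with the least
    evidence against it, not the one with the most evidence for it."""
    scores = inconsistency(matrix, hypotheses)
    lowest = min(scores.values())
    return sorted(h for h, s in scores.items() if s == lowest)


def critical_information(matrix, hypotheses):
    """Step 8: items whose removal changes which hypotheses lead.
    A conclusion resting on these items is only as good as they are."""
    baseline = leaders(matrix, hypotheses)
    critical = []
    for info in matrix:
        reduced = {k: v for k, v in matrix.items() if k != info}
        if leaders(reduced, hypotheses) != baseline:
            critical.append(info)
    return critical


def render(matrix, hypotheses):
    """Step 4 layout: hypotheses across the top, information down the side."""
    width = max((len(info) for info in matrix), default=0)
    head = " " * width + "  " + "  ".join(h.split()[0] for h in hypotheses)
    rows = [f"{info:<{width}}  " + "   ".join(r) for info, r in matrix.items()]
    return "\n".join([head] + rows)


if __name__ == "__main__":
    validate(MATRIX, HYPOTHESES)
    refined = refine(MATRIX)
    print(render(refined, HYPOTHESES))
    print("inconsistency:", inconsistency(refined, HYPOTHESES))
    print("least evidence against:", leaders(refined, HYPOTHESES))
    print("conclusion depends on:", critical_information(refined, HYPOTHESES))
```

With this constructed data, removing either E2 or E5 leaves H1 and H2 tied, so those two items are the ones to re-verify before reporting.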

 

DEVIL’S ADVOCACY

6-6. Analysts use the devil’s advocacy technique for reviewing proposed analytical conclusions. They are usually not involved in the deliberations that led to the proposed analytical conclusion. Devil’s advocacy is most effective when used to challenge an analytic consensus or a key assumption about a critically important intelligence question. In some cases, analysts can review a key assumption and present a product that depicts the arguments and data that support a contrary assessment. Devil’s advocacy can provide further confidence that the current analytic line of thought will endure close scrutiny.

Devil’s advocacy can lead analysts to draw one of three conclusions:

  • Analysts ignored data or key lines of argument that undermine their analysis and should restart the analysis process.
  • The analysis is sound, but more research is warranted in select areas.
  • Key judgments are valid, but a higher level of confidence in the bottom-line judgments is warranted.

6-7. Method. The following outlines the steps for the devil’s advocacy technique:

    • Step 1: Present the main analytical conclusion.
    • Step 2: Outline the main points and key assumptions and characterize the evidence supporting the current analytical view.
    • Step 3: Select one or more assumptions that appear the most susceptible to challenge.
    • Step 4: Review the data used to determine questionable validity, possible deception, and the existence of gaps.
    • Step 5: Highlight evidence that supports an alternative hypothesis or contradicts current thinking.
    • Step 6: Present findings that demonstrate flawed assumptions, poor evidence, or possible deception.

6-8. Analysts should consider the following when conducting the devil’s advocacy technique:

  • Sources of uncertainty.
  • Diagnosticity of evidence.
  • Anomalous evidence.
  • Changes in the broad environment.
  • Alternative decision models.
  • Availability of cultural expertise.
  • Indicators of possible deception.
  • Information gaps.

TEAM A/TEAM B

6-9. Team A/Team B is a process for comparing, contrasting, and clarifying two (or more) equally valid analytical assessments. Multiple teams of analysts perform this process, each working along different lines of analysis. Team A/Team B involves separate analytic teams that analyze two (or more) views or competing hypotheses. Team A/Team B is different from devil’s advocacy, which challenges a single dominant mindset instead of comparing two (or more) strongly held views. Team A/Team B recognizes that there may be competing, and possibly equally strong, mindsets on an issue that needs to be clarified. A key requirement to ensure technique success is equally experienced competing mindsets. This mitigates unbalanced arguments.

6-10. Method. The following outlines the steps of the Team A/Team B technique (see figure 6-2):

Step 1: Identify the two (or more) competing hypotheses.
Step 2: Form teams and designate individuals to develop the best case for each hypothesis.

Step 3: Review information that supports each respective position.
Step 4: Identify missing information that would support or bolster the hypotheses.
Step 5: Prepare a structured argument with an explicit discussion of—

  • Key assumptions.
  • Key evidence.
  • The logic behind the argument.

Step 6: Set aside the time for a formal debate or an informal brainstorming session.

Step 7: Have an independent jury of peers listen to the oral presentation and be prepared to question the teams about their assumptions, evidence, and/or logic.

Step 8: Allow each team to present its case, challenge the other team’s argument, and rebut the opponent’s critique of its case.

Step 9: The jury considers the strength of each presentation and recommends possible next steps for further research and collection efforts.

 

HIGH-IMPACT/LOW-PROBABILITY ANALYSIS

6-11. The high-impact/low-probability analysis technique sensitizes analysts to the potential impact that seemingly low-probability events could have on U.S. forces. New and often fragmentary data suggesting that a previously unanticipated event might occur is a trigger for applying this technique.

6-12. Mapping out the course of an unlikely, yet plausible event may uncover hidden relationships between key factors and assumptions; it may also alert analysts to oversights in the analytic line of thought. This technique can augment hypotheses-generating analytic techniques.

6-13. The objective of high-impact/low-probability analysis is exploring whether an increasingly credible case can be made for an unlikely event occurring that could pose a major danger or open a window of opportunity.

6-14. Method. An effective high-impact/low-probability analysis involves the following steps:

  • Step 1: Define the high-impact outcome clearly. This will justify examining what may be deemed a very unlikely development.
  • Step 2: Devise one or more plausible pathways to the low-probability outcome. Be precise, as it may aid in developing indicators for later monitoring.
  • Step 3: Insert possible triggers or changes in momentum if appropriate (such as natural disasters, sudden key leader health problems, or economic or political turmoil).
  • Step 4: Brainstorm plausible but unpredictable triggers of sudden change.
  • Step 5: Identify a set of indicators for each pathway that help anticipate how events are likely to develop and periodically review those indicators.
  • Step 6: Identify factors that could deflect a bad outcome or encourage a positive one.

“WHAT IF?” ANALYSIS

6-15. “What if?” analysis is a technique for challenging a strong mindset that an event will not occur or that a confidently made forecast may not be entirely justified. “What if?” analysis is similar to high-impact/low-probability analysis; however, it does not focus on the consequences of an unlikely event. “What if?” analysis attempts to explain how the unlikely event might transpire. It also creates an awareness that prepares analysts to recognize early signs of a significant change.

6-16. “What if?” analysis can also shift focus from asking whether an event will occur to working from the premise that it has occurred. This allows analysts to determine how the event might have happened. This technique can augment hypotheses-generating analytic techniques using multiple scenario generation or ACH. “What if?” analysis shifts the question from “How likely is the event?” to the following:

    • How could the event possibly occur?
    • What would be the impact of the event?
    • Has the possibility of the event happening increased?

6-17. Like other contrarian techniques, “what if?” analysis must begin by stating the conventional analytic line of thought and then stepping back to consider alternative outcomes that are too important to dismiss no matter how unlikely.

6-18. Method. The “what if?” analysis steps are similar to the high-impact/low-probability analysis steps once analysts have established the event itself:

  • Step 1: Assume the event has happened.
  • Step 2: Select some triggering events that permitted the scenario to unfold to help make the “what if?” more plausible (for example, the death of a key leader, a natural disaster, an economic or political event that might start a chain of other events).
  • Step 3: Develop a chain of reasoning based on logic and evidence to explain how this outcome could have occurred.
  • Step 4: Think backwards from the event in concrete ways, specifying what must occur at each stage of the scenario.
  • Step 5: Identify one or more plausible pathways to the event; it is likely that more than one will appear possible.
  • Step 6: Generate an indicators/signposts of change list to detect the beginnings of the event.
  • Step 7: Consider the scope of positive and negative consequences and their relative impact.
  • Step 8: Monitor the indicators developed periodically.

SECTION II – IMAGINATIVE STRUCTURED ANALYTIC TECHNIQUES

6-19. Imaginative structured analytic techniques assist analysts in approaching an analytic problem from different and multiple perspectives. This technique also broadens analysts’ selection of potential COAs, thus reducing the chance of missing unforeseen outcomes. Imaginative techniques facilitate analysts’ ability to forecast events and generate ideas creatively. Additionally, the proper application of imaginative techniques can assist in identifying differences in perspectives and different assumptions among analytic team members. The most commonly used imaginative techniques are—

  • Brainstorming technique: Generating new ideas and concepts through unconstrained groupings.
  • Functional analysis technique:
    • Identifying threat vulnerabilities through knowledge of threat capabilities.
    • Identifying windows of opportunity and threat vulnerabilities.
  • Outside-in thinking technique: Identifying the full range of basic factors and trends that indirectly shape an issue.
  • Red hat/team analysis technique: Modeling the behavior of an individual or group by trying to replicate how a threat would think about an issue.

BRAINSTORMING

6-20. Brainstorming is a widely used technique for stimulating new thinking; it can be applied to most other structured analytic techniques as an aid to thinking. Brainstorming is most effective when analysts have a degree of subject matter expertise on the topic of focus.

6-21. Brainstorming should be a very structured process to be most productive. An unconstrained, informal discussion might produce some interesting ideas, but usually a more systematic process is the most effective way to break down mindsets and produce new insights. The process involves a divergent thinking phase to generate and collect new ideas and insights, followed by a convergent thinking phase for grouping and organizing ideas around key concepts.

 

6-22. Method. As a two-phase process, brainstorming elicits the most information from brainstorming participants:

Phase 1—Divergent thinking phase:

  • Step 1: Distribute a piece of stationery with adhesive and pens/markers to all participants. Typically, a group of 10 to 12 people works best.
  • Step 2: Pose the problem in terms of a focal question. Display it in one sentence on a large easel or whiteboard.
  • Step 3: Ask the group to write down responses to the question, using key words that will fit on the small piece of stationery.
  • Step 4: Stick all of the notes on a wall for all to see—treat all ideas the same.
  • Step 5: When a pause follows the initial flow of ideas, the group is reaching the end of its collective conventional thinking, and new divergent ideas are then likely to emerge. End phase 1 of the brainstorming after two or three pauses.

Phase 2—Convergent thinking phase:

Step 6: Ask group participants to rearrange the notes on the wall according to their commonalities or similar concepts. Discourage talking. Some notes may be moved several times as they begin to cluster. Copying some notes is permitted to allow ideas to be included in more than one group.

Step 7: Select a word or phrase that characterizes each grouping or cluster once all of the notes have been arranged.

Step 8: Identify any notes that do not easily fit with others and consider them as either isolated thoughts or the beginning of an idea that deserves further attention.

Step 9: Assess what the group has accomplished in terms of new ideas or concepts identified or new areas that require more work or further brainstorming.

Step 10: Instruct each participant to select one or two areas that deserve the most attention. Tabulate the votes.

Step 11: Set the brainstorming group’s priorities based on the voting and decide on the next steps for analysis.

 

FUNCTIONAL ANALYSIS USING CRITICAL FACTORS ANALYSIS

6-23. Critical factors analysis (CFA) is an overarching analytic framework that assists analysts in identifying threat critical capabilities, threat critical requirements, and threat critical vulnerabilities that they can integrate into other structured analytic techniques. This assists friendly forces in effectively identifying windows of opportunity and threat vulnerabilities. At echelons above corps, CFA assists in identifying threat centers of gravity that friendly forces can use for operational planning:

    • Critical capability is a means that is considered a crucial enabler for a center of gravity to function as such and is essential to the accomplishment of the specified or assumed objective(s) (JP 5-0).
    • Critical requirement is an essential condition, resource, or means for a critical capability to be fully operational (JP 5-0).
    • Critical vulnerability is an aspect of a critical requirement which is deficient or vulnerable to direct or indirect attack that will create decisive or significant effects.

6-24. To conduct CFA successfully, identify threat critical capabilities. The more specific the threat critical capability, the more specificity analysts can apply to threat critical capabilities, requirements, and vulnerabilities. CFA is more effective when conducted by a team of experienced analysts. Additionally, structured brainstorming can amplify this technique. Analysts can determine windows of opportunity by identifying the common denominator or entity that encompasses those identified threat critical capabilities, requirements, and vulnerabilities.

6-25. Method. The following outlines those steps necessary to conduct CFA (see figure 6-3 on page 6-10):

  • Step 1: Create a quad-chart. Identify a specific threat mission objective.
  • Step 2: Identify all threat critical capabilities that are essential to achieve the threat mission objective and input in the top-right quadrant of the chart. (Threat must be able to achieve X.)
  • Step 3: Identify all threat critical requirements—conditions or resources integral to critical capabilities developed in step 1—and input in the bottom-right quadrant of the chart. (To achieve X, the threat needs Y.)
  • Step 4: Identify all threat critical vulnerabilities—elements related to threat critical requirements developed in step 2 that appear exposed or susceptible (at risk)—and input in the bottom-left quadrant of the chart. (The threat cannot lose Z.)
  • Step 5: Analyze the chart to determine the windows of opportunity by identifying the common denominator (or entity) that encompasses those identified threat critical capabilities, requirements, and vulnerabilities and input in the top-left quadrant of the chart.
  • Step 6: Identify all listed critical factors that friendly forces can directly affect to identify potential targets or topics for further collection.

OUTSIDE-IN THINKING

6-26. The outside-in thinking technique assists analysts in identifying the broad range of factors, forces, and trends that may indirectly shape an issue—such as global, political, environmental, technological, economic, or social forces—outside their area of expertise, but that may profoundly affect the issue of concern. This technique is useful for encouraging analysts to think critically because they tend to think from inside out, focusing on factors most familiar in their specific area of responsibility.

6-27. Outside-in thinking reduces the risk of missing important variables early in the analysis process; it should be the standard process for any project that analyzes potential future outcomes. This technique works well for a group of analysts responsible for a range of functional and/or regional issues.

 

6-28. Method. The following outlines those steps of outside-in thinking (see figure 6-4):

  • Step 1: Identify the topic of study.
  • Step 2: Brainstorm all key factors (operational variables [PMESII-PT]) that could impact the topic.
  • Step 3: Employ the mission variables (METT-TC) to trigger new ideas.
  • Step 4: Focus on those key factors over which a commander can exert some influence.
  • Step 5: Assess how each of those factors could affect the analytic problem.
  • Step 6: Determine whether those factors can impact the issue based on the available evidence.

 

RED HAT/TEAM ANALYSIS

6-29. The red hat/team analysis technique facilitates analysts’ modeling of threat behavior by attempting to formulate ideas on how the threat would think about an issue. Red hat/team analysis is also a type of reframing technique performed by analysts attempting to solve an intelligence problem by using a different perspective. They attempt to perceive threats and opportunities as would the threat in order to categorize the threat. Categories include but are not limited to—

  • Command and control.
  • Movement and maneuver.

6-31. Method. The following outlines the steps to conduct red hat/team analysis:

  • Step 1: Identify the situation and ask how the threat would respond to the situation.
  • Step 2: Emphasize the need to avoid mirror imaging. Define the cultural and personal norms that would influence the threat’s behavior (use operational variables [PMESII-PT]/civil considerations [ASCOPE] and threat characteristics, threat doctrine, and threat intentions matrices as aids).
  • Step 3: Develop first-person questions that the threat would ask about the situation.
  • Step 4: Present results and describe alternative COAs the threat would pursue.

Note. Some publications differentiate between red hat analysis and red team analysis, while others describe them as being the same. When differentiated, red team analysis is categorized as a contrarian technique. For this publication, the two techniques are synonymous.

PART THREE
Intelligence Analysis Considerations

Chapter 7
Analytic Support to Army Forces and Operations

OVERVIEW

7-1. Although the intelligence analysis process does not change, the tasks performed by intelligence analysts differ significantly based on the echelon, the supported functional element, the Army strategic role, and the specific mission. As with many tasks, the most significant factor affecting analysis is time. Time includes both the amount of time to analyze a problem and the timeliness of the final analytical assessment to the decision maker.

ANALYSIS ACROSS THE ECHELONS

7-3. Intelligence analysts conduct analysis during combat operations to support Army forces at all echelons. The commander’s need for the continuous assessment of enemy forces focuses intelligence analysis. The analytical output of the intelligence warfighting function assists commanders in making sound and timely decisions. Analysts must understand at which points in an operation the commander needs specific PIRs answered in order to support upcoming decision points. This understanding assists analysts in creating a timeline for conducting analysis and identifying when information is no longer of value to the commander’s decision making.

7-4. Analytical elements at NGIC and at echelons above corps focus primarily on strategic- to operational-level analytic problems, analytical elements at the corps level focus on both tactical- and operational-level analytic problems, and analytical elements at echelons below corps focus on tactical-level analytic problems. The strategic, operational, and tactical levels of warfare assist commanders—informed by the conditions of their OEs—in visualizing a logical arrangement of forces, allocating resources, and assigning tasks based on a strategic purpose:

  • Strategic level of warfare is the level of warfare at which a nation, often as a member of a group of nations, determines national or multinational (alliance or coalition) strategic security objectives and guidance, then develops and uses national resources to achieve those objectives (JP 3-0). At the strategic level, leaders develop an idea or set of ideas for employing the instruments of national power (diplomatic, informational, military, and economic) in a synchronized and integrated fashion to achieve national objectives.
  • Operational level of warfare is the level of warfare at which campaigns and major operations are planned, conducted, and sustained to achieve strategic objectives within theaters or other operational areas (JP 3-0). The operational level links the tactical employment of forces to national and military strategic objectives, focusing on the design, planning, and execution of operations using operational art. (See ADP 3-0 for a discussion of operational art.)
  • Tactical level of warfare is the level of warfare at which battles and engagements are planned and executed to achieve military objectives assigned to tactical units or task forces (JP 3-0). The tactical level of warfare involves the employment and ordered arrangement of forces in relation to each other.

NATIONAL AND JOINT ANALYTIC SUPPORT

7-5. Intelligence analysis support to national organizations and the joint force focuses on threats, events, and other worldwide intelligence requirements.

THEATER ARMY

7-6. At the theater army level, intelligence analysis supports the combatant commander’s operational mission requirements by enabling the theater command to apply capabilities to shape and prevent potential threat action. Theater army-level analytical activities include but are not limited to—

  • Supporting theater campaign plans.
  • Developing expertise to analyze threat characteristics within a region.
  • Long-term analysis of a region and/or country that enables warning intelligence of imminent threat ground operations.
  • Detailed analysis of multi-domain specific requirements.
  • Serving as the Army’s interface to national and joint support for operational and tactical forces.

7-7. Analysts assigned to the theater army-level all-source intelligence cell can expect to work with other Services as well as other nations. Analytical assessment support to future operations focuses on threat activities, intent, and capabilities beyond 168 hours within a designated global region assigned to the combatant commander.

SUPPORT TO FUNCTIONAL ELEMENTS

7-12. The Army is committed to providing intelligence support across most unique functional elements. Although all of these elements perform IPB and collection management, the intelligence analysis requirements for these elements vary significantly based on the commander’s designated mission; therefore, when assigned, intelligence analysts must learn the mission-specific intelligence analysis requirements for their functional element.

ANALYSIS ACROSS THE ARMY’S STRATEGIC ROLES

7-13. Intelligence analysts must consider all intelligence requirements for operations to shape, prevent, prevail in large-scale ground combat, and consolidate gains.

  • SHAPE OPERATIONAL ENVIRONMENTS
  • PREVENT CONFLICT
  • PREVAIL IN LARGE-SCALE GROUND COMBAT
  • OFFENSIVE AND DEFENSIVE OPERATIONS IN LARGE-SCALE GROUND COMBAT
  • CONSOLIDATE GAINS
    • Consolidate Gains Through Stability Operations

7-23. A stability operation is an operation conducted outside the United States in coordination with other instruments of national power to establish or maintain a secure environment and provide essential governmental services, emergency infrastructure reconstruction, and humanitarian relief (ADP 3-0). In stability operations, success is measured differently from offensive and defensive operations. Time may be the ultimate arbiter of success: time to bring safety and security to an embattled populace; time to provide for the essential, immediate humanitarian needs of the people; time to restore basic public order and a semblance of normalcy to life; and time to rebuild the institutions of government and market economy that provide the foundations for enduring peace and stability. (See ADP 3-07 for information on stability operations.)

7-24. The main difference between stability operations and other decisive action is the focus and degree of analysis required for the civil aspects of the environment. Unlike major combat—an environment dominated by offensive and defensive operations directed against an enemy force—stability operations encompass various military missions, tasks, and activities that are not enemy-centric.

7-25. Constant awareness and shared understanding of civil considerations (ASCOPE) about the environment are crucial to long-term operational success in stability operations. Analysts should classify civil considerations into logical groups (tribal, political, religious, ethnic, and governmental). Intelligence analysis during operations that focus on the civil population requires a different mindset and different techniques than an effort that focuses on defeating an adversary militarily.

7-26. Some situations (particularly crisis-response operations) may require analysts to focus primarily on the effects of terrain and weather, as in the case of natural disasters, including potential human-caused catastrophes resulting from natural disasters.

Chapter 8
Analysis and Large-Scale Ground Combat Operations

OVERVIEW

8-1. In future operations, intelligence analysis considerations should include a combination of factors (or elements) that analysts must understand to support the commander. Multi-domain operation considerations differ by echelon. These considerations have their greatest impact on Army operations during large-scale ground combat.

8-2. Situation development enables commanders to see and understand the battlefield in enough time and detail to make sound tactical decisions. Situation development assists in locating and identifying threat forces; determining threat forces’ strength, capabilities, and significant activities; and predicting threat COAs. Situation development assists commanders in effectively employing available combat resources where and when decisive battles will be fought, preventing commanders from being surprised.

8-3. Commanders and staffs require timely, accurate, relevant, and predictive intelligence to successfully execute offensive and defensive operations in large-scale ground combat operations. The challenges of fighting for intelligence during large-scale ground operations emphasize a close interaction between the commander and staff, since the entire staff supports unit planning and preparation to achieve situational understanding against a peer threat.

Since each echelon has a different situational understanding of the overarching intelligence picture, the analytical focus differs from one echelon to another.

9-3. Long-term analytical assessments are produced using a deliberate and specific execution of the intelligence analysis process over a longer period of time that closely complies with the Intelligence Community Analytic Standards (to include the analytic tradecraft standards) established in ICD 203. This form of analysis includes the careful management of the overall effort, dedicating significant resources to the effort (for example, analysis is conducted by an analytic team), executing various iterations of analysis, and applying advanced structured analytic techniques within the effort.

THE BASICS OF ANALYTIC DESIGN

9-4. Managing long-term analytical assessments is accomplished by performing seven analytic design steps, as shown in figure 9-1 on page 9-2:

  • Step 1: Frame the question/issue.
  • Step 2: Review and assess knowledge.
  • Step 3: Review resources.
  • Step 4: Select the analytic approach/methodology and plan project.
  • Step 5: Develop knowledge.
  • Step 6: Perform analysis.
  • Step 7: Evaluate analysis.

FRAME THE QUESTION/ISSUE

9-5. Properly framing the question greatly increases the chance of successful long-term analysis. The analytic team starts with understanding the requestor’s requirement by identifying relevant topics and issues that break down into a primary question that can be analyzed. Framing the question includes refining and scoping the question to carefully capture the requestor’s expectations, mitigate bias, craft an objective analytic question, and develop subquestions. This step results in an initial draft of the primary intelligence question and is followed by reviewing and assessing existing knowledge.

REVIEW AND ASSESS KNOWLEDGE

9-6. Reviewing and assessing knowledge involves an overlap of the analytical effort with collection management. Step 2 includes reviewing available information and intelligence, the collection management plan, and results of on-going intelligence collection, as well as identifying information gaps.

REVIEW RESOURCES

9-7. After understanding what knowledge is available and identifying information gaps, the next step is reviewing available resources, such as tools, personnel, and time.

SELECT THE ANALYTIC APPROACH/METHODOLOGY AND PLAN PROJECT

9-8. Using the results of steps 1 through 3, the analytic team finalizes the primary intelligence question and subquestions, selects the analytic approach/methodology, and develops a project plan. The analytic approach/methodology includes the specific analytic techniques, who will perform each technique, and the sequence of those techniques to ensure analytic insight and mitigate bias.

DEVELOP KNOWLEDGE

9-9. Developing knowledge is the last step before performing analysis. Although discussed as a separate step in the process, developing knowledge occurs continually throughout the process. The analytic team gathers all relevant intelligence and information through ongoing collection, intelligence reach, and internal research.

PERFORM ANALYSIS

9-10. Steps 1 through 5 set the stage for the deliberate execution of analytic techniques, to include adjusting the project plan, if necessary, and assessing the analytical results using the context that was developed while framing the question/issue.

EVALUATE ANALYSIS

9-11. Evaluating analysis, the final step of the process, results in the final analytical results and associated information necessary to make a presentation to the requestor. Evaluating analysis includes assessing the analytical results and the impact of analytic gaps and unconfirmed assumptions, performing analysis of alternatives, and assigning a confidence level to the analytic answer.

COLLABORATION DURING ANALYTIC DESIGN

9-12. Collaboration is critical to long-term analytical assessments and occurs between different stakeholders across the intelligence community. This collaboration ensures a diversity of perspective and depth in expertise that is impossible through any other means. Four specific areas in which collaboration is invaluable are—

  • Bias mitigation: Analytic teams with diverse backgrounds and different perspectives can effectively identify and check assumptions, interpret new information, and determine the quality of various types of information.
  • Framing/Knowledge review: Analytic teams can engage early in the process to build context, craft analytic questions, share information sources, and develop analytical issues.
  • Methodology building: Analytic teams assess the credibility of the analytic approach and clarity of the argument through various means, including peer reviews.
  • Perform analysis: Analytic teams can perform various analytic techniques, identify hypotheses, and analyze alternatives as a group to improve the quality of the analytical effort.

TRANSITIONING FROM THE ANALYTIC DESIGN PROCESS TO PRESENTING THE RESULTS

9-13. Managing long-term analytical assessments includes not only presenting an analytic answer but also a confidence level to the answer and alternative hypotheses or explanations for gaps and uncertainty. During evaluate analysis, the last step of the process, the analytic team decides whether the question requires more analysis, and therefore, whether the assessment is exploratory or authoritative and ready to present to the requestor. If the results are ready for presentation, the analytic team deliberately prepares to present those results. Transitioning from long-term analysis to presenting the analytic answer includes stepping back from that analysis, reviewing the assessment, and clarifying the relevance of the analytical results. Then the analytic team determines—

  • What is the message: The message characterizes whether the assessment is authoritative or exploratory and includes the “bottom line” of the assessment. Additionally, the assessment includes any shifts in analysis that occurred over time, any impacts on the requestor (decisions and future focus areas), the confidence level, alternative hypotheses, and indicators.
  • What is the analytical argument: The analytic team develops an outline for logically progressing through the analytical assessment. An argument map is a useful tool to ensure a logical analytical flow during the presentation and to ensure the message is easily understood. The team may use basic interrogatives (who, what, when, where, why, and how) or a similar tool to capture the critical elements of the message to present to the requestor.
  • What are critical gaps and assumptions: Gaps and assumptions identified during the evaluate analysis step become limitations to the certainty of the analytical assessment, and, in some cases, drive future analytical efforts. The analytic team may insert gaps and assumptions within the message and clearly discuss the level of impact on the assessment (for example, in the source summary statement or in the “bottom line” statement).
  • What reasonable analytical alternatives remain: For authoritative assessments, answering the questions “what if I am wrong” and “what could change my assessment” provides analysis of alternatives that should be included in the assessment to explain what remains uncertain.
  • What product or products should be presented: Determine the best format for the presentation that facilitates the discussion of the argument. If it is exploratory analysis, the format should allow the analytic team to effectively describe the new understanding of the topic and its relevance to the requestor. The team should consider the following when choosing the format: requestor preference, specific tasking/requirement, complexity of the argument, urgency/time constraints, and potential interest of others.

 

CROSSWALKING ANALYTIC DESIGN WITH TACTICAL INTELLIGENCE ANALYSIS

9-14. Tactical intelligence analysis and analytic design have similarities but also differ in a number of ways. Tactical operations are often chaotic and time-constrained, and therefore, driven by specific commander-centric requirements (for example, PIRs and targeting requirements). The commander and staff plan and control operations by employing several standard Army planning methodologies, including but not limited to the Army design methodology, the MDMP, and Army problem solving.

Analytic design to tactical intelligence analysis crosswalk

Step 1: Frame the question/issue

Step 2: Review and assess knowledge

Step 3: Review resources

Step 4: Select analytic approach/methodology and plan project

Step 5: Develop knowledge

Step 6: Perform analysis

Step 7: Evaluate analysis

 

Appendix A

Automation Support to Intelligence Analysis

AUTOMATION ENABLERS

A-1. Many different automation and communications systems are vital to intelligence analysis; they facilitate real-time collaboration, detailed operational planning, and support to collection management. Software updates and emerging technologies continue to improve current intelligence analysis systems to operate more effectively in garrison and in deployed environments.

A-2. Automation processing capabilities and tools readily available on today’s computers enable the intelligence analysis process. The software or related programs in current automation systems allow intelligence analysts to screen and analyze significantly more data than in previous years. The development of analytical queries, data management tools, and production and dissemination software enhances the intelligence analysis process, facilitating the commander’s situational understanding and timely decision making across all echelons.

A-3. Automation is crucial to intelligence analysis; there are four aspects for analysts to consider:

  • Automation is a key enabler to the processing and fusion of compatible information and intelligence, but the individual analyst remains essential in the validation of any assessment.
  • The analyst must still be heavily involved in building specific queries, analyzing the final assessment, and releasing intelligence.
  • Automation relies on the cyberspace domain, which requires extensive defensive actions to ensure data is not corrupted from collection to dissemination. Deception and corruption within the cyberspace domain are likely occurrences; therefore, they require monitoring by both cyberspace experts and intelligence analysts.
  • Automation relies on available communications to receive, assess, and disseminate information across the command at all echelons. During periods of disrupted or degraded communications, the intelligence analyst must understand and may have to execute intelligence analysis without the aid of automation.

 

DISTRIBUTED COMMON GROUND SYSTEM-ARMY

A-4. All communications, collaboration, and intelligence analysis within the intelligence warfighting function are facilitated by the DCGS-A—the intelligence element of Army command and control systems and an Army program of record.

The following highlights some of the most significant tools across the phases of the intelligence analysis process:

Screen:

  • Axis Pro/Link Diagram is a software product used for data analysis and investigations that assists in mapping and understanding threat networks comprising threat equipment, units, facilities, personnel, activities, and events.
  • Threat Characteristics Workstation provides tools to develop and manage threat characteristics, track battle damage assessments (BDAs), and create doctrinal and dynamic situation templates. The workstation also allows analysts to create graphic and written comparisons of threat capabilities and vulnerabilities, which are included in the intelligence estimate.
  • MovINT Client provides an integrated, temporal view of the battlefield, and aggregates air- and ground-force locations, moving target intelligence, aircraft videos, sensor points of interest, and target locations.

Analyze:

  • SOCET GXP (also known as Softcopy Exploitation Toolkit Geospatial Exploitation Product), an advanced geospatial intelligence software solution, uses imagery from satellite and aerial sources to identify, analyze, and extract ground features, allowing for rapid product creation.
  • Terra Builder/Explorer provides professional-grade tools for manipulating and merging imagery and elevation data of different sizes and resolutions into a geographically accurate terrain database. It also allows analysts to view, query, analyze, edit, present, and publish geospatial data.
  • Text Extraction allows analysts to quickly extract information from reports, associate elements with relationships, and identify existing matches in the database.
  • ArcGIS (also known as Arc Geographic Information System) allows analysts to visualize, edit, and analyze geographic data in both two- and three-dimensional images and has several options for sharing with others.

Integrate:

  • Multifunction workstation interface, a customizable interface that streamlines workflow, supports the commander’s operations by providing accurate and timely intelligence and analysis to support Army forces.
  • ArcGIS. (See description under Analyze.)
  • Google Earth, a geo-browser that accesses satellite and aerial imagery, ocean bathymetry, and other geographic data of a network, represents the Earth as a three-dimensional globe.

Produce:

  • Office 2013 is a suite of productivity applications that includes Microsoft Word, Excel, PowerPoint, Outlook, OneNote, Publisher, Access, InfoPath, and Lync.
  • Multifunction workstation interface. (See description under Integrate.)
  • i2 Analyst Notebook is a software product used for data analysis and investigation. It is part of the Human Terrain System, an Army program that embeds social scientists with combat brigades.

A-5. DCGS-A, like any automation system, is subject to software updates, including changes to the current hardware as well as lifecycle replacements. As such, future versions may include greater analytical cross discipline and domain collaboration and improved interoperability with command and control systems and knowledge management components.

Appendix B
Cognitive Considerations for Intelligence Analysts

OVERVIEW

Analytic skills are the ability to collect, visualize, and examine information in detail to make accurate analytical conclusions. Analytic skills enable Army Soldiers to complete simple and complex tasks; they enable intelligence analysts to use deliberate thought processes to examine a situation critically and without bias.

THE INTELLIGENCE ANALYST

Intelligence analysis support to any operation involves separating useful information from misleading information, using experience and reasoning, and reaching an assessment or conclusion based on fact and/or sound judgment. The conclusion is based on the intelligence analyst’s—

  • Experience, skill, knowledge, and understanding of the operation.
  • Knowledge of the various intelligence disciplines.
  • Knowledge of information collection.
  • Understanding of the threats within an OE.
  • In-depth understanding of the threat’s military and political structure.

The intelligence personnel conducting the analysis of information and intelligence use basic to advanced tradecraft skills and tools and integrated automated programs to sort raw forms of data and information and apply research skills to formulate an assessment. Analysts are responsible for the timely dissemination and/or presentation (proper writing and presentation techniques) of known facts and assumptions regarding the OE to the commander and staff. There are established tradecraft standards that direct the individual or group of analysts to ensure the analysis meets a common ethic to achieve analytical excellence.

Intelligence analysts follow guidelines, such as the ICD 203 Intelligence Community Analytic Standards, that promote a common ethic for achieving analytical rigor and excellence and personal integrity in analytical practices. (See appendix C.) Additionally, they must build their foundational understandings and integrate their learned skills—critical thinking and embracing ambiguity. Intelligence analysts must be willing to change their determinations over time. Training, knowledge, and experience further develop analysts’ expertise, as these aspects are essential in helping analysts deal with the uncertain and complex environments.

The OE is complex, and the threat attempts to hide its objectives, intent, and capabilities when possible. Therefore, intelligence analysts embrace ambiguity, recognize and mitigate their own or others’ biases, challenge their assumptions, and continually learn during analysis. To assist in mitigating some of the uncertainty associated with conducting intelligence analysis, analysts should increase their proficiency in using analytic techniques and tools, including automated analytic tools and systems, to identify gaps in their understanding of the OE. Furthermore, to be effective, intelligence analysts must have a thorough understanding of their commanders’ requirements and the intelligence analysis process (see chapter 2), which directly contributes to satisfying those requirements.

BASIC THINKING ABILITIES

Army intelligence personnel are required to use basic thinking abilities and complex skills to analyze information. These skills relate to an analyst’s ability to think. Intelligence analysis focuses primarily on thinking. Intelligence analysts must continually strive to improve the quality of their thinking to support the commander’s requirements. The three basic thinking abilities for intelligence analysis are:

  • Information ordering.
  • Pattern recognition.
  • Reasoning.

INFORMATION ORDERING

Information ordering is the ability to follow previously defined rules or sets of rules to arrange data in a meaningful order. In the context of intelligence analysis, this ability allows analysts, often with technology’s assistance, to arrange information in ways that permit analysis, synthesis, and a higher level of understanding. The arrangement of information according to certain learned rules leads analysts to make conclusions and disseminate the information as intelligence. However, such ordering can be inherently limiting—analysts may not seek alternative explanations because the known rules lead to an easy conclusion.

PATTERN RECOGNITION

Humans detect and impose patterns on apparently random entities and events in order to understand them, often doing this without awareness. Intelligence analysts impose or detect patterns to identify relationships, and often to infer what they will do in the future. Pattern recognition lets analysts separate the important from the less important, even the trivial, and conceptualize a degree of order out of apparent chaos. However, imposing or seeking patterns can introduce bias. Analysts may impose culturally defined patterns on random aggregates rather than recognize inherent patterns, thereby misinterpreting events or situations.

REASONING

Reasoning is what allows humans to process information and formulate explanations in order to assign meaning to observed actions and events. The quality of any type of reasoning is based on how well analysts’ analytic skills have been developed, which occurs through practice and application. Improving analytic skills occurs by implementing individual courses of study and organizational training strategies.

There are four types of reasoning that guide analysts in transforming information into intelligence:

  • Deductive reasoning is using given factual information or data to infer other facts through logical thinking. It rearranges only the given information or data into new statements or truths; it does not provide new information. Therefore, deductive reasoning is, “If this is true, then this is also true.”
  • Inductive reasoning is looking at given factual information or data for a pattern or trend and inferring the trend will continue. Although there is no certainty the trend will continue, the assumption is it will. Therefore, inductive reasoning is, “Based on this trend, this is probably true.”
  • Abductive reasoning is similar to inductive reasoning since conclusions are based on probabilities or “guessing.” Therefore, abductive reasoning is, “Because this is probably true, then this may also be true.”
  • Analogical reasoning is a method of processing information that relies on an analogy to compare the similarities between two specific entities; those similarities are then used to draw a conclusion—the more similarities between the entities, the stronger the argument.

Note. Of the four types of reasoning, only deductive reasoning results in a conclusion that is always true. However, during the conduct of intelligence analysis, this statement can be misleading. During operations, there are few situations in which both a rule is always true and there is adequate collection on the threat to apply deductive reasoning with certainty.

Even in the best of circumstances, inductive, abductive, and analogical reasonings cannot produce conclusions that are certain. All of the types of reasoning rely on accurate information, clear thinking, and freedom from personal bias and group thinking.

CRITICAL AND CREATIVE THINKING

Combining good analytic techniques with an understanding of the requirements, area knowledge, and experience is the best way of providing accurate, meaningful assessments to commanders and leaders. However, subject matter expertise alone does not guarantee the development of logical or accurate conclusions. Intelligence analysts apply critical thinking skills to provide more holistic, logical, ethical, and unbiased analysis and conclusions. Critical thinking ensures analysts fully account for the elements of thought, the intellectual standards of thought, and the traits of a critical thinker.

Critical thinking is a deliberate process of analyzing and evaluating thought with a view to improve it. The elements of thought (the parts of a person’s thinking) and the standards of thought (the quality of a person’s thinking) support critical thinking. Key critical thinking attributes include human traits such as intellectual courage, integrity, and humility. Creative thinking involves creating something new or original.

Analysts use thinking to transform information into intelligence. Critical thinking can improve many tasks and processes across Army operations, especially the conduct of intelligence analysis. Critical thinking includes the intellectually disciplined activity of actively and skillfully analyzing and synthesizing information. The key distinction in critical thinking is a reflective and self-disciplined approach to thinking.

For the analyst, the first step in building critical thinking skills is to begin a course of personal study and practice with a goal of improving the ability to reason. This means moving outside the Army body of doctrine and other Army professional writing when beginning this study. Most of the body of thought concerning critical thinking extends throughout various civilian professions, particularly those in academia.

ELEMENTS OF THOUGHT

Whenever people think, they think for a purpose within a point of view based on assumptions leading to implications and consequences. People use concepts, ideas, and theories to interpret data, facts, and experiences in order to answer questions, solve problems, and resolve issues. These eight elements of thought assist in describing how critical thinking works:

Element 1—Purpose. All thinking has a purpose. Critical thinkers will state the purpose clearly. Being able to distinguish the purpose from other related purposes is an important skill that critical thinkers possess. Checking periodically to ensure staying on target with the purpose is also important.

Element 2—Question at issue. All thinking is an attempt to figure something out, to settle some question, or to solve some problem. A critical thinker can state questions clearly and precisely, express the questions in several ways to clarify their meaning and scope, and break the questions into subquestions.

Element 3—Information. All thinking is based on data, information, and evidence. Critical thinkers should support their conclusions with relevant information and be open to actively searching for information that supports and contradicts a position. All information should be accurate, clear, and relevant to the situation being analyzed.

Element 4—Interpretation and inference. All thinking contains interpretations and inferences by which to draw conclusions and give meaning to data. Critical thinkers should be careful to infer only what the evidence implies and to crosscheck inferences with each other. They should clearly identify the assumptions and concepts that led to the inferences, as well as consider alternative inferences or conclusions. Developing and communicating well-reasoned inferences represent the most important parts of what intelligence analysts provide because they aid situational understanding and decision making.

Element 5—Concepts. All thinking is expressed through, and shaped by, concepts. A concept is a generalized idea of a thing or a class of things. People do not always share the same concept of a thing. For example, the concept of happiness means something different to each individual because happiness comes in many different forms. For a star athlete, happiness may be winning; for a mother, happiness may be seeing her children do well. To ensure effective communications, critical thinkers identify the meaning they ascribe to the key concepts used in their arguments and determine if others in their group ascribe different meanings to those concepts.

Element 6—Assumptions. All thinking is based, in part, on assumptions. In this context, an assumption is a proposition accepted to be true without the availability of fact to support it. Assumptions are layered throughout a person’s thinking and are a necessary part of critical thinking. The availability of fact determines the amount of assumption an analyst must use in analysis. Critical thinkers clearly identify their assumptions and work to determine if they are justifiable.

Element 7—Implications and consequences. All thinking leads somewhere or has implications and consequences. Analysts should take the time to think through the implications and consequences that follow from their reasoning. They should search for negative as well as positive implications.

Element 8—Point of view. All thinking is performed from some point of view. To think critically, analysts must recognize a point of view, seek other points of view, and look at them fair-mindedly for their strengths and vulnerabilities.

By applying the eight elements of thought, analysts can develop a checklist for reasoning. Developing and using a checklist, as shown in table B-1, can help analysts focus their efforts to a specific problem and avoid wasting time on irrelevant issues or distractions.

AVOIDING ANALYTICAL PITFALLS

Critical thinking is a mental process that is subject to numerous influences. Intelligence analysts involved in analyzing complex situations and making conclusions are prone to the influences that shape and mold their view of the world and their ability to reason. These influences are referred to as analytical pitfalls. The elements of thought, intelligence standards, and intellectual traits assist analysts in recognizing these pitfalls in their analysis and the analysis performed by others. Logic fallacies and biases are two general categories of analytical pitfalls.

Fallacies of Omission

Fallacies of omission occur when an analyst leaves out necessary material in a conclusion or inference. Some fallacies of omission include oversimplification, composition, division, post hoc, false dilemma, hasty generalization, and special pleading:

Oversimplification is a generality that fails to adequately account for all the complex conditions bearing on a problem. Oversimplification results when one or more of the complex conditions pertaining to a certain situation is omitted and includes ignoring facts, using generalities, and/or applying an inadequately qualified generalization to a specific case.

Fallacy of composition is committed when a conclusion is drawn about a whole based on the features of parts of that whole when, in fact, no justification is provided for that conclusion.

Fallacy of division is committed when a person infers that what is true of a whole must also be true of the parts of that whole.

False dilemma (also known as black-and-white thinking) is a fallacy in which a person omits consideration of more than two alternatives when in fact there are more than two alternatives.

Hasty generalizations are conclusions drawn from samples that are too few or from samples that are not truly representative of the population.

Fallacies of Assumption

Fallacies of assumption implicitly or explicitly involve assumptions that may or may not be true. Some fallacies of assumption include begging the question, stating hypotheses contrary to fact, and misusing analogies:

    • Begging the question (also known as circular reasoning) is a fallacy in which the conclusion occurs as one of the premises.
      • It is an attempt to support a statement by simply repeating the statement in different and stronger terms. For example, a particular group wants democracy. America is a democratic nation. Therefore, that group will accept American-style democracy.
      • When asked why the enemy was not pinned down by fire, the platoon leader replied, “Our suppressive fire was inadequate.” The fallacy in this response is that by definition suppressive fire pins down the enemy or is intended to pin him down. Since the platoon failed to pin down the enemy, the inadequacy of this fire was self-evident.
    • Stating hypotheses contrary to fact occurs when someone states decisively what would have happened had circumstances been different. Such fallacies involve assumptions that are either faulty or simply cannot be proven. For example, the statement, “If we had not supported Castro in his revolutionary days, Cuba would be democratic today” is contrary to fact. Besides being a gross oversimplification, the assumption made in the statement cannot be verified.
    • Misusing analogies occurs when one generalizes indiscriminately from analogy to the real world. One method for weakening an analogous argument is by citing a counter-analogy. Analogies are strong tools that can impart understanding in a complex issue. In the absence of other evidence, intelligence analysts may reason from analogy. Such reasoning assumes that the characteristics and circumstances of the object or event being looked at are similar to the object or event in the analogy.

The strength of a conclusion drawn from similar situations is proportional to the degree of similarity between the situations. The danger in reasoning from analogy is assuming that because objects, events, or situations are alike in certain aspects, they are alike in all aspects. Conclusions drawn from analogies are inappropriately used when they are accepted as evidence of proof. Situations may often be similar in certain aspects, but not in others. A counter-analogy weakens the original analogy by citing other comparisons that can be made on the same basis.

BIASES

A subjective viewpoint, bias indicates a preconceived notion about someone or something. Biases generally have a detrimental impact on intelligence analysis because they obscure the true nature of the information. Intelligence analysts must be able to recognize cultural, organizational, personal, and cognitive biases and be aware of the potential influence they can have on judgment.

Cultural Bias

Americans see the world in a certain way. The inability to see things through the eyes of someone from another country or culture is cultural bias. Biases interfere with the analyst’s ability to think the way a threat commander might think or to give policymakers informed advice on the likely reaction of foreign governments to U.S. policy. Also known as mirror imaging, cultural bias attributes someone else’s intentions, actions, or reactions to the same kind of logic, cultural values, and thought processes as the individual analyzing the situation. Although cultural bias is difficult to avoid, the following measures can lessen its impact:

Locate individuals who understand the culture:

  • Include them in the intelligence analysis process.
  • Ask their opinion about likely responses to friendly actions.
  • Take care when using their opinions since they may be subject to biases regarding ethnic groups or cultures in the region and their knowledge may be dated or inaccurate.

Locate regional experts, such as foreign and regional area officers, who have lived or traveled through the area and are somewhat conversant regarding the culture. Assess the quality of the information provided against the level of knowledge and experience the individual has for that culture or region.

Organizational Bias

Most organizations have specific policy goals or preconceived ideas. Analysis conducted within these organizations may not be as objective as the same type of analysis done outside the organization. Groupthink and best case are organizational biases that can significantly skew internal analysis.

Groupthink. This bias occurs when a judgment is unconsciously altered because of exposure to selective information and common viewpoints held among individuals. Involving people outside the organization in the analysis can help identify and correct this bias.

Best case. This bias occurs when an analyst presents good news or bad news in the most optimistic light. The judgment is deliberately altered to provide only the information the commander wants to hear. Analysts can avoid this bias by having the moral courage to tell the commander the whole story, good and bad.

 

Cognitive Bias

The intelligence analyst evaluates information from a variety of sources. The degree of reliability, completeness, and consistency varies from source to source and even from report to report. This variance often creates doubt about the reliability of some sources. Cognitive biases that affect the analyst are—

Vividness. Clear and concise or vivid information has a greater impact on analytical thinking than abstract and vague information. A clear piece of information is held in higher regard than a vague piece of information that may be more accurate. Analysts must consider that an enemy may use deception to portray vivid facts, situations, and capabilities that they want the friendly intelligence effort to believe.

Absence of evidence. Lack of information is the analyst’s most common problem, especially in the tactical environment. Analysts must do their best with limited information and avoid holding back intelligence because it is inconclusive. To avoid this bias, the analyst should—

  • Realize that information will be missing.
  • Identify areas where information is lacking and consider alternative conclusions.
  • Adapt or adjust judgments as more information becomes available.
  • Consider whether a lack of information is normal in those areas or whether the absence of information itself is an indicator.

Oversensitivity to consistency. Consistent evidence is a major factor for confidence in the analyst’s judgment. Information may be consistent because it is appropriate, or it may be consistent because it is redundant, is from a small or biased sample, or is the result of the enemy’s deception efforts. When making judgments based on consistent evidence, the analyst must—

  • Be receptive to information that comes in from other sources regardless of whether it supports the hypothesis or not.
  • Be alert for circular reporting, which is intelligence already obtained by the unit that is then reformatted by other units and intelligence organizations, modified slightly, and disseminated back to the unit. This is a common problem, particularly in digital units, where large volumes of information are being processed. It helps to know, to the degree possible, the original source for all intelligence to ensure that a circular report is not used as evidence to confirm an intelligence estimate or conclusion.

Persistence on impressions. When evidence is received, there is a tendency to think of connections that explain the evidence. Impressions are based on these connections. Although the evidence eventually may be discredited, the connection remains and so do the impressions.

Dependency on memory. The ability to recall past events influences judgment concerning future events. Since memory is more readily available, it is easy to rely on memory instead of seeking new information to support analysis.

Acceptance of new intelligence. Often new intelligence is viewed subjectively, valued as having either more or less value than current intelligence.

Appendix C
Analytic Standards and Analysis Validation

INTELLIGENCE COMMUNITY ANALYTIC STANDARDS

C-1. During intelligence analysis, the conclusions reached should also adhere to analytic standards, such as those established by the Director of National Intelligence in ICD 203. This directive establishes the analytic standards that govern the production and evaluation of national intelligence analysis to meet the highest standards of integrity and rigorous analytic thinking.

The following identify and describe the five ICD 203 Intelligence Community Analytic Standards, including the nine analytic tradecraft standards:

  • Objective: Analysts must perform their functions with objectivity and awareness of their own assumptions and reasoning. They must employ reasoning techniques and practical mechanisms that reveal and mitigate bias. Analysts should be alert to the influences of existing analytical positions or judgments and must consider alternative perspectives and contrary information. Analysis should not be unduly constrained by previous judgments when new developments indicate a modification is necessary.
  • Independent of political consideration: Analytical assessments must not be distorted by, nor shaped for, advocacy of a particular audience, agenda, or policy viewpoint. Analytical judgments must not be influenced by the force of preference for a particular policy.
  • Timely: Analysis must be disseminated in time for it to be actionable. Analytical elements must be continually aware of events of intelligence interest and of intelligence requirements and priorities in order to provide useful analysis at the right time.
  • Based on all available sources of intelligence information: Analysis should be informed by all relevant information available. Analytical elements should identify and address critical information gaps and work with collection managers and data providers to develop access and collection strategies.
  • Implement and exhibit the analytic tradecraft standards: See paragraphs C-3 through C-14.

ANALYSIS VALIDATION

C-2. Intelligence analysis and the resultant judgments are incomplete without the estimative language that provides both the probability that an event will occur and the confidence level of the analyst making this assessment. Analysts employ the analytic tradecraft standards to assess probabilities and confidence levels and the actions associated with analytical rigor to draw accurate conclusions.

ANALYTIC TRADECRAFT STANDARDS

C-3. Intelligence analysts exhibit and implement the nine analytic tradecraft standards, one of the five ICD 203 Intelligence Community Analytic Standards. Specifically, they—

  • Properly describe the quality and credibility of all underlying sources, information, and methodologies.
  • Properly express and explain uncertainties associated with major analytical judgments.
  • Properly distinguish between underlying intelligence information and analysts’ assumptions and judgments.
  • Incorporate analysis of alternatives.
  • Demonstrate customer relevance and address implications.
  • Use clear and logical argumentation.
  • Explain change to or consistency of analytical judgments.
  • Make accurate judgments and assessments.
  • Incorporate effective visual information where appropriate.

Properly Describe the Quality and Credibility of All Underlying Sources, Information, and Methodologies

C-4. Analytical products should include all underlying sources, information, and methodologies from which analytical judgments are based. Factors affecting source quality and credibility should be described using source descriptors in accordance with ICD 206, Sourcing Requirements for Disseminated Analytic Products. Such factors can include accuracy and completeness, possible denial and deception, age and continued currency of information, and technical elements of collection, as well as source access, validation, motivation, possible bias, or expertise. Source summary statements, described in ICD 206, should be used to provide a holistic assessment of the strengths or vulnerabilities in the source base and explain which sources are most important to key analytical judgments.

Properly Express and Explain Uncertainties Associated with Major Analytical Judgments

C-5. Analysts must properly express and explain uncertainties associated with any major analytical judgment. When briefing their analytical results, analysts, at a basic level, must be able to assess the likelihood of an event happening, expressed by using estimative language. Then, they must express their confidence level—high, moderate, or low—in that assessment. (See figure C-1.) For intelligence analysts to reach a high level of confidence in the accuracy of their analytical assessment, they must apply the actions of high analytical rigor found in table C-1 on page C-5.

Assessing the Likelihood of an Event Happening

C-6. Phrases such as we judge, we assess, and we estimate, commonly used to convey analytical assessments and judgments, are not facts, proofs, or knowledge. Intelligence analysts use estimative language, shown in figure C-1, to convey their assessment of the probability or likelihood of an event and the level of confidence ascribed to the judgment.

Expressing Confidence in Assessments

C-7. Confidence levels express the strength of the assessment given the reasoning, methodologies, gaps, and assumptions; the number, quality, and diversity of sources; and the potential for deception.

Properly Distinguish Between Underlying Intelligence Information and Analysts’ Assumptions and Judgments

C-8. Analytical products should clearly distinguish statements that convey underlying intelligence information used in analysis from statements that convey assumptions or judgments. Assumptions are suppositions used to frame or support an argument; assumptions affect analytical interpretation of underlying intelligence information. Judgments are conclusions based on underlying intelligence information, analysis, and assumptions. Products should state assumptions explicitly when they serve as the linchpin of an argument or when they bridge key information gaps. Products should explain the implications for judgments if assumptions prove to be incorrect. As appropriate, products should also identify indicators that, if detected, would alter judgments.

Incorporate Analysis of Alternatives

C-9. Analysis of alternatives is the systematic evaluation of differing hypotheses to explain events or phenomena, explore near-term outcomes, and imagine possible futures to mitigate surprise and risk. Analytical products should identify and assess plausible alternative hypotheses. This is particularly important when major judgments must contend with significant uncertainties, or complexity, such as forecasting future trends, or when low probability events could produce high-impact results. In discussing alternatives, products should address factors such as associated assumptions, likelihood, or implications related to Army forces. Products should also identify indicators that, if detected, would affect the likelihood of identified alternatives.

Demonstrate Relevance and Address Implications

C-10. Analytical products should provide information and insight on issues relevant to the commanders and address the implications of the information and analysis they provide. Products should add value by addressing prospects, context, threats, or factors affecting opportunities for action.

Use Clear and Logical Argumentation

C-11. Analytical products should present a clear main analytical conclusion up front. Products containing multiple judgments should have a main analytical conclusion that is drawn collectively from those judgments. All analytical judgments should be effectively supported by relevant intelligence information and coherent reasoning. Products should be internally consistent and acknowledge significant supporting and contrary information affecting judgments.

Explain Change To or Consistency Of Analytical Judgments

C-12. Analysts should state how their major judgments on a topic are consistent with or represent a change from those in previously published analysis or represent initial coverage of a topic. Products need not be lengthy or detailed in explaining change or consistency. They should avoid using reused or unoriginal language and should make clear how new information or different reasoning led to the judgments expressed in them. Recurrent products should note any changes in judgments; absent changes, recurrent products need not confirm consistency with previous editions. Significant differences in analytical judgment, such as between two intelligence community analytical elements, should be fully considered and brought to the attention of customers.

Make Accurate Judgments and Assessments

C-13. Analytical products should apply expertise and logic to make the most accurate judgments and assessments possible, based on the information available and known information gaps. In doing so, analytical products should present all judgments that would be useful to commanders and should include difficult judgments in order to minimize the risk of being wrong. Inherent to the concept of accuracy is that the analytical conclusion that the analyst presents to the commander should be the one the analyst intended to send. Therefore, analytical products should express judgments as clearly and precisely as possible, reducing ambiguity by addressing the likelihood, timing, and nature of the outcome or development.

Incorporate Effective Visual Presentations When Feasible

C-14. Analysts should present intelligence in a visual format to clarify an analytical conclusion and to complement or enhance the presentation of intelligence and analysis. In particular, visual presentations should be used when information or concepts, such as spatial or temporal relationships, can be conveyed better in graphic form, such as tables, flow charts, and images coupled with written text. Visual presentations may range from a plain display of intelligence information to interactive displays for complex issues and analytical concepts. Visual presentations should always be clear and pertinent to the product’s subject. Analytical content in a visual format should also adhere to other analytic tradecraft standards.

ANALYTICAL RIGOR

C-15. Analytical rigor is the application of precise and exacting standards to better understand and draw conclusions based on careful consideration or investigation. There are eight primary action-metrics that lead to analytical rigor. When analysts combine these action-metrics with the intelligence analysis process, they can determine the analytical sufficiency of their conclusions.

Consider alternative hypotheses: Hypothesis exploration describes the extent to which multiple hypotheses were considered in explaining data.

Evaluate depth of research: Information search relates to the depth and breadth of the search process used in collecting data.

Validate information accuracy: Information validation details the levels at which information sources are corroborated and cross-validated.

Examine source bias: Stance analysis is the evaluation of data with the goal of identifying the stance or perspective of the source and placing it into a broader context of understanding.

Scrutinize strength of analysis: Sensitivity analysis considers the extent to which the analyst considers and understands the assumptions and limitations of their analysis.

Amalgamate information: Information synthesis refers to how far beyond simply collecting and listing data an analyst went in their process.

Incorporate expert input: Specialist collaboration describes the degree to which an analyst incorporates the perspectives of domain experts into their assessments.

Assess breadth of collaboration: Explanation critique is a different form of collaboration that captures how many different perspectives were incorporated in examining the primary hypotheses.

Appendix E

Intelligence Production

E-1. The fundamental requirement of intelligence analysis is providing timely, accurate, reliable, and predictive intelligence assessments about the threat and OE to the commander and staff. Therefore, intelligence production requires the dissemination of reports and presentations to support operations. These reports involve various updates to IPB and collection management templates and matrices.

INTELLIGENCE PRODUCTS

E-2. The intelligence products described in this appendix are organized based on the following:

  • Threat and OE Analysis reports.
  • Current intelligence reports.
  • Supplemental analytical reports.
  • Analytical assessments that support orders and briefings.

THREAT AND OPERATIONAL ENVIRONMENT ANALYSIS REPORTS

E-3. The intelligence estimate, intelligence running estimate, and Annex B (Intelligence) to the operation order (OPORD) each maintain an analytical assessment of threat forces’ strengths, vulnerabilities, tactics, composition, disposition, training, equipment, and personnel, as well as other OE considerations before, during, and after operations (revision of the original estimate).

Intelligence Estimate

E-5. An intelligence estimate is the appraisal, expressed in writing or orally, of available intelligence relating to a specific situation or condition with a view of determining the courses of action open to the enemy or adversary and the order of probability of their adoption (JP 2-0). Since intelligence analysts will have performed IPB to support the commander’s MDMP effort and likely participated in a thorough staff war-gaming effort to validate friendly and threat COAs, the intelligence estimate is a version of the staff planning effort and part of the larger OPORD.

E-6. The intelligence staff develops and maintains the intelligence estimate to disseminate information and intelligence that define the threat COA along with the requirements to determine the adoption of a COA. The assessments in the intelligence estimate of COA development, including threat strengths, compositions, dispositions, and vulnerabilities, form the basis for future intelligence analytical requirements.

Intelligence Running Estimate

E-7. Effective plans and successful execution hinge on accurate and current running estimates. A running estimate is the continuous assessment of the current situation used to determine if the current operation is proceeding according to the commander’s intent and if the planned future operations are supportable (ADP 5-0). Failure to maintain accurate running estimates may lead to errors or omissions that result in flawed plans or bad decisions during execution. Each staff element is responsible for updating its portion of the running estimate as the operation unfolds.

E-8. The intelligence running estimate enables the intelligence operational officer/noncommissioned officer to continually update the commander on the mission execution from the intelligence perspective. Unlike other intelligence products, the intelligence running estimate combines both the analysis of friendly and allied forces’ intelligence activities to support current operations.

E-9. Figure E-3 illustrates an example intelligence running estimate. The analysis focuses on current threat activities, strengths, and assessed intent/objectives to provide the commander and associated reporting requirements with a consistent summary of the threat. As the operation progresses, the collaborative effort may involve further analysis of the terrain and weather, monitoring the flow of displaced persons on the battlefield as inhibitors to friendly force maneuverability, and, when necessary, additional security requirements.

CURRENT INTELLIGENCE REPORTS

E-10. Current intelligence reports address the current reporting of threat activities on the battlefield. The goal is to provide the commander with predictive analysis of the threat’s intentions for future operations based on what conditions occurred by either threat or friendly actions during the past reporting period. This requires extensive intelligence analytical rigor in assessing threat activities and vigilance to the friendly scheme of maneuver.

Intelligence Summary

E-11. The intelligence summary (also known as INTSUM) is a periodic publication of the G-2/S-2 assessment of the threat situation on the battlefield. It provides the commander with context to support decision making based on the G-2/S-2’s interpretation and conclusions about the threat, terrain and weather, and civil considerations over a designated period of time. This is typically identified in unit SOPs and in associated OPORD reporting instructions. The intelligence summary also provides COA updates based on the current situation. Unit SOPs designate the command’s format for preparing and disseminating an intelligence summary. At a minimum, the intelligence summary should contain the paragraphs and subparagraphs as shown in figure E-4.

Graphic Intelligence Summary

E-12. The graphic intelligence summary (also known as GRINTSUM) can be included with the intelligence summary or disseminated as a separate analytical report. It is a graphical representation of the intelligence summary, with emphasis on the threat forces’ location compared to friendly forces’ location. The graphic intelligence summary also includes current PIRs and a summary of threat activities. (See figure E-5 on page E-8.) Since the emphasis of a graphic intelligence summary is graphical, most of the written details should be captured in the intelligence summary or an accompanying report.

E-13. There are challenges with using the graphic intelligence summary:

  • The size of the graphical portrayal of the OE is often driven by critical facts about the threat that must be shown. Therefore, it is advisable to begin with a general OE map and zoom in on key areas. Ensure the written assessment includes the necessary details by either referencing the accompanying intelligence summary or other report or including the details in the Notes page of a PowerPoint slide.
  • The file size must follow the commander’s guidance or unit SOPs. Typically, the graphic intelligence summary is one or two graphics (PowerPoint slides) and limited in bit size for ease in emailing and posting on unit web portals.

Intelligence Report

E-14. The intelligence report (also known as INTREP) demonstrates the importance of intelligence analysis. It is a standardized report, typically one page, used to establish a near current-threat operational standpoint. It points to the threat’s responses to friendly actions and the battlefield environment. Intelligence reports may also highlight time-sensitive critical activities that require corroboration with other units and higher echelons.

SUPPLEMENTAL ANALYTICAL REPORTS

E-15. Supplemental analytical reports, such as the periodic intelligence and supplementary intelligence reports, do not fall into a predetermined dissemination timeline. Periodic intelligence reports and supplementary intelligence reports follow a similar format, designated by a senior operational intelligence officer and staff. These reports allow for expanded analytical efforts, providing assessments of a technical or historical comparative nature. However, once the analysis begins to shape an assessment of threat intentions or capabilities, the urgency for releasing these analytical reports may increase.

Periodic Intelligence Report

E-16. The periodic intelligence report (also known as PERINTREP) is a summary of the intelligence situation that covers a longer period than the intelligence summary. (See figure E-7.) It is a means of disseminating detailed information and intelligence, including threat losses, morale, assessed strength, tactics, equipment, and combat effectiveness.

E-17. The periodic intelligence report includes but is not limited to sketches, overlays, marked maps or graphics, and annexes, providing a written and visual representation of the information and/or intelligence. The report is disseminated through the most suitable means based on its volume and urgency.

Supplementary Intelligence Report

E-18. The supplementary intelligence report (also known as SUPINTREP) is a comprehensive analysis of one or more specific subjects, typically the result of a request or to support a particular operation. This report is formatted similarly to a periodic intelligence report, but it addresses analysis over an extended period of time. Typically, the detailed analysis is from an accumulation of national assessments of threat actions, tactics, and doctrine identified during combat—normally a post-combat review. Maximum use of sketches, photos, overlays, marked maps or graphics, and annexes provides a written and visual representation of the information and/or intelligence. The supplementary intelligence report is disseminated based on the intelligence it contains and the commander’s requirements.

E-19. Specific reports may pertain to but are not limited to the following:

  • Technical intelligence summary, which includes detailed analysis of captured military equipment and communications devices and can include post-explosive reports.
  • Enemy prisoner of war interrogation reports from tactical to national sources.
  • Translation of captured enemy documents (DOMEX).
  • Cyberspace security updates.
  • Medical or environmental hazards.
  • Changes to civil political and other civilian authorities.

ANALYTICAL ASSESSMENTS THAT SUPPORT ORDERS AND BRIEFINGS

E-20. In addition to designated intelligence production requirements, the intelligence staff also provides analytical assessments to orders, briefings, and staff events, as described in FM 6-0. (See table E-1.) Normally, the intelligence analysis identifies the current threat situation and assessed threat capabilities (often tied to a threat COA); the same information exists in the intelligence summary, intelligence report, and intelligence running estimate. For intelligence analysts, the commander, and often the key staff officer, defines the requirement and may provide additional detailed requirements in unit SOPs.

Appendix F
Intelligence Support to Targeting

F-1. The targeting effort is cyclical and closely tied to combat assessments. Targeting is a complex and multidiscipline effort that requires coordinated interaction among many command and staff elements. The functional element necessary for effective collaboration is represented in the targeting working group. Intelligence analysts perform a number of critical tasks as part of this working group and the overall targeting effort. (See ATP 3-60 for more information on targeting.)

TARGETING GUIDELINES

F-2. The threat presents a large number of targets that must be engaged with available information collection assets and attack assets. The targeting process assesses the benefits and the costs of engaging various targets in order to achieve the desired end state. Adhering to the five targeting guidelines should increase the probability of creating desired effects while diminishing undesired or adverse collateral effects:

  • Targeting focuses on achieving the commander’s objectives.
  • Targeting seeks to create specific desired effects through lethal and nonlethal actions.
  • Targeting directs lethal and nonlethal actions to create desired effects.
  • Targeting is a fundamental task of the fires warfighting function that encompasses many disciplines and requires participation from many staff elements and components.
  • Targeting creates effects systematically.

TARGETING GUIDANCE AND CATEGORIES

F-3. The commander’s targeting guidance must be articulated clearly and simply to enhance understanding. The guidance must be clearly understood by all warfighting functions, especially by the intelligence staff. Targeting guidance must focus on essential threat capabilities and functions that interfere with the achievement of friendly objectives.

F-4. The commander’s targeting guidance describes the desired effects to be generated by fires, physical attack, cyberspace electromagnetic activities, and other information-related capabilities against threat operations. Targeting gives the commander, through various lethal and nonlethal capabilities, the ability to produce the desired effects. Capabilities associated with one desired effect may also contribute to other effects. For example, delay can result from disrupting, diverting, or destroying threat capabilities or targets. Intelligence personnel should understand and only use the 14 terms used in ATP 3-60 to describe desired effects:

  • Deceive.
  • Defeat.
  • Degrade.
  • Delay.
  • Deny.
  • Destroy.
  • Destruction.
  • Disrupt.
  • Divert.
  • Exploitation.
  • Interdict.
  • Neutralize.
  • Neutralization.
  • Suppress.

F-5. To effectively target the threat, friendly forces use deliberate and dynamic targeting. Deliberate targeting prosecutes planned targets, while dynamic targeting prosecutes targets of opportunity and changes to planned targets. During both categories of targeting, friendly forces may prosecute normal, time-sensitive, and sensitive targets.

TARGETING METHODOLOGY

F-6. The targeting methodology organizes the efforts of the commander and staff to accomplish key targeting requirements. This methodology is referred to as the decide, detect, deliver, and assess methodology. The methodology assists the commander and staff in deciding which targets must be acquired and engaged and in developing options to engage those targets. Options can be lethal or nonlethal, organic, or supporting assets at all levels as listed—maneuver, electronic attack, psychological, attack aircraft, surface-to-surface fires, air to surface, other information-related capabilities, or a combination of these operations.

F-7. The decide, detect, deliver, and assess methodology is an integral part of the MDMP. During the MDMP, targeting becomes more focused based on the commander’s guidance and intent. A very important part of targeting is identifying potential fratricide situations and the necessary coordination measures to positively manage and control the attack of targets. These measures are incorporated in the coordinating instructions and appropriate annexes of the operation plan or OPORD.

DECIDE

F-8. The decide function of the targeting methodology provides the overall focus and sets priorities for information collection and attack planning. It is the most important targeting function and requires close interaction between the intelligence, plans, operations, and fires cells, and the servicing judge advocate. This step draws heavily on the staff’s knowledge of the threat, a detailed IPB (which occurs simultaneously), and a continuous assessment of the situation. Targeting priorities are addressed for each phase or critical event of an operation. The decisions made are reflected in visual products as follows:

  • HPT list. The high-payoff target list is a prioritized list of high-payoff targets by phase of the operation (FM 3-09). A high-payoff target is a target whose loss to the enemy will significantly contribute to the success of the friendly course of action (JP 3-60). An HPT is an HVT that must be acquired and successfully engaged for the success of the friendly commander’s mission. A high-value target is a target the enemy commander requires for the successful completion of the mission (JP 3-60).
  • Information collection plan. The information collection plan focuses the collection effort to answer PIRs and other significant requirements. If an HPT is not designated as a PIR, it must still be supported by collection. The information collection plan usually supports the acquisition of more HPTs. (See ATP 2-01.)
  • Target selection standard matrices. These matrices address accuracy or other specific criteria requiring compliance before targets can be attacked.
  • Attack guidance matrix. The attack guidance matrix is a targeting product approved by the commander, which addresses the how and when targets are engaged and the desired effects (ATP 3-60).

Intelligence Preparation of the Battlefield

F-9. In the same manner that targeting involves coordinated interactions among the commander and entire staff, IPB involves the active participation of the entire staff. The interactions between intelligence personnel and fires personnel are important during the IPB process. (For more information on staff collaboration during IPB, see ATP 2-01.3.) Many of the IPB products significantly influence or are brought forward into the targeting effort. These products assist in target value analysis and war gaming. Some examples of important IPB products include—

  • The modified combined obstacle overlay.
  • Civil considerations (ASCOPE) products.
  • Weather effects products.
  • Threat models with recommended HVTs.
  • Situation templates with threat time phase lines.
  • Event templates and matrices, which have named areas of interest (NAIs).

Target Value Analysis and War Gaming

F-10. From the coordination and work performed during the IPB effort, the targeting working group, especially the intelligence staff and targeting officer, perform target value analysis that yields HVT lists (which may include high-value individual lists) for a specific threat COA. Target value analysis continues the detailed analysis of relevant threat factors, including doctrine, tactics, equipment, capabilities, and expected actions for a specific threat COA. The target value analysis process identifies HVT sets associated with critical threat functions.

F-11. Target spreadsheets (or target folders, as appropriate) identify an HVT compared to a type of operation. Target spreadsheets give detailed targeting information for each HVT, which is used during IPB and war gaming. The intelligence staff and targeting officer collaborate to develop and maintain the target spreadsheet.

Target Development

F-30. Target development is the systematic examination of potential targets and their components, individual targets, and even elements of targets to determine the necessary type and duration of the action that must be exerted on each target to create an effect that is consistent with the commander’s specific objective (JP 3-60). This analysis includes deconfliction, aim point recommendations, target materials production, and collateral damage estimation. Target development generally results in products such as target folders, information collection requirements, and target briefs. Detailed analysis should characterize the function, criticality, and vulnerabilities of each target, linking targets back to targeting objectives and measures of effectiveness. Target development includes target vetting and target validation.

Note. Although target development is discussed under detect in ATP 3-60, for this publication, it is more useful to discuss this step under decide.

Target Vetting

F-31. Vetting is a part of target development that assesses the accuracy of the supporting intelligence to targeting (JP 3-60). Vetting establishes a reasonable level of confidence in a target’s designated functional characterization. The BCT intelligence cell accomplishes this by reviewing all target data for accuracy. At a minimum, the assessment includes a review of target identification, significance, collateral damage estimation, geospatial or location issues, impact on the threat or friendly forces, impact of not conducting operations on the target, environmental sensitivity, and intelligence gain or loss concerns. Vetting does not include an assessment of compliance with the law of war or rules of engagement.

Target Validation

F-32. Validation is a part of target development that ensures all candidate targets meet the objectives and criteria outlined in the commander’s guidance and ensures compliance with the law of war and rules of engagement (JP 3-60). Targets are validated against multinational concerns during some operations. Target vetting and validation should recur as new intelligence is collected or the situation changes. Target validation is performed by targeting personnel, in coordination with planners, servicing judge advocate, and other experts, as required. (See ATP 3-60 for a list of useful target validation questions.)

DETECT

F-33. As much as possible, the procedures and supporting products that are used during the detect function should be developed during the decide function. However, the targeting team must periodically update decisions made during the decide function concerning IPB products, HPT lists, target synchronization matrices, attack guidance matrices, the information collection plan, and the OPORD. Updating these products can occur throughout the detect, deliver, and assess functions of the targeting methodology.

F-34. Based on targeting priorities, the targeting working group establishes target detection and tracking priorities. Target tracking is inherent in target detection. The fires cell provides the intelligence cell with the degree of accuracy required and dwell time for a target to be eligible for engagement. Then the collection manager can match those requirements to the target location error of the information collection asset.

DELIVER

F-39. The deliver function executes the target attack guidance and supports the commander’s plan once HPTs have been located and identified. Target engagement requires several decisions and actions, which are grouped into tactical and technical decisions.

Tactical Decisions

F-40. Tactical decisions are made based on the analysis that was accomplished during target development. Tactical decisions reconfirm or determine the—

  • Time of the engagement.
  • Desired effect, degree of damage, or both.
  • Delivery system to be used through weaponeering and collateral damage estimation.

Time of Engagement and Desired Effect

F-41. Time of engagement and the desired effect that will be achieved on the target are critical considerations. The commander needs to weigh the operational risk of tactical patience balanced against the immediacy of the planned action in the attack guidance matrix.

Delivery System

F-42. This step builds on the analysis performed during target development and includes weaponeering and collateral damage estimation. If the target was already planned, then this step starts with determining if the delivery means is available and still the best weapon or means for the engagement. When the target is a target of opportunity, some analysis is necessary to work through completion of a quick target development.

F-43. Weaponeering is the process of determining the specific means required to create a desired effect on a given target (JP 3-60). As much as possible, weaponeering should be planned during the plan function during target development. Weaponeering considers munitions delivery error and accuracy, damage mechanisms and criteria, probability of kill, weapon reliability, and trajectory.

Technical Decisions

F-45. Once the tactical decisions have been made, the G-3/S-3 directs the appropriate unit to engage the target. The fires cell provides the asset or system manager with selected time of engagement, desired effects, and any special restraints or requests for particular munitions types.

ASSESS

F-47. The assess function of the targeting methodology is nested in the overall continuous assessment of operations within the operations process. Assessment is directly tied to the commander’s decisions throughout the planning, preparation, and execution of operations. Planning for assessment identifies key aspects of the operation that the commander directs be closely monitored, and where the commander wants to make the decisions. Commanders and staffs consider assessment ways, means, and measures. ADP 5-0 discusses overall operational assessment, including measures of effectiveness, measures of performance, and indicators. Intelligence plays a major role in operational assessment.

F-48. Intelligence also plays a major role in assessment as a part of the targeting methodology. The assess function of the targeting methodology is performed through combat assessment. Combat assessment is the determination of the effectiveness of force employment during military operations (JP 3-60). Combat assessment comprises three elements:

  • Battle damage assessment (BDA).
  • Munitions effectiveness assessment.
  • Reengagement recommendation.

F-49. Together, BDA and munitions effectiveness assessment provide the commander and staff with an assessment of the effects achieved against targets and whether the targeting guidance was met. Based on this information, the staff can recommend reengagement when necessary.

Battle Damage Assessment

F-50. Battle damage assessment is the estimate of damage composed of physical and functional damage assessment, as well as target system assessment, resulting from the application of lethal or nonlethal military force (JP 3-0).

Producing BDA is primarily an intelligence cell responsibility but requires coordination across the staff, similarly to IPB and most steps of intelligence support to targeting. BDA requirements should be captured as PIRs or as similar high-priority information collection requirements. BDA provides—

  • Commanders with an assessment of the target’s mission effectiveness, overall status, capabilities (whether full or partial), and likely reactions or any change to their intent. This assists the staff in determining if the engagement is meeting the targeting guidance and is critical to any recommendation to reengage the target.
  • Important analysis used to conduct quick target development and decide on the allocation or redirection of assets or weapon systems for any reengagement.

F-51. BDA has three components (see table F-1):

Physical damage assessment. The staff estimates the extent of physical damage to a target based on observed or interpreted damage. It is a post-attack target analysis coordinated among all units.

Functional damage assessment. All-source intelligence analysts assess the remaining functional or operational capability of the threat. The assessment focuses on measurable effects and estimates the threat’s ability to reorganize or find alternative means to continue operations. The targeting cell and staff integrate analysis with external sources to determine if the commander’s intent for fires has been met.

Target system assessment. The staff conducts a broad assessment of the overall impact and effectiveness of all types of engagement against an entire target system capability (for example, threat air defense artillery systems). All-source intelligence analysts assist the staff in assessing the threat’s combat effectiveness or major threat subordinate elements or capabilities needed to accomplish a threat mission. This is a relatively permanent assessment (compared to functional damage assessment) that can be used for more than one mission.

F-52. BDA requirements for specific HPTs are determined during the decide function. Often information collection assets can answer either target development and target acquisition requirements or BDA, but not both types of requirements. An asset used for BDA may be unavailable for target development and target acquisition requirements. The intelligence cell receives, processes, and disseminates results that are analyzed based on desired effects to the targeting team attack.

F-53. The targeting team should consider the following BDA principles:

  • BDA should measure what is important to commanders, not make important what is easily measurable.
  • BDA should be objective. When receiving a BDA product from another echelon, the conclusions should be verified (time permitting) to identify and resolve discrepancies among BDA analysts at different headquarters.
  • The degree of reliability and credibility of BDA relies largely on information collection assets. The quantity and quality of information collection assets influence whether the assessment is highly reliable (concrete, quantifiable, and precise) or has low reliability (estimation). Effective BDA uses more than one source to verify each conclusion.

F-54. BDA is more than determining the number of casualties or the amount of equipment destroyed. The targeting team can use other information such as—

  • Whether the targets are moving or hardening in response to the attack.
  • Changes in deception efforts and techniques.
  • Whether the damage achieved is affecting the threat’s combat effectiveness as expected.

Notes from Plan Requirements and Assess Collection ATP 2-01

Preface

ATP 2-01 establishes doctrine for the specific tasks under planning requirements and assessing collection. It expands on the principles in FM 3-55. ATP 2-01 should be used in conjunction with FM 3-55 and with FM 2-0. Readers should be familiar with fundamental doctrine contained in ADPs 2-0, 3-0, 5-0, and 6-0 and ADRPs 2-0, 3-0, 5-0, and 6-0.

This publication’s primary audience is the intelligence and operations staffs within the Army’s corps, divisions, brigade combat teams, and maneuver battalions. These staffs collaborate to develop the information collection plan. Commanders also must understand the importance of developing requirements and assessing collection as part of information collection planning and the operations process. Commanders and staffs of Army headquarters serving as a joint task force or multinational headquarters should refer to joint doctrine contained in JP 2-01 or appropriate multinational doctrine. ATP 2-01 forms the foundation for instruction on planning requirements and assessing collection within the Army’s educational system.

Introduction

ATP 2-01 establishes doctrine for the specific functions under planning requirements and assessing collection. It expands on the principles in FM 3-55. ATP 2-01 should be used in conjunction with FM 3-55 and with FM 2-0. It outlines the preparation of planning requirements tools during the conduct (planning, preparation, execution, and assessment) of operations.

This publication provides details on the four continuing functions of planning requirements and assessing collection. It includes techniques for developing planning requirements tools and keeping them current throughout an operation. It addresses factors to consider when supporting offensive, defensive, and stability tasks. It also discusses considerations when operating in urban and nontemperate environments.

Although the discussions and descriptions in this manual may seem linear, planning requirements and assessing collection is a dynamic, continuous, and interactive process requiring constant interaction between the commander and staff. Depending on the mission, time available, ongoing operations, and standard operating procedures (SOPs), units may develop techniques for abbreviated information collection planning to meet the commander’s needs. The information presented is descriptive, not prescriptive or restrictive. However, it describes the optimal process. This manual complies with Doctrine 2015 guidelines.

PART ONE

Fundamentals

Chapter 1 Relationships

INFORMATION COLLECTION AND THE INTEGRATING TASKS

1-1. This chapter provides basic information regarding planning requirements and assessing collection. It starts with a brief discussion of information collection and its tasks, of which one is planning requirements and assessing collection. Then it discusses planning requirements and assessing collection across the echelons and the vital role of the commander and staff. Finally, it discusses the linkage between planning requirements and assessing collection, the MDMP, IPB, and targeting, all of which are executed to support current and future operations.

INFORMATION COLLECTION

1-2. The Army executes ISR (Intelligence, Surveillance, and Reconnaissance) through the operations and intelligence processes (with an emphasis on intelligence analysis and leveraging the larger intelligence enterprise) and information collection. Information collection is an activity that synchronizes and integrates the planning and employment of sensors and assets as well as the processing, exploitation, and dissemination systems in direct support of current and future operations.

FM 3-55 describes an information collection capability as any human or automated sensor, asset, or processing, exploitation, and dissemination (PED) system that can be directed to collect information that enables better decisionmaking, expands understanding of the operational environment, and supports warfighting functions in decisive action.

INFORMATION COLLECTION TASKS

1-3. Information collection involves the acquisition of information and the provision of this information to processing elements and consists of the following tasks:

  • Plan requirements and assess collection.
  • Task and direct collection.
  • Execute collection.

PLAN REQUIREMENTS AND ASSESS COLLECTION

1-4. Plan requirements and assess collection is the task of analyzing requirements, evaluating available assets (internal and external), recommending to the operations staff taskings for information collection assets, submitting requests for information for adjacent and higher collection support, and assessing the effectiveness of the information collection plan. It is a commander-driven, coordinated staff effort led by the G-2/S-2. The continuous functions of planning requirements and assessing collection identify the best way to satisfy the requirements of the supported commander and staff. These functions are not necessarily sequential.

TASK AND DIRECT COLLECTION

1-5. The G-3/S-3 (based on recommendations from the staff) tasks, directs, and, when necessary, retasks the information collection assets. Tasking and directing of limited information collection assets is vital to their control and effective use. Staffs accomplish tasking information collection by issuing warning orders, fragmentary orders, and operation orders. They accomplish directing information collection assets by continuously monitoring the operation. Staffs conduct retasking to refine, update, or create new requirements.

EXECUTE COLLECTION

1-6. Executing collection focuses on requirements tied to the execution of tactical missions (normally reconnaissance, surveillance, security operations, and intelligence operations).

Information acquired during collection activities about the threat and the area of interest is provided to intelligence processing and exploitation elements. (For intelligence purposes, exploitation is defined as taking full advantage of any information that has come to hand for tactical, operational, or strategic purposes.)

Typically, collection activities begin soon after receipt of mission and continue throughout preparation for and execution of the operation. They do not cease at the conclusion of the mission but continue as required. This allows the commander to focus combat power, execute current operations, and prepare for future operations simultaneously.

1-7. To provide effective support to execution, planning requirements and assessing collection must be linked to planned and ongoing operational activities. Plans and orders direct and coordinate information collection by providing information collection tasks based on validated requirements essential for mission accomplishment. Plans and orders help allocate scarce information collection assets effectively and efficiently. The intelligence staff must collaborate with higher, lower, and adjacent intelligence staffs to ensure the effectiveness of planning requirements and assessing collection.

COLLABORATION ACROSS ECHELONS

1-8. Planning requirements and assessing collection is integrated and layered across echelons. It is integrated with all other activities, systems, efforts, and capabilities associated with unified land operations to provide the information required to create intelligence. Integration occurs vertically and horizontally, with unified action partners and throughout the operations process. (See appendix A.) It also requires the intelligence staff to leverage the intelligence enterprise. (See ADRP 2-0.)

1-9. Requirements for information collection are arranged vertically and horizontally using a layered approach. Layering ensures the optimal use of limited information collection assets within a unit’s task organization. Layering allows for mutual supporting activities to share requirements. Sharing requirements across echelons helps to support commanders at all levels.

ROLES OF THE COMMANDER AND STAFF

1-10. Commanders drive information collection activities through their choice of critical information requirements and through mission command. Commanders provide planning guidance with their initial intent statement. Planning guidance conveys the essence of the commander’s visualization.

1-11. Effective planning requirements and assessing collection focuses information collection activities on obtaining the information required by commanders and staffs to influence decisions and operations. Planning requirements and assessing collection—

  • Includes commander and staff efforts to synchronize and integrate information collection tasks throughout the operations process.
  • Supports the commander’s situational understanding and visualization of the operation by—
    • Identifying information gaps.
    • Coordinating assets and resources against requirements for information to fill these gaps.
    • Assessing the collected information and intelligence to inform the commander’s decisions.
  • Supports the staff during all operations process activities, integrating processes, and continuing activities (for example, during IPB and the MDMP, as well as the targeting, operations, and intelligence processes).

1-12. The direct result of the intelligence and operations staffs’ efforts is a coordinated information collection plan. The information collection plan supports the operation with the necessary information collection assets and the required PED enablers to support collection and decisionmaking. As information and intelligence are assessed and refinements to the plan are made during execution, the operations staff issues fragmentary orders to retask or assign new missions to information collection assets.

ARMY PROCESSES

1-13. In addition to its relationship to information collection, planning requirements and assessing collection relates to each of the Army’s integrating processes and continuing activities, primarily to the MDMP, IPB and targeting process.

RELATIONSHIP WITH THE MILITARY DECISIONMAKING PROCESS

1-14. During mission analysis, the staff develops a list of initial information requirements. (See FM 6-0.)

These CCIRs identify information critical for planning. They usually result in information collection missions executed while planning for the overall operation is underway. Commanders decide what information is critical based on their experience, the mission, the higher commander’s specified and implied intent, and the input from the entire staff.

RELATIONSHIP WITH INTELLIGENCE PREPARATION OF THE BATTLEFIELD

1-17. Planning requirements and assessing collection relies on the results of IPB. The staff’s completion of IPB provides an analysis of the operational environment and the options it presents to friendly and threat forces. It also provides information required to plan information collection activities, such as—

  • Characteristics of the area of interest that will influence friendly and threat operations (including civil considerations).
  • Enemy event templates, including decision points and matrices critical to information collection planning.
  • Information collection assets’ sensitivities to weather and the effects of weather on planned or potential operations.
  • Threat characteristics, doctrine, tactics, techniques, and behavior.
  • Possible and likely threat courses of action.
  • High-value targets.

RELATIONSHIP WITH TARGETING

1-19. The targeting process produces requirements that are incorporated into planning requirement tools and the unit’s information collection plan. The tools and plan contain tasks for target development, target detection, and combat assessment that support the scheme of fires.

1-20. To effectively target the threat, the staff develops named areas of interest (NAIs) and targeted areas of interest (TAIs). The staff also develops a high-value target list that can include geographic NAIs or TAIs as well as organizations, networks, or individuals identified as key or critical nodes. Targeting requirements must support the commander’s objectives and intent. In certain circumstances, some requirements may not be focused on a certain geographic area.

Chapter 2
Inputs and Functions

ROLES OF THE COMMANDER AND STAFF

2-1. The commander and staff interact to provide input to planning requirements and assessing collection throughout the overall operation. Based on this input, the staff performs the planning requirements and assessing functions.

This chapter discusses how the commander provides the staff with inputs necessary to perform planning requirements and assessing collection. It then describes how the staff, using the commander’s inputs, develops their respective running estimates, requests for information, and requirements. Finally, it outlines the functions of planning requirements and assessing collection, specifically why each is important and their successful results.

COMMANDER AND STAFF INPUT

2-2. The commander is the most important participant in planning requirements and assessing collection. The initial commander’s intent, planning guidance, and CCIRs form the foundation of the information collection plan and the basis for assessing its execution. During planning and preparation, the staff, primarily the operations and intelligence working group, develops the information collection plan and the staff products required to execute it. During execution, they oversee execution of the plan, keeping the staff products current and using them to keep information collection efforts synchronized with the overall operation. The staff updates planning requirements as operations unfold and modifies the plan as necessary to satisfy new information requirements that emerge.

COMMANDER INPUT

2-3. During planning, the commander’s visualization provides the basis for developing the order, including the information collection plan. Commanders and staffs continuously assess the progress of operations toward the desired end state.

2-4. When providing guidance, commanders consider that military intelligence collection assets are distinct from other Army information collection capabilities. The distinction is required because intelligence collection is enabled by and must comply with all applicable U.S. laws and policy.

2-5. After commanders visualize an operation, they communicate their visualization to their staffs and subordinates. Through collaboration and dialog, commanders ensure subordinates understand the visualization well enough to begin planning. As it pertains to information collection activities, commanders express their initial visualization in terms of—

  • Initial commander’s intent.
  • Planning guidance, including an initial concept of operations.

Initial Commander’s Intent

2-6. The initial commander’s intent links the operation’s purpose with the conditions that define the desired end state. The staff uses the initial commander’s intent statement to develop and refine requirements and assess the information collection plan throughout the operation. Usually, the initial intent statement evolves as planning progresses and more information becomes available. The information collection plan evolves concurrently.

Planning Guidance

2-7. Commanders provide planning guidance with their initial intent statement. Planning guidance conveys the essence of the commander’s visualization. Effective planning guidance is essentially an initial concept of operations that prioritizes the information collection activities. Planning guidance—

  • Reflects how the commander sees the operation unfolding.
  • Broadly describes when, where, and how the commander intends to employ combat power to accomplish the mission within the higher commander’s intent.
  • For planning requirements, provides the staff information to begin the steps within the planning activity of the operations process, that is, to develop an initial information collection plan, which is refined into the final plan that is incorporated into the unit order.

Requirements

2-8. Commanders base their initial information requirements on the critical gaps identified during IPB in the mission analysis step of the MDMP. Refined and updated requirements result from staff wargaming and the commander’s selection of a particular friendly course of action that becomes the concept of operations. Commanders drive planning requirements and assessing collection through their choice of critical information requirements and through mission command throughout the operations process.

2-9. For requirements management, there are two types of requirements that result from planning requirements and assessing collection: priority intelligence requirements (PIRs) that are part of the CCIRs, and information requirements. PIRs and information requirements may focus on threat units or on capabilities the threat requires to complete missions and tasks. Each requirement is further refined into discrete pieces of information that together answer that requirement. These pieces are referred to as indicators and specific information requirements (SIRs). The indicators and SIRs are used to develop the information collection plan.

Information Requirements

2-10. An information requirement is any information element the commander and staff require to successfully conduct operations. They include all elements necessary to address the mission variables (mission, enemy, terrain and weather, troops and support available, time available, and civil considerations [also called METT-TC]). For the purposes of the intelligence warfighting function, validated information collection plan requirements are requirements that, when answered, will fill a gap in knowledge and understanding of the area of operations (AO) and the area of interest.

Commander’s Critical Information Requirements

2-11. A commander’s critical information requirement is an information requirement identified by the commander as being critical to facilitating timely decisionmaking (JP 3-0). The two CCIR categories are friendly force information requirements and PIRs. (See figure 2-3.) A CCIR directly influences decisionmaking and facilitates the successful execution of military operations. Commanders decide whether to designate an information requirement as a CCIR based on likely decisions and their visualization of the course of the operation. A CCIR may support more than one decision. During planning, staffs recommend information requirements for commanders to designate as CCIRs. During preparation and execution, they recommend changes to CCIRs based on assessment. A CCIR is—

  • Specified by a commander for a specific operation.
  • Applicable only to the commander who specifies it.
  • Situation-dependent—directly linked to a current or future mission.
  • Focused on predictable events or activities.
  • Time-sensitive—CCIR answers are reported to the commander immediately by any means available.

2-12. Priority Intelligence Requirements. A priority intelligence requirement is an intelligence requirement, stated as a priority for intelligence support, that the commander and staff need to understand the adversary or other aspects of the operational environment (JP 2-01). PIRs identify information about the enemy, terrain and weather, and civil considerations that the commander considers most important. The intelligence staff manages PIRs for the commander. Commanders limit the number of PIRs to focus the efforts of limited information collection assets. This helps staffs and subordinates identify information the commander needs immediately. A good staff expertly distills that information, identifying answers to PIRs and disseminating them to the commander immediately.

2-13. Friendly Force Information Requirements. A friendly force information requirement is information the commander and staff need to understand the status of friendly force and supporting capabilities (JP 3-0). Friendly force information requirements identify the information the commander considers most important about the mission, troops and support available, and time available for friendly forces. In coordination with the staff, the G-3/S-3 manages friendly force information requirements for the commander.

STAFF INPUT

2-14. Planning requirements and assessing collection consists of various staff functions designed to place collection assets and resources into a synchronized plan in order to leverage the various capabilities. The plan synchronizes and coordinates collection activities within the overall concept of operations. The information collection plan positions and tasks collection assets so they can collect the right information, sustain or reconstitute for branches or sequels, or shift priorities as the situation develops. Effective planning for information collection focuses on answering the commander’s requirements by translating information collection tasks into orders.

2-15. Planning requirements and assessing information collection requires full staff integration. The staff—

  • Prepares or updates their respective running estimates.
  • Develops requirements.
  • Participates in the operations and intelligence working group (if formed).
  • Develops technical channels (as required).

Running Estimates

2-16. A running estimate is the continuous assessment of the current situation used to determine if the current operation is proceeding according to the commander’s intent and if planned future operations are supportable (ADP 5-0). Intelligence staffs (or the operations and intelligence working group, if formed) use running estimates to assist with determining whether requirements have been satisfied, the need for additional requirements, and which assets are available for tasking. (See FM 6-0 for additional information on running estimates.)

Operations and Intelligence Working Group

2-17. Depending on the availability of personnel, the commander may designate an operations and intelligence working group. The primary staff officers for operations and intelligence (G-3/S-3 and G-2/S-2) should direct and manage the efforts of this working group to achieve a fully synchronized and integrated information collection plan.

2-18. The operations and intelligence working group is a temporary grouping of designated staff representatives who coordinate and integrate information collection, and provide recommendations to the commander. The purpose of the operations and intelligence working group is to bring together representatives from all command post cells to validate information requirements and deconflict the use of organic and attached assets. The operations and intelligence working group ensures maximum efficiency in information collection by carefully synchronizing all collection tasks within the information collection plan. Input is required from each member of the working group.

2-19. Unit SOPs and the operation’s tempo determine how frequently the operations and intelligence working group needs to meet. This working group should be closely aligned with both the current operations and integration cell and the future operations (or plans) cell to ensure information collection is properly integrated into the overall operation plan.

2-20. The G-3/S-3 comes prepared to provide the following:

  • The current friendly situation.
  • Current CCIRs.
  • The status and availability of collection assets.
  • Requirements from higher headquarters (including recent fragmentary orders or taskings).
  • Changes to the commander’s intent.
  • Changes to the task organization.
  • Future operations.

2-21. The G-2/S-2 comes prepared to provide the following:

  • The current enemy situation.
  • Current status of PIRs, and potential changes to PIRs.
  • The current information collection priorities and strategies.
  • The status and availability of intelligence operations assets.
  • Current planning requirements tools.
  • The situational template tailored to the time discussed.
  • Current status of the communication plan for information collection assets.
  • Support the G-2/S-2 must request from higher headquarters’ resources.
  • Weather and effects of weather on information collection assets.
  • Civil considerations (as applicable).

2-22. Outputs of the working group include but are not limited to—

  • Priorities and recommendations for the latest information collection plan.
  • Updated CCIRs for commander approval.
  • Information collection input for fragmentary orders.

Technical Channels

2-24. Information normally moves throughout a force along specific transmission paths, or channels. Establishing these channels directs the flow of reported information derived during intelligence operations. Channels help streamline information dissemination by ensuring the right information passes promptly to the right people. Commanders and staffs normally communicate through three channels—command, staff, and technical.

2-25. For intelligence operations, technical channels are the transmission paths between intelligence units (to include command post cells and staff elements) performing a technical function requiring special expertise. Technical channels are used to transmit required technical data used to focus the highly technical intelligence operations collection. Establishing intelligence technical channels facilitates adherence to existing policies or regulations for information collection tasks contained within the information collection plan. Technical channels do not interfere with command and staff channels. Technical channels are not used for conducting operations.

2-26. While planning requirements and assessing collection, the intelligence staff ensures that technical channels are used to focus intelligence collectors appropriately. These channels facilitate a collaborative environment and more efficient intelligence operations. The collector, or the lowest level of management for the collector, in turn provides feedback of a technical nature to the intelligence staff. An example of this feedback is when a collector is tasked to collect on threat communications but does not possess the equipment capable of intercepting the signal.

PLANNING REQUIREMENTS AND ASSESSING COLLECTION FUNCTIONS

2-27. After receiving inputs from the commander and staff—intent, planning guidance, and requirements— the intelligence staff, in close coordination with the operations staff, performs the planning requirements and assessing collection functions. (See figure 2-4.) The planning requirements and assessing collection functions are the basis for creating an information collection plan that synchronizes activities of the information collection effort to enable the commander’s visualization and situational understanding. The intelligence staff, in coordination with the operations staff, monitors available collection assets and assesses their ability to provide the required information. They also recommend adjustments to new requirements or locations of information collection assets, if required. The planning requirements and assessing collection functions are—

  • Develop planning requirements.
  • Develop planning requirements tools.
  • Assess information collection.
  • Update planning requirements tools.

DEVELOP PLANNING REQUIREMENTS

2-28. Developing requirements involves identifying, prioritizing, and refining uncertainties concerning the threat and significant aspects of the operational environment that must be resolved to accomplish the mission. The purpose of the develop requirements function is to receive, analyze, and prioritize requirements appropriate to task to organic assets as part of the information collection plan.

2-29. An important element of developing requirements during execution is the constant collaboration between analytical personnel and staff elements of the various command post cells to refine information requirements and focus the information collection effort as the situation develops.

2-30. The result of requirements development is a prioritized list of validated requirements. Successful requirements development results in—

  • The information arriving in time for commanders to use.
  • Analysts receiving information that directly relates to the CCIRs.
  • Collection carried out only on requirements important to the operation.

DEVELOP PLANNING REQUIREMENTS TOOLS

2-31. The intelligence staff creates and uses planning requirements tools to track planned and ongoing information collection tactical tasks—reconnaissance, surveillance, security operations, and intelligence operations. These tools are not tasking documents or systems; they are products developed to facilitate the synchronization of collection and analytical efforts. The intelligence staff uses the tools to assist the operations staff in creating the information collection plan.

2-32.  The subfunction tasks to develop planning requirements tools (see chapter 4) are—

  • Evaluate resources.
  • Develop a collection strategy.
      • Submit requests for support (collection).
      • Submit requests for information.
      • Match information collection asset capabilities to expected activity.
  • Develop SIRs.
  • Develop supporting tools.
      • Information collection matrix.
      • Information collection synchronization matrix.
      • Information collection overlay.

 

2-33. The result of developing planning requirements tools is the creation of working aids that assist in the creation and execution of an information collection plan that answers the CCIRs. Success results in the synchronization of information collection with the overall operation through the effective use of the right collection assets at the right time and place. Successful planning requirements tools result in—

  • Selecting a collection asset with the appropriate capability.
  • Focusing the collection asset on the right area at the right time to answer the requirements.

ASSESSING COLLECTION

2-34. Assessing collection involves two concurrent tasks: assessing the information collection plan and assessing tactical task execution. Commanders and staffs continuously evaluate the information collection plan based on the assessment of results from tactical tasks. Collection assessment is particularly important during execution because situations change rapidly; evaluation identifies updates for information collection activities. Together, commanders and staffs determine if CCIRs have been satisfied or are still relevant.

2-35. The subfunction tasks of assess tactical task execution (see chapter 5) are—

  • Monitor the tactical situation.
  • Screen reporting to ensure task completion.
  • Correlate reports to requirements.
  • Provide feedback to assets.
  • Maintain synchronization with operations.
  • Cue assets to collection opportunities.
  • Recommend retasking of assets.

 

2-36. Monitoring information collection tasks aids in identifying the need to retask assets as the situation changes or cue assets to collection opportunities. Effective monitoring allows the intelligence and operations staffs to keep the information collection plan current. To support this goal, the rest of the staff also monitors the situation from the perspective of their command post cell to identify possible issues that need to be brought to the attention of the G-3/S-3.

UPDATE PLANNING REQUIREMENTS TOOLS

2-37. As the situation changes, adjustments to the planning requirements tools keep information collection synchronized with the overall operation, thus optimizing the force’s collection effort. Satisfied requirements are deleted, and collectors remain focused on unsatisfied and new requirements. Success results in the collection and reporting of information when needed to support the commander’s decisions.

2-38. The subfunctions of update planning requirements tools (see chapter 6) are—

  • Receive inputs from the commander and staff.
  • Eliminate satisfied requirements.
  • Develop and add new requirements.
  • Transition to the next operation.

2-39. The functions of planning requirements and assessing collection are continuous, collaborative, and interactive. Several outputs from the various MDMP steps require collaboration with the rest of the staff, especially between the intelligence and operations staffs. Keeping the planning tools current cannot be achieved without constant coordination among the entire staff.

 

PART TWO

Techniques

Chapter 3

Developing Requirements

ROLE OF DEVELOPING REQUIREMENTS

3-1. Requirements development forms the foundation of the information collection plan. This chapter describes how to perform the tasks associated with this function. Developing requirements includes the following subfunction tasks:

  • Participate in planning.
  • Anticipate requirements.
  • Analyze requirements.
  • Refine requirements.

PARTICIPATE IN PLANNING

3-2. Throughout planning, requirements are developed and refined; some are consolidated, others discarded. Commanders and staffs add and delete individual requirements throughout an operation based on the information needed for specific decisions.

3-3. Requirements development begins as early as possible—in some cases before receipt of mission, when only partial information about the general location or category of a mission is known. Development continues as the intelligence staff collects initial (baseline) information and intelligence from existing sources and databases and through intelligence reach to develop the initial intelligence estimate in support of planning. Other command post cells gather information as they prepare or update their running estimates to support planning.

3-4. Maximum efficiency in information collection is achieved when all the collection tasks are carefully synchronized throughout an operation. This appropriate mix of collection tasks helps satisfy as many different requirements as possible. It also reduces the likelihood of the operations and intelligence working group favoring or becoming too reliant on one particular unit, intelligence discipline, or system.

3-5. The intelligence staff and other staff members continue to develop and refine requirements as the commander receives the mission and presents initial guidance to the staff. The commander’s guidance includes the critical information for the AO and area of interest that the commander must know to successfully conduct operations, expressed in later steps of the MDMP as CCIRs.

3-7. Because developing requirements is continuous, the function occurs throughout all activities of the operations process. Developing requirements results in the production of new requirements from ongoing operations that drive new operations, branches, and sequels. Effective requirements development depends on establishing the intelligence architecture and having effective network connectivity that provides situational understanding and input from the entire staff. Command post cells and staff elements use the following products to identify gaps that may result in information requirements:

  • Detailed and current IPB.
  • Current intelligence running estimate.
  • Current running estimates from other command post cells and staff elements.
  • Enemy situation templates and course of action statements.
  • Event templates and matrices.
  • Estimates and templates of anticipated civil responses to friendly and threat operations (as applicable).

3-8. Requirements management is not a one-time effort or the sole responsibility of the intelligence staff. Each staff element that develops requirements must follow the same development process.

ANTICIPATE REQUIREMENTS

3-9. The intelligence staff and other staff members identify new requirements or refine existing ones and present them to the commander for approval. The intelligence staff must recognize when and where to shift collection assets and make timely recommendations to the operations staff. Anticipating and developing new requirements requires a detailed understanding of the unit and its operational capabilities. It also requires a detailed situational understanding, a thorough understanding of IPB products and existing intelligence holdings, and an understanding of the concept of operations—including branches, sequels, and anticipated transitions to follow-on operations.

3-10. The ability to anticipate requirements gives intelligence staffs additional time to plan the use of information collection assets, including any joint or national assets available. It requires seamless involvement with the planners and operations staff. Anticipating upcoming requirements allows intelligence staffs to communicate with higher headquarters and plan future requests for information. The more time intelligence staffs give units that control Army, joint, and national systems, the more likely they are to obtain the required support for a specified time frame. A good example is forecasting additional support needed during critical events, such as national elections while conducting stability tasks, or during the initial phases of an attack.

ANALYZE REQUIREMENTS

3-11. The intelligence staff analyzes requirements to determine the most effective use of information collection assets. Each requirement is analyzed to determine how best to satisfy it. Sometimes this does not require tasking a unit, organization, or sensor for collection. Often, a newly received requirement can be satisfied by intelligence reach or by submitting a request for information. Analyzing requirements involves separating, recording, validating, consolidating, and prioritizing each recommended requirement.

SEPARATE

3-12. Intelligence staffs place intelligence gaps into one of three categories based on how best to answer them. These categories are—

  • Intelligence reach. Intelligence reach allows access to resources of national, joint, foreign, and other military organizations and units. Requesters can acquire information through push and pull of information, databases, homepages, collaborative tools, and broadcast services. Intelligence reach also supports distributed analysis. (See ADRP 2-0.)
  • Requests for information. Submitting a request for information to the next higher headquarters or adjacent units is the normal procedure for obtaining intelligence information that available information collection assets cannot collect. Users enter requests for information into a management system where every other system user can see them. Thus, an organization several echelons above the actual requester can become aware of the request and answer it.
  • Request for support (collection). When a gap cannot be answered by available sources and assets, intelligence staffs submit requests for support (collection) to higher and lateral organizations for incorporation into their information collection plans.

VALIDATE

3-14. Once recorded, the intelligence staff validates the requirements. Remember the commander provides the final validation of requirements when approving the operation order or fragmentary order. A valid requirement is necessary, feasible, and complete.

    • Necessity. Is this requirement really necessary? If yes, has it already been satisfied? If it has not, check databases to see if someone has already collected the information or produced the intelligence. If a product that satisfies the requirement already exists, refer the requester to the agency that produced it. If the requester does not have access to that agency’s database, then obtain and provide the product to the requester. Refer requests for production to the appropriate agency. In some cases, the intelligence already exists but not in the format the requester desires. For example, a unit may need a demographic map created from existing data. In those cases, ask the requester if the product on hand will answer the requirement. If so, provide it.
    • Feasibility. Does the unit have assets with capabilities able to execute the mission in time and with the detail required to support a decision? If not, can the unit submit a request for information to the echelon owning the information collection capability with a reasonable expectation of receiving a timely response?
    • Completeness. All requirements should specify—
      • Who (needs the results).
      • When (time the indicator is expected to occur and the latest time the commander needs to know).
      • What (activity or indicator).
      • Where (geolocation, NAI, or TAI).
      • Why (justification).
      • Other (specific instructions or information).

3-15. Once requirements are validated, existing information, such as a database, is examined to determine if requirements can be satisfied with existing information through either a request for information to higher or lateral units or through intelligence reach. If the requirement cannot be completely satisfied by either of these methods, the requirement is further refined and provided to the operations staff for incorporation into the information collection plan.

CONSOLIDATE

3-16. Requirements received as tasks and requests are often similar to those generated during planning. Consolidation involves identifying identical and similar requirements and combining them into a single requirement. Successful consolidation results in a smaller number of requirements to track and identification of subordinate elements that may be capable of collecting on a requirement.

3-17. Merging similar requirements simplifies the collection effort. For example, replace a poorly written requirement with the wording of the better justified or more specific requirement. However, exercise caution by—

  • Ensuring the intent of the original requirements is not lost when merging requirements.
  • Maintaining accountability of merged requirements through accurate record keeping.
  • Disseminating requirements to every requesting headquarters when requirements are satisfied or eliminated.

PRIORITIZE

3-18. Each requirement is prioritized based on its importance in supporting the concept of operations and anticipated decisions. Prioritization based on the commander’s guidance and the current situation ensures limited collection assets are directed towards the most critical requirements. Effective prioritization requires monitoring the operation to respond to changing situations.

3-19. When prioritizing, the significance of the requirement to the requester is considered more important than the echelon that generated the requirement. A subordinate commander’s requirement may well be more important to the success of the higher headquarters’ mission than all other requirements.

3-20. When prioritizing requirements over the course of the operation, intelligence staffs should consider their ability to meet requirements as well as the justification, specificity, significance, and time phasing of individual requirements.

Significance

3-21. Some tasks the force performs are more important to accomplishing the mission than others. During wargaming, commanders give guidance on what they consider most important. In any case, the commander’s intent is reflected in the priorities assigned to each phase of the operation. This is the basis for establishing a prioritized requirements list from which to make recommendations to the commander for approval.

3-22. After intelligence staffs prioritize the requirements and make recommendations, commanders designate some of the most important requirements as PIRs. Answering PIRs is mission-essential. In other words, failure to satisfy the PIRs endangers the command’s mission accomplishment. For maximum effectiveness, intelligence staffs and commanders should refine PIRs into specific questions. The significance of a requirement is often tied to the phase of the operation in which the information is required.

Time Phasing

3-23. Time phasing influences prioritization. Requirements time phasing, like synchronization, is a continuous process. The operation may progress more or less quickly than anticipated during wargaming. Consequently, expected timelines based on wargaming may change during the operation. Staffs monitor execution of the operation and remain alert for changes in the LTIOV based on other shifts in the operational timeline. Latest time information is of value is the time by which an intelligence organization or staff must deliver information to the requester in order to provide decisionmakers with timely intelligence. This must include the time anticipated for processing and disseminating that information as well as for making the decision. The most important requirement may have an LTIOV in a later phase of an operation.

INDICATORS

3-29. An indicator, in intelligence usage, is an item of information which reflects the intention or capability of an adversary to adopt or reject a course of action (JP 2-0). Indicators are positive or negative information regarding threat activity or any characteristic of the AO that—

  • Points toward threat capabilities and vulnerabilities.
  • Points toward the adoption or rejection by the threat of a particular course of action or activity.
  • May influence the commander’s selection of a course of action.

3-30. Indicators may result from previous actions or from threat failure to take action and usually do not stand alone. Indicators are typically not sent out as part of the information collection tasks but rather are used primarily by all-source intelligence analysts. All-source intelligence analysts develop indicators, integrating each one with other factors to detect patterns or signatures and establish threat intentions.

3-31.  Indicators corresponding to the PIRs and groups described in paragraphs 3-27 and 3-28 might be—

    • Identification of agitators, insurgents, or criminal organizations, their supporters, and sympathizers who suddenly appear in or move from an area.
    • Evidence of increased foot and vehicle traffic.
    • Increased travel within and into remote or isolated areas.
    • Apartments, houses, or buildings being rented but not lived in as homes.

3-32.  The mission statement, key tasks, and PIRs signify the initiation of developing requirements and the initial information collection plan. The G-2/S-2 identifies requirements appropriate to task to unit collection assets and recommends tasking those assets to the G-3/S-3.

3-33. After performing functional analysis and developing threat models, the intelligence staff is prepared to further refine PIRs into areas where information can be collected by collection assets and resources. For the major threat groups operating within the AO in a counterinsurgency environment, these groupings may include—

 

  • Leadership:
    • Who are cell leaders?
    • How do they operate within the urban areas of the AO?
  • Safe havens: Where are groups receiving passive and active support?
  • Movement: Where and how are cell members moving throughout the AO?
  • Logistics: Centered on weapons and weapon-making materials, how are materials obtained for offensive and defensive tasks?
  • Finance: How are group operations funded?
  • Intelligence collection: How are groups receiving information and conducting reconnaissance and surveillance of targets?
  • Personnel:
    • How are cells structured?
    • How are they receiving and incorporating new personnel?
  • Ideology: How are groups using the information environment?
  • Communication:
    • How do groups communicate internally within the group?
    • How do groups communicate externally with other groups?

3-34. Economic-based PIRs may have the following associated groupings:

  • How do telecommunications in the area of interest impact the economy?
  • How do natural resources in the area of interest impact the economy?
  • How do powerplants in the area of interest impact the economy?
  • How do marketplaces in the area of interest impact the economy?
  • What is normally traded within these markets?
  • What are the normal prices of food items?
  • What are the normal prices of clothing items?
  • Are new items being sold within the markets?

3-35. Economic-based PIRs based on the threat may have the following associated groupings:

  • What businesses are targeted by the threat?
  • What businesses support the threat?
  • What illegal products are produced, sold, or traded in the marketplace?

3-36. Information-based PIRs may have the following associated groupings:

  • What are the information sources, resource facilities, and organizations within the area of interest?
  • What are the official and unofficial information channels within the area of interest?
  • What are the means of communication within the civilian population?
  • What media representatives and organizations are in the area of interest?
  • Which authorities in the area of interest espouse anti-host-nation government rhetoric?

 

PRODUCTS

3-37. The conduct and results of initial and continuous IPB are important prerequisites to developing requirements. They provide—

  • Well-reasoned threat situation overlays, course of action statements, and event templates or matrices.
  • Thorough analysis of civil considerations (areas, structures, capabilities, organizations, people, events [often referred to as ASCOPE]) for inclusion in the information collection plan.
  • Continual and timely adjustment of the running estimate as the situation changes.
  • Information and intelligence that support the development of the commander’s decision points or actions (lines of operations or lines of effort).

3-38. The most useful product for developing requirements is the event template. A technique to better understand how the threat conducts operations is to use threat models to graphically depict their anticipated actions and related decisions.

The threat model is used to create an event template. The event template depicts the threat’s actions on a timeline showing the steps through which threat activities advance while preparing to execute a task and mission. This graphic provides the staff with ways to create requirements for collection and to possibly interdict threat operations. (See figures 7-2 on page 7-4, 7-5 on page 7-8, and 7-8 on page 7-12 for examples of event templates.)

3-39. Once developed, the event template is a key product in developing the information collection plan. Likely threat locations, avenues of approach, infiltration routes, support areas, and areas of activity become NAIs or TAIs on which information collection assets and resources focus their collection efforts.

3-40. During operations against irregular or hybrid threats, the event template must be modified to address more than the predicted threat activity. For example—

  • Within the AO, Army forces interact with additional organizations and the local population on a daily basis.
  • In addition to the tasks performed by Army units, multinational units, and the host-nation military in the AO, the commander and staff must be aware of events occurring within the area of interest.

3-41. If the commander and staff choose to expand the event template, they require input from outside of the staff. The activities of interagency partners should be considered whenever possible. The commander and staff determine the activities to depict. Activities may include—

  • Religious events.
  • Government meetings.
  • Reconstruction projects.
  • Openings of government facilities, markets, schools, and clinics.
  • Medical clinic activity (immunizations).
  • Transportation improvements (work on roads).

 

Chapter 4
Developing Planning Requirements Tools

ROLE OF PLANNING REQUIREMENTS TOOLS

4-1. The planning requirements tools developed by the intelligence staff begin the process of synchronizing the information collection plan with the concept of operations and are updated as the concept of operations changes. The tools are used by the operations staff (in close collaboration with the intelligence staff) to develop the information collection plan. Developing requirements tools includes evaluating resources, developing a collection strategy, and developing supporting tools.

 

EVALUATE RESOURCES

4-2. While reviewing collection assets during the MDMP, the staff also performs an evaluation of the collection assets using the following criteria: availability, capability, sustainability, and vulnerability.

AVAILABILITY

Corps and divisions allocate support from the apportioned assets to brigade combat teams (BCTs) and below. (See appendix B.) Staff members must understand the system of apportionment and allocation. They determine what joint assets are available by—

  • Conducting collaboration and coordination early in the planning process.
  • Analyzing the higher headquarters order and reviewing the various scheduling or tracking mechanisms.

 

CAPABILITY

4-4. The staff must know and consider practical capabilities and limitations of all unit organic assets. Capabilities include the following:

  • Range. Range deals with the collector’s ability to provide target coverage. When considering an asset’s range, it is important to consider mission range (duration and distance) and how close the collection asset must be to the target to collect against it. Additionally, intelligence staffs consider communication requirements from the asset to the command post. The staff determines—
    • Ability to maneuver, including travel and support times.
    • Transit and dwell times, if the best asset is an unmanned aircraft system (UAS).
  • Day and night effectiveness. Staffs consider factors such as available optics and any effects of thermal crossover.
  • Technical characteristics. Each asset has time factors (such as set-up and tear-down times) for task accomplishment that must be considered. Other technical characteristics include the following:
    • Whether the sensor can see through fog or smoke.
    • The effects of the environment on the collection asset (including factors such as urban or rural terrain and soil composition).
    • Whether the asset can continue despite electronic attack.
  • Reporting timeliness. Each asset is assigned an earliest time and a latest time information reporting is of value to the information collection plan, based on—
    • The established reporting criteria for each collection asset.
    • How long it takes to disseminate collected information to each requester.
  • Geolocation accuracy. Accuracy implies reliability and precision. The asset must be capable of locating a target accurately enough to engage it with precision-guided munitions.
  • Durability includes such factors as—
    • Whether the aircraft can launch in high winds or limited visibility.
    • Whether the prime mover can cross restricted terrain.
  • Threat activity. The staff considers whether the collection asset can detect the expected threat activity.
  • Performance history. Experienced staff officers know which information collection assets have been reliable in meeting different information requirements. Readiness rates, responsiveness, and accuracy over time may raise one collector’s reliability factor.
  • PED enablers. The staff considers whether the unit has the PED enablers required to support more flexible and responsive intelligence operations. (See ADRP 2-0.)

DEVELOP A COLLECTION STRATEGY

4-7. After thorough evaluation of availability, capability, sustainability, and vulnerability of collection assets, the operations and intelligence staffs develop a collection strategy. Although the strategy adopted will vary based on the mission and the information requirements to be satisfied, tasking organic assets should be considered first. The advantage to this is that the commander has the most control over these assets and they are generally more responsive than other supporting assets. If organic assets cannot satisfy a requirement, the staff may need to submit a request for support (collection) or request for information to higher or lateral headquarters. Layering collection assets is accomplished through cue, redundancy, and mix.

SUBMIT REQUESTS FOR SUPPORT (COLLECTION)

4-8. Information requirements generated during planning often require external resources to answer. When needed, requests for support (collection) from higher headquarters—such as for joint force, combatant command, or national assets—should be prepared and submitted through appropriate channels. Although external collection resources may be more capable than organic assets, those external assets may already be tasked against other information requirements, resulting in the requester’s requirements going unmet. Various tasking documents levy information on collection resources. Some tasking mechanisms are joint force- or intelligence system-unique. Various manuals specify procedures and formats for requesting support from national systems or agencies.

MATCH RESOURCES TO INDICATORS

4-13. After evaluating available assets, the operations and intelligence staffs match these assets to SIRs. Each requirement is associated with its corresponding decision points and timelines. Starting at the point in time the commander requires intelligence to make a decision, the intelligence staff reverse-plans to account for dissemination, analysis, processing, collection, and tasking time. An effective tool used to link and synchronize the collection strategy with the expected flow of the operation is the information collection synchronization matrix. As part of matching assets to SIRs, the staff also considers cueing, redundancy, and mix.

Cueing

4-14. Cueing involves the use of one or more information collection assets to provide data that directs collection by other assets. For example, sweeping the AO electronically with a surveillance system can reveal activity that triggers direct collection by a more accurate sensor system. Cueing maximizes the efficient use of limited collection assets in support of multiple, often competing, information collection priorities. An effective strategy includes plans to create opportunities for cued collection.

4-15. For example: A BCT may plan to use a human intelligence (HUMINT) source 24 hours prior to a UAS launch to confirm or deny activity along a key corridor. If the source reports the absence of activity, the UAS may be redirected to another mission or used to confirm the absence of activity, depending on the relative priority of requirements. If the HUMINT source reports significant activity earlier than anticipated, the UAS mission may be accelerated to collect supporting details or retasked to another collection mission.

Redundancy

4-16. Redundancy planning as part of collection strategy development involves the use of several same-discipline (or same-capability) assets to cover the same target. Redundant tasking is appropriate against high-payoff targets when the probability of success by any one system is low. For example, if several signals intelligence (SIGINT) collectors target a designated emitter at different times, the probability of intercept improves, even if the emitter operates intermittently. Using redundant collection assets also improves the chance of accurate geolocation.

Mix

4-17. Mix means planning for complementary coverage by a combination of assets from multiple intelligence disciplines. Sensor mix increases the probability of collection and reduces the risk of successful enemy deception. It also can facilitate cueing and provides more complete reporting. For example, if scouts report activity within a known assembly area, SIGINT intercept of the associated logistic net might provide unit identity, subordination, and indications of future activity.

DEVELOP SPECIFIC INFORMATION REQUIREMENTS

4-18. The intelligence staff develops SIRs for each PIR based on its group, the indicators, and related information requirements. (See paragraphs 3-27 through 3-28.) Developing SIRs requires the collection manager to be knowledgeable of the following:

  • Capabilities of the available collection assets.
  • Specificity of the information they provide.
  • Time it takes to collect and report the information in relation to the specificity and timeliness requirements the commander and staff articulated with the LTIOV.

4-19. SIRs help the intelligence staff determine the right combinations of collection assets to provide the timely, specific, and relevant information required. SIRs also ensure that information collection taskings correlate with the PIRs and priorities for information collection. In addition, SIRs allow collection assets to work in combinations timed to achieve efficient results and reduce the possibility of being fooled by threat denial and deception efforts.

4-20. SIRs are developed for each information collection asset based on the capabilities of the asset and the expected threat activity. SIRs provide specific information about specific threat activity (or lack thereof) at specific locations. SIRs help collection assets provide information specific and timely enough to make a difference in answering the PIRs.

DEVELOP SUPPORTING TOOLS

4-21. The supporting tools are developed by the intelligence staff to help the operations staff develop the information collection plan. Both staffs work closely together to ensure the collection plan is synchronized with the concept of operations and updated as the concept of operations changes. Chapter 7 contains sample information collection matrices and information collection overlays for offensive, defensive, and stability missions. Supporting tools are—

  • The information collection matrix.
  • The information collection synchronization matrix.
  • The information collection overlay.

INFORMATION COLLECTION MATRIX

4-22. The information collection matrix links PIRs with indicators, SIRs, NAIs, and TAIs. Constructed in a spreadsheet format and including individual work sheets as required, the matrix provides detailed collection and reporting requirements. The information collection matrix is not a tasking document. Although not published as part of the order, the matrix is a key tool used by both the intelligence staff and the operations staff in executing the information collection plan. It is maintained on the unit Web page and assists the intelligence staff in synchronizing internal information collection activities across echelons.

4-23. To create the information collection matrix, the intelligence staff requires several outputs from the MDMP. Initial and subsequent refinements to the following are required to complete the requirements matrix:

  • Concept of operations. The concept of operations is a statement that directs the manner in which subordinate units cooperate to accomplish the mission and establishes the sequence of actions the force uses to achieve the end state (ADRP 5-0).
  • Commander’s guidance for information collection. The concept of operations, coupled with the commander’s guidance for information collection, provides the intelligence staff with how the commander intends to use information collection to support the concept of operations.
  • Commander’s critical information requirements. CCIRs, mainly PIRs, are those requirements for which the information collection plan provides timely answers.
  • Initial task organization. The initial task organization depicts assets available that the intelligence staff may consider requesting for tasking by the operations staff.
  • Apportionment, allocation, and distribution of Army and joint aerial assets.
    • Apportionment. The joint force commander determines the apportionment of aerial assets. Apportionment, in the general sense, is distribution of forces and capabilities as the starting point for planning, etc. (JP 5-0). Specific apportionments (such as, air sorties and forces) are described as apportionment of air sorties and forces for planning. (See JP 5-0.) Apportionment (air) is determination and assignment of the total expected effort by percentage and/or by priority that should be devoted to various air operations for a given period of time. (See JP 5-0.)
    • Allocation. The joint force air component commander takes that apportionment and turns it into sorties to support priority ground forces in accordance with the joint force commander’s intent. This process is called allocation, which is the distribution of limited forces and resources for employment among competing requirements (JP 5-0). Allocation (air) is the translation of the air apportionment decision into total numbers of sorties by aircraft type available for each operation or task. Thus, a corps or division is allocated joint ISR sorties.
    • Distribution. When the corps or division sends its allocated sorties to subordinate units, normally via the air support operations center or a tactical air control party, this process is called distribution. The distribution of joint assets provides additional information collection capabilities for inclusion into the information collection plan.

 

INFORMATION COLLECTION SYNCHRONIZATION MATRIX

4-24. The intelligence staff uses the information collection synchronization matrix to synchronize information collection tasks with the current threat assessment and friendly concept of operations. This product and process can synchronize and communicate information collection tasks horizontally and vertically across commands. However, it does not provide the detail needed to perform control of information collection assets through technical channels.

4-25. Figure 4-2 on pages 4-8 and 4-9 displays an example of an information collection synchronization matrix. The intelligence staff uses this matrix to accomplish the following:

  • Ensure collection tasks are tied to the concept of operations in time and space, effectively linking information collection to it. The matrix is typically constructed in spreadsheet format and accompanied by an information collection overlay that graphically depicts the information the matrix contains.
  • Synchronize information collection tasks the same way the operations staff uses the maneuver synchronization matrix to synchronize the overall unit scheme of maneuver.
  • When necessary, brief the information collection plan and overlay to specific information collection assets. (This usually is done during operations predominated by stability tasks.)

4-26. Intelligence staffs develop and modify the matrix based on the current intelligence running estimate, enemy situation overlay, stated requirements, and event template or matrix. The matrix generally has five parts:

  • Threat timeline.
  • Friendly timeline.
  • Information collection focus.
  • Collection assets.
  • Coverage timeline.

4-27. The information collection synchronization matrix coordinates the collection strategy with the planned friendly and predicted threat operations. The matrix depicts the NAIs from the event template and reflects timelines of expected threat activity from the event template and matrix. The matrix also provides the basic structure for completion of the information collection plan and is tied to a decision or decision points for the impending operation.

INFORMATION COLLECTION OVERLAY

4-28. The operations staff issues an information collection overlay depicting the information collection plan in graphic form as an appendix to annex L (Information Collection) to the operation order. (See figure 7-3 on page 7-5 and figure 7-6 on page 7-9.) Typical items on the overlay include—

  • Friendly boundaries and phase lines.
  • Reconnaissance handover lines.
  • NAIs and TAIs.
  • Limits of advance and limits of reconnaissance. (Limits of reconnaissance are constraints derived from higher headquarters orders that may designate a limit of advance affecting reconnaissance units. See FM 3-55.)
  • Counter reconnaissance areas.
  • Fire support coordination measures.
  • Graphics depicting zone, area, or route reconnaissance missions.
  • Route start points, release points, infiltration lanes, and checkpoints.
  • Primary and alternate observation post locations.
  • Ambulance exchange points and logistic release points.
  • Planned or existing obstacles.
  • Scan sectors for sensors.
  • UAS flight paths.
  • Retransmission locations.

 

PLANNING REQUIREMENTS BRIEFING TOOL

4-29. Many units create a graphic version of the planning requirements function for briefing purposes. The planning requirements briefing tool combines the information collection synchronization matrix, information collection overlay, and PIRs into one product.

WORKING AIDS FOR CREATING TOOLS

4-30. The intelligence staff uses several working aids that assist in creating planning requirements tools. Normally developed and refined during the MDMP, these working aids are not contained within the requirements planning tools or information collection plan.

NAMED AREA OF INTEREST MATRIX

4-31. The NAI matrix is used to synchronize information collection missions with NAIs or TAIs. The purpose of the NAI matrix is to ensure information collection assets are tasked to cover critical NAIs and TAIs during anticipated times of activity. (See figure 4-4 on page 4-12.)

NAMED AREA OF INTEREST WORK SHEET

4-32. For each NAI, the operations and intelligence staffs develop observation times and a task, a purpose, and SIRs for assets conducting information collection missions involving it. This information may be consolidated on an NAI work sheet. (See figure 4-5 on page 4-13.) It is crucial to focus the task on a clearly defined and achievable purpose.

NAMED AREA OF INTEREST OVERLAY

4-33. An NAI overlay visually depicts NAI locations. (See figure 4-6 on page 4-14.) The NAI overlay may also contain the task and purpose (what and why) of the NAI.

Chapter 5

Assessing Collection

5-1. Assessment is determination of the progress toward accomplishing a task, creating a condition, or achieving an objective (JP 3-0). Commanders, assisted by their staffs and subordinate commanders, continuously assess the operational environment, the progress of the operation, and the information collected by the assets executing the information collection plan. Based on their assessment, commanders direct adjustments to the information collection plan, thus ensuring the plan remains focused on providing information and intelligence products to assist in decisionmaking. Assessing collection involves assessing the information collection plan and assessing tactical task execution.

ASSESSING THE INFORMATION COLLECTION PLAN

5-2. The commander and staff continuously evaluate the information collection plan based on the assessment of results from reconnaissance missions, surveillance tasks, intelligence operations, and security operations. Collection assessment is particularly important during execution because situations change rapidly. Evaluation identifies updates required to keep the information collection plan synchronized with the overall operation. Together, commanders and staffs determine if CCIRs have been satisfied or are still relevant:

  • If CCIRs have been satisfied or are no longer relevant, they are eliminated from the information collection plan.
  • If CCIRs have not been satisfied but are still relevant, the intelligence staff coordinates with the operations staff during operations and intelligence working group meetings for additional assets and/or recommends adjustments to the current coverage.

5-3. The operations staff is deeply involved in assessing the operation as a whole and looks to the operations and intelligence working group’s assessment of the information collection effort to assist in that assessment. Assessment is one of the working group’s continuing activities to support directing and collecting. (See FM 3-55.) It is particularly important in enabling the evaluation of the information collection plan.

ASSESSING TACTICAL TASK EXECUTION

5-4. The staff performs the following steps when assessing the execution of tactical tasks:

  • Monitor the tactical situation.
  • Screen reporting to ensure the completion of tasks.
  • Correlate reporting to requirements.
  • Provide feedback to assets.
  • Maintain synchronization with operations.
  • Cue assets to other collection opportunities.
  • Recommend retasking of assets.

MONITOR THE TACTICAL SITUATION

5-5. Staffs track the progress of the operation against requirements and the information collection plan. The operation seldom progresses on the timelines assumed during planning and staff wargaming. The staff watches for changes in tempo that require changes in reporting times, such as LTIOVs. The intelligence and operations staffs coordinate any changes with all parties concerned, including commanders and appropriate staff elements.

SCREEN REPORTING TO ENSURE THE COMPLETION OF TASKS

5-6. The staff screens reporting to determine whether each collection task has been satisfied and screens each report for the following criteria:

  • Relevance. Does the collected information actually answer the requirements associated with the information collection task? If not, can this information be used to satisfy other requirements?
  • Completeness. Is essential information missing? (Refer to the original information collection task.)
  • Timeliness. Has the asset reported by the LTIOV established in the original task?
  • Opportunities for cueing. Can this asset or another asset take advantage of new information to increase the effectiveness and efficiency of the overall information collection effort? If the report suggests an opportunity to cue other assets, the intelligence and operations staffs immediately cue them and record any new requirements in the appropriate planning requirements tool.

CORRELATE REPORTING TO REQUIREMENTS

5-7. The staff tracks which specific information collection task originates from which requirement to ensure the collected information is provided to the original requester and to all who need the information. For efficiency and timeliness, the staff ensures production tasks are linked to requirements. This allows the staff to determine which requirements have been satisfied and which require additional collection.

5-8.  The staff addresses the following potential challenges:

  • Large volumes of information that could inundate the intelligence analysis staff element. The intelligence staff may have trouble correlating each report to a requirement.
  • Routing information from reports that have nothing to do with the collection task to tasks the information might satisfy.
  • Reports that do not refer to the task that drove the collection mission.
  • Circular reporting or unnecessary message traffic that wastes valuable time.

5-9. Correlating information reporting to the original requirement and evaluating reports is key to effective requirements management. This quality control effort helps the staff ensure timely satisfaction of requirements. Requirements management includes dissemination of reporting and related information to original requesters and other users.

PROVIDE FEEDBACK TO ASSETS

5-10. The staff provides feedback to all collection assets on their mission effectiveness and to analysis elements on their production. Normally this feedback is given to the military intelligence leader or commander of the asset or staff element. Feedback reinforces whether collection or production satisfies the original task or request and provides guidance if it does not. Feedback is essential to maintaining information collection effectiveness and alerting leaders of deficiencies to be corrected.

5-11. Running estimates are important tools for assessing the information collection plan. They inform the staff of the status of collection on the CCIRs. Running estimates are even more effective when compared with previous estimates that refer to the same time period. This rates the accuracy and relevancy of the prediction to what actually occurred.

MAINTAIN SYNCHRONIZATION WITH OPERATIONS

5-12. As execution progresses, the staff refines the estimate of when information is needed (the LTIOV, based on the decision point timeline in the order) with when the information is actually required. The staff stays alert to the need for recommending changes in the information collection plan because of these refinements. As the need for changes arises, the intelligence staff coordinates with the appropriate command post cells and staff elements to update products as required to refine the information collection plan. This may be as simple as updating timelines, or it may require that these products be completely redone. Sometimes it may require retasking information collection assets.

CUE ASSETS TO OTHER COLLECTION OPPORTUNITIES

5-13. The intelligence and operations staffs track the status of information collection assets, cueing them as necessary and teaming assets as appropriate. Cueing allows assets to take advantage of new information to increase the effectiveness and efficiency of their collection. For example, if a Soldier reports hearing tracked vehicles but cannot observe the vehicles due to the terrain, a UAS can be cued to observe the area for the presence of tracked vehicles.

RECOMMEND RETASKING OF ASSETS

5-14.  Retasking is assigning an information collection asset a new task and purpose. It is done—

  • Upon completion of its initial requirement.
  • After the LTIOV, if the original requirement has not been satisfied and the LTIOV cannot be adjusted.
  • On order to support a branch or sequel.
  • To respond to variances in the situation. (See ADRP 5-0.)

5-15.  The operations staff issues orders to retask assets, normally in consultation with the intelligence staff for assets controlled by the unit. In cases where the intelligence staff is coordinating with higher headquarters for additional assets, the intelligence staff may transmit the request for retasking resources, but the operations staff typically follows up through operations channels to the higher headquarters.

 

Chapter 6
Updating Planning Requirements Tools

STAFF ACTIONS DURING EXECUTION

6-1. Evaluation and assessment of collection reporting, production, and dissemination together identify updates required to keep information collection activities synchronized with the overall operation. As the tactical situation changes, the staff adjusts the planning requirements tools to effect this synchronization. This optimizes the collection and exploitation effort.

6-2. Determining satisfied requirements allows the staff to redirect assets to unfulfilled requirements. Whether modifying reporting requirements because of new reporting criteria, new or modified PIRs, loss of an asset, or changes in the mission, the staff recommends modifications to the information collection plan to fit the commander’s needs. During modification of the information collection plan, the following considerations should be addressed:

  • What assets need to be shifted?
  • What is the new collection requirement?
  • What is the target location?
  • Must the asset move to a new location?
  • What is the risk of moving the asset? Is the risk worth the potential gain of information?
  • Does the collector functionally match the collection requirement based on the collector’s capabilities?
  • What and when does the collector report?
  • How does the collector report?
  • To whom does the collector report?

6-3. Updated IPB products and running estimates can be used as a baseline for refocusing the information collection effort. Information collection assets are retasked as appropriate for subsequent missions. Requirements are constantly updated to ensure information collection efforts are synchronized with current operations while also supporting future operations planning. As requirements are answered, the information collection plan and planning requirements tools are updated.

6-4. After receiving input from the commander and staff, the intelligence staff synchronizes new requirements with ongoing information collection activities and recommends adjustments to the information collection plan to the operations staff. The following steps are performed when updating planning requirements tools:

  • Eliminate satisfied requirements.
  • Develop and add new requirements.
  • Transition to the next operation.

6-5. These steps are collaborative efforts by the intelligence and operations staffs. Some steps predominately engage the intelligence staff while others engage the operations staff. Steps may require coordination with other staff elements, and the entire intelligence and operations working group may be engaged, at times.

 

PART THREE

Considerations for Specific Tasks and Unique Environments

Chapter 7

Considerations for Offensive, Defensive, and Stability Tasks

SUCCESS AND DECISIONMAKING DURING EXECUTION

7-1. The techniques associated with information collection do not drastically differ whether conducting offensive, defensive, or stability tasks. The difference lies in the tempo at which offensive and defensive tasks are conducted versus the tempo at which stability tasks are conducted. In operations where offensive and defensive tasks predominate, the activities of the operations process and commander’s decisionmaking are accelerated to match the quickly changing conditions.

7-2. Commanders and staffs follow the rapid decisionmaking and synchronization process to make decisions during execution. It is routinely employed when the MDMP is not timely enough for mission execution. This technique is used by leaders to focus on executing rather than planning. The rapid decisionmaking and synchronization process is based on an existing order and seeks an acceptable solution, while the MDMP seeks an optimal solution. (See FM 6-0.)

7-3. Success in stability tasks is measured in far different terms from success in the offense and defense. Time may be the ultimate arbiter of a stability mission’s success: time to bring safety and security to an embattled populace; time to provide for the essential, immediate humanitarian needs of the people; time to restore basic public order and a semblance of normalcy to life; and time to rebuild the institutions of government and market economy that provide the foundations for enduring peace and stability.

ECHELONED APPROACH AND INTELLIGENCE HANDOVER LINES

7-4. In the offense or defense, the commander attacks or defends in depth. Information collection adopts this principle by using a phased, echeloned approach to collecting information to satisfy requirements. Each echelon conducting information collection plays a critical role in the success of any military operation. There are interdependencies at each echelon for the horizontal and vertical integration of collected information and the resulting intelligence, sensor feeds, and reporting in support to commanders and staffs. Interdependent relationships exist from the lowest tactical echelon to the highest strategic-level agencies and centers; no one echelon can do it all. Commanders require intelligence operations to provide information that is timely, accurate, relevant, and in sufficient detail to enable situational understanding and effective decisionmaking.

7-5. In the offense and defense, units should use an intelligence handover line to effect the echeloned approach. The intelligence handover line is a control measure that establishes areas within which each echelon is responsible for collecting information. It is much like a limit of reconnaissance and based on the unit’s AO.

 

 

OFFENSIVE TASK CONSIDERATIONS

7-9. An offensive task is a task conducted to defeat or destroy enemy forces and seize terrain, resources, and population centers (ADRP 3-0). The purpose of the offense is to impose the commander’s will on the enemy. Figures 7-2 on page 7-4, 7-3 on page 7-5, and 7-4 on page 7-7 depict samples of an event template, an information collection overlay, and part of an information collection matrix associated with an offensive task. Conducting offensive tasks may—

  • Deprive the threat of resources.
  • Seize decisive terrain.
  • Deceive or divert the threat.
  • Develop intelligence.
  • Fix a threat in position.

7-10. Offensive tasks are either force-oriented or terrain-oriented. Force-oriented tasks focus on the threat. Terrain-oriented tasks focus on seizing and retaining control of the terrain and facilities. A commander’s information requirements for offensive tasks commonly include—

  • Locations, composition, equipment, strengths, and weaknesses of the defending enemy force, including high-payoff targets and enemy information collection capabilities.
  • Locations of possible enemy assembly areas.
  • Locations of enemy indirect-fire weapons systems and units.
  • Locations of gaps and assailable flanks.
  • Locations of landing zones for friendly and enemy air assaults.
  • Locations of enemy air defense gun and missile systems.
  • Locations of enemy electronic warfare systems.
  • Effects of weather and terrain on current and projected operations.
  • Numbers, routes, and direction of movement of dislocated civilians.
  • Withdrawal routes for enemy forces.
  • Anticipated timelines for the enemy’s most likely course of action and other probable courses of action.
  • Locations of enemy command posts, fire direction control centers, electronic warfare sites, and target acquisition sensor and target fusion sites and the frequencies they are using.

7-12. Figure 7-4 shows a sample information collection matrix for a PIR associated with an offensive task. Information collection matrices for all decisive action tasks display information as follows:

  • Column 1 states the PIR. Units may determine that the best way to manage the requirements matrix is for each sheet to contain one PIR. This technique provides a single page containing the collection strategy for each PIR.
  • Column 2 contains indicators associated with the PIR. (See paragraphs 3-29 through 3-31.)
  • Column 3 contains SIRs associated with each indicator. Each requirement, coupled with the collection strategy, should contain all information needed by the intelligence staff to develop supporting SIRs. As the intelligence staff develops SIRs, the staff should coordinate the BCT, division, and corps intelligence and operations staffs, including supporting analysts, to gain an understanding of the specifics required to support planning. One technique is for intelligence staffs to develop SIR sets while operations staffs develop the collection strategy for each requirement and the general scheme of maneuver. (See paragraphs 3-29 through 3-31.)
  • Column 4 contains the NAIs or TAIs associated with each SIR. NAIs and TAIs each have an associated task and purpose statement explaining what is to be conducted by the observer and why it is essential for accomplishment. The staff may develop several types of NAIs based on the situation in the AO and the types of activity for observation. When conducting a counterinsurgency, the following types of NAIs may be appropriate:
    • Counter-improvised explosive device NAIs—NAIs at tier-1 locations where improvised explosive device emplacement typically occurs.
    • Support zones—NAIs (Named Areas of Interest) at locations where insurgent groups have unlimited freedom of movement and where caches, safe houses, and other supplies are located.
    • High-value individual NAIs—NAIs at targeted high-value individuals’ pattern of life locations.
    • Infrastructure—NAIs at key infrastructure locations.
  • Column 5 contains the starting time and ending time for collection. These times are based on the LTIOV and the capabilities and limitations of available information collection assets. Additionally, the time required to process and exploit the collected information (for example, translation of SIGINT intercepts, exploitation of imagery, drafting of HUMINT reports) is considered when developing the collection end time. The LTIOV is the absolute latest time the information can be used by the commander in making the decision the PIR supports. The LTIOV can be linked to time, an event, or a point in the operation.
  • Remaining columns contain organic resources available for the intelligence staff to recommend for tasking by the operations staff. Also included are requested collection resources whose support has been confirmed by higher headquarters.

STABILITY TASK CONSIDERATIONS

7-16. Stability is an overarching term encompassing various military missions, tasks, and activities conducted outside the United States in coordination with other instruments of national power to maintain or reestablish a safe and secure environment, provide essential government services, emergency infrastructure reconstruction, and humanitarian relief. (See JP 3-0.) Stability tasks address societal factors that may affect accomplishing a mission. In operations where these tasks predominate, these tasks are often key, if not essential, tasks. One example is when Army forces conduct stability tasks to support a host-nation or an interim government or as part of a transitional military authority when no government exists. Another is a mission where stability tasks help to establish or maintain a safe and secure environment by training or resourcing the host-nation security forces and facilitating reconciliation among local or regional adversaries. Figures 7-8 on page 7-12, 7-9 on page 7-13, and 7-10 on page 7-14 show a sample event template, information collection overlay, and information collection matrix associated with a stability task.

7-17. Information needed to accomplish stability tasks usually falls under the civil considerations mission variable. However, the wide variety of societies and cultures Army forces may encounter precludes establishing a single checklist of factors to consider. That said, the following list provides a starting point for organizing this information into categories:

  • Culture and customs.
  • Threats and adversaries, such as criminals and insurgents.
  • Formal and informal leaders.
  • How people communicate.
  • Civil services.
  • Other aspects of a society.

7-18. The information collection effort provides information the entire staff uses to provide products and assessments to support situational understanding. For each stability mission, information collection is focused to provide the relevant information the commander and staff require to make decisions. The following is a basic (but not all-inclusive) description of what the information collection effort does to support conducting stability tasks:

  • Identify insurgents, threats, adversaries, and other impediments to the unit’s accomplishment of its mission.
  • Identify the natural or manmade hazards that exist within the unit’s AO.
  • Provide the foundational information needed to assess the establishment of a safe and secure environment.
  • Identify areas of conflict among social, religious, or ethnic groups within the AO. This must be done by city to be most effective.
  • Identify the areas of conflict among local, regional, and national organizations, groups, and factions, and how these are tied to political, social, and economic unrest.
  • Identify unofficial, religious, and political leaders locally, regionally, and nationally.
  • Provide the information needed to assess the effectiveness of civil-military operations projects.
  • Identify the newspaper, radio, and television services that service populations within the AO, including their ranges and any specific ethnic, religious, or political affiliation.
  • Provide the information needed to assess the establishment or rebuilding of political, legal, social, and economic institutions.
  • Provide the information needed to assess the ability of the legitimate civil authority to assume responsibility for governance.

Constant awareness and shared understanding of civil considerations are crucial to the long-term success of stability tasks. The intelligence staff classifies civil considerations into logical groups (such as tribal, political, religious, ethnic, and government) based on the mission and situation. This information is refined further by the information collected during collection activities. These groups are evaluated, graphically portrayed, maintained, and updated. Because the populace is rarely homogeneous, sentiments exhibited by different population segments may vary in different geographical areas.

Commanders typically visualize stability tasks along lines of effort. A line of effort is a line that links multiple tasks using the logic of purpose rather than geographical reference to focus efforts toward establishing operational and strategic conditions (ADRP 3-0). For stability tasks, commanders may consider linking primary stability tasks to their corresponding line of effort.

DEFENSE SUPPORT OF CIVIL AUTHORITIES TASK CONSIDERATIONS

7-19. Army defense support of civil authorities operations encompass all support provided by the components of the Army to civil authorities within the United States and its possessions and territories. This includes support provided by the Regular Army, Army Reserve, and Army National Guard. Army forces frequently conduct defense support of civil authorities operations in response to requests from federal, state, local, and tribal authorities for domestic incidents, emergencies, disasters, designated law enforcement support, and other domestic activities. (See ADRP 3-28.)

7-20. When Army intelligence personnel, assets, or capabilities are needed to provide intelligence support to defense support of civil authorities operations, specific authorization from the Secretary of Defense is required for both the mission and use of those military intelligence resources. The Secretary of Defense authorization will stipulate that a military intelligence element supporting defense support of civil authorities operations is subject to Executive Order 12333, applicable Department of Defense and Service regulations and policies, and intelligence oversight rules, as well as any other mission-specific restrictions.

Chapter 8
Considerations for Unique Environments

SIGNIFICANCE OF ENVIRONMENTAL FACTORS

8-1. The geographic range of U.S. interests in the world today requires Army forces to be prepared to fight and win in all types of environments. Army tactical units may be committed to battle in areas where severe weather, climate, and terrain affect military operations, including the intelligence mission. In addition to the physical effects on the individual Soldier, environmental extremes limit information collection capabilities. Regardless of environmental conditions, commanders need information for decisionmaking. This chapter covers environments in which operations may require special tactics, techniques, or equipment.

SUPPORT IN URBAN ENVIRONMENTS

8-2. Urban operations are military operations conducted in a topographical complex and adjacent natural terrain where manmade construction and high population density are the dominant features.

INFORMATION SOURCES IN URBAN ENVIRONMENTS

8-3. As in any environment, every Soldier in an urban environment is an information collector. Soldiers conducting patrols, manning observation posts, manning checkpoints, or even convoying supplies along a main supply route can serve as the commander’s eyes and ears. The challenge for intelligence professionals is to understand what types of information Soldiers performing different tasks and missions can provide to an understanding of the overall situation, how to get them to report, and how to leverage that information into situational understanding.

8-4. This discussion briefly addresses some of the types of information Soldiers with different specialties can provide to the intelligence staff during urban operations. It is essential to properly brief Soldiers so they are aware of their information collection tasks prior to their missions and to debrief them immediately upon completion of their missions. Prompt debriefing captures information while it is still current in their minds. It also places the information into the intelligence system sooner, increasing the likelihood that it can be used for further action. Some examples of debriefing techniques are listed in FM 2-91.6. This cycle (brief-mission-debrief-intelligence/understanding of the current situation) is continuous throughout operations.

INTELLIGENCE OPERATIONS IN URBAN ENVIRONMENTS

8-6. The fluid nature of the urban environment creates a need for reliable and timely intelligence. Information needed to develop this intelligence is difficult to acquire. The effects of concentrations of buildings on information collection efforts, the complexity and difficulty of providing specific details on the urban threat, and the lack of cultural information can compound the challenges to the collection of information in an urban environment.

8-7. With knowledge of U.S. collection techniques, threats can use the environment to impede information collection efforts. The amount of detail that needs to be collected in the urban environment and constant attention to focusing on the details that are significant in urban analysis in a particular situation creates further challenges for intelligence professionals. Current analysis tools and methods must be appropriately focused and developed to the level of detail required for the urban environment.

Table 8-3. Considerations for intelligence operations in an urban environment

Open-source intelligence

  • Academia. Courseware, dissertations, lectures, presentations, research papers, and studies in both hardcopy and softcopy on economics, geography (physical, cultural, and political-military), international relations, regional security, science, and technology.
  • Governmental, intergovernmental, and nongovernmental organizations. Databases, posted information, and printed reports on a wide variety of economic, environmental, geographic, humanitarian, security, science, and technology issues.
  • Commercial and public information services. Broadcasted, posted, and printed news on current international, regional, and local topics.
  • Libraries and research centers. Printed documents and digital databases on a range of topics, as well as knowledge and skills in information retrieval.
  • Individuals and groups. Handwritten, painted, posted, printed, and broadcasted information (for example, art, graffiti, leaflets, posters, and Web sites).
  • The Internet offers quick access to numerous types of information on urban environments, such as Intelink.

Cyber-enabled intelligence is a complementary intelligence capability providing the ability to collect information and produce unique intelligence. Cyber-enabled intelligence is produced through the combination of intelligence analysis and the collaboration of information concerning activity in cyberspace and the electromagnetic spectrum. The use of cyber-enabled intelligence facilitates an understanding of the threat’s—

  • Potential actions.
  • Impact on the environment.

Appendix A
Joint, National, and Multinational Planning

JOINT INTELLIGENCE OPERATIONS

A-1. Joint intelligence supports joint operations by providing critical information and finished intelligence products to the combatant command, subordinate Service and functional component commands, and subordinate joint forces. Commanders at all levels depend on timely, accurate information and intelligence on a number of an adversary’s dispositions: among them, strategy, tactics, intent, objectives, strengths, weaknesses, values, capabilities, and critical vulnerabilities. Joint intelligence must focus on the commander’s mission and concept of operations.

A-2. An understanding of joint ISR is required to understand the relationship of Army intelligence operations and information collection to joint ISR.

JOINT INTELLIGENCE PROCESS

A-4. Joint doctrine defines intelligence operations differently from Army doctrine. Joint doctrine defines intelligence operations as the variety of intelligence and counterintelligence tasks that are carried out by various intelligence organizations and activities within the intelligence process (JP 2-0). The joint intelligence process describes how the various types of joint intelligence operations interact to meet the commander’s intelligence needs. The process includes the following intelligence operations:

  • Planning and direction.
  • Processing and exploitation.
  • Analysis and production.
  • Dissemination and integration.
  • Evaluation and feedback.

JOINT TERMINOLOGY

A-5. Service-specific and joint terms describing management of information collection may differ, based on the respective Service. In joint intelligence doctrine, collection management is the process of converting intelligence requirements into collection requirements, establishing priorities, tasking or coordinating with appropriate collection sources or agencies, monitoring results, and retasking as required (JP 2-0). In the joint lexicon, collection management has two distinct functions: collection requirements management and collection operations management.

A-6.  Collection requirements management—

    • Defines what intelligence systems must collect.
    • Focuses on the requirements of the customer.
    • Is all-source- (all-intelligence-discipline-) oriented and advocates (provides and supports) what information is necessary for collection.

A-7.  Collection operations management—

    • Specifies how to satisfy the requirement.
    • Focuses on the selection of specific intelligence disciplines and specific systems within a discipline to collect information addressing customers’ requirements.
    • Is conducted by organizations to determine which collection assets can best satisfy customers’ product requests.

A-8.  Collection requirements management and collection operations management are performed at all joint levels. Each level interacts with levels above and below, as well as among units, agencies, and organizations on the same level. The further up the chain of command, the broader the perspective and scope of responsibility; the lower the chain of command, the more specific the function and narrower the scope. Organizations possessing collection assets or resources perform collection operations management.

A-9. Tasking, processing, exploitation, and dissemination (also called TPED) is the joint expression used to describe associated activities that support a joint task force commander’s collection strategy and subsequent ISR operations. Similarly, Army intelligence officers consider the analysis, production, and dissemination effort as part of planning requirements and assessing collection. Much of tasking, processing, exploitation, and dissemination occurs outside the theater of operations via reachback (what the Army calls intelligence reach) and is distributed through the intelligence architecture so requirements do not overwhelm in-theater assets. Service organizations and joint organizations provide reachback capabilities to forward-deployed joint forces. Service organizations include the National Ground Intelligence Center, National Maritime Intelligence Center, Marine Corps Intelligence Agency, and the Air Force Intelligence, Surveillance, and Reconnaissance Agency (which includes the National Air and Space Intelligence Center). Joint organizations include the Defense Intelligence Agency and the National Center for Medical Intelligence.

A-10. Two other important joint terms are collection asset and collection resource. A collection asset is a collection system, platform, or capability that is supporting, assigned, or attached to a particular commander (JP 2-01). A collection resource is a collection system, platform, or capability that is not assigned or attached to a specific unit or echelon which must be requested and coordinated through the chain of command (JP 2-01). A collection asset is subordinate to the requesting unit or echelon, while a collection resource is not.

A-11. In joint collection management, all requests for support (collection) are referred to as target nominations. From the joint collection resource perspective, an NAI or TAI is a target for collection. Target nomination boards are responsible for prioritizing collection requests and allocating resources against those requirements.

JOINT COLLECTION MANAGEMENT PLANNING CONSIDERATIONS

A-18. In joint collection management operations, the collection manager, in coordination with the operations directorate, forwards collection requirements to the Service component commander exercising tactical control over joint force ISR assets. A mission tasking order is issued to the unit selected as responsible for the collection operation. The selected unit, sometimes called the mission manager, makes the final choice of specific platforms, equipment, and personnel required for the collection operation, based on operational considerations such as maintenance, schedules, training, and experience.

COLLECTION MANAGEMENT MISSION APPLICATIONS

A-19. Collection Management Mission Applications is a Web-centric information system architecture that incorporates existing programs and is sponsored by several commands, Services, and agencies. It provides tools for recording, gathering, organizing, and tracking intelligence collection requirements for all intelligence disciplines. It facilitates the rapid and secure exchange of collection management data and applications and provide

NATIONAL INTELLIGENCE SUPPORT TEAMS

A-23. National intelligence support teams are formed at the request of a deployed joint task force commander. These teams comprise intelligence and communication experts from the Defense Intelligence Agency, Central Intelligence Agency, National Geospatial-Intelligence Agency, National Security Agency, and other agencies, as required to support the joint force commander’s specific needs. The Joint Staff intelligence directorate is the executive agent for the national intelligence support team program and has delegated this mission to the Deputy Directorate for Crisis Operations (also called the J-2O). This office manages daily operations and interagency coordination for all teams. The Defense Intelligence Agency is the executive agent for all national intelligence support team operations. Once on station, a team supplies a steady stream of agency intelligence on local conditions and potential threats. Mission needs dictate the team’s size and composition.

A-24. National intelligence support team personnel are often sent to support corps- or division-level organizations. However, during recent operations, national agencies placed personnel at the BCT level.

NATIONAL PLANNING RESOURCES

A-25. The following national databases and Intelink sites contain information applicable to the IPB process and planning. They should be reviewed and evaluated to determine the availability of current data, information, and intelligence products that might answer intelligence or information requirements:

  • Modernized Integrated Data Base. Accessible via Intelink, this database contains current, worldwide and theater threat characteristics (previously order of battle factors). This data is organized by country, unit, facility, and equipment.
  • National Exploitation System. Managed by the National Geospatial-Intelligence Agency and accessible via Intelink, this resource permits users to—
    • Research the availability of imagery coverage over targets of interest.
    • Access historical national imagery archives and imagery intelligence reports.
  • Country knowledge bases and crisis home pages. Many combatant commands and joint force commands have Intelink Web sites containing the best and most up-to-date intelligence products available from the intelligence community.
  • SIGINT On-line Information System. This resource is a database containing current and historical finished SIGINT products.
  • Secure Analyst File Environment. This resource comprises structured data files. The following databases are accessible:
    • Intelligence Report Index Summary File. This resource contains index records and the full text of current and historical intelligence information reports.
    • All-Source Document Index. This resource contains index records and abstracts for hardcopy all-source intelligence documents produced by the Defense Intelligence Agency.
  • HUMINT collection requirements. This is a registry of all validated HUMINT requirements and tasking.
  • Modernized Defense Intelligence Threat Data System. This resource is a collection of analytical tools that support the retrieval and analysis of information and intelligence related to counterintelligence, indications and warning, and counterterrorism.
  • Community On-Line Intelligence System for End-users and Managers. This database application (also called COLISEUM), allows users to identify and track the status of all validated crisis and noncrisis intelligence production requirements.

ALLIANCES

A-34. Army units frequently perform intelligence operations in a multinational environment within the structure of an alliance, which presents many additional challenges for intelligence personnel. The North Atlantic Treaty Organization (also called NATO) and the United Nations Command in the Republic of Korea are examples of highly structured and enduring alliances. Intelligence architectures, organizations, and procedures are well defined in alliances. Therefore, Army staffs must learn to operate within the parameters of an alliance, maintaining SOPs and standards in accordance with their unit policies but also complying with the alliance’s standardized agreements.

A-35. An alliance’s existing international standardization agreements (for example, NATO standardization agreements [also called STANAGs]) establish rules and policies for conducting joint intelligence operations. Since each multinational operation has unique aspects, such standing agreements may have to be modified or amended based on the situation. However, these agreements provide a starting point for establishing policies for a specific operation.

Similarities and Differences

A-41. There are differences in intelligence doctrine and procedures among multinational partners. A key to effective multinational intelligence is extensive coordination, training, and liaison, beginning with the highest levels of command, to make the adjustments required to resolve these differences:

  • Major differences may include—
    • How intelligence is provided to the commander (jointly or by individual Services or agencies).
    • Procedures for sharing information among intelligence agencies.
    • The degree of security afforded by different communication systems and procedures.
  • Administrative differences that need to be addressed may include—
    • Classification levels.
    • Personnel security clearance standards.
    • Requirements for access to sensitive intelligence.
    • Translation requirements.

Notes from Knowledge Management in the Intelligence Enterprise

Knowledge Management in the Intelligence Enterprise

This book is about the application of knowledge management (KM) principles to the practice of intelligence to fulfill those consumers’ expectations.

Unfortunately, too many have reduced intelligence to a simple metaphor of “connecting the dots.” This process, it seems, appears all too simple after the fact—once you have seen the picture and you can ignore irrelevant, contradictory, and missing dots. Real-world intelligence is not a puzzle of connecting dots; it is the hard daily work of planning operations, focusing the collection of data, and then processing the collected data for deep analysis to produce a flow of knowledge for dissemination to a wide range of consumers.

this book… is an outgrowth of a 2-day military KM seminar that I teach in the United States to describe the methods to integrate people, processes, and technologies into knowledge-creating enterprises.

The book progresses from an introduction to KM applied to intelligence (Chapters 1 and 2) to the principles and processes of KM (Chapter 3). The characteristics of collaborative knowledge-based intelligence organizations are described (Chapter 4) before detailing its principal craft of analysis and synthesis (Chapter 5 introduces the principles and Chapter 6 illustrates the practice). The wide range of technology tools to support analytic thinking and allow analysts to interact with information is explained (Chapter 7) before describing the automated tools that perform all-source fusion and mining (Chapter 8). The organizational, systems, and technology concepts throughout the book are brought together in a representative intelligence enterprise (Chapter 9) to illustrate the process of architecture design for a small intelligence cell. An overview of core, enabling, and emerging KM technologies in this area is provided in conclusion (Chapter 10).

Knowledge Management and Intelligence

This is a book about the management of knowledge to produce and deliver a special kind of knowledge: intelligence—that knowledge that is deemed most critical for decision making both in the nation-state and in business.

  • Knowledge management refers to the organizational disciplines, processes, and information technologies used to acquire, create, reveal, and deliver knowledge that allows an enterprise to accomplish its mission (achieve its strategic or business objectives). The components of knowledge management are the people, their operations (practices and processes), and the information technology (IT) that move and transform data, information, and knowledge. All three of these components make up the entity we call the enterprise.
  • Intelligence refers to a special kind of knowledge necessary to accomplish a mission—the kind of strategic knowledge that reveals critical threats and opportunities that may jeopardize or assure mission accomplishment. Intelligence often reveals hidden secrets or conveys a deep understanding that is covered by complexity, deliberate denial, or outright deception. The intelligence process has been described as the process of the discovery of secrets by secret means. In business and in national security, secrecy is a process of protection for one party; discovery of the secret is the object of competition or security for the competitor or adversary… While a range of definitions of intelligence exist, perhaps the most succinct is that offered by the U.S. Central Intelligence Agency (CIA): “Reduced to its simplest terms, intelligence is knowledge and foreknowledge of the world around us—the prelude to decision and action by U.S. policymakers.”
  • The intelligence enterprise encompasses the integrated entity of people, processes, and technologies that collects and analyzes intelligence data to synthesize intelligence products for decision-making consumers.

intelligence (whether national or business) has always involved the management (acquisition, analysis, synthesis, and delivery) of knowledge.

At least three driving factors continue to make this increasing need for automation necessary. These factors include:

  • Breadth of data to be considered.
  • Depth of knowledge to be understood.
  • Speed required for decision making.

Throughout this book, we distinguish between three levels of abstraction of knowledge, each of which may be referred to as intelligence in forms that range from unprocessed reporting to finished intelligence products

  1. Data. Individual observations, measurements, and primitive messages form the lowest level. Human communication, text messages, electronic queries, or scientific instruments that sense phenomena are the major sources of data. The terms raw intelligence and evidence (data that is determined to be relevant) are frequently used to refer to elements of data.
  2. Information. Organized sets of data are referred to as information. The organization process may include sorting, classifying, or indexing and linking data to place data elements in relational context for subsequent searching and analysis.
  3. Knowledge. Information once analyzed, understood, and explained is knowledge or foreknowledge (predictions or forecasts). In the context of this book, this level of understanding is referred to as the intelligence product. Understanding of information provides a degree of comprehension of both the static and dynamic relationships of the objects of data and the ability to model structure and past (and future) behavior of those objects. Knowledge includes both static content and dynamic processes.

These abstractions are often organized in a cognitive hierarchy, which includes a level above knowledge: human wisdom.

In this text, we consider wisdom to be a uniquely human cognitive capability—the ability to correctly apply knowledge to achieve an objective. This book describes the use of IT to support the creation of knowledge but considers wisdom to be a human capacity out of the realm of automation and computation.

1.1 Knowledge in a Changing World

This strategic knowledge we call intelligence has long been recognized as a precious and critical commodity for national leaders.

the Hebrew leader Moses commissioned and documented an intelligence operation to explore the foreign land of Canaan. That classic account clearly describes the phases of the intelligence cycle, which proceeds from definition of the requirement for knowledge through planning, tasking, collection, and analysis to the dissemination of that knowledge. He first detailed the intelligence requirements by describing the eight essential elements of information to be collected, and he described the plan to covertly enter and reconnoiter the denied area

requirements articulation, planning, collection, analysis-synthesis, and dissemination

The U.S. defense community has developed a network-centric approach to intelligence and warfare that utilizes the power of networked information to enhance the speed of command and the efficiency of operations. Sensors are linked to shooters, commanders efficiently coordinate agile forces, and engagements are based on prediction and preemption. The keys to achieving information superiority in this network-centric model are network breadth (or connectivity) and bandwidth; the key technology is information networking.

The ability to win will depend upon the ability to select and convert raw data into accurate decision-making knowledge. Intelligence superiority will be defined by the ability to make decisions most quickly and effectively—with the same information available to virtually all parties. The key enabling technology in the next century will become processing and cognitive power to rapidly and accurately convert data into comprehensive explanations of reality—sufficient to make rapid and complex decisions.

Consider several of the key premises about the significance of knowledge in this information age that are bringing the importance of intelligence to the forefront. First, knowledge has become the central resource for competitive advantage, displacing raw materials, natural resources, capital, and labor. This resource is central to both wealth creation and warfare waging. Second, the management of this abstract resource is quite complex; it is more difficult (than material resources) to value and audit, more difficult to create and exchange, and much more difficult to protect. Third, the processes for producing knowledge from raw data are as diverse as the manufacturing processes for physical materials, yet are implemented in the same virtual manufacturing plant—the computer. Because of these factors, the management of knowledge to produce strategic intelligence has become a necessary and critical function within nation-states and business enterprises—requiring changes in culture, processes, and infrastructure to compete.

With rapidly emerging information technologies, the complexities of globalization and diverse national interests (and threats), businesses and militaries must both adopt radically new and innovative agendas to enable continuous change in their entire operating concept. Innovation and agility are the watchwords for organizations that will remain competitive in Hamel’s age of nonlinear revolution.

Business concept innovation will be the defining competitive advantage in the age of revolution. Business concept innovation is the capacity to reconceive existing business models in ways that create new value for customers, rude surprises for competitors, and new wealth for investors. Business concept innovation is the only way for newcomers to succeed in the face of enormous resource disadvantages, and the only way for incumbents to renew their lease on success

 

A functional taxonomy based on the type of analysis and the temporal distinction of knowledge and foreknowledge (warning, prediction, and forecast) distinguishes two primary categories of analysis and five subcategories of intelligence products

Descriptive analyses provide little or no evaluation or interpretation of collected data; rather, they enumerate collected data in a fashion that organizes and structures the data so the consumer can perform subsequent interpretation.

Inferential analyses require the analysis of collected relevant data sets (evidence) to infer and synthesize explanations that describe the meaning of the underlying data. We can distinguish four different focuses of inferential analysis:

  1. Analyses that explain past events (How did this happen? Who did it?);
  2. Analyses that explain current structure (What is the organization? What is the order of battle?);
  3. Analyses that explain current behaviors and states (What is the competitor’s research and development process? What is the status of development?);
  4. Foreknowledge analyses that forecast future attributes and states (What is the expected population and gross national product growth over the next 5 years? When will force strength exceed that of a country’s neighbors? When will a competitor release a new product?).

1.3 The Intelligence Disciplines and Applications

While the taxonomy of intelligence products by analytic methods is fundamental, the more common distinctions of intelligence are by discipline or consumer.

The KM processes and information technologies used in all cases are identical (some say, “bits are bits,” implying that all digital data at the bit level is identical), but the content and mission objectives of these four intelligence disciplines are unique and distinct.

Nation-state security interests deal with sovereignty; ideological, political, and economic stability; and threats to those areas of national interest. Intelligence serves national leadership and military needs by providing strategic policymaking knowledge, warnings of foreign threats to national security interests (economic, military, or political) and tactical knowledge to support day-to-day operations and crisis responses. Nation-state intelligence also serves a public function by collecting and consolidating open sources of foreign information for analysis and publication by the government on topics of foreign relations, trade, treaties, economies, humanitarian efforts, environmental concerns, and other foreign and global interests to the public and businesses at large.

Similar to the threat-warning intelligence function to the nation-state, business intelligence is chartered with the critical task of foreseeing and alerting management of marketplace discontinuities. The consumers of business intelligence range from corporate leadership to employees who access supply-chain data, and even to customers who access information to support purchase decisions.

A European Parliament study has enumerated concern over the potential for national intelligence sources to be used for nation-state economic advantages by providing competitive intelligence directly to national business interests. The United States has acknowledged a policy of applying national intelligence to protect U.S. business interests from fraud and illegal activities, but not for the purposes of providing competitive advantage

1.3.1 National and Military Intelligence

National intelligence refers to the strategic knowledge obtained for the leadership of nation-states to maintain national security. National intelligence is focused on national security—providing strategic warning of imminent threats, knowledge on the broad spectrum of threats to national interests, and foreknowledge regarding future threats that may emerge as technologies, economies, and the global environment change.

The term intelligence refers to both a process and its product.

The U.S. Department of Defense (DoD) provides the following product definitions that are rich in description of the processes involved in producing the product:

  1. The product resulting from the collection, processing, integration, analysis, evaluation, and interpretation of available information concerning foreign countries or areas;
  2. Information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding.

Michael Herman accurately emphasizes the essential components of the intelligence process: “The Western intelligence system is two things. It is partly the collection of information by special means; and partly the subsequent study of particular subjects, using all available information from all sources. The two activities form a sequential process.”

Martin Libicki has provided a practical definition of information dominance, and the role of intelligence coupled with command and control and information warfare:

Information dominance may be defined as superiority in the generation, manipulation, and use of information sufficient to afford its possessors military dominance. It has three sources:

  • Command and control that permits everyone to know where they (and their cohorts) are in the battlespace, and enables them to execute operations when and as quickly as necessary.
  • Intelligence that ranges from knowing the enemy’s dispositions to knowing the location of enemy assets in real-time with sufficient precision for a one-shot kill.
  • Information warfare that confounds enemy information systems at various points (sensors, communications, processing, and command), while protecting one’s own.

 

The superiority is achieved by gaining superior intelligence and protecting information assets while fiercely degrading the enemy’s information assets. The goal of such superiority is not the attrition of physical military assets or troops—it is the attrition of the quality, speed, and utility of the adversary’s decision-making ability.

“A knowledge environment is an organization’s (business) environment that enhances its capability to deliver on its mission (competitive advantage) by enabling it to build and leverage its intellectual capital.”

1.3.2 Business and Competitive Intelligence

The focus of business intelligence is on understanding all aspects of a business enterprise: internal operations and the external environment, which includes customers and competitors (the marketplace), partners, and suppliers. The external environment also includes independent variables that can impact the business, depending on the business (e.g., technology, the weather, government policy actions, financial markets). All of these are the objects of business intelligence in the broadest definition. But the term business intelligence is also used in a narrower sense to focus on only the internals of the business, while the term competitor intelligence refers to those aspects of intelligence that focus on the externals that influence competitiveness: competitors.

Each of the components of business intelligence has distinct areas of focus and uses in maintaining the efficiency, agility, and security of the business; all are required to provide active strategic direction to the business. In large companies with active business intelligence operations, all three components are essential parts of the strategic planning process, and all contribute to strategic decision making.

1.4 The Intelligence Enterprise

The intelligence enterprise includes the collection of people, knowledge (both internal tacit and explicitly codified), infrastructure, and information processes that deliver critical knowledge (intelligence) to the consumers. This enables them to make accurate, timely, and wise decisions to accomplish the mission of the enterprise.

This definition describes the enterprise as a process—devoted to achieving an objective for its stakeholders and users. The enterprise process includes the production, buying, selling, exchange, and promotion of an item, substance, service, or system.

The DoD three-view architecture description defines three interrelated perspectives, or architectural descriptions, covering the operational, system, and technical aspects of an enterprise [29]. The operational architecture is a people- or organization-oriented description of the operational elements, intelligence business processes, assigned tasks, and information and work flows required to accomplish or support the intelligence function. It defines the type of information, the frequency of exchange, and the tasks that are supported by these information exchanges. The systems architecture is a description of the systems and interconnections providing for or supporting intelligence functions. The systems architecture defines the physical connection, location, and identification of the key nodes, circuits, networks, and users, and specifies system and component performance parameters. The technical architecture is the minimal set of rules (i.e., standards, protocols, interfaces, and services) governing the arrangement, interaction, and interdependence of the elements of the system.

 

These three views of the enterprise (Figure 1.4) describe three layers of people-oriented operations, system structure, and procedures (protocols) that must be defined in order to implement an intelligence enterprise.

The operational layer is the highest (most abstract) description of the concept of operations (CONOPS), human collaboration, and disciplines of the knowledge organization. The technical architecture layer describes the most detailed perspective, noting specific technical components and their operations, protocols, and technologies.

The intelligence supply chain that describes the flow of data into knowledge to create consumer value is measured by the value it provides to intelligence consumers. Measures of human intellectual capital and organizational knowledge describe the intrinsic value of the organization.

1.5 The State of the Art and the State of the Intelligence Tradecraft

The subject of intelligence analysis remained largely classified through the 1980s, but the 1990s brought the end of the Cold War and, thus, open publication of the fundamental operations of intelligence and the analytic methods employed by businesses and nation-states. In that same period, the rise of commercial information sources and systems produced the new disciplines of open source intelligence (OSINT) and business/competitor intelligence. In each of these areas, a wealth of resources is available for tracking the rapidly changing technology state of the art as well as the state of the intelligence tradecraft.

1.5.1 National and Military Intelligence

Numerous sources of information provide management, legal, and technical insight for national and military intelligence professionals with interests in analysis and KM

These sources include:

  • Studies in Intelligence—Published by the U.S. CIA Center for the Study of Intelligence and the Sherman Kent School of Intelligence, unclassified versions are published on the school’s Web site (http://odci.gov.csi), along with periodically issued monographs on technical topics related to intelligence analysis and tradecraft.
  • International Journal of Intelligence and Counterintelligence—This quarterly journal covers the breadth of intelligence interests within law enforcement, business, nation-state policymaking, and foreign affairs.
  • Intelligence and National Security—A quarterly international journal published by Frank Cass & Co. Ltd., London, this journal covers broad intelligence topics ranging from policy, operations, users, analysis, and products to historical accounts and analyses.
  • Defense Intelligence Journal—This is a quarterly journal published by the U.S. Defense Intelligence Agency’s Joint Military Intelligence College.
  • American Intelligence Journal—Published by the National Military Intelligence Association (NMIA), this journal covers operational, organizational, and technical topics of interest to national and military intelligence officers.
  • Military Intelligence Professional Bulletin—This is a quarterly bulletin of the U.S. Army Intelligence Center (Ft. Huachuca) that is available on-line and provides information to military intelligence officers on studies of past events, operations, processes, military systems, and emerging research and development.
  • Jane’s Intelligence Review—This monthly magazine provides open source analyses of international military organizations, NGOs that threaten or wage war, conflicts, and security issues.

1.5.2 Business and Competitive Intelligence

Several sources focus on the specific areas of business and competitive intelligence with attention to the management, ethical, and technical aspects of collection, analysis, and valuation of products.

  • Competitive Intelligence Magazine—This is a CI source for general applications-related articles on CI, published bimonthly by John Wiley & Sons with the Society for Competitive Intelligence (SCIP).
  • Competitive Intelligence Review—This quarterly journal, also published by John Wiley with the SCIP, contains best-practice case studies as well as technical and research articles.
  • Management International Review—This is a quarterly refereed journal that covers the advancement and dissemination of international applied research in the fields of management and business. It is published by Gabler Verlag, Germany, and is available on-line.
  • Journal of Strategy and Business—This quarterly journal, published by Booz Allen and Hamilton, focuses on strategic business issues, including regular emphasis on both CI and KM topics in business articles.

1.5.3 KM

The developments in the field of KM are covered by a wide range of business, information science, organizational theory, and dedicated KM sources that provide information on this diverse and fast growing area.

  • CIO Magazine—This monthly trade magazine for chief information officers and staff includes articles on KM, best practices, and related leadership topics.
  • Harvard Business Review, Sloan Management Review—These management journals cover organizational leadership, strategy, learning and change, and the application of supporting ITs.
  • Journal of Knowledge Management—This is a quarterly academic journal of strategies, tools, techniques, and technologies published by Emerald (UK). In addition, Emerald also publishes quarterly The Learning Organization—An International Journal.
  • IEEE Transactions of Knowledge and Data Engineering—This is an archival journal published bimonthly to inform researchers, developers, managers, strategic planners, users, and others interested in state-of-the-art and state-of-the-practice activities in the knowledge and data engineering area.
  • Knowledge and Process Management—A John Wiley (UK) journal for executives responsible for leading performance improvement and contributing thought leadership in business. Emphasis areas include KM, organizational learning, core competencies, and process management.
  • American Productivity and Quality Center (APQC)—The APQC is a nonprofit organization that provides the tools, information, expertise, and support needed to discover and implement best practices in KM. Its mission is to discover, research, and understand emerging and effective methods of both individual and organizational improvement, to broadly disseminate these findings, and to connect individuals with one another and with the knowledge, resources, and tools they need to successfully manage improvement and change. They maintain an on-line site at www.apqc.org.
  • Data Mining and Knowledge Discovery—This Kluwer (Netherlands) journal provides technical articles on the theory, techniques, and practice of knowledge extraction from large databases.

1.6 The Organization of This Book

This book is structured to introduce the unique role, requirements, and stakeholders of intelligence (the applications) before introducing the KM processes, technologies, and implementations.

2 The Intelligence Enterprise

Intelligence, the strategic information and knowledge about an adversary and an operational environment obtained through observation, investigation, analysis, or understanding, is the product of an enterprise operation that integrates people and processes in an organizational and networked computing environment.

The intelligence enterprise exists to produce intelligence goods and services—knowledge and foreknowledge to decision- and policy-making customers. This enterprise is a production organization whose prominent infrastructure is an information supply chain. As in any business, it has a “front office” to manage its relations with customers, with the information supply chain in the “back office.”

The intellectual capital of this enterprise includes sources, methods, workforce competencies, and the intelligence goods and services produced. As in virtually no other business, the protection of this capital is paramount, and therefore security is integrated into every aspect of the enterprise.

2.1 The Stakeholders of Nation-State Intelligence

The intelligence enterprise, like any other enterprise providing goods and services, includes a diverse set of stakeholders in the enterprise operation. The business model for any intelligence enterprise, as for any business, must clearly identify the stakeholders who own the business and those who produce and consume its goods and services.

  • The owners of the process include the U.S. public and its elected officials, who measure intelligence value in terms of the degree to which national security is maintained. These owners seek awareness and warning of threats to prescribed national interests.
  • Intelligence consumers (customers or users) include national, military, and civilian user agencies that measure value in terms of intelligence contribution to the mission of each organization, measured in terms of its impact on mission effectiveness.
  • Intelligence producers, the most direct users of raw intelligence, include the collectors (HUMINT and technical), processor agencies, and analysts. The principal value metrics of these users are performance based: information accuracy, coverage breadth and depth, confidence, and timeliness.

The purpose and value chains for intelligence (Figure 2.2) are defined by the stakeholders to provide a foundation for the development of specific value measures that assess the contribution of business components to the overall enterprise. The corresponding chains in the U.S. IC include:

  • Source—the source or basis for defining the purpose of intelligence is found in the U.S. Constitution, derivative laws (i.e., the National Security Act of 1947, Central Intelligence Agency Act of 1949, National Security Agency Act of 1959, Foreign Intelligence Surveillance Act of 1978, and Intelligence Organization Act of 1992), and orders of the executive branch [2]. Derived from this are organizational mission documents, such as the Director of Central Intelligence (DCI) Strategic Intent [3], which documents communitywide purpose and vision, as well as derivative guidance documents prepared by intelligence providers.
  • Purpose chain—the causal chain of purposes (objectives) for which the intelligence enterprise exists. The ultimate purpose is national security, enabled by information (intelligence) superiority that, in turn, is enabled by specific purposes of intelligence providers that will result in information superiority.
  • Value chain—the chain of values (goals) by which achievement of the enterprise purpose is measured.
  • Measures—Specific metrics by which values are quantified and articulated by stakeholders and by which the value of the intelligence enterprise is evaluated.

In a similar fashion, business and competitive intelligence have stakeholders that include customers, shareholders, corporate officers, and employees… there must exist a purpose and value chain that guides the KM operations. These typically include:

  • Source—the business charter and mission statement of a business elaborate the market served and the vision for the business’s role in that market.
  • Purpose chain—the objectives of the business require knowledge about internal operations and the market (BI objectives) as well as competitors (CI).
  • Value chain—the chain of values (goals) by which achievement of the enterprise purpose is measured.
  • Measures—Specific metrics by which values are quantified. A balanced set of measures includes vision and strategy, customer, internal, financial, and learning-growth metrics.

2.2 Intelligence Processes and Products

The process that delivers strategic and operational intelligence products is generally depicted in cyclic form (Figure 2.3), with five distinct phases.

In every case, the need is the basis for a logical process to deliver the knowledge to the requestor.

  1. Planning and direction. The process begins as policy and decision makers define, at a high level of abstraction, the knowledge that is required to make policy, strategic, or operational decisions. The requests are parsed into information required, then to data that must be collected to estimate or infer the required answers. Data requirements are used to establish a plan of collection, which details the elements of data needed and the targets (people, places, and things) from which the data may be obtained.
  2. Collection. Following the plan, human and technical sources of data are tasked to collect the required raw data. The next section introduces the major collection sources, which include both openly available and closed sources that are accessed by both human and technical methods.

These sources and methods are among the most fragile [5]—and most highly protected—elements of the process. Sensitive and specially compartmented collection capabilities that are particularly fragile exist across all of the collection disciplines.

  3. Processing. The collected data is processed (e.g., machine translation, foreign language translation, or decryption), indexed, and organized in an information base. Progress on meeting the requirements of the collection plan is monitored and the tasking may be refined on the basis of received data.
  4. All-source analysis-synthesis and production. The organized information base is processed using estimation and inferential (reasoning) techniques that combine all-source data in an attempt to answer the requestor’s questions. The data is analyzed (broken into components and studied) and solutions are synthesized (constructed from the accumulating evidence). The topics or subjects (intelligence targets) of study are modeled, and requests for additional collection and processing may be made to acquire sufficient data and achieve a sufficient level of understanding (or confidence to make a judgment) to answer the consumer’s questions.
  5. Dissemination. Finished intelligence is disseminated to consumers in a variety of formats, ranging from dynamic operating pictures of warfighters’ weapon systems to formal reports to policymakers. Three categories of formal strategic and tactical intelligence reports are distinguished by their past, present, and future focus: current intelligence reports are news-like reports that describe recent events or indications and warnings, basic intelligence reports provide complete descriptions of a specific situation (e.g., order of battle or political situation), and intelligence estimates attempt to predict feasible future outcomes as a result of current situation, constraints, and possible influences [6].

Though introduced here in the classic form of a cycle, in reality the process operates as a continuum of actions with many more feedback (and feedforward) paths that require collaboration between consumers, collectors, and analysts.

2.3 Intelligence Collection Sources and Methods

A taxonomy of intelligence data sources includes sources that are openly accessible or closed (e.g., denied areas, secured communications, or clandestine activities). Due to the increasing access to electronic media (i.e., telecommunications, video, and computer networks) and the global expansion of democratic societies, OSINT is becoming an increasingly important source of global data. While OSINT must be screened and cross validated to filter errors, duplications, and deliberate misinformation (as do all sources), it provides an economical source of public information and is a contributor to other sources for cueing, indications, and confirmation

Measurements and signatures intelligence (MASINT) is technically derived knowledge from a wide variety of sensors, individual or fused, either to perform special measurements of objects or events of interest or to obtain signatures for use by the other intelligence sources. MASINT is used to characterize the observable phenomena (observables) of the environment and objects of surveillance.

U.S. intelligence studies have pointed out specific changes in the use of these sources as the world increases globalization of commerce and access to social, political, economic, and technical information [10–12]:

  • The increase in unstructured and transnational threats requires the robust use of clandestine HUMINT sources to complement extensive technical verification means.
  • Technical means of collection are required for both broad area coverage and detailed assessment of the remaining denied areas of the world.

2.3.1 HUMINT Collection

HUMINT refers to all information obtained directly from human sources

HUMINT sources may be overt or covert (clandestine); the most common categories include:

  • Clandestine intelligence case officers. These officers are own-country individuals who operate under a clandestine “cover” to collect intelligence and “control” foreign agents to coordinate collections.
  • Agents. These are foreign individuals with access to targets of intelligence who conduct clandestine collection operations as representatives of their controlling intelligence officers. These agents may be recruited or “walk-in” volunteers who act for a variety of ideological, financial, or personal motives.
  • Émigrés, refugees, escapees, and defectors. The open, overt (yet discreet) programs to interview these recently arrived foreign individuals provide background information on foreign activities as well as occasional information on high-value targets.
  • Third party observers. Cooperating third parties (e.g., third-party countries and travelers) can also provide a source of access to information.

The HUMINT discipline follows a rigorous seven-step process for acquiring, employing, and terminating the use of human assets. The sequence followed by case officers includes:

  1. Spotting—locating, identifying, and securing low-level contact with agent candidates;
  2. Evaluation—assessment of the potential (i.e., value or risk) of the spotted individual, based on a background investigation;
  3. Recruitment—securing the commitment from the individual;
  4. Testing—evaluation of the loyalty of the agent;
  5. Training—supporting the agent with technical experience and tools;
  6. Handling—supporting and reinforcing the agent’s commitment;
  7. Termination—completion of the agent assignment by ending the relationship.

 

HUMINT is dependent upon the reliability of the individual source, and lacks the collection control of technical sensors. Furthermore, the level of security to protect human sources often limits the fusion of HUMINT reports with other sources and their dissemination to wider customer bases. Directed high-risk HUMINT collections are generally viewed as a precious resource to be used for high-value targets to obtain information unobtainable by technical means or to validate hypotheses created by technical collection analysis.

2.3.2 Technical Intelligence Collection

Technical collection is performed by a variety of electronic (e.g., electromechanical, electro-optical, or bioelectronic) sensors placed on platforms in space, the atmosphere, on the ground, and at sea to measure physical phenomena (observables) related to the subjects of interest (intelligence targets).

The operational utility of these collectors for each intelligence application depends upon several critical factors:

  • Timeliness—the time from collection of event data to delivery of a tactical targeting cue, operational warnings and alerts, or formal strategic report;
  • Revisit—the frequency with which a target of interest can be revisited to understand or model (track) dynamic behavior;
  • Accuracy—the spatial, identity, or kinematic accuracy of estimates and predictions;
  • Stealth—the degree of secrecy with which the information is gathered and the measure of intrusion required.

2.4 Collection and Process Planning

The technical collection process requires the development of a detailed collection plan, which begins with the decomposition of the subject target into activities, observables, and then collection requirements.

From this plan, technical collectors are tasked and data is collected and fused (a composition, or reconstruction that is the dual of the decomposition process) to derive the desired intelligence about the target.

2.5 KM in the Intelligence Process

The intelligence process must deal with large volumes of source data, converting a wide range of text, imagery, video, and other media types into organized information, then performing the analysis-synthesis process to deliver knowledge in the form of intelligence products.

IT is providing increased automation of the information indexing, discovery, and retrieval (IIDR) functions for intelligence, especially the exponentially increasing volumes of global open-source data.

 

The functional information flow in an automated or semiautomated facility (depicted in Figure 2.5) requires digital archiving and analysis to ingest continuous streams of data and manage large volumes of analyzed data. The flow can be broken into three phases:

  1. Capture and compile;
  2. Preanalysis;
  3. Exploitation (analysis-synthesis).

The preanalysis phase indexes each data item (e.g., article, message, news segment, image, book or chapter) by assigning a reference for storage; generating an abstract that summarizes the content of the item and metadata with a description of the source, time, reliability-confidence, and relationship to other items (abstracting); and extracting critical descriptors of content that characterize the contents (e.g., keywords) or meaning (deep indexing) of the item for subsequent analysis. Spatial data (e.g., maps, static imagery, or video imagery) must be indexed by spatial context (spatial location) and content (imagery content).

The indexing process applies standard subjects and relationships, maintained in a lexicon and thesaurus that is extracted from the analysis information base. Following indexing, data items are clustered and linked before entry into the analysis base. As new items are entered, statistical analyses are performed to monitor trends or events against predefined templates that may alert analysts or cue their focus of attention in the next phase of processing.
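The preanalysis steps described above (reference assignment, abstracting, lexicon-based indexing, linking, and trend monitoring against predefined templates), as an added Python sketch that is not from the book. The lexicon, alert templates, and feed items are constructed for illustration, and keyword extraction is plain term frequency rather than deep indexing.

```python
"""Preanalysis sketch: index, link, and trend-check constructed open-source items."""
import re
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

# Hypothetical lexicon/thesaurus: standard subject -> terms that map to it.
LEXICON = {
    "protest": {"protest", "protests", "demonstration", "rally"},
    "power-outage": {"outage", "blackout", "grid"},
    "port-activity": {"port", "harbor", "cargo"},
}
STOPWORDS = {"the", "a", "an", "in", "of", "at", "and", "to", "after", "for", "on", "is", "was"}

# Constructed sample feed: (source, day number, source reliability 0..1, text).
RAW_ITEMS = [
    ("wire-a", 1, 0.8, "Cargo backlog grows at the northern port. Officials cite weather."),
    ("blog-b", 2, 0.4, "Students rally in the capital. A second demonstration is planned."),
    ("wire-a", 3, 0.8, "Blackout hits the capital after grid fault. Protest follows outage."),
    ("radio-c", 3, 0.6, "Protest spreads to the port district. Cargo handling stops."),
    ("wire-a", 9, 0.8, "Grid repairs finish in the capital. Power is restored."),
]

# Predefined alert templates: subject, sliding window (days), minimum item count.
TEMPLATES = [
    {"subject": "protest", "window_days": 3, "min_items": 3},
    {"subject": "power-outage", "window_days": 3, "min_items": 2},
]


@dataclass
class IndexedItem:
    ref: str            # storage reference assigned at indexing time
    abstract: str       # short summary (here: the first sentence)
    source: str         # metadata: where the item came from
    day: int            # metadata: when it was observed
    reliability: float  # metadata: reliability-confidence of the source
    keywords: list      # content descriptors (most frequent terms)
    subjects: set       # standard subjects assigned from the lexicon


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def index_item(seq, raw):
    """Assign a reference, abstract the item, and extract descriptors."""
    source, day, reliability, text = raw
    tokens = [t for t in tokenize(text) if t not in STOPWORDS]
    counts = Counter(tokens)
    # Most frequent terms first; ties broken alphabetically so output is stable.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    keywords = [word for word, _ in ranked[:5]]
    subjects = {s for s, terms in LEXICON.items() if terms & set(tokens)}
    abstract = text.split(". ")[0].rstrip(".") + "."
    return IndexedItem(f"ITEM-{seq:04d}", abstract, source, day, reliability, keywords, subjects)


def link_items(items):
    """Link every pair of items that shares at least one standard subject."""
    links = []
    for a, b in combinations(items, 2):
        shared = a.subjects & b.subjects
        if shared:
            links.append((a.ref, b.ref, sorted(shared)))
    return links


def trend_alerts(items, templates):
    """Return (subject, window start day, item count) for each template that fires."""
    alerts = []
    for tpl in templates:
        days = sorted(i.day for i in items if tpl["subject"] in i.subjects)
        for start in days:
            hits = [d for d in days if start <= d < start + tpl["window_days"]]
            if len(hits) >= tpl["min_items"]:
                alerts.append((tpl["subject"], start, len(hits)))
                break  # one alert per template is enough to cue the analyst
    return alerts


def run():
    indexed = [index_item(n, raw) for n, raw in enumerate(RAW_ITEMS, start=1)]
    return indexed, link_items(indexed), trend_alerts(indexed, TEMPLATES)


if __name__ == "__main__":
    indexed, links, alerts = run()
    for item in indexed:
        print(item.ref, sorted(item.subjects), item.abstract)
    for link in links:
        print("link:", link)
    for alert in alerts:
        print("alert:", alert)
```

The outage template stays silent because its two items fall six days apart, outside the three-day window, while three protest items inside one window raise an alert.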

The categories of automated tools that are applied to the analysis information base include the following:

  • Interactive search and retrieval tools permit analysts to search by content, topic, or related topics using the lexicon and thesaurus subjects.
  • Structured judgment analysis tools provide visual methods to link data, synthesize deductive logic structures, and visualize complex relationships between data sets. These tools enable the analyst to hypothesize, explore, and discover subtle patterns and relationships in large data volumes—knowledge that can be discerned only when all sources are viewed in a common context.
  • Modeling and simulation tools model hypothetical activities, allowing modeled (expected) behavior to be compared to evidence for validation or projection of operations under scrutiny.
  • Collaborative analysis tools permit multiple analysts in related subject areas, for example, to collaborate on the analysis of a common subject.
  • Data visualization tools present synthetic views of data and information to the analyst to permit patterns to be examined and discovered.

2.6 Intelligence Process Assessments and Reengineering

The U.S. IC has been assessed throughout and since the close of the Cold War to study the changes necessary to adapt to advanced collection capabilities, changing security threats, and the impact of global information connectivity and information availability. Published results of these studies provide insight into the areas of intelligence effectiveness that may be enhanced by organizing the community into a KM enterprise. We focus here on the technical aspects of the changes rather than the organizational aspects recommended in numerous studies.

2.6.1 Balancing Collection and Analysis

Intelligence assessments have evaluated the utility of intelligence products and the balance of investment between collection and analysis.

2.6.2 Focusing Analysis-Synthesis

An independent study [21] of U.S. intelligence recommended a need for intelligence to sharpen the focus of analysis-synthesis resources to deal with the increased demands by policymakers for knowledge on a wider range of topics, the growing breadth of secret and open sources, and the availability of commercial open-source analysis.

2.6.3 Balancing Analysis-Synthesis Processes

One assessment conducted by the U.S. Congress reviewed the role of analysis-synthesis and the changes necessary for the community to reengineer its processes from a Cold War to a global awareness focus. Emphasizing the crucial role of analysis, the commission noted:

The raison d’etre of the Intelligence Community is to provide accurate and meaningful information and insights to consumers in a form they can use at the time they need them. If intelligence fails to do that, it fails altogether. The expense and effort invested in collecting and processing the information have gone for naught.

The commission identified the KM challenges faced by large-scale intelligence analysis that encompasses global issues and serves a broad customer base.

The commission’s major observations provide insight into the emphasis on people-related (rather than technology-related) issues that must be addressed for intelligence to be valued by the policy and decision makers that consume intelligence:

  1. Build relationships. A concerted effort is required to build relationships between intelligence producers and the policymakers they serve. Producer-consumer relationships range from assignment of intelligence liaison officers with consumers (the closest relationship and greatest consumer satisfaction) to holding regular briefings, or simple producer-subscriber relationships for general broadcast intelligence. Across this range of relationships, four functions must be accomplished for intelligence to be useful:
     • Analysts must understand the consumer’s level of knowledge and the issues they face.
     • Intelligence producers must focus on issues of significance and make information available when needed, in a format appropriate to the unique consumer.
     • Consumers must develop an understanding of what intelligence can and—equally important—cannot do.
     • Both consumer and producer must be actively engaged in a dialogue with analysts to refine intelligence support to decision making.
  2. Increase and expand the scope of analytic expertise. The expertise of the individual analysts and the community of analysts must be maintained at the highest level possible. This expertise is in two areas: domain, or region of focus (e.g., nation, group, weapon systems, or economics), and analytic-synthetic tradecraft. Expertise development should include the use of outside experts, travel to countries of study, sponsorship of topical conferences, and other means (e.g., simulations and peer reviews).
  3. Enhance use of open sources. Open-source data (i.e., publicly available data in electronic and broadcast media, journals, periodicals, and commercial databases) should be used to complement (cue, provide context, and in some cases, validate) special, or closed, sources. The analyst must have command of all available information and the means to access and analyze both categories of data in complementary fashion.
  4. Make analysis available to users. Intelligence producers must increasingly apply dynamic, electronic distribution means to reach consumers for collaboration and distribution. The DoD Joint Deployable Intelligence Support System (JDISS) and IC Intelink were cited as early examples of networked intelligence collaboration and distribution systems.
  5. Enhance strategic estimates. The United States produces national intelligence estimates (NIEs) that provide authoritative statements and forecast judgments about the likely course of events in foreign countries and their implications for the United States. These estimates must be enhanced to provide timely, objective, and relevant data on a wider range of issues that threaten security.
  6. Broaden the analytic focus. As the national security threat envelope has broadened (beyond the narrower focus of the Cold War), a more open, collaborative environment is required to enable intelligence analysts to interact with policy departments, think tanks, and academia to analyze, debate, and assess these new world issues.

In the half decade since the commission recommendations were published, the United States has implemented many of the recommendations. Several examples of intelligence reengineering include:

  • Producer-consumer relationships. The introduction of collaborative networks, tools, and soft-copy products has permitted less formal interaction and more frequent exchange between consumers and producers. This allows intelligence producers to better understand consumer needs and decision criteria. This has enabled the production of more focused, timely intelligence.
  • Analytic expertise. Enhancements in analytic training and the increased use of computer-based analytic tools and even simulation are providing greater experience—and therefore expertise—to human analysts.
  • Open source. Increased use of open-source information via commercial providers (e.g., Lexis Nexis™ subscription clipping services to tailored topics) and the Internet has provided an effective source for obtaining background information. This enables special sources and methods to focus on validation of critical implications.
  • Analysis availability. The use of networks continues to expand for both collaboration (between analysts and consumers as well as between analysts) and distribution. This collaboration was enabled by the introduction and expansion of the classified Internet (Intelink) that interconnects the IC [24].
  • Broadened focus. The community has coordinated open panels to discuss, debate, and collaboratively analyze and openly publish strategic perspectives of future security issues. One example is the “Global Trends 2015” report that resulted from a long-term collaboration with academia, the private sector, and topic area experts [25].

2.7 The Future of Intelligence

The two primary dimensions of future threats to national (and global) security include the source (from nation-state actors to non-state actors) and the threat-generating mechanism (continuous results of rational nation-state behaviors to discontinuities in complex world affairs). These threat changes and the contrast in intelligence are summarized in Table 2.4. Notice that these changes coincide with the transition from sensor-centric to network- and knowledge-centric approaches to intelligence introduced in Chapter 1.

intelligence must focus on knowledge creation in an enterprise environment that is prepared to rapidly reinvent itself to adapt to emergent threats.

3 Knowledge Management Processes

KM is the term adopted by the business community in the mid 1990s to describe a wide range of strategies, processes, and disciplines that formalize and integrate an enterprise’s approach to organizing and applying its knowledge assets. Some have wondered what is truly new about the concept of managing knowledge. Indeed, many pure knowledge-based organizations (insurance companies, consultancies, financial management firms, futures brokers, and of course, intelligence organizations) have long “managed” knowledge—and such management processes have been the core competency of the business.

The scope of knowledge required by intelligence organizations has increased in depth and breadth as commerce has networked global markets and world threats have diversified from a monolithic Cold War posture. The global reach of networked information, both open and closed sources, has produced a deluge of data—requiring computing support to help human analysts sort, locate, and combine specific data elements to provide rapid, accurate responses to complex problems. Finally, the formality of the KM field has grown significantly in the past decade—developing theories for valuing, auditing, and managing knowledge as an intellectual asset; strategies for creating, reusing, and leveraging the knowledge asset; processes for conducting collaborative transactions of knowledge among humans and machines; and network information technologies for enabling and accelerating these processes.

3.1 Knowledge and Its Management

In the first chapter, we introduced the growing importance of knowledge as the central resource for competition in both the nation-state and in business. Because of this, the importance of intelligence organizations providing strategic knowledge to public- and private-sector decision makers is paramount. We can summarize this importance of intelligence to the public or private enterprise in three assertions about knowledge.

First, knowledge has become the central asset or resource for competitive advantage. In the Tofflers’ third wave, knowledge displaces capital, labor, and natural resources as the principal reserve of the enterprise. This is true in wealth creation by businesses and in national security and the conduct of warfare for nation-states.

Second, it is asserted that the management of the knowledge resource is more complex than other resources. The valuation and auditing of knowledge is unlike physical labor or natural resources; knowledge is not measured by “head counts” or capital valuation of physical inventories, facilities, or raw materials (like stockpiles of iron ore, fields of cotton, or petroleum reserves). New methods of quantifying the abstract entity of knowledge—both in people and in explicit representations—are required. In order to accomplish this complex challenge, knowledge managers must develop means to capture, store, create, and exchange knowledge, while dealing with the sensitive security issues of knowing when to protect and when to share (the trade-off between the restrictive “need to know” and the collaborative “need to share”).

The third assertion about knowledge is that its management therefore requires a delicate coordination of people, processes, and supporting technologies to achieve the enterprise objectives of security, stability, and growth in a dynamic world:

  • People. KM must deal with cultures and organizational structures that enable and reward the growth of knowledge through collaborative learning, reasoning, and problem solving.
  • Processes. KM must also provide an environment for exchange, discovery, retention, use, and reuse of knowledge across the organization.
  • Technologies. Finally, IT must be applied to enable the people and processes to leverage the intellectual asset of actionable knowledge.

 

Definitions of KM as a formal activity are as diverse as its practitioners (Table 3.1), but all have in common the following general characteristics:

KM is based on a strategy that accepts knowledge as the central resource to achieve business goals and that knowledge—in the minds of its people, embedded in processes, and in explicit representations in knowledge bases—must be regarded as an intellectual form of capital to be leveraged. Organizational values must be coupled with the growth of this capital.

KM involves a process that, like a supply chain, moves from raw materials (data) toward knowledge products. The process is involved in acquiring (data), sorting, filtering, indexing and organizing (information), reasoning (analyzing and synthesizing) to create knowledge, and finally disseminating that knowledge to users. But this supply chain is not a “stovepiped” process (a narrow, vertically integrated and compartmented chain); it horizontally integrates the organization, allowing collaboration across all areas of the enterprise where knowledge sharing provides benefits.

KM embraces a discipline and cultural values that accept the necessity for sharing purpose, values, and knowledge across the enterprise to leverage group diversity and perspectives to promote learning and intellectual problem solving. Collaboration, fully engaged communication and cognition, is required to network the full intellectual power of the enterprise.

The U.S. National Security Agency (NSA) has adopted the following “people-oriented” definition of KM to guide its own intelligence efforts:

Strategies and processes to create, identify, capture, organize and leverage vital skills, information and knowledge to enable people to best accomplish the organizational mission.

The DoD has further recognized that KM is the critical enabler for information superiority:

The ability to achieve and sustain information superiority depends, in large measure, upon the creation and maintenance of reusable knowledge bases; the ability to attract, train, and retain a highly skilled work force proficient in utilizing these knowledge bases; and the development of core business processes designed to capitalize upon these assets.

The processes by which abstract knowledge results in tangible effects can be examined as a net of influences that effect knowledge creation and decision making.

The flow of influences in the figure illustrates the essential contributions of shared knowledge.

  1. Dynamic knowledge. At the central core is a comprehensive and dynamic understanding of the complex (business or national security) situation that confronts the enterprise. This understanding accumulates over time to provide a breadth and depth of shared experience, or organizational memory.
  2. Critical and systems thinking. Situational understanding and accumulated experience enable dynamic modeling to provide forecasts from current situations—supporting the selection of adapting organizational goals. Comprehensive understanding (perception) and thorough evaluation of optional courses of actions (judgment) enhance decision making. As experience accumulates and situational knowledge is refined, critical explicit thinking and tacit sensemaking about current situations and the consequences of future actions is enhanced.
  3. Shared operating picture. Shared pictures of the current situation (common operating picture), past situations and outcomes (experience), and forecasts of future outcomes enable the analytic workforce to collaborate and self-synchronize in problem solving.
  4. Focused knowledge creation. Underlying these functions is a focused data and experience acquisition process that tracks and adapts as the business or security situation changes.

While Figure 3.1 maps the general influences of knowledge on goal setting, judgment, and decision making in an enterprise, an understanding of how knowledge influences a particular enterprise in a particular environment is necessary to develop a KM strategy. Such a strategy seeks to enhance organizational knowledge of these four basic areas as well as information security to protect the intellectual assets,

3.2 Tacit and Explicit Knowledge

In the first chapter, we offered a brief introduction to the hierarchical taxonomy of data, information, and knowledge, but here we must refine our understanding of knowledge and its construct before we delve into the details of management processes.

In this chapter, we distinguish between the knowledge-creation processes within the knowledge-creating hierarchy (Figure 3.2). The hierarchy illustrates the distinctions we make, in common terminology, between explicit (represented and defined) processes and those that are implicit (or tacit; knowledge processes that are unconscious and not readily articulated).

3.2.1 Knowledge As Object

The most common understanding of knowledge is as an object—the accumulation of things perceived, discovered, or learned. From this perspective, data (raw measurements or observations), information (data organized, related, and placed in context), and knowledge (information explained and the underlying processes understood) are also objects. The KM field has adopted two basic distinctions in the categories of knowledge as object:

  1. Explicit knowledge. This is the better known form of knowledge that has been captured and codified in abstract human symbols (e.g., mathematics, logical propositions, and structured and natural language). It is tangible, external (to the human), and logical. This documented knowledge can be stored, repeated, and taught by books because it is impersonal and universal. It is the basis for logical reasoning and, most important of all, it enables knowledge to be communicated electronically and reasoning processes to be automated.
  2. Tacit knowledge. This is the intangible, internal, experiential, and intuitive knowledge that is undocumented and maintained in the human mind. It is a personal knowledge contained in human experience. Philosopher Michael Polanyi pioneered the description of such knowledge in the 1950s, considering the results of Gestalt psychology and the philosophic conflict between moral conscience and scientific skepticism. In The Tacit Dimension, he describes a kind of knowledge that we cannot tell. This tacit knowledge is characterized by intangible factors such as perception, belief, values, skill, “gut” feel, intuition, “know-how,” or instinct; this knowledge is unconsciously internalized and cannot be explicitly described (or captured) without effort.

An understanding of the relationship between knowledge and mind is of particular interest to the intelligence discipline, because these analytic techniques will serve two purposes:

  1. Mind as knowledge manager. Understanding of the processes of exchanging tacit and explicit knowledge will, of course, aid the KM process itself. This understanding will enhance the efficient exchange of knowledge between mind and computer—between internal and external representations.
  2. Mind as intelligence target. Understanding of the complete human processes of reasoning (explicit logical thought) and sensemaking (tacit, emotional insight) will enable more representative modeling of adversarial thought processes. This is required to understand the human mind as an intelligence target—representing perceptions, beliefs, motives, and intentions.

Previously, we have used the terms resource and asset to describe knowledge, but it is not only an object or a commodity to be managed. Knowledge can also be viewed as a dynamic, embedded in processes that lead to action. In the next section, we explore this complementary perspective of knowledge.

3.2.2 Knowledge As Process

Knowledge can also be viewed as the action, or dynamic process of creation, that proceeds from unstructured content to structured understanding. This perspective considers knowledge as action—as knowing. Because knowledge explains the basis for information, it relates static information to a dynamic reality. Knowing is uniquely tied to the creation of meaning.

Karl Weick introduced the term sensemaking to describe the tacit knowing process of retrospective rationality—the method by which individuals and organizations seek to rationally account for things by going back in time to structure events and explanations holistically. We do this, to “make sense” of reality, as we perceive it, and create a base of experience, shared meaning, and understanding.

To model and manage the knowing process of an organization requires attention to both of these aspects of knowledge—one perspective emphasizing cognition, the other emphasizing culture and context. The general knowing process includes four basic phases that can be described in process terms that apply to tacit and explicit knowledge, in human and computer terms, respectively.

  1. Acquisition. This process acquires knowledge by accumulating data through human observation and experience or technical sensing and measurement. The capture of e-mail discussion threads, point-of-sales transactions, or other business data, as well as digital imaging or signals analysis are but examples of the wide diversity of acquisition methods.
  2. Maintenance. Acquired explicit data is represented in a standard form, organized, and stored for subsequent analysis and application in digital databases. Tacit knowledge is stored by humans as experience, skill, or expertise, though it can be elicited and converted to explicit form in terms of accounts, stories (rich explanations), procedures, or explanations.
  3. Transformation. The conversion of data to knowledge and knowledge from one form to another is the creative stage of KM. This knowledge-creation stage involves more complex processes like internalization, intuition, and conceptualization (for internal tacit knowledge) and correlation and analytic-synthetic reasoning (for explicit knowledge). In the next subsection, this process is described in greater detail.
  4. Transfer. The distribution of acquired and created knowledge across the enterprise is the fourth phase. Tacit distribution includes the sharing of experiences, collaboration, stories, demonstrations, and hands-on training. Explicit knowledge is distributed by mathematical, graphical, and textual representations, from magazines and textbooks to electronic media.

the three phases of organizational knowing (focusing on culture) described by Davenport and Prusak in their text Working Knowledge [17]:

  1. Generation. Organizational networks generate knowledge by social processes of sharing, exploring, and creating tacit knowledge (stories, experiences, and concepts) and explicit knowledge (raw data, organized databases, and reports). But these networks must be properly organized for diversity of both experience and perspective and placed under appropriate stress (challenge) to perform. Dedicated cross-functional teams, appropriately supplemented by outside experts and provided a suitable challenge, are the incubators for organizational knowledge generation.
  2. Codification and coordination. Codification explicitly represents generated knowledge and the structure of that knowledge by a mapping process. The map (or ontology) of the organization’s knowledge allows individuals within the organization to locate experts (tacit knowledge holders), databases (of explicit knowledge), and tacit-explicit networks. The coordination process models the dynamic flow of knowledge within the organization and allows the creation of narratives (stories) to exchange tacit knowledge across the organization.
  3. Transfer. Knowledge is transferred within the organization as people interact; this occurs as they are mentored, temporarily exchanged, transferred, or placed in cross-functional teams to experience new perspectives, challenges, or problem-solving approaches.

3.2.3 Knowledge Creation Model

Nonaka and Takeuchi describe four modes of conversion, derived from the possible exchanges between two knowledge types (Figure 3.5):

  1. Tacit to tacit—socialization. Through social interactions, individuals within the organization exchange experiences and mental models, transferring the know-how of skills and expertise. The primary form of transfer is narrative—storytelling—in which rich context is conveyed and subjective understanding is compared, “reexperienced,” and internalized. Classroom training, simulation, observation, mentoring, and on-the-job training (practice) build experience; moreover, these activities also build teams that develop shared experience, vision, and values. The socialization process also allows consumers and producers to share tacit knowledge about needs and capabilities, respectively.
  2. Tacit to explicit—externalization. The articulation and explicit codification of tacit knowledge moves it from the internal to external. This can be done by capturing narration in writing, and then moving to the construction of metaphors, analogies, and ultimately models. Externalization is the creative mode where experience and concept are expressed in explicit concepts—and the effort to express is in itself a creative act. (This mode is found in the creative phase of writing, invention, scientific discovery, and, for the intelligence analyst, hypothesis creation.)
  3. Explicit to explicit—combination. Once explicitly represented, different objects of knowledge can be characterized, indexed, correlated, and combined. This process can be performed by humans or computers and can take on many forms. Intelligence analysts compare multiple accounts, cable reports, and intelligence reports regarding a common subject to derive a combined analysis. Military surveillance systems combine (or fuse) observations from multiple sensors and HUMINT reports to derive aggregate force estimates. Market analysts search (mine) sales databases for patterns of behavior that indicate emerging purchasing trends. Business developers combine market analyses, research and development results, and cost analyses to create strategic plans. These examples illustrate the diversity of the combination processes that combine explicit knowledge.
  4. Explicit to tacit—internalization. Individuals and organizations internalize knowledge by hands-on experience in applying the results of combination. Combined knowledge is tested, evaluated, and results in new tacit experience. New skills and expertise are developed and integrated into the tacit knowledge of individuals and teams.

Nonaka and Takeuchi further showed how these four modes of conversion operate in an unending spiral sequence to create and transfer knowledge throughout the organization.

Organizations that have redundancy of information (in people, processes, and databases) and diversity in their makeup (also in people, processes, and databases) will enhance the ability to move along the spiral. The modes of activity benefit from a diversity of people: socialization requires some who are stronger in dialogue to elicit tacit knowledge from the team; externalization requires others who are skilled in representing knowledge in explicit forms; and internalization benefits from those who experiment, test ideas, and learn from experience, with the new concepts or hypotheses arising from combination.

Organizations can also benefit from creative chaos—changes that punctuate states of organizational equilibrium. These states include static presumptions, entrenched mindsets, and established processes that may have lost validity in a changing environment. Rather than destabilizing the organization, the injection of appropriate chaos can bring new-perspective reflection, reassessment, and renewal of purpose. Such change can restart tacit-explicit knowledge exchange, where the equilibrium has brought it to a halt.

3.3 An Intelligence Use Case Spiral

We follow a distributed crisis intelligence cell, using networked collaboration tools, through one complete spiral cycle to illustrate the spiral. This case is deliberately chosen because it stresses the spiral (no face-to-face interaction by the necessarily distributed team, very short time to interact, the temporary nature of the team, and no common “organizational” membership), yet illustrates clearly the phases of tacit-explicit exchange and the practical insight into actual intelligence-analysis activities provided by the model.

3.3.1 The Situation

The crisis in small but strategic Kryptania emerged rapidly. Vital national interests—security of U.S. citizens, U.S. companies and facilities, and the stability of the fledgling democratic state—were at stake. Subtle but cascading effects in the environment, economy, and political domains triggered the small political liberation front (PLF) to initiate overt acts of terrorism against U.S. citizens, facilities, and embassies in the region while seeking to overthrow the fledgling democratic government.

3.3.2 Socialization

Within 10 hours of the team formation, all members participate in an on-line SBU kickoff meeting (same-time, different-place teleconference collaboration) that introduces all members, describes the group’s intelligence charter and procedures, explains security policy, and details the use of the portal/collaboration workspace created for the team. The team leader briefs the current situation and the issues: areas of uncertainty, gaps in knowledge or collection, needs for information, and possible courses of events that must be better understood. The group is allowed time to exchange views and form their own subgroups on areas of contribution that each individual can bring to the problem. Individuals express concepts for new sources for collection and methods of analysis. In this phase, the dialogue of the team, even though not face to face, is invaluable in rapidly establishing trust and a shared vision for the critical task over the ensuing weeks of the crisis.

3.3.3 Externalization

The initial discussions lead to the creation of initial explicit models of the threat that are developed by various team members and posted on the portal for all to see.

The team collaboratively reviews and refines these models by updating new versions (annotated by contributors) and suggesting new submodels (or linking these models into supermodels). This externalization process codifies the team’s knowledge (beliefs) and speculations (to be evaluated) about the threat. Once externalized, the team can apply the analytic tools on the portal to search for data, link evidence, and construct hypothesis structures. The process also allows the team to draw on support from resources outside the team to conduct supporting collections and searches of databases for evidence to affirm, refine, or refute the models.

3.3.4 Combination

The codified models become archetypes that represent current thinking—current prototype hypotheses formed by the group about the threat (who—their makeup; why—their perceptions, beliefs, intents, and timescales; what—their resources, constraints and limitations, capacity, feasible plans, alternative courses of action, vulnerabilities). This prototype-building process requires the group to structure its arguments about the hypotheses and combine evidence to support its claims. The explicit evidence models are combined into higher level explicit explanations of threat composition, capacity, and behavioral patterns.

Initial (tentative) intelligence products are forming in this phase, and the team begins to articulate these prototype products—resulting in alternative hypotheses and even recommended courses of action.

3.3.5 Internalization

As the evidentiary and explanatory models are developed on the portal, the team members discuss (and argue) over the details, internally struggling with acceptance or rejection of the validity of the various hypotheses. Individual team members search for confirming or refuting evidence in their own areas of expertise and discuss the hypotheses with others on the team or colleagues in their domain of expertise (often expressing them in the form of stories or metaphors) to experience support or refutation. This process allows the members to further refine and develop internal belief and confidence in the predictive aspects of the models. As accumulating evidence over the ensuing days strengthens (or refutes) the hypotheses, the process continues to internalize those explanations that the team has developed that are most accurate; they also internalize confidence in the sources and collaborative processes that were most productive for this ramp-up phase of the crisis situation.

3.3.6 Socialization

As the group periodically reconvenes, the subject focuses away from “what we must do” to the evidentiary and explanatory models that have been produced. The dialogue turns from issues of startup processes to model-refinement processes. The group now socializes around a new level of the problem: Gaps in the models, new problems revealed by the models, and changes in the evolving crisis move the spiral toward new challenges to create knowledge about vulnerabilities in the PLF and supporting networks, specific locations of black propaganda creation and distribution, finances of certain funding organizations, and identification of specific operation cells within the Kryptanian government.

3.3.7 Summary

This example illustrates the emergent processes of knowledge creation over the several-day ramp-up period of a distributed crisis intelligence team.

The full spiral moved from team members socializing to exchange the tacit knowledge of the situation toward the development of explicit representations of their tacit knowledge. These explicit models allowed other supporting resources to be applied (analysts external to the group and online analytic tools) to link further evidence to the models and structure arguments for (or against) the models. As the models developed, team members discussed, challenged, and internalized their understanding of the abstractions, developing confidence and hands-on experience as they tested them against emerging reports and discussed them with team members and colleagues. The confidence and internalized understanding then led to a drive for further dialogue—initializing a second cycle of the spiral.

3.4 Taxonomy of KM

Using the fundamental tacit-explicit distinctions, and the conversion processes of socialization, externalization, internalization, and combination, we can establish a helpful taxonomy of the processes, disciplines, and technologies of the broad KM field applied to the intelligence enterprise. A basic taxonomy that categorizes the breadth of the KM field can be developed by distinguishing three areas of distinct (though very related) activities:

  1. People. The foremost area of KM emphasis is on the development of intellectual capital by people and the application of that knowledge by those people. The principal knowledge-conversion process in this area is socialization, and the focus of improvement is on human operations, training, and human collaborative processes. The basis of collaboration is human networks, known as communities of practice—sharing purpose, values, and knowledge toward a common mission. The barriers that challenge this area of KM are cultural in nature.
  2. Processes. The second KM area focuses on human-computer interaction (HCI) and the processes of externalization and internalization. Tacit-explicit knowledge conversions have required the development of tacit-explicit representation aids in the form of information visualization and analysis tools, thinking aids, and decision support systems. This area of KM focuses on the efficient networking of people and machine processes (such autonomous support processes are referred to as agents) to enable the shared reasoning between groups of people and their agents through computer networks. The barrier to achieving robustness in such KM processes is the difficulty of creating a shared context of knowledge among humans and machines.
  3. Processors. The third KM area is the technological development and implementation of computing networks and processes to enable explicit-explicit combination. Network infrastructures, components, and protocols for representing explicit knowledge are the subject of this fast-moving field. The focus of this technology area is networked computation, and the challenges to collaboration lie in the ability to sustain growth and interoperability of systems and protocols.

 

Because the KM field can also be described by the many domains of expertise (or disciplines of study and practice), we can also distinguish five distinct areas of focus that help describe the field. The first two disciplines view KM as a competence of people and emphasize making people knowledgeable:

  1. Knowledge strategists. Enterprise leaders, such as the chief knowledge officer (CKO), focus on the enterprise mission and values, defining value propositions that assign contributions of knowledge to value (i.e., financial or operational). These leaders develop business models to grow and sustain intellectual capital and to translate that capital into organizational values (e.g., financial growth or organizational performance). KM strategists develop, measure, and reengineer business processes to adapt to the external (business or world) environment.
  2. Knowledge culture developers. Knowledge culture development and sustainment is promoted by those who map organizational knowledge and then create training, learning, and sharing programs to enhance the socialization performance of the organization. This includes the cadre of people who make up the core competencies of the organization (e.g., intelligence analysis, intelligence operations, and collection management). In some organizations a chief learning officer (CLO) is designated this role to oversee enterprise human capital, just as the chief financial officer (CFO) manages (tangible) financial capital.

The next three disciplines view KM as an enterprise capability and emphasize building the infrastructure to make knowledge manageable:

  3. KM applications. Those who apply KM principles and processes to specific business applications create both processes and products (e.g., software application packages) to provide component or end-to-end services in a wide variety of areas listed in Table 3.10. Some commercial KM applications have been sufficiently modularized to allow them to be outsourced to application service providers (ASPs) [20] that “package” and provide KM services on a per-operation (transaction) basis. This allows some enterprises to focus internal KM resources on organizational tacit knowledge while outsourcing architecture, infrastructure, tools, and technology.
  4. Enterprise architecture. Architects of the enterprise integrate people, processes, and IT to implement the KM business model. The architecting process defines business use cases and process models to develop requirements for data warehouses, KM services, network infrastructures, and computation.
  5. KM technology and tools. Technologists and commercial vendors develop the hardware and software components that physically implement the enterprise. Table 3.10 provides only a brief summary of the key categories of technologies that make up this broad area that encompasses virtually all ITs.

3.5 Intelligence As Capital

We have described knowledge as a resource (or commodity) and as a process in previous sections. Another important perspective of both the resource and the process is that of the valuation of knowledge. The value (utility or usefulness) of knowledge is first and foremost quantified by its impact on the user in the real world.

The value of intelligence goes far beyond financial considerations in national and MI application. In these cases, the value of knowledge must be measured in its impact on national interests: the warning time to avert a crisis, the accuracy necessary to deliver a weapon, the completeness to back up a policy decision, or the evidential depth to support an organized criminal conviction. Knowledge, as an abstraction, has no intrinsic value—its value is measured by its impact in the real world.

In financial terms, the valuation of the intangible aspects of knowledge is referred to as capital—intellectual capital. These intangible resources include the personal knowledge, skills, processes, intellectual property, and relationships that can be leveraged to produce assets of equal or greater importance than other organizational resources (land, labor, and capital).

What is this capital value in our representative business? It is comprised of four intangible components:

  1. Customer capital. This is the value of established relationships with customers, such as trust and reputation for quality.

Intelligence tradecraft recognizes this form of capital in the form of credibility with consumers—“the ability to speak to an issue with sufficient authority to be believed and relied upon by the intended audience.”

  2. Innovation capital. Innovation in the form of unique strategies, new concepts, processes, and products based on unique experience forms this second category of capital. In intelligence, new and novel sources and methods for unique problems form this component of intellectual capital.
  3. Process capital. Methodologies and systems or infrastructure (also called structural capital) that are applied by the organization make up its process capital. The processes of collection sources and both collection and analytic methods form a large portion of the intelligence organization’s process (and innovation) capital; they are often fragile (once discovered, they may be forever lost) and are therefore carefully protected.
  4. Human capital. The people, individually and in virtual organizations, comprise the human capital of the organization. Their collective tacit knowledge—expressed as dedication, experience, skill, expertise, and insight—forms this critical intangible resource.

O’Dell and Grayson have defined three fundamental categories of value propositions in If Only We Knew What We Know [23]:

  1. Operational excellence. These value propositions seek to boost revenue by reducing the cost of operations through increased operating efficiencies and productivity. These propositions are associated with business process reengineering (BPR), and even business transformation using electronic commerce methods to revolutionize the operational process. These efforts contribute operational value by raising performance in the operational value chain.
  2. Product-to-market excellence. These propositions value the reduction in the time to market from product inception to product launch. Efforts that achieve these values ensure that new ideas move to development and then to product by accelerating the product development process. This value emphasizes the transformation of the business itself (as explained in Section 1.1).
  3. Customer intimacy. These values seek to increase customer loyalty, customer retention, and customer base expansion by increasing intimacy (understanding, access, trust, and service anticipation) with customers. Actions that accumulate and analyze customer data to reduce selling cost while increasing customer satisfaction contribute to this proposition.

For each value proposition, specific impact measures must be defined to quantify the degree to which the value is achieved. These measures quantify the benefits and utility delivered to stakeholders. Using these measures, the value added by KM processes can be observed along the sequential processes in the business operation. This sequence of processes forms a value chain that adds value from raw materials to delivered product.

Different kinds of measures are recommended for organizations in transition from legacy business models. During periods of change, three phases are recognized [24]. In the first phase, users (i.e., consumers, collection managers, and analysts) must be convinced of the benefits of the new approach, and the measures include metrics as simple as the number of consumers taking training and beginning to use services. In the crossover phase, when users begin to transition to the systems, measures change to usage metrics. Once the system approaches steady-state use, financial-benefit measures are applied. Numerous methods have been defined and applied to describe and quantify economic value, including:

  1. Economic value added (EVA) subtracts cost of capital invested from net operating profit;
  2. Portfolio management approaches treat IT projects as individual investments, computing risks, yields, and benefits for each component of the enterprise portfolio;
  3. Knowledge capital is an aggregate measure of management value added (by knowledge) divided by the price of capital [25];
  4. Intangible asset monitor (IAM) [26] computes value in four categories—tangible capital, intangible human competencies, intangible internal structure, and intangible external structure [27].

The four views of the BSC provide a means of “balancing” the measurement of the major causes and effects of organizational performance but also provide a framework for modeling the organization.

3.6 Intelligence Business Strategy and Models

The commercial community has explored a wide range of business models that apply KM (in the widest sense) to achieve key business objectives. These objectives include enhancing customer service to provide long-term customer satisfaction and retention, expanding access to customers (introducing new products and services, expanding to new markets), increasing efficiency in operations (reduced cost of operations), and introducing new network-based goods and services (eCommerce or eBusiness). All of these objectives can be described by value propositions that couple with business financial performance.

The strategies that leverage KM to achieve these objectives fall into two basic categories. The first emphasizes the use of analysis to understand the value chain from first customer contact to delivery. Understanding the value added to the customer by the transactions (as well as delivered goods and services) allows the producer to increase value to the customer. Values that may be added to intelligence consumers by KM include:

• Service values. Greater value in services is provided to policymakers by anticipating their intelligence needs, earning greater user trust in accuracy and focus of estimates and warnings, and providing more timely delivery of intelligence. Service value is also increased as producers personalize (tailor) and adapt services to the consumer’s interests (needs) as they change.

• Intelligence product values. The value of intelligence products is increased when greater value is “added” by improving accuracy, providing deeper and more robust rationale, focusing conclusions, and building increased consumer confidence (over time).

The second category of strategies (prompted by the eBusiness revolution) seeks to transform the value chain by the introduction of electronic transactions between the customer and retailer. These strategies use network-based advertising, ordering, and even delivery (for information services like banking, investment, and news) to reduce the “friction” of physical-world retailer-customer

These strategies introduce several benefits—all applicable to intelligence:

  • Disintermediation. This is the elimination of intermediate processes and entities between the customer and producer to reduce transaction friction. This friction adds cost and increases the difficulty for buyers to locate sellers (cost of advertising), for buyers to evaluate products (cost of travel and shopping), for buyers to purchase products (cost of sales) and for sellers to maintain local inventories (cost of delivery). The elimination of “middlemen” (e.g., wholesalers, distributors, and local retailers) in eRetailers such as Amazon.com has reduced transaction and intermediate costs and allowed direct transaction and delivery from producer to customer with only the eRetailer in between. The effect of disintermediation in intelligence is to give users greater and more immediate access to intelligence products (via networks such as the U.S. Intelink) and to analysis services via intelligence portals that span all sources of intelligence.
  • Infomediation. The effect of disintermediation has introduced the role of the information broker (infomediary) between customer and seller, providing navigation services (e.g., shopping agents or auctioning and negotiating agents) that act on the behalf of customers [31]. Intelligence communities are moving toward greater cross-functional collection management and analysis, reducing the stovepiped organization of intelligence by collection disciplines (i.e., imagery, signals, and human sources). As this happens, the traditional analysis role requires a higher level of infomediation and greater automation because the analyst is expected (by consumers) to become a broker across a wider range of intelligence sources (including closed and open sources).
  • Customer aggregation. The networking of customers to producers allows rapid analysis of customer actions (e.g., queries for information, browsing through catalogs of products, and purchasing decisions based on information). This analysis enables the producers to better understand customers, aggregate their behavior patterns, and react to (and perhaps anticipate) customer needs. Commercial businesses use these capabilities to measure individual customer patterns and mass market trends to more effectively personalize and target sales and new product developments. Intelligence producers likewise are enabled to analyze warfighter and policymaker needs and uses of intelligence to adapt and tailor products and services to changing security threats.

 

These value chain transformation strategies have produced a simple taxonomy to distinguish eBusiness models into four categories by the level of transaction between businesses and customers:

  1. Business to business (B2B). The large volume of trade between businesses (e.g., suppliers and manufacturers) has been enhanced by network-based transactions (releases of specifications, requests for quotations, and bid responses) reducing the friction between suppliers and producers. High-volume manufacturing industries such as the automakers are implementing B2B models to increase competition among suppliers and reduce bid-quote-purchase transaction friction.
  2. Business to customer (B2C). Direct networked outreach from producer to consumer has enabled the personal computer (e.g., Dell Computer) and book distribution (e.g., Amazon.com) industries to disintermediate local retailers and reach out on a global scale directly to customers. Similarly, intelligence products are now being delivered (pushed) to consumers on secure electronic networks, via subscription and express order services, analogous to the B2B model.
  3. Customer to business (C2B). Networks also allow customers to reach out to a wider range of businesses to gain greater competitive advantage in seeking products and services.

The introduction of secure intelligence networks and on-line intelligence product libraries (e.g., common operating picture and map and imagery libraries) allows consumers to pull intelligence from a broader range of sources. (This model enables even greater competition between source providers and provides a means of measuring some aspects of intelligence utility based on actual use of product types.)

  4. Customer to customer (C2C). The C2C model automates the mediation process between consumers, enabling consumers to locate those with similar purchasing-selling interests.

3.7 Intelligence Enterprise Architecture and Applications

Just like commercial businesses, intelligence enterprises:

  • Measure and report to stakeholders the returns on investment. These returns are measured in terms of intelligence performance (i.e., knowledge provided, accuracy and timeliness of delivery, and completeness and sufficiency for decision making) and outcomes (i.e., effects of warnings provided, results of decisions based on knowledge delivered, and utility to set long-term policies).
  • Service customers, the intelligence consumers. This is done by providing goods (intelligence products such as reports, warnings, analyses, and target folders) and services (directed collections and analyses or tailored portals on intelligence subjects pertinent to the consumers).
  • Require intimate understanding of business operations and must adapt those operations to the changing threat environment, just as businesses must adapt to changing markets.
  • Manage a supply chain that involves the anticipation of future needs of customers, the adjustment of the delivery of raw materials (intelligence collections), the production of custom products to a diverse customer base, and the delivery of products to customers just in time [33].

3.7.1 Customer Relationship Management

CRM processes that build and maintain customer loyalty focus on managing the relationship between provider and consumer. The short-term goal is customer satisfaction; the long-term goal is loyalty. Intelligence CRM seeks to provide intelligence content to consumers that anticipates their needs, focuses on the specific information that supports their decision making, and provides drill down to supporting rationale and data behind all conclusions. In order to accomplish this, the consumer-producer relationship must be fully described in models that include:

  • Consumer needs and uses of intelligence—applications of intelligence for decision making, key areas of customer uncertainty and lack of knowledge, and specific impact of intelligence on the consumer’s decision making;
  • Consumer transactions—the specific actions that occur between the enterprise and intelligence consumers, including urgent requests, subscriptions (standing orders) for information, incremental and final report deliveries, requests for clarifications, and issuances of alerts.

CRM offers the potential to personalize intelligence delivery to individual decision makers while tracking their changing interests as they browse subject offerings and issue requests through their own custom portals.

3.7.2 Supply Chain Management

The SCM function monitors and controls the flow of the supply chain, providing internal control of planning, scheduling, inventory control, processing, and delivery.

SCM is the core of B2B business models, seeking to integrate front-end suppliers into an extended supply chain that optimizes the entire production process to slash inventory levels, improve on-time delivery, and reduce the order-to-delivery (and payment) cycle time. In addition to throughput efficiency, the B2B models seek to aggregate orders to leverage the supply chain to gain greater purchasing power, translating larger orders to reduced prices. The key impact measures sought by SCM implementations include:

  • Cash-to-cash cycle time (time from order placement to delivery/payment);
  • Delivery performance (percentage of orders fulfilled on or before request date);
  • Initial fill rate (percentage of orders shipped in supplier’s first shipment);
  • Initial order lead time (supplier response time to fulfill order);
  • On-time receipt performance (percentage of supplier orders received on time).

Like the commercial manufacturer, the intelligence enterprise operates a supply chain that “manufactures” all-source intelligence products from raw sources of intelligence data and relies on single-source suppliers (i.e., imagery, signals, or human reports).

3.7.3 Business Intelligence

The BI function provides all levels of the organization with relevant information on internal operations and the external business environment (via marketing) to be exploited (analyzed and applied) to gain a competitive advantage. The BI function serves to provide strategic insight into overall enterprise operations based on ready access to operating data.

The emphasis of BI is on explicit data capture, storage, and analysis; through the 1990s, BI was the predominant driver for the implementation of corporate data warehouses, and the development of online analytic processing (OLAP) tools. (BI preceded KM concepts, and the subsequent introduction of broader KM concepts added the complementary need for capture and analysis of tacit and explicit knowledge throughout the enterprise.)

The intelligence BI function should collect and analyze real-time workflow data to provide answers to questions such as:

  • What are the relative volumes of requests (for intelligence) by type?
  • What is the “cost” of each category of intelligence product?
  • What are the relative transaction costs of each stage in the supply chain?
  • What are the trends in usage (by consumers) of all forms of intelligence over the past 12 months? Over the past 6 months? Over the past week?
  • Which single sources of incoming intelligence (e.g., SIGINT, IMINT, and MASINT) have greatest utility in all-source products, by product category?

Like its commercial counterparts, the intelligence BI function should not only track the operational flows, it should also track the history of operational decisions—and their effects.

Both operational and decision-making data should be able to be conveniently navigated and analyzed to provide timely operational insight to senior leadership who often ask the question, “What is the cost of a pound of intelligence?”

3.8 Summary

KM provides a strategy and organizational discipline for integrating people, processes, and IT into an effective enterprise.

As noted by Tom Davenport, a leading observer of the discipline:

The first generation of knowledge management within enterprises emphasized the “supply side” of knowledge: acquisition, storage, and dissemination of business operations and customer data. In this phase knowledge was treated much like physical resources and implementation approaches focused on building “warehouses” and “channels” for supply processing and distribution. This phase paid great attention to systems, technology and infrastructure; the focus was on acquiring, accumulating and distributing explicit knowledge in the enterprise [35].

Second generation KM emphasis has turned attention to the demand side of the knowledge economy—seeking to identify value in the collected data to allow the enterprise to add value from the knowledge base, enhance the knowledge spiral, and accelerate innovation. This generation has brought more focus to people (the organization) and the value of tacit knowledge; the issues of sustainable knowledge creation and dissipation throughout the organization are emphasized in this phase. The attention in this generation has moved from understanding knowledge systems to understanding knowledge workers. The third generation to come may be that of KM innovation, in which the knowledge process is viewed as a complete life cycle within the organization, and the emphasis will turn to revolutionizing the organization and reducing the knowledge cycle time to adapt to an ever-changing world environment.

 

4 The Knowledge-Based Intelligence Organization

National intelligence organizations following World War II were characterized by compartmentalization (insulated specialization for security purposes) that required individual learning, critical analytic thinking, and problem solving by small, specialized teams working in parallel (stovepipes or silos). These stovepipes were organized under hierarchical organizations that exercised central control. The approach was appropriate for the centralized organizations and bipolar security problems of the relatively static Cold War, but the global breadth and rapid dynamics of twenty-first century intelligence problems require more agile networked organizations that apply organization-wide collaboration to replace the compartmentalization of the past. Founded on the virtues of integrity and trust, the disciplines of organizational collaboration, learning, and problem solving must be developed to support distributed intelligence collection, analysis, and production.

This chapter focuses on the most critical factor in organizational knowledge creation—the people, their values, and organizational disciplines. The chapter is structured to proceed from foundational virtues, structures, and communities of practice (Section 4.1) to the four organizational disciplines that support the knowledge creation process: learning, collaboration, problem solving, and best practices—called intelligence tradecraft.

The people perspective of KM presented in this chapter can be contrasted with the process and technology perspectives (Table 4.1) in five ways:

  1. Enterprise focus. The focus is on the values, virtues, and mission shared by the people in the organization.
  2. Knowledge transaction. Socialization, the sharing of tacit knowledge by methods such as story and dialogue, is the essential mode of transaction between people for collective learning, or collaboration to solve problems.
  3. The basis for human collaboration lies in shared purpose, values, and a common trust.
  4. A culture of trust develops communities that share their best practices and experiences; collaborative problem solving enables the growth of the trusting culture.
  5. The greatest barrier to collaboration is the inability of an organization’s culture to transform and embrace the sharing of values, virtues, and disciplines.

The numerous implementation failures of early-generation KM enterprises have most often occurred because organizations have not embraced the new business models introduced, nor have they used the new systems to collaborate. As a result, these KM implementations have failed to deliver the intellectual capital promised. These cases were generally not failures of process, technology, or infrastructure; rather, they were failures of organizational culture change to embrace the new organizational model. In particular, they failed to address the cultural barriers to organizational knowledge sharing, learning, and problem solving.

Numerous texts have examined these implementation challenges, and all have emphasized that organizational transformation must precede KM system implementations.

4.1 Virtues and Disciplines of the Knowledge-Based Organization

At the core of an agile knowledge-based intelligence organization is the ability to sustain the creation of organizational knowledge through learning and collaboration. Underlying effective collaboration are values and virtues that are shared by all. The U.S. IC, recognizing the need for such agility as its threat environment changes, has adopted knowledge-based organizational goals as the first two of five objectives in its Strategic Intent:

  • Unify the community through collaborative processes. This includes the implementation of training and business processes to develop an inter-agency collaborative culture and the deployment of supporting technologies.
  • Invest in people and knowledge. This area includes the assessment of customer needs and the conduct of events (training, exercises, experiments, and conferences/seminars) to develop communities of practice and build expertise in the staff to meet those needs. Supporting infrastructure developments include the integration of collaborative networks and shared knowledge bases.

Clearly identified organizational propositions of values and virtues (e.g., integrity and trust) shared by all enable knowledge sharing—and form the basis for organizational learning, collaboration, problem solving, and best-practices (intelligence tradecraft) development introduced in this chapter. This is a necessary precedent before KM infrastructure and technology is introduced to the organization. The intensely human values, virtues, and disciplines introduced in the following sections are essential and foundational to building an intelligence organization whose business processes are based on the value of shared knowledge.

4.1.1 Establishing Organizational Values and Virtues

The foundation of all organizational discipline (ordered, self-controlled, and structured behavior) is a common purpose and set of values shared by all. For an organization to pursue a common purpose, the individual members must conform to a common standard and a common set of ideals for group conduct.

The knowledge-based intelligence organization is a society that requires virtuous behavior of its members to enable collaboration. Dorothy Leonard-Barton, in Wellsprings of Knowledge, distinguishes two categories of values: those that relate to basic human nature and those that relate to performance of the task. In the first category are big V values (also called moral virtues) that include basic human traits such as personal integrity (consistency, honesty, and reliability), truthfulness, and trustworthiness. For the knowledge worker’s task, the second category (of little v values) includes those values long sought by philosophers to arrive at knowledge or justify true belief. Some epistemologies define intellectual virtue as the foundation of knowledge: Knowledge is a state of belief arising out of intellectual virtue. Intellectual virtues include organizational conformity to a standard of right conduct in the exchange of ideas, in reasoning and in judgment.

Organizational integrity is dependent upon the individual integrity of all contributors—as participants cooperate and collaborate around a central purpose, the virtue of trust (built upon shared trustworthiness of individuals) opens the doors of sharing and exchange. Essential to this process is the development of networks of conversations that are built on communication transactions (e.g., assertions, declarations, queries, or offers) that are ultimately based in personal commitments. Ultimately, the virtue of organizational wisdom—seeking the highest goal by the best means—must be embraced by the entire organization recognizing a common purpose.

Trust and cooperative knowledge sharing must also be complemented by an objective openness. Groups that place consensus over objectivity become subject to certain dangerous decision-making errors.

4.1.2 Mapping the Structures of Organizational Knowledge

Every organization has a structure and flow of knowledge—a knowledge environment or ecology (emphasizing the self-organizing and balancing characteristics of organizational knowledge networks). The overall process of studying and characterizing this environment is referred to as mapping—explicitly representing the network of nodes (competencies) and links (relationships, knowledge flow paths) within the organization. The fundamental role of KM organizational analysis is the mapping of knowledge within an existing organization.

The knowledge mapping identifies the intangible tacit assets of the organization. The mapping process is conducted by a variety of means: passive observation (where the analyst works within the community), active interviewing, formal questionnaires, and analysis. As an ethnographic research activity, the mapping analyst seeks to understand the unspoken, informal flows and sources of knowledge in the day-to-day operations of the organization. The five stages of mapping (Figure 4.1) must be conducted in partnership with the owners, users, and KM implementers.

The first phase is the definition of the formal organization chart—the formal flows of authority, command, reports, intranet collaboration, and information systems reporting. In this phase, the boundaries, or focus of mapping interest, are established. The second phase audits (identifies, enumerates, and quantifies as appropriate) the following characteristics of the organization:

  1. Knowledge sources—the people and systems that produce and articulate knowledge in the form of conversation, developed skills, reports, implemented (but perhaps not documented) processes, and databases.
  2. Knowledge flowpaths—the flows of knowledge, tacit and explicit, formal and informal. These paths can be identified by analyzing the transactions between people and systems; the participants in the transactions provide insight into the organizational network structure by which knowledge is created, stored, and applied. The analysis must distinguish between seekers and providers of knowledge and their relationships (e.g., trust, shared understanding, or cultural compatibility) and mutual benefits in the transaction.
  3. Boundaries and constraints—the boundaries and barriers that control, guide, or constrict the creation and flow of knowledge. These may include cultural, political (policy), personal, or electronic system characteristics or incompatibilities.
  4. Knowledge repositories—the means of maintaining organizational knowledge, including tacit repositories (e.g., communities of experts that share experience about a common practice) and explicit storage (e.g., legacy hardcopy reports in library holdings, databases, or data warehouses).

Once audited, the audit data is organized in the third phase by clustering the categories of knowledge, nodes (sources and sinks), and links unique to the organization. The structure of this organization, usually a table or a spreadsheet, provides insight into the categories of knowledge, transactions, and flow paths; it provides a format to review with organization members to convey initial results, make corrections, and refine the audit. This phase also provides the foundation for quantifying the intellectual capital of the organization, and the audit categories should follow the categories of the intellectual capital accounting method adopted.

The fourth phase, mapping, transforms the organized data into a structure (often, but not necessarily, graphical) that explicitly identifies the current knowledge network. Explicit and tacit knowledge flows and repositories are distinguished, as well as the social networks that support them. This process of visualizing the structure may also identify clusters of expertise, gaps in the flows, chokepoints, as well as areas of best (and worst) practices within the network.

Once the organization’s current structure is understood, the structure can be compared to similar structures in other organizations by benchmarking in the final phase. Benchmarking is the process of identifying, learning, and adapting outstanding practices and processes from any organization, anywhere in the world, to help an organization improve its performance. Benchmarking gathers the tacit knowledge—the know-how, judgments, and enablers—that explicit knowledge often misses. This process allows the exchange of quantitative performance data and qualitative best-practice knowledge to be shared and compared with similar organizations to explore areas for potential improvement and potential risks.

Because the repository provides a pointer to the originating authors, it also provides critical pointers to people, or a directory that identifies people within the agency with experience and expertise by subject.

4.1.3 Identifying Communities of Organizational Practice

A critical result of any mapping analysis is the identification of the clusters of individuals who constitute formal and informal groups that create, share, and maintain tacit knowledge on subjects of common interest.

The functional workgroup benefits from stability, established responsibilities, processes and storage, and high potential for sharing. Functional workgroups provide the high-volume knowledge production of the organization but lack the agility to respond to projects and crises.

Cross-functional project teams are shorter term project groups that can be formed rapidly (and dismissed just as rapidly) to solve special intelligence problems, maintain special surveillance watches, prepare for threats, or respond to crises. These groups include individuals from all appropriate functional disciplines—with the diversity often characteristic of the makeup of the larger organization, but on a small scale—with reach back to expertise in functional departments.

KM researchers have recognized that such organized communities provide a significant contribution to organizational learning by providing a forum for:

  • Sharing current problems and issues;
  • Capturing tacit experience and building repositories of best practices;
  • Linking individuals with similar problems, knowledge, and experience;
  • Mentoring new entrants to the community and other interested parties.

Because participation in communities of practice is based on individual interest, not organizational assignment, these communities may extend beyond the duration of temporary assignments and cut across organizational boundaries.

The activities of working, learning, and innovating have traditionally been treated as independent (and conflicting) activities performed in the office, in the classroom, and in the lab. However, studies by John Seely Brown, chief scientist of Xerox PARC, have indicated that once these activities are unified in communities of practice, they have the potential to significantly enhance knowledge transfer and creation.

4.1.4 Initiating KM Projects

The knowledge mapping and benchmarking process must precede implementation of KM initiatives, forming the understanding of current competencies and processes and the baseline for measuring any benefits of change. KM implementation plans within intelligence organizations generally consider four components, framed by the kind of knowledge being addressed and the areas of investment in KM initiatives:

  1. Organizational competencies. The first area includes assessment of workforce competencies and forms the basis of an intellectual capital audit of human capital. This area also includes the capture of best practices (the intelligence business processes, or tradecraft) and the development of core competencies through training and education. This assessment forms the basis of intellectual capital audit.
  2. Social collaboration. Initiatives in this area enforce established face-to-face communities of practice and develop new communities. These activities enhance the socialization process through meetings and media (e.g., newsletters, reports, and directories).
  3. KM networks. Infrastructure initiatives implement networks (e.g., corporate intranets) and processes (e.g., databases, groupware, applications, and analytic tools) to provide for the capture and exchange of explicit knowledge.
  4. Virtual collaboration. The emphasis in this area is applying technology to create connectivity among and between communities of practice. Intranets and collaboration groupware (discussed in Section 4.3.2) enable collaboration at different times and places for virtual teams—and provide the ability to identify and introduce communities with similar interests that may be unaware of each other.

4.1.5 Communicating Tacit Knowledge by Storytelling

The KM community has recognized the strength of narrative communication—dialogue and storytelling—to communicate the values, emotion (feelings, passion), and sense of immersed experience that make up personalized, tacit knowledge.

 

The introduction of KM initiatives can bring significant organizational change because it may require cultural transitions in several areas:

  • Changes in purpose, values, and collaborative virtues;
  • Construction of new social networks of trust and communication;
  • Organizational structure changes (networks replace hierarchies);
  • Business process agility, resulting in a new culture of continual change (training to adopt new procedures and to create new products).

All of these changes require participation by the workforce and the communication of tacit knowledge across the organization.

Storytelling provides a complement to abstract, analytical thinking and communication, allowing humans to share experience, insight, and issues (e.g., unarticulated concerns about evidence expressed as “negative feelings,” or general “impressions” about repeated events not yet explicitly defined as threat patterns).

The organic school of KM that applies storytelling to cultural transformation emphasizes a human behavioral approach to organizational socialization, accepting the organization as a complex ecology that may be changed in a large way by small effects.

These effects include the use of a powerful, effective story that communicates in a way that spreads credible tacit knowledge across the entire organization.

This school classifies tacit knowledge into artifacts, skills, heuristics, experience, and natural talents (the so-called ASHEN classification of tacit knowledge) and categorizes an organization’s tacit knowledge in these classes to understand the flow within informal communities.

Nurturing informal sharing within secure communities of practice and distinguishing such sharing from formal sharing (e.g., shared data, best practices, or eLearning) enables the rich exchange of tacit knowledge when creative ideas are fragile and emergent.

4.2 Organizational Learning

Senge asserted that the fundamental distinction between traditional controlling organizations and adaptive self-learning organizations lies in five key disciplines, including both virtues (commitment to personal and team learning, vision sharing, and organizational trust) and skills (developing holistic thinking, team learning, and tacit mental model sharing). Senge’s core disciplines, moving from the individual to organizational disciplines, included:

• Personal mastery. Individuals must be committed to lifelong learning toward the end of personal and organization growth. The desire to learn must be to seek a clarification of one’s personal vision and role within the organization.

• Systems thinking. Senge emphasized holistic thinking, the approach for high-level study of life situations as complex systems. An element of learning is the ability to study interrelationships within complex dynamic systems and explore and learn to recognize high-level patterns of emergent behavior.

• Mental models. Senge recognized the importance of tacit knowledge (mental, rather than explicit, models) and its communication through the process of socialization. The learning organization builds shared mental models by sharing tacit knowledge in the storytelling process and the planning process. Senge emphasized planning as a tacit-knowledge sharing process that causes individuals to envision, articulate, and share solutions—creating a common understanding of goals, issues, alternatives, and solutions.

• Shared vision. The organization that shares a collective aspiration must learn to link together personal visions without conflicts or competition, creating a shared commitment to a common organizational goal set.

• Team learning. Finally, a learning organization acknowledges and understands the diversity of its makeup—and adapts its behaviors, patterns of interaction, and dialogue to enable growth in personal and organizational knowledge.

It is important, here, to distinguish the kind of transformational learning that Senge was referring to (which brings cultural change across an entire organization), from the smaller scale group learning that takes place when an intelligence team or cell conducts a long-term study or must rapidly “get up to speed” on a new subject or crisis.

4.2.1 Defining and Measuring Learning

The process of group learning and personal mastery requires the development of both reasoning and emotional skills. The level of learning achievement can be assessed by the degree to which those skills have been acquired.

The taxonomy of cognitive and affective skills can be related to explicit and tacit knowledge categories, respectively, to provide a helpful scale for measuring the level of knowledge achieved by an individual or group on a particular subject.

4.2.2 Organizational Knowledge Maturity Measurement

The goal of organizational learning is the development of maturity at the organizational level—a measure of the state of an organization’s knowledge about its domain of operations and its ability to continuously apply that knowledge to increase corporate value to achieve business goals.

Carnegie-Mellon University Software Engineering Institute has defined a five-level People Capability Maturity Model® (P-CMM®) that distinguishes five levels of organizational maturity, which can be measured to assess and quantify the maturity of the workforce and its organizational KM performance. The P-CMM® framework can be applied, for example, to an intelligence organization’s analytic unit to measure current maturity and develop strategy to increase to higher levels of performance. The levels are successive plateaus of practice, each building on the preceding foundation.

4.2.3 Learning Modes

4.2.3.1 Informal Learning

We gain experience by informal modes of learning on the job alone, with mentors, team members, or while mentoring others. The methods of informal learning are as broad as the methods of exchanging knowledge introduced in the last chapter. But the essence of the learning organization is the ability to translate what has been learned into changed organizational behavior. David Garvin has identified five fundamental organizational methodologies that are essential to implementing the feedback from learning to change; all have direct application in an intelligence organization.

  1. Systematic problem solving. Organizations require a clearly defined methodology for describing and solving problems, and then for implementing the solutions across the organization. Methods for acquiring and analyzing data, synthesizing hypotheses, and testing new ideas must be understood by all to permit collaborative problem solving. The process must also allow for the communication of lessons learned and best practices developed (the intelligence tradecraft) across the organization.
  2. Experimentation. As the external environment changes, the organization must be enabled to explore changes in the intelligence process. This is done by conducting experiments that take excursions from the normal processes to attack new problems and evaluate alternative tools and methods, data sources, or technologies. A formal policy to encourage experimentation, with the acknowledgment that some experiments will fail, allows new ideas to be tested, adapted, and adopted in the normal course of business, not as special exceptions. Experimentation can be performed within ongoing programs (e.g., use of new analytic tools by an intelligence cell) or in demonstration programs dedicated to exploring entirely new ways of conducting analysis (e.g., the creation of a dedicated Web-based pilot project independent of normal operations and dedicated to a particular intelligence subject domain).
  3. Internal experience. As collaborating teams solve a diversity of intelligence problems, experimenting with new sources and methods, the lessons that are learned must be exchanged and applied across the organization. This process of explicitly codifying lessons learned and making them widely available for others to adopt seems trivial, but in practice requires significant organizational discipline. One of the great values of communities of common practice is their informal exchange of lessons learned; organizations need such communities and must support formal methods that reach beyond these communities. Learning organizations take the time to elicit the lessons from project teams and explicitly record (index and store) them for access and application across the organization. Such databases allow users to locate teams with similar problems and lessons learned from experimentation, such as approaches that succeeded and failed, expected performance levels, and best data sources and methods.
  4. External sources of comparison. While the lessons learned just described applied to self learning, intelligence organizations must look to external sources (in the commercial world, academia, and other cooperating intelligence organizations) to gain different perspectives and experiences not possible within their own organizations. A wide variety of methods can be employed to secure the knowledge from external perspectives, such as making acquisitions (in the business world), establishing strategic relationships, the use of consultants, and establishing consortia. The process of sharing, then critically comparing qualitative and quantitative data about processes and performance across organizations (or units within a large organization), enables leaders and process owners to objectively review the relative effectiveness of alternative approaches. Benchmarking is the process of improving performance by continuously identifying, understanding, and adapting outstanding practices and processes found inside and outside the organization [23]. The benchmarking process is an analytic process that requires compared processes to be modeled, quantitatively measured, deeply understood, and objectively evaluated. The insight gained is an understanding of how best performance is achieved; the knowledge is then leveraged to predict the impact of improvements on overall organizational performance.
  5. Transferring knowledge. Finally, an intelligence organization must develop the means to transfer people (tacit transfer of skills, experience, and passion by rotation, mentoring, and integrating process teams) and processes (explicit transfer of data, information, business processes on networks) within the organization. In Working Knowledge [24], Davenport and Prusak point out that spontaneous, unstructured knowledge exchange (e.g., discussions at the water cooler, exchanges among informal communities of interest, and discussions at periodic knowledge fairs) is vital to an organization’s success, and the organization must adopt strategies to encourage such sharing.

4.2.3.2 Formal Learning

In addition to informal learning, formal modes provide the classical introduction to subject-matter knowledge.

Information technologies have enabled four distinct learning modes that are defined by distinguishing both the time and space of interaction between the learner and the instructor:

  1. Residential learning (RL). Traditional residential learning places the students and instructor in the physical classroom at the same time and place. This proximity allows direct interaction between the student and instructor and allows the instructor to tailor the material to the students.
  2. Distance learning remote (DL-remote). Remote distance learning provides live transmission of the instruction to multiple, distributed locations. The mode effectively extends the classroom across space to reach a wider student audience. Two-way audio and video can permit limited interaction between extended classrooms and the instructor.
  3. Distance learning canned (DL-canned). This mode simply packages (or cans) the instruction in some media for later presentation at the student’s convenience (e.g., traditional hardcopy texts, recorded audio or video, or softcopy materials on compact discs). DL-canned materials include computer-based training courseware that has built-in features to interact with the student to test comprehension, adaptively present material to meet a student’s learning style, and link to supplementary materials on the Internet.
  4. Distance learning collaborative (DL-collaborative). The collaborative mode of learning (often described as e-learning) integrates canned material while allowing on-line asynchronous interaction between the student and the instructor (e.g., via e-mail, chat, or videoconference). Collaboration may also occur between the student and software agents (personal coaches) that monitor progress, offer feedback, and recommend effective paths to on-line knowledge.

4.3 Organizational Collaboration

The knowledge-creation process of socialization occurs as communities (or teams) of people collaborate (commit to communicate, share, and diffuse knowledge) to achieve a common purpose.

Collaboration is a stronger term than cooperation because participants are formed around and committed to a common purpose, and all participate in shared activity to achieve the end. If a problem is parsed into independent pieces (e.g., financial analysis, technology analysis, and political analysis), cooperation may be necessary—but not collaboration. At the heart of collaboration is intimate participation by all in the creation of the whole—not in cooperating to merely contribute individual parts to the whole.

 

Collaboration is widely believed to have the potential to perform a wide range of functions together:

  • Coordinate tasking and workflow to meet shared goals;
  • Share information, beliefs, and concepts;
  • Perform cooperative problem-solving analysis and synthesis;
  • Perform cooperative decision making;
  • Author team reports of decisions and rationale.

This process of collaboration requires a team (two or more) of individuals that shares a common purpose, enjoys mutual respect and trust, and has an established process to allow the collaboration process to take place. Four levels (or degrees) of intelligence collaboration can be distinguished, moving toward increasing degrees of interaction and dependence among team members.

Sociologists have studied the sequence of collaborative groups as they move from inception to decision commitment. Decision emergence theory (DET) defines four stages of collaborative decision making within an individual group: orientation of all members to a common perspective; conflict, during which alternatives are compared and competed; emergence of collaborative alternatives; and finally reinforcement, when members develop consensus and commitment to the group decisions.

4.3.1 Collaborative Culture

First among the means to achieve collaboration is the creation of a collaborating culture—a culture that shares the belief that collaboration (as opposed to competition or other models) is the best approach to achieve a shared goal and that shares a commitment to collaborate to achieve organizational goals.

The collaborative culture must also recognize that teams are heterogeneous in nature. Team members have different tacit (experience, personality style) and cognitive (reasoning style) preferences that influence their unique approach to participating in the collaborative process.

The mix of personalities within a team must be acknowledged and rules of collaborative engagement (and even groupware) must be adapted to allow each member to contribute within the constraints and strengths of their individual styles.

Collaboration facilitators may use Myers-Briggs or other categorization schemes to analyze a particular team’s structure to assess the team’s strengths, weaknesses, and overall balance.

4.3.2 Collaborative Environments

Collaborative environments describe the physical, temporal, and functional setting within which organizations interact.

4.3.3 Collaborative Intelligence Workflow

The representative team includes:

• Intelligence consumer. The State Department personnel requesting the analysis define high-level requirements and are the ultimate customers for the intelligence product. They specify what information is needed: the scope or breadth of coverage, the level of depth, the accuracy required, and the timeframe necessary for policy making.

• All-source analytic cell. The all-source analysis cell, which may be a distributed virtual team across several different organizations, has the responsibility to produce the intelligence product and certify its accuracy.

• Single-source analysts. Open-source and technical-source analysts (e.g., imagery, signals, or MASINT) are specialists that analyze the raw data collected as a result of special tasking; they deliver reports to the all-source team and certify the conclusions of special analysis.

• Collection managers. The collection managers translate all-source requests for essential information (e.g., surveillance of shipping lines, identification of organizations, or financial data) into specific collection tasks (e.g., schedules, collection parameters, and coordination between different sources). They provide the all-source team with a status of their ability to satisfy the team’s requests.

4.3.3.3 The Collaboration Paths

  1. Problem statement. Interacting with the all-source analytic leader (LDR)—and all-source analysts on the analytic team—the problem is articulated in terms of scope (e.g., area of world, focus nations, and expected depth and accuracy of estimates), needs (e.g., specific questions that must be answered and policy issues), urgency (e.g., time to first results and final products), and expected format of results (e.g., product as emergent results portal or softcopy document).
  2. Problem refinement. The analytic leader (LDR) frames the problem with an explicit description of the consumer requirements and intelligence reporting needs. This description, once approved by the consumer, forms the terms of reference for the activity. The problem statement-refinement loop may be iterated as the situation changes or as intelligence reveals new issues to be studied.
  3. Information requests to collection tasking. Based on the requirements, the analytic team decomposes the problem to deduce specific elements of information needed to model and understand the level of trafficking. (The decomposition process was described earlier in Section 2.4.) The LDR provides these intelligence data requirements to the collection manager (CM) to prepare a collection plan. This planning requires the translation of information needs to a coordinated set of data-collection tasks for humans and technical collection systems. The CM prepares a collection plan that traces planned collection data and means to the analytic team’s information requirements.
  4. Collection refinement. The collection plan is fed back to the LDR to allow the analytic team to verify the completeness and sufficiency of the plan—and to allow a review of any constraints (e.g., limits to coverage, depth, or specificity) or the availability of previously collected relevant data. The information request–collection planning and refinement loop iterates as the situation changes and as the intelligence analysis proceeds. The value of different sources, the benefits of coordinated collection, and other factors are learned by the analytic team as the analysis proceeds, causing adjustments to the collection plan to satisfy information needs.
  5. Cross cueing. The single-source analysts acquire data by searching existing archived data and open sources and by receiving data produced by special collections tasked by the CM. Single-source analysts perform source-unique analysis (e.g., imagery analysis; open-source foreign news report, broadcast translation, and analysis; and human report analysis). As the single-source analysts gain an understanding of the timing of event data, and the relationships between data observed across the two domains, the single-source analysts share these temporal and functional relationships. The cross-cueing collaboration includes one analyst cueing the other to search for corroborating evidence in another domain; one analyst cueing the other to a possible correlated event; or both analysts recommending tasking for the CM to coordinate a special collection to obtain time or functionally correlated data on a specific target. It is important to note that this cross-cueing collaboration, shown here at the single-source analysis level, is also performed within the all-source analysis unit (8), where more subtle cross-source relations may be identified.
  6. Single-source analysis reporting. Single-source analysts report the interim results of analysis to the all-source team, describing the emerging picture of the trafficking networks as well as gaps in information. This path provides the all-source team with an awareness of the progress and contribution of collections, and the added value of the analysis that is delivering an emerging trafficking picture.
  7. Single-source analysis refinement. The all-source team can provide direction for the single-source analysts to focus (“Look into that organization in greater depth”), broaden (“Check out the neighboring countries for similar patterns”), or change (“Drop the study of those shipping lines and focus on rail transport”) the emphasis of analysis and collection as the team gains a greater understanding of the subject. This reporting-refinement collaboration (paths 6 and 7, respectively) precedes publication of analyzed data (e.g., annotated images, annotated foreign reports on trafficking, maps of known and suspect trafficking routes, and lists of known and suspect trafficking organizations) into the analysis base.
  8. All-source analysis collaboration. The all-source team may allocate components of the trafficking-analysis task to individuals with areas of subject matter specialties (e.g., topical components might include organized crime, trafficking routes, finances, and methods), but all contribute to the construction of a single picture of illegal trafficking. The team shares raw and analyzed data in the analysis base, as well as the intelligence products in progress in a collaborative workspace. The LDR approves all product components for release onto the digital production system, which places them onto the intelligence portal for the consumer.

In the initial days, the portal is populated with an initial library of related subject matter data (e.g., open source and intelligence reports and data on illegal trafficking in general). As the analysis proceeds, analytic results are posted to the portal,

4.4 Organizational Problem Solving

Intelligence organizations face a wide range of problems that require planning, searching, and explanation to provide solutions. These problems require reactive solution strategies to respond to emergent situations as well as opportunistic (proactive) strategies to identify potential future problems to be solved (e.g., threat assessments, indications, and warnings).

The process of solving these problems collaboratively requires a defined strategy for groups to articulate a problem and then proceed to collectively develop a solution. In the context of intelligence analysis, organizational problem solving focuses on the following kinds of specific problems:

  • Planning. Decomposing intelligence needs for data requirements, developing analysis-synthesis procedures to apply to the collected data to draw conclusions, and scheduling the coordinated collection of data to meet those requirements
  • Discovery. Searching and identifying previously unknown patterns (of objects, events, behaviors, or relationships) that reveal new understanding about intelligence targets. (The discovery reasoning approach is inductive in nature, creating new, previously unrevealed hypotheses.)
  • Detection. Searching and matching evidence against previously known target hypotheses (templates). (The detection reasoning approach is deductive in nature, testing evidence against known hypotheses.)
  • Explanation. Estimating (providing mathematical proof in uncertainty) and arguing (providing logical proof in uncertainty) are required to provide an explanation of evidence. Inferential strategies require the description of multiple hypotheses (explanations), the confidence in each one, and the rationale for justifying a decision. Problem-solving descriptions may include the explanation of explicit knowledge via technical portrayals (e.g., graphical representations) and tacit knowledge via narrative (e.g., dialogue and story).

To perform organizational (or collaborative) problem solving in each of these areas, the individuals in the organization must share an awareness of the reasoning and solution strategies embraced by the organization. In each of these areas, organizational training, formal methodologies, and procedural templates provide a framework to guide the thinking process across a group. These methodologies also form the basis for structuring collaboration tools to guide the way teams organize shared knowledge, structure problems, and proceed from problem to solution.

Collaborative intelligence analysis is a difficult form of collaborative problem solving, where the solution often requires the analyst to overcome the efforts of a subject of study (the intelligence target) to both deny the analyst information and provide deliberately deceptive information.

4.4.1 Critical, Structured Thinking

Critical, or structured, thinking is rooted in the development of methods of careful, structured thinking, following the legacy of the philosophers and theologians that diligently articulated their basis for reasoning from premises to conclusions.

Critical thinking is based on the application of a systematic method to guide the collection of evidence, reason from evidence to argument, and apply objective decision-making judgment (Table 4.10). The systematic methodology assures completeness (breadth of consideration), objectivity (freedom from bias in sources, evidence, reasoning, or judgment), consistency (repeatability over a wide range of problems), and rationality (consistency with logic). In addition, critical thinking methodology requires the explicit articulation of the reasoning process to allow review and critique by others. These common methodologies form the basis for academic research, peer review, and reporting—as well as for intelligence analysis and synthesis.

Structured methods that move from problem to solution provide a helpful common framework for groups to communicate knowledge and coordinate a process from problem to solution. The TQM initiatives of the 1980s expanded the practice of teaching entire organizations common strategies for articulating problems and moving toward solutions. A number of general problem-solving strategies have been developed and applied to intelligence applications, for example (moving from general to specific):

  • Kepner-Tregoe™. This general problem-solving methodology, introduced in the classic text The Rational Manager [38] and taught to generations of managers in seminars, has been applied to management, engineering, and intelligence-problem domains. This method carefully distinguishes problem analysis (specifying deviations from expectations, hypothesizing causes, and testing for probable causes) and decision analysis (establishing and classifying decision objectives, generating alternative decisions, and comparing consequences).
  • Multiattribute utility analysis (MAUA). This structured approach to decision analysis quantifies a utility function, or value of all decision factors, as a weighted sum of contributing factors for each alternative decision. Relative weights of each factor sum to unity so the overall utility scale (for each decision option) ranges from 0 to 1.
  • Alternative competing hypotheses (ACH). This methodology develops and organizes alternative hypotheses to explain evidence, evaluates the evidence across multiple criteria, and provides rationale for reasoning to the best explanation.
  • Lockwood analytic method for prediction (LAMP). This methodology exhaustively structures and scores alternative futures hypotheses for complicated intelligence problems with many factors. The process enumerates, then compares the relative likelihood of COAs for all actors (e.g., military or national leaders) and their possible outcomes. The method provides a structure to consider all COAs while attempting to minimize the exponential growth of hypotheses.

A basic problem-solving process flow (Figure 4.7), which encompasses the essence of each of these three approaches, includes five fundamental component stages:

  1. Problem assessment. The problem must be clearly defined, and criteria for decision making must be established at the beginning. The problem, as well as boundary conditions, constraints, and the format of the desired solution, is articulated.
  2. Problem decomposition. The problem is broken into components by modeling the “situation” or context of the problem. If the problem is a corporate need to understand and respond to the research and development initiatives of a particular foreign company, for example, a model of that organization’s financial operations, facilities, organizational structure (and research and development staffing), and products is constructed. The decomposition (or analysis) of the problem into the need for different kinds of information necessarily requires the composition (or synthesis) of the model. This models the situation of the problem and provides the basis for gathering more data to refine the problem (refine the need for data) and better understand the context.
  3. Alternative analysis. In concert with problem decomposition, alternative solutions (hypotheses) are conceived and synthesized. Conjecture and creativity are necessary in this stage; the set of solutions is categorized to describe the range of the solution space. In the example of the problem of understanding a foreign company’s research and development, these solutions must include alternative explanations of what the competitor might be doing and what business responses should be taken to respond if there is a competitive threat. The competitor analyst must explore the wide range of feasible solutions and associated constraints and variables; alternatives may range from no research and development investment to significant but hidden investment in a new, breakthrough product development. Each solution (or explanation, in this case) must be compared to the model, and this process may cause the model to be expanded in scope, refined, and further decomposed to smaller components.
  4. Decision analysis. In this stage the alternative solutions are applied to the model of the situation to determine the consequences of each solution. In the foreign firm example, consequences are related to both the likelihood of the hypothesis being true and the consequences of actions taken. The decision factors, defined in the first stage, are applied to evaluate the performance, effectiveness, cost, and risk associated with each solution. This stage also reveals the sensitivity of the decision factors to the situation model (and its uncertainties) and may send the analyst back to gather more information about the situation to refine the model [42].
  5. Solution evaluation. The final stage, judgment, compares the outcome of decision analysis with the decision criteria established at the onset. Here, the uncertainties (about the problem, the model of the situation, and the effects of the alternative solutions) are considered and other subjective (tacit) factors are weighed to arrive at a solution decision.

This approach underlies the basis for traditional analytic intelligence methods, because it provides structure, rationale, and formality. But most recognize that the solid tacit knowledge of an experienced analyst provides a complementary basis—or an unspoken confidence that underlies final decisions—that is recognized but not articulated as explicitly as the quantified decision data.

4.4.2 Systems Thinking

In contrast with the reductionism of a purely analytic approach, a more holistic approach to understanding complex processes acknowledges the inability to fully decompose many complex problems into a finite and complete set of linear processes and relationships. This approach, referred to as holism, seeks to understand high-level patterns of behavior in dynamic or complex adaptive systems that transcend complete decomposition (e.g., weather, social organizations, or large-scale economies and ecologies). Rather than being analytic, systems approaches tend to be synthetic—that is, these approaches construct explanations at the aggregate or large scale and compare them to real-world systems under study.

Complexity refers to the property of real-world systems that prohibits any formalism from representing or completely describing their behavior. In contrast with simple systems that may be fully described by some formalism (i.e., mathematical equations that fully describe a real-world process to some level of satisfaction for the problem at hand), complex systems lack a fully descriptive formalism that captures all of their properties, especially global behavior.

Systems of subatomic scale, human organizational systems, and large-scale economies, where very large numbers of independent causes interact in large numbers of interactive ways, are characterized by inability to model global behavior—and a frustrating inability to predict future behavior.

The expert’s judgment is based not on an external and explicit decomposition of the problem, but on an internal matching of high-level patterns of prior experience with the current situation. The experienced detective as well as the experienced analyst applies such high-level comparisons of current behaviors with previous tacit (unarticulated, even unconscious) patterns gained through experience.

It is important to recognize that analytic and systems-thinking approaches, though in contrast, are usually applied in a complementary fashion by individuals and teams alike. The analytic approach provides the structure, record keeping, and method for articulating decision rationale, while the systems approach guides the framing of the problem, provides the synoptic perspective for exploring alternatives, and provides confidence in judgments.

4.4.3 Naturalistic Decision Making

In times of crisis, when time does not permit the careful methodologies, humans apply more naturalistic methods that, like the systems-thinking mode, rely entirely on the only basis available—prior experience.

“Uncontrolled, [information] will control you and your staffs … and lengthen your decision-cycle times.” (Insightfully, the Admiral also noted, “You can only manage from your Desktop Computer … you cannot lead from it.”)

While long-term intelligence analysis applies the systematic, critical analytic approaches described earlier, crisis intelligence analysis may be forced to the more naturalistic methods, where tacit experience (via informal on-the-job learning, simulation, or formal learning) and confidence are critical.

4.5 Tradecraft: The Best Practices of Intelligence

The capture and sharing of best practices was developed and matured throughout the 1980s when the total quality movement institutionalized the processes of benchmarking and recording lessons learned. Two forms of best practices and lessons capture and recording are often cited:

  1. Explicit process descriptions. The most direct approach is to model and describe the best collection, analytic, and distribution processes, their performance properties, and applications. These may be indexed, linked, and organized for subsequent reuse by a team posed with similar problems and instructors preparing formal curricula.
  2. Tacit learning histories. The methods of storytelling, described earlier in this chapter, are also applied to develop a “jointly told” story by the team developing the best practice. Once formulated, such learning histories provide powerful tools for oral, interactive exchanges within the organization; the written form of the exchanges may be linked to the best-practice description to provide context.

While explicit best-practices databases explain the how, learning histories provide the context to explain the why of particular processes.

The CIA maintains a product evaluation staff to evaluate intelligence products, learn from the large range of products produced (estimates, forecasts, technical assessments, threat assessments, and warnings), and maintain the database of best practices for training and distribution to the analytic staff.

4.6 Summary

In this chapter, we have introduced the fundamental cultural qualities, in terms of virtues and disciplines that characterize the knowledge-based intelligence organization. The emphasis has necessarily been on organizational disciplines—learning, collaborating, problem solving—that provide the agility to deliver accurate and timely intelligence products in a changing environment. The virtues and disciplines require support—technology to support collaboration over time and space, to support the capture and retrieval of explicit knowledge, to enable the exchange of tacit knowledge, and to support the cognitive processes in analytic and holistic problem solving.

5 Principles of Intelligence Analysis and Synthesis

At the core of all knowledge creation are the seemingly mysterious reasoning processes that proceed from the known to the assertion of entirely new knowledge about the previously unknown. For the intelligence analyst, this is the process by which evidence [1], that data determined to be relevant to a problem, is used to infer knowledge about a subject of investigation—the intelligence target. The process must deal with evidence that is often inadequate, undersampled in time, ambiguous, and carries questionable pedigree.

We refer to this knowledge-creating discipline as intelligence analysis and the practitioner as analyst. But analysis properly includes both the processes of analysis (breaking things down) and synthesis (building things up).

5.1 The Basis of Analysis and Synthesis

The process known as intelligence analysis employs both the functions of analysis and synthesis to produce intelligence products.

In a criminal investigation, this leads from a body of evidence, through feasible explanations, to an assembled case. In intelligence, the process leads from intelligence data, through alternative hypotheses, to an intelligence product. Along this trajectory, the problem solver moves forward and backward iteratively seeking a path that connects the known to the solution (that which was previously unknown).

Intelligence analysis-synthesis is very interested in financial, political, economic, military, and many other evidential relationships that may not be causal, but provide understanding of the structure and behavior of human, organizational, physical, and financial entities.

Descriptions of the analysis-synthesis processes can be traced from its roots in philosophy and problem solving to applications in intelligence assessments.

Philosophers distinguish between propositions as analytic or synthetic based on the direction in which they are developed. Propositions in which the predicate (conclusion) is contained within the subject are called analytic because the predicate can be derived directly by logical reasoning forward from the subject; the subject is said to contain the solution. Synthetic propositions on the other hand have predicates and subjects that are independent. The synthetic proposition affirms a connection between otherwise independent concepts.

The empirical scientific method applies analysis and synthesis to develop and then to test hypotheses:

  • Observation. A phenomenon is observed and recorded as data.
  • Hypothesis creation. Based upon a thorough study of the data, a working hypothesis is created (by the inductive analysis process or by pure inspiration) to explain the observed phenomena.
  • Experiment development. Based on the assumed hypothesis, the expected results (the consequences) of a test of the hypothesis are synthesized (by deduction).
  • Hypothesis testing. The experiment is performed to test the hypothesis against the data.
  • When the consequences of the test are confirmed, the hypothesis is verified (as a theory or law depending upon the degree of certainty).

The analyst iteratively applies analysis and synthesis to move forward from evidence and backward from hypothesis to explain the available data (evidence). In the process, the analyst identifies more data to be collected, critical missing data, and new hypotheses to be explored. This iterative analysis-synthesis process provides the necessary traceability from evidence to conclusion that will allow the results (and the rationale) to be explained with clarity and depth when completed.

 

5.2 The Reasoning Processes

Reasoning processes that analyze evidence and synthesize explanations perform inference (i.e., they create, manipulate, evaluate, modify, and assert belief). We can characterize the most fundamental inference processes by their process and products:

  • Process. The direction of the inference process refers to the way in which beliefs are asserted. The process may move from specific (or particular) beliefs toward more general beliefs, or from general beliefs to assert more specific beliefs.
  • Products. The certainty associated with an inference distinguishes two categories of results of inference. The asserted beliefs that result from inference may be infallible (e.g., an analytic conclusion derived from infallible beliefs and infallible logic is certain) or fallible judgments (e.g., a synthesized judgment is asserted with a measure of uncertainty; “probably true,” “true with 0.95 probability,” or “more likely true than false”).

 

5.2.1 Deductive Reasoning

Deduction is the method of inference by which a conclusion is inferred by applying the rules of a logical system to manipulate statements of belief to form new logically consistent statements of belief. This form of inference is infallible, in that the conclusion (belief) must be as certain as the premise (belief). It is belief preserving in that conclusions reveal no more than that expressed in the original premises. Deduction can be expressed in a variety of syllogisms, including the more common forms of propositional logic.

5.2.2 Inductive Reasoning

Induction is the method of inference by which a more general or more abstract belief is developed by observing a limited set of observations or instances.

Induction moves from specific beliefs about instances to general beliefs about larger and future populations of instances. It is a fallible means of inference.

The form of induction most commonly applied to extend belief from a sample of instances to a larger population is inductive generalization:

By this method, analysts extend the observations about a limited number of targets (e.g., observations of the money laundering tactics of several narcotics rings within a drug cartel) to a larger target population (e.g., the entire drug cartel).

Inductive prediction extends belief from a population to a specific future sample.

By this method, an analyst may use several observations of behavior (e.g., the repeated surveillance behavior of a foreign intelligence unit) to create a general detection template to be used to detect future surveillance activities by that or other such units. The induction presumes future behavior will follow past patterns.

In addition to these forms, induction can provide a means of analogical reasoning (induction on the basis of analogy or similarity) and inference to relate cause and effect. The basic scientific method applies the principles of induction to develop hypotheses and theories that can subsequently be tested by experimentation over a larger population or over future periods of time. The subject of induction is central to the challenge of developing automated systems that generalize and learn by inducing patterns and processes (rules).

Koestler uses the term bisociation to describe the process of viewing multiple explanations (or multiple associations) of the same data simultaneously. In the example in the figure, the data can be projected onto a common plane of discernment in which the data represents a simple curved line; projected onto an orthogonal plane, the data can explain a sinusoid. Though undersampled, as much intelligence data is, the sinusoid represents a new and novel explanation that may remain hidden if the analyst does not explore more than the common, immediate, or simple interpretation.

In a similar sense, the inductive discovery by an intelligence analyst (aha!) may take on many different forms, following the simple geometric metaphor. For example:

  • A subtle and unique correlation between the timing of communications (by traffic analysis) and money transfers of a trading firm may lead to the discovery of an organized crime operation.
  • A single anomalous measurement may reveal a pattern of denial and deception to cover the true activities at a manufacturing facility in which many points of evidence are, in fact, deceptive data “fed” by the deceiver. Only a single piece of anomalous evidence (D5 in the figure) is the clue that reveals the existence of the true operations (a new plane in the figure). The discovery of this new plane will cause the analyst to search for additional evidence to support the deception hypothesis.

Each frame of discernment (or plane in Koestler’s metaphor) is a framework for creating a single or a family of multiple hypotheses to explain the evidence. The creative analyst is able to entertain multiple frames of discernment, alternatively analyzing possible “fits” and constructing new explanations, exploring the many alternative explanations. This is Koestler’s constructive-destructive process of discovery.

Collaborative intelligence analysis (like collaborative scientific discovery) may produce a healthy environment for creative induction or an unhealthy competitive environment that stifles induction and objectivity. The goal of collaborative analysis is to allow alternative hypotheses to be conceived and objectively evaluated against the available evidence and to guide the tasking for evidence to confirm or disconfirm the alternatives.

5.2.3 Abductive Reasoning

Abduction is the informal or pragmatic mode of reasoning to describe how we “reason to the best explanation” in everyday life. Abduction is the practical description of the interactive use of analysis and synthesis to arrive at a solution or explanation by creating and evaluating multiple hypotheses.

Unlike infallible deduction, abduction is fallible because it is subject to errors (there may be other hypotheses not considered or another hypothesis, however unlikely, may be correct). But unlike deduction, it has the ability to extend belief beyond the original premises. Peirce contended that this is the logic of discovery and is a formal model of the process that scientists apply all the time.

Consider a simple intelligence example that implements the basic abductive syllogism. Data has been collected on a foreign trading company, TraderCo, which indicates its reported financial performance is not consistent with (less than) its level of operations. In addition, a number of its executives have subtle ties with organized crime figures.

The operations of the company can be explained by at least three hypotheses:

Hypothesis (H1)—TraderCo is a legitimate but poorly run business; its board is unaware of a few executives with unhealthy business contacts.

Hypothesis (H2)—TraderCo is a legitimate business with a naïve board that is unaware that several executives who gamble are using the business to pay off gambling debts to organized crime.

Hypothesis (H3)—TraderCo is an organized crime front operation that is trading in stolen goods and laundering money through the business, which reports a loss.

Hypothesis H3 best explains the evidence.

∴ Therefore, Accept Hypothesis H3 as the best explanation.

Of course, the critical stage of abduction unexplained in this set of hypotheses is the judgment that H3 is the best explanation. The process requires criteria for ranking hypotheses, a method for judging which is best, and a method to assure that the set of candidate hypotheses covers all possible (or feasible) explanations.

 

5.2.3.1 Creating and Testing Hypotheses

Abduction introduces the competition among multiple hypotheses, each being an attempt to explain the evidence available. These alternative hypotheses can be compared, or competed on the basis of how well they explain (or fit) the evidence. Furthermore, the created alternative hypotheses provide a means of identifying three categories of evidence important to explanation:

  • Positive evidence. This is evidence revealing the presence of an object or occurrence of an event in a hypothesis.
  • Missing evidence. Some hypotheses may fit the available evidence, but the hypothesis “predicts” that additional evidence that should exist if the hypothesis were true is “missing.” Subsequent searches and testing for this evidence may confirm or disconfirm the hypothesis.
  • Negative evidence. Hypotheses that contain evidence of a nonoccurrence of an event (or nonexistence of an object) may confirm a hypothesis.

5.2.3.2 Hypothesis Selection

Abduction also poses the issue of defining which hypothesis provides the best explanation of the evidence. The criteria for comparing hypotheses, at the most fundamental level, can be based on two principal approaches established by philosophers for evaluating truth propositions about objective reality [18]. Under the correspondence theory of truth, to say that a proposition p is true is to maintain that “p corresponds to the facts.”

For the intelligence analyst this would equate to “hypothesis h corresponds to the evidence”—it explains all of the pieces of evidence, with no expected evidence missing, all without having to leave out any contradictory evidence. The coherence theory of truth says that a proposition’s truth consists of its fitting into a coherent system of propositions that create the hypothesis. Both concepts contribute to practical criteria for evaluating competing hypotheses.

5.3 The Integrated Reasoning Process

The analysis-synthesis process combines each of the fundamental modes of reasoning to accumulate, explore, decompose to fundamental elements, and then fit together evidence. The process also creates hypothesized explanations of the evidence and uses these hypotheses to search for more confirming or refuting elements of evidence to affirm or prune the hypotheses, respectively.

This process of proceeding from an evidentiary pool to detections, explanations, or discovery has been called evidence marshaling because the process seeks to marshal (assemble and organize) into a representation (a model) that:

  • Detects the presence of evidence that matches previously known premises (or patterns of data);
  • Explains underlying processes that gave rise to the evidence;
  • Discovers new patterns in the evidence—patterns of circumstances or behaviors not known before (learning).

The figure illustrates four basic paths that can proceed from the pool of evidence, our three fundamental inference modes and a fourth feedback path:

  1. Deduction. The path of deduction tests the evidence in the pool against previously known patterns (or templates) that represent hypotheses of activities that we seek to detect. When the evidence fits the hypothesis template, we declare a match. When the evidence fits multiple hypotheses simultaneously, the likelihood of each hypothesis (determined by the strength of evidence for each) is assessed and reported. (This likelihood may be computed probabilistically using Bayesian methods, where evidence uncertainty is quantified as a probability and prior probabilities of the hypotheses are known.)
  2. Retroduction. This feedback path, recognized and named by C.S. Peirce as yet another process of reasoning, occurs when the analyst conjectures (synthesizes) a new conceptual hypothesis (beyond the current frame of discernment) that causes a return to the evidence to seek evidence to match (or test) this new hypothesis. The insight Peirce provided is that in the testing of hypotheses, we are often inspired to realize new, different hypotheses that might also be tested. In the early implementation of reasoning systems, the forward path of deduction was often referred to as forward chaining by attempting to automatically fit data to previously stored hypothesis templates; the path of retroduction was referred to as backward chaining, where the system searched for data to match hypotheses queried by an inspired human operator.
  3. Abduction. The abduction process, like induction, creates explanatory hypotheses inspired by the pool evidence and then, like deduction, attempts to fit items of evidence to each hypothesis to seek the best explanation. In this process, the candidate hypotheses are refined and new hypotheses are conjectured. The process leads to comparison and ranking of the hypotheses, and ultimately the best is chosen as the explanation. As a part of the abductive process, the analyst returns to the pool of evidence to seek support for these candidate explanations; this return path is called retroduction.
  4. Induction. The path of induction considers the entire pool of evidence to seek general statements (hypotheses) about the evidence. Not seeking point matches to the small sets of evidence, the inductive path conjectures new and generalized explanation of clusters of similar evidence; these generalizations may be tested across the evidence to determine the breadth of applicability before being declared as a new discovery.
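
The hypothesis competition of Sections 5.2.3.1 and 5.2.3.2, and the Bayesian likelihood mentioned under the deduction path, can be worked through on the TraderCo case. The following Python code is an added example, not taken from the book: the two uncollected evidence items, every prior and likelihood, the 0.5 prediction threshold, and the assumption that evidence items are conditionally independent given a hypothesis are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hypothesis:
    name: str
    prior: float       # P(H) before any evidence (constructed value)
    likelihood: dict   # evidence item -> P(item present | H) (constructed)


# Constructed numbers for the three TraderCo hypotheses in the text.
HYPOTHESES = [
    Hypothesis("H1", 0.5, {"loss_vs_operations": 0.5, "exec_crime_ties": 0.2,
                           "exec_gambling_debts": 0.1,
                           "stolen_goods_in_inventory": 0.05}),
    Hypothesis("H2", 0.3, {"loss_vs_operations": 0.6, "exec_crime_ties": 0.7,
                           "exec_gambling_debts": 0.9,
                           "stolen_goods_in_inventory": 0.1}),
    Hypothesis("H3", 0.2, {"loss_vs_operations": 0.9, "exec_crime_ties": 0.9,
                           "exec_gambling_debts": 0.3,
                           "stolen_goods_in_inventory": 0.8}),
]

# Evidence pool: True = observed, False = searched for and found absent,
# None = not yet collected. The first two items are the evidence named in
# the text; the last two are hypothetical items added for this example.
POOL = {
    "loss_vs_operations": True,
    "exec_crime_ties": True,
    "exec_gambling_debts": None,
    "stolen_goods_in_inventory": None,
}


def posterior(hypotheses, pool):
    """Bayes rule over the collected items (naive independence assumed)."""
    weights = {}
    for h in hypotheses:
        w = h.prior
        for item, seen in pool.items():
            if seen is None:          # uncollected items carry no weight yet
                continue
            p = h.likelihood[item]
            w *= p if seen else 1.0 - p
        weights[h.name] = w
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def classify(h, pool, threshold=0.5):
    """Sort pool items into the evidence categories of Section 5.2.3.1."""
    out = {"positive": [], "negative": [], "missing": [], "contradictory": []}
    for item, seen in pool.items():
        predicted = h.likelihood[item] >= threshold
        if seen is None:
            if predicted:             # hypothesis expects it; not yet found
                out["missing"].append(item)
        elif seen == predicted:       # presence or confirmed absence fits
            out["positive" if seen else "negative"].append(item)
        else:
            out["contradictory"].append(item)
    return out


def tasking(hypotheses, pool):
    """Rank uncollected items by how sharply they separate the hypotheses."""
    def spread(item):
        ps = [h.likelihood[item] for h in hypotheses]
        return max(ps) - min(ps)
    gaps = [item for item, seen in pool.items() if seen is None]
    return sorted(gaps, key=spread, reverse=True)


if __name__ == "__main__":
    print("initial ranking:", posterior(HYPOTHESES, POOL))
    for h in HYPOTHESES:
        print(h.name, classify(h, POOL))
    print("collect next:", tasking(HYPOTHESES, POOL))
    # Retroduction: return to the pool with the tasked items collected.
    updated = dict(POOL, exec_gambling_debts=False,
                   stolen_goods_in_inventory=True)
    print("after collection:", posterior(HYPOTHESES, updated))
```

With only the two items from the text collected, H3 leads but does not dominate, which is the fallibility of abduction in numeric form; the tasking list shows which missing evidence would separate the hypotheses most.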

5.4 Analysis and Synthesis As a Modeling Process

The fundamental reasoning processes are applied to a variety of practical analytic activities performed by the analyst.

  • Explanation and description. Find and link related data to explain entities and events in the real world.
  • Detection. Detect and identify the presence of entities and events based on known signatures. Detect potentially important deviations, including anomaly detection of changes relative to “normal” or “expected” state or change detection of changes or trends over time.
  • Discovery. Detect the presence of previously unknown patterns in data (signatures) that relate to entities and events.
  • Estimation. Estimate the current qualitative or quantitative state of an entity or event.
  • Prediction. Anticipate future events based on detection of known indicators; extrapolate current state forward, project the effects of linear factors forward, or simulate the effects of complex factors to synthesize possible future scenarios to reveal anticipated and unanticipated (emergent) futures.

In each of these cases, we can view the analysis-synthesis process as an evidence-decomposing and model-building process.

The objective of this process is to sort through and organize data (analyze) and then to assemble (synthesize), or marshal related evidence to create a hypothesis—an instantiated model that represents one feasible representation of the intelligence subject (target). The model is used to marshal evidence, evaluate logical argumentation, and provide a tool for explanation of how the available evidence best fits the analyst’s conclusion. The model also serves to help the analyst understand what evidence is missing, what strong evidence supports the model, and where negative evidence might be expected. The terminology we use here can be clarified by the following distinctions:

  • A real intelligence target is abstracted and represented by models.
  • A model has descriptive and stated attributes or properties.
  • A particular instance of a model, populated with evidence-derived and conjectured properties, is a hypothesis.

A target may be described by multiple models, each with multiple instances (hypotheses). For example, if our target is the financial condition of a designated company, we might represent the financial condition with a single financial model in the form of a spreadsheet that enumerates many financial attributes. As data is collected, the model is populated with data elements, some reported publicly and others estimated. We might maintain three instances of the model (legitimate company, faltering legitimate company, and illicit front organization), each being a competing explanation (or hypothesis) of the incomplete evidence. These hypotheses help guide the analyst to identify the data required to refine, affirm, or discard existing hypotheses or to create new hypotheses.

Explicit model representations provide a tool for collaborative construction, marshaling of evidence, decomposition, and critical examination. Mental and explicit modeling are complementary tools of the analyst; judgment must be applied to balance the use of both.

Former U.S. National Intelligence Officer for Warning (1994–1996) Mary McCarthy has emphasized the importance of explicit modeling to analysis:

Rigorous analysis helps overcome mindset, keeps analysts who are immersed in a mountain of new information from raising the bar on what they would consider an alarming threat situation, and allows their minds to expand other possibilities. Keeping chronologies, maintaining databases and arraying data are not fun or glamorous. These techniques are the heavy lifting of analysis, but this is what analysts are supposed to do [19].

 

The model is an abstract representation that serves two functions:

  1. Model as hypothesis. Based on partial data or conjecture alone, a model may be instantiated as a feasible proposition to be assessed, a hypothesis. In a homicide investigation, each conjecture for “who did it” is a hypothesis, and the associated model instance is a feasible explanation for “how they did it.” The model provides a framework around which data is assembled, a mechanism for examining feasibility, and a basis for exploring data to confirm or refute the hypothesis.
  2. Model as explanation. As evidence (relevant data that fits into the model) is assembled on the general model framework to form a hypothesis, different views of the model provide more robust explanations of that hypothesis. Narrative (story), timeline, organization relationships, resources, and other views may be derived from a common model.

 

 

The process of implementing data decomposition (analysis) and model construction-examination (synthesis) can be depicted in three process phases or spaces of operation (Figure 5.6):

  1. Data space. In this space, data (relevant and irrelevant, certain and ambiguous) are indexed and accumulated. Indexing by time (of collection and arrival), source, content topic, and other factors is performed to allow subsequent search and access across many dimensions.
  2. Argumentation space. The data is reviewed; selected elements of potentially relevant data (evidence) are correlated, grouped, and assembled into feasible categories of explanations, forming a set (structure) of high-level hypotheses to explain the observed data. This process applies exhaustive searches of the data space, accepting some as relevant and discarding others. In this phase, patterns in the data are discovered, although all the data in the patterns may not be present; these patterns lead to the creation of hypotheses even though all the data may not exist. Examination of the data may lead to creation of hypotheses by conjecture, even though no data supports the hypothesis at this point. The hypotheses are examined to determine what data would be required to reinforce or reject each; hypotheses are ranked in terms of likelihood and needed data (to reinforce or refute). The models are tested and various excursions are examined. This space is the court in which the case is made for each hypothesis, and they are judged for completeness, sufficiency, and feasibility. This examination can lead to requests for additional data, refinements of the current hypotheses, and creation of new hypotheses.
  3. Explanation space. Different “views” of the hypothesis model provide explanations that articulate the hypothesis and relate the supporting evidence. The intelligence report can include a single model and explanation that best fits the data (when data is adequate to assert the single answer) or alternative competing models, as well as the supporting evidence for each and an assessment of the implications of each. Figure 5.6 illustrates several of the views often used: timelines of events, organization-relationship diagrams, annotated maps and imagery, and narrative story lines.

For a single target under investigation, we may create and consider (or entertain) several candidate hypotheses, each with a complete set of model views. If, for example, we are trying to determine the true operations of the foreign company introduced earlier, TraderCo, we may hold several hypotheses:

  1. H1—The company is a legal clothing distributor, as advertised.
  2. H2—The company is a legal clothing distributor, but company executives are diverting business funds for personal interests.
  3. H3—The company is a front operation to cover organized crime, where hypothesis 3 has two sub-hypotheses:
    • H31—The company is a front for drug trafficking.
    • H32—The company is a front for terrorism money laundering.

In this case, H1, H2, H31, and H32 are the four root hypotheses, and the analyst identifies the need to create an organizational model, an operations flow-process model, and a financial model for each of the four hypotheses—creating 4 × 3 = 12 models.

 

5.5 Intelligence Targets in Three Domains

We have noted that intelligence targets may be objects, events, or dynamic processes—or combinations of these. The development of information operations has brought a greater emphasis on intelligence targets that exist not only in the physical domain, but in the realms of information (e.g., networked computers and information processes) and human decision making.

Information operations (IO) are those actions taken to affect an adversary’s information and information systems, while defending one’s own information and information systems. The U.S. Joint Vision 2020 describes the Joint Chiefs of Staff view of the ultimate purpose of IO as “to facilitate and protect U.S. decision-making processes, and in a conflict, degrade those of an adversary”.

The JV2020 builds on the earlier JV2010 [26] and retains the fundamental operational concepts, two with significant refinements that emphasize IO. The first is the expansion of the vision to encompass the full range of operations (nontraditional, asymmetric, unconventional ops), while retaining warfighting as the primary focus. The second refinement moves information superiority concepts beyond technology solutions that deliver information to the concept of superiority in decision making. This means that IO will deliver increased information at all levels and increased choices for commanders. Conversely, it will also reduce information to adversary commanders and diminish their decision options. Core to these concepts and challenges is the notion that IO uniquely requires the coordination of intelligence, targeting, and security in three fundamental realms, or domains of human activities.

 

These are likewise the three fundamental domains of intelligence targets, and each must be modeled:

  1. The physical domain encompasses the material world of mass and energy. Military facilities, vehicles, aircraft, and personnel make up the principal target objects of this domain. The orders of battle that measure military strength, for example, are determined by enumerating objects of the physical world.
  2. The abstract symbolic domain is the realm of information. Words, numbers, and graphics all encode and represent the physical world, storing and transmitting it in electronic formats, such as radio and TV signals, the Internet, and newsprint. This is the domain that is expanding at unprecedented rates, as global ideas, communications, and descriptions of the world are being represented in this domain. The domain includes the cyberspace that has become the principal means by which humans shape their perception of the world. It interfaces the physical to the cognitive domains.
  3. The cognitive domain is the realm of human thought. This is the ultimate locus of all information flows. The individual and collective thoughts of government leaders and populations at large form this realm. Perceptions, conceptions, mental models, and decisions are formed in this cognitive realm. This is the ultimate target of our adversaries: the realm where uncertainties, fears, panic, and terror can coerce and influence our behavior.

Current IO concepts have appropriately emphasized the targeting of the second domain—especially electronic information systems and their information content. The expansion of networked information systems and the reliance on those systems has focused attention on network-centric forms of warfare. Ultimately, though, IO must move toward a focus on the full integration of the cognitive realm with the physical and symbolic realms to target the human mind.

Intelligence must understand and model the complete system or complex of the targets of IO: the interrelated systems of physical behavior, information perceived and exchanged, and the perception and mental states of decision makers.

Of importance to the intelligence analyst is the clear recognition that most intelligence targets exist in all three domains, and models must consider all three aspects.

The intelligence model of such an organization must include linked models of all three domains—to provide an understanding of how the organization perceives, decides, and communicates through a networked organization, as well as where the people and other physical objects are moving in the physical world. The concepts of detection, identification, and dynamic tracking of intelligence targets apply to objects, events, and processes in all three domains.

5.6 Summary

The analysis-synthesis process proceeds from intelligence analysis to operations analysis and then to policy analysis.

The knowledge-based intelligence enterprise requires the capture and explicit representation of such models to permit collaboration among these three disciplines to achieve the greatest effectiveness and sharing of intellectual capital.

6 The Practice of Intelligence Analysis and Synthesis

The chapter moves from high-level functional flow models toward the processes implemented by analysts.

A practical description of the process by one author summarizes the perspective of the intelligence user:

A typical intelligence production consists of all or part of three main elements: descriptions of the situation or event with an eye to identifying its essential characteristics; explanation of the causes of a development as well as its significance and implications; and the prediction of future developments. Each element contains one or both of these components: data, provided by knowledge and incoming information and assessment, or judgment, which attempts to fill the gaps in the data.

Consumers expect description, explanation, and prediction; as we saw in the last chapter, the process that delivers such intelligence is based on evidence (data), assessment (analysis-synthesis), and judgment (decision).

6.1 Intelligence Consumer Expectations

The U.S. Government Accounting Office (GAO) noted the need for greater clarity in the intelligence delivered in U.S. national intelligence estimates (NIEs) in a 1996 report, enumerating five specific standards for analysis, from the perspective of policymakers.

Based on a synthesis of the published views of current and former senior intelligence officials, the reports of three independent commissions, and a CIA publication that addressed the issue of national intelligence estimating, an objective NIE should meet the following standards [2]:

  • [G1]: quantify the certainty level of its key judgments by using percentages or bettors’ odds, where feasible, and avoid overstating the certainty of judgments (note: bettors’ odds state the chance as, for example, “one out of three”);
  • [G2]: identify explicitly its assumptions and judgments;
  • [G3]: develop and explore alternative futures: less likely (but not impossible) scenarios that would dramatically change the estimate if they occurred;
  • [G4]: allow dissenting views on predictions or interpretations;
  • [G5]: note explicitly what the IC does not know when the information gaps could have significant consequences for the issues under consideration.

 

The Commission would urge that the [IC] adopt as a standard of its methodology that in addition to considering what they know, analysts consider as well what they know they don’t know about a program and set about filling gaps in their knowledge by:

  • [R1] taking into account not only the output measures of a program, but the input measures of technology, expertise and personnel from both internal sources and as a result of foreign assistance. The type and rate of foreign assistance can be a key indicator of both the pace and objective of a program into which the IC otherwise has little insight.
  • [R2] comparing what takes place in one country with what is taking place in others, particularly among the emerging ballistic missile powers. While each may be pursuing a somewhat different development program, all of them are pursuing programs fundamentally different from those pursued by the US, Russia and even China. A more systematic use of comparative methodologies might help to fill the information gaps.
  • [R3] employing the technique of alternative hypotheses. This technique can help make sense of known events and serve as a way to identify and organize indicators relative to a program’s motivation, purpose, pace and direction. By hypothesizing alternative scenarios a more adequate set of indicators and collection priorities can be established. As the indicators begin to align with the known facts, the importance of the information gaps is reduced and the likely outcomes projected with greater confidence. The result is the possibility for earlier warning than if analysts wait for proof of a capability in the form of hard evidence of a test or a deployment. Hypothesis testing can provide a guide to what characteristics to pursue, and a cue to collection sensors as well.
  • [R4] explicitly tasking collection assets to gather information that would disprove a hypothesis or fill a particular gap in a list of indicators. This can prove a wasteful use of scarce assets if not done in a rigorous fashion. But moving from the highly ambiguous absence of evidence to the collection of specific evidence of absence can be as important as finding the actual evidence [3].

 

 

 

Intelligence consumers want more than estimates or judgments; they expect concise explanations of the evidence and reasoning processes behind judgments with substantiation that multiple perspectives, hypotheses, and consequences have been objectively considered.

They expect a depth of analysis-synthesis that explicitly distinguishes assumptions, evidence, alternatives, and consequences—with a means of quantifying each contribution to the outcomes (judgments).

6.2 Analysis-Synthesis in the Intelligence Workflow

Analysis-synthesis is one process within the intelligence cycle… It represents a process that is practically implemented as a continuum rather than a cycle, with all phases being implemented concurrently and addressing a multitude of different intelligence problems or targets.

The stimulus-hypothesis-option-response (SHOR) model, described by Joseph Wohl in 1986, emphasizes the consideration of multiple perception hypotheses to explain sensed data and assess options for response.

The observe-orient-decide-act (OODA) loop, developed by Col. John Warden, is a high-level abstraction of the military command and control loop that considers the human decision-making role and its dependence on observation and orientation—the process of placing the observations in a perceptual framework for decision making.

The tasking, processing, exploitation, dissemination (TPED) model used by U.S. technical collectors and processors [e.g., the U.S. National Reconnaissance Office (NRO), the National Imagery and Mapping Agency (NIMA), and the National Security Agency (NSA)] distinguishes between the processing elements of the national technical-means intelligence channels (SIGINT, IMINT, and MASINT) and the all-source analytic exploitation roles of the CIA and DIA.

The DoD Joint Directors of Laboratories (JDL) data fusion model is a more detailed technical model that considers the use of multiple sources to produce a common operating picture of individual objects, situations (the aggregate of objects and their behaviors), and the consequences or impact of those situations. The model includes a hierarchy of data correlation and combination processes at three levels (level 0: signal refinement; level 1: object refinement; level 2: situation refinement; level 3: impact refinement) and a corresponding feedback control process (level 4: process refinement) [10]. The JDL model is a functional representation that accommodates automated processes and human processes and provides detail within both the processing and analysis steps. The model is well suited to organize the structure of automated processing stages for technical sensors (e.g., imagery, signals, and radar).

  • Level 0: signal refinement automated processing correlates and combines raw signals (e.g., imagery pixels or radar signals intercepted from multiple locations) to detect objects and derive their location, dynamics, or identity.
  • Level 1: object refinement processing detects individual objects and correlates and combines these objects across multiple sources to further refine location, dynamics, or identity information.
  • Level 2: situation refinement analysis correlates and combines the detected objects across all sources within the background context to produce estimates of the situation—explaining the aggregate of static objects and their behaviors in context to derive an explanation of activities with estimated status, plans, and intents.
  • Level 3: impact refinement analysis estimates the consequences of alternative courses of action.
  • The level 4 process refinement flows are not shown in the figure, though all forward processing levels can provide inputs to refine the process to: focus collection or processing on high-value targets, refine processing parameters to filter unwanted content, adjust database indexing of intermediate data, or improve overall efficiency of the production process. The level 4 process effectively performs the KM business intelligence functions introduced in Section 3.7.

The analysis stage employs semiautomated detection and discovery tools to access the data in large databases produced by the processing stage. In general, the processing stage can be viewed as a factory of processors, while the analysis stage is a lower volume shop staffed by craftsmen—the analytic team.

6.3 Applying Automation

Automated processing has been widely applied to level 1 object detection (e.g., statistical pattern recognition) and to a lesser degree to level 2 situation recognition problems (e.g., symbolic artificial intelligence systems) for intelligence applications.

Viewing these dimensions as the number of nodes (causes) and number of interactions (influencing the scale of effects) in a dynamic system, the problem space depicts the complexity of the situation being analyzed:

  • Causal diversity. The first dimension relates to the number of causal factors, or actors, that influence the situation behavior.
  • Scale of effects. The second dimension relates to the degree of interaction between actors, or the degree to which causal factors influence the behavior of the situation.

As both dimensions increase, the potential for nonlinear behavior increases, making it more difficult to model the situation being analyzed.

These problems include the detection of straightforward objects in images, content patterns in text, and emitted signal matching. More difficult problems still in this category include dynamic situations with moderately higher numbers of actors and scales of effects that require qualitative (propositional logic) or quantitative (statistical modeling) reasoning processes.

The most difficult category 3 problems, intractable to fully automated analysis, are those complex situations characterized by high numbers of actors with large-scale interactions that give rise to emergent behaviors.

6.4 The Role of the Human Analyst

The analyst applies tacit knowledge to search through explicit information to create tacit knowledge in the form of mental models and explicit intelligence reports for consumers.

The analysis process requires the analyst to integrate the cognitive reasoning and more emotional sensemaking processes with large bodies of explicit information to produce explicit intelligence products for consumers. To effectively train and equip analysts to perform this process, we must recognize and account for these cognitive and emotional components of comprehension. The complete process includes the automated workflow, which processes explicit information, and the analyst’s internal mental workflow, which integrates the cognitive and emotional modes.

 

Complementary logical and emotional frameworks are based on the current mental model of beliefs and feelings and the new information is compared to these frameworks; differences have the potential for affirming the model (agreement), learning and refining the model (acceptance and model adjustment), or rejecting the new information. Judgment integrates feelings about consequences and values (based on experience) with reasoned alternative consequences and courses of action that construct the meaning of the incoming stimulus. Decision making makes an intellectual-emotional commitment to the impact of the new information on the mental model (acceptance, affirmation, refinement, or rejection).

6.5 Addressing Cognitive Shortcomings

The intelligence analyst is not only confronted with ambiguous information about complex subjects, but is often placed under time pressures and expectations to deliver accurate, complete, and predictive intelligence. Consumer expectations often approach infallibility and omniscience.

In this situation, the analyst must be keenly aware of the vulnerabilities of human cognitive shortcomings and take measures to mitigate the consequences of these deficiencies. The natural limitations in cognition (perception, attention span, short- and long-term memory recall, and reasoning capacity) constrain the objectivity of our reasoning processes, producing errors in our analysis.

In “Combatting Mind-Set,” respected analyst Jack Davis has noted that analysts must recognize the subtle influence of mindset, the cumulative mental model that distills analysts’ beliefs about a complex subject and “find[s] strategies that simultaneously harness its impressive energy and limit[s] the potential damage”.

Davis recommends two complementary strategies:

  1. Enhancing mindset. Creating explicit representation of the mindset—externalizing the mental model—allows broader collaboration, evaluation from multiple perspectives, and discovery of subtle biases.
  2. Ensuring mind-set. Maintaining multiple explicit explanations and projections and opportunity analyses provides insurance against single-point judgments and prepares the analyst to switch to alternatives when discontinuities occur.

Davis has also cautioned analysts to beware the paradox of expertise phenomenon that can distract attention from the purpose of an analysis. This error occurs when discordant evidence is present and subject experts tend to be distracted and focus on situation analysis (solving the discordance to understand the subject situation) rather than addressing the impact on the analysis of the consequences of the discrepancy. In such cases, the analyst must focus on providing value added by addressing what action alternatives exist for alternatives and their consequences in cost-benefit terms.

Heuer emphasized the importance of supporting tools and techniques to overcome natural analytic limitations [20]: “Weaknesses and biases inherent in human thinking processes can be demonstrated through carefully designed experiments. They can be alleviated by conscious application of tools and techniques that should be in the analytical tradecraft toolkit of all intelligence analysts.”

6.6 Marshaling Evidence and Structuring Argumentation

Instinctive analysis focuses on a single or limited range of alternatives, moves on a path to satisfy minimum needs (satisficing, or finding an acceptable explanation), and is performed implicitly using tacit mental models. Structured analysis follows the principles of critical thinking introduced in Chapter 4, organizing the problem to consider all reasonable alternatives, systematically and explicitly representing the alternative solutions to comprehensively analyze all factors.

6.6.1 Structuring Hypotheses

6.6.2 Marshaling Evidence and Structuring Arguments

There exist a number of classical approaches to representing hypotheses, marshaling evidence to them, and arguing for their validity. Argumentation structures propositions to move from premises to conclusions. Three perspectives or disciplines of thought have developed the most fundamental approaches to this process.

Each discipline has contributed methods to represent knowledge and to provide a structure for reasoning to infer from data to relevant evidence, through intermediate hypotheses to conclusion. The term knowledge representation refers to the structure used to represent data and show its relevance as evidence, the representation of rules of inference, and the asserted conclusions.

6.6.3 Structured Inferential Argumentation

Philosophers, rhetoricians, and lawyers have long sought accurate means of structuring and then communicating, in natural language, the lines of reasoning that lead from complicated sets of evidence to conclusions. Lawyers and intelligence analysts alike seek to provide a clear and compelling case for their conclusions, reasoned from a mass of evidence about a complex subject.

We first consider the classical forms of argumentation described as informal logic, whereby the argument connects premises to conclusions. The common forms include:

  1. Multiple premises, when taken together, lead to but one conclusion. For example: The radar at location A emits at a high pulse repetition frequency (PRF); when it emits at high PRF, it emits on frequency (F) → the radar at A is a fire control radar.
  2. Multiple premises independently lead to the same conclusion. For example: The radar at A is a fire control radar. Also, location A stores canisters for missiles. → A surface-to-air missile (SAM) battery must be at location A.
  3. A single premise leads to but one conclusion. For example: A SAM battery is located at A → the battery at A must be linked to a command and control (C2) center.
  4. A single premise can support more than one conclusion. For example: The SAM battery could be controlled by the C2 center at golf, or the SAM battery could be controlled by the C2 center at hotel.

These four basic forms may be combined to create complex sets of argumentation, as in the simple sequential combination and simplification of these examples:

  • The radar at A emits at a high PRF; when it emits at high PRF, it emits on frequency F, so it must be a fire control radar. Also, location A stores canisters for missiles, so there must be a SAM battery there. The battery at A must be linked to a C2 center. It could be controlled by the C2 centers at golf or at hotel.

The structure of this argument can be depicted as a chain of reasoning or argumentation (Figure 6.7) using the four premise structures in sequence.

Toulmin distinguished six elements of all arguments [24]:

  1. Data (D), at the beginning point of the argument, are the explicit elements of data (relevant data, or evidence) that are observed in the external world.
  2. Claim (C) is the assertion of the argument.
  3. Qualifier (Q) imposes any qualifications on the claim.
  4. Rebuttals (R) are any conditions that may refute the claim.
  5. Warrants (W) are the implicit propositions (rules, principles) that permit inference from data to claim.
  6. Backing (B) are assurances that provide authority and currency to the warrants.

Applying Toulmin’s argumentation scheme requires the analyst to distinguish each of the six elements of argument and to fit them into a standard structure of reasoning—see Figure 6.8(a)—which leads from datum (D) to claim (C). The scheme separates the domain-independent structure from the warrants and backing, which are dependent upon the field in which we are working (e.g., legal cases, logical arguments, or morals).

The general structure, described in natural language, then proceeds from datum (D) to claim (C) as follows:

  • The datum (D), supported by the warrant (W), which is founded upon the backing (B), leads directly to the claim (C), qualified to the degree (Q), with the caveat that rebuttal (R) is present.

Such a structure requires the analyst to identify all of the key components of the argument—and explicitly report if any components are missing (e.g., if rebuttals or contradicting evidence do not exist).

The benefit of this scheme is the potential for the use of automation to aid analysts in the acquisition, examination, and evaluation of natural-language arguments. As an organizing tool, the Toulmin scheme distinguishes data (evidence) from the warrants (the universal premises of logic) and their backing (the basis for those premises).

It must be noted that formal logicians have criticized Toulmin’s scheme due to its lack of logical rigor and ability to address probabilistic arguments. Yet, it has contributed greater insight and formality to developing structured natural-language argumentation.

6.6.4 Inferential Networks

Moving beyond Toulmin’s structure, we must consider the approaches to create network structures to represent complex chains of inferential reasoning.

The use of graph theory to describe complex arguments allows the analyst to represent two crucial aspects of an argument:

  • Argument structure. The directed graph represents evidence (E), events, or intermediate hypotheses inferred by the evidence (i), and the ultimate, or final, hypotheses (H) as graph nodes. The graph is directed because the lines connecting nodes include a single arrow indicating the single direction of inference. The lines move from a source element of evidence (E) through a series of inferences (i1, i2, i3, … in) toward a terminal hypothesis (H). The graph is acyclic because the directions of all arrows move from evidence, through intermediate inferences to hypothesis, but not back again: there are no closed-loop cycles.
  • Force of evidence and propagation. In common terms we refer to the force, strength, or weight of evidence to describe the relative degree of contribution of evidence to support an intermediate inference (in), or the ultimate hypothesis (H). The graph structure provides a means of describing supporting and refuting evidence, and, if evidence is quantified (e.g., probabilities, fuzzy variables, or other belief functions), a means of propagating the accumulated weight of evidence in an argument.

Like a vector, evidence includes a direction (toward certain hypotheses) and a magnitude (the inferential force). The basic categories of argument can be structured to describe four basic categories of evidence combination (illustrated in Figure 6.9):

Direct. The most basic serial chain of inference moves from evidence (E) that the event E occurred, to the inference (i1) that E did in fact occur. This inference expresses belief in the evidence (i.e., belief in the veracity and objectivity of human testimony). The chain may go on serially to further inferences because of the belief in E.

Consonance. Multiple items of evidence may be synergistic, resulting in one item enhancing the force of another; their joint contribution provides more inferential force than their individual contributions. Two items of evidence may provide collaborative consonance; the figure illustrates the case where ancillary evidence (E2) is favorable to the credibility of the source of evidence (E1), thereby increasing the force of E1. Evidence may also be convergent when E1 and E2 provide evidence of the occurrence of different events, but those events, together, favor a common subsequent inference. The enhancing contribution (i1) to (i2) is indicated by the dashed arrow.

Redundant. Multiple items of evidence (E1, E2) that redundantly lead to a common inference (i1) can also diminish the force of each other in two basic ways. Corroborative redundancy occurs when two or more sources supply identical evidence of a common event inference (i1). If one source is perfectly credible, the redundant source does not contribute inferential force; if both have imperfect credibility, one may diminish the force of the other to avoid double counting the force of the redundant evidence. Cumulative redundancy occurs when multiple items of evidence (E1, E2), though inferring different intermediate hypotheses (i1,i2), respectively, lead to a common hypothesis (i3) farther up the reasoning chain. This redundant contribution to (i3), indicated by the dashed arrow, necessarily reduces the contribution of inferential force from E2.

Dissonance. Dissonant evidence may be contradictory when items of evidence E1 and E2 report, mutually exclusively, that the event E did occur and did not occur, respectively. Conflicting evidence, on the other hand, occurs when E1 and E2 report two separate events i1 and i2 (both of which may have occurred, but not jointly), but these events favor mutually exclusive hypotheses at i3.

The graph moves from bottom to top in the following sequence:

  1. Direct evidence at the bottom;
  2. Evidence credibility inferences are the first row above evidence, inferring the veracity, objectivity, and sensitivity of the source of evidence;
  3. Relevance inferences move from credibility-conditioned evidence through a chain of inferences toward final hypothesis;
  4. The final hypothesis is at the top.

Some may wonder why such rigor is employed for such a simple argument. This relatively simple example illustrates the level of inferential detail required to formally model even the simplest of arguments. It also illustrates the real problem faced by the analyst in dealing with the nuances of redundant and conflicting evidence. Most significantly, the example illustrates the degree of care required to accurately represent arguments to permit machine-automated reasoning about all-source analytic problems.

We can see how this simple model demands the explicit representation of often-hidden assumptions, every item of evidence, the entire sequence of inferences, and the structure of relationships that leads to our conclusion that H1 is true.

Inferential networks provide a logical structure upon which quantified calculations may be performed to compute values of inferential force of evidence and the combined contribution of all evidence toward the final hypothesis.
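The structural rules given above for an inferential network (directed, acyclic, evidence at the bottom, final hypotheses terminal) can be checked mechanically before any weights are attached. The following is an added example, not from the book; the node names, edge list, and the "hidden assumption" check are assumptions built on the radar and SAM battery illustration from Section 6.6.3.

```python
from collections import defaultdict, deque

# Constructed network. Kinds follow the text: E = evidence,
# i = intermediate inference, H = final hypothesis.
NODES = {
    "E1": ("E", "Radar at A emits at high PRF"),
    "E2": ("E", "At high PRF the radar emits on frequency F"),
    "E3": ("E", "Location A stores canisters for missiles"),
    "i1": ("i", "Radar at A is a fire control radar"),
    "i2": ("i", "A SAM battery is at location A"),
    "i3": ("i", "Battery at A is linked to a C2 center"),
    "H1": ("H", "Battery is controlled by the C2 center at golf"),
    "H2": ("H", "Battery is controlled by the C2 center at hotel"),
}
# Each edge is one arrow of inference: (source, destination).
EDGES = [("E1", "i1"), ("E2", "i1"), ("i1", "i2"), ("E3", "i2"),
         ("i2", "i3"), ("i3", "H1"), ("i3", "H2")]


def topological_order(nodes, edges):
    """Kahn's algorithm: order nodes so every arrow points forward.

    Raises ValueError if the arrows form a closed loop."""
    indegree = {name: 0 for name in nodes}
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
        indegree[dst] += 1
    queue = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while queue:
        node = queue.popleft()
        order.append(node)
        for child in children[node]:
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(order) != len(nodes):
        raise ValueError("network contains a cycle of inference")
    return order


def validate(nodes, edges):
    """Return a list of structural problems; an empty list means well formed."""
    problems = []
    known = []
    for src, dst in edges:
        if src not in nodes or dst not in nodes:
            problems.append(f"{src}->{dst}: edge names an unknown node")
            continue
        known.append((src, dst))
        if nodes[dst][0] == "E":
            problems.append(f"{src}->{dst}: inference must not point back at evidence")
        if nodes[src][0] == "H":
            problems.append(f"{src}->{dst}: a final hypothesis must be terminal")
    try:
        topological_order(nodes, known)
    except ValueError as exc:
        problems.append(str(exc))
    # An inference or hypothesis with nothing beneath it is an unstated premise.
    supported = {dst for _, dst in known}
    for name, (kind, _) in nodes.items():
        if kind != "E" and name not in supported:
            problems.append(f"{name}: no evidence or inference supports it (hidden assumption)")
    return problems


def chains_to(nodes, edges, hypothesis):
    """List every chain of reasoning from an evidence node up to `hypothesis`.

    Call validate() first: this walk assumes the network is acyclic."""
    parents = defaultdict(list)
    for src, dst in edges:
        parents[dst].append(src)
    found = []

    def walk(node, tail):
        path = [node] + tail
        if nodes[node][0] == "E":
            found.append(path)
        for parent in parents[node]:
            walk(parent, path)

    walk(hypothesis, [])
    return sorted(found)


if __name__ == "__main__":
    print(validate(NODES, EDGES) or "network is well formed")
    for chain in chains_to(NODES, EDGES, "H1"):
        print(" -> ".join(chain))
```

Listing the chains makes each item of evidence and every intermediate step behind a hypothesis visible, which is the explicit representation the text calls for.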

6.7 Evaluating Competing Hypotheses

Heuer’s research indicated that the single most important technique to overcome cognitive shortcomings is to apply a systematic analytic process that allows objective comparison of alternative hypotheses.

“The simultaneous evaluation of multiple, competing hypotheses entails far greater cognitive strain than examining a single, most-likely hypothesis”

Inferential networks are useful at the detail level, where evidence is rich, and the ACH approach is useful at the higher levels of abstraction and where evidence is sparse. Networks are valuable for automated computation; ACH is valuable for collaborative analytic reasoning, presentation, and explanation. The ACH approach provides a methodology for the concurrent competition of multiple explanations, rather than the focus on the currently most plausible.

The ACH structure approach described by Heuer uses a matrix to organize and describe the relationship between evidence and alternative hypotheses. The sequence of the analysis-synthesis process (Figure 6.11) includes:

  1. Hypothesis synthesis. A multidisciplinary team of analysts creates a set of feasible hypotheses, derived from imaginative consideration of all possibilities before constructing a complete set that merits detailed consideration.
  2. Evidence analysis. Available data is reviewed to locate relevant evidence and inferences that can be assigned to support or refute the hypotheses. Explicitly identify the assumptions regarding evidence and the arguments of inference. Following the processes described in the last chapter, list the evidence-argument pairs (or chains of inference) and identify, for each, the intrinsic value of its contribution and the potential for being subject to denial or deception (D&D).
  3. Matrix synthesis. Construct an ACH matrix that relates evidence-inference to the hypotheses defined in step 1.
  4. Matrix analysis. Assess the diagnosticity (the significance or diagnostic value of the contribution of each component of evidence and related inferences) of each evidence-inference component to each hypothesis. This process proceeds for each item of evidence-inference across the rows, considering how each item may contribute to each hypothesis. An entry may be supporting (consistent with), refuting (inconsistent with), or irrelevant (not applicable) to a hypothesis; a contribution notation (e.g., +, –, or N/A, respectively) is marked within the cell. Where possible, annotate the likelihood (or probability) that this evidence would be observed if the hypothesis is true. Note that the diagnostic significance of an item of evidence is reduced as it is consistent with multiple hypotheses; it has no diagnostic contribution when it supports, to any degree, all hypotheses.
  5. Matrix synthesis (refinement). Evidence assignments are refined, eliminating evidence and inferences that have no diagnostic value.
  6. Hypotheses analysis. The analyst now proceeds to evaluate the likelihood of each hypothesis, by evaluating entries down the columns. The likelihood of each hypothesis is estimated by the characteristics of supporting and refuting evidence (as described in the last chapter). Inconsistencies and gaps in expected evidence provide a basis for retasking; a small but high-confidence item that refutes the preponderance of expected evidence may be a significant indicator of deception. The analyst also assesses the sensitivity of the likely hypothesis to contributing assumptions, evidence, and the inferences; this sensitivity must be reported with conclusions and the consequences if any of these items are in error. This process may lead to retasking of collectors to acquire more data to support or refute hypotheses and to reduce the sensitivity of a conclusion.
  7. Decision synthesis (judgment). Reporting the analytic judgment requires the description of all of the alternatives (not just the most likely), the assumptions, evidence, and inferential chains. The report must also describe the gaps, inconsistencies, and their consequences on judgments. The analyst must also specify what should be done to provide an update on the situation and what indicators might point to significant changes in current judgments.

Notice that the ACH approach deliberately focuses the analyst’s attention on the contribution, significance, and relationships of evidence to hypotheses, rather than on building a case for any one hypothesis. The analytic emphasis is, first, on evidence and inference across the rows, before evaluating hypotheses, down the columns.
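Steps 3 through 6 above can be carried through on a small matrix. The following is an added example, not from the book or from Heuer; the hypotheses, evidence items, and weights are constructed, and ranking hypotheses by the fewest weighted refutations is an assumed scoring rule.

```python
from typing import NamedTuple

SUPPORT, REFUTE, NA = "+", "-", "N/A"

# Step 1 (constructed): competing explanations for activity at location A.
HYPOTHESES = {
    "H1": "Operational SAM battery at A",
    "H2": "Decoy site (deception)",
    "H3": "Civil air-traffic radar site",
}


class Evidence(NamedTuple):
    id: str
    description: str
    weight: int   # assumed intrinsic value of the item (step 2)
    marks: dict   # hypothesis id -> "+", "-" or "N/A" (step 4)


# Steps 2-4 (constructed): one row per evidence-inference item.
EVIDENCE = [
    Evidence("E1", "High-PRF emissions on frequency F", 2,
             {"H1": SUPPORT, "H2": SUPPORT, "H3": REFUTE}),
    Evidence("E2", "Missile canisters seen in imagery", 2,
             {"H1": SUPPORT, "H2": SUPPORT, "H3": REFUTE}),
    Evidence("E3", "Vehicle activity at the site", 1,
             {"H1": SUPPORT, "H2": SUPPORT, "H3": SUPPORT}),
    Evidence("E4", "No C2 link traffic detected", 2,
             {"H1": REFUTE, "H2": SUPPORT, "H3": NA}),
    Evidence("E5", "Resupply convoys of the kind a live battery needs", 1,
             {"H1": SUPPORT, "H2": REFUTE, "H3": NA}),
]


def has_diagnostic_value(marks):
    """An item that supports every hypothesis, or is irrelevant to every
    hypothesis, cannot help choose between them."""
    return set(marks.values()) not in ({SUPPORT}, {NA})


def refine(evidence):
    """Step 5: drop rows with no diagnostic value."""
    return [row for row in evidence if has_diagnostic_value(row.marks)]


def inconsistency_scores(evidence, hypotheses):
    """Step 6, down the columns: total weight of the items refuting each
    hypothesis (assumed scoring rule)."""
    scores = {h: 0 for h in hypotheses}
    for row in evidence:
        for h in hypotheses:
            if row.marks[h] == REFUTE:
                scores[h] += row.weight
    return scores


def rank(evidence, hypotheses):
    """Least-refuted hypothesis first; ties are broken by hypothesis id."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores.items(), key=lambda item: (item[1], item[0]))


def sensitive_items(evidence, hypotheses):
    """Evidence ids whose removal alone changes the top-ranked hypothesis:
    the sensitivity that must be reported with the conclusion."""
    baseline = rank(evidence, hypotheses)[0][0]
    flips = []
    for index, row in enumerate(evidence):
        reduced = evidence[:index] + evidence[index + 1:]
        if rank(reduced, hypotheses)[0][0] != baseline:
            flips.append(row.id)
    return flips


if __name__ == "__main__":
    matrix = refine(EVIDENCE)
    for row in matrix:  # across the rows first
        cells = "  ".join(f"{h}:{row.marks[h]:>3}" for h in HYPOTHESES)
        print(f"{row.id}  {cells}  {row.description}")
    for name, score in rank(matrix, HYPOTHESES):  # then down the columns
        print(f"{name} refuted by weight {score}: {HYPOTHESES[name]}")
    print("conclusion depends on:", sensitive_items(matrix, HYPOTHESES))
```

Here the leading hypothesis rests on a single item (E4), so that item is the natural candidate for retasking of collectors.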

The stages of the structured analysis-synthesis methodology (Figure 6.12) are summarized in the following list:

  • Organize. A data mining tool (described in Chapter 8, Section 8.2.2) automatically clusters related data sets by identifying linkages (relationships) across the different data types. These linked clusters are visualized using link-clustering tools, allowing the analyst to consider the meaningfulness of data links and discover potentially relevant relationships in the real world.
  • Conceptualize. The linked data is translated from the abstract relationship space to diagrams in the temporal and spatial domains to assess real-world implications of the relationships. These temporal and spatial models allow the analyst to conceptualize alternative explanations that will become working hypotheses. Analysis in the time domain considers the implications of sequence, frequency, and causality, while the spatial domain considers the relative location of entities and events.
  • Hypothesize. The analyst synthesizes hypotheses, structuring evidence and inferences into alternative arguments that can be evaluated using the method of alternative competing hypotheses. In the course of this process, the analyst may return to explore the database and linkage diagrams further to support or refute the working hypotheses.

6.8 Countering Denial and Deception

Because the targets of intelligence are usually high-value subjects (e.g., intentions, plans, personnel, weapons or products, facilities, or processes), they are generally protected by some level of secrecy to prevent observation. The means of providing this secrecy generally includes two components:

  1. Denial. Information about the existence, characteristics, or state of a target is denied to the observer by methods of concealment. Camouflage of military vehicles, emission control (EMCON), operational security (OPSEC), and encryption of e-mail messages are common examples of denial, also referred to as dissimulation (hiding the real).
  2. Deception. Deception is the insertion of false information, or simulation (showing the false), with the intent to distort the perception of the observer. The deception can include misdirection (m-type) deception to reduce ambiguity and direct the observer to a simulation—away from the truth—or ambiguity (a-type) deception, which simulates effects to increase the observer’s ambiguity or understanding about the truth.

D&D methods are used independently or in concert to distract or disrupt the intelligence analyst, introducing distortions in the collection channels, ambiguity in the analytic process, errors in the resulting intelligence product, and misjudgment in decisions based on the product. Ultimately, this will lead to distrust of the intelligence product by the decision maker or consumer. Strategic D&D poses an increasing threat to the analyst, as an increasing number of channels for D&D are available to deceivers. Six distinct categories of strategic D&D operations have different target audiences, means of implementation, and objectives.

Propaganda or psychological operations (PSYOP) target a general population using several approaches. White propaganda openly acknowledges the source of the information; gray propaganda uses undeclared sources. Black propaganda purports to originate from a source other than its actual sponsor, protecting the true source (e.g., clandestine radio and Internet broadcast, independent organizations, or agents of influence). Coordinated white, gray, and black propaganda efforts were strategically conducted by the Soviet Union throughout the Cold War as active measures of disinformation.

Leadership deception targets leadership or intelligence consumers, attempting to bypass the intelligence process by appealing directly to the intelligence consumer via other channels. Commercial news channels, untrustworthy diplomatic channels, suborned media, and personal relationships can be exploited to deliver deception messages to leadership (before intelligence can offer D&D cautions) in an effort to establish mindsets in decision makers.

Intelligence deception specifically targets intelligence collectors (technical sensors, communications interceptors, and humans) and subsequently analysts by combining denial of the target data and by introducing false data to disrupt, distract, or deceive the collection or analysis processes (or both processes). The objective is to direct the attention of the sensor or the analyst away from a correct knowledge of a specific target.

Denial operations by means of OPSEC seek to deny access to true intentions and capabilities by minimizing the signatures of entities and activities.

Two primary categories of countermeasures for intelligence deception must be orchestrated to counter either the simple deception of a parlor magician or the complex intelligence deception program of a rogue nation-state. Both collection and analysis measures are required to provide the careful observation and critical thinking necessary to avoid deception. Improvements in collection can provide broader and more accurate coverage, even limited penetration of some covers.

The problem of mitigating intelligence surprise, therefore, must be addressed by considering both large numbers of models or hypotheses (analysis) and large sets of data (collection, storage, and analysis).

In his classic treatise, Stratagem, Barton Whaley exhaustively studied over 100 historical D&D efforts and concluded, “Indeed, this is the general finding of my study—that is, the deceiver is almost always successful regardless of the sophistication of his victim in the same art. On the face of it, this seems an intolerable conclusion, one offending common sense. Yet it is the irrefutable conclusion of historical evidence.”

The components of a rigorous counter D&D methodology, then, include the estimate of the adversary’s D&D plan as an intelligence subject (target) and the analysis of specific D&D hypotheses as alternatives. Incorporating this process within the ACH process described earlier amounts to assuring that reasonable and feasible D&D hypotheses (for which there may be no evidence to induce a hypothesis) are explicitly considered as alternatives.

two active searches for evidence to support, refute, or refine the D&D hypotheses [44]:

  1. Reconstructive inference. This deductive process seeks to detect the presence of spurious signals (Harris calls these sprignals) that are indicators of D&D—the faint evidence predicted by conjectured D&D plans. Such sprignals can be strong evidence confirming hypothesis A (the simulation), weak contradictory evidence of hypothesis C (leakage from the adversary’s dissimulation effort), or missing evidence that should be present if hypothesis A were true.
  2. Incongruity testing. This process searches for inconsistencies in the data and inductively generates alternative explanations that attribute the incongruities to D&D (i.e., D&D explains the incongruity of evidence for more than one reality in simultaneous existence).

These processes should be a part of any rigorous alternative hypothesis process, developing evidence for potential D&D hypotheses while refining the estimate of the adversaries’ D&D intents, plans, and capabilities. The processes also focus attention on special collection tasking to support, refute, or refine current D&D hypotheses being entertained.

Summary

Central to the intelligence cycle, analysis-synthesis requires the integration of human skills and automation to provide description, explanation, and prediction with explicit and quantified judgments that include alternatives, missing evidence, and dissenting views carefully explained. The challenge of discovering the hidden, forecasting the future, and warning of the unexpected cannot be performed with infallibility, yet expectations remain high for the analytic community.

The practical implementation of collaborative analysis-synthesis requires a range of tools to coordinate the process within the larger intelligence cycle, augment the analytic team with reasoning and sensemaking support, overcome human cognitive shortcomings, and counter adversarial D&D.

7

Knowledge Internalization and Externalization

The process of conducting knowledge transactions between humans and computing machines occurs at the intersection between tacit and explicit knowledge, between human reasoning and sensemaking, and the explicit computation of automation. The processes of externalization (tacit-to-explicit transactions) and internalization (explicit-to-tacit transactions) of knowledge, however, are not just interfaces between humans and machines; more properly, the intersection is between human thought, symbolic representations of thought, and the observed world.

7.1 Externalization and Internalization in the Intelligence Workflow

The knowledge-creating spiral described in Chapter 3 introduced the four phases of knowledge creation.

Externalization

Following social interactions with collaborating analysts, an analyst begins to explicitly frame the problem. The process includes the decomposition of the intelligence problem into component parts (as described in Section 2.2) and explicit articulation of essential elements of information required to solve the problem. The tacit-to-explicit transfer includes the explicit listing of these essential elements of information needed, candidate sources of data, the creation of searches for relevant SMEs, and the initiation of queries for relevant knowledge within current holdings and collected all-source data. The primary tools to interact with all-source holdings are query and retrieval tools that search and retrieve information for assessment of relevance by the analyst.

Combination

This explicit-explicit transfer process correlates and combines the collected data in two ways:

  1. Interactive analytic tools. The analyst uses a wide variety of analytic tools to compare and combine data elements to identify relationships and marshal evidence against hypotheses.
  2. Automated data fusion and mining services. Automated data combination services also process high-volume data to bring detections of known patterns and discoveries of “interesting” patterns to the attention of the analyst.

Internalization

The analyst integrates the results of combination in two domains: externally, hypotheses (explicit models and simulations) and decision models (like the alternative competing hypothesis decision model introduced in the last chapter) are formed to explicitly structure the rationale between hypotheses; internally, the analyst develops tacit experience with the structured evidence, hypotheses, and decision alternatives.

Services in the data tier capture incoming data from processing pipelines (e.g., imagery and signals producers), reporting sources (news services, intelligence reporting sources), and open Internet sources being monitored. Content appropriate for immediate processing and production, such as news alerts, indications, and warning events, and critical change data are routed to the operational storage for immediate processing. All data are indexed, transformed, and loaded into the long-term data warehouse or into specialized data stores (e.g., imagery, video, or technical databases). The intelligence services tier includes six basic service categories:

  1. Operational processing. Information filtered for near-real-time criticality is processed to extract and tag content, correlate and combine with related content, and provide updates to operational watch officers. This path applies the automated processes of data fusion and data mining to provide near-real-time indicators, tracks, metrics, and situation summaries.
  2. Indexing, query, and retrieval. Analysts use these services to access the cumulating holdings by both automated subscriptions for topics of interest to be pushed to the user upon receipt and interactive query and retrieval of holdings.
  3. Cognitive (analytic) services. The analysis-synthesis and decision-making processes described in Chapters 5 and 6 are supported by cognitive services (thinking-support tools).
  4. Collaboration services. These services, described in Chapter 4, allow synchronous and asynchronous collaboration between analytic team members.
  5. Digital production services. Analyst-generated and automatically created dynamic products are produced and distributed to consumers based on their specified preferences.
  6. Workflow management. The workflow is managed across all tiers to monitor the flow from data to product, to monitor resource utilization, to assess satisfaction of current priority intelligence requirements, and to manage collaborating workgroups.

7.2 Storage, Query, and Retrieval Services

At the center of the enterprise is the knowledge base, which stores explicit knowledge and provides the means to access that knowledge to create new knowledge.

7.2.1 Data Storage

Intelligence organizations receive a continuous stream of data from their own tasked technical sensors and human sources, as well as from tasked collections of data from open sources. One example might be Web spiders that are tasked to monitor Internet sites for new content (e.g., foreign news services), then to collect, analyze, and index the data for storage. The storage issues posed by the continual collection of high-volume data are numerous:

Diversity. All-source intelligence systems require large numbers of independent data stores for imagery, text, video, geospatial, and special technical data types. These data types are served by an equally high number of specialized applications (e.g., image and geospatial analysis and signal analysis).

Legacy. Storage system designers are confronted with the integration of existing (legacy) and new storage systems; this requires the integration of diverse logical and physical data types.

Federated retrieval and analysis. The analyst needs retrieval, application, and analysis capabilities that span across the entire storage system.

7.2.2 Information Retrieval

Information retrieval (IR) is formally defined as “… [the] actions, methods and procedures for recovering stored data to provide information on a given subject” [2]. Two approaches to query and retrieve stored data or text are required in most intelligence applications:

  1. Data query and retrieval is performed on structured data stored in relational database applications. Imagery, signals, and MASINT data are generally structured and stored in structured formats that employ structured query language (SQL) and SQL extensions for a wide variety of databases (e.g., Access, IBM DB2 and Informix, Microsoft SQL Server, Oracle, and Sybase). SQL allows the user to retrieve data by context (e.g., by location in data tables, such as date of occurrence) or by content (e.g., retrieve all records with a defined set of values).
  2. Text query and retrieval is performed on both structured and unstructured text in multiple languages by a variety of natural language search engines to locate text containing specific words, phrases, or general concepts within a specified context.

Data query methods are employed within the technical data processing pipelines (IMINT, SIGINT, and MASINT). The results of these analyses are then described by analysts in structured or unstructured text in an analytic database for subsequent retrieval by text query methods.

Moldovan and Harabagiu have defined a five-level taxonomy of Q&A systems (Table 7.1) that range from the common keyword search engine that searches for relevant content (class 1) to reasoning systems that solve complex natural language problems (class 5) [3]. Each level requires increasing scope of knowledge, depth of linguistic understanding, and sophistication of reasoning to translate relevant knowledge to an answer or solution.

 

The first two levels of current search capabilities locate and return relevant content based on keywords (content) or the relationships between clusters of words in the text (concept).

While class 1 capabilities only match and return content that matches the query, class 2 capabilities integrate the relevant data into a simple response to the question.

Class 3 capabilities require the retrieval of relevant knowledge and reasoning about that knowledge to deduce answers to queries, even when the specific answer is not explicitly stated in the knowledge base. This capability requires the ability to both reason from general knowledge to specific answers and provide rationale for those answers to the user.

Class 4 and 5 capabilities represent advanced capabilities, which require robust knowledge bases that contain sophisticated knowledge representation (assertions and axioms) and reasoning (mathematical calculation, logical inference, and temporal reasoning).

7.3 Cognitive (Analytic Tool) Services

Cognitive services support the analyst in the process of interactively analyzing data, synthesizing hypotheses, and making decisions (choosing among alternatives). These interactive services support the analysis-synthesis activities described in Chapters 5 and 6. Alternatively called thinking tools, analytics, knowledge discovery, or analytic tools, these services enable the human to transform and view data, create and model hypotheses, and compare alternative hypotheses and consequences of decisions.

  • Exploration tools allow the analyst to interact with raw or processed multimedia (text, numerical data, imagery, video, or audio) to locate and organize content relevant to an intelligence problem. These tools provide the ability to search and navigate large volumes of source data; they also provide automated taxonomies of clustered data and summaries of individual documents. The information retrieval functions described in the last subsection are within this category. The product of exploration is generally a relevant set of data/text organized and metadata tagged for subsequent analysis. The analyst may drill down to detail from the lists and summaries to view the full content of all items identified as relevant.
  • Reasoning tools support the analyst in the process of correlating, comparing, and combining data across all of the relevant sources. These tools support a wide variety of specific intelligence target analyses:
      • Temporal analysis. This is the creation of timelines of events, dynamic relationships, event sequences, and temporal transactions (e.g., electronic, financial, or communication).
      • Link analysis. This involves automated exploration of relationships among large numbers of different types of objects (entities and events).
      • Spatial analysis. This is the registration and layering of 3D data sets and creation of 3D static and dynamic models from all-source evidence. These capabilities are often met by commercial geospatial information system and computer-aided design (CAD) software.
      • Functional analysis. This is the analysis of processes and expected observables (e.g., manufacturing, business, and military operations, social networks and organizational analysis, and traffic analysis).

These tools aid the analyst in five key analytic tasks:

  1. Correlation: detection and structuring of relationships or linkages between different entities or events in time, space, function, or interaction; association of different reports or content related to a common entity or event;
  2. Combination: logical, functional, or mathematical joining of related evidence to synthesize a structured argument, process, or quantitative estimate;
  3. Anomaly detection: detection of differences between expected (or modeled) characteristics of a target;
  4. Change detection: detection of changes in a target over time—the changes may include spectral, spatial, or other phenomenological changes;
  5. Construction: synthesis of a model or simulation of entities or events and their interactions based upon evidence and conjecture.

Sensemaking tools support the exploration, evaluation, and refinement of alternative hypotheses and explanations of the data. Argumentation structuring, modeling, and simulation tools in this category allow analysts to be immersed in their hypotheses and share explicit representations with other collaborators. This immersion process allows the analytic team to create shared meaning as they experience the alternative explanations.

Decision support (judgment) tools assist analytic decision making by explicitly estimating and comparing the consequences and relative merits of alternative decisions.

These tools include models and simulations that permit the analyst to create and evaluate alternative COAs and weigh the decision alternatives against objective decision criteria. Decision support systems (DSSs) apply the principles of probability to express uncertainty and decision theory to create and assess attributes of decision alternatives and quantify the relative utility of alternatives. Normative, or decision-analytic DSSs, aid the analyst in structuring the decision problem and in computing the many factors that lead from alternatives to quantifiable attributes and resulting utilities. These tools often relate attributes to utility by influence diagrams and compute utilities (and associated uncertainties) using Bayes networks.

The tools progressively move from data as the object of analysis (for exploration) to clusters of related information, to hypotheses, and finally on to decisions, or analytic judgments.

Intelligence workflow management software can provide a means to organize the process by providing the following functions:

  • Requirements and progress tracking: maintains list of current intelligence requirements, monitors tasking to meet the requirements, links evidence and hypotheses to those requirements, tracks progress toward meeting requirements, and audits results;
  • Relevant data linking: maintains ontology of subjects relevant to the intelligence requirements and their relationships and maintains a database of all relevant data (evidence);
  • Collaboration directory: automatically locates and updates a directory of relevant subject matter experts as the problem topic develops.

In this example, an intelligence consumer has requested specific intelligence on a drug cartel named “Zehga” to support counter-drug activities in a foreign country. The sequence of one analyst’s use of tools in the example includes:

  1. The process begins with synchronous collaboration with other analysts to discuss the intelligence target (Zehga) and the intelligence requirements to understand the cartel organization structure, operations, and finances. The analyst creates a peer-to-peer collaborative workspace that contains requirements, essential elements of information (EEIs) needed, current intelligence, and a directory of team members before inviting additional counter-drug subject matter experts to the shared space.
  2. The analyst opens a workflow management tool to record requirements, key concepts and keywords, and team members; the analyst will link results to the tool to track progress in delivering finished intelligence. The tool is also used to request special tasking from technical collectors (e.g., wiretaps) and field offices.
  3. Once the problem has been externalized in terms of requirements and EEIs needed, the sources and databases to be searched are selected (e.g., country cables, COMINT, and foreign news feeds and archives). Key concepts and keywords are entered into IR tools; these tools search current holdings and external sources, retrieving relevant multimedia content. The analyst also sets up monitor parameters to continually check certain sources (e.g., field office cables and foreign news sites) for changes or detections of relevant topics; when detected, the analyst will be alerted to the availability of new information.
  4. The IR tools also create a taxonomy of the collected data sets, structuring the catch into five major categories: Zehga organization (personnel), events, finances, locations, and activities. The taxonomy breaks each category into subcategories of clusters of related content. Documents located in open-source foreign news reports are translated into English, and all documents are summarized into 55-word abstracts.
  5. The analyst views the taxonomy and drills down to summaries, then views the full content of the most critical items to the investigation. Selected items (or hyperlinks) are saved to the shared knowledge base for a local repository relevant to the investigation.
  6. The retrieved catch is analyzed with text mining tools that discover and list the multidimensional associations (linkages or relationships) between entities (people, phone numbers, bank account numbers, and addresses) and events (meetings, deliveries, and crimes).
  7. The linked lists are displayed on a link-analysis tool to allow the analyst to manipulate and view the complex web of relationships between people, communications, finances, and the time sequence of activities. From these network visuals, the analyst begins discovering the Zehga organizational structure, relationships to other drug cartels and financial institutions, and the timeline of explosive growth of the cartel’s influence.
  8. The analyst internalizes these discoveries by synthesizing a Zehga organization structure and associated financial model, filling in the gaps with conjectures that result in three competing hypotheses: a centralized model, a federated model, and a loose network model. These models are created using a standard financial spreadsheet and a network relationship visualization tool. The process of creating these hypotheses causes the analyst to frequently return to the knowledge base to review retrieved data, to issue refined queries to fill in the gaps, and to further review the results of link analyses. The model synthesis process causes the analyst to internalize impressions of confidence, uncertainty, and ambiguity in the evidence, and the implications of potential missing or negative evidence. Here, the analyst ponders the potential for denial and deception tactics and the expected subtle “sprignals” that might appear in the data.
  9. An ACH matrix is created to compare the accrued evidence and argumentation structures supporting each of the competing models. At any time, this matrix and the associated organizational-financial models summarize the status of the intelligence process; these may be posted on the collaboration space and used to identify progress on the workflow management tool.
  10. The analyst further internalizes the situation by applying a decision support tool to consider the consequences or implications of each model on counter-drug policy courses of action relative to the Zehga cartel.
  11. Once the analyst has reached a level of confidence to make objective analytic judgments about hypotheses, results can be digitally published to the requesting consumers and to the collaborative workgroup to begin socialization—and another cycle to further refine the results. (The next section describes the digital publication process.)

 

Commercial tool suites such as Wincite’s eWincite, Wisdom Builder’s Wisdombuilder, and Cipher’s Knowledge.Works similarly integrate text-based tools to support competitive intelligence analysis.

Tacit capture and collaborative filtering monitors the activities of all users on the network and uses statistical clustering methods to identify the emergent clusters of interest that indicate communities of common practice. Such filtering could identify and alert these two analysts to other analysts that are converging on a common suspect from other directions (e.g., money laundering and drug trafficking).

7.4 Intelligence Production, Dissemination, and Portals

The externalization-to-internalization workflow results in the production of digital intelligence content suitable for socialization (collaboration) across users and consumers. This production and dissemination of intelligence from KM enterprises has transitioned from static, hardcopy reports to dynamically linked digital softcopy products presented on portals.

Digital production processes employ content technologies that index, structure, and integrate fragmented components of content into deliverable products. In the intelligence context, content includes:

  1. Structured numerical data (imagery, relational database queries) and text [e.g., extensible markup language (XML)-formatted documents] as well as unstructured information (e.g., audio, video, text, and HTML content from external sources);
  2. Internally or externally created information;
  3. Formally created information (e.g., cables, reports, and imagery or signals analyses) as well as informal or ad hoc information (e.g., e-mail, and collaboration exchanges);
  4. Static or active (e.g., dynamic video or even interactive applets) content.

The key to dynamic assembly is the creation and translation of all content to a form that is understood by the KM system. While most intelligence data is transactional and structured (e.g., imagery, signals, MASINT), intelligence and open-source documents are unstructured. While the volume of open-source content available on the Internet and closed-source intelligence content grows exponentially, the content remains largely unstructured.

Content technology provides the capability to transform all sources to a common structure for dynamic integration and personalized publication. XML offers a method of embedding content descriptions by tagging each component with descriptive information that allows automated assembly and distribution of multimedia content.

Intelligence standards being developed include an intelligence information markup language (ICML) specification for intelligence reporting and metadata standards for security, specifying digital signatures (XML-DSig), security/encryption (XML-Sec), key management (XML-KMS), and information security marking (XML-ISM) [12]. Such tagging makes the content interoperable; it can be reused and automatically integrated in numerous ways:

  • Numerical data may be correlated and combined.
  • Text may be assembled into a complete report (e.g., target abstract, targetpart1, targetpart2, …, related targets, most recent photo, threat summary, assessment).
  • Various formats may be constructed from a single collection of contents to suit unique consumer needs (e.g., portal target summary format, personal digital assistant format, or pilot’s cockpit target folder format).

A document object model (DOM) tree can be created from the integrated result to transform the result into a variety of formats (e.g., HTML or PDF) for digital publication.
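The assembly described above, as an added example that is not taken from the book or from any system it describes: tagged components are pulled into a product by a template, components whose security marking exceeds the consumer's ceiling (or that carry no marking) are withheld, and the same tree is rendered in two formats. The element names, attribute names, marking levels and sample content are all hypothetical and are not ICML or XML-ISM vocabulary.

```python
import xml.etree.ElementTree as ET
from html import escape

# Constructed sample content. Element/attribute names and marking values are
# hypothetical; a real feed would follow the applicable markup standard.
CONTENT = """
<components>
  <component role="threat-summary" marking="RESTRICTED" source="analyst">Air defence site active.</component>
  <component role="target-abstract" marking="OPEN" source="open-source">Bridge at grid &lt;A1&gt; &amp; adjacent depot.</component>
  <component role="assessment" marking="CLOSED" source="sigint">Crossing planned within 48 hours.</component>
  <component role="target-part" marking="OPEN" source="imint" seq="2">Eastern span: steel truss.</component>
  <component role="target-part" marking="OPEN" source="imint" seq="1">Western span: concrete.</component>
  <component role="threat-summary" source="e-mail">Unmarked note.</component>
</components>
"""

# Assumed ordering of the hypothetical markings, lowest to highest.
LEVELS = {"OPEN": 0, "RESTRICTED": 1, "CLOSED": 2}

# Product template: the order in which roles appear in the finished report.
TEMPLATE = ["target-abstract", "target-part", "threat-summary", "assessment"]


def releasable(component, ceiling):
    """Fail closed: a missing or unknown marking is never released."""
    level = LEVELS.get(component.get("marking", ""))
    return level is not None and level <= LEVELS[ceiling]


def assemble(xml_text, ceiling, template=TEMPLATE):
    """Build a product tree from tagged components for one consumer ceiling.

    The sample is embedded and trusted; content from an untrusted feed
    should go through a hardened XML parser before reaching this step.
    """
    root = ET.fromstring(xml_text)
    product = ET.Element("product", {"ceiling": ceiling})
    for role in template:
        parts = [c for c in root.iter("component")
                 if c.get("role") == role and releasable(c, ceiling)]
        # Multi-part roles carry a sequence number; single parts default to 0.
        parts.sort(key=lambda c: int(c.get("seq", "0")))
        for c in parts:
            section = ET.SubElement(
                product, "section", {"role": role, "marking": c.get("marking")})
            section.text = (c.text or "").strip()
    return product


def render_html(product):
    """Portal format. Every value is escaped so content cannot inject markup."""
    rows = [
        '<p class="{}">[{}] {}</p>'.format(
            escape(s.get("role")), escape(s.get("marking")), escape(s.text))
        for s in product.iter("section")
    ]
    return "<article>\n" + "\n".join(rows) + "\n</article>"


def render_text(product):
    """Plain-text format built from the same product tree."""
    return "\n".join(
        "({}) {}".format(s.get("marking"), s.text)
        for s in product.iter("section"))


if __name__ == "__main__":
    for ceiling in ("OPEN", "CLOSED"):
        print("--- ceiling:", ceiling)
        print(render_text(assemble(CONTENT, ceiling)))
    print(render_html(assemble(CONTENT, "RESTRICTED")))
```

The marking travels with each section into the product, so a downstream renderer or redistribution step can re-check it instead of trusting the assembler.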

The analysis and single-source publishing architecture adopted by the U.S. Navy Command 21 K-Web (Figure 7.7) illustrates a highly automated digital production process for intelligence and command applications [14]. The production workflow in the figure includes the processing, analysis, and dissemination steps of the intelligence cycle:

  1. Content collection and creation (processing and analysis). Both quantitative technical data and unstructured text are received, and content is extracted and tagged for subsequent processing. This process is applied to legacy data (e.g., IMINT and SIGINT reports), structured intelligence message traffic, and unstructured sources (e.g., news reports and intelligence e-mail). Domain experts may support the process by creating metadata in a predefined XML metadata format to append to audio, video, or other nontext sources. Metadata includes source, pedigree, time of collection, and format information. New content created by analysts is entered in standard XML DTD templates.
  2. Content applications. XML-tagged content is entered in the data mart, where data applications recognize, correlate, consolidate, and summarize content across the incoming components. A correlation agent may, for example, correlate all content relative to a new event or entity and pass the content on to a consolidation agent to index the components for subsequent integration into an event or target report. The data (and text) fusion and mining functions described in the next chapter are performed here.
  3. Content management-product creation (production). Product templates dictate the aggregation of content into standard intelligence products: warnings, current intelligence, situation updates, and target status. These composite XML-tagged products are returned to the data mart.
  4. Content publication and distribution. Intelligence products are personalized in terms of both style (presentation formats) and distribution (to users with an interest in the product). Users may explicitly define their areas of interests, or the automated system may monitor user activities (through queries, collaborative discussion topics, or folder names maintained) to implicitly estimate areas of interest to create a user’s personal profile. Presentation agents choose from the style library and user profiles to create distribution lists for content to be delivered via e-mail, pushed to users’ custom portals, or stored in the data mart for subsequent retrieval. The process of content syndication applies an information and content exchange (ICE) standard to allow a single product to be delivered in multiple styles and to provide automatic content update across all users.

The user’s single entry point is a personalized portal (or Web portal) that provides an organized entry into the information available on the intelligence enterprise.

7.5 Human-Machine Information Transactions and Interfaces

In all of the services and tools described in the previous sections, the intelligence analyst interacts with explicitly collected data, applying his or her own tacit knowledge about the domain of interest to create estimates, descriptions, explanations, and predictions based on collected data. This interaction between the analyst and KM systems requires efficient interfaces to conduct the transaction between the analyst and machine.

7.5.1 Information Visualization

Edward Tufte introduced his widely read text Envisioning Information with the prescient observation that, “Even though we navigate daily through a perceptual world of three dimensions and reason occasionally about higher dimensional arena with mathematical ease, the world portrayed on our information displays is caught up in the two-dimensionality of the flatlands of paper and video screen”. Indeed, intelligence organizations are continually seeking technologies that will allow analysts to escape from this flatland.

The essence of visualization is to provide multidimensional information to the analyst in a form that allows immediate understanding by this visual form of thinking.

A wide range of visualization methods are employed in analysis (Table 7.6) to allow the user to:

  • Perceive patterns and rapidly grasp the essence of large complex (multi-dimensional) information spaces, then navigate or rapidly browse through the space to explore its structure and contents;
  • Manipulate the information and visual dimensions to identify clusters of associated data, patterns of linkages and relationships, trends (temporal behavior), and outlying data;
  • Combine the information by registering, mathematically or logically joining (fusing), or overlaying.

 

7.5.2 Analyst-Agent Interaction

Intelligent software agents tailored to support knowledge workers are being developed to provide autonomous automated support in the information retrieval and exploration tasks introduced throughout this chapter. These collaborative information agents, operating in multiagent networks, provide the potential to amplify the analyst’s exploration of large bodies of data, as they search, organize, structure, and reason about findings before reporting results. Information agents are being developed to perform a wide variety of functions, as an autonomous collaborating community under the direction of a human analyst, including:

  • Personal information agents (PIMs) coordinate an analyst’s searches and organize bookmarks to relevant information; like a team of librarians, the PIMs collect, filter, and recommend relevant materials for the analyst.
  • Brokering agents mediate the flow of information between users and sources (databases, external sources, collection processors); they can also act as sentinels to monitor sources and alert users to changes or the availability of new information.
  • Planning agents accept requirements and create plans to coordinate agents and task resources to meet user goals.

Agents also offer the promise of a means of interaction with the analyst that emulates face-to-face conversation, and will ultimately allow information agents to collaborate as (near) peers with individuals and teams of human analysts. These interactive agents (or avatars) will track the analyst (or analytic team) activities and needs to conduct dialogue with the analysts—in terms of the semantic concepts familiar to the topic of interest—to contribute the following kinds of functions:

  • Agent conversationalists that carry on dialogue to provide high-bandwidth interactions that include multimodal input from the analyst (e.g., spoken natural language, keyboard entries, and gestures and gaze) and multimodal replies (e.g., text, speech, and graphics). Such conversationalists will increase “discussions” about concepts, relevant data, and possible hypotheses [23].
  • Agent observers that monitor analyst activity, attention, intention, and task progress to converse about suggested alternatives, potentials for denial and deception, or warnings that the analyst’s actions imply cognitive shortcomings (discussed in Chapter 6) may be influencing the analysis process.
  • Agent contributors that will enter into collaborative discussions to interject alternatives, suggestions, or relevant data.

The integration of collaborating information agents and information visualization technologies holds the promise of more efficient means of helping analysts find and focus on relevant information, but these technologies require greater maturity to manage uncertainty, dynamically adapt to the changing analytic context, and understand the analyst’s intentions.

7.6 Summary

The analytic workflow requires a constant interaction between the cognitive and visual-perceptive processes in the analyst’s mind and the explicit representations of knowledge in the intelligence enterprise.

 

8 Explicit Knowledge Capture and Combination

In the last chapter, we introduced analytic tools that allow the intelligence analyst to interactively correlate, compare, and combine numerical data and text to discover clusters and relationships among events and entities within large databases. These interactive combination tools are considered to be goal-driven processes: the analyst is driven by a goal to seek solutions within the database, and the reasoning process is interactive with the analyst and machine in a common reasoning loop. This chapter focuses on the largely automated combination processes that tend to be data driven: as data continuously arrives from intelligence sources, the incoming data drives a largely automated process that continually detects, identifies, and tracks emerging events of interest to the user. These parallel goal-driven and data-driven processes were depicted as complementary combination processes in the last chapter.

In all cases, the combination processes help sources to cross-cue each other, locate and identify target events and entities, detect anomalies and changes, and track dynamic targets.

8.1 Explicit Capture, Representation, and Automated Reasoning

The term combination introduced by Nonaka and Takeuchi in the knowledge-creation spiral is an abstraction to describe the many functions that are performed to create knowledge, such as correlation, association, reasoning, inference, and decision (judgment). This process requires the explicit representation of knowledge; in the intelligence application this includes knowledge about the world (e.g., incoming source information), knowledge of the intelligence domain (e.g., characteristics of specific weapons of mass destruction and their production and deployment processes), and the more general procedural knowledge about reasoning.

 

The DARPA Rapid Knowledge Formation (RKF) project and its predecessor, the High-Performance Knowledge Base project, represent ambitious research aimed at providing a robust explicit knowledge capture, representation, and combination (reasoning) capability targeted toward the intelligence analysis application [1]. The projects focused on developing the tools to create and manage shared, reusable knowledge bases on specific intelligence domains (e.g., biological weapons subjects); the goal is to enable creation of over one million axioms of knowledge per year by collaborating teams of domain experts. Such a knowledge base requires a computational ontology—an explicit specification that defines a shared conceptualization of reality that can be used across all processes.

The challenge is to encode knowledge through the instantiation and assembly of generic knowledge components that can be readily entered and understood by domain experts (appropriate semantics) and provide sufficient coverage to encompass an expert-level of understanding of the domain. The knowledge base must have fundamental knowledge of entities (things that are), events (things that happen), states (descriptions of stable event characteristics), and roles (entities in the context of events). It must also describe knowledge of the relationships between (e.g. cause, object of, part of, purpose of, or result of) and properties (e.g., color, shape, capability, and speed) of each of these.

8.2 Automated Combination

Two primary categories of the combination processes can be distinguished, based on their approach to inference; each is essential to intelligence processing and analysis.

The inductive process of data mining discovers previously unrecognized patterns in data (new knowledge about characteristics of an unknown pattern class) by searching for patterns (relationships in data) that are in some sense “interesting.” The discovered candidates are usually presented to human users for analysis and validation before being adopted as general cases [3].

The deductive process, data fusion, detects the presence of previously known patterns in many sources of data (new knowledge about the existence of a known pattern in the data). This is performed by searching for specific pattern templates in sensor data streams or databases to detect entities, events, and complex situations comprised of interconnected entities and events.

Data sets used by these processes for knowledge creation are incomplete, dynamic, and contain data contaminated by noise. These factors make the following process characteristics apply:

  • Pattern descriptions. Data mining seeks to induce general pattern descriptions (reference patterns, templates, or matched filters) to characterize data understood, while data fusion applies those descriptions to detect the presence of patterns in new data.
  • Uncertainty in inferred knowledge. The data and reference patterns are uncertain, leading to uncertain beliefs or knowledge.
  • Dynamic state of inferred knowledge. The process is sequential and inferred knowledge is dynamic, being refined as new data arrives.
  • Use of domain knowledge. Knowledge about the domain (e.g., constraints, context) may be used in addition to collected raw intelligence data.

8.2.1 Data Fusion

Data fusion is an adaptive knowledge creation process in which diverse elements of similar or dissimilar observations (data) are aligned, correlated, and combined into organized and indexed sets (information), which are further assessed to model, understand, and explain (knowledge) the makeup and behavior of a domain under observation.

The data-fusion process seeks to explain an adversary (or uncooperative) intelligence target by abstracting the target and its observable phenomena into a causal or relationship model, then applying all-source observation to detect entities and events to estimate the properties of the model. Consider the levels of representation in the simple target-observer processes in Figure 8.2 [6]. The adversary leadership holds to goals and values that create motives; these motives, combined with beliefs (created by perception of the current situation), lead to intentions. These intentions lead to plans and responses to the current situation; from alternative plans, decisions are made that lead to commands for action. In a hierarchical military, or a networked terrorist organization, these commands flow to activities (communication, logistics, surveillance, and movements). Using the three domains of reality terminology introduced in Chapter 5, the motive-to-decision events occur in the adversary’s cognitive domain with no observable phenomena.

The data-fusion process uses observable evidence from both the symbolic and physical domains to infer the operations, communications, and even the intentions of the adversary.

The emerging concept of effects-based military operations (EBO) requires intelligence products that provide planners with the ability to model the various effects influencing a target that make up a complex system. Planners and operators require intelligence products that integrate models of the adversary physical infrastructure, information networks, and leadership and decision making.

The U.S. DoD JDL has established a formal process model of data fusion that decomposes the process into five basic levels of information-refining processes (based upon the concept of levels of information abstraction) [8]:

  • Level 0: Data (or subobject) refinement. This is the correlation across signals or data (e.g., pixels and pulses) to recognize components of an object and the correlation of those components to recognize an object.
  • Level 1: Object refinement. This is the correlation of all data to refine individual objects within the domain of observation. (The JDL model uses the term object to refer to real-world entities; however, the subject of interest may be a transient event in time as well.)
  • Level 2: Situation refinement. This is the correlation of all objects (information) within the domain to assess the current situation.
  • Level 3: Impact refinement. This is the correlation of the current situation with environmental and other constraints to project the meaning of the situation (knowledge). The meaning of the situation refers to its implications to the user: threat, opportunity, change, or consequence.
  • Level 4: Process refinement. This is the continual adaptation of the fusion process to optimize the delivery of knowledge against a defined mission objective.

 

8.2.1.1 Level 0: Data Refinement

Raw data from sensors may be calibrated, corrected for bias and gain errors, limited (thresholded), and filtered to remove systematic noise sources. Object detection may occur at this point—in individual sensors or across multiple sensors (so-called predetection fusion). The object-detection process forms observation reports that contain data elements such as observation identifier, time of measurement, measurement or decision data, decision, and uncertainty data.

8.2.1.2 Level 1: Object Refinement

Sensor and source reports are first aligned to a common spatial reference (e.g., a geographic coordinate system) and temporal reference (e.g., samples are propagated forward or backward to a common time). These alignment transformations place the observations in a common time-space coordinate system to allow an association process to determine which observations from different sensors have their source in a common object. The association process uses a quantitative correlation metric to measure the relative similarity between observations. The typical correlation metric, C, takes on the following form:

$$C = \sum_{i=1}^{n} w_i x_i$$

Where:
$w_i$ = weighting coefficient for attribute $x_i$.

$x_i$ = $i$th correlation attribute metric.

The correlation metric may be used to make a hard decision (an association), choosing the most likely pairings of observations, or a deferred decision, assigning more than one hypothetical pairing and deferring a hard decision until more observations arrive. Once observations have been associated, two functions are performed on each associated set of measurements for a common object:

  1. Tracking. For dynamic targets (vehicles or aircraft), the current state of the object is correlated with previously known targets to determine if the observation can update a model of an existing model (track). If the newly associated observations are determined to be updates to an existing track, the state estimation model for the track (e.g., a Kalman filter) is updated; otherwise, a new track is initiated.
  2. Identification. All associated observations are used to determine if the object identity can be classified to any one of several levels (e.g., friend/foe, vehicle class, vehicle type or model, or vehicle status or intent).
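The level 1 association step described above, as an added example that is not from the book: reports are propagated to a common time, scored with C = Σ w_i x_i, and resolved as a hard decision, a deferred decision, or a new track. The attribute set, weights, scale factors, thresholds and sample reports are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Observation:
    obs_id: str
    sensor: str
    t: float       # time of measurement, seconds
    x: float       # position in the common spatial frame, km
    y: float
    vx: float      # velocity, km/s
    vy: float
    emitter: str   # categorical attribute reported by the sensor


# Assumed weighting coefficients w_i (they sum to 1) and similarity scales.
WEIGHTS = {"position": 0.5, "velocity": 0.3, "emitter": 0.2}
POS_SCALE_KM = 2.0
VEL_SCALE_KMS = 0.05


def align(obs, t_ref):
    """Temporal alignment: propagate a report forward or backward to the
    common time t_ref, assuming constant velocity."""
    dt = t_ref - obs.t
    return replace(obs, t=t_ref, x=obs.x + obs.vx * dt, y=obs.y + obs.vy * dt)


def attribute_metrics(a, b):
    """Per-attribute similarity x_i in [0, 1] for two aligned observations."""
    d = math.hypot(a.x - b.x, a.y - b.y)
    dv = math.hypot(a.vx - b.vx, a.vy - b.vy)
    return {
        "position": math.exp(-d / POS_SCALE_KM),
        "velocity": math.exp(-dv / VEL_SCALE_KMS),
        "emitter": 1.0 if a.emitter == b.emitter else 0.0,
    }


def correlation(a, b):
    """Correlation metric C = sum_i w_i * x_i."""
    x = attribute_metrics(a, b)
    return sum(WEIGHTS[k] * x[k] for k in WEIGHTS)


def associate(new_obs, candidates, t_ref, accept=0.7, margin=0.1):
    """Return (decision, candidate_ids).

    hard      -> one candidate clearly scores best: associate now
    deferred  -> several candidates score within `margin` of the best:
                 keep every hypothesis until more observations arrive
    new_track -> nothing scores above `accept`: start a new track
    """
    n = align(new_obs, t_ref)
    scored = sorted(
        ((correlation(n, align(c, t_ref)), c.obs_id) for c in candidates),
        reverse=True,
    )
    plausible = [(s, i) for s, i in scored if s >= accept]
    if not plausible:
        return ("new_track", [])
    best = plausible[0][0]
    rivals = sorted(i for s, i in plausible if best - s < margin)
    if len(rivals) == 1:
        return ("hard", rivals)
    return ("deferred", rivals)


# Constructed sample reports: three radar reports at t=0 and three reports
# from a second sensor at t=10 that must be associated with them.
RADAR = [
    Observation("R1", "radar", 0.0, 10.0, 5.0, 0.2, 0.0, "X-band"),
    Observation("R2", "radar", 0.0, 11.0, 5.5, 0.2, 0.0, "X-band"),
    Observation("R3", "radar", 0.0, 40.0, 20.0, -0.1, 0.1, "S-band"),
]
ESM_CLEAR = Observation("E1", "esm", 10.0, 12.1, 5.0, 0.2, 0.0, "X-band")
ESM_AMBIGUOUS = Observation("E2", "esm", 10.0, 12.5, 5.25, 0.2, 0.0, "X-band")
ESM_UNKNOWN = Observation("E3", "esm", 10.0, 80.0, 80.0, 0.0, 0.3, "L-band")

if __name__ == "__main__":
    for obs in (ESM_CLEAR, ESM_AMBIGUOUS, ESM_UNKNOWN):
        print(obs.obs_id, associate(obs, RADAR, t_ref=10.0))
```

The ambiguous report sits midway between two radar objects flying in formation, so both pairings are kept rather than forcing a choice.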

8.2.1.3 Level 2: Situation Refinement

All objects placed in space-time context in an information base are analyzed to detect relationships based on spatial or temporal characteristics. Aggregate sets of objects are detected by their coordinated behavior, dependencies, proximity, common point of origin, or other characteristics using correlation metrics with high-level attributes (e.g., spatial geometries or coordinated behavior). The synoptic understanding of all objects, in their space-time context, provides situation knowledge, or awareness.

8.2.1.4 Level 3: Impact (or Threat) Refinement

Situation knowledge is used to model and analyze feasible future behaviors of objects, groups, and environmental constraints to determine future possible outcomes. These outcomes, when compared with user objectives, provide an assessment of the implications of the current situation. Consider, for example, a simple counter-terrorism intelligence situation that is analyzed in the sequence in Figure 8.4.

8.2.1.5 Level 4: Process Refinement

This process provides feedback control of the collection and processing activities to achieve the intelligence requirements. At the top level, current knowledge (about the situation) is compared to the intelligence requirements required to achieve operational objectives to determine knowledge shortfalls. These shortfalls are parsed, downward, into information, then data needs, which direct the future acquisition of data (sensor management) and the control of internal processes. Processes may be refined, for example, to focus on certain areas of interest, object types, or groups. This forms the feedback loop of the data-fusion process.

8.2.2 Data Mining

Data mining is the process by which large sets of data (or text in the specific case of text mining) are cleansed and transformed into organized and indexed sets (information), which are then analyzed to discover hidden and implicit, but previously undefined, patterns. These patterns are reviewed by domain experts to determine if they reveal new understandings of the general structure and relationships (knowledge) in the data of a domain under observation.

The object of discovery is a pattern, which is defined as a statement in some language, L, that describes relationships in subset Fs of a set of data, F, such that:

  1. The statement holds with some certainty, c;
  2. The statement is simpler (in some sense) than the enumeration of all facts in Fs [13].

This is the inductive generalization process described in Chapter 5. Mined knowledge, then, is formally defined as a pattern that is interesting, according to some user-defined criterion, and certain to a user-defined measure of degree.

In application, the mining process is extended from explanations of limited data sets to more general applications (induction). In this example, a relationship pattern between three terrorist cells may be discovered that includes intercommunication, periodic travel to common cities, and correlated statements posted on the Internet.

Data mining (also called knowledge discovery) is distinguished from data fusion by two key characteristics:

  1. Inference method. Data fusion employs known patterns and deductive reasoning, while data mining searches for hidden patterns using inductive reasoning.
  2. Temporal perspective. The focus of data fusion is retrospective (determining current state based on past data), while data mining is both retrospective and prospective—focused on locating hidden patterns that may reveal predictive knowledge.

Beginning with sensors and sources, the data warehouse is populated with data, and successive functions move the data toward learned knowledge at the top. The sources, queries, and mining processes may be refined, similar to data fusion. The functional stages in the figure are described next.

  • Data warehouse. Data from many sources are collected and indexed in the warehouse, initially in the native format of the source. One of the chief issues facing many mining operations is the reconciliation of diverse databases that have different formats (e.g., field and record sizes and parameter scales), incompatible data definitions, and other differences. The warehouse collection process (flow in) may mediate between these input sources to transform the data before storing in common form [20].
  • Data cleansing. The warehoused data must be inspected and cleansed to identify and correct or remove conflicts, incomplete sets, and incompatibilities common to combined databases. Cleansing may include several categories of checks:
      1. Uniformity checks verify the ranges of data, determine if sets exceed limits, and verify that format versions are compatible.
      2. Completeness checks evaluate the internal consistency of data sets to ensure, for example, that aggregate values are consistent with individual data components (e.g., “verify that total sales is equal to sum of all sales regions, and that data for all sales regions is present”).
      3. Conformity checks exhaustively verify that each index and reference exists.
      4. Genealogy checks generate and check audit trails to primitive data to permit analysts to drill down from high-level information.
  • Data selection and transformation. The types of data that will be used for mining are selected on the basis of relevance. For large operations, initial mining may be performed on a small set, then extended to larger sets to check for the validity of abducted patterns. The selected data may then be transformed to organize all data into common dimensions and to add derived dimensions as necessary for analysis.
  • Data mining operations. Mining operations may be performed in a supervised manner in which the analyst presents the operator with a selected set of training data, in which the analyst has manually determined the existence of pattern classes. Alternatively, the operation may proceed without supervision, performing an automated search for patterns. A number of techniques are available (Table 8.4), depending upon the type of data and search objectives (interesting pattern types).
  • Discovery modeling. Prediction or classification models are synthesized to fit the data patterns detected. This is the proscriptive aspect of mining: modeling the historical data in the database (the past) to provide a model to predict the future. The model attempts to abduct a generalized description that explains discovered patterns of interest and, using statistical inference from larger volumes of data, seeks to induct generally applicable models. Simple extrapolation, time-series trends, complex linked relationships, and causal mathematical models are examples of models created.
  • Visualization. The analyst uses visualization tools that allow discovery of interesting patterns in the data. The automated mining operations cue the operator to discovered patterns of interest (candidates), and the analyst then visualizes the pattern and verifies if, indeed, it contains new and useful knowledge. OLAP refers to the manual visualization process in which a data manipulation engine allows the analyst to create data “views” from the human perspective and to perform the following categories of functions:
      1. Multidimensional analysis of the data across dimensions, through relationships (e.g., command hierarchies and transaction networks) and in perspectives natural to the analyst (rather than inherent in the data);
      2. Transformation of the viewing dimensions or slicing of the multidimensional array to view a subset of interest;
      3. Drill down into the data from high levels of aggregation, downward into successively deeper levels of information;
      4. Reach through from information levels to the underlying raw data, including reaching beyond the information base, back to raw data by the audit trail generated in genealogy checking;
      5. Modeling of hypothetical explanations of the data, in terms of trend analysis, extrapolations.
  • Refinement feedback. The analyst may refine the process, by adjusting the parameters that control the lower level processes, as well as requesting more or different data on which to focus the mining operations.
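The four data-cleansing checks listed above (uniformity, completeness, conformity, genealogy), as an added example that is not from the book. It uses the text's own total-versus-regions case; the record layout, field names, value range and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

REGIONS = {"north", "south", "east", "west"}   # assumed reference dimension
SALES_RANGE = (0.0, 1_000_000.0)               # assumed valid value range

# Constructed warehouse contents merged from several source databases.
RECORDS = [
    {"id": "r1", "quarter": "Q1", "region": "north", "sales": 120.0, "source": "s1"},
    {"id": "r2", "quarter": "Q1", "region": "south", "sales": 80.0, "source": "s1"},
    {"id": "r3", "quarter": "Q1", "region": "east", "sales": 150.0, "source": "s2"},
    {"id": "r4", "quarter": "Q1", "region": "west", "sales": 50.0, "source": "s2"},
    {"id": "r5", "quarter": "Q2", "region": "north", "sales": 130.0, "source": "s1"},
    {"id": "r6", "quarter": "Q2", "region": "south", "sales": -5.0, "source": "s3"},
    {"id": "r7", "quarter": "Q2", "region": "east", "sales": "n/a", "source": "s9"},
]
TOTALS = {"Q1": 400.0, "Q2": 500.0}            # stored aggregate values
SOURCES = {
    "s1": {"raw_ref": "feed-a/2003-01.csv"},
    "s2": {"raw_ref": "feed-b/2003-01.csv"},
    "s3": {"raw_ref": None},                   # source known, raw data not retained
}


def is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def uniformity_check(records):
    """Ids of records whose value has the wrong format or exceeds limits."""
    lo, hi = SALES_RANGE
    return [r["id"] for r in records
            if not is_number(r["sales"]) or not lo <= r["sales"] <= hi]


def completeness_check(records, totals):
    """Per aggregate: regions with no data, and totals that do not equal
    the sum of their components."""
    by_quarter = defaultdict(list)
    for r in records:
        by_quarter[r["quarter"]].append(r)
    problems = {}
    for quarter, total in totals.items():
        rows = by_quarter.get(quarter, [])
        issue = {}
        missing = sorted(REGIONS - {r["region"] for r in rows})
        if missing:
            issue["missing_regions"] = missing
        parts = sum(r["sales"] for r in rows if is_number(r["sales"]))
        if abs(parts - total) > 1e-9:
            issue["total_vs_sum"] = (total, parts)
        if issue:
            problems[quarter] = issue
    return problems


def conformity_check(records, sources):
    """Ids of records that reference a source or region that does not exist."""
    return [r["id"] for r in records
            if r["source"] not in sources or r["region"] not in REGIONS]


def genealogy_check(records, sources):
    """Build the audit trail aggregate -> record -> raw data, and list the
    records from which an analyst could not drill down to raw data."""
    trails, broken = defaultdict(list), []
    for r in records:
        raw = sources.get(r["source"], {}).get("raw_ref")
        if raw is None:
            broken.append(r["id"])
        else:
            trails[r["quarter"]].append((r["id"], raw))
    return dict(trails), broken


def cleanse_report(records, totals, sources):
    trails, broken = genealogy_check(records, sources)
    return {
        "uniformity": uniformity_check(records),
        "completeness": completeness_check(records, totals),
        "conformity": conformity_check(records, sources),
        "genealogy_broken": broken,
        "audit_trails": trails,
    }


if __name__ == "__main__":
    for check, result in cleanse_report(RECORDS, TOTALS, SOURCES).items():
        print(check, result)
```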

 

 

8.2.3 Integrated Data Fusion and Mining

In a practical intelligence application, the full reasoning process integrates the discovery processes of data mining with the detection processes of data fusion. This integration helps the analyst to coordinate learning about new signatures and patterns and apply that new knowledge, in the form of templates, to detect other cases of the situation. A general application of these integrated tools can support the search for nonliteral target signatures and the use of those learned and validated signatures to detect new targets [21]. (Nonliteral target signatures refer to those signatures that extend across many diverse observation domains and are not intuitive or apparent to analysts, but may be discovered only by deeper analysis of multidimensional data.)

The mining component searches the accumulated database of sensor data, with discovery processes focused on relationships that may have relevance to the nonliteral target sets. Discovered models (templates) of target objects or processes are then tested, refined, and verified using the data-fusion process. Finally, the data-fusion process applies the models deductively for knowledge detection in incoming sensor data streams.

8.3 Intelligence Modeling and Simulation

Modeling activities take place in externalization (as explicit models are formed to describe mental models), combination (as evidence is combined and compared with the model), and in internalization (as the analyst ponders the matches, mismatches, and incongruities between evidence and model).

While we have used the general term model to describe any abstract representation, we now distinguish here between two implementations made by the modeling and simulation (M&S) community. Models refer to physical, mathematical, or otherwise logical representations of systems, entities, phenomena, or processes, while simulations refer to those methods to implement models over time (i.e., a simulation is a time-dynamic model).

Models and simulations are inherently collaborative; their explicit representations (versus mental models) allow analytic teams to collectively assemble and explore the accumulating knowledge that they represent. They support the analysis-synthesis process in multiple ways:

  • Evidence marshaling. As described in Chapter 5, models and simulations provide the framework within which inference and evidence are assembled; they provide an audit trail of reasoning.
  • Exploration. Models and simulations also provide a means for analysts to be immersed in the modeled situation, its structure, and dynamics. It is a tool for experimentation and exploration that provides deeper understanding to determine necessary confirming or falsifying evidence, to evaluate potential sensing measures, and to examine potential denial and deception effects.
  • Dynamic process tracking. Simulations model the time-dynamic behavior of targets to forecast future behavior, compare with observations, and refine the behavior model over time. Dynamic models provide the potential for estimation, anticipation, forecasting, and even prediction (these words imply increasing accuracy and precision in their estimates of future behavior).
  • Explanation. Finally, the models and simulations provide a tool for presenting alternative hypotheses, final judgments, and rationale.

Chance favors the prepared prototype: models and simulations can and should be media to create and capture surprise and serendipity.

The table (8.5) illustrates independent models and simulations in all three domains; however, these domains can be coupled to create a robust model to explore how an adversary thinks (cognitive domain), transacts (e.g., finances, command, and intelligence flows), and acts (physical domain).

A recent study of the advanced methods required to support counter-terrorism analysis recommended the creation of scenarios using top-down synthesis (manual creation by domain experts and large-scale simulation) to create synthetic evidence for comparison with real evidence discovered by bottom-up data mining.

8.3.1 M&S for I&W

The challenge of I&W demands predictive analysis, where “the analyst is looking at something entirely new, a discontinuous phenomenon, an outcome that he or she has never seen before. Furthermore, the analyst only sees this new pattern emerge in bits and pieces.”

The tools monitor world events to track the state and time-sequence of state transitions for comparison with indicators of stress. These analytic tools apply three methods to provide indicators to analysts:

  1. Structural indicator matching. Previously identified crisis patterns (statistical models) are matched to current conditions to seek indications in background conditions and long-term trends.
  2. Sequential tracking models. Simulations track the dynamics of events to compare temporal behavior with statistical conflict accelerators in current situations that indicate imminent crises.
  3. Complex behavior analysis. Simulations are used to support inductive exploration of the current situation, so the analyst can examine possible future scenarios to locate potential triggering events that may cause instability (though not in prior indicator models).

A general I&W system architecture (Figure 8.7), organized following the JDL data-fusion structure, accepts incoming news feed text reports of current situations and encodes the events into a common format (by human or automated coding). The event data is encoded into time-tagged actions (assault, kidnap, flee, assassinate), proclamations (threaten, appeal, comment) and other pertinent events from relevant actors (governments, NGOs, terror groups). The level 1 fusion process correlates and combines similar reports to produce a single set of current events organized in time series for structural analysis of background conditions and sequential analysis of behavioral trends by groups and interactions between groups. This statistical analysis is an automatic target-recognition process, comparing current state and trends with known clusters of unstable behaviors. The level 2 process correlates and aggregates individual events into larger patterns of behavior (situations). A dynamic simulation tracks the current situation (and is refined by the tracking loop shown) to enable the analyst to explore future excursions from the present condition. By analysis of the dynamics of the situation, the analyst can explore a wide range of feasible futures, including those that may reveal surprising behavior that is not intuitive—increasing the analyst’s awareness of unstable regions of behavior or the potential of subtle but potent triggering events.

8.3.2 Modeling Complex Situations and Human Behavior

The complex behavior noted in the prior example may result from random events, human free will, or the nonlinearity introduced by the interactions of many actors. The most advanced applications of M&S are those that seek to model environments (introduced in Section 4.4.2) that exhibit complex behaviors—emergent behaviors (surprises) that are not predictable from the individual contributing actors within the system. Complexity is the property of a system that prohibits the description of its overall behavior even when all of the components are described completely. Complex environments include social behaviors of significant interest to intelligence organizations: populations of nation states, terrorist organizations, military commands, and foreign leaders [32]. Perhaps the grand challenge of intelligence analysis is to understand an adversary’s cognitive behavior to provide both warning and insight into the effects of alternative preemptive actions that may avert threats.

Nonlinear mathematical solutions are intractable for most practical problems, and the research community has applied dynamic systems modeling and agent-based simulation (ABS) to represent systems that exhibit complex behavior [34]. ABS research is being applied to the simulation of a wide range of organizations to assess intent, decision making and planning (cognitive), command and finances (symbolic), and actions (physical). The applications of these simulations include national policies [35], military C2 [36], and terrorist organizations [37].

9 The Intelligence Enterprise Architecture

The processing, analysis, and production components of intelligence operations are implemented by enterprises—complex networks of people and their business processes, integrated information and communication systems and technology components organized around the intelligence mission. As we have emphasized throughout this text, an effective intelligence enterprise requires more than just these components; the people require a collaborative culture, integrated electronic networks require content and contextual compatibility, and the implementing components must constantly adapt to technology trends to remain competitive. The effective implementation of KM in such enterprises requires a comprehensive requirements analysis and enterprise design (synthesis) approach to translate high-level mission statements into detailed business processes, networked systems, and technology implementations.

9.1 Intelligence Enterprise Operations

In the early 1990s the community implemented Intelink, a communitywide network to allow the exchange of intelligence between agencies that maintained internal compartmented networks [2]. The DCI vision for “a unified IC optimized to provide a decisive information advantage…” in the mid-1990s led the IC CIO to establish an IC Operational Network (ICON) office to perform enterprise architecture analysis and engineering to define the system and communication architectures in order to integrate the many agency networks within the IC [3]. This architecture is required to provide the ability to collaborate securely and synchronously from the users’ desktops across the IC and with customers (e.g., federal government intelligence consumers), partners (component agencies of the IC), and suppliers (intelligence data providers within and external to the IC).

The undertaking illustrates the challenge of implementing a mammoth intelligence enterprise that is comprised of four components:

  1. Policies. These are the strategic vision and derivative policies that explicitly define objectives and the approaches to achieve the vision.
  2. Operational processes. These are collaborative and operationally secure processes to enable people to share knowledge and assets securely and freely across large, diverse, and in some cases necessarily compartmented organizations. This requires processes for dynamic modification of security controls, public key infrastructure, standardized intelligence product markup, the availability of common services, and enterprisewide search, collaboration, and application sharing.
  3. System (network). This is an IC system for information sharing (ICSIS) that includes an agreed set of databases and applications hosted within shared virtual spaces within agencies and across the IC. The system architecture (Figure 9.1) defines three virtual collaboration spaces, one internal to each organization and a second that is accessible across the community (an intranet and extranet, respectively). The internal space provides collaboration at the Special Compartmented Intelligence (SCI) level within the organization; owners tightly control their data holdings (that are organizationally sensitive). The community space enables IC-wide collaboration at the SCI level; resource protection and control is provided by a central security policy. A separate collateral community space provides a space for data shared with DoD and other federal agencies.
  4. The enterprise requires the integration of large installed bases of legacy components and systems with new technologies. The integration requires definition of standards (e.g., metadata, markup languages, protocols, and data schemas) and the plans for incremental technology transitions.

9.2 Describing the Enterprise Architecture

Two major approaches to architecture design that are immediately applicable to the intelligence enterprise have been applied by the U.S. DoD and IC for intelligence and related applications. Both approaches provide an organizing methodology to assure that all aspects of the enterprise are explicitly defined, analyzed, and described to assure compatibility, completeness, and traceability back to the mission objectives. The approaches provide guidance to develop a comprehensive abstract model to describe the enterprise; the model may be understood from different views in which the model is observed from a particular perspective (i.e., the perspectives of the user or developer) and described by specific products that make up the viewpoint.

The first methodology is the Zachman Architecture Framework™, developed by John Zachman in the late 1980s while at IBM. Zachman pioneered a concept of multiple perspectives (views) and descriptions (viewpoints) to completely define the information architecture [6]. This framework is organized as a matrix of 30 perspective products, defined by the cross product of two dimensions:

  1. Rows of the matrix represent the viewpoints of architecture stakeholders: the owner, planner, designer, builder (e.g., prime contractor), and subcontractor. The rows progress from higher level (greater degree of abstraction) descriptions by the owner toward lower level (details of implementation) by the subcontractor.
  2. Columns represent the descriptive aspects of the system across the dimensions of data handled, functions performed, network, people involved, time sequence of operations, and motivation of each stakeholder.

Each cell in the framework matrix represents a descriptive product required to describe an aspect of the architecture.

 

This framework identifies a single descriptive product per view, but permits a wide range of specific descriptive approaches to implement the products in each cell of the framework:

  • Mission needs statements, value propositions, balanced scorecard, and organizational model methods are suitable to structure and define the owner’s high-level view.
  • Business process modeling, the object-oriented Unified Modeling Language (UML), or functional decomposition using Integrated Definition Models (IDEF) explicitly describe entities and attributes, data, functions, and relationships. These methods also support enterprise functional simulation at the owner and designer level to permit evaluation of expected enterprise performance.
  • Detailed functional standards (e.g., IEEE and DoD standards specification guidelines) provide guidance to structure detailed builder- and subcontractor-level descriptions that define component designs.

The second descriptive methodology is the U.S. DoD Architecture Framework (formerly the C4ISR Architecture Framework), which defines three interrelated perspectives or architectural views, each with a number of defined products [7]. The three interrelated views (Figure 9.2) are as follows:

    1. Operational architecture is a description (often graphical) of the operational elements, intelligence business processes, assigned tasks, workflows, and information flows required to accomplish or support the intelligence function. It defines the type of information, the frequency of exchange, and what tasks are supported by these information exchanges.
    2. Systems architecture is a description, including graphics, of the systems and interconnections providing for or supporting intelligence functions. The system architecture defines the physical connection, location, and identification of the key nodes, circuits, networks, and users and specifies system and component performance parameters. It is constructed to satisfy operational architecture requirements per standards defined in the technical architecture. This architecture view shows how multiple systems within a subject area link and interoperate and may describe the internal construction or operations of particular systems within the architecture.
    3. Technical architecture is a minimal set of rules governing the arrangement, interaction, and interdependence of the parts or elements whose purpose is to ensure that a conformant system satisfies a specified set of requirements. The technical architecture identifies the services, interfaces, standards, and their relationships. It provides the technical guidelines for implementation of systems upon which engineering specifications are based, common building blocks are built, and product lines are developed.

 

 

Both approaches provide a framework to decompose the enterprise into a comprehensive set of perspectives that must be defined before building; following either approach introduces the necessary discipline to structure the enterprise architecture design process.

The emerging foundation for enterprise architecting using framework models is distinguished from the traditional systems engineering approach, which focuses on optimization, completeness, and a build-from-scratch originality [11]. Enterprise (or system) architecting recognizes that most enterprises will be constructed from a combination of existing and new integrating components:

  • Policies, based on the enterprise strategic vision;
  • People, including current cultures that must change to adopt new and changing value propositions and business processes;
  • Systems, including legacy data structures and processes that must work with new structures and processes until retirement;
  • IT, including legacy hardware and software that must be integrated with new technology and scheduled for planned retirement.

The adoption of the architecture framework models and system architecting methodologies is developed in greater detail in a number of foundational papers and texts [12].

9.3 Architecture Design Case Study: A Small Competitive Intelligence Enterprise

The enterprise architecture design principles can be best illustrated by developing the architecture description for a fictional small-scale intelligence enterprise: a typical CI unit for a Fortune 500 business. This simple example defines the introduction of a new CI unit, deliberately avoiding the challenges of introducing significant culture change across an existing organization and integrating numerous legacy systems.

The CI unit provides legal and ethical development of descriptive and inferential intelligence products for top management to assess the state of competitors’ businesses and estimate their future actions within the current marketplace. The unit is not the traditional marketing function (which addresses the marketplace of customers) but focuses specifically on the competitive environment, especially competitors’ operations, their business options, and likely decision-making actions.

The enterprise architect recognizes the assignment as a corporate KM project that should be evaluated against O’Dell and Grayson’s four-question checklist for KM projects [14]:

  1. Select projects to advance your business performance. This project will enhance competitiveness and allow FaxTech to position and adapt its product and services (e.g., reduce cycle time and enhance product development to remain competitive).
  2. Select projects that have a high success probability. This project is small, does not confront integration with legacy systems, and has a high probability of technical success. The contribution of KM can be articulated (to deliver competitive intelligence for executive decision making), there is a champion on the board (the CIO), and the business case (to deliver decisive competitor knowledge) is strong. The small CI unit implementation does not require culture change in the larger FaxTech organization—and it may set an example of the benefits of collaborative knowledge creation to set the stage for a larger organization-wide transformation.
  3. Select projects appropriate for exploring emerging technologies. The project is an ideal opportunity to implement a small KM enterprise in FaxTech that can demonstrate intelligence product delivery to top management and can support critical decision making.
  4. Select projects with significant potential to build KM culture and discipline within the organization. The CI enterprise will develop reusable processes and tools that can be scaled up to support the larger organization; the lessons learned in implementation will be invaluable in planning for an organization-wide KM enterprise.

9.3.1 The Value Proposition

The CI value proposition must define the value of competitive intelligence.

The quantitative measures may be difficult to define; the financial return on CI investment measure, for example, requires a careful consideration of how the derived intelligence couples with strategy and impacts revenue gains. Kilmetz and Bridge define a top-level CI return on investment (ROI) metric that considers the time frame of the payback period ($t$, usually updated quarterly and accumulated to measure the long-term return on strategic decisions) and applies the traditional ROI formula, which subtracts the cost of the CI investment ($C_{CI+I}$, the initial implementation cost, plus accumulating quarterly operations costs using net present values) from the revenue gain [17]:

$$ROI_{CI} = \sum \left[ (P \times Q) - C_{CI+I} \right]_t$$

The expected revenue gain is estimated by the increase in sales (units sold, Q, multiplied by price, P, in this case) that are attributable to CI-induced decisions. Of course, the difficulty in defining such quantities is the issue of assuring that the gains are uniquely attributable to decisions possible only by CI information [18].

In building the scorecard, the enterprise architect should seek the lessons learned from others, using sources such as the Society for Competitive Intelligence Professionals or the American Productivity and Quality Center.

9.3.2 The CI Business Process

The Society of Competitive Intelligence Professionals has defined a CI business cycle that corresponds to the intelligence cycle; the cycle differs by distinguishing primary and published source information, while eliminating the automated processing of technical intelligence sources. The five stages, or business processes, of this high-level business model include:

  1. Planning and direction. The cycle begins with the specific identification of management needs for competitive intelligence. Management defines the specific categories of competitors (companies, alliances) and threats (new products or services, mergers, market shifts, technology discontinuities) for focus and the specific issues to be addressed. The priorities of intelligence needed, routine reporting expectations, and schedules for team reporting enable the CI unit manager to plan specific tasks for analysts, establish collection and reporting schedules, and direct day-to-day operations.
  2. Published source collection. The collection of articles, reports, and financial data from open sources (Internet, news feeds, clipping services, commercial content providers) includes both manual searches by analysts and active, automated searches by software agents that explore (crawl) the networks and cue analysts to rank-ordered findings. This collection provides broad, background knowledge of CI targets; the results of these searches provide cues to support deeper, more focused primary source collection.
  3. Primary source collection. The primary sources of deep competitor information are humans with expert knowledge; the ethical collection process includes the identification, contact, and interview of these individuals. Such collections range from phone interviews, formal meetings, and consulting assignments to brief discussions with competitor sales representatives at trade shows. The results of all primary collections are recorded on standard format reports (date, source, qualifications, response to task requirement, results, further sources suggested, references learned) for subsequent analysis.
  4. Analysis and production. Once indexed and organized, the corpus of data is analyzed to answer the questions posed by the initial tasks. Collected information is placed in a framework that includes organizational, financial, and product-service models that allow analysts to estimate the performance and operations of the competitor and predict likely strategies and planned activities. This process relies on a synoptic view of the organized information, experience, and judgment. SMEs may be called in from within FaxTech or from the outside (consultants) to support the analysis of data and synthesis of models.
  5. Reporting. Once approved by the CI unit manager, these quantitative models and more qualitative estimative judgments of competitor strategies are published for presentation in a secure portal or for formal presentation to management. As a result of this reporting, management provides further refining direction and the cycle repeats.

9.3.4 The CI Unit Organizational Structure and Relationships

This manager accepts tasking from executive management, issues detailed tasks to the analytic team, and then reviews and approves results before release to management. The manager also manages the budget, secures consultants for collection or analysis support, manages special collections, and coordinates team training and special briefings by SMEs.

9.3.5 A Typical Operational Scenario

For each of the five processes, a number of use cases may be developed to describe specific actions that actors (CI team members or system components) perform to complete the process. In object-oriented design processes, the development of such use cases drives the design process by first describing the many ways in which actors interact to perform the business process [22]. A scenario or process thread provides a view of one completed sequence through a single or numerous use case(s) to complete an enterprise task. A typical crisis response scenario is summarized in Table 9.3 to illustrate the sequence of interactions between the actors (management, CI manager, deputy, knowledge-base manager and analysts, system, portal, and sources) to complete a quick response thread. The scenario can be further modeled by an activity diagram [23] that models the behavior between objects.

The development of the operational scenario also raises nonfunctional performance issues that are identified and defined, generally in parametric terms, for example:

  • Rate and volume of data ingested daily;
  • Total storage capacity of the on-line and offline archived holdings;
  • Access time for on-line and off-line holdings;
  • Number of concurrent analysts, searches, and portal users;
  • Information assurance requirements (access, confidentiality, and attack rejection).

9.3.6 CI System Abstraction

The purpose of use cases and narrative scenarios is to capture enterprise behavior and then to identify the classes of object-oriented design. The italicized text in the scenario identifies the actors, and the remaining nouns are candidates for objects (instantiated software classes). From these use cases, software designers can identify the objects of design, their attributes, and interactions. Based upon the use cases, object-oriented design proceeds to develop sequence diagrams that model messages passing between objects, state diagrams that model the dynamic behavior within each object, and object diagrams that model the static description of objects. The object encapsulates state attributes and provides services to manipulate the internal attributes.

 

Based on the scenario of the last section, the enterprise designer defines the class diagram (Figure 9.7) that relates objects that accept the input CI requirements through the entire CI process to a summary of finished intelligence. This diagram does not include all objects; the objects presented illustrate those that acquire data related to specific competitors, and these objects are only a subset of the classes required to meet the full enterprise requirements defined earlier. (The objects in this diagram are included in the analysis package described in the next section.) The requirement object accepts new CI requirements for a defined competitor; requirements are specified in terms of essential elements of information (EEI), financial data, SWOT characteristics, and organization structure. In this object, key intelligence topics may be selected from predefined templates to specify specific intelligence requirements for a competitor or for a marketplace event [24]. The analyst translates the requirements to tasks in the task object; the task object generates search and collect objects that specify the terms for automated search and human collection from primary sources, respectively. The results of these activities generate data objects that organize and present accumulated evidence that is related to the corresponding search and collect objects.

The analyst reviews the acquired data, creating text reports and completing analysis templates (SWOT, EEI, financial) in the analysis object. Analysis entries are linked to the appropriate competitor in the competitor list and to the supporting evidence in data objects. As results are accumulated in the templates, the status (e.g., percentage of required information in template completed) is computed and reported by the status object. Summary of current intelligence and status are rolled up in the summary object, which may be used to drive the CI portal.
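The object flow described above, from requirement through task, search/collect, data, analysis and status to summary, sketched as an added Python example (not code from the book). The template slot names, field names and the sample competitor are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Template slots per category (constructed for this sketch, not taken from the book).
TEMPLATES = {"SWOT": ["strengths", "weaknesses", "opportunities", "threats"],
             "EEI": ["new_products", "pricing"], "financial": ["revenue", "margin"]}

@dataclass
class Requirement:            # CI requirement for one defined competitor
    competitor: str
    categories: list          # templates to complete, e.g. ["SWOT", "EEI"]

@dataclass
class Data:                   # evidence produced by a search or collect object
    origin: str               # "search" (published source) or "collect" (primary source)
    source: str
    content: str

@dataclass
class Task:                   # the analyst's translation of a requirement
    requirement: Requirement
    search_terms: list
    contacts: list

    def run(self, search_fn, collect_fn):  # both activities yield origin-tagged data
        data = [Data("search", src, text)
                for term in self.search_terms for src, text in search_fn(term)]
        return data + [Data("collect", c, collect_fn(c)) for c in self.contacts]

@dataclass
class Analysis:               # template entries, each linked to supporting evidence
    requirement: Requirement
    entries: dict = field(default_factory=dict)

    def enter(self, category, slot, text, evidence):
        if category not in self.requirement.categories or slot not in TEMPLATES[category]:
            raise KeyError(f"{category}/{slot} is not part of this requirement")
        if not evidence:
            raise ValueError("an analysis entry must link to supporting data objects")
        self.entries[(category, slot)] = (text, list(evidence))

    def status(self):         # status object: percent of required slots completed
        filled = [c for c, _ in self.entries]
        return {c: round(100 * filled.count(c) / len(TEMPLATES[c]))
                for c in self.requirement.categories}

def summary(analyses):        # summary object: roll-up that could drive the CI portal
    return {a.requirement.competitor: a.status() for a in analyses}

def demo():                   # constructed inputs: names, sources and findings are made up
    req = Requirement("ExampleCompetitor", ["SWOT", "EEI"])
    task = Task(req, ["ExampleCompetitor pricing"], ["trade-show sales representative"])
    data = task.run(lambda t: [("news-feed", f"article on {t}")], lambda c: f"notes from {c}")
    analysis = Analysis(req)
    analysis.enter("SWOT", "strengths", "broad dealer network", data[:1])
    analysis.enter("EEI", "pricing", "discount planned", data[1:])
    return data, summary([analysis])
```

Rejecting an entry that has no linked data object keeps every judgment in the summary traceable to its evidence, which is the link between analysis and data objects that the text describes.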

9.3.7 System and Technical Architecture Descriptions

The abstractions that describe functions and data form the basis for partitioning packages of software services and the system hardware configuration. The system architecture description includes a network hardware view (Figure 9.8, top) and a comparable view of the packaged software objects (Figure 9.8, bottom).

The enterprise technical architecture is described by the standards for commercial and custom software packages (e.g., the commercial and developed software components with versions, as illustrated in Table 9.4) to meet the requirements developed in the system model row of the matrix. Fuld & Company has published periodic reviews of software tools to support the CI process; these reviews provide a helpful evaluation of available commercial packages to support the CI enterprise [25]. The technical architecture is also described by the standards imposed on the implementing components—both software and hardware. These standards include general implementation standards [e.g., American National Standards Institute (ANSI), International Standards Organization (ISO), and Institute of Electrical and Electronics Engineers (IEEE)] and federal standards regulating workplace environments and protocols. The applicable standards are listed to identify applicability to various functions within the enterprise.

A technology roadmap should also be developed to project future transitions as new components are scheduled to be integrated and old components are retired. It is particularly important to plan for integration of new software releases and products to assure sustained functionality and compatibility across the enterprise.

10 Knowledge Management Technologies

IT has enabled the growth of organizational KM in business and government; it will continue to be the predominant influence on the progress in creating knowledge and foreknowledge within intelligence organizations.

10.1 Role of IT in KM

When we refer to technology, the application of science by the use of engineering principles to solve a practical problem, it is essential that we distinguish among three categories of technologies that all contribute to our ability to create and disseminate knowledge (Table 10.1). We may view these as three technology layers, with the basic computing materials sciences providing the foundation technology applications for increasing complexity and scale of communications and computing.

10.4.1 Explicit Knowledge Combination Technologies

Future explicit knowledge combination technologies include those that transform explicit knowledge into useable forms and those that perform combination processes to create new knowledge.

  • Multimedia content-context tagged knowledge bases. Knowledgebase technology will support the storage of multimedia data (structured and unstructured) with tagging of both content and context to allow comprehensive searches for knowledge across heterogeneous sources.
  • Multilingual natural language. Global natural language technologies will allow accurate indexing, tagging, search, linking, and reasoning about multilingual text (and recognized human speech) at both the content level and the concept level. This technology will allow analysts to conduct multilingual searches by topic and concept at a global scale.
  • Integrated deductive-inductive reasoning. Data-fusion and data-mining technologies will become integrated to allow interactive deductive and inductive reasoning for structured and unstructured (text) data sources. Data-fusion technology will develop level 2 (situation) and level 3 (impact, or explanation) capabilities using simulations to represent complex and dynamic situations for comparison with observed situations.
  • Purposeful deductive-inductive reasoning. Agent-based intelligence will coordinate inductive (learning and generalization) and deductive (decision and detection) reasoning processes (as well as abductive explanatory reasoning) across unstructured multilingual natural language, common sense, and structured knowledge bases. This reasoning will be goal-directed based upon agent awareness of purpose, values, goals, and beliefs.
  • Automated ontology creation. Agent-based intelligence will learn the structure of content and context, automatically populating knowledge bases under configuration management by humans.

 

10.4.3 Knowledge-Based Organization Technologies

Technologies that support the socialization processes of tacit knowledge exchange will enhance the performance and effectiveness of organizations; these technologies will increasingly integrate intelligence agents into the organization as aids, mentors, and ultimately as collaborating peers.

  • Tailored naturalistic collaboration. Collaboration technologies will provide environments with automated capabilities that will track the context of activities (speech, text, graphics) and manage the activity toward defined goals. These environments will also recognize and adapt to individual personality styles, tailoring the collaborative process (and the mix of agents-humans) to the diversity of the human-team composition.
  • Intimate tacit simulations. Simulation and game technologies will enable human analysts to be immersed in the virtual physical, symbolic, and cognitive environments they are tasked to understand. These technologies will allow users to explore data, information, and complex situations in all three domains of reality to gain tacit experience and to be able to share the experience with others.
  • Human-like agent partners. Multiagent system technologies will enable the formation of agent communities of practice and teams—and the creation of human-agent organizations. Such hybrid organizations will enable new analytic cultures and communities of problem-solving.
  • Combined human-agent learning. Personal agent tutors, mentors, and models will shadow their human partners, share experiences and observations, and show what they are learning. These agents will learn to monitor subtle human cues about the capture and use of tacit knowledge in collaborative analytic processes.
  • Direct brain tacit knowledge. Direct brain biological-to-machine connections will allow monitors to provide awareness, tracking, articulation, and capture of tacit experiences to augment human cognitive performance.

10.5 Summary

KM technologies are built upon materials and ITs that enable the complex social (organizational) and cognitive processes of collaborative knowledge creation and dissemination to occur over large organizations, over massive scales of knowledge. Technologists, analysts, and developers of intelligence enterprises must monitor these fast-paced technology developments to continually reinvent the enterprise to remain competitive in the global competition for knowledge. This continual reinvention process requires a wise application of technology in three modes. The first mode is the direct adoption of technologies by upgrade and integration of COTS and GOTS products. This process requires the continual monitoring of industry standards, technologies, and the marketplace to project the lifecycle of products and forecast adoption transitions. The second application mode is adaptation, in which a commercial product component may be adapted for use by wrapping, modifying, and integrating with commercial or custom components to achieve a desired capability. The final mode is custom development of a technology unique to the intelligence application. Often, such technologies may be classified to protect the unique investment in, the capability of, and in some cases even the existence of the technology.

Technology is enabling, but it is not sufficient; intelligence organizations must also have the vision to apply these technologies while transforming the intelligence business in a rapidly changing world.