By Dr. David James Kritz  |  11/27/2024


Imagine a scenario where an unusual event happens, but you don’t fully understand its significance or the potential consequences. Soon, more signs emerge that suggest suspicious or even nefarious activities are happening, and then reports begin to warn of a possible danger.

Now, picture a different situation. Perhaps an action initially reported as dangerous turns out to be a false alarm or the same action goes unreported.

Finally, imagine a policymaker who receives warnings of danger but chooses not to act on them.

What are the implications of each scenario in terms of threat intelligence and intelligence management, and how can timely warnings, mitigations, or threat intelligence tools help prevent future attacks?


Understanding Threat Intelligence: The Role of Indications and Warnings

The U.S. Intelligence Community is charged with not only focusing on threats facing our nation but also finding opportunities to expose them. To achieve these goals, analyses are conducted at the strategic level to wade through uncertainty and help policymakers make more informed decisions about threats and threat actors.

For example, analysts must analyze phenomena ranging from various nation-state and non-state threat actors to transnational issues, as well as weapons of mass destruction and other disruptive technologies. To support an analysis, analysts on security teams use structured frameworks and analytic techniques to conduct a thorough assessment of threat data.

Theoretical frameworks and security controls help us learn from historical events in order to better understand the present and forecast future events with greater accuracy. While forecasts may be helpful, they seldom rise to the level of accurate predictions. Similarly, while intelligence analysts use analytic techniques and provide their best judgment with the available information, they are not fortune tellers.


Modern Threat Intelligence

In the modern era, threat intelligence must include initiatives such as cyber threat intelligence programs. These types of intelligence programs are crucial to enable security teams and organizations to detect and respond to cyber threats effectively.

Cyber attacks are becoming increasingly sophisticated and relentless, with attackers continually adapting their methods to exploit vulnerabilities across digital infrastructures. Also, intelligence analysts must take more cyber threat intelligence indicators into consideration, such as messages posted on social media sites.

Unfortunately, we live in a world of probabilities, not certainties. Former U.S. Secretary of Defense Donald Rumsfeld stated that we “live in a world defined by surprise and uncertainty.”

For example, unexpected events or threats, also known as “strategic surprises,” can cause intelligence failures. One example would be the attack on Pearl Harbor that drew the U.S. into WWII.

The complexity and the amount of information available to analysts can grow over time. Intelligence professionals providing warnings and indications can prevent intelligence failures, which can potentially save lives.


The Threat Intelligence Lifecycle

The U.S. Intelligence Community's intelligence process has five major phases, collectively known as the threat intelligence lifecycle. These phases are:

  • Planning
  • Collection
  • Processing
  • Analysis
  • Dissemination

Indications and warnings are a subset within the analysis phase and are often referred to as warning analysis at the strategic level.

Indications and warnings are two separate activities that alert decision makers that an attack is likely to occur or has commenced.


Recognizing Indicators: Signals and Patterns in Intelligence

The concept of deriving insights from threat indicators largely came from Cynthia Grabo, a Defense Intelligence Agency analyst and writer. Indicators can take various forms, such as artifacts (computer files or photos) or behaviors (such as a group of terrorists purchasing the materials needed to make a bomb).

There may be a single threat indicator (such as the police catching a truck driver transporting a bomb) or several indicators. Threat actors may act separately or simultaneously.

Indications may be a general proposition or factual evidence. For example, an adversary’s media reports say that missile testing may occur within the year (general proposition). Later, media images from the adversary’s country depict the fueling of missiles on a launch pad (factual evidence).

Indicators of a threat may be the absence, or an increase, of something usually present; such information can be obtained from human observers and geospatial intelligence analysis. This information can then be used by security personnel to counter potential threats.

For instance, imagine that intelligence analysts receive images that depict submarines missing from their base for weeks. The absence of these submarines is an anomaly and a potential indicator that an attack will occur in the future.

Similarly, German forces mobilizing and deploying along the Russian border during WWII was an indicator that Hitler planned to attack Stalin. In this instance, Stalin ignored the indications and warnings provided by the United States.

Threat indications may also include diplomatic actions. For instance, the families of diplomats from several countries were told to leave Ukraine before Russia’s invasion. Another example is the deployment of North Korean military forces to Ukraine in order to support Russia.


Strategic Warnings: Early Alerts to Emerging Threats

“Strategic warnings” or "strategic threat intelligence" warn decision makers of emerging threats and opportunities that require their immediate attention and action. Unlike routine intelligence updates, a strategic warning focuses on risks that pose a serious threat to national security or key interests, such as military aggression, economic instability, or large-scale cyber attacks.

The purpose of a strategic warning is to ensure that policymakers fully grasp the severity of these threats. The strategic warning also clears up any assumptions or misunderstandings that could stand in the way of an effective and informed response.

In contrast to “tactical threat intelligence,” strategic warnings need to occur prior to the commencement of an attack and should be intended to surprise decision makers. Unlike traditional intelligence analysis that is screened multiple times and “polished” with feedback and editing prior to briefing Intelligence Community customers, these warnings should be delivered almost instantaneously. Otherwise, they may be ineffective.

By their nature, strategic warnings are complex. They are often mired in misinformation, disinformation, propaganda, denial, and deception.

One example of strategic deception is Operation Anadyr. The Soviet Union transported missiles to Cuba in the early 1960s, but it deceived the U.S. Intelligence Community into thinking that Russian forces were being deployed to the Arctic region.

Cold-weather clothing and other winter equipment were distributed to troops, and low-level Soviet commanders were told to anticipate a strategic exercise in the far north of Russia. As a result of these activities and other surreptitious movements, U.S. intelligence agents were fooled into thinking that the USSR intended to conduct military activities at home, when in fact the Soviets were transporting missiles to Cuba with Cuba’s cooperation.

However, the Director of Central Intelligence, John McCone, warned the newly appointed Kennedy administration of the potential weapon shipment and deployment. While the U.S. refers to this 13-day period as the Cuban Missile Crisis, the Soviet Union refers to it as the Caribbean Crisis, which in reality lasted 59 days. It was not until more than a month after the suspicious activities began that the U.S. finally picked up on the threat and went into crisis mode.


Analyzing Strategic Surprise: Lessons from Historic Oversights

As intelligence professionals search for facts within available information, indications come in various forms. The challenge, however, is disseminating intelligence to Intelligence Community customers in a timely, accurate manner.

That’s why it is so important for threat indications to be checked for accuracy and validity or else strategic surprises may occur. Strategic surprise can be defined as an emotional or cognitive state from an unanticipated action that threatens a nation’s survival, such as a surprise attack.

When threat indications cannot be masked by denial and deception, one tactic is to increase disinformation. Intelligence practitioners commonly refer to this increase in disinformation as “noise.” Noise can mask valuable information or the threat signal itself.

The terrorist events that occurred on 9/11 are an example of strategic surprise, and the U.S. Intelligence Community received blame for its inability to anticipate the attack. Stating a threat may occur is not good enough when it comes to defending our nation. Specific questions that cover the who, what, where, when, why, and how must be addressed by security professionals.


Terrorism Warnings: Assessing Modern Threats and Preparedness

The Annual Threat Assessment of the U.S. Intelligence Community depicts global terrorism as a major threat. Unfortunately, global terrorism is not a new phenomenon.

A surprise attack on the Marine barracks in Beirut, Lebanon, killed 241 U.S. servicemembers in 1983. An investigation after the attack determined that indicators of the threat had gone unnoticed.

Interestingly, research from intelligence expert Erik Dahl states that information technology can inhibit analysts and decision makers by overwhelming them with too much information to sort through. However, newer technology such as artificial intelligence and machine learning may help security professionals mitigate the increasing complexity of threats.

Learning from previous research and case studies, the application of indications and warnings can mitigate terrorist operations, save lives, and reduce the spread of fear.


Improving Threat Detection: New Approaches in Indications and Warnings

The most significant obstacle to greater accuracy of threat detections may be how we think about threat indications and warnings. The Intelligence Community places a disproportionate amount of emphasis on current intelligence over long-term indications and warning analyses.

As a result, the responsibility for indications and warnings is often treated as an additional duty or an afterthought, and the work is sometimes not conducted as a formal process.

Indications and warnings are activities primarily considered as everyone’s responsibility. However, this approach is flawed and dangerous.

When an activity such as threat monitoring is labeled as everyone’s responsibility, it is unlikely that anyone does it consistently well. With this approach, surprise events and intelligence failures can occur. Intelligence gaps need to be identified to preempt future attacks.


The Relationship between Analysts and Policymakers

There is often some tension between policymakers and intelligence analysts. This tension can be mitigated with the establishment of trust and reliable intelligence to ensure more informed security decisions.

Former deputy secretary of state for President Obama and former deputy assistant secretary of state for Intelligence and Research James Steinberg said: “Policymakers look to the Intelligence Community to uncover the facts that will help them achieve their goals. Contrary to the views of some critics, most policymakers do not resist bad news if it is reliable and timely, because they know they cannot succeed by sticking their heads in the sand and pretending that adverse developments will go away if they simply ignore or dismiss them.

“But often policymakers feel that the Intelligence Community views its mission as solely being the bearer of bad news or ‘warning’ – that is, telling the policy community about all the obstacles to achieving their objectives, rather than identifying opportunities and how to make the best of the situation to achieve them. Yet for many analysts such a role is tantamount to ‘supporting’ the policy and thus violating the most sacred canon of analytic objectivity and policy neutrality.”


Developing Long-Term Threat Strategies

The Intelligence Community can enhance its effectiveness in conducting strategic intelligence by developing long-term practitioners and refining its tactics, techniques, and procedures. A way to accomplish these goals is by forming threat intelligence and cyber threat intelligence programs.

For instance, a dedicated threat intelligence team could be built to gain a deeper understanding of advanced persistent threats and to analyze and assess the threat landscape. Activities for such a team would include threat data collection and tracking threat actors, as well as activities relating to tactical intelligence, strategic intelligence, and operational threat intelligence.


Building Trust in Intelligence: Effective Communication and Action

When threat indicators are apparent and warnings are given to Intelligence Community customers, those warnings need to be promptly acted upon to ensure policy success and avert intelligence and policymaker failures. Policymakers need to trust intelligence professionals, accepting their warnings without considering them an inconvenience.


Intelligence Studies Programs at American Military University

For adult learners interested in pursuing opportunities in areas such as cyber threat intelligence, operational threat intelligence, strategic threat intelligence or tactical threat intelligence, American Military University (AMU) offers several degree programs:

Courses in these programs include threat analysis, critical analysis, intelligence collection, international relations, ethical challenges in the Intelligence Community, and indications and warnings. Other courses include a capstone course in intelligence studies and big data and social media analysis.

Courses in these programs also place an emphasis on developing useful skills such as critical thinking and accurate intelligence analysis. These courses are taught by experienced professionals with a high degree of expertise in the intelligence field.

For more information, visit AMU’s intelligence degree program page.


About The Author
Dr. David J. Kritz, DBA, is the assistant department chair of intelligence studies and an associate professor for the School of Security and Global Studies at American Military University. He holds a bachelor's degree in criminal justice from the University of Wisconsin, Oshkosh; a master's degree in international relations from Troy University; and a doctorate in business administration from Walden University. Also, Dr. Kritz is the assistant editor for the American Intelligence Journal, serves on dissertation committees, and teaches master's and doctoral students in classes that focus primarily on intelligence, national security, and research design.
