Communication is key in intelligence activities.

On the one hand, it is essential to transfer to a number of recipients the knowledge coming from information acquisition and analysis (“intelligence communication”); on the other hand, it is crucial to understand and control the communication connected with the activities carried out (“communication intelligence”).

As to current events, the inclusion of pandemic phenomena among major global threats is a normal (and not new) practice for intelligence analysts. Watchful intelligence operators have been long communicating – in strategic documents – the possible outbreak of a pandemic. The outbreak and its consequences were predictable and to some extent they were predicted, at least as a non-specific threat. There is not always a follow-up to strategic communications, as priority is usually given to tactical communications. Regardless of the content. Tactical measures involve less exposure than strategic ones: Decision-makers are reluctant to rely on long-term plans and forecasts.

Spies

In other words, it’s like the finger pointing to the moon. Predicting phenomena and not being heard is not a good job. Cassandra’s curse. The discrepancy between intelligence communication and use of the communicated intelligence is a long-standing problem. This is even more true for cyber intelligence.

Some definitions could help out to frame the theme. To communicate means to share information with others by speaking, writing or using other signals. In this context, it refers to share intelligence and to master communication about intelligence. The term cyber refers, by and large, to the virtual world of ICT, the Internet and computers. Cyber intelligence is a subset of intelligence. Intelligence, in our domain, refers to “information that has been collected, integrated, evaluated, analyzed, and interpreted”. Such information ought to be shared. And used. Both these steps involve a sound process of communication.

The current cyber threat landscape is characterized by a growing range of threats with an increasing level of sophistication: The threat scenario shows a high degree of interconnection, that keeps on enlarging the attack surface. Due to the instantaneous and asymmetric nature of threats, it is essential to share real-time information about them (and about the related threat actors), in order to prevent cyber-attacks and to mitigate the risk of exposure.

One of the most insidious aspects of intelligence communication is analyzing heterogeneous data coming from different sources: It is important to boost capabilities to aggregate only relevant information so as to provide finished intelligence to decision makers.

The ultimate goal of the process is building a model for each threat, by profiling threat actors and developing effective countermeasures to improve the overall resilience of infrastructures.

Classical theories about communication cannot utterly fit to the intelligence sphere: Communicating bad news or threat scenarios has little to do with marketing, persuasion and sales techniques. Even if one could have recourse, to a certain extent, to some of these techniques.

Intelligence deals with secrets: Notwithstanding, it is now getting increasingly public. Intelligence services used to mainly operate in the dark, often away from the media and the public (when they managed to do that).

The global growth of the Internet and cyberspace have amplified the need for intelligence operators to go public and to communicate both internally and externally.

As far as intelligence communication is concerned, one of the fundamental aspects of the intelligence cycle consists in condensing complex analysis and investigations into concise and exhaustive outputs.

This step is essential to convey the results of cyber intelligence investigations – which are technical and detailed per se– into clear and concrete information. Top management officers should have actionable intelligence at their disposal: Timely and accurate information, which allows them to make decisions and initiate effective actions. Communication is as important as analysis: A bad one could nullify any analysis effort.

Intelligence communication is also extremely important to set the strategic direction to be followed in technical, tactical and operational cyber intelligence activities. Position papers and documents ought to serve this purpose.

Finally, it is crucial to strengthen and to develop an information network for the exchange of cyber intelligence information, through direct relationships with relevant institutional and private counterparts.

Information sharing aims at building a network of entities (i.e. individuals, security researchers, organizations, and businesses) that could gather and exchange information about cyber threats.

As reported by the ENISA, one of the most important aspect for cyber security is information sharing at national and transnational level. The European agency recommends that the knowledge on cyber-attacks, incident response procedures, mitigation measures and preparatory controls ought to be shared between relevant stakeholders. With reference to cyber intelligence, information sharing activities are crucial.

A study on Cooperative Models for Information Sharing and Analysis Centers (ISACs), published by the ENISA in 2017, proposes specific patterns for information sharing and good practices about physical and cyber threats, including mitigation. The report categorized the most common approaches in three different models: The country focused, the sector specific and the international structures.

An effective information sharing process also depends on the quality of the information shared among entities: Data must be provided in a readable and understandable way and have to obey an applicable taxonomy in compliance with the sharing initiative.

Another aspect to consider is the need to sustain the information sharing among public and private industries, even if entities involved in the process of creating ISACs have different motivations.

Diagram

Figure 1 – : Reasons for the creation of ISACs (ENISA)

With reference to intelligence communication, some problems could derive from the “balkanization” of the intelligence activities. Although some powers remain exclusive prerogative of intelligence agencies, information collection and analysis activities – especially in the cyber domain – are now also performed by private organizations and other administrative institutions. Carrying out intelligence activities within administrative institutions involves a set of snags related to pre-existing schemes and procedures, designed for other kind of activities. A failure in communication patterns and information sharing between public and private actors could bring about several glitches, so jeopardizing the entire ecosystem.

In addition to intelligence communication – that takes place downstream of the collection of information and analysis – communication intelligence is also crucial.

“PSYOP” and “INFOP” are certainly well-known practices. New tools and techniques are daily used by individuals and threat actors to spread disinformation. Terms like trolls, fake news, narrative, deep fakes and echo-chambers are becoming more and more popular, even if the rationale behind these actions has been standing for millennia.

Armies around the world have conducted systematic PSYOP on multiple occasions. For example, during World War I, the US Captain Heber Blankenhorn established (in the War Department) the Propaganda Subsection, that was specifically tasked on carrying out Psychological Operations. At the time, over 50 million leaflets were delivered in modified artillery shells and leaflet bombs dropped from airplanes on enemy units on the Western Front.

The current scenario – and future trends are likely to get more tricky – is mainly complicated by hybrid war phenomena and by the interconnection of increasingly complex threats. The cyber domain simply boosts these features.

Over the years things changed, threat actors (and among these, of course, state entities) use social networks and instant messaging applications to influence the sentiment of public opinion on specific topics: Psychological operations are nowadays immediate and could be carried out on a global scale.

The most relevant – and partly new – element is that the communicative component becomes intrinsically connected to intelligence activities. It is no longer just an ancillary tool.

Public events (at least until the current emergency situation and social distancing) with speeches delivered by intelligence agencies’ top management – sometimes even jointly (see the case of the Five Eyes) – are a relatively new fact as well.

Deterrence, propaganda, awareness, information, public service, recruitment, cooperation and research are just few of the purposes for which intelligence operators come out into the open. These purposes – that mainly affect the so called “institutional communication” – are pursued by an array of means: Institutional websites, social networks accounts, sector magazines et cetera. These media respond to different audiences, but they are often tightly intertwined.

As far as “strategic communication” is concerned, communications units deal with the dissemination of strategic messages to a gamut of internal and external stakeholders, from management to technical units, from community to constituency, from media to the general public.

As to communication intelligence itself, controlled and voluntary data leaks are powerful weapons for the intelligence agencies: The use of true, false, distorted or manipulated information (or a simultaneous mix of these kinds of information) to influence public opinion and/or to force decision makers is frequent. On the opposite side, insider threats, unexpected and uncontrolled leaks are always lurking (whistleblowers like Edward Snowden, Bradley Manning and Joshua Adam Schulte are just prominent examples). At present, these aspects do not only concern intelligence agencies, given the increase in intelligence and cyber intelligence activities performed by other institutions and private companies.

Cyber intelligence and communication intelligence are fundamental tools for analyzing, understanding and controlling the threat scenario’s emergent behaviors. Adaptation and evolution ought to be the preferred drivers to cope with the external complex context.

Regardless of the origin of the virus and its phylogeny, the ongoing pandemic is changing the global financial, economic, technological, psychological and social scenarios. Geopolitical confrontation becomes more severe in some geostrategic regions. Some states will benefit from this emergency situation, others will be disadvantaged. Communication and information war will have an increasing clout. Mastering communication is – and will be more and more in the future – a tantalizing mantra for both private organizations and institutions. The above considerations apply to both democratic governments and totalitarian regimes.

The Original Paper containing the reference is available here:

https://securityaffairs.co/Downloads/Paganini_Giannetto_Cyber%20Intelligence.pdf

About the Authors: Boris Giannetto and Pierluigi Paganini

Boris Giannetto works in the Bank of Italy’s CERT and deals with cyber intelligence. He has the role of ha ndling communication initiatives on this topic. His expertise is focused on strategic analysis and positioning. He worked on cyber resilience and held the role of expert for operational risk; for a short period he was employed at the Italian FIU (UIF). He used to work for some years for Telecom Italia S.p.A. (TIM) – Public & Regulatory Affairs, on regulatory strategy and public policy. Professional experiences in the private sector, Legal and Foreign Affairs. Background in Institutions such as MAECI-UN-ODC, Italian Parliament, and UN-ICRI, with a focus on security issues. He graduated cum Laude in International Political Science at La Sapienza in Rome, with a thesis about regulation and electronic communications; classical high school diploma with full marks; he speaks several languages. He published papers and articles at national and international level and attended as a speaker various events and summits (most recently ITASEC 202