We are entering an age of persistent engagement with our adversaries in order to keep ourselves safe. Those adversaries mean our societies harm, be they the autocrats that control undemocratic states, terrorists, proliferation networks, hackers, narcotics traffickers, people smugglers and other organised criminal gangs. They have in common that their activities directly affect our citizens and that increasingly they are carried out online. The first responsibility of government must be to protect society from such harms. As I describe in this article, that will place new demands on our intelligence communities.
We face a variety of threats requiring responses every day across all the five operational domains of modern conflict: land, sea, air, space, cyber – six domains if we include information, which I add to emphasise the way that achieving information dominance plays an analogous part today to that played by air superiority in conventional armed conflict.
During my many years in the Ministry of Defence in London during the Cold War, we planned and exercised with our Norwegian and other NATO allies to deter the most serious of threats, armed attack by the Soviet Union on the NATO area. We need to continue to send out that strong confident deterrent message, to whomsoever it concerns: don’t miscalculate and even think of starting down that road against NATO territory. I am confident that today Russia sees the option of deliberate armed aggression against NATO territory as closed off by NATO’s defence and deterrence strategy and capability. But we all know that today State aggression continues below the level of armed conflict and we know that international criminal groups acting for financial gain are well organised and resourced and are targeting our societies. The defence, intelligence, security and law enforcement capabilities of the democracies are therefore locked in a ‘peacetime’ persistent struggle against those who pose a threat to our societies.
This means we have to organise ourselves to combat our adversaries in what has been called ‘the grey zone’, lying between the light of true peace and the dark of major armed conflict. The common factor affecting both the threats and our responses in each dimension of grey zone operations is the power of digital information. If our adversaries have information advantage then they are able to penetrate our defences, steal our secrets and our resources, whether intellectual property or money, interfere with our critical infrastructure, and inject false and deceptive narratives into the consciousness of our public reducing public confidence in the authorities. We are inevitably exposed to such attacks by our openness as democratic societies and by the characteristics of the Internet including the inherent anonymity it allows its users. To prevent our adversaries acquiring such information advantage means therefore possessing the intelligence capability to uncover what is going on and then having the integrated capabilities to manage the risk they pose. It may be possible to neutralise their hostile activities and bring those responsible to justice, or at least raise the price the adversary must pay for conducting such operations.
My acronym for these threats is the CESSPIT: Crime, Espionage, Sabotage and Subversion Perverting Internet Technology. Crime, like North Korea in 2016 manipulating the SWIFT inter-banking system to try to steal over $950m. Espionage, like China hacking into the US Office of Personnel Management to steal the identities and vetting records of American public servants. Sabotage, like Russia hacking into the Kiev electricity system to turn off the supply to the civilian population. Subversion, like the Russian covert influence operations on US and European electorates, distracting our governments and widening divisions within our societies.
That line of analysis about conflict in the grey zone is the jumping off point for the Integrated Operating Concept for 2025 that has recently been introduced for UK defence by General Sir Nicholas Carter, Chief of Defence[i]. As he writes, ‘What is changing is the character of warfare, which is evolving significantly due to the pervasiveness of information and the pace of technological change’. To give effect to the concept, the UK now has a new Strategic Command, that includes control of Special Forces and a joint UK Cyber Force being created to engage in cyber operations, the latter a joint responsibility with GCHQ, the UK’s digital intelligence and cyber security organisation. The key to the new operating concept is the recognition that competition and conflict in the Grey Zone are ever-present in today’s world. We cannot simply wait passively to consider responses after our adversaries have made their moves. We must engage with them day to day to raise the level of difficulty and cost to them.
We will therefore certainly need to get smarter at using our intelligence capabilities to reduce our ignorance of what is happening in the grey zone that can threaten our interests. If we are to have effective evidence-based and legally justified responses, we will also need to know how our adversaries in turn are reading our response to their cyber exploits, and to our persistent engagement with them in cyberspace. That is a big ask for our intelligence communities, and it demands new partnerships with civilian departments and agencies and the private sector, as well as with our NATO allies. The use of the word ‘integrated’ in the UK Integrated Operating Concept is significant in that respect. The information domain may be at the heart of modern defence, but it is not the sole responsibility of the Armed Services or the Ministry of Defence. Tackling digital subversion will have to be an all-of-nation effort. In effect, a modern version of total defence, of course an approach very familiar to Norwegian readers.
Countering digital subversion was not a task that a few years ago our intelligence communities would have expected to have to address. The experience of the 2016 US Presidential Election demonstrated how, to the surprise of the US intelligence community, a foreign state, Russia, could covertly intervene in the domestic democratic process of their nation to try to obtain an outcome that Moscow believed would help secure its interests. Such activity must be expected to continue, and we must expect more nations with an interest in influencing our domestic opinion to try to use these techniques of digital subversion.
In my recent book, How Spies Think: 10 Lessons in Intelligence[ii], I have analysed this phenomenon of digital subversion and the threat it poses to our democracy itself. To help counter the rising tide of half-truths and emotional distortions that seek to persuade us online of what we ought to think and want, I argue for a return to greater emphasis on rational analysis and all-source assessment to support decision making. That then allows exposure and countering of the downright falsehoods and deceptions we are being fed, and not just coming from Russia, aimed at widening divisions in society and increasingly setting us at each other’s throats.
I used to run GCHQ and spent seven years as a member of Britain’s Joint Intelligence Committee that since 1936 has been providing government with what it needs to know to inform national security decisions. Of course, analysts never have all the information they would like – lesson number one in intelligence is that our knowledge of the world is always fragmentary, incomplete, and is sometimes wrong. That is also true of the information we use when we make any kind of personal decision. But I have watched intelligence analysts over the years succeed in reaching good judgements despite never having enough data. We can all learn from their methods - and acquire self-knowledge of the ways in which we are more likely to fall into error or be deceived.
In the arena of national security, we take care to separate two types of thinking. We want the most impartial professional judgements possible, using all sources of information, in the UK from the Joint Intelligence Committee, the Joint Terrorism Analysis Centre, and other professional parts of government to guide those who have to take hard decisions. Of course, all we can know comes from our own personal sensory inputs, and analysts thus cannot fully escape their unconscious emotional framing of issues – precisely because they are unconscious. But by understanding how they can fall into error and by following the physician’s Delphic command, first know yourself, analysts can reach a high standard of impartiality and truth telling. We expect Ministers and policy advisers to take heed of such analysis in pursuing their objectives and applying their political belief systems to their actual decisions, drawing on their democratic mandate.
When it comes to making an important decision, leaders in any organisation have to bring together in their own heads these two different qualities of thought. On the one hand, rational analysis of the situation facing them and the choices open, and on the other, their ambitions for what is hoped will be achieved by the decision (or what bad outcomes are to be avoided by it). Both kinds of thinking, the dispassionate staff-work and the passionate leadership, the “is” and the “ought”, are necessary and both need to be understood if leaders are to end up taking sound decisions.
Bringing these types of thinking together has always been hard. But it is getting harder to maintain rational decision taking in the Internet age. What we find online cannot be assumed to be objective evidence. Instead what comes up can be emotionally manipulative, contradictory, and sometimes deliberately false information - from more sources than ever. That is as true about preparing to make choices in the polling booth as it would be choices made on an online dating site.
The Internet is thus shaping our reality and is not just a reflection of it. It is why autocratic States like Russia and China can use their censored internets to control their populations.
In my new book, I describe how intelligence analysts go about making sense of the world and advising decision makers how events are most likely to turn out, providing when necessary warning of threatening developments. I have coined for these intelligence outputs another acronym, reflecting what analysts hope to provide by seeing clearly, SEES: Situational awareness; Explanation; Estimation; and Strategic notice. These are the four essential intelligence outputs that policymakers and military commanders must demand if they are to make firm and wise decisions.
Situational awareness answers questions about “what, when, and where and who?” It comes from accessing data about what is happening on the ground and in cyberspace as well. We need reliable, consistent data to give us situational awareness of all that we face, essential before we start arguing about what choices we may have. In a crisis, decision makers at all levels of government, the armed services and the private sector need to work with their professional advisers to determine what data, on what common definitions, will be central to their upcoming decisions, and by when it will be needed. The British intelligence community has for example put significant effort into building systems to provide better situational awareness of the activity of malign actors. The data points being sought include online identities, associates and networks, locations, movements, finances and purchasing, internet usage, and much else.[iii] Agencies will also have to devote more resources to open-source analysis of what of concern is going on in the grey zone, and seek the cooperation of the Internet companies to help uncover harmful behaviours online.
Even well-established facts are, however, capable of multiple interpretations, as every defence lawyer recognises. Was the reason the accused’s fingerprints were found on the fragments of a bottle thrown at a police patrol during a demonstration because he threw it, or was it just his old beer bottle the mob spotted as they passed the recycling bin outside his house? My second lesson in intelligence is that even when we have acquired relevant data it needs explaining.
Explanation is therefore the second type of output needed for supporting sound decisions, answering objectively questions such as “why are we seeing this pattern of data?” and “is the occurrence of these situations together just coincidence or does it reflect a malign design?”
Our choice of explanation of what we see can, however, easily be swayed by our unconscious feelings. Cognitive errors such as confirmation bias, seeing only what we want to see, are common. I warn too in the book about the dangers of conspiratorial thinking – we must not make the mistake of seeing our adversaries as all-powerful in the Grey Zone. We know that the tradecraft of the Russian services is not infallible.
However, when we have reached a sound evidence-based explanation we can be confident in moving on to the third output of analytical thinking, an estimate of how events may unfold on different assumptions about how the adversary may react and on what the adversary may assume we will do next.
Estimates and modelling are therefore the third essential output of SEES analysis to answer questions about “what will happen next if we do – or do not – act in a particular way”, such as blocking a particular server or publicly attributing a cyber-attack. ‘Estimation’ is a term intelligence analysts prefer to ‘prediction’, a word that may conjure up an unrealistic expectation: there are no crystal balls that reveal the future. There is, however, technology available for interactive modelling on alternative assumptions about how an adversary may react or assume we will react.
Here is a third lesson in intelligence. If we are to estimate how events will unfold it is essential to apply a sound explanation of events to our situational awareness. It is always tempting to take trends in data and assume without any real reason to do so that they will continue. Often events will work out that way, but when they do not their impact may be disastrous for us.
Experience shows that decision-takers can be so focused on today that they fail to spot new challenges forming over the horizon. The decision-taker needs, therefore, a fourth type of output from SEES analysis: strategic notice of possible new future challenges. Strategic notice helps in answering questions of the ‘how could we best prepare for whatever might hit us next?’ type, or even ‘how could we pre-empt this risk so that it never comes to test us?’. Most of the information needed to provide strategic notice can be provided from open sources, and outreach to academia and think tanks can significantly help identify novel future threats.
The fourth lesson in intelligence is that if we obtain and use strategic notice we do not have to be so surprised by surprise itself. And armed with the four outputs from SEES analysis we need not fear persistent engagement with our adversaries.
[i] UK Ministry of Defence, Integrated Operating Concept for 2025, available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/922969/20200930_-_Introducing_the_Integrated_Operating_Concept.pdf
[ii] David Omand, How Spies Think: 10 Lessons in Intelligence, London: Penguin Viking, 2020
[iii] David Omand, Securing the State, London: Hurst, 2010, Ch.1.