Perhaps the most difficult part of the transition from public to private sector for cyber professionals coming out of the US intelligence community (IC) is one of language. Conversations regularly take place in industry settings where the first challenge is ensuring that everyone is speaking the same language. In the IC there are a few different definitions of intelligence, but they do not vary much from agency to agency. Career fields may differ in names based on the focus of an analyst’s work (signals intelligence, human intelligence, etc.), but the definition of intelligence varies little.
In contrast, in the private sector terms like data, information, and intelligence are often used interchangeably, with distinctions made based on either sheer volume or the source of the input. For instance, a single identified IP hosting malicious software might be seen as a data point, but if someone provided a list of 100 such IPs, that list of data points may be labeled “intelligence.” Similarly, anything acquired from the Dark Web is regularly labeled intelligence, regardless of the process used to obtain or validate those Dark Web findings.
Regardless of how hard it may be to obtain, or how valuable it may be once acquired, no data or information is equal to intelligence. This conflation confuses what intelligence is and inadvertently devalues the standards and methods applied to create meaningful intelligence. It’s therefore important to establish definitions for data, information, and intelligence, and to create a shared understanding as to how these three are related.
What is Data?
Webster’s defines data as “factual information (as measurements or statistics) used as a basis for reasoning, discussion, or calculation.” 1 This means we are not talking about opinions or analysis, but simply raw materials that are the fuel for analytic work. In terms of cybersecurity, the factual materials available are IPs, URLs, malware signatures, and other indicators of compromise (IOCs). All of this is incredibly important to defending our networks, information, and users. None of these are intelligence.
What is Information?
Dr. Jennifer Rowley defines information as “organized or structured data, which has been processed in such a way that the information now has relevance for a specific purpose or context, and is therefore meaningful, valuable, useful and relevant.” 2 This is where it starts to get easier to see why terms become confused. “Knowledge obtained from investigation or study” certainly sounds like it could be intelligence. The difference is that information is a much more general term applied to any data gained from any amount of investigation, study, or instruction. There is no implication of the application of a rigorous analysis process, application of concepts such as analysis of competing hypotheses (ACH), weighing of source reliability, or requirements for how to communicate information to a consumer in terms of volume and variety of sources or confidence ratings. In clearer terms, students gain information every day while in school, and the general population gains information from anything they choose to read or ingest. Sources can include textbooks, news, social media, peer communications, or anything that adds to one’s knowledge base. The challenge, in the era of “fake news,” is that it is increasingly difficult to know which information can be relied upon to create valid knowledge.
What is Intelligence?
The dictionary defines intelligence in terms of one’s ability to process information, as in “the ability to learn or understand or to deal with new or trying situations.”3 Further down the line of definitions we find something closer to what we need, “information concerning an enemy or possible enemy or an area,”4 but that definition is very limiting and only modifies the previous definition of information by including an enemy as the subject. That won’t cut it.
What about the IC? As it turns out, the IC has several definitions that are all similar but not identical.
- The organization charged with leading the IC, the Office of the Director of National Intelligence (ODNI), does not have a published definition of intelligence. It has, however, published a definition for counterintelligence.5
- In the 1990s, Martin Bimfort wrote a brief study on the subject that is now posted on the Central Intelligence Agency’s public website, with a definition that is far too focused on the specific needs of the counter-intelligence profession to provide much clarity for the private sector.6 Bimfort concluded that intelligence was:
“the collecting and processing of that information about foreign countries and their agents which is needed by a government for its foreign policy and for national security, the conduct of non-attributable activities abroad to facilitate the implementation of foreign policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure.”
- Beyond that, most intelligence agencies have their own nuanced views of intelligence. Unfortunately, the concepts get even murkier when we attempt to break intelligence down into components such as “actionable,” “operational,” or “strategic.”
None of this provides the required clarity, so for the purposes of discussion, the following definition, which is true to the standards and value of the IC, but applicable to the private sector, is provided:
Intelligence is the product resulting from the collection, evaluation, collation, interpretation, and analysis of all available data and information concerning the intentions, capabilities and objectives of known or suspected current or future adversaries vital to an organization’s development and execution of plans, policies, decisions, and courses of action.
A key portion of that definition is that intelligence is a product of a process (that includes collection, evaluation, collation, interpretation, and analysis). Intelligence production requires application of a repeatable process, combined with solid analytic tradecraft and standards – such as Intelligence Community Directives (ICD)7 or the business intelligence standards8 – to ensure the most accurate results needed to inform decision-making. The other powerful takeaway from this definition is that just being aware isn’t sufficient. Intelligence is “vital to an organization’s development and execution” as well. Intelligence results in wise actions.
In terms of an intelligence process, I am a strong advocate for using the Intelligence Cycle as provided by the IC.
The process is a proven method that ensures an organization understands its needs first, which reduces wasted energy attempting to answer the wrong questions. Once an organization has captured its needs, those needs drive collection that can be focused against the topics that matter most to the organization. When working on intelligence analysis and production, it is important to ensure proper tradecraft is used to reduce bias and subjectivity, increasing validity of confidence language used in any assessments. As with definitions for intelligence, there are several versions of the intelligence cycle, but all are variations on the same theme. (See Figure 1: The Intelligence Cycle)
While not the focus of this writing, highlighting the Intelligence Cycle requires understanding the three key elements of intelligence production:
- Talent: Intelligence will only be as good as the people tasked with providing that intelligence.
  - Personnel trained in analytical methodologies and tradecraft, who understand the importance of confidence ratings and the power of specific words when communicating, who are dedicated to objectivity, and who put integrity ahead of politics or personal gain are vital to successful intelligence.
- Access: Intelligence is only as good as the data and information available to the talent assigned.
  - The brightest minds cannot provide intelligence in a vacuum.
- Time: Creating valuable intelligence takes time.
  - The best data, combined with the brightest minds, will still not produce reliable intelligence without reasonable time to process, analyze, produce, and deliver.
  - The less time allowed, the greater the tolerance for low confidence assessments and analytic errors must be.
When building a threat intelligence program, separating data, information, and intelligence clarifies what is currently available from what is needed, while simultaneously identifying what clarity is available when choosing to act upon available sources. Using the data, information, knowledge, and wisdom (DIKW) model is an excellent way to understand how the elements of intelligence relate to one another. In Figure 2, the combination of knowledge and wisdom represents a reasonable understanding of intelligence.
With each step up the pyramid the user gains context and understanding, moving from a basic state of being informed to a point of understanding that can support educated decisions.
Bring it All Together
This is not an exhaustive look at the differences between data, information, and intelligence – only a primer. As the concept of intelligence gains in popularity in the private sector, so grows the need for a shared understanding of what it means to ask for intelligence to inform decisions. According to Rowley, data is “discrete, objective facts or observations, which are unorganized and unprocessed and therefore have no meaning or value because of lack of context and interpretation.”
In terms of cyber defense, data is best understood as IOCs. They are points of information that can be acted upon, but offer little beyond that transaction and bring an organization no closer to the understanding needed to push from a reactive to proactive state. Information, as well captured by Rowley, is “organized or structured data, which has been processed in such a way that the information now has relevance for a specific purpose or context, and is therefore meaningful, valuable, useful and relevant.” But information is still limited in scope to the specific area the “organized or structured data” supports. Intelligence, produced through a reliable and repeatable process – by personnel specifically trained to conduct such work – is what makes sense out of chaos. Intelligence helps leaders understand the quantity and quality of the information analyzed, puts that body of inputs into context, connects dots, and prioritizes actions. Intelligence empowers leaders to make reasoned and informed decisions that align with organizational needs and objectives.
- Data [Def. 1]. (n.d.). In Merriam Webster Online, Retrieved April 11, 2017, from http://www.merriam-webster.com/dictionary/data.
- Rowley, Jennifer; Richard Hartley (2006). Organizing Knowledge: An Introduction to Managing Access to Information. Ashgate Publishing, Ltd. pp. 5–6.
- intelligence [Def. 1]. (n.d.). In Merriam Webster Online, Retrieved April 11, 2017, from http://www.merriam-webster.com/dictionary/intelligence.
- intelligence [Def. 4]. (n.d.). In Merriam Webster Online, Retrieved April 11, 2017, from http://www.merriam-webster.com/dictionary/intelligence.
- http://assets.timoelliott.com/docs/Implementing%20BI%20Standards%20–%20A%20Field%20Guide.pdf