Part 4: Determining Intelligence Needs and Co-ordinating Information Flows

Managing Threats to Domestic Security.

4.1
Intelligence, as far as domestic security is concerned, is information that has been obtained by secret methods or that has been analysed for security purposes. Intelligence is a key element of security. Intelligence is different from most other forms of information in that it needs to be protected and used carefully.

4.2
Using the framework illustrated in Figure 2 on page 25, information and intelligence are needed for:

  • Prevention – in order to know that an event might occur, so that action can be taken to either prevent or mitigate the effects of the event. At this stage, the intelligence is likely to be “sensitive” – it may come from sources that need to be protected. The intelligence may also be relatively obscure, be put together from a variety of sources, and require considerable analysis to put a recognisable picture together.
  • Response – The intelligence needs of the various agencies differ widely. For example, the Police want intelligence to assist in establishing who are the perpetrators of any offence, whereas primary responders require situational information to assist their response, e.g. what health facilities are available and their capacity to treat victims.
  • Recovery – information is required for contingency planning, roles and responsibilities in relation to recovery. Intelligence is seldom required in recovery.

4.3
Ensuring that the right intelligence is obtained and that it is passed on to the right people in a timely manner are key features of the intelligence process. Equally important is analysis of the information from which operational judgements can be made. Inadequate analysis negates any efforts to increase the quality and quantity of information gathered.

4.4
In this part of the report, we examine how intelligence needs are met, how the collection and flows of intelligence are co-ordinated, and the specific intelligence requirements for prevention and response.

4.5
We also examine the capability among agencies to assess preparedness and undertake effective analysis. We took account of performance measures for, and reviews of, analytical products and the processes for producing them.

Key Findings

4.6
The inter-agency Foreign Intelligence Requirements Committee process see (Figure 3 on page 32 and paragraphs 4.21-4.22 on page 55) establishes clear requirements for the collection agencies to collect foreign intelligence. But a similar process does not exist for the collection of domestic intelligence.

4.7
The creation of a more formalised process for sharing information and intelligence would enable individual agencies to share the substantial amounts of intelligence and other forms of information collected as part of their day-to-day business. ODESC recently supported the establishment of the New Zealand Intelligence Community Network (NZIC Net), which will provide a secure communications network to the Wellington intelligence community and key customer departments and agencies. NZIC Net will include secure e-mail services and the capability to distribute secret intelligence reports and classified assessment papers.

4.8
Formal and informal mechanisms combine to facilitate the flow of information between agencies and within agencies. These mechanisms are often supported by a co-operative attitude between individuals of different agencies, though inter-agency trust can – and should – take time to develop. Overall, these mechanisms are effective, particularly in relation to responses to incidents.

4.9
The maturity of agencies’ intelligence functions varied. Some had had extensive experience in intelligence analysis and collection, while others were in the process of extending the breadth of their intelligence coverage. One agency was in the early stages of establishing an effective intelligence capability. We observed differences in agencies’ use of intelligence and information – some used intelligence better to support their operations than others.

4.10
There are few examples of performance measures or ‘lessons learned’ reviews for analytical products. There are also few international models of how best to devise and implement new products. Given the very limited existing research and experience, this is clearly an area where agencies could benefit from working closely together and pooling knowledge and resources.

The Fundamentals of Intelligence Co-ordination

4.11
Trust is fundamental to sharing intelligence. If one organisation does not trust another to treat the information it is given with due sensitivity, the level of intelligence sharing between the two is likely to be low. The need for trust based on previous experience and relationships makes it difficult for new participants to enter the intelligence community.

4.12
This obstacle has important benefits in placing the onus on new participants to strengthen their systems and processes for handling classified material and information, and helps to maintain the integrity of the system. For example, until two years ago, Customs played a minor role in the intelligence community, and it was not until it improved its own internal security and established a sound intelligence capability that it was able to participate fully in intelligence matters. It is important that existing participants do all they can to bring ‘new entrants’ up to the required standard.

4.13
The system for classifying information is also fundamental. The Security in the Government Sector15 publication provides a classification framework to help ensure a consistent standard across government agencies. Getting information to the people who can take action often requires ‘declassification’ of some type, a process that needs to consider the source of the information and the attendant risks. Declassification may be required in both passing information between agencies (for example, from the Police to private sector organisations) and within agencies from senior staff with the appropriate clearance to front-line staff (such as Customs staff at airports). All agencies should ensure that they understand these processes.

Agencies’ Use of Intelligence

4.14
The value that an agency places on intelligence is generally related to the extent to which it is used to assist, direct, or drive agency operations. Intelligence is also used to inform policymaking. Agencies’ use of intelligence to drive operations varies substantially. Some agencies, such as the Police and Customs, have integrated intelligence fully as part of their operations. They use intelligence routinely to identify trends and target their resources.

4.15
Some other agencies do not place as much emphasis on gathering information for intelligence purposes. For example, the Immigration Service has a limited intelligence capability. Its business units may produce valuable information and intelligence, but there are few opportunities to match this with external information, or to establish a Service-wide picture of risks and threats.

4.16
The Immigration Service is in the process of improving its intelligence capability, and is planning for an enhanced capability to be operating within a year. Cabinet agreed to allocate $5.4 million for 2003-04 and $4.8 million for each subsequent year. The enhanced capability should:

  • strengthen links with other security agencies at both the operational and strategic level;
  • help to target resources through the use of risk and threat analyses; and
  • help to comprehensively identify where vulnerabilities currently exist in the system.

Meeting General Intelligence Needs

4.17
We examined the measures that are in place to establish what information and intelligence is needed to warn that a security incident is likely to occur. We also looked at the use made of information and intelligence within and between agencies to identify potential events, and to assist them more widely in undertaking their domestic security functions.

4.18
Foreign intelligence is that which is collected to meet the Government’s foreign intelligence requirement. Domestic intelligence is that which is collected to meet the relevant agencies’ security intelligence requirements. Different procedures apply to these two types of intelligence.

Foreign Information and Intelligence

4.19
Both the NZSIS and the GCSB collect foreign intelligence. The NZSIS focus is predominantly domestic intelligence, and the GCSB is focused solely on foreign intelligence.

4.20
The GCSB is responsible for collecting and reporting foreign signals intelligence from a variety of foreign communications. It processes, decrypts or decodes and/or translates the information the signals contain before passing the information on as a report to the appropriate government department. It does not assess the information it collects.

4.21
The Foreign Intelligence Requirements Committee (FIRC) is responsible for bringing together a range of agencies with the aim of providing to the GCSB and the NZSIS a comprehensive list of New Zealand’s foreign intelligence needs. This list is then used to determine and prioritise the foreign intelligence that will be collected, with the aim of effective use of available intelligence resources.

4.22
Sub-groups of FIRC (known as CIRGs – Current Intelligence Requirement Groups) have recently been established to give the process for defining information and intelligence requirements enough flexibility to handle immediate needs as they arise. DPMC has also been working with the agencies involved to rationalise the list of requirements to make the collection tasks more manageable, while still providing flexibility to collectors to be alert for intelligence relating to items that are not explicitly on the list.

4.23
The strengths of the FIRC process include:

  • clear definition of agency needs for foreign intelligence collection;
  • provision of clear guidance for collection agencies to follow; and
  • flexibility to respond to urgent requirements.

4.24
In our view, the FIRC process could be further strengthened by undertaking a ‘gap analysis’ of what the collector agencies have been asked for compared with what they are able to provide. While individual consumer agencies will already be aware of the information they have asked for that has not been provided, a systematic, system-wide gap analysis is more likely to reveal the main areas where collection capability cannot meet the stated requirements. The analysis would also provide assurance on the capabilities available to meet information and intelligence needs.

4.25
In addition to the FIRC process, individual agencies receive intelligence and information from overseas counterparts and through membership of international organisations. For example, the Police have access to Interpol, and Customs receives information on the latest methods for smuggling from its international counterparts.

Domestic Intelligence

4.26
Unlike foreign intelligence collection, domestic intelligence collection is not based on any consumer/collector system or multi-agency requirement definition. Individual agencies collect large quantities of information and intelligence for their own purposes. For example:

  • Customs and the Immigration Service have access to detailed information on both goods and people entering and leaving New Zealand;
  • the Police collect information and produce intelligence in relation to national and trans-national criminal activities (especially the newly established Strategic Intelligence Unit); and
  • the Ministry of Fisheries receives information and intelligence on the movement of fishing vessels around the coastline, the catches, and the potential illegal export of fish.

4.27
The NZSIS has responsibilities under its Act16 to obtain, correlate and evaluate intelligence relating to security. Much of the intelligence collected is secret.17 The Director of the NZSIS has the legislative authority18 to decide what intelligence will be collected and to whom it will be communicated.

4.28
The NZSIS considers its requirements and resources twice a year. The first exercise formally establishes the Objectives and Requirements Plan for the coming year, and the second (mid-term) exercise reviews the Plan decisions.

4.29
The NZSIS consults a range of other agencies in the areas of its operations in which it shares responsibilities – such as counter-terrorism – or in which it collects intelligence in support of the requirements of other agencies – as in illegal immigration. While the consultation appears sound, the setting of the final Objectives and Requirements Plan is entirely internal to the NZSIS.

4.30
We believe that more interaction with other relevant agencies would be likely to lead to plans that better reflect wider intelligence requirements. Greater interaction could include invitations to other domestic security agencies to submit their needs for input into the objective-setting process.

4.31
These additions would not alter NZSIS control over the process. The final decisions on what information is to be collected would remain with the Director, consistent with his independence in these matters.

4.32
Further, we consider that there would be benefit in formalising domestic security intelligence collection along the lines of the FIRC process. A more formal process should be in conjunction with, and support, individual agencies continuing to pursue their own information and intelligence needs. It should ensure that any duplication is reduced, and that opportunities for co-operation are taken.

Co-ordinating the Flow of Intelligence

4.33
The GCSB and the NZSIS have formal and informal processes for disseminating the intelligence they provide. The GCSB has liaison officers sited within key customer agencies for this purpose, and the NZSIS has daily or as required delivery arrangements with its customer agencies. Both agencies have a programme of visits.

4.34
The NZSIS also has a formal system for assessing how agencies rank the value of foreign intelligence it provides.

4.35
There are few formal processes to co-ordinate information collection and flows more widely across the various agencies. We noted the following examples:

  • In particular circumstances, DPMC will form Watch Groups to monitor developments (e.g. the potential for sea-borne unauthorised migrants). These are multi-agency, and continue until the need diminishes to the point where inter-agency processes resume (see paragraphs 4.40-4.41 on page 59).
  • The Police Strategic Intelligence Unit produces reports on subjects of relevance from a domestic security perspective and disseminates them to partner agencies as appropriate.
  • Customs and the CAA have established a system to process the information that they receive, which other agencies have access to and are able to use.
  • The arrangements for co-ordinating the collection of maritime intelligence (see Figure 5 on the next page) facilitates close co-operation between agencies to achieve whole-of-government goals, a common understanding of the maritime environment, and effective use of Government resources.

Figure 5
Co-ordination of Maritime Intelligence

The National Maritime Co-ordination Centre (NMCC) was established in 2002 and is governed by the Chief Executives from NZDF, Fisheries, Customs, the Police and the MSA. The centre is co-located with the NZDF Joint Force Headquarters in Trentham and is staffed from the NZDF and the civilian agencies. The NMCC is responsible for co-ordinating maritime surveillance to:
• maximise the effectiveness of New Zealand’s maritime surveillance assets;
• ensure the best possible use of available information; and
• enable a whole-of-government approach to maritime security, using a common risk management framework.

Its two main functions are therefore co-ordinating:
• agency maritime patrol and response activities; and
• the provision of a maritime intelligence picture compiled from multiple sources to participating agencies.

The NMCC does not have any direct operational responsibilities; these remain with the individual agencies.

A Risk Management Framework has been established which provides a clear methodology to assess security risks and enable competing patrol tasks to be prioritised on a multi-agency basis.

4.36
Informal interactions range from telephone calls and informal meetings between individual security analysts to the establishment of semi-formal groups. A Combined Law Agencies Group (CLAG) was set up in 1999 to improve co-ordination between agencies at an operational level, and there are now a number of regional CLAGs that operate under a national-level CLAG. They have evolved over time to include networking and information sharing as well as allowing law agencies to co-operate on common issues. Membership of a regional CLAG varies depending on agency representation in the region.

4.37
Agency officials involved in the CLAGs valued the groups, especially the informality and the flexibility of their size and location (for example, a location such as Auckland Airport could have a CLAG). They have enabled networks to be developed that have been helpful when needing to make contacts or initiate more formal co-operation.

4.38
While the initial informality of the CLAGs had some disadvantages, they have evolved to be an officially mandated accepted element of the law enforcement environment in New Zealand.

Intelligence Co-ordination During Response

4.39
We examined the processes and procedures to co-ordinate information and intelligence during security incidents or where incidents are highly likely to occur.

Responding to Potential Incidents

4.40
ODESC and its Watch Groups provide an effective mechanism to co-ordinate information and intelligence flows in relation to potential events or actual events. Sometimes ODESC will meet when potential events requiring a combined agency response are identified (for example, the potential arrival of a boat carrying illegal immigrants). In such cases, irrespective of whether an immediate operational response is required, a Watch Group is often formed to keep the situation under review.

4.41
On other occasions, a Watch Group is formed to keep the situation under review even if it is not considered necessary to convene ODESC at that time. If circumstances worsen, ODESC would be convened. In all cases, reports are made to Ministers – for information or decisions. ODESC and Watch Groups both provide opportunities for agencies to exchange information and intelligence about potential and actual events.

During Response to a Specific Incident

4.42
The co-ordination of information and intelligence at times of specific incidents is relatively well developed.

4.43
Co-ordination of information and intelligence in respect of a terrorist incident is achieved through the Joint Intelligence Group (JIG), comprising analysts from the Police and other agencies19. The JIG draws together and assesses all sources of intelligence to support the Police Operation Commander, and/or provide strategic intelligence to ODESC and Ministers (which together constitute the Terrorism Emergency Group) where a strategic response is required. The Police determine the JIG’s size, structure and location, taking account of the nature of the terrorist incident.

4.44
An ad hoc Intelligence Co-ordinator is generally also appointed to:

  • liaise with the Police to co-ordinate specific requests from officials for further intelligence and information from the JIG to support policy formulation and decision-making;
  • co-ordinate the strategic assessments (forward-looking and longer-term) required to inform Government decision-making, using the widest possible range of intelligence from both open and secret sources; and
  • arrange for particular aspects to be analysed by a specific agency other than the JIG if the Watch Group considers it necessary.

Responding to Other Incidents

4.45
Most incidents, whether major emergencies, disasters, or localised incidents, require a response from a number of different agencies. No single agency or department is able to handle a large-scale incident alone.

4.46
The Co-ordinated Incident Management System (CIMS) is designed to improve the management of the response phase to emergency incidents through better co-ordination between the major emergency services (Fire, Police, Ambulance, and Civil Defence). It also provides for co-ordination with the various other organisations that have a role in emergency response (local authorities, NZDF, MSA). CIMS is used in responding to natural hazards, incidents involving multiple casualties, environmental incidents, and public health and medical emergencies.

4.47
CIMS provides an effective way to facilitate information co-ordination when responding to an event. It was established to address a number of problems identified with emergency response including:

  • non-standard terminology among responding agencies;
  • non-standard and non-integrated communications;
  • lack of consolidated action plans; and
  • lack of facilities designated as available for a response.

4.48
To help co-ordinate the effective use of all available resources, CIMS is built around four major sections:

  • Incident Control – is responsible for the overall direction of the response, and the management of an incident across agencies. An incident will have only one incident controller, but multiple lines of command depending on the number of agencies involved.
  • Planning/Information – includes gathering, evaluating and disseminating information about the incident and the status of resources. This section is also responsible for the creation of an Incident Action Plan.
  • Operations – is responsible for carrying out the response activities described in the Incident Action Plan and directing an agency’s resources in combating the incident.
  • Logistics – is responsible for providing facilities, services and materials required to combat the incident.

4.49
CIMS can be expanded and contracted to manage the response to varying types and sizes of incidents – including single agency responses, multi-agency responses, major incidents requiring maximum organisation support, and multi-incident responses.

Providing Effective Analysis of Information and Intelligence

4.50
Making good use of intelligence and information requires sound analysis – including consideration of alternative means of analysis; otherwise the effectiveness of collection efforts is undermined. We therefore looked for performance measures around, and reviews of, analytical products and the processes for producing them.

4.51
We did not find many examples of reviews of analytical products and processes. The intelligence section of Customs has good practices in this respect – for example, external review is a quality indicator. Some other agencies attempt to evaluate the quality of analytical products, but not in a formal manner. Most agencies rely on individual analysts’ performance agreements to monitor the quality of analytical products.

4.52
New Zealand agencies are not alone in this respect. Our field work in Australia and the USA, and the available literature, illustrated that other countries also struggle with determining performance and quality measures for analytical products. Techniques exist, but have not been used systematically to create an analytical quality system. The techniques include

  • Using ‘A’ and ‘B’ teams for competitive analysis – this involves having two teams analyse information or a situation independently, and the two results are then compared. This technique is often used to challenge assumptions that analysts may be using when undertaking their work.
  • Interdisciplinary review and debate – a form of external review but with a focus on the reviewers challenging the mindset that was used to design the analytical product.
  • Matrix-form evaluation – where competing hypotheses are lined up against each other and actual analytical products compared.

15: See www.security.govt.nz/sigs.

16: The New Zealand Security Intelligence Service Act 1969.

17: “Secret” in that the holders of the information would prefer that lawful authorities were not aware of the content of that information.

18: Section 4 of the New Zealand Security Intelligence Service Act 1969.

19: A Memorandum of Understanding is agreed between agencies employing intelligence analysts, to provide intelligence support to the JIG in the event of a terrorist incident.

page top