Updated: Jun 7, 2020
Intelligence grading is a fundamental step in the intelligence collection process. Intelligence is graded so that any individual reading it can have the confidence to rely on it. When intelligence is submitted it should go through a grading process where a handling code is attached to the intelligence as part of an initial risk assessment process. Grading intelligence allows for the quick and easy expression of this risk assessment of a source of intelligence, as well as allowing for sanitisation to take place to protect that source.
Sanitisation is the process of removing any details that could lead to potential risk to the source. If a piece of intelligence leaked and it stated that Betty from No.9 saw the subject of the intelligence log stab someone, then Betty is at risk. Sanitisation ensures the removal of any mention of Betty. However, by removing the source, someone reading the sanitised intelligence no longer knows the strength of the statement that they're reading, as they don't know who shared it. Therefore, intelligence needs to be graded when it is sanitised, which allows the individuals that are sanitising the log to enter an assessment of the reliability and validity of the intelligence and its source.
One of the major problems with any grading system is that it has to be easily understood. The sharing of intelligence allows for improved responses to emerging threats and assists in the reduction of crime. However, it's no use sending intelligence to an officer on the street or to another force or organisation using a grading system that they don't understand. If someone doesn't understand the grading system, then they can't accurately assess the reliability of the intelligence that they've been given and therefore, they don't know what weight they need to give to it when formulating a response. To combat this issue, a nationally standardised grading system exists to allow police forces and other government bodies to quickly share intelligence in a way that lets all parties understand its trustworthiness. This universally understood system comes from the National Intelligence Model and is an evaluation process introduced to replace the previous “rule of thumb” process.
The 3x5x2 model
In this standardized system, intelligence grading is expressed via numerical and alphabetical values. These values are very easily expressed verbally and are highly auditable. This system was introduced as the 5x5x5 system; however, it has since been simplified to a 3x5x2 system. The numbers in the name represent information evaluation, source evaluation and intelligence handling and sharing rules. These evaluations and rules are used to express an assessment of the reliability and validity of any intelligence received. There is also a similar 6x6 system, which relies on the same basic structure. It is the national security or military model and is used by entities including NATO.
The 3x5x2 model works as such:
Based on the Reliability and Validity grading of intelligence, someone can very quickly determine its strength. The table below demonstrates the standard measure of strength attributed to different grades of intelligence:
Grading in OSINT
Intelligence collected through Internet Investigation and Open-Source methods does not differ from any other intelligence; it should be appropriately graded for the very justifications outlined above. However, grading doesn't always take place in the private sector. Some companies have adapted the 3x5x2 model and a few others may still rely on the old 5x5x5 model if they don't actively share intelligence beyond their own employees. However, it appears that there is little evidence to suggest that there has been any broad introduction of the 3x5x2 model into the private sector of the intelligence and investigation world.
Intelligence grading would allow intelligence sharing between organisations to be done more easily, benefiting both parties whilst still protecting the source. Grading improves the standard of data held to allow it to be sanitised, removing the identity of the source, which also assists companies with worries about GDPR. Source protection is paramount; at minimum, if a source doesn't feel safe then you lose them as a source of future intelligence. The further risks of improperly sanitised intelligence are far worse. Grading also improves auditability, which should make any decision-maker in a company happy. Therefore, there are a number of clear reasons why intelligence grading would be beneficial if introduced more broadly to the private sector. The 3x5x2 system is tried and tested by government entities, and its introduction to the private sector would allow for improved intelligence sharing with the police and other government departments.
Intelligence gathered via OSINT was traditionally always graded as E41 under the 5x5x5 system by Law Enforcement within the UK, regardless of where it came from on the internet. In fact, my understanding is that many Police Forces in England and Wales still grade any intelligence gathered through the internet this way, as 2DP under the 3x5x2 system. However, I don't support this approach to grading. Intelligence sources are not all the same and shouldn't be treated as such. The internet is full of false information; however, there are also many trustworthy sources that can be relied upon. Internet sources should be treated in exactly the same way as human sources and graded on their merit, rather than applying a blanket grading that does not honour the intention of the intelligence grading concept. I would love to see a change in how Law Enforcement Agencies perceive intelligence collected through the internet that truly captures the modern world that we live in.
As well as grading intelligence collected online, I also assign a confidence level for any OSINT gathered. This isn't an industry standard and is something I introduced myself. The reason for this is that two pieces of intelligence gathered online could share the same Intelligence grading, yet, I would be more likely to rely on one than the other. An example of my reasoning is as such:
Intelligence from Equifax would be 1AP: it comes from a reliable source and they hold the data directly, having collected it from official institutions. This data is highly likely to be correct and so I would give it a full level of confidence.
Conducting a search on Facebook by email address, the result would also be 1AP. The data is held by Facebook, rather than coming from the individual, so it's from a "trusted" source. Whilst I don't trust Facebook with Security, I do trust that it isn't giving me false information in this one specific example. The data is also held by them and was an email address provided by the individual when they created an account. However, the reason I don't give it my full level of confidence is twofold. Firstly, we have no idea how old the account is and whether or not the email address is still in use. Listing this as a current email address for an individual could be a mistake. We know it was once used by the account holder, but it may not be anymore. This brings me to the second reason. We cannot know for absolute certain that the person who created the account is the named individual. It's highly likely to be and if there's nothing to suggest it was created by someone else, then we should be able to rely on it. However, for these reasons, I lower my level of confidence slightly and look to parallel source the intelligence much quicker than I would Equifax data.
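As an added illustration (not the author's own tooling and not part of the original post), the sketch below validates 3x5x2 codes, refuses to release a record whose text still names its source, and orders equally graded items by the extra confidence level described above. The code labels follow the published 3x5x2 definitions; the `source_*` field names, the 0 to 1 confidence scale and the sample records are assumptions made for this example.

```python
from dataclasses import dataclass

# 3x5x2 code tables: source evaluation, intelligence assessment, handling.
SOURCE = {"1": "Reliable", "2": "Untested", "3": "Not reliable"}
INFO = {"A": "Known directly to the source",
        "B": "Known indirectly to the source but corroborated",
        "C": "Known indirectly to the source",
        "D": "Not known",
        "E": "Suspected to be false"}
HANDLING = {"P": "Lawful sharing permitted",
            "C": "Lawful sharing permitted with conditions"}


@dataclass(frozen=True)
class GradedIntel:
    text: str
    grade: str         # e.g. "1AP"
    confidence: float  # assumed 0.0-1.0 analyst scale, not part of 3x5x2


def parse_grade(code):
    """Validate a 3x5x2 code and return its three meanings."""
    code = code.strip().upper()
    if (len(code) != 3 or code[0] not in SOURCE
            or code[1] not in INFO or code[2] not in HANDLING):
        raise ValueError(f"not a 3x5x2 grade: {code!r}")
    return SOURCE[code[0]], INFO[code[1]], HANDLING[code[2]]


def sanitise(raw, grade, confidence):
    """Keep only text and assessment; refuse if the text names the source."""
    parse_grade(grade)
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be between 0 and 1")
    for field, value in raw.items():
        # Hypothetical convention: source-identifying fields start "source_".
        if field.startswith("source_") and value and value.lower() in raw["text"].lower():
            raise ValueError(f"text still contains {field}")
    return GradedIntel(raw["text"], grade.strip().upper(), confidence)


def rank(items):
    """Strongest first: source grade, then assessment, then confidence."""
    return sorted(items, key=lambda i: (i.grade[0], i.grade[1], -i.confidence))


# Constructed sample records; the confidence numbers are illustrative only.
EQUIFAX = sanitise({"source_name": "Equifax",
                    "text": "Subject is linked to the address on file."}, "1AP", 1.0)
FACEBOOK = sanitise({"source_name": "Facebook",
                     "text": "Email resolves to an account in the subject's name."}, "1AP", 0.8)
```

The substring check is only a floor: it catches a source name left verbatim in the text, not indirect identifiers, so manual review of the sanitised text is still needed. A legacy 5x5x5 code such as E41 fails validation rather than being silently accepted.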
I've put together a table showing how I would grade a list of some OSINT sources, as well as the confidence level that I give to Intelligence: