Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution
“Assessing Russian Activities and Intentions in Recent US Elections” is a declassified version of a highly classified assessment that has been provided to the President and to recipients approved by the President.
- The Intelligence Community rarely can publicly reveal the full extent of its knowledge or the precise bases for its assessments, as the release of such information would reveal sensitive sources or methods and imperil the ability to collect critical foreign intelligence in the future.
- Thus, while the conclusions in the report are all reflected in the classified assessment, the declassified report does not and cannot include the full supporting information, including specific intelligence and sources and methods.
The Analytic Process
The mission of the Intelligence Community is to seek to reduce the uncertainty surrounding foreign activities, capabilities, or leaders’ intentions. This objective is difficult to achieve when seeking to understand complex issues on which foreign actors go to extraordinary lengths to hide or obfuscate their activities.
- On these issues of great importance to US national security, the goal of intelligence analysis is to provide assessments to decisionmakers that are intellectually rigorous, objective, timely, and useful, and that adhere to tradecraft standards.
- The tradecraft standards for analytic products have been refined over the past ten years. These standards include describing sources (including their reliability and access to the information they provide), clearly expressing uncertainty, distinguishing between underlying information and analysts’ judgments and assumptions, exploring alternatives, demonstrating relevance to the customer, using strong and transparent logic, and explaining change or consistency in judgments over time.
- Applying these standards helps ensure that the Intelligence Community provides US policymakers, warfighters, and operators with the best and most accurate insight, warning, and context, as well as potential opportunities to advance US national security.
Intelligence Community analysts integrate information from a wide range of sources, including human sources, technical collection, and open-source information. They apply specialized skills and structured analytic tools to draw inferences informed by the data available, relevant past activity, and logic and reasoning, in order to provide insight into what is happening and the prospects for the future.
- A critical part of the analyst’s task is to explain uncertainties associated with major judgments based on the quantity and quality of the source material, information gaps, and the complexity of the issue.
- When Intelligence Community analysts use words such as “we assess” or “we judge,” they are conveying an analytic assessment or judgment.
- Some analytic judgments are based directly on collected information; others rest on previous judgments, which serve as building blocks in rigorous analysis. In either type of judgment, the tradecraft standards outlined above ensure that analysts have an appropriate basis for the judgment.
Intelligence Community judgments often include two important elements: judgments of how likely it is that something has happened or will happen (using terms such as “likely” or “unlikely”) and confidence levels in those judgments (low, moderate, and high) that refer to the evidentiary basis, logic and reasoning, and precedents that underpin the judgments.
Determining Attribution in Cyber Incidents
The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber operation—malicious or not—leaves a trail. US Intelligence Community analysts use this information, their constantly growing knowledge base of previous events and known malicious actors, and their knowledge of how these malicious actors work and the tools that they use, to attempt to trace these operations back to their source. In every case, they apply the same tradecraft standards described in the Analytic Process above.
- Analysts consider a series of questions to assess how the information compares with existing knowledge and adjust their confidence in their judgments as appropriate to account for any alternative hypotheses and ambiguities.
- An assessment of attribution usually is not a simple statement of who conducted an operation, but rather a series of judgments that describe whether it was an isolated incident, who was the likely perpetrator, that perpetrator’s possible motivations, and whether a foreign government had a role in ordering or leading the operation.