Thank you for the chance to appear.
I'd like to talk about two things, the first of which is how intelligence analysis tends to work in the forces, and also in the more civilian world.
In general, analysts are trying to find interesting things without quite knowing what they're looking for. In adversarial situations, adversaries are trying to come up with novel approaches, and therefore you're always looking for something new, and you can't do this based on a set of rules or limited known patterns that you might already happen to know about. This means that analysts are constantly having to think of new hypotheses and be very creative, and even imaginative, about what they're looking for. When they come up with something they would like to explore, the general strategy is to ask, “Is there evidence for this?” These days that generally means, “Is there evidence in data that we've already collected for this?”
Unfortunately, the way that tends to be implemented, physically or virtually, is that this request is thrown over some large wall to the people who guard the data. They go and see whether there is, indeed, any evidence for this hypothesis in the data, and then they write a report about it and send that back to the analyst. This process can take weeks. The people interrogating the data and writing the report do not have any context and therefore cannot say, “There isn't what you were asking about, but there's something very similar to it”, because they simply don't know. If new data arrive the day after they wrote the report, nobody notices. This is a very ineffective and deeply flawed way to do intelligence analysis.
There's a way to do a lot better, but it's subtle and it's hard for people to appreciate. It is that the data itself can generate its own hypotheses. At first this seems like magic, but it's really not. In an adversarial setting, it's usually plausible to assume that anything that's common is normal, and therefore anything that is exceptional deserves some further exploration. That is the key to making this process work.
It's possible, algorithmically and inductively, to put in front of the data computational engines that will throw up hypotheses for which there is some evidence. The role of the analyst now is different, but inherently simpler, and that is simply to judge whether those hypotheses are plausible or not, and if they're not, to feed back into the process an indication of why that is. Often it turns out there are technical collection problems of various sorts, but sometimes it's just a lack of sophistication in the inductive process itself.
This push from the data towards the analyst is much more effective and cost-effective than trying to get the analysts to pull from the data, for the reasons I've outlined.
The reason this isn't being done is partly a cultural one: analysts tend to be trained in the social sciences, and they do not have the data analysis background to either see or understand, naturally, the kind of process I've outlined. My suggestion would be that it's important to get the benefit of this kind of approach by cross-training, as it were, people with social science and data analysis backgrounds, rather than the current set-ups, which are very much based on quite strong separations between people who are called analysts and people who handle large amounts of data.
The second thing I'd like to talk about is cyber-security, which I understand you heard something about yesterday as well.
My first point is that organization matters. All of the western countries have struggled with the issue of which parts of government should do cyber-security, malware, and things like that, and all of them have not come up with a good solution, with one exception. The U.K. government, more or less by accident, included the economic well-being of the United Kingdom in the mandate of the Government Communications Headquarters. That has meant that for a very long time, the people at Cheltenham have taken on board all of the issues that in other countries have struggled to find a home.
That's paid off for them in a very big way, because it turns out there are major synergies between the things you have to think about to do cyber-security and the things you have to think about to do signals intelligence, in both directions. That's the reason why GCHQ is both the world leader in signals intelligence and the world leader in cyber-security.
So I would suggest that for the Canadian government, which faces the same issues, the Communications Security Establishment is the right place to put cyber-security and all of its related issues.
Secondly, it's very easy, particularly from a military background, to slip into a castle model of cyber-security. You can see in the words that people use to describe things like firewalls, intrusion detection, and spam filters that there's this metaphor underlying all of those things that suggests we can live inside enclaves of purity and keep the bad stuff out. That simply is not plausible in today's world.
We have to find ways to live with compromised environments. I would suggest that the human immune system is at least an interesting metaphor for that. Although our bodies are good at keeping out certain kinds of bad things, they also have major things going on inside us that, as it were, patrol for bad things that have invaded the first level of defence.
That's a difficult model to have. We have not learned to think in that way, but it is important that we head in that direction rather than aiming for an ultimately futile perimeter view of cyber-security.
Third, there are no borders on the Internet (I think this fact is fairly widely appreciated), so attribution is incredibly difficult, and that means that some of the things the military has traditionally used will not work. You can't tell who attacked you. You can't even tell what kind of “who” attacked you. Whether it's a state actor, a group, or an individual, it's impossible, in general, to distinguish those things. That means we have no leverage from ideas like retribution. Something like détente is simply impossible to deal with, so prevention is the only path for handling cyber-security in the end.
Thank you.