The Federal Bureau of Investigation's Efforts to Improve the Sharing of Intelligence and Other Information
Report No. 04-10
Office of the Inspector General
The FBI has established nine primary methods of disseminating intelligence and other information, either within the FBI or to the intelligence and state and local law enforcement communities. Our analysis showed that the four most informative and detailed methods were those that disseminated highly classified information: the Director’s Briefing (since replaced by the more general Director’s Daily Report), Intelligence Information Reports, intelligence assessments or estimates, and twice daily secure teleconferences. However, distribution of the intelligence products was limited to FBI components and certain federal agencies. Internally, the Director instituted the concept of Urgent Reports, which enable FBI field offices to convey information in memorandum format directly to senior FBI management. The content of the Urgent Reports was not limited to counterterrorism, and the urgency of the reports was sometimes questionable. The four methods of communicating with state and local law enforcement agencies – Intelligence Bulletins, Quarterly Terrorist Threat Assessments, NLETS messages, and Terrorist Watch List submissions to the NCIC database – disseminate information on a law enforcement sensitive basis. While much of the unclassified information provides state and local law enforcement agencies with useful background and awareness, the information typically is not actionable nor does it necessarily focus on the high risks associated with radical Islamic fundamentalist terrorism. The reality is that specific, actionable information is often unavailable to the FBI. Still, to the extent that classified information may aid the preparedness efforts of state and local jurisdictions, the FBI should continue to encourage state and local officials to apply for security clearances, and to the extent possible, provide classified information to cleared state and local officials who have a need to know.
At the time of our field work, the FBI Director received each morning a detailed Top Secret Director’s Briefing consisting of four or five sections: 1) Threat Matrix; 2) Operational Highlights; 3) Counterterrorism Update; 4) Summary of Significant Intelligence; and 5) FISA. However, in responding to a draft of this report in September 2003, FBI officials informed us that the Director’s Briefing has been replaced by a Director’s Daily Report, which eliminates all elements of the former Director’s Briefing except the Threat Matrix. As described to us, the Daily Report no longer has a sole focus on counterterrorism. FBI officials described the Daily Report as an FBI-wide summary of significant information arranged by the Director’s priorities, including criminal, cyber, and counterintelligence items.
We did not review the new Daily Reports because the FBI initiated the reports after the completion of our audit work. However, during our audit we reviewed Director’s Briefings between February 27, 2003, and March 13, 2003. The Director’s Briefing was a fluid document that varies according to the Counterterrorism Division’s need to inform the Director about sensitive intelligence, and the Director’s desire to be kept informed about FBI counterterrorism operations. As an intelligence product, the Director’s Briefing demonstrates the FBI’s ability to cull intelligence reporting and disseminate only the most important intelligence to its leadership. Because much of the information included in the Director’s Briefing is extremely sensitive – Top Secret, SCI, or “eyes only” – the information was not disseminated to the FBI’s field offices, partly because the FBI did not have the ability to electronically transmit Top Secret information either within headquarters or to its field offices. Further, most field offices do not have approved facilities to store SCI materials.
The Threat Matrix was a joint CIA-FBI product compiled by the CIA. After our audit work was completed, the Threat Matrix was compiled by the TTIC. The matrix summarizes significant reporting from the intelligence community concerning new or updated terrorist threats over the previous 24 hours. A separate threat report summarizing the most important information provided on the matrix is given to the President. The matrix includes a preliminary assessment of each intelligence item and a summary of the actions taken in response. For each item or threat, the following information is included: source, target, alleged group, type of threat, description and analysis, and action taken. Some copies of the Threat Matrix contained handwritten notes indicating referrals to FBI offices. We noted that the Threat Matrix has improved since our previous audit of the FBI’s counterterrorism program in September 2002. For example, the matrix now contains more analysis of the credibility of a given threat, its relationship to other threats, and the terrorist organization’s capability to carry out the threat.
The threats listed in the matrices we reviewed dealt almost exclusively with international terrorism. For the 16-day period we reviewed, the number of threats included in each matrix varied from 2 to 19, and averaged about 11. The entries on the matrix were derived from a number of sources and methods. As a result, some entries do not constitute threats as much as they represent significant reporting from intelligence agencies. [CLASSIFIED INFORMATION REDACTED]. Multiple reports about the same threat were combined, and all sources of information were listed.
For the period we reviewed, nearly 80 percent of the threats dealt with U.S. interests abroad. Of the U.S. interests abroad, [CLASSIFIED INFORMATION REDACTED]. Another 10 percent of the entries dealt with targets in the continental United States. Because of the small sample size, the most often targeted facilities can only be categorized as critical infrastructure, [CLASSIFIED INFORMATION REDACTED]. For the remaining 10 percent of the entries, the threat did not indicate a specific target. The threat may have been generalized, [CLASSIFIED INFORMATION REDACTED].
The Operational Highlights section was organized according to investigative subject areas – international terrorism, domestic terrorism and WMD – and chronicled major developments in the FBI’s casework. The most complete entries were divided into three subheadings: current situation, background, and investigative plan. A few entries contained only the current situation.
The international terrorism investigations portion of the Operational Highlights covered such items as [CLASSIFIED INFORMATION REDACTED].
The domestic terrorism investigations portion of the Operational Highlights covered such items as violations of the Freedom of Access to Clinic Entrances Act and the use of explosives.
Typical of the investigations discussed in the WMD portion of the Operational Highlights were threats of anthrax attacks, suspicious powder leaking from envelopes, and substances missing or stolen from a university laboratory.
The Counterterrorism Update section was not always included in the Director’s Briefing. When the section is included, it covers new issues, updates, and resolved issues. The update essentially mirrors the Operational Highlights section.
The Intelligence Summary contained significant intelligence community reporting [CLASSIFIED INFORMATION REDACTED]. The summary included a short narrative description of an intelligence item, followed by supporting documentation or analysis. The supporting documentation was typically a printout [CLASSIFIED INFORMATION REDACTED].
In general, the SCI-level Intelligence Summaries updated the Director on what the FBI knows through intelligence community reporting [CLASSIFIED INFORMATION REDACTED].
Foreign Intelligence Surveillance Act
The FISA portion of the Director’s Briefing contained an SCI-level summary regarding surveillance on terrorist suspects.
The FBI’s Terrorism Reports and Requirements Section of the Counterterrorism Division prepares IIRs to disseminate to the appropriate FBI offices, intelligence agencies, and other federal agencies. The IIRs contain specific intelligence that may be actionable or useful in analyzing terrorist activities and “connecting the dots.” We reviewed a judgmental sample of 22 Secret level IIRs issued between March 3, 2003, and March 26, 2003. The reports varied in length from 3 to 14 pages, with generally one page listing recipients and one page providing a point of contact and administrative information. The reports state the subject and characterize the credibility of the source. The reports were issued in the form of classified cables.
Although dissemination of the reports varied by content, standard recipients included the intelligence community, certain military components, the White House, and the State Department. FBI dissemination always included the Director, but varied by topic, with some reports provided to specific field offices and Legal Attachés and other reports disseminated to all field offices.
Nearly all of the sampled IIRs related to international terrorists or terrorist activities. A few reports related to [CLASSIFIED INFORMATION REDACTED]. One report seemed to have a criminal focus, but it alluded to an unsubstantiated threat to the President. The information in the reports seemed to be as detailed as possible and would provide recipients with potentially useful information for follow-up or operational action. The reports are not analyzed intelligence or necessarily validated, and this fact is made clear in the reports. The IIRs are not broad threat assessments, intelligence estimates, or finished intelligence products. Rather, the IIRs disseminate specific intelligence to parties that need to know and may need to act quickly on the information. Also, in some cases the FBI is requesting recipients to determine if they have additional information on the topic that can be provided to the FBI.
We conclude that the IIRs are a good means by which the FBI is disseminating specific intelligence. However, the distribution of the reports is necessarily limited to those with appropriate security clearances and a need to know. Consequently the information contained in the IIRs generally would not be disseminated to state and local law enforcement agencies except through a JTTF or unless modified for distribution on a law enforcement sensitive basis.
The FBI has begun to produce formal, strategic or long-range intelligence assessments in addition to the shorter and more tactical IIRs. We reviewed one major intelligence assessment, or estimate, entitled “The Terrorist Threat to the U.S. Homeland: An FBI Assessment”, which also is available in an unclassified law enforcement sensitive version, dated January 2003.33 The Secret/SCI version is a 65-page document, compared to 27 pages in the unclassified version, that provides a detailed national threat assessment and addresses the likelihood of terrorist attack as well as methods, targets, casualties, and sources. The assessment begins with a three-page “Key Judgments” section, followed by detailed analyses including risk tables (for example, a “Threat and Vulnerability Matrix”) and descriptions of terrorist groups and their intentions and capabilities. The assessment describes risks in categories of high, medium, and low. The assessment discusses WMD, but not in great detail. The FBI plans to issue a separate report on the chemical and biological agents most likely to be used in a terrorist attack.
Twice daily, FBI CTD officials confer with their counterparts in the intelligence community and with other federal agencies through the Secure Video Teleconferencing System (SVTS). Following the attacks of September 11, the FBI and the CIA started the SVTS sessions to discuss the threats of the day. Initially, the Threat Monitoring Unit represented the FBI at the SVTS, but that responsibility has now transferred to the CT Watch Unit. Participation in the SVTS varies by the nature of the threat being discussed, although from 8 to 15 agencies typically participate. Participating agencies have included: the Department of Justice, FBI, CIA, DHS, Department of Energy, DOD, NSA, Department of State, Federal Aviation Administration, Transportation Security Administration, Coast Guard, Customs Service, Secret Service, and the Postal Service. An FBI official told us that during the SVTS, the agencies discuss unusual or suspicious events that have happened during the past day and examine the events for any nexus to terrorist activity. He stated as an hypothetical example a drunk airline passenger who assaults a flight attendant. Because causing a disruption on an airplane could be a part of an attempt to take over the airplane, the incident would be discussed during the SVTS to determine whether or not there is a terrorist nexus. If the group determined that the incident was related to terrorism, the representatives would be assigned tasks for the investigation or the operational response. The status of the threat is then discussed at subsequent SVTS. In the cited example, however, the assault is not likely to be linked to terrorism, so the issue would not be discussed in subsequent SVTS unless some terrorism connection was discovered.
Although we did not observe any of the sessions, FBI officials explained that the regularly scheduled video conferences were a useful tool for sharing intelligence and other information with other agencies on a real-time basis. We concur that secure video conferencing is a useful method for direct and timely discussion and exchange of information on potential terrorist activities and resulting counterterrorism actions.
After the September 11 terrorist attacks, the Director instituted the concept of Urgent Reports, which allow field offices to provide information directly to senior FBI managers in e-mail format with a formal EC to follow. The written report is often preceded by a telephoned report to FBI headquarters. We reviewed a sample of 42 Urgent Reports issued during March 2003. The FBI received between 1 and 9 reports daily for the period we reviewed. The reports, which averaged one to two pages in length, covered a variety of topics, ranging from criminal investigations to terrorism cases. The Urgent Reports are addressed to the Director, with copies to the Deputy Director and to the FBI’s Counterterrorism Watch Unit. Additional recipients vary depending on the topic. Also, the Counterterrorism Watch Unit may distribute the Urgent Report further based on its judgment of what FBI units might need to be aware of the information.
Our analysis of the 42 sampled Urgent Reports found that relatively few were directly related to specific threats of [CLASSIFIED INFORMATION REDACTED] terrorism but instead covered a wide variety of mostly criminal matters. Also, many did not appear to be urgent matters that needed to be brought to the Director’s immediate attention. Of 11 reports with an actual or suspected international terrorism connection (26 percent of the total we reviewed), 6 reports discussed 2 al-Qaeda members, 1 reported on the sentencing of Hizballah members, 1 covered a suspected casing incident, 2 dealt with threats over the internet (including a threat to the White House), and 1 was about an incident at a water facility that was found not to be terrorism-related. Overall, the 42 Urgent Reports covered:
FBI Intelligence Bulletins are prepared by the Terrorist Watch and Warning Unit under the National Threat Center Section. The Bulletins are issued weekly to some 18,000 law enforcement agencies nationwide to provide information on selected topics from FBI counterterrorism investigations and analyses. The Unit Chief estimated that roughly one-third of the information contained in the Intelligence Bulletins was formerly classified but revised into a law enforcement sensitive version. The Bulletins, which average between one and two pages in length, do not provided threat assessments other than citing the national color-coded threat level. Threat assessments are issued quarterly in a separate document (discussed below), and any immediate threat information is conveyed through the NLETS or by direct contact with state and local law enforcement officials. Intelligence Bulletins (and other law enforcement sensitive information) are disseminated to state and local law enforcement authorities through NLETS, LEO, the Regional Information-Sharing System, and facsimile.34
We reviewed a sample of 15 weekly Intelligence Bulletins issued between December 2002 and March 2003. The Intelligence Bulletins vary in their relevance to the threat of international terrorism and in their specificity of guidance to law enforcement agencies. The Bulletins usually request that suspicious activities be reported to the local JTTF even if such activities are criminal or protest-oriented rather than radical Islamic fundamentalist terrorism. Of the 15 Bulletins we reviewed, 6 gave concrete and actionable guidance on terrorism and 3 provided general information or called for vigilance. Six Bulletins were not related to the high-risk presented by international terrorists. It should be noted that Intelligence Bulletins not related to international terrorism may still provide information desired by state and local law enforcement, such as the tactics of social protesters.
In our opinion, the Bulletins are a worthwhile attempt to provide general information and guidance to state and local law enforcement agencies. However, the Bulletins are somewhat “hit and miss” in terms of providing guidance on what specific actions to take or what terrorist characteristics to be aware of. The declassification of information for release through the Bulletins necessarily reduces the specificity of the information. Further, the Bulletins are not “alerts” that advise law enforcement agencies to take particular actions; instead the Bulletins are more an effort to inform and provide awareness should law enforcement personnel encounter a situation mentioned in a Bulletin. According to FBI officials, the FBI must limit the types of information that can be shared widely with the greater law enforcement community because such information frequently finds its way to the news media. As discussed in Finding 1 of this report, among the difficulties in sharing intelligence with state and local officials are, in addition to IT limitations, the following: 1) lack of appropriate security clearances by would-be recipients; 2) non-FBI originator control over intelligence, including the need to protect sensitive sources and methods of collection; 3) lack of a secure means of transmitting classified information; and 4) lack of approved secure storage capability. Additionally, FBI officials point out that there is seldom direct intelligence on a threat against a specific target, but that if such a threat were identified the state and local authorities would be notified immediately regardless of whether the information was classified. However, FBI officials stress that more sensitive, classified information is available to state and local law enforcement representatives who serve with FBI agents on JTTFs and have Top Secret security clearances.
Two contrasting examples of Intelligence Bulletins appear in Appendices 5 and 6: one that, in our opinion, provides useful information to state and local law enforcement agencies on international terrorism issues and one that does not.
Quarterly Terrorist Threat Assessments35
The Quarterly Terrorist Threat Assessments, prepared by the Terrorist Watch and Warning Unit under the FBI’s National Threat Center Section, are issued to law enforcement agencies nationwide. The purpose of the reports, which range in length from 19 to 28 pages including a 3-page Appendix, is stated in the September-December 2002 report: “a strategic overview of the current terrorist threat against the United States, a general description of civil disturbance threats and protester tactics, and a global antipathy report.” We reviewed five Quarterly Terrorist Threat Assessments dated September-December 2002 (two reports), March 2003 (two reports), and April 2003 (one report) to evaluate the content and the potential of the information to state and local law enforcement agencies.
The September-December 2002 report format is a series of bullets under the following headings: Terrorism Threat (including a subheading entitled WMD), Civil Disturbance (subheadings Potential Protest Practices & Tactics, Protest Organization, Improvised Body Armor and Shields, Stink Bombs and Pyrotechnics, False Identification & Impersonation, Surveillance of Law Enforcement, Targeting of Law Enforcement, Assessment Summary), Antipathy Report (subheadings Africa, Americas, Asia, Europe & Western Asia, Middle East), and Transnational Issues. An Appendix section covers scope, dissemination restrictions, and methodology.
The reports for February-March 2003, updated March 2003, and April 2003 reports are narrative in format with the following content: Strategic Overview, Terrorist Threat (subheadings for International Terrorism, Activities and Targeting, Domestic Terrorism, Activities and Targeting, Civil Disturbance, WMD, and Assessment Summary).
The Quarterly Terrorist Threat Assessments are “rolling” assessments in that much of the information is repeated from report to report with some new information added to the new quarterly report. The interim reports within a quarter are nearly identical except for any changes to the national threat level changing. Much of the information provided to state and local law enforcement agencies through the assessments could be described as general awareness, and much of the information on al-Qaeda provides a good background on the methods employed by such terrorist organizations. In some cases law enforcement is provided with information that could be actionable at the initiative of the law enforcement agency, such as looking into security at general aviation airports or perhaps asking scuba trainers or equipment providers about suspicious clients. However, the assessments do not make such direct suggestions to law enforcement agencies about specific steps that should be taken to either thwart or investigate potential terrorists or what local JTTFs might already be investigating. Further, although the reports assess the general threat, they do not provide law enforcement with an assessment of risk in terms of what scenarios may be more likely or of greater probability of occurring and what counterterrorism activities would be recommended.
The five reports we reviewed covered various topics on international terrorism (as well as domestic terrorism and protestor activities). For example, the reports discuss al-Qaeda’s operational methods and capabilities and warn of terrorists’ interest in using small aircraft for suicide attacks and developing scuba capability. The reports also state al-Qaeda’s focus on returning to previous targets that were unsuccessfully attacked, which could signal a threat to any remaining September 11 targets such as the White House.
The FBI periodically sends e-mail messages of one to three pages in length to other federal, state, and local law enforcement agencies using the NLETS. We reviewed a sample of 11 NLETS messages issued by the FBI’s CTD between September 11, 2001, and March 21, 2003, to determine the content and evaluate the usefulness of the information to state and local law enforcement agencies. The NLETS messages varied in their relevance to the threat of international terrorism and in their specificity of guidance to law enforcement agencies. The messages usually requested that suspicious activities be reported to the local JTTF, the nearest field office, or FBI headquarters. Of the 11 messages reviewed, 5 were “Be On The Lookout For” (BOLO) alerts for specific individuals. Of the five BOLO alerts, three were for individuals considered armed and dangerous who possibly presented a terrorist threat to the United States. Another BOLO message stated that although the FBI had no specific information connecting the named individuals to terrorism, they were being sought for questioning. The remaining BOLO canceled a previous alert. Of the remaining six NLETS messages, three concerned changes in the national threat advisory level between “significant risk of terrorist attacks” (yellow) and “high risk of terrorist attacks” (orange) and general information on why the threat level was changed. For example, a September 2002 message cited the establishment of al-Qaeda cells in Southeast Asia, the preparation of suicide bombers for attacks against U.S. interests, and the possibility of al-Qaeda operatives using the September 11 anniversary to launch attacks. The other three messages concerned a terrorist threat advisory following the events of September 11, 2001, an advisory to remain vigilant over the Fourth of July 2002 holiday, and an advisory concerning al-Qaeda’s interest in targeting the nation’s fuel infrastructure.
The FBI’s NLETS messages offer a method of providing immediate general information to state and local law enforcement agencies. Specifically, NLETS is used to inform the law enforcement community of terrorist threats and the general factors leading to changes in the national threat advisory level as well as naming and describing individuals sought by the FBI. Because the FBI knows of a general threat but not a specific target to cite in the messages, the advisories urge a heightened alert. Guidance regarding an increase in the color-coded national threat level is general such as the need to coordinate security efforts with other law enforcement agencies and to be prepared to execute contingency procedures such as relocating to alternative sites or dispersing the workforce. In the case of BOLO messages, the FBI instructs law enforcement agencies to either detain the individual or obtain further guidance from the FBI or the local JTTF.
According to Unit Chief, the FBI’s Terrorist Watch and Warning Unit posts the names of some 5,000 terrorists from the FBI’s Terrorist Watch List on the NCIC database, which can be accessed by state and local law enforcement personnel. The Watch List information is derived from the FBI’s Violent Gang and Terrorist Organization File. If a local law enforcement agency produces a “hit” from the NCIC check, the system provides guidance how to handle the individual: detain, arrest, or notify the FBI. Of the 5,000 names on the FBI’s Watch List, about half are international terrorist suspects. In April 2003 the GAO reported that federal agencies maintain 12 different watch lists.36 One of the watch lists cited was the FBI’s Violent Gang and Terrorist Organization File. The GAO recommended that the DHS lead an effort to consolidate and standardize the disparate watch lists. In the meantime, we believe that the FBI’s effort to post terrorists’ names on the NCIC, begun in March 2002, can help prevent local police from releasing terrorist suspects.
The FBI has taken a number of measures to more effectively share intelligence and other information on the terrorist threat. Communications within the FBI, and to and from the intelligence community in particular, have improved through Intelligence Information Bulletins and formal intelligence assessments. For top FBI management, the Director’s Briefing provided highly-classified, specific intelligence to the extent such information is available. We have not reviewed the Daily Reports that recently replaced the Director’s Briefing, but the reports appear to serve a similar purpose. Although Urgent Reports allow field offices to work around the time-consuming and unwieldy EC process, the subject of the messages varies from potential terrorist activity to much less urgent matters. Given the continuous stream of information flowing to senior FBI leadership, we believe that only the most serious and urgent matters should be brought to the immediate attention of the Director and other senior managers.
The most problematic aspect of the FBI’s efforts to improve information sharing concerns state and local law enforcement. The FBI’s weekly Intelligence Bulletins, Quarterly Terrorist Threat Assessments, and periodic NLETS messages are only partially effective in providing actionable information. Frequently the information being shared on terrorism could be described as background; often the subject of the FBI’s communications is not the high risk of radical Islamic fundamentalist terrorism but social protests or the criminal activities of environmental or animal activists. Still, the FBI is limited as to what intelligence and information it can provide state and local law enforcement agencies on terrorists and their activities, either because specific threats and targets are not known to the FBI or because lack of security clearances by state and local officials or other national security concerns prevent the sharing of more detailed information. We believe the FBI should continue to encourage state and local law enforcement officials to apply for security clearances and provide cleared officials with relevant terrorist threat information on a need-to-know basis either in writing if the recipient has approved storage containers or through periodic classified briefings.
We recommend that the Director of the FBI: