Thursday, August 11, 2022

Need to Know and Action-On

 

I don't think anybody could disagree with the notion that secret intelligence should only be available to those who need to know. The devil is in the detail:

The strict application of the "need to know" principle from early 1940 onwards was designed to protect the Enigma secret. 'C' was obsessive about the need to protect the fact that the machine the Germans trusted so much that it became their work-horse for encryption had been broken. (In the last LSIB meeting he attended on 1 July 1952 he said that 'he was convinced that it was only by the most rigid imposition of security that we had won the last war' (Liddell's diaries KV 4/474)).

"Need to know" was imposed inside Bletchley Park as well as outside. Henry Hayward, the Senior Security Officer, used to lecture new entrants and impress upon them that 'Secrets which you do not need to know are an unnecessary burden and someone else's secret is never quite so secret as one's own' (de Grey HW 43/78). Staff were discouraged from discussing the work of their section with colleagues from other sections.

In fact, this did not suit the way a Sigint organisation needs to work. It led people to believe that because intelligence derived from cryptanalysis needed a greater level of protection than other intelligence, decrypted material was more important, more valuable, than the rest. The reductio ad absurdum of this position came when the section dealing with German experimental weapons could not get cover of the Luftwaffe nets which produced the intelligence on the development of V-1s and V-2s because it came from plaintext messages and operator chat (HW 43/82 Section K). It also inhibited the sharing of information between huts (except at the most senior level) even though Enigma usage was common across all elements of German forces. Although the area is under-researched, I think it likely that over-rigorous application of "need-to-know" at least contributed to the long delay between it being clear from decrypted material that the Germans were reading the codes in use in the North Atlantic and their being secured.

By the end of the war, the CMY section controlled all UK collection resources in the European theatre, and allocated tasking through a process in which all involved were aware of what needed to be collected, and why, and to what extent. Not every message on every network needed to be collected and decrypted in full every day. For example, a reserve formation might only need to be monitored at its morning call-up once a week to confirm that there was no change in the list of subscribers or their location, freeing up receiver time for other tasks. The relative importance of the different services, or of diplomatic traffic sent by wireless, could be rebalanced on a daily basis as requirements changed. But this only worked because there was a reconsideration of "need to know": in fact its replacement. By sharing the maximum amount of relevant information CMY was able to optimise the use of allied resources and produce more wanted intelligence for customers. London ministries stated their requirements and people who understood the technicalities of Sigint collection and processing answered them.

The compartmentation which "need to know" had led to within GC&CS was replaced in post-war GCHQ by a system which used vetting as a starting point for creating an organisation with far fewer compartments than had operated at Bletchley Park. Access to Sigint reporting might still be rigorously compartmented outside, but within the organisation there would be no artificial barriers to knowledge sharing.

This doesn't mean, of course, that everybody within GCHQ had access to everything: a member of staff couldn't simply walk into another office and demand to read their reports; furthermore, a process developed which gave extra protection to particularly sensitive lines of traffic; but it meant that a realistic attitude was taken to sharing information.

However, Sigint organisations' need to protect their secrets does not translate simply into the way other parts of the national security community like to handle and process information, and much less how to use it.

A principle created in 1941 when Sigint was first being sent to N Africa applies to this day (though it is perhaps more metaphorical than literal today). In it, no recipient of a Sigint report is an action addressee; rather, all are information addressees. You see a shadow of the old signal form every time you receive an email: who it's from, to whom it is addressed, and to whom it is copied. These map onto the From, To, and Info addresses on a signal form. If you were sent a copy of a signal for information, it meant precisely that: you were not authorised to act on that information. The information (the intelligence in the case of Sigint reports) 'belongs' to the originator – the 'From' addressee – and if you are an 'Info' addressee you cannot do anything with the content of the signal without the authority of the originator, the owner.

This concept of ownership is important: 'someone else's secret is never quite so secret as one's own'; but ownership means that the originator can prevent the information being used in a way that might compromise the source of the intelligence or the method used to derive it; it also means that the originator can mandate the standards for storing and sharing the intelligence. This meant that from the 1940s onwards Sigint reports could only normally be read within special facilities (though senior people might have the reports taken to them) by people cleared according to standards agreed to by GCHQ.  

Yet however good the intelligence, it is ultimately valueless if it can't be used. This meant creating a process (Action-On) in which the originator of the intelligence created a plausible alternative source for the information. The classic example of Action-On comes from North Africa during the Second World War: suppose that GHQ learned from a decrypted Enigma message that a convoy carrying supplies for Rommel's Afrika Korps was leaving Sicily for Tunis. Obviously the UK wanted to destroy or disrupt the convoy, but simply to attack it would flag up to the Italians and Germans that (at least potentially) the UK had had prior knowledge of the convoy's departure. How could an attack be launched without tipping the enemy off? The best answer was to launch a reconnaissance aircraft on a route which would allow it to spot the resupply convoy and be spotted by it, then allow a sufficient amount of time for the reconnaissance aircraft to radio the information back and for an attack to be mounted by allied forces notionally about other business. This meant that some convoys would get through (and some reconnaissance aircraft would get shot up) but these were prices it was thought worth paying.

One of the hardest disciplines to impose was that of only granting access to secret intelligence according to need, and not according to seniority. It was Churchill who, with 'C', removed names from the original list he was given of those with access to Enigma reporting. At the other end of the production line, restricting access to Y Stations to those with a legitimate reason for entry, rather than simply because the station fell under the responsibility of a Command, cut across a fundamental piece of military doctrine: how could a Commander be responsible for a unit on his establishment if he had no access to it? The issue was managed, but not simply.

The Second World War saw the first attempt to manage large volumes of secret intelligence produced by large numbers of people who entered the secret world with little or no background in secrecy. "Need-to-know" was probably the best principle to apply at first: preserving the secret of Enigma was probably one of the most important tasks facing Government in the first half of 1940; but while restricting the circle of knowledge helped protect the secret, it was at a cost of efficient and effective intelligence production for most of the Second World War.
