What does the ISC’s report mean for the security sector?

On Monday, the Home Secretary gave a speech on the terrorist threat to the UK.  In this speech, she indicated a number of capability areas that the security sector has (or could have) a role in.

On Tuesday, the Intelligence and Security Committee (ISC) published its report into the intelligence relating to the murder of Fusilier Lee Rigby in May 2013.

As a result of the ISC’s investigation, the Prime Minister announced that the government

will make an additional £130 million available over the next 2 years, including new funding to enhance our ability to monitor and disrupt these self-starting terrorists [extremists who seek encouragement or inspiration from extremists such as Al Qaeda leadership, but who then plan and conduct their own attacks without external direction].

I previously have noted that national security is the function of a partnership between the public and private sectors.  As part of this, the security industry develops and delivers capabilities which underpin the investigations undertaken by the police, security and intelligence agencies.

In developing and delivering capabilities to the police and security and intelligence agencies, it is important for the security sector to be aware both of the pressures faced by those investigating agencies and the legal context within which they work (for example, the requirements of the Regulation of Investigatory Powers Act – RIPA).  The ISC’s report provides useful insight into these areas, which the sector should take into account.

The ISC’s report also suggests areas where improvements to existing capabilities are required or new capabilities need to be developed, changes to funding models for the agencies, and changes to where capabilities might sit; this information should inform the security sector’s Research and Development (R&D) and approach to engaging with their customer base.


Subjects of Interest are increasingly ‘security conscious’ and aware.  They are better able to evade surveillance techniques and capabilities.  Capabilities need to adapt to the increasing sophistication of these Subjects of Interest.

Digital Intelligence (DIGINT)

The challenge of digital Intelligence – that is, intelligence or information acquired from digital sources – receives extensive coverage in the ISC’s report.

Investigators are required to increase ever-growing volumes of digital intelligence related to Subjects of Interest – and integrate DIGINT with non-DIGINT sources.  Despite an increase in staffing and resource for its DIGINT Team, there is a requirement for the Security Service to:

  • Complete identification tasks in quicker timescales.
  • Enhance DIGINT databases to make it easy to establish which of the many digital products related to a Subject of Interest have been viewed and assessed.
  • Automatically notify investigators when new DIGINT is received.
  • Automate its exploitation of new digital intelligence to a greater extent.

GCHQ has had to increase its staffing levels to support increasing numbers of request from the Security Service.  In the future, it is possible that the agencies could integrate their DIGINT and interception capabilities to achieve as much capacity as possible:

A further issue is whether the division between GCHQ’s work on overseas interception and MI5’s work on domestic terrorism is as clear cut as it once was. The Home Secretary told the Committee that she felt the role of GCHQ was evolving, and that the balance between GCHQ and MI5 resource and expertise in areas such as digital intelligence may change in future as a result:

[In terms of] the role of GCHQ and the relative role of GCHQ domestically and internationally… this is something that… has been changing, but I think actually there will be a point at which there is a genuine question to be asked about where that role should sit and what the balance between those two should be, and in a sense, depending on that answer, depends on the extent to which it would be necessary to retain the capability within the Security Service.

PREVENT and social media analysis

Greater priority and funding should be attached to PREVENT programmes to divert individuals from the radicalisation path.

Key to the success of PREVENT is identifying at-risk individuals at an early stage, based on suitable evidence, to intervene in non-criminalising ways.   The Security Service notes:

In order to maximise our chances of detecting [such individuals], we use a set of factors identified as being common – but not unique – to many lone actors: an inability to cope with stress and anxiety; a pre-existing history of violence; mental health issues; blaming others for (personal or group) grievances; an immediate need to act to rectify grievances; social isolation; and significant interest in extremist material encouraging lone actor attacks.

It also ‘looks at odd things on the internet’, consulting with GCHQ for this purpose.

The security sector can contribute tools such as social media analysis to assist with this.

Record/database management

Databases need to be enhanced to facilitate better record management.  For example, GCHQ has introduced a new Counter Terrorist Team Tool to track specific analytic tasks and their current status.  (There is overlap with aspects of the DIGINT requirements).

Online extremist content

The intelligence agencies undertake work to identify UK-based individuals who show an interest in extremist media or espouse extremist views.  The volume of extremist material presents a challenge in this regard, though some of the media is prioritised (such as Inspire magazine – the ISC notes that the influence of Inspire has grown considerably over time: the Security Service now places great weight on it as a contributing factor to extremism).

The government is exploring options to restrict access to unlawful terrorist-related content which is hosted overseas but which may give rise to offences under UK law.

Software solutions may assist both of these areas.

Dealing with suspects on the periphery of multiple investigations

The ISC recommended that the Security Service should re-consider how it prioritises the ‘cumulative effect’ of an individual’s ‘history’, where they have appeared on the Service’s radar in connection with numerous operations.

However, a key issue is that the number of individuals in this category is large.  The Security Services needs a ‘better way of identifying’ individuals who move repeatedly between investigations and of presenting this information.  Data and visual analytics and algorithms could be developed for this purpose.

Communications data

Communications data remains a vital resource for intelligence and police investigations.  The police and agencies are increasingly worried about the capability gap emerging in relation to communications data.

Accessing communications content

Investment in operational solutions relating to interception and data recovery will be sustained, as will work with domestic and international partners to share best practice and develop standards in the areas of interception and data recovery.

Ways of increasing the capacity of the agencies to undertake technical operations and process internet data could also be explored.

The ISC is concerned at the reduced ability of the intelligence and security agencies to access communications content – partly because of commercial encryption, and partly because much material is hosted by overseas service providers.  Subject to any legislative or diplomatic developments, there may be scope for developing tools that enable service providers to automate the monitoring of their networks for terrorist use and automatically notify agencies.


The ability forensically to recover the content of communications is important in assisting post-event analysis.

A new funding model for the Security Service?

Finally, the ISC’s report suggests a possible funding model for the Security Service, to enable it to manage both high and low priority investigations simultaneously:

MI5’s current funding model means that lower priority investigations are effectively paused or suspended whenever an IOC [Intelligence Operations Centre for high priority investigations] is opened. Consideration should be given to whether MI5 might operate a similar funding model to the MOD, whereby core funding enables routine work to continue and individual crises are funded from a separate reserve…without sacrificing other investigations.