Is there room for counter-intelligence in regulation?
By Neil Quarmby, CEO Intelligence Rising
I am interested in any regulator that has a robust counter-intelligence system in place and why. Counter-intelligence is an important capability and conceptual dimension of national security and law enforcement related intelligence yet appears largely absent in regulation. This may be because regulators often do not have a concept of ‘threats’ and hence do not often perceive there being a risks of themselves being targeted. (I acknowledge criminal investigative arms may provide some exception but would argue that the counter-intelligence driver is often one of ‘case protection’ or related to the culture of the investigators themselves.) The absence of counter-intelligence concepts may also reflect the fact that few regulators are subject to the internal investigative, professional standards and vetting regimes of the security and policing services. A more important reason may be that all regulators are subject to open disclosure laws making much of what they do visible: hence counter-intelligence may appear superfluous.
A fascinating area of conceptual overlap in counter-intelligence and regulatory practice lies in the area of detection thresholds. All regulators have a detection and response threshold whether they understand it or not. Mature regulators make the threshold visible on their web-site. One of the manifestations of non-conforming behaviour in society is working out and acting on ‘what you can get away with’. Hence, a useful way for regulators to control the behaviour of professionals and businesses licensed to participate in a jurisdiction is to promote the chance of being ‘outed’ as unprofessional by the regulator’s detection/monitoring systems. In regulation often the fear of getting caught has more deterrent effect that the punishment. Resource dependent regulators may set their detection threshold high. I recall one boss who dictated that threshold was to be set in $ terms as twice what an investigation cost him in resources. In effect, the detection system then had to monitor people perpetrating fraud under the threshold until they had stolen enough money to trigger a response. Efficient model for resourcing. Poor model for public value.
There's a natural tension here. Regulators should publicise their detection threshold to create a prevention effect. However, they also need to invest in an intelligence development system (priorities and collection management) that continually tests behaviours below and beyond the threshold. Of course, understanding the detection threshold and behavioural impacts in the first place is a good start.