22 January 2010

Intelligence-led Investigations: DecisionAdvantage...

Operational Risk incidents are surrounding us on a global basis: the continuity of operations in the rescue and relief efforts in Haiti; the security of information and Internet politics with Google and 30+ other companies; a growing AQAP threat after Ft. Hood and NW 253 while Islam converts flock from US prisons to Yemen to drink the "Shariah" Kool-Aid; and the economic integrity of global banking with new rule-sets and oversight on how banks are structured in order to mitigate systemic risk.

All of these Operational Risk Management (ORM) challenges require the same intelligence-led investigations to establish the ground truth and then to enable a "DecisionAdvantage."

"Whoever wishes to foresee the future must consult the past; for human events ever resemble those of preceding times. This arises from the fact that they are produced by men who ever have been, and ever shall be, animated by the same passions, and thus they necessarily have the same results." --Machiavelli

When does information that is collected become a violation of a person's privacy or legal rights? At the point it is collected from a source, or at the point in time when it is analyzed by a human?

Intelligence-led investigations include the use of automated Internet Bots to troll the Internet and Open Source content (OSINT) for the collectors to find what they are looking for. This begins with a hypothesis and then the development of an algorithm to carry out the automated mechanism for collection.

These Intelligence-led investigations also include the use of new forensically sound methods and proven procedures for collection of digital data from a myriad of technology platforms including laptops, PDAs and cell phones. These methods have been proven and certified in the forensic sciences for decades and follow many of the legally bound and court-tested rules associated with evidence collection, preservation and presentation. Digital Forensic tools and 21st century capabilities enable global enterprises, law enforcement and governments to not only discover what they are looking for but to use this in a court of law to find the truth.

The monitoring and collection of information associated with people intersects at various points with the context, relevance and legality of storing it, analyzing it and deciding when to destroy it. The ability to do this effectively inside the walls of the global enterprise corporate headquarters, the Regional Fusion Center or the National Counterterrorism Center (NCTC) is at stake.

DecisionAdvantage is a term that promotes the connotation of competition, safety or defeating an adversary, but only one will apply as you begin to understand the environment and the circumstances under which information is being utilized for one or the other. If you are making decisions on the safest and most ideal drop points for water, food and medical triage supplies in Haiti, decisions are being made with information collected from satellites, humans, and the national geological scientists at CalTech. It isn't until you take all of these elements into context and establish relevancy with human brainpower that you can make an informed decision to give you an advantage of improved safety and security to achieve your goal.

Investigators or analysts who are leveraging the use of software, hardware and telecommunications infrastructure to more efficiently arrive at answers to the hard hypotheses or questions being asked must improve their training, education and awareness of the associated human factors. Predicting human behavior is difficult if not impossible. What is more realistic is the utilization of automated systems to assist the human in trying to achieve a DecisionAdvantage. Proving the ground truth is a challenge in a court of law and in front of a jury, and so too when it comes to declaring a cyber attack from another nation state. According to Jeffrey Carr and his Grey Goose Project, here is why:

When sensitive or classified data faces cyber attack, why can’t governments – or organisations – identify the culprits with any conclusivity?

A state cannot respond to concerted assaults by hackers with anything more potent than a diplomatic protest – which will be met with a firm denial by the accused government or body. There isn’t even agreement on what constitutes “cyber warfare”. As an expert in cyber warfare intelligence, I have researched the legal complexities and multiple strains of conflict, with the aim of trying to identify which acts qualify as cyber war.

What is undeniable is that politically-motivated attacks are becoming more frequent and sustained. Amazingly, none of the assaults on security shown (right), all of which have occurred in the last 18 months, qualify as an act of “cyber war”. The only issue that has been defined by international agreement is a nation’s right to self-defence when attacked, which, for the moment at least, applies only to the traditional manner of attack, ie, “armed” attack. From some adversaries’ point of view, this makes the internet an ideal battleground.

The eight events described opposite have all been characterized by various media sources as acts of cyber war. But definitive “attribution” – the smoking gun – was rarely achieved. The problem is that the internet was not built to be a secure platform. Its architecture inherently supports anonymity. As a result, a purely technical analysis of cyber attacks has almost never been successful at producing definitive proof, the cyber equivalent of DNA evidence.

For 18 months I and my colleagues in the Grey Goose Project have investigated Russian cyber attacks on Georgia in 2008, and we believe governments must adopt a new method of determining attribution, taking into account the policy of a state, regional events and intelligence. In addition, we apply the tried and trusted criminal investigation test of means, motive, and opportunity. I hope the attack on Google and its inevitable departure from China’s internet will trigger a broader awakening about the need to define what we call cyber warfare.


"History, by appraising...[the students] of the past, will enable them to judge of the future." --Thomas Jefferson