4 November 2022

Intelligence Community Help Wanted: Open Source Ninjas

KRISTIN WOOD, CYNTHIA SADDY

OPINION – For those who have been privileged enough to read, write for, or brief the Intelligence Community’s President’s Daily Brief (PDB), the following quote looks like the topic paragraph of one of the 4-5 articles that would run “in the book,” and one that likely would garner a significant amount of senior policymaker feedback.

“A joint investigation…has discovered voluminous telecom and travel data that implicates Russia’s Federal Security Service (FSB) in the poisoning of the prominent Russian opposition politician Alexey Navalny. Moreover, the August 2020 poisoning… appears to have happened after years of surveillance, which began…after Navalny first announced his intention to run for president of Russia. …FSB operatives from a clandestine unit specialized in working with poisonous substances shadowed Navalny during his trips across Russia, traveling alongside him on more than 30 overlapping flights to the same destinations.”

But this isn’t from the PDB. This insight is available to all and written by Bellingcat, the open-source investigations non-profit, together with The Insider in cooperation with Der Spiegel and CNN. The analytic bottom line: telecom and travel data implicate the FSB in the August 2020 poisoning of Alexey Navalny. Confidence levels? High. And why wouldn’t it be? It’s based on data, commercial data.

As few as 10 years ago, this kind of information was only available to national security experts working in a secure classified information facility (SCIF). It is now available on YouTube, Twitter, and across the internet due to the global digital interconnectivity of devices and the data this interconnectivity produces. This “new open source” (which I’m calling NOS, not a universally accepted acronym, just one offered here to distinguish it from the long-held view that “open source” is just media and social media) includes data from media, the internet, signals, sensors of all kinds, and more. It more closely mirrors the USG’s complex suite of “national technical means (NTM)” systems than it does the Intelligence Community’s (IC’s) classic open-source work focused on traditional media and social media.

NOS has birthed the relatively new field of open-source investigation, which uses this data, publicly available analytic tools, and collaborative teams of citizen analysts or “ninjas” to analyze world events. Open-source investigation is a blend of intelligence analysis, journalism, and criminal investigation, and it closely resembles the work and skills of numerous job categories in the national security community. Eliot Higgins, founder of Bellingcat, characterizes his organization as “an intelligence agency for the people” and notes that “guarding society and upholding truth are not the exclusive domain of institutions anymore.” He is not wrong.

The analytic work that Bellingcat and other open-source investigators are doing can be remarkable. They have created a global open-source community that exploits NOS by developing new tradecraft, creating tools to understand data, and by being rigorous about source quality, often in ways that any expert would recognize as rigorous. They then also transparently share their sourced analysis to allow those who read it to test the work for themselves. This is not to say that all open-source investigators are doing equally good work but to acknowledge two points: 1) that there is much tradecraft here from which the IC can learn and 2) because the source of the assessment is commercial data, the analysis can be replicated by and shared with anyone.

Bellingcat alone has broken open cases that would have previously been considered only in the realm of national security experts, writing reports such as:

And it’s not just in the media that great work is happening. It’s available in academia, think tanks, and throughout the private sector, with NOS allowing companies’ geopolitical intelligence, security, and financial units to offer their leaderships remarkable insights in time to shape decision-making. There are dozens of examples of this, but in just one, a major multi-national firm was able to accurately predict the Russian invasion of Ukraine to the day, enabling their Ukraine and Russia operators to prepare and evacuate before it happened.

The NOS world, as many in the IC already know, poses profound challenges to how the IC operates and understands the world. As countless open-source investigations have shown, we cannot hope to keep even our most sensitive operations secret forever. We can only hope that they have served their purposes by the time they are discovered.

The real way to “win” here is to secure a decision advantage by learning from this open world faster than our adversaries do. And if speed to insight is the coin of the realm, how do we expand our understanding of the NOS world?

There are several important questions to address, among them:

Despite its ubiquity “on the outside,” the IC only uses a small slice of the NOS data that is now available. But truly all-source analysis in 2022 must include the right NOS information. How much of this world will the IC hold itself responsible for, and how much will it outsource to others?

The IC can do almost anything, but when NOS data is growing by the zettabyte (i.e., a billion terabytes), yet needs to come in through communications pipes that are necessarily narrower and be analyzed at the speed of mission by a limited team of officers, how does that happen?

A further challenge is that the open-source world currently is analyzed by intelligence officers who live nearly exclusively in a classified world. Most are also buried under the demands of taskings and vast amounts of classified data. Does that need to change? Does open-source work have to be done only in classified environments? Do all open-source officers need to be cleared? If both remain as is, how do we ensure that our adversaries do not get to insight first?

One choice that does seem straightforward would be to empower the DNI’s Open Source Enterprise (OSE) with the mission and resources to transform. As the IC’s functional manager for open source, OSE could be the central hub for developing and offering NOS training to the community, with officers’ “home” agencies or units providing additional training related to their own specific mission. OSE could offer a major injection of data acumen throughout the IC enterprise by harnessing a consortium of those elsewhere in the COS ecosystem – media, academia, and industry – to help create high-quality training for that larger “army” of open-source ninjas. It could become the place that experiments with the most up-to-date commercial open-source tools and make available the NOS insights created by others in the IC and elsewhere. Deepening partnerships with the Defense Intelligence Agency (DIA) and National Geospatial-Intelligence Agency (NGA) in particular can help make progress happen faster.

Why does all this matter? It matters because the NOS world is where we and our adversaries live and work. Among other things, it is where disinformation/misinformation campaigns proliferate to do their evil work, where cyber and ransomware attacks often land, and from where IP is often stolen. In short, it is where we are experiencing and will continue to experience competition and future conflict.

We cannot take full advantage of the opportunities NOS poses — or see and mitigate against our vulnerabilities — without fully understanding how and where we and our adversaries are exposed. US national security can no longer be protected solely with information derived from our traditional NTM suite; we are at greater risk as a nation until we further institutionalize and proliferate NOS expertise. The IC’s existing open-source experts need back-up and more access to data, tools and training.
