28 September 2014

HSI: Homeland Security Intelligence...

What is the modern definition of U.S. Homeland Security Intelligence (HSI)? Many would differ on the jurisdiction, sources and nexus with specific intelligence that falls outside U.S. borders. The future of sharing relevant pieces of the vast mosaic of information may well lie with the definition and the interpretation of Homeland Security Intelligence.

One thing is certain about this topic of debate. If the information is being utilized to determine the nature of a threat within the confines of the U.S. Homeland, then that information will be treated according to the laws of the United States. This brings us to the next question. Are the current laws an impediment to more effective Homeland Security Intelligence (HSI) processes, methods and outcomes?  The following areas must be addressed in order to get closer to the truth.
  • Governance
  • Policies
  • Regulatory and Statutory Concerns
  • Civil rights and Liberties
This raises the question of the structure and purpose of the Intelligence Community (IC) itself. Is a police officer or firefighter on the ground in every major city in the country part of the IC? Are they not collectors of Homeland Security Intelligence as they fill out their manual or electronic "Suspicious Activity Reports" (SARs)? If they are part of the greater HSI mechanism, on the collection side rather than the analysis side, then they too are subject to the laws of the land regarding privacy and information governance.
Getting to the point where we spend even half of the time doing actual human analysis is a long way off. Software systems now use automated crawlers to pull more relevant OSINT into databases for unstructured query, yet what about the front-line observer who witnesses an incident? They must process it through a paper-based report filled in with a #2 pencil, or an electronic form on a PDA, checking boxes and selecting the categories that best describe the observed event for the risk managers, watch commanders and operations directors who need it for more effective decision support.
Regardless of how the collector gets the information, what matters is its relevance to data that already exists in a repository, or to a future data set whose addition suddenly raises a "Red Flag." It is not until that "Red Flag" indicator goes off that the human analyst can put grey matter on the issue and determine its relevance at that point in time, along with the implications of the law, policies and governance. This topic has been addressed in previous posts to this blog:

Some would say that the reason the "Dots are not Connected" sooner, faster or more efficiently is that we are drowning in too much information to analyze. The automation of collection is the easy part. Filtering, and pushing relevancy through the digital cheesecloth to get the most vital intelligence assets, is a bit harder to accomplish. Human analysis, applying "Grey Matter" to the problem set and understanding the current "State-of-Play," is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28 CFR Part 23, the privacy assurance regulation for criminal intelligence systems, first issued in 1980 and revised in 1993, which governs the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to ensuring our safety and security against threats from transnational eCrime syndicates, non-state actors and even the most sophisticated nation states.
The topic of Homeland Security Intelligence is really about the Information Risk Governance and Consumer Privacy laws that protect us as U.S. citizens. At the same time, these same legal statutes might be the exact balance between what law enforcement and the intelligence community need to do their jobs without infringing on the rights of "John Q. Jihadist."  Here is a great example:

A Saudi student appeared to smile Friday morning as U.S. marshals escorted him to his first federal court appearance on a terror charge.
Khalid Ali-M Aldawsari, 20, stood before U.S. Magistrate Nancy Koenig charged with attempted use of a weapon of mass destruction.
The former Texas Tech student was suspected of purchasing chemicals and supplies to build a bomb and of researching possible targets in the United States before his arrest by federal officials late Wednesday.

Aldawsari came to federal attention after trying to have a large quantity of a suspicious chemical, which has both benign and nefarious uses, shipped to a Lubbock freight address, according to a sworn affidavit by an FBI agent filed in support of the warrant for Aldawsari’s arrest.
Subsequent electronic surveillance led to two secret searches of Aldawsari’s Lubbock apartment, where authorities found a makeshift lab that could be used to make explosives, as well as some of the ingredients and supplies necessary to build and detonate a bomb, according to the affidavit.
E-mails and his personal journal indicated an interest in planning attacks, ranging from an initial desire to start a local al-Qaida-type organization to researching nightclubs as a potential target, according to the FBI investigation.
Homeland Security Intelligence collected from a U.S. domestic chemical company and a freight trucking line, together with the results of legal searches of the suspect's apartment, was used to interdict this potential plot of terrorism in the United States. The effectiveness of HSI will determine whether we continue to interdict such plots in the future. Godspeed to us all....

21 September 2014

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making can be combined into a framework for categorizing the residual thought processes of intelligence analysts, called "intelligence sense-making." This process involves the application of expertise, imagination and conversation, and the benefit of intuition, without systematic consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that lack the normal constraints.

Alternative analysis is employed when you cannot "afford getting it wrong": you challenge assumptions and identify alternative outcomes. However, it may be of little use against today's growing non-state transnational threats and the complexities of ongoing criminal enterprises, because there are so many possible outcomes, constant and perpetual changes, and contingencies that no single risk management process can be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with new applications such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free-flowing "unfinished" production, in which both human intuitions and more formal arguments are posted and then challenged by those with alternative ideas. Indeed, Web-logs are the mechanism for a facilitated contextual dialogue, the electronic equivalent of out-loud sense-making.

On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter-agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions have been prolonged, disrupting the plan?  --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.

In our modern-day era of Twitter, Facebook and "crowdsourcing" technologies, perhaps the tools are already in place. Platforms such as Ushahidi geocode the origin of information, provide ground-truth situational awareness and provide context on issues that are unbounded. How often does the published press currently use these tools to get its original leads, potential sources or new ideas for a more formal story? That story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence is still evolving in this accelerating digital ecosystem. The alternative methods and tools we will use to examine, refute or justify our thoughts remain endless. The degree to which we operate effectively within the legal rule-sets of our particular country, state or locality remains the ultimate privacy and civil liberties challenge. These governance guidelines, particularly with regard to intelligence record systems and liability issues, must remain paramount:

  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?
Finally, community-based policing has developed skills in many law enforcement first responders that directly support new counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven, and asks the citizens of the community to cooperate when called upon, to be aware of their surroundings and to report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?
Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrate on data that confirms, rather than discredits, existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime. Alternative analysis should remain part of the intelligence tool kit for more formal policy-level work. Imagine the use of intelligence-led methodologies such as "intelligence sense-making," combined with secure Web 3.0 collaborative applications, at the fingertips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

14 September 2014

Rule-based Design: The Future of HSI...

Levers in the Homeland Security Intelligence (HSI) ecosystem affect the performance and the health of the environment in which the entities share their respective insights. These HSI entities are people within the analytic ecosystem, diverse in the art and science they use to create and share insight.

The threat to any ecosystem is in many cases "too much" or "too little" of a key element of the environment that makes it thrive. Anything that offsets the equilibrium of the ecosystem can have dramatic effects. What is the greatest killer of human beings on planet Earth over the past few decades? A good guess would be "Drought." Too much sun and too little water have killed millions.

Yet in the context of intelligence, if data is "The Sun" and shared insight is "The Water" then in order to mitigate the impacts of upsetting the equilibrium of our HSI ecosystem a prudent course of action is required. The levers should assist in the governance of the right amount of data and the right amount of shared insights so no one entity is at risk. Now we must examine the topic of "Rule-based Design."

The argument at hand is often that Homeland Security Intelligence analysts experience too much data and not enough insight. They are indeed at the mercy of the compliance and data governance mechanisms that are in place because of the civil liberties, legal frameworks and privacy statutes across the 50 U.S. states. Adding to the complexity are the systems and analytic software solutions developed over the past ten-plus years. Software designers must incorporate "Rule-based Design" if they are to assist in the overall equilibrium of the HSI ecosystem. Jeffrey Ritter explains:
Clearly, for the IT architect, there are lessons to be learned. For each step taken by the IT architect to better account for all of the rules that a solution must navigate, before the design process begins and long before construction of the solution is underway, the IT architect is able to better assure the timely completion of the solution, and the compliance of the systems and resulting data with applicable rules. Yet, even in this second decade of the 21st century, we are witnessing a continued failure of IT systems to be designed for compliance. Time and again, systems are designed, built and implemented without early and complete evaluation of the rules that must be satisfied. The result is that corporations (and their lawyers) are often patching compliance onto the systems after the fact. Expenses are increased, compliance is less assured, and the IT architect often gets stuck with the responsibility.
“Rules–based design” means that IT solutions are designed with a fully-informed awareness of all of the rules, including the legal rules, that the solution and the data must satisfy. With cloud computing, data that is dynamic and volatile, and mobile users, the challenge is genuine – how do we anticipate all of the legal rules that may apply?
The solution will emerge incrementally. But the first step is to accept the principle that IT systems, and their data, can be designed differently. We can take into account prior to the design process, and not after the completion of construction, all of the rules that the systems and the data must successfully navigate.
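Ritter's principle above, and the retention question from the 21 September post ("Does the retention process adhere to the guidelines of 28 CFR Part 23?"), can be made concrete in the ingest path of an intelligence records system. The following is an added example, not code from this blog, from Ritter, or from any DHS or fusion center system; the record layout, the approved source-type list, the names in the sample data, and the choice to withhold overdue records until revalidated are assumptions made for illustration. What it encodes from 28 CFR 23.20 is the reasonable-suspicion predicate (23.20(a)), the bar on recording political, religious or social views and associations that have no criminal nexus (23.20(b)), and the review-and-validate cycle that may not exceed five years and must record the reviewer's name, date and reason (23.20(h)). The point is that these rules are checked before a record is stored, not patched on afterwards.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# 28 CFR 23.20(h): retained information must be reviewed and validated before
# its retention period expires, which may not exceed five years.
MAX_RETENTION = timedelta(days=5 * 365)

# Assumption: the source document types the custodian has approved for entry
# (question 3 from the 21 September list). Anything else is refused at the door.
ALLOWED_SOURCE_TYPES = {
    "suspicious_activity_report", "court_record", "informant_report", "open_source",
}


class RuleViolation(Exception):
    """Raised when a submission would put the system out of compliance."""


@dataclass
class Entry:
    subject: str                # person or group the information is about
    submitter: str              # who entered it (question 1)
    source_type: str            # what kind of source document (question 3)
    criminal_predicate: str     # articulable basis for reasonable suspicion, 23.20(a)
    entered: date
    # True when the only content is the subject's political, religious or social
    # views/associations with no link to criminal conduct, 23.20(b)
    views_only: bool = False


@dataclass
class Review:
    reviewer: str
    on: date
    decision: str               # "retain" or "purge"
    reason: str                 # 23.20(h): name, date and explanation are kept


@dataclass
class Record:
    entry: Entry
    reviews: List[Review] = field(default_factory=list)

    def next_review_due(self) -> date:
        # The clock restarts at each validation; before any review it runs from entry.
        last = self.reviews[-1].on if self.reviews else self.entry.entered
        return last + MAX_RETENTION


class IntelligenceRecordsSystem:
    def __init__(self, custodian: str):
        self.custodian = custodian          # accountable for the rules (question 2)
        self._records: Dict[int, Record] = {}
        self._next_id = 1

    def validate(self, entry: Entry) -> None:
        if entry.source_type not in ALLOWED_SOURCE_TYPES:
            raise RuleViolation(f"source type {entry.source_type!r} not approved by {self.custodian}")
        if not entry.submitter.strip():
            raise RuleViolation("submitter must be identified")
        if not entry.criminal_predicate.strip():
            raise RuleViolation("23.20(a): no reasonable-suspicion predicate stated")
        if entry.views_only:
            raise RuleViolation("23.20(b): views/associations with no criminal nexus")

    def submit(self, entry: Entry) -> int:
        self.validate(entry)                # rules run before storage, never after
        rid = self._next_id
        self._next_id += 1
        self._records[rid] = Record(entry)
        return rid

    def overdue(self, today: date) -> List[int]:
        return sorted(rid for rid, rec in self._records.items() if rec.next_review_due() <= today)

    def review(self, rid: int, reviewer: str, today: date, retain: bool, reason: str) -> None:
        rec = self._records[rid]
        rec.reviews.append(Review(reviewer, today, "retain" if retain else "purge", reason))
        if not retain:
            del self._records[rid]          # purge leaves no record behind

    def get(self, rid: int, today: date) -> Optional[Record]:
        # Design choice (assumption, not a Part 23 text requirement): a record whose
        # review is overdue is withheld from users until the custodian revalidates it.
        rec = self._records.get(rid)
        if rec is None or rec.next_review_due() <= today:
            return None
        return rec

    def count(self) -> int:
        return len(self._records)


def rejects(system: IntelligenceRecordsSystem, entry: Entry) -> Optional[str]:
    """Return the rule violation message for an entry, or None if it is accepted."""
    try:
        system.validate(entry)
    except RuleViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample data; names and dates are hypothetical.
    system = IntelligenceRecordsSystem(custodian="Lt. Custodian")
    rid = system.submit(Entry("Subject A", "Officer 12", "suspicious_activity_report",
                              "ordered a controlled chemical precursor in bulk", date(2009, 3, 1)))
    print("overdue on 2014-09-14:", system.overdue(date(2014, 9, 14)))
    system.review(rid, "Sgt. Reviewer", date(2014, 9, 14), True, "investigation still open")
    print("overdue after review:", system.overdue(date(2014, 9, 14)))
    print("rejected:", rejects(system, Entry("Subject B", "Officer 12", "rumor", "", date(2014, 9, 1))))
```

Because validation is a method the custodian owns, the four governance questions from the earlier list (who entered it, who is the custodian, what source types are allowed, and whether retention follows 28 CFR Part 23) each map to one field or one check, and a change in policy is a change to that one place rather than a retrofit across the system.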
Now we must examine the "Civil Liberties and Privacy Policy" and the applicability within the Department of Homeland Security.
The Policy applies to “protected information,” which the ISE defines as information about U.S. citizens and legal permanent residents that is subject to information privacy, civil rights, and civil liberties protections required under the U.S. Constitution and Federal laws of the United States. DHS has instituted a policy whereby any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system is treated as a system of records subject to the administrative protections of the Privacy Act regardless of whether the information pertains to a U.S. citizen, legal permanent resident, visitor, or alien. As a result, this Policy also applies to information about nonresident aliens contained in “mixed systems.”
When you combine the complexity of a vast and endless data ecosystem with rule-based design aimed at protecting the civil liberties and privacy of U.S. citizens, you have the basis for a significant challenge and a simultaneous opportunity. The governance of Homeland Security Intelligence is in the hands of policy makers and software systems designers. The drought metaphor used earlier to illustrate "too much data" and "too little insight" can now be clarified in our post-9/11 focus. As of this writing, the system is working and has prevented another terrorist attack in the U.S. homeland on the magnitude of that unforgettable Tuesday in September 2001.

The entities within our Homeland Security Intelligence ecosystem will continue to be enabled or impeded by the policy decisions embodied in civil liberties and privacy laws. The degree to which the software systems and their rule-based design are commensurate with these policies may very well determine whether the equilibrium continues its success in the United States.

The levers to improve our HSI in the midst of a dynamic and asymmetric enemy are a constant ambition. Looking into the future, we can only pray our analytic entities execute in an ecosystem that perpetuates our successes so far and minimizes our failures. The governance factors designed by our policy makers and software developers will determine our abilities to save lives and protect our vital national assets for years to come.

11 September 2014

9/11 2014: Never Forget This Anniversary...

On this anniversary of the four terrorist attacks on the United States on September 11, 2001, we pause and remember.  We reflect on where we were at 8:46, 9:03, 9:37 and 10:03 AM on that horrific morning, as two planes crashed into the World Trade Center towers in New York City, followed by the Pentagon outside Washington, DC and a field in Stonycreek Township near Shanksville, Pennsylvania.

The fight against the Islamic State continues 13 years later in an arena of global asymmetric warfare.  This includes YouTube videos, Twitter, Special Operators from USSOCOM and other "Quiet Professionals" on the Internet or in the shadows of Istanbul and Cairo, whom you will never read about.

When any moral person watches a replay of the video news reporting from 9/11, the emotions are evident.  Telling the story to those who were not yet born or are too young to remember is imperative, no different from the importance of telling of other historic events of evil during two World Wars, Vietnam or the continued wars across Iraq, Afghanistan and the Middle East.

Over the past 13 years our lives have been forever impacted in the midst of conflict over religion, real estate and resources.  This is nothing new from a historical perspective until you add the technology components.  The Internet and mobile phone technologies have brought the reporting, intelligence and dissemination of real-time information to us in seconds or minutes.  No longer days or hours.

On this 9/11 anniversary, we can only pray that our humanity endures the kinetic evil and the light speed of digital information that will continue to evolve in the decades and milliseconds ahead of us...

07 September 2014

Cyber Insurance: The Future of Enterprise Risk Management...

There has been great debate over the years on the topic of cyber security insurance to complement a comprehensive Operational Risk Management (ORM) strategy.  Does the existence of a robust Enterprise Risk Management (ERM) program that includes substantial components of Operational Risk benefit the organization in the eyes of the insurer?

Could the cyber insurance industry be heading towards a future model for making the case for "Enterprise Risk Management" in the cyber risk space?  As a parallel example, the banking industry requires homeowners insurance before loans are approved.  This is because there are a hundred-plus years of history on fire as a threat, and the actuaries know the odds of a loss event, especially given new building materials and the rules on sprinkler systems in certain areas.

We are getting close to the point where data analytics and the history of cyber attack information will be used to assist insurers in writing a "Cyber Risk policy" based upon your industry sector and geographic location. The data being analyzed now on the banking sector and energy sector is vast and these are just two critical infrastructure sectors that have a long history of being attacked by criminal network bots and also nation states, on an hourly basis.

The U.S. Department of Homeland Security (DHS) has been looking into the multi-factors surrounding Enterprise Risk Management in the context of cyber insurance for the past few years:
Based on what it had learned, NPPD hosted an insurance industry working session in April 2014 to assess three areas where it appeared progress could lead to a more robust first-party market: the creation of an anonymized cyber incident data repository; enhanced cyber incident consequence analytics; and enterprise risk management evangelization.
The evangelization of ERM is vital not only for those Global 500 organizations but also for the INC. 500.  The companies that are the supply chain to the enterprise are even more at risk of attack since they provide an on-ramp for modern malware to seek new vulnerabilities.  These supply chain companies will soon be asked about their Enterprise Risk Management (ERM) program strategies and for good reason.

In order for the Global 500 to continue to have confidence in a robust ERM strategy, they must have ways to validate their own supply chain organizations' maturity in the cyber risk management domain. So what did the participants in the DHS NPPD cyber insurance roundtable in 2014 recommend as elements of a successful ERM program?
Engagement of senior leadership. A reinsurer commented that effective ERM programs must be implemented at the senior leadership level. Specifically, he advised that they should reflect a corporate culture that features cyber-related ERM discussions at all board meetings and that subjects itself to regular oversight – including through periodic internal risk audits and audits by outside, independent organizations.
Engagement of general counsels. A broker described general counsels and chief compliance officers as key players in successful ERM programs and stated that her company’s risk assessment workshops for corporate leaders are always more successful when these leaders are involved.
Engagement of CISOs. An underwriter added that it is similarly valuable to include a company’s CISO in the ERM process – particularly a CISO who understands the role that insurance can play as part of a comprehensive risk management strategy.
Establishing direct lines of communication. A third underwriter asserted that when it comes to cyber security specifically, a company should establish a direct line for ERM reporting to its board of directors rather than a hierarchical chain that requires many approvals before funds can be spent on someone (e.g., outside cyber forensics support) or something (e.g., a new technology) to address a cyber risk or incident.
So what does all this mean, if my INC. 500 company is part of the supply chain of a Global 500 organization?

It means that your ERM program will be under the magnifying glass if not now, very soon.  If you are considered to be a vital supplier to the Global 500 enterprise, then you most likely are cyber-connected for data exchange or even more.  The digital systems level decisions and the speed of business require that you have cyber data handshakes every few minutes or seconds.  The ability for your product or service to perform, requires this high degree of "Trust Decisions."

The time has come for Cyber Risk insurance to mature and to become another standard component in the Operational Risk Management (ORM) portfolio.  We look forward to seeing the language of the policies themselves as they evolve.  Will attribution of the origin of the cyber attack be a factor in a first-party coverage claim?  We think you can count on it...