Connecting the Dots: Lessons for Intelligence Fusion
How to fuse intelligence to better identify and mitigate threats
By Grant Woodward, SAS Canada Public Safety and Defence Specialist, CPA, CA, CFE
In the age of big data, it is generally accepted that when analyzing an issue, more data yields better insight and more accurate analyses, and ultimately drives better decisions. This is true whether developing a marketing plan, reducing fraud or detecting, deterring and investigating criminal and national security threats.
While this idea is not new, it was given a prominent boost in national security circles in the wake of the US 9/11 Commission report, which set the stage for the establishment of the position of Director of National Intelligence (DNI), the National Counterterrorism Center (NCTC), and over 70 data fusion centres located in major cities and most states, with the aim of closing gaps in intelligence-sharing among local, state, and federal agencies. In Canada, the Integrated Terrorism Assessment Centre (ITAC) was created, as were similar Five Eyes agencies: Australia's National Threat Assessment Centre, New Zealand's Combined Threat Assessment Group, and the UK's Joint Terrorism Analysis Centre.
The term “fusion centre” is usually applied to a separate entity, like those listed above, that accesses, integrates and analyses data from its member organizations’ systems and then disseminates intelligence products to the members and government departments. However, the concept is perfectly transferable to single agencies that operate in multiple jurisdictions and/or have a collection of disparate systems that need to be accessed by analysts and investigators. This type of internal fusion may actually be more relevant and important in Canada, where we have fewer law enforcement and intelligence agencies than in the United States and where the RCMP in particular covers federal, provincial and municipal mandates.
Success stories illustrating the value of data fusion for intelligence and enforcement occur within many agencies on a daily basis, but many are largely classified and unreported, or are not detailed in the news as arrests are made. The detailed public analyses of investigations more often happen after a successful attack, and it is at these times that the value of fusion is evident and invoked with the ubiquitous “connect the dots” metaphor.
An example is the publicized failure to intercept Boston marathon bomber Tamerlan Tsarnaev upon return to the US after his 2012 visit to Chechnya, even though his name had been added to a terrorist watch-list in 2011. Because the name had been misspelled, he was not intercepted, and there was then also no possibility of attention being brought to his subsequent activities, such as creating a YouTube channel with links to videos categorized as "Terrorists" and links to other jihadi videos.
Do we have any indication of how to successfully apply the data fusion concept to law enforcement and intelligence information? Results of attempts to accomplish the data fusion goal within Canadian agencies are not public information, but evaluations of the US state fusion centres have been made publicly available. The United States Senate Permanent Subcommittee on Investigations issued a 2012 report on the operations of the Department of Homeland Security (DHS) funded state fusion centres. DHS itself also conducted a study.
While there is disagreement between the Senate Committee and DHS about the effectiveness of the fusion centre operations, there is no question raised as to the principle of fusing intelligence to better identify and mitigate threats. As a result, these reports are informative and point to what could be considered critical success factors for managing the application of the data fusion concept in an operational environment.
These success factors include:
The principle of data fusion is to bring as much relevant data as is available and accessible into a single point of access. Data sources include internal databases, partner agency databases, 911 calls, licence plate readers, surveillance video etc. Also, open source information has become increasingly critical and important to access along with classified data holdings, as I explained in a previous article here.
With the introduction of unstructured open source data, photos, video and greater volumes within classified police and intelligence systems, a robust technology platform is essential. The platform must be highly usable by investigators and analysts, and must increasingly meet the need for real-time data availability, analytically driven insights, secure access and auditability. An example of a simple analytically driven capability is fuzzy matching on name searches that would have allowed for questioning or possible arrest of Tamerlan Tsarnaev before the Boston marathon attack.
Data and technology are the tools that human analysts and investigators employ. The human element is always the most important component of success. Qualified, well trained and managed staff with appropriate fact checking are critical. Staffing and training plans are required to build and maintain this essential asset over time.
In any endeavor, one is unlikely to hit a target that isn’t defined. The data sources, analytical techniques, procedures for sharing information, identified clients and meaningful metrics for results are all critical.
Definition of these elements reduces mission creep and avoids a focus on process. As clients develop and demonstrate reliance on the intelligence products and give meaningful feedback about quality, positive synergy serves to further increase performance.
Timeliness of output is critical. Intelligence received too late to be actionable is useless. Duplication of the work of other agencies or operational units also creates confusion and harms working relationships within the intelligence and law enforcement community.
Intelligence products must respect privacy and individual rights. This may seem like an obvious statement but with the increased prevalence of open source and social media data and analytics and the uncertain legal framework about its appropriate use, careful consideration and policy is required to guide the design and operations of the fusion environment.
Oversight and Accountability
For the value of an independent fusion centre or a single-agency internal fusion capability to establish itself and avoid criticisms of mismanagement or lack of accountability, it must fall under a regime of oversight. What exactly that regime looks like can vary by jurisdiction but the basic building blocks of that oversight will include policy, administration and expenditure as key elements.
Data fusion for intelligence is a complex and multifaceted challenge that requires a comprehensive plan and sustained effort. However, this fusion will continue to be a key provider of value and allow intelligence agencies to keep up with high demands for situational awareness, proactive threat mitigation and policy advice. While data can be a conduit to enable faster and better-informed decision making to better identify and mitigate threats, agencies must learn to navigate the challenges on the path to actionable intelligence.