
November 28, 2007

Software and Theory

As previously noted, there are emerging technologies which verge on science fiction and portend a surveillance state. Still, there are other innovations which assist law enforcement and investigators in assessing threats. While these applications may not be the ultimate answer to finding terrorists or preventing an attack, they are a step in the right direction because they are based on sound theory and limit intrusion on the public.

The problem of finding insider threats has only magnified with the advent of networked information systems. In Protecting Against Insider Threat, it was stated that “in cases where respondents could identify the perpetrator of an electronic crime, 32% were committed by insiders.” While it is no easy task to identify a potential insider threat, if a third of attacks come from insiders, then deterring or preventing them is worth researching and looking into.

Developed by a team of behavioral, technical and legal specialists, WarmTouch is “computer software designed to detect changes in the emotional state and attitudes of individuals from their online communications, indicative of the emotions and attitudes associated with disgruntlement and risk of dangerous behaviors.” While it is still in the testing phase, this program has one key component that should be highlighted. It uses algorithms to search through large amounts of data, not unlike data-mining algorithms. However, its algorithms are grounded in theory about the language of disgruntlement, which gives them more validity and should reduce the false positives so typical of data mining. Proponents of data mining should look to such an application as an example of what is needed to produce legitimate data-mining algorithms, which could lead to greater acceptance of its use.

November 27, 2007

What technologies to support?

If I am so against recognition technologies and these seemingly sci-fi advancements, what do I support? And perhaps more importantly, how can, or should, these new technologies be implemented? Finally, what are the recommendations for future policy and procedures?

What technologies should be trumpeted?

Software applications which focus on the human element, programs based on theory, or those that fill a very real need and are properly secured. One brilliant innovation is the Intellipedia. The importance of information sharing was stressed in the 9/11 Commission’s recommendations. After some light personal research, the problem does seem to be systemic. Intellipedia assists in this process of sharing information, which previously seemed never to occur.

Software applications or data mining based on theory and developed with input from a range of experts should also be more readily utilized in the security field, and more should be developed. Some programs are already in use, such as WarmTouch, LIWC, and SSA. Each of these will be discussed in turn and in more depth to better understand their development, current capabilities and any implications of their use. Additionally, such programs reinforce the need to develop technologies and algorithms based on theory rather than on chance discovery.
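The mechanism WarmTouch is described as using in the November 28 post above (detecting a change in a person's emotional state from their own messages) and the LIWC-style word counting named in this post can be sketched in a few lines. The block below is an added illustration and is not code from WarmTouch, LIWC, or this blog; the category word lists and the message stream are constructed for the example, and LIWC's actual dictionary is far larger than the handful of words used here. The point it shows is the one the post makes: the comparison is against the individual's own baseline, not a population-wide pattern.

```python
"""Change detection over a person's own messages, in the LIWC style of
counting category words.

Added illustration for the posts on WarmTouch and LIWC; it is not code
from either project. The word lists and messages are constructed for
the example (LIWC's real dictionary is much larger).
"""
import re
from statistics import mean, pstdev

# Constructed category word lists (not LIWC's dictionary).
CATEGORIES = {
    "negemo": {"angry", "furious", "hate", "unfair", "useless",
               "ignored", "sick", "worthless"},
    "posemo": {"great", "thanks", "happy", "glad", "good"},
}


def category_rate(text, category):
    """Fraction of word tokens in `text` that belong to `category`."""
    tokens = re.findall(r"[a-z']+", text.lower())
    if not tokens:
        return 0.0
    hits = sum(1 for t in tokens if t in CATEGORIES[category])
    return hits / len(tokens)


def drift_alerts(messages, category, baseline_n, k=3.0, floor=0.02):
    """Build a per-person baseline from the first `baseline_n` messages and
    flag later messages whose category rate exceeds mean + k * spread.

    `floor` keeps a perfectly flat baseline (spread 0) from flagging the
    first stray word. Returns [(index, rate, threshold)] for flagged
    messages, so each alert carries the evidence behind it.
    """
    rates = [category_rate(m, category) for m in messages]
    base = rates[:baseline_n]
    threshold = mean(base) + k * max(pstdev(base), floor)
    return [(i, r, threshold)
            for i, r in enumerate(rates[baseline_n:], start=baseline_n)
            if r > threshold]


# Constructed message stream: five ordinary messages, then a drift.
MESSAGES = [
    "thanks for the update, the team meeting went great",
    "we should get our report done by friday",
    "the new build is a bit slow but it works",
    "glad the patch went in, good work everyone",
    "i am sick of these late nights",
    "this is unfair, i hate being ignored by management",
    "quick question about the vpn config",
    "i am furious, this whole process is useless and worthless",
]

if __name__ == "__main__":
    for i, rate, thr in drift_alerts(MESSAGES, "negemo", baseline_n=5):
        print(f"message {i}: negemo rate {rate:.2f} > threshold {thr:.2f}")
```

Run as written, it flags messages 5 and 7 and leaves the routine VPN question alone; the same stream scored on the positive-emotion list produces no alerts. Because the threshold comes from the person's own first five messages, a naturally blunt writer is not flagged for being blunt, which is where a theory-based personal baseline differs from a population-wide pattern search.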

Crazy Technologies

While I wholly support technological innovation and using it to deter attacks or to locate criminals/terrorists/all around bad guys, I admit that there are some projects which make me hesitant to make such statements. In Getting the Message, Paul Wallich discusses technology resources which are being developed to assist ‘intelligence needs.’ Two of the more intriguing and also frightening technologies are face and gait recognition.

Wallich also discusses speech programs in the article. It is understandable that the government would want to create programs which do real-time and accurate translation of languages. Language instruction in the US lags behind other nations, and recruiting native speakers of the needed languages is difficult. And it would greatly assist analysts if they could distinguish a command from a joke without listening to an entire conversation.

The intrusiveness of face and now gait recognition makes the hairs on my neck stand up. The HumanID program’s goal is to recognize faces at a distance using ‘face-matching recognition.’ Our fears are only mildly relieved by knowing that “[no program] has demonstrated the kind of selectivity required for large public venues – air-ports, say.” Likewise, gait recognition “recognizes the hitches and rhythms characteristic of a person’s walk.” How do we determine a known criminal’s or terrorist’s walk? And how do you explain away a false positive?

With all the hubbub against data mining, or against using technology to search accessible information, there seems to be little attention paid to these intrusive innovations. It is important to use technology to the extent that it assists analysts in removing the white noise; however, there is a fine line between accessing available information and subjecting entire populations to recognition programs. I can only hope that civil liberties advocates will fight these mass uses to ensure that our society is not forced to operate like some sci-fi movie, such as Minority Report, scanning our retinas, faces, walks and runs to determine who we are, and whether we are ‘good’ or ‘bad’.

November 21, 2007

Cyber-CI continued

Technology in CI remains primarily defensive. In his presentation, “Cyber-Counterintelligence – Just-in-Time Security in Today’s Agile IT Architecture”, Michael Thies argues that personal behavior adapting to technological innovation is a more dangerous change than increasingly savvy cyberthreats. Based on changes in observed and reported behavior in relation to technology use, his perspective promotes two main aspects: distributed presence and learned covert behavior. Distributed presence is the extension of propinquity to interpersonal interaction through wireless communication or in the virtual world. For example, the growth and success of internet dating companies and the proliferation of cellular telephones and interactive video games reveal that people expect to build relationships through non-traditional venues. The idea that interpersonal relationships are initiated and maintained without two people ever physically meeting may be odd; however, it is a collective trend. This has implications for CI safeguards, which will need to defend against intruders who arrive through these same channels.

Concurrently, learned covert behavior is being passively taught to younger generations and is reinforced by instant messaging applications. Instant messaging services are used by all ages; and in a naturally innocent effort to avoid parental monitoring, children have created ‘secret’ messages to notify their counterpart that they are being observed. For example, ‘Parent Over Shoulder’ (POS) does not look much different from ‘Laughing Out Loud’ (LOL) to someone who does not understand the code. The ability to communicate and act stealthily while being observed is being learned very young. In applications, and even in online chat rooms, there is now an option to ‘go off the record’ as a means of avoiding having conversations recorded, or of speaking away from others. While Americans tend to be more naïve and unassuming, this new learning curve may later reveal a trend of society increasing its covert capabilities.

These developments require further investigation into whether human behaviors differ between the real world and the virtual world. An example is a person who would never shoplift, because it is bad, but downloads free music without a second thought. Has our society changed so much that the general population considers these offenses comparable? Likewise, are there other scenarios in which it seems acceptable to do something in the virtual world that is considered illegal in the real world? While these issues require more study, CI may begin to focus less on physical threats introduced by technology and start to examine these concealed threats. If these behaviors and trends continue, they should be viewed as a potential insider threat, and current internal safeguards should be adapted to accommodate this evolving culture while still maintaining oversight of it.

Cyber-counterintelligence

What is counterintelligence (CI)? A compilation of definitions assists with understanding that CI is:

a division within an intelligence service charged with protecting sensitive information from an enemy, who is a hostile intelligence service or individual(s) engaged in espionage, sabotage, subversion or terrorism, by identifying threats to security, creating and disseminating deceptive information, preventing subversion and sabotage, and thwarting attempts to access and collect while still attempting to gather information from that enemy.

This amalgamation incorporates the many aspects involved in counterintelligence and highlights its many complexities. The essential goal is to keep outsiders from insider information, and to exploit any perpetrators to the insider’s advantage by either providing false intelligence or using them as a means to gather information about the outsider organization. In short, it is no easy task.

While CI is already complicated, the innovative and technologically driven society in which we live is increasingly sophisticated and introduces yet another obscuring factor into an already indistinct equation. To the extent that ‘Cyber’ is a tradecraft in which opponents employ new and more subversive attack measures, and must likewise be deterred by new defensive measures and new detection and exploitation mechanisms, it can be argued that Cyber-Counterintelligence (Cyber-CI) is a distinct subfield of CI. This perspective focuses on cyberspace and the use of information warfare by external adversaries, such as foreign intelligence services, organized crime groups, or hackers, whether politically motivated or not, and on how to defend against attacks that use these new means.

CI has already implemented strategies and other countermeasures to maintain integrity and security and to thwart attacks. These measures are primarily defensive: protecting networks through information assurance practices and information security tools, an emphasis on system administration, and hardware and software protection. System administration reinforces the classification system and compartmentalization structure by granting users access only to the information necessary to complete their current duties, and by ensuring all data is secured. Of the remaining defenses, Information Security (InfoSec) is the most frequently discussed, perhaps because it is akin to other CI safeguards. InfoSec encompasses the control and security components applied to widely networked systems. For example, it guards against penetration with firewalls and intrusion detection systems, and it also includes systems that identify vulnerabilities considered a threat because an enemy could exploit them. By incorporating Cyber-CI defensive activities, the IC has begun to address these new threats and potential vulnerabilities in this technological era.
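The access rule described above (a user sees only what their current duties require, within the classification and compartment structure) is worth writing down as a decision function, because it shows that clearance alone is never the deciding factor. The block below is an added illustration, not code from any IC system or from the post; the level ordering, compartment names, users and documents are constructed for the example.

```python
"""Need-to-know access decision: classification level, compartments and
current duties must all be satisfied before a read is allowed.

Added illustration of the rule described above (users get only the
information their current duties require). It is not code from any real
system; the levels, users and documents are constructed for the example.
"""
from dataclasses import dataclass

# Ordered classification levels (constructed ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Document:
    name: str
    level: str
    compartments: frozenset   # compartments a reader must be read into
    projects: frozenset       # duties for which this document is needed


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    compartments: frozenset   # compartments the user has been read into
    current_duties: frozenset # projects the user is assigned to right now


def access_decision(user, doc):
    """Return (allowed, reason). Every rule fails closed; the order is
    clearance, then compartments, then need-to-know."""
    if LEVELS[user.clearance] < LEVELS[doc.level]:
        return False, f"clearance {user.clearance} is below {doc.level}"
    missing = doc.compartments - user.compartments
    if missing:
        return False, f"not read into compartment(s) {sorted(missing)}"
    if not (doc.projects & user.current_duties):
        return False, "no need-to-know: document is not tied to a current duty"
    return True, "clearance, compartments and need-to-know satisfied"


def reassign(user, new_duties):
    """Rotating duties revokes need-to-know for the old project without
    touching clearance or compartments; access follows the duty."""
    return User(user.name, user.clearance, user.compartments,
                frozenset(new_duties))


# Constructed users and documents.
ALICE = User("alice", "SECRET", frozenset({"COMP-A"}), frozenset({"project-a"}))
BOB = User("bob", "TOP SECRET", frozenset(), frozenset({"project-b"}))
DOC_A = Document("plan-a", "SECRET", frozenset({"COMP-A"}), frozenset({"project-a"}))
DOC_B = Document("memo-b", "CONFIDENTIAL", frozenset(), frozenset({"project-b"}))

if __name__ == "__main__":
    for u in (ALICE, BOB):
        for d in (DOC_A, DOC_B):
            allowed, why = access_decision(u, d)
            print(f"{u.name} -> {d.name}: {'ALLOW' if allowed else 'DENY'} ({why})")
```

In the constructed data, bob holds a higher clearance than alice yet is denied plan-a because he has not been read into its compartment, and alice is denied memo-b, which is below her clearance, because it is not tied to any of her current duties. Reassigning alice off project-a removes her access to plan-a without any change to her clearance, which is the compartmentalization behaviour the paragraph describes.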

November 13, 2007

Less Repeated Themes

Countering Terrorism through Information Privacy Protection Technologies is one of my favorite articles to have read yet. While it spends more time on information technologies which analysts should be (already are?) using, it still highlights that a balance can be struck between securing the homeland against terrorists and ensuring the privacy of citizens. There were a couple of phrases, or themes, which particularly caught my attention.

The first was, “the goal shouldn’t be to tear down these silos, but to punch holes in them and enable collaboration across agencies when appropriate and advantageous.” I wonder if the Intellipedia is sufficient to fill this need, or if the authors had envisioned a more collaborative arena, one that would allow cross-departmental debate, discussion and analytical collaboration. Obviously, little is known about the Intellipedia’s content, nature and structure, but it often appears more as a reference guide of pooled ideas than as something that encourages a collaborative intelligence community.

The second theme is that of pattern-producing models. I wholly agree with the authors that ‘modeling tools play a crucial role in countering terrorism’. Ideally, statisticians, terrorism experts, and dynamics modeling experts should work closely together on pattern searches that are grounded in theory. It would be interesting if critical pathways for terrorist schemes, at least at a simplistic level, could be found and used to help drill down through the information. There is certainly a lot of information out there, and more precise patterns would help purge some of the irrelevant information.

November 08, 2007

Data mining's Bad Rap - is it because of selective bias?

In Effective Counterterrorism and the Limited Role of Predictive Data Mining, Jeff Jonas and Jim Harper adamantly argue that data mining is bad because it looks for patterns without prior theories, its false positive rate is far too high for practical use, and it can lead to huge infringements on civil liberties. Still, their argument is unbalanced in its effort to give all data mining a bad reputation, even though they, or at the very least Jonas in particular, uphold a form of data mining.

While the definition of data mining is fairly subjective, the general consensus is that it is the use of data analysis tools, such as statistical analysis and modeling, to find patterns and relationships in large data sets. Most definitions also include a phrase stating that data mining includes analysis and prediction. This last portion is where I often disagree: leave the analysis and predictions to the human analysts and let the machine be the number cruncher.

Data mining is also often broken into two forms, one that searches for subjects and another that searches for patterns. Subject-based analysis starts with known information about a known threat and traces relationships between that known threat and others. In pattern-based analysis, by contrast, statistical probabilities are used to find new data based solely on predictions that are not grounded in theory. There are many arguments against the latter form of data mining, and they are all very sound. Still, there seems to be more focus on the negative aspects of the bad technique than positive encouragement for subject-based analysis, which would seem hugely beneficial to analysts and law enforcement agencies. Focus on what can be used, support those information technologies, and encourage their use in an effort to produce better analysis and locate more known threats or their accomplices.
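The two forms distinguished above, and the false positive objection raised against the second in the paragraph before, can be made concrete in code. The block below is an added illustration and is not code from Jonas and Harper or from this blog. The relationship records are constructed, and the population size, number of real threats and classifier accuracy used for the pattern-based arithmetic are assumed figures chosen only to show the base-rate effect; the general point holds for any rare target.

```python
"""Subject-based link analysis beside pattern-based population screening.

Added illustration of the two forms of data mining distinguished above;
it is not code from Jonas and Harper or from the post. The relationship
records, population size and classifier accuracy are constructed
assumptions for the example.
"""
from collections import deque

# Constructed relationship records: (entity, relation, entity).
RECORDS = [
    ("subject-1", "phone", "contact-A"),
    ("contact-A", "shared-address", "contact-B"),
    ("contact-B", "wire-transfer", "contact-C"),
    ("contact-C", "phone", "contact-D"),
    ("unrelated-X", "phone", "unrelated-Y"),
]


def build_graph(records):
    """Undirected adjacency list; a relationship links both parties."""
    graph = {}
    for a, rel, b in records:
        graph.setdefault(a, []).append((b, rel))
        graph.setdefault(b, []).append((a, rel))
    return graph


def subject_based(records, seed, max_hops):
    """Start from a known subject and trace relationships outward, breadth
    first, stopping at max_hops. Returns {entity: (hops, path)} so every
    lead is explainable back to the seed; nothing unconnected is touched."""
    graph = build_graph(records)
    found = {seed: (0, [seed])}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        hops, path = found[cur]
        if hops >= max_hops:
            continue
        for nxt, rel in graph.get(cur, []):
            if nxt not in found:
                found[nxt] = (hops + 1, path + [rel, nxt])
                queue.append(nxt)
    return found


def pattern_screening(population, true_threats, sensitivity, false_positive_rate):
    """Expected alerts when a pattern classifier screens a whole population.
    Returns (true_alerts, false_alerts, precision); precision is the share
    of alerts that are real, i.e. what an analyst must then sift through."""
    true_alerts = true_threats * sensitivity
    false_alerts = (population - true_threats) * false_positive_rate
    precision = true_alerts / (true_alerts + false_alerts)
    return true_alerts, false_alerts, precision


if __name__ == "__main__":
    leads = subject_based(RECORDS, "subject-1", max_hops=2)
    for entity, (hops, path) in sorted(leads.items(), key=lambda kv: kv[1][0]):
        print(f"{entity}: {hops} hop(s) via {' -> '.join(path)}")
    # Assumed figures: 300 million people, 1,000 real threats, a classifier
    # that catches 99% of them and wrongly flags 1% of everyone else.
    tp, fp, prec = pattern_screening(300_000_000, 1_000, 0.99, 0.01)
    print(f"pattern screening: {tp:.0f} true alerts, {fp:,.0f} false alerts, "
          f"precision {prec:.5f}")
```

With the constructed records, a two-hop search from subject-1 returns contact-A and contact-B with the chain of relationships that led to each, and never touches the unrelated pair. With the assumed figures, a classifier that is right 99% of the time on both kinds of person still produces roughly three million false alerts for every thousand real ones, so fewer than one alert in three thousand is genuine; that arithmetic, not the quality of the model, is why the pattern-based form draws the objection the post discusses, and why the subject-based form, which only ever expands from a known threat, does not.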