The challenge for investigators in a data rich world (Guest blog by Clue Computing)
Investigations, analysis and intelligence work are at the forefront of keeping society safe; they feature at the heart of national security, law enforcement, regulatory and other government missions.
But the landscape is changing rapidly. We are now facing sophisticated, tech-enabled adversaries, and this challenges the ability of many investigators and intelligence officers and analysts to catch up, keep up and get ahead of the threats that we face.
Data is the lifeblood of effective intelligence and investigations – and it has never been more so. It’s a powerful resource if we can successfully exploit it, ethically, to our advantage. But as data sources proliferate, our ability to collect, ingest, analyse, triage and exploit it become ever more challenging.
Below we’ll explore several themes, limiting factors and consequent major risks that as a community we all have a role to play in resolving.
From communications data from seized devices to entire datasets passed between organisation, the quantity of data required to progress an intelligence operation or investigation continues to grow almost exponentially.
Data volumes will only increase in future. The UK / US Bilateral Agreement and consequent use of Crime Overseas Production Orders (COPO), for example, will enable service of UK Production Orders on US technology companies and speedy return of data. This is extremely positive and could be a game-changer for investigators, but it will also bring further data volume challenges.
Internationalisation of data
Increasingly, the data required by intelligence officers or investigators is not located within their respective jurisdiction. There are excellent examples of sharing data sets from friendly nations, such as in combatting child sexual abuse online. But when the data is held in less cooperative or even hostile states, which is the case in many cyber-crime or economic crime cases, that the challenge becomes significant.
Fragmentation of data
In the same way that quantities of relevant data are proliferating, so are the sources and complexity. The full intelligence picture, or an actionable investigative lead, are rarely sourced from a single data source, and increasingly multiple sources must be overlaid to put together the pieces of the virtual jigsaw.
Encryption of data
Encryption is a good thing; it protects data from unlawful access by malicious actors. But that same capability is also used by organised criminals, terrorists and child sexual abuse offenders to try and mask their criminal activity from law enforcement, national security or government agencies, where they have a lawful requirement and relevant lawful authorisations to access it.
The use of anonymisation capabilities by subjects of interest also exacerbates the challenge of identifying and attributing a real-world identity to the criminality being committed under the shroud of anonymity.
This includes elite cyber criminals using online handles, organised criminals using anonymised communications devices or child sexual abuse offenders using online nicknames.
In each of these examples and more, to manage the threat and risk posed means first understanding and then proving who is behind the virtual mask.
These data challenges and more are compounded by limiting factors including reliance on legacy technology, lack of data standardisation, poor design and implementation, lack of skills and resistance to change which, when combined, lead to two major risks that we must in my view take very seriously.
This risk materialises when an agency, organisation or team are unable to ‘join the dots’, or put together the pieces of the jigsaw, leading to them either failing to stop an adverse outcome, or failing to capitalise on an opportunity.
In stark terms, this could be a child at risk of abuse, that should have been identified, located and safeguarded, but due to intelligence failure this did not happen in time. It could be a terrorist attack, where on detailed review working ‘smoking gun backwards’ it becomes apparent that an opportunity to identify, risk assess, intervene, or disrupt was missed.
Alternatively, this could be a missed opportunity to prevent a major fraud from occurring, a failure to identify a sanctions breach, or regulatory intervention that did not occur, where action would have prevented harm.
This risk materialises when despite often overwhelming evidence of guilt, a prosecution either does not commence or is stayed because disclosure obligations have not been fulfilled.
Effectively managing disclosure compliance flowing from intelligence and investigations is a critical aspect of the whole ‘value chain’, but several of the data challenges outlined above contribute to difficulties in this field.
Fundamentally this is about effective and accurate data handling, management, categorisation and scheduling. But rapidly increasing data volumes and data that is difficult or impossible to acquire or analyse make this much more difficult and labour intensive.
Disclosure failure can be traced back to issues with disparate, legacy systems where information is missed or incorrectly classified, while lack of appropriate disclosure training and awareness - along with stretched resourcing and sometimes poor leadership - can also contribute to this risk.
In the current investigative and intelligence data-rich context disclosure simply cannot be delivered without the right capabilities and culture.
The path ahead
None of the challenges or risks highlighted in this article are straightforward to solve, and they will only become more acute as technology, society and adversaries evolve.
Part of the solution must come from more and better innovation and development by industry, academia, agencies and government to develop improved solutions for operational deployment.
We must also address legacy and technical debt issues that abound and foster a joint approach to interoperability.
No single solution will address all the issues. Therefore, it must be incumbent on all of us to design and develop solutions that can work with other components in as frictionless a manner as possible.
This requires us to get better at creating the communities and working groups, cutting across sectors and areas of responsibility, to really grapple with the big challenges facing intelligence, analysis and investigation.
While data may be the ‘lifeblood’ of intelligence and investigation, and the technology the ‘heart, lungs and circulatory system’, the people involved are the ‘brain, nerves, skeleton and muscles’ coordinating and steering the process.
So, we must take seriously the people aspect, buy investing sufficient time and resources into their recruitment, training, engagement, retention and career pathways.
Without this key element there is a risk that the focus becomes purely technology, and as important as that is, it is only part of the solution.