What’s Next for Investigative Intelligence?


With the emergence of hybrid threats, Investigative Intelligence requires correlating new data with historical data and marrying real-time processing with AI technologies.

Today, the Investigative Intelligence market is driven by challenges that we didn’t talk about five years ago. Let’s start with big data. Due to exponential data growth, we now have to contend with many more sources that can originate from many different attack surfaces. Formerly, investigations were always analyzing historical data after the fact. Now we are examining and processing data that is streaming and includes real-time alerts. This has changed the sector completely. Also, we are now dealing with hybrid threats across cyber, physical, infrastructure, media, and even society at large.

It is also impossible to ignore AI and how we apply the machine to the problem. The machine is now enabling and helping the analyst in terms of classification, search, prediction, entity resolution, and huge progress has been made around Natural Language Processing (NLP). All of these advancements have changed the Investigative Intelligence landscape, which formerly used to be focussed on individual narrow domains. Now we have to look at hybrid threats across all domains, which is easier said than done. Investigative intelligence is a work in progress, but we’re getting there.

See also: The State of Government AI Initiatives

Why budgets are being reallocated

From a national security perspective, there is a recognition that fewer tanks and more analysts are needed moving forward. Budgets are being diverted from traditional military and security spending into AI, cyber threat, and general Investigative Intelligence – a trend that is occurring globally. Change is always difficult, but I think there is a recognition across the board that the challenges facing national security are quite different from what they were ten years ago.

For example, we now read about attacks on election infrastructure and false and malicious information operations campaigns. There is now much more commitment to resolve these issues because they are now being recognized and understood as a genuine threat. Nations now need to be ready for all sorts of threats, whether it’s cables in the sea, cyberattacks on physical infrastructure, or attempts to undermine the democratic process. The threat is now across many domains. Undoubtedly, threat actors have become more sophisticated.

Lessons learned

The nation-states of the west are trying to react to advances in threats, which means they are looking to technology-based solutions – throwing more people at the issue isn’t the answer. We see organizations taking threats, that not so long ago were not high on security agendas, very seriously. For example, a threat to IP theft or supply chain security – these are now front and center of security thinking.

Let’s go back to 9/11 and the questions that were asked afterwards about what was known and when. It is generally recognized there was a need for better coordination across agencies, more collaboration, better dissemination of intelligence is vital in this new world. There is no question these still remain huge challenges if we are to keep people safe.

The benefits of technology

However, the challenge is so much harder now due to the amount of data floating around in a multitude of domains, and the adversaries are far more sophisticated. This is where adopting new technologies becomes imperative. We can then ask ourselves focussed and incisive questions of data and expect an answer in real-time. For example, are incidents a coincidence at a macro level, or is there a correlation between events? When looking at multiple events, it is really important to understand if they are related and orchestrated or if they are pure coincidences. And this must be done across very broad, previously unrelated areas of interest. We can now use technology to answer these questions. However, an analyst must first understand the problem their leadership is trying to solve. These problems then shape the technology needed and how the analysts actually use it.

But we must accept that human-based manual processes will always exist, which leads to bureaucracy and red tape. Many security processes will remain document and people-oriented, and unfortunately, slow. Although I believe we will undoubtedly see many more processes becoming automated, and the analyst will be augmented with machine-driven intelligence to speed up procedures and therefore close the gaps which threat actors really depend on.

Joining the dots

Look what happened on Capitol Hill recently – in effect, this was organized in broad daylight. However, after monitoring of discussion groups, open forums, chat rooms, and social media, it was evident that there was little effort put into concealing what the plan was. Threat actors often use social media to announce their intent long before acting out.

But, in terms of the supply chain of information and the people responsible for securing the building, there has clearly been a breakdown. These breakdowns, in hindsight, can be stopped.  It’s another example of not using information that is in the public domain and recognizing actors that would be ringing alarm bells. Part of the problem is process, part of the problem technology, but at the end of the day, we need to get better at joining the dots as this could have been stopped.

Embracing and coming to terms with big data is a huge part of this. Making sense of the data and having big data correlations is where the greatest challenge lies. Paint a picture and create a visualization of what is really happening. Find out things that you were never meant to see, but do it on a massive scale. You need an environment that pieces together what is happening before it happens.

Do it across Signals Intelligence (SIGNAL), Cyber Threat, traditional Policing data, and in particular, Open Source Intelligence (OSINT). When major events unfold, intelligence analysts must understand the social context of the event and its impact on their national security. OSINT provides the social context missing from traditional sources, such as motivations, cultural reflections, and atmospherics. It gives context to classified sources used to create an assessment. Various intelligence sources lack the broader context needed to understand the situation. Single-sourced assessments may result in a misunderstanding that can cripple an operation. OSINT fills in the gaps from fragmented sources used in the intelligence community. If all of this is done properly, real progress can be made.

Closing Words

It’s not just about reacting to real-time data; you have to be smart about it. You need insights. You need to be able to correlate new data with historical data, and marrying real-time processing with AI technologies is hugely important. We need to see things as they are, not as threat actors want us to see things. As the world becomes more and more complicated, the need for agility and connected dots is getting greater. The need for us all to be on our toes and aware of the unseen threat is essential. This is what’s next for Investigative Intelligence.

John Randles

About John Randles

John Randles is CEO Of Siren, a Galway-based Investigative Intelligence platform which merges functionalities that were previously disconnected, such as big data dashboards, link analysis, search engines, and operational monitoring. Siren is a spin-off of the Data-Intensive Infrastructure research group at the National University of Ireland Galway (NUIG). Siren is Randles’ third start-up having previously set up Eontec and PolarLake.

Leave a Reply

Your email address will not be published. Required fields are marked *