Establishing a cross-spectrum intelligence data gathering capacity to empower agencies
November 18, 2019
The strategic environment enveloping our immediate geopolitical and digital environment is changing rapidly. In an increasingly uncertain world driven by considerations connected with state and non-state actors, threats are becoming increasingly diffused, diverse and omnipresent.
While we confront conventional challenges to our national security, we also need to scale up our efforts to confront emerging threats sustained by technology advances and a result of evolutionary changes brought in by adoption of newer means of communication and data exchange. Our efforts will have to turn more agile, innovative, and resilient to deal with such threats that increase our risk exposure.
Our intelligence gathering apparatus currently focuses on identifying and monitoring short-term and long-term threats to the country’s diverse interests spanning economic, geostrategic and defence frontiers. As the threats diversify and the actors intensify their efforts to attack us and our interests, we need to ramp up our ability to defend ourselves and protect our national interests and assets.
Today, state and non-state actors are using a variety of tactics to target us. This includes social engineering, information pilferage, spreading fake news, industrial and IP espionage, debilitating attacks on critical infrastructure, persistent attacks on smart home and connected devices and more. There is also the threat posed by non-conventional adversaries who are not necessarily our adversaries but are still targeting us for various reasons.
As trade wars intensify, cyberspace will serve as a new frontier and a battleground for our adversaries to target us. Trade-related issues between countries will cast a shadow on interactions in the digital space as well. Countries with adversarial intent from a trade perspective will also exploit opportunities to reduce our competitive credibility and to wean away our export customers, among other aims. This is one motivation that will drive cyberattacks more frequently in the near future.
Such motivations will also put added pressure on our intelligence agencies to rapidly adjust their strategies and tactics to address these threats. The challenges will arise from these aspects:
• Identifying new sources of threats by deciphering their motivation
• Early identification and mitigation of threats in the digital space
• Preventing our information and IP from being pilfered
• Preventing espionage through social engineering
• Scuttling attempts to spread misinformation through digital means and agencies
• Attempts to steal research from our educational institutions
• Preventing hackers from monetising stolen data
• Gathering the right data that can feed into actionable intelligence
• Preventing online terror funding using cryptocurrencies
With a new breed of cyber terrorists using cryptocurrencies and online drug sales to fund malware development and deployment, the risks have increased manifold for key pillars of the Indian economy, strategic growth and defence.
In the decade since 26/11, agencies here have focused on improving their ability to tap multiple sources of intelligence to gather and validate human (humint) and signal (sigint) intelligence. As the threats diversify, the agencies are also deploying a diversity of tactics to harvest and analyse intelligence early, to cull these threats before they manifest into episodes that warrant a publicly identifiable nomenclature.
As the conventional definitions of warfare morph, newer paradigms are emerging that stretch the boundaries of intelligence gathering. During 26/11, the terrorists were in constant touch with their handlers across the border through phone calls. During the Kargil conflict, a call was made to Gen. Musharraf by his trusted aide, who called him up at his hotel in Beijing to report on the domestic political situation in Pakistan and how the then Pakistani PM was angry about being kept in the dark by Musharraf on the invasion of the Kargil heights. In both these instances, the conversations were intercepted by agencies. The latter conversation was even released to the media, leading to the unravelling of the sheath of lies that the Pakistan army had fabricated to mask its involvement in Kargil.
Consequent to such instances, many of India’s adversaries have shifted to mediums that are less amenable to interception and monitoring. The onset and wide adoption of social and digital mediums affords a high degree of opacity amidst noise and chatter. These spaces have emboldened our adversaries to launch multi-pronged campaigns not just to spy on us but also to create fissures and chasms in public opinion, to be exploited at a suitable juncture to spread civil unrest and to demoralise India’s armed forces personnel.
A sustained campaign has been launched across mediums to instigate and enrage public opinion by spreading fake news and malicious rumours to prevent rational thinking and to defame and discredit our government, our armed forces and various arms of governance and public instruction and engagement. These efforts are being conducted through stealthy channels in a concerted manner through paid and motivated agents located across the world and in digital bunkers with layers of anonymity separating them.
Our adversaries are also weaponising information, malware and other communication agents as part of a sustained effort to attack our interests and economy. Information sourced from reputed sources informs us that the quality and volume of malware released in India targeting businesses, communication infrastructure and various strategic assets are also increasing by the day. Critical infrastructure is a key target as is our defence infrastructure.
Some of these agents are also being deployed to harvest the information of significance or actionable intelligence. So, on the one hand, these agents acting through digital mediums create noise to erase their trail; on the other, they also scout for intelligence or signals among the noise. Acting with stealth and timing, they tend to wait for sensitive data to appear in the systems in which they are deployed.
On the humint front, recruiting moles and human agents is a task rendered easier by the reduction of traditional cross-border communication hurdles. Today, with the availability of many encrypted mediums, agents can mask their true geographical coordinates and carry out their tasks with adequate confidence. With handlers able to operate across borders globally with ease, more mercenaries are also being deployed by our adversaries to disrupt our digital progress.
The Dark Web that serves as a den for all kinds of illegal information exchange including information gleaned through piracy, espionage, pilferage and other means, ends up being a conduit for such information changing hands. Information with national security implications also ends up on the Dark Web though it is not easily accessible. Our adversaries are also working towards using technologies such as blockchain to store and exchange information.
The threat spectrum
New and evolving technologies such as the Internet of Things, Artificial Intelligence and high-performance computing are enabling the evolution of a whole new set of improved military and intelligence capabilities for our adversaries. Cyber threats are challenging the business, governance and health-care fabric of the nation and stretching the imagination of cyber-defence forces of the country in terms of anticipating the next set of attacks, vectors and threats.
Actors are also looking at combining sigint with humint to validate data and information as also to figure out ways to breach secure systems and retain the ability to launch a debilitating strike in the event of an escalation of hostilities. Malware with high levels of persistence is now being detected with alarming frequency in systems connected with infrastructure, data storage, manufacturing, utilities and oil and gas.
Acting in concert with moles and trained intelligence handlers available for hire from other countries (to provide for plausible denial), technical means of espionage are being exploited by our adversaries to a significant extent. Extremist groups supported by multi-country money laundering networks as also drug and contraband trade are being used by our adversaries to promote the spread of online vitriol, fake news and misinformation.
Mission objective: capacity building to address cross-spectrum threats
In order to deal with threats with a firm hand, our ability to detect, contain and defuse such threats must evolve and grow. Traditional intelligence-gathering methods and approaches focusing on the military capabilities of adversaries, suspicious domestic activities and transnational criminal activities form what can be called foundational intelligence gathering. Such activities must be supplemented by layers of non-conventional scanning, monitoring and analysis of information from non-conventional sources, backed by an ability to detect and highlight anomalous activity.
The first three mission objectives address foundational missions of the IC, which transcend individual threats, topics, or geographic regions. This is different from foundational military intelligence, which is intelligence on foreign military capabilities. As such, foundational mission objectives collectively represent the broadest and most fundamental of the IC’s intelligence missions.
Intelligence gathering to tackle non-conventional threats can be bucketed under the following heads:
• Strategic intelligence: online and sentiment analysis activities (based on publicly available data) designed to detect, identify and assess the capacities and capabilities, activities, and intentions of adversarial entities to evolve a deeper understanding of the strategic environment, predict developments on issues of enduring interest, and feed into the national security policy and strategy decisions.
• Prophylactic/pre-emptive intelligence: designed to zero in on and assess new, emerging trends, changes in field conditions, and underappreciated developments in order to reframe assumptions, derive new postures and offer warnings.
• Operational intelligence: to detect and convey threats that are immediate or involve disrupting communications, information manipulation or asymmetric injection of misinformation. This effort also covers planned and ongoing operations.
• Threat tagging: post-identification, sources of threats, actors, malware and other threats must be tagged and assigned a priority for action by the concerned agencies.
Best practices for improving intelligence gathering and usage capabilities
This involves the use of cognitive augmentation, machine-augmented intelligence, signal and pattern detection and enhanced intelligence to strengthen data utility and decision making. The core idea is to give maximum attention to anomalies and other aspects of intelligence collected by various agencies that warrant attention, and also to derive a larger context for the uncovered input.
Event processing capability
Any intelligence capability is incomplete without the ability to process raw data and derive actionable/insightful intelligence. A central agency should be able to compile and analyse data using advanced analytics with modern data extraction, correlation, and enrichment capabilities to maximise the value and utility of data collected as also to prevent any important signs of an impending event or adversarial action from going undetected.
This begins with a search on the web to uncover foreigners, tourists or students who are entering under a legitimate pretext, identifying suspects (by harvesting information available in the public domain such as their social media accounts, blogs, and public interactions with other individuals on online forums) who could be working for foreign intelligence agencies. Such facilities should be made available at the port of entry itself so that the suspect can be detained for questioning and subjected to intelligence interrogation, if need be, before he or she infiltrates the country and drops off the surveillance radar. If possible, such checks should be done as and when the subject applies for a visa.
In the case of a suspect already working with other agencies and passing on intelligence, such acts should be detected through pattern identification, which calls out a series of steps, or the absence of certain steps, to identify suspicious behaviour.
Natural resources are among the key factors that are essential for the economic and general well-being of our country. Cases of illegal exploitation of forests and also illegal trawling/fishing in our EEZ have been reported in many instances. Our intelligence data should enable our agencies to act against such agents and protect our national resources and our environment.
Data centralisation
Right now, every intelligence agency is gathering data and sharing it with other agencies through an established framework. In the future, however, a single repository of intelligence and threats will have to be created that taps into multiple sources, analyses the data and prioritises the information gathered. A technology platform should be put in place that can:
A) Ingest disparate types of data from different sources
B) Correlate and link various types of data
C) Store vast quantities of data to be used by multiple agencies in a secure manner
D) Enable data modelling, threat forecasting and predictive analysis using AI and ML
E) Prioritise data access: offer a granular level of data access based on parameters such as roles, mission-based access, need to know, etc.
F) Assist with operations, investigations, episode-based negotiations
G) Connect with civic agencies such as law enforcement, healthcare, infrastructure planning, citizen services, etc., at a higher level to enable the fulfilment of objectives such as containing epidemic outbreaks, post-disaster response, civil defence, reducing crime and curbing the spread of misinformation
Data security is indeed a key matter of concern. Data on Indian citizens should not just rest within our shores but also be accessed only by authorised individuals for specific purposes, with the consent of the citizen concerned. Data that has been collected as part of various government schemes and through other interactions should be secured, and any attempt to breach such data reservoirs should be scuttled at the earliest. Leakage of any kind of data in any manner by unscrupulous individuals is an inexcusable crime and must be curbed through early and sustained intervention practices.
Roadmap: securing citizens, assets and national interests
No intelligence capability is complete without making citizens feel secure, businesses operate without fear of cyberattacks or physical attacks and getting the right information to intervene at the right time. The intelligence capability needs to be enhanced in a phased manner along these lines:
• Modelling using existing data to locate sources of relevant information from publicly available data
• Identifying, locating and harvesting data from sources of interest early; tagging these sources to retain intelligence interest in them
• Build the ability to act on specific inputs so that resources are conserved
• Operate through a central platform to offer the largest segregated data pool to all agencies for verification and cross verification
• Offer agencies the ability to act on information within the shortest period of time
• Gain the ability to see patterns of stress or strain on public health, the economy, citizen services, disaster recovery or other critical areas so that mitigation measures can be implemented within the shortest duration and with less investment
• Foresee, predict and act: offer central and state agencies the maximum opportunity to collaborate and tackle challenges together
• Gain the ability to analyse and validate primary and secondary data faster in border areas, coastal areas and other sensitive zones
• Prevent exploitation of the environment/natural resources in an unsustainable manner
• Give all agencies enough bandwidth and reaction time to execute their mandate in the most efficient and productive manner
• Secure our borders and our national interests through data security