When people outside of the intelligence community imagine intelligence, their mind wanders to electronic surveillance devices, dead drops, and cryptic conversations involving mysterious men and women. As the U.S. Federal Bureau of Investigation puts it, “simply defined, intelligence is information relevant to decision-making.” Put this way, it is easy to see how reliant we are on intelligence during crises. Command centers are stood up to process and coordinate information, escalation processes clarify when and how information should be received by decision-makers, and a common recognized information picture forms the cornerstone of briefings for senior leaders. The missing piece for disaster management and business continuity professionals is a fuller understanding of modern open-source intelligence (OSINT) and how it can be used across all phases of the emergency management cycle.
What is OSINT and how is it changing?
OSINT is nothing more than intelligence gathered from publicly accessible sources, which today increasingly means online sources. Speaking to OSINT value in the public sector, former directors of the U.S. Central Intelligence Agency and U.S. Defense Intelligence Agency (DIA), among others, have noted that 80-90 percent of intelligence is open source. So “Googling” is important, but why is a comprehensive strategy for OSINT needed? There are several factors at play that make OSINT dynamic and challenging. These include:
- Internet growth generally – the site Internetlivestats.com estimates that the number of websites has grown from approximately 860 million in 2015 to some 1.7 billion as of writing. In short, when it comes to finding distinct and high-quality pieces of online information, the needle is getting buried by an ever-bigger haystack.
- Proliferation of social media – for organizations in need of user-created information specifically, the growth of social media is even more of a concern. It is no longer enough to follow a hashtag on Twitter for the latest information on an emerging crisis. There are now dozens of platforms, some in varying languages, and all with different levels of privacy.
- Need for speed – the requirements of organizations are changing too, with priority now being placed on speed of information delivered, often via mobile devices. Various technology vendors have stepped up to the task of sifting through online information to provide a curated feed, but the target is always moving.
These difficulties have been recognized by the private sector and, as a result, most of the Fortune 100—according to the author’s personal knowledge—currently have intelligence programs and specialized personnel. Due in part to the origins of intelligence in the national security and law enforcement arena, however, such programs are typically subsumed under corporate security. Other risk and resilience professionals in the private sector stand to benefit from intelligence programs and strategies as well, and an understanding of how OSINT can be woven into their operating models can help. There are many models to choose from, but the emergency management cycle framework used by the Federal Emergency Management Agency (FEMA) is a good start. The following sections explain how OSINT can be leveraged for each phase of the cycle—mitigation, preparedness, response, and recovery.
The mitigation phase—alternatively known as the prevention phase— involves an enterprise taking steps to lessen either the likelihood or impact of an emergency. For many organizations, this means creating or improving infrastructure to prepare for a physical or cyber-crisis. Other enterprises focus on revisiting their insurance policies.
This is also a stage at which seasoned intelligence analysts can provide significant value by conducting data- and incident-driven research. Data-centric research is critical to determine the latest in what works and what does not. The workplace violence prevention field, for instance, is constantly evolving and a hired hand who is a specialist may quickly get behind on the latest research. An intelligence program tasked with keeping track of findings on behavioral indicators of violence or the validity of violence risk assessment tools can contribute significantly to mitigation efforts.
Incident-driven intelligence collection can likewise have an important role to play. Organizations at the mitigation phase tend to focus their efforts on risks that are known, but there is often no consistent process for discovering new threats or threat variations. Take the example of kidnap and ransom (K&R) incidents. For many years, these situations followed a pattern involving an individual being taken and a ransom being subsequently demanded for their safe release. Today, kidnappings can be “express” (e.g., a person being taken to the ATM to withdraw cash) or “virtual” (e.g., a person being tricked into believing someone close to them has been kidnapped). Tactics are shifting rapidly, and a systematic analysis of new incident types by intelligence analysts is critical for any kind of prevention measures to take place.
As part of the preparedness phase, organizations make plans and get ready for a crisis. One of the intelligence contributions at this stage can be assistance in the area of plan and standard benchmarking. OSINT professionals are experts at finding materials in the digital realm. Although risk and resilience leaders likely go into emergency planning with ideas about how they want a plan to look, and may have industry contacts to help them, intelligence experts can find a slew of planning documents to use for comparison purposes. The same goes for standards. Following ISO standards may be obvious for planning processes, but an intelligence team can uncover standards that are more obscure or issue specific.
The preparedness stage also involves accounting for the internal and external resources available in a disaster. This is another area where intelligence integration is significant for accurate planning. A global company may want to understand local healthcare capacity in an area that is at high risk of emerging infectious diseases. A partial solution may be contacting a local medical facility and asking questions. Beyond this effort though, intelligence personnel can investigate how successfully the facility handled previous healthcare emergencies and the reputation of the facility for medical care generally. While this may sound like a farfetched use of intelligence, it is, in fact, something government analysts at institutions like the U.S. Defense Intelligence Agency’s National Center for Medical Intelligence do on a regular basis.
Exploitation of intelligence to save lives or reduce damage to property or assets during or just after an emergency—the response phase—is probably the most well-known of its use cases. Many existing programs are centered around monitoring for disasters and the production and dissemination of instant alerts if something does occur. This early warning can include information about who, what, where, and when, but depending on their role in the organization, analysts can also attempt to answer the question of “what next?”
As the emergency progresses, analysts can update decision-makers with ground-level information, including photos and videos. In this task, private sector analysts are aided by a variety of technology companies—some that provide a minute-by-minute feed of local social media content, and others that create sophisticated visualizations tying events to company assets globally. Don’t have analysts at all? No problem. Some vendors now offer tailored alerting services with their own analysts working on your behalf.
Returning to normal, steady-state operations following a crisis—the recovery phase—is difficult for any kind of organization, and recovery efforts are often fraught with risk themselves. This was the case following Hurricanes Irma and Maria in 2017, when several Caribbean islands saw a ramp-up in criminal activity that affected companies seeking to rebuild local infrastructure. Intelligence teams can offer continuous tracking for threats such as these long after the initial disaster has long passed.
For private sector companies, financial problems in the wake of an emergency are typical as well. Consider cyber-attacks, for example. A 2019 study of three major data breaches by the cloud security firm Bitglass found that publicly traded companies lost 7.5 percent of stock value and an average of $5.4 billion in market cap following the breaches. Juggling the needs of employees, the worries of customers, and the concerns of shareholders is a tall order and success is not a guaranteed, but an intelligence strategy can help enterprises navigate the seas of perception. Analysts can be responsible for reputational monitoring of media and social media channels, identifying widespread worries of firm stakeholders and briefing risk and resilience leaders on common themes. When the company acts, an intelligence team can track the ripples across open-source channels, potentially helping an organization recognize how its long-term response to a past crisis is being viewed. Through this process, OSINT can play a key role in providing valuable feedback to a company as it recovers.
Toward intelligence-driven business continuity
The impact of a disaster rarely falls neatly into an organizational silo so most teams addressing risk and continuity issues—such as business continuity teams or crisis management teams—include an array of professionals from disparate fields. Information is often a lubricant for the functioning of such teams, but thus far, intelligence experts who specialize in seeking out and analyzing valuable nuggets of data have had a relatively limited role across the emergency management cycle in the private sector. Today, intelligence is mostly relegated to the response phase of a disaster, potentially helping an organization narrowly swerve out of harm’s way or react to a crisis. There is a lot more room for intelligence in other disaster phases and risk and resilience leaders should take note.