In the face of national security threats, governments need to stay prepared and make prompt, appropriate decisions to protect assets and potentially save human life. Open-source intelligence (OSINT) has become valuable for driving these decisions. OSINT includes publicly-available information, indexed or not, that is accessible on the web.
In many ways, the internet has become intertwined with real-world threats. Extremist movements originate and grow in online spaces, leading to violent plotting and attacks. Online mis- and disinformation has the power to sway public opinion in the wake of democratic processes and crisis response. Physical and cyber threats to critical infrastructure, such as transportation networks, are discussed and exposed through online channels. And social media is often the first place a bystander turns to as they witness an unfolding crisis.
How does this publicly-available information actually help support national security initiatives? Here are five OSINT applications relevant to government intelligence teams.
Counter-terrorism and extremism
Foreign jihadist groups like the Islamic State and Al-Qaeda are no longer solely responsible for the threat of terrorism and extremism. Domestic extremist movements based on conspiracy theories, right-wing ideology, and discriminatory worldviews now also pose serious national security threats. This reality has become apparent through countless attacks and plots over the last two decades—in fact, right-wing extremism accounts for the majority of terrorist plots and incidents in the US since 1994.
Online spaces are leveraged in very similar ways by both domestic extremist movements and foreign terrorist organizations. Social media networks play a huge role in spreading propaganda and recruiting. Both mainstream social media sites and less-regulated networks support extremists in this process, the former enabling wider reach and the latter allowing for more explicit communications and content.
As we saw with the 2021 Capitol Hill insurrection, violent planning and mobilization are discoverable on these more covert networks. It would be rare to find such explicit plotting for jihadist groups—but online spaces, from social networks to dark web marketplaces, can provide publicly-available information relevant to terrorist financing and propaganda distribution.
Open-source intelligence is crucial to understanding how extremist groups of any background operate. Governments can then better predict public safety risks and protect citizens and national security interests from domestic and global terrorism.
Addressing mis- and disinformation
National security threats are no longer limited to the targeting of physical assets or computer systems. Citizens are also targeted through online influence campaigns, which can compromise democratic processes and lead to real-world security risks.
Mis- and disinformation can take the form of:
- Impersonating public-sector, private-sector, or personal social media accounts
- Spreading false or misleading information about a government, individual, or event
- Creating photos or videos that do not represent reality
- Reposting false content on legitimate sources
- Using misleading phrases or hashtags that quickly gain popularity
Disinformation (which is engineered to deliberately deceive) and misinformation (false information that is not necessarily spread with malicious intent) are widely prevalent online. Publicly-available information is crucial for tracking disinformation campaigns so governments can mitigate their impact and keep the public safer and more informed. This is crucial when mis- and disinformation have serious national security ramifications, such as providing false COVID-19 treatment information or influencing public opinion in the lead-up to an election.
Beyond swaying public opinion, disinformation campaigns can also aid cyber attacks (e.g. through phishing and impersonation) or extremist movement narratives—which can escalate into violent threats.
Breaching government data is financially and politically lucrative for lone-wolf attackers, organized hacking groups, and nation-state actors. Sophisticated technologies are also available to a greater diversity of adversaries than ever before. Governments grapple with a range of agile cyberattack techniques targeting their data, infrastructure, and citizens, whether or not the threat actors are backed by nation-state resources.
Persistent online threats include:
- Breaches and cyber espionage. Adversaries, especially nation-state actors, target data related to public sector technologies. Critical infrastructure systems are also lucrative targets for ransomware attacks. Extremist groups may also target the data of government entities or individuals as part of violent planning or harassment campaigns.
- Network attacks and take-downs. Distributed denial of service (DDoS) attacks can take down critical government systems and are commonly conducted by hacktivist groups and nation-states.
- Botnets. These can infect computer networks with malware or impact democratic processes by distributing disinformation through social media.
Cyber attacks also increase significantly in response to global events that elevate public anxiety—such as the COVID-19 pandemic. Following the early months of the pandemic in 2020, for example, there was an increase in malicious domains providing health information, government and public health entity impersonation, phishing, and ransomware attacks. This trend is expected to continue in the face of future public crises around the world.
Paste sites, discussion forums, and marketplaces on the deep and dark web often provide early indicators of nation-state targeted breaches, malware, and attack techniques. Combining this publicly-available information with other cybersecurity feeds can help intelligence teams more confidently predict, mitigate, and investigate cyber compromise.
National transportation networks, including airports, seaports, and highways, make up a country’s critical infrastructure. When this infrastructure is compromised, governments and security teams need to stay prepared and alert to prevent damage to assets, data, and human life.
Online data plays a crucial role in providing the information required for effective transportation security planning and incident response. Social media networks and deep and dark web content can help intelligence teams:
- Provide the earliest alerts for location-based threats near airports, seaports, and other transportation hubs
- Inform security teams about tactics used to bypass security systems or commit attacks, particularly at airports
- Monitor for threats directly targeted at the security/public sector organizations themselves
- Stay alert to vulnerable data that could compromise a transportation network’s digital or physical security
Addressing national and global crises
When a national crisis occurs, governments must make timely, informed decisions to protect their data, assets, and citizens. As we’ve seen with the COVID-19 pandemic, adversaries often co-opt real-world events through digital attack surfaces. Major real-world events require response efforts in both a digital and physical context, and open-source data can help generate intelligence on both fronts.
Whether it’s a natural disaster, public health crisis, or terrorist attack, intelligence teams need to know:
- Where is the crisis occurring, what does the damage/impact look like, and what is likely to happen next?
- Where are resources required?
- How are other countries responding to the crisis, and how can that inform our strategy?
- What information needs to be disseminated to the public, first responders, and other public sector entities?
- What activities are happening at the border or other pertinent geographical areas?
Online spaces are often the earliest sources of publicly-available information to provide this context. For example, social media users often post public updates and images from the scene of a crisis as it unfolds. Aligning this open-source data with other feeds can help provide a faster and more informed response.
The internet is a valuable source of public data relevant to national security risks, from cyber espionage to airport security threats. Online spaces can provide the context necessary to produce more timely, nuanced, and comprehensive intelligence reporting in response to these risks. Government intelligence teams must understand the value of online data in informing the intelligence process—and use tools that improve online data coverage and support more efficient data collection, processing, and analysis.
In the event of an urgent or ongoing crisis, this can mean the difference between secured data, assets, and people—and a delayed or misinformed response with potentially disastrous consequences.