Aerospace Ground Equipment craftsman remains vigilant over 761 pieces of equipment for MQ-1 Predator and MQ-9 Reaper unmanned aerial vehicles (U.S. Air Force/Christian Clausen)

Activity-Based Intelligence Revolutionizing Analysis

By Chandler P. Atwood

nformation-age technology is Intelligence, , and Recon- while also driving toward a unified advancing at a stunning pace, yield- naissance (ISR).1 The vast amount of strategy with the IC. The primary I ing increasingly complex informa- information that the Intelligence Com- strategy thus far has been acquisition tion architectures, data accessibility, munity (IC) collects demands a trans- based, looking to industry and research and knowledge management—all of formation in the way the Department and development organizations to which have created the conditions for of Defense (DOD) intelligence enter- provide the next best tool and soft- a leap in intelligence processes,” stated prise processes, organizes, and presents ware, rather than addressing the more Lieutenant General Robert Otto, the data. The enterprise must embrace existential requirement of advancing Air Force Deputy Chief of Staff for the opportunities inherent to big data analytical and transforming antiquated and processing methods. In our current diffuse and multipolar Lieutenant Colonel Chandler P. Atwood, USAF, is Chief of the Commander’s Action Group for the Deputy threat environment, the DOD intel- Chief of Staff for Intelligence, Surveillance, and Reconnaissance. He was previously a National Defense Fellow at The Washington Institute for Near East Policy and Squadron Director of Operations at the ligence enterprise faces the daunting National Air and Space Intelligence Center. task of discerning abnormal and/or

24 Forum / Activity-Based Intelligence JFQ 77, 2nd Quarter 2015 significant activities from normal patterns Figure 1. The Four Vs of Big Data of activities. To truly revolutionize and ta fundamentally change from an individual Da V of o s lum exploitation process to analysis-based rm e Fo Air Moving target : S tradecraft, the enterprise needs to harness e c t indication radar a ra Space le the potential of big data, replacing the a o p Cyber f methodology of individually exploited is D D a : Ground t pieces of data with an activity-based y a t Measurement and e Coalition i analysis approach, known as Activity- r signature intelligence a Human intelligence Based Intelligence (ABI). Use of the ABI V Human intelligence Open-source intelligence methodology will enable our intelligence Open-source intelligence analysts to focus on hard problems with Cyber critical timelines as well as normal day- to-day production activities across the Full-motion video V Ambiguities spectrum of conflict. This methodology e Wide Area l Incompleteness o will aid in the development and under- c Augmentation System i False positives a t Overhead Persistent Infrared t standing of patterns of life, which in y a : False negatives turn will enable analysts to differentiate D Moving target indication D a Redundancies f t o abnormal from normal activities as well a Open-source intelligence y A t as potentially defining a “new normal.” n Signals intelligence in a a l rt Furthermore, the sharp incline in the ys e is c amount of data, recent information w n h : U il y technology (IT) advances, and the ABI e i cit n M era methodology impel significant changes otion V within the traditional DOD intelligence production model of PCPAD (planning instance, U.S. and North Atlantic Treaty national and tactical intelligence due to and direction, collection, processing and Organization forces in Afghanistan have a preoccupation with data exploitation. exploitation, analysis and production, and suffered losses when they were surprised DCGS is a system with a laser focus on dissemination). by an unexpected larger insurgent force single-source, quick-look reporting. It not detected and relayed in time even does not provide larger discovery from Big Data: A Problem when there were ever-present ISR assets the integration of multiple intelligence or Opportunity? operating in a permissible environment.3 (multi-INT) disciplines and sources. Today’s IC faces the data challenges of This assertion still stands true today and Since 2003, the Air Force DCGS and the “four Vs” with persistent sensors portends an enduring DOD intelligence the greater DOD intelligence enterprise soaking the battlespace: variety, volume, enterprise challenge of integrating dis- have seen a steep growth in the number velocity, and veracity. The DOD intel- parate datasets into a clear picture for of sensors with multiple exponential in- ligence enterprise processing, exploita- warfighters and their commanders across creases in the data each produces, as well tion, and dissemination (PED) systems all types of battlespaces. Whether we as the multiple forms of data formats they and analysts cannot keep pace with the reflect over the last 13 years operating in must process and exploit. For instance, four Vs inherent in big data or continue a permissive environment or look to the we started this era with a strong and to mitigate the tendency of each orga- future in a potentially highly contested growing dependence on a narrow field- nizational entity to build stovepiped battlespace, DOD intelligence organiza- of-view full-motion video (FMV) MQ-1 systems with poor interoperability tions will operate in domains in which all Predator observing a 0.1 x 0.1 kilometer overall.2 The IC has dealt with data four Vs of data combine to create the big (km) “soda straw” spot on the ground. volume and velocity issues for decades, data conundrum. Today our DCGS core sites focus on but the challenge has more recently Most DOD intelligence enterprise processing, exploiting, and disseminat- expanded to include the full complexity analysts contend that “drowning in data” ing intelligence from dozens of MQ-1 of big data with variety and veracity leaves our intelligence organizations combat air patrols while also absorbing added to the equation as illustrated in afflicted with overstimulation and over- increased data from newer sensors with a figure 1. whelmed with man-hour intensive PED. much larger target area coverage. In the Even today in Afghanistan where ISR Specifically, the DOD Joint Distributed future, wide area airborne surveillance forces have been redundantly layered for Common Ground System (DCGS) programs of record will have a sensor years, the creation of a timely, coherent enterprise fits this paradigm and has yet coverage area of an enormous 30 x 30 picture gained from integrated, multi- to reach its full potential of networking km. These advances in motion video source intelligence data is a rarity. For and integrating the entire spectrum of coupled with the expansion of sensor

JFQ 77, 2nd Quarter 2015 Atwood 25 coverage across the spectral bands, such will come from replacing the method- in ways that cannot be done today with- as the data intensive hyperspectral sen- ology of individually exploited pieces of out proper automation. By accumulating sors, and the burgeoning light detection data with Activity-Based Intelligence. the multi-INT data on individual activi- and ranging sensors drive a significantly ABI is a high-quality methodology for ties, an ABI analyst can correlate activities, greater data problem concerning the maximizing the value we can derive from detect anomalies, and discover links four Vs. The list goes on, with increasing big data, making new discoveries about between objects. The derived object and signals intelligence (SIGINT) sensors adversary patterns and networks, yielding network knowledge will enable the dis- and moving target indicator (MTI) sen- context, and therefore also providing covery of new facilities, links and nodes, sors as well as the growing integration greater understanding.6 The information and patterns of activity. An ABI analyst of overhead persistent infrared (OPIR) age now brings the potential for techno- correlating activities and resolving objects data and nontraditional measurement logical improvements to harness big data will enable real-time tipping and cueing of and signatures (MASINT) sensors into in such a way that true ABI methodology sensors, thereby driving collection, again, the IC enterprise. This ever-expanding can indeed become a reality. in ways that cannot be done today.9 list of data generators leaves the ISR operators in a state of near paralysis and Activity-Based Intelligence Methodology in Action the training shops and leadership saying, Activity-Based Intelligence has already The confluence of four Vs in big data “enough is enough.”4 Today’s focus on been defined in many different ways, requires a significantly different way single-source exploitation in an envi- and after many months of debate, a of handling the task(s) that traditional ronment of multisource data availability codified and agreed-upon definition, intelligence methodologies cannot clearly hinders analysts from understand- based on Under Secretary of Defense support. For instance, the Intelligence ing and conveying the overall meaning of for Intelligence guidance, finally exists: Community reportedly had pieces of the integrated results. “ABI is a multi-INT approach to activ- information that provided indicators of In today’s dynamic and complex ity and transactional data analysis to the impending August 21, 2013, chem- battlespace, the DOD intelligence resolve unknowns, develop object and ical weapons (CW) attack in Syria, but enterprise requires near simultaneous network knowledge, and drive collec- seemingly failed to process and integrate access to and analysis of data from a tion.”7 The following paraphrasing may the information in time to portend such multitude of sources and disciplines— resonate more with DOD ISR profes- an attack. According to a White House thereby embracing big data. These sionals, enabling a better understanding Press Secretary official report, “In the integrated disciplines should include at a of ABI, though not intending to replace three days prior to the attack, we col- minimum SIGINT, human intelligence or circumvent the established definition: lected streams of HUMINT, SIGINT (HUMINT), geospatial intelligence and GEOINT that reveal regime activ- (GEOINT), MASINT, and even ABI is an analysis methodology which ities that we assess were associated with open source intelligence (OSINT) to rapidly integrates data from multiple preparations for a chemical weapons understand the problem and provide INTs and sources around the interactions attack.”10 This reported shortfall raises actionable intelligence to warfighters. of people, events and activities, in order to troublesome questions for the analytical Today’s analysts tend to develop an discover relevant patterns, determine and integration capabilities of the IC and expertise in only one or two of these identify change, and characterize those provides a hypothetical backdrop from disciplines, resulting in their inability to patterns to drive collection and create deci- which to develop an ABI tradecraft understand and convey the overall mean- sion advantage.8 workflow template applying its four ing of the integrated results potentially pillars and main enablers.11 obtainable from all data. ABI is an inherently multi-INT meth- Perhaps the individual agencies had In spite of big data overwhelming odology that invokes a transformational the data 3 days prior but failed to (or our existing ISR exploitation capabilities, approach to data processing and analysis. were unable to) integrate all the data there are indications that change is start- The methodology uses a large volume from their respective data streams in ing to occur. The increase in sensors and of data from a variety of intelligence order to first derive understanding and resulting vast amounts of disparate data sources to enable data correlations that, then to identify key indicators of ab- coupled with the increasing capabilities among other things, drive discovery of normal activity in a way that would lead of IT systems to handle the deluge are weak signatures and patterns in a noisy to a credible, defendable conclusion. transforming intelligence analysis. The data environment. This methodology Conceivably, the data associated with traditional process of stitching together will fill critical gaps in single-source data the individual intelligence components sparse data to derive conclusions is now PED processes. It will also help resolve only made sense after the attack, when evolving to a process of extracting conclu- unknowns through the process of cor- the events were manually retraced and sions from aggregation and distillation of relating activity data with information integrated across the other data sources big data.5 Although IT solutions will en- about the attributes, relationships, and through a manpower extensive post- able our analytical shift, the largest impact behaviors of known and unknown objects event reconstruction.

26 Forum / Activity-Based Intelligence JFQ 77, 2nd Quarter 2015 The ABI methodology will revolu- Figure 2. Traditional and Current PCPAD Intelligence Process tionize the analytic processes applied to situations like this example in a way that will enable automated real-time correla- All-Source Finished tion of data and information from current PCPAD Timeline Reporting Intelligence Analysis collections as well as through archived GEOINT SIGINT MASINT HUMINT data sources. These data correlations can establish baseline understanding of the Multi-INT information, historic trends of activity, Integration and Analysis and provide identification of anomalies. Multi-INT Analysis

When in action, the ABI methodology Content-Dominant has four, not necessarily sequential, pil- Single-Source Stovepipes lars: georeference to discover, integrate before exploitation, data (sensor) neutral- ity, and sequence neutrality.12 Single-INT Exploitation

The absolute first step in the ABI Time-Dominant methodology must be georeference to discover. All data sources should be spa- tially and temporally indexed at the time of collection rather than treated as an Processing afterthought or last step in the analytic process as often accomplished today Essential Elements of Information Key Intelligence across the IC, if possible. ABI depends Priority Intelligence Requirements Direction Planning, Questions on a variety of multi-INT data that need Commander’s Critical Information Requirements and Collection to be integrated to fill holes in sparse single-source datasets. To mitigate gaps becomes a relationship “map” of the ob- Still, much of the IC continues to in single-source data, all of the collected jects and entities and their transactions, be mired in a linear process that relies data must be “georeferenced” to a spe- such as those activities surrounding too heavily on a preset targeted collec- cific point in space and time.13 Only then preparatory CW attack efforts. Even tion strategy as well as an independent will an ABI analyst be able to correlate, in contested battlespaces, where data single-source PED and analysis process integrate, and cluster the multi-INT data sources are sparse, it is only through to address intelligence gaps. Yet by em- around a “spot of interest,” enabling the georeferencing all the available multi- bracing the ABI methodology, the IC discovery of entities, activities, transac- INT data that the ABI analysts can begin can overcome profound yet surmount- tions, and begin to relate them.14 Having their workflow. able challenges of transforming this preconditioned data, with explicit spatial After georeferencing the collected antiquated intelligence process and the and temporal aspects, allows the ABI data within the ABI context, it will related analytic tradecraft into one best analysts to spend more time applying be integrated before exploitation. suited for success in today’s data-con- contextual knowledge to the problem set, Georeferenced data are associated at gested enterprise. focusing their analysis. the earliest integration point, before an During execution, the PCPAD model Using Syria’s use of chemical analyst conducts detailed exploitation and narrowly focuses on a linear approach to weapons as a backdrop, what if regime analysis, not at the end of the production pushing data, typically single-sourced, personnel were observed operating in an process. The ABI methodology looks to address an intelligence gap driven area used to prepare chemical weapons for relationships at the earliest point of by causation, like Syria’s CW example. in the days leading up to the attack? consumption, applying context earlier In this traditional method, some infor- Hypothetically, we could call this an than in the classic intelligence process. mation may have been inadvertently analysis failure where the IC had the in- That process, codified in joint doctrine discounted during the stovepiped dications but did not integrate and make as a production model of PCPAD, exploitation process. In some cases, sense of the incoming multi-INT data integrates exploited and analyzed sin- the relevancy of the information only fast enough. Imagine instead HUMINT gle-source information at the end of the develops significance when associated and other data sources not fully used in process.16 When executed, the PCPAD and integrated with another data source the analysis had been georeferenced and model narrowly focuses on exploiting at the time of exploitation. The ABI temporally tagged at collection, enabling the stovepiped data first and then passing methodology will provide the means of an ABI analyst to retrieve and integrate to a multi-INT or all-source analyst to avoiding the trap of viewing data from a the sources through an interactive spatial integrate the different pieces of exploited single source or multiple sources of the application tool.15 The ABI product then data as depicted in figure 2. same discipline and making what may

JFQ 77, 2nd Quarter 2015 Atwood 27 Figure 3. How ABI Transforms the Traditional Intelligence Process In addition to PCPAD’s inherent inflexibility to integrate single INT ABI Analysis All-Source sources earlier in the process, it relies Multi-INT Integration Analysis too heavily on an antiquated preset tar- Answers AOR/AdversaryAOR/Adversary geted collection strategy against known Access to Data SystemsSystems SMEsSMEs andand ContextualContextual adversary targets. The PCPAD premise GEOINT SIGINT OSINT MASINT HUMINT ApplicationApplication of targeted collection is highly reliant on Discovery Multi-INT known and distinguishable signatures Analysis of supported with doctrinally aligned tactics, Exploited Data techniques, and procedures (TTPs) to be Products effective against such threats. The post– Integration Cold War’s diffuse and complex threat Big Data environment displays inherently nonstate threats, fleeting signatures, and minimally supporting doctrine from which to focus PCPAD’s target-based collection strategy. Processing To transform the current paradigm from a deliberate fixed target focus requires a revised model. Data The ABI methodology does not have a traditional target-centric approach to analysis, like observing specific CW

Essential Elements of Information stockpiles and production facilities on

Planning Key Intelligence Priority Intelligence Requirements a daily basis. Using the integrate before and Direction Questions Commander’s Critical Information Requirements exploit ABI pillar, the analyst is informed by the commingled data, allowing him to well prove to be inaccurate or incomplete drive additional analysis including the search for observables and to potentially value judgments before understanding time-dominant exploitation requirement discover a threat signature or indicator the full picture. of the GEOINT, SIGINT, and any that was not discernable in the PCPAD In so doing, the ABI methodology additional INT data pertaining to that paradigm. An ABI analyst integrating a enables analysts to sift through large vol- area. In this case, the time-dominant ex- variety of disparate datasets in this fashion umes and varieties of data to see how the ploitation of the HUMINT or SIGINT may have provided the activity linkage data overlap and intersect, identifying as- provides the GEOINT analyst with leading up to Syria’s CW attack well be- sociations and enabling significant events enough insight to focus his exploitation fore the intelligence process reached the to rise above the noise of data triage. For efforts on a specific area of the imagery, all-source analyst. instance, in our previous CW example, potentially reducing exploitation re- Furthermore, the observed activity, let us now presume a HUMINT or sources. Assuming limited information potential discoveries, and identification of SIGINT tip, not “finished intelligence” is available to corroborate potentially gaps surrounding a specific problem set reporting, has been intercepted indicating anomalous activity, a dynamic re-tasking will in turn drive current and subsequent that the use of CW had been ordered. of sensors could be conducted, driving collection requirements as depicted in This is information that could have been real-time collection. After the ABI analyst figure 3, with the arrow from “discov- integrated earlier in the intelligence commingles the various pieces of data ery” to “planning and direction.” This production process. A GEOINT ana- and identifies key pieces, exploitation correlated data discovery will potentially lyst routinely observing imagery may begins to occur within each INT, provid- answer questions that were never asked or have not seen abnormal activity days ing the results to the multi-INT analysts the analysts were unaware of the answers leading up to the attack. However, if to conduct integration of the exploited or how to answer the question in the the HUMINT or SIGINT tip had been information and address the intelligence past. Accordingly, the collection manager known by the GEOINT analyst at the questions as the process continues to and end customer do not necessarily need time of imagery exploitation, then what add additional information. Finally, an to know beforehand how the analysts was potentially disregarded as insignif- all-source analyst may receive the multi- plan to use the data, unlike the traditional icant activity may have been associated INT integrated information to provide targeted collection model. Such a trans- with preparatory CW operations and additional context and subject matter formation will likely drive predetermined identified as such. expertise to this ABI methodology dis- collection decks obsolete, while also As depicted in figure 3, this poten- covered intelligence of preparatory CW enabling the analysts to improve their tial ABI-derived discovery would then operations. understanding and build specialized

28 Forum / Activity-Based Intelligence JFQ 77, 2nd Quarter 2015 Distributed Common Ground System–Army Program Manager assesses tactical glasses demonstrated at Enterprise Challenge 13 (U.S. Army/Kristine Smedley)

collection strategies with faster decision aperture radar [SAR] imagery). Likewise, international humanitarian organizations cycles and anticipatory analysis. an ABI analyst must accept a nonspatial and hospitals.19 Of course, an ABI ana- The first two ABI methodological or georeferenced data source because it lyst has to understand and account for approaches of georeference to discover may act as a tip for other sources. For the confidence, reliability, and potential and data integration before exploitation instance, SIGINT or HUMINT data errors in the data source as well as the in- with their focus on multi-INT data clus- that may have an error of probability terrelationships of what the data from the tering can enable the discovery of new that geographically covers a large city separate sources are providing and their intelligence in a noisy data environment. and cannot be pinpointed to a specific integrated results. Moreover, these new methods can also suburb or facility must be treated as just Much of the collected data prior to fundamentally transform the PCPAD and as viable as a piece of information with an event or abnormal activity, such as traditional analytic processes to be more exacting coordinates. Also, a fleeting the activity observed 3 days prior to the responsive to analyst and warfighter needs. piece of intelligence, like transitory CW CW attack, would likely appear irrele- The next pillar to achieving the ABI preparations and the nonpersistent nature vant at the time of initial exploitation. methodological transformation occurs of poisonous gas when employed, must However, the observed CW activity can only when we take a data (sensor) neu- reside at an analyst’s fingertips to cor- be quickly identified as significant when trality approach. This pillar is predicated relate with the other pattern developing an ABI analyst applies the sequence neu- on accepting all data sources—that each multi-INT data. Additionally, the data trality approach, the fourth pillar of ABI. can potentially be equally viable and that must encompass a full range of sources, Essentially, ABI analysis of the data may one data source or piece of data is not to include OSINT, especially social media happen immediately, or the data may not biased over the other.17 In this case, an (for example, YouTube).18 For instance, become relevant until the analyst acquires ABI analyst does not favor any particular local Syrian social media reports of the more data and is able to develop a pattern intelligence discipline (for example, CW attack numbered in the thousands, of activity.20 As such, previously collected SIGINT) reporting over any other data with hundreds of videos to confirm the source (for example, GEOINT synthetic attack and highly credible reporting from (continued on page 32)

JFQ 77, 2nd Quarter 2015 Atwood 29 Five Examples of Big Data Analytics and the Future of ISR

By Jon A. Kimminau

hen we talk about U.S. Air These three elements are at the heart cation. Big data analytics will help us Force intelligence, surveil- of big data applications in the commer- move to a digital “commons,” organize W lance, and reconnaissance in cial and information technology digital our data in uniform manner across 2023, we often depict it graphically as space. But more importantly they are at all our sources, and then bring new beginning with a global array of sensors the forefront of future intelligence de- applications for exploring the data to an that produces a variety of data absorbed velopments and will greatly impact every analyst’s workstation. in a cloud, from which multisource and activity. all-source analysts produce decision Assessment advantage for both national and com- Discovery Intelligence assessment is the ability to batant decisionmakers. Big data analyt- Intelligence discovery is the ability to provide focused examination of data ics is at the core of this vision, and its select, manipulate, and correlate data and information about an object or an impacts to intelligence analysts and the from multiple sources in order to iden- event, to classify and categorize it, and way they execute their mission will be tify information relevant to ongoing to assess its reliability and credibility in multifaceted. operations and requirements. Discovery order to create estimates of capabilities How can we describe these impacts? is about better organizing and using and impacts. Assessment is how intelli- What are some examples or ways to the data that we already know. It is gence determines what our consumers show how big data analytics will work? also about finding previously hidden should be concerned with—and how To answer these questions, we must first patterns and anomalies—former Sec- concerned they should be. Imagine in understand what is meant by big data retary Donald Rumsfeld’s “unknown the future a military strike against a ter- analytics and how it can be distinguished unknowns.” Imagine in the future that rorist target in a Central Asian nation, from most of our present analysis opera- a Pacific Air Forces air operations center using an unmanned aerial vehicle. Com- tions. There are three essential elements analyst is examining air activity in the manders want to know the success of to true big data analytics: South China Sea over the past 2 weeks the strike. An analyst, drawing on near- and notes a pattern of flights from select real-time imagery and past information A high volume, velocity, and variety •• Chinese bases to outposts in the Paracel about the site and activity around it, of data with both time and space and Spratly Island groupings. Using an uses an application that detects all dimensions from multiple sources application, the analyst isolates bases changes. In addition, the application are collected and metatagged in an of origin and destination and filters the provides a visualization of the reactions information “cloud.” past 4 months of data to visualize the of both people and objects in the target Applications that allow analysts to •• activity. She discovers a pattern that vicinity. Synthesizing this information manipulate, visualize, and synthesize may be a shuttle operation of troops rapidly, the analyst can provide near- the data, leveraging relationships to outposts from which the troops real-time battle damage assessment to between data elements, must apparently do not return to home the commander, reporting that the be dynamically developed and base. This activity is then reported by primary physical target was destroyed, accessible. the analyst as a previously unknown that bodies were present, and that Analyst operations on the cloud— •• buildup of Chinese forces in disputed vehicles appeared to take some persons their projects, queries, folders, islands, which may lead to international away from the target area at speed. access—must be captured and confrontation. Our ability to discover Although communications from the continuously added to the cloud as this kind of activity today is severely high value individual (HVI) ceased at additional metatagged data. restricted by an inability to understand the strike, the vehicle departure with a what we have already got. The data are body is included in the assessment that derived from varying sensors, compiled “the target was physically destroyed; X Dr. Jon A. Kimminau is a Defense Intelligence in separate databases, and not accessible persons killed and Y possibly injured; Senior Leader and the U.S. Air Force Analysis and manipulable by any single appli- therefore, we are confident the HVI Mission Technical Advisor.

30 Forum / Activity-Based Intelligence JFQ 77, 2nd Quarter 2015 was injured or killed in the action.” At problem, rather than a “push” system blown finished intelligence estimates— another level, the theater commander is where analysts may be automatically and intelligence services, ranging from apprised in near real time of the results alerted to other similar work. Big crew threat briefings to daily intelli- of several simultaneous strikes, provid- data analytics expands the avenues for gence assessments at headquarters to ing an assessment of campaign effective- collaboration and multidisciplinary, real-time analyst response to requests ness. Our ability to execute both kinds shared expertise in a global, distributed for information. Imagine a flag officer of assessment today is hampered by lack enterprise. in a theater combatant command posi- of access to multiple sources, varying tion reading a classified daily briefing on levels of security controls, a lack of tools Anticipation a digital pad. One item deals with a past to rapidly correlate and visualize the Intelligence anticipation is the ability to day event of a U.S. reconnaissance plat- data, and lack of command and control warn and describe future states of the form being intercepted by an adversary applications to aggregate the reports environment based on the manipula- military fighter. The senior leader then into a near-real-time campaign battle tion and synthesis of past and present taps an icon titled “recent recce [recon- damage assessment. data. Anticipation includes near-term naissance] intercepts” and is provided a warning and longer term forecasting list of both local and global intercepts Explanation to alert and prepare decisionmakers to for the past six months. Noting several Intelligence explanation is the ability to events relevant to their responsibilities. in his own area of responsibility, the examine events and derive knowledge Imagine a Central Air Forces analyst leader also taps an icon titled “recent and insights from interrelated data in whose responsibility is force protection provocative incidents” and discovers order to create causal descriptions and surveillance of remaining U.S. bases in several ship confrontations in inter- propose significance in greater contexts. Afghanistan. Years of experience and national waters and an intelligence Explanation is how intelligence pro- lessons learned by the Joint Improvised estimate and open news media editorial vides our consumers narrative stories, Explosive Device Organization have both assessing the increased provoca- relates events to broader situations, and been incorporated into system alert tions as being intended to influence an identifies the core of what is going on. templates for a warning application. upcoming Secretary of Defense military Imagine in the future a U.S. European These templates respond to a variety visit. The ability for a consumer to draw Command analyst is tasked to look at of intelligence and open-source inputs on the context of an intelligence report an incident of civil unrest in southeast- when activated and focused on desig- service for a broader variety of relevant ern Lithuania. After composing and nated areas. When a large vehicle being information exists only in a limited executing a query and defining an area towed on a major road near one base fashion today—dependent on extensive, of interest, the system presents not only apparently stalls, sufficient indicators in manual preparation of the background information on the event in question, the template create a warning for the data and hyperlinks to it—but a big data but also that a fellow analyst is looking analysts of a potential massive car bomb infrastructure can automate the founda- at a similar event in Estonia and that situation. The analyst reports the alert tional background analytics. two other events of the past week are to base leadership and security teams, Big data analytics offers the potential under examination by others. Examin- and protocols are followed to isolate and to revolutionize how analysis supports ing the project folders of these analysts, assess the vehicle. This kind of anticipa- our warfighters and national decision- she then follows a thread about Russian tory intelligence is possible today only makers with intelligence—the decision troop movements along the borders when collection resources are focused to advantage in national security. This and an aerial reconnaissance intercept deployed exploitation centers, and ana- revolution extends across the spectrum of a North Atlantic Treaty Organization lysts there have both attention on the of intelligence analysis activity—from platform by a Russian fighter. Collabo- situation and the personal experience to discovery and assessment, to explanation rating with these and other analysts, an look for appropriate indicators. Big data and anticipation, to delivery. JFQ intelligence estimate is produced that analytics can incorporate that experience projects a building confrontation of into applications, cast the security net far Lithuanian and Estonian separatists with wider, and recognize potential situations host countries and potential provoca- much quicker. tion by Russian border elements. This type of assessment is difficult to produce Delivery today as data and information sets are Intelligence delivery is the ability to often segregated by type of source and develop, tailor, and present intelligence regional assignment. In addition, while products and services according to analysts can collaborate today, it is more customer requirements and preferences. often a “pull” system where one asks Delivery is about both intelligence those who are known to be working a products—from tactical reports to full-

JFQ 77, 2nd Quarter 2015 Atwood 31 (continued from page 29) accomplish this, the architecture must transparency—allowing a seamless collab- be able to scale to the level required to orative environment.25 and archived multi-INT data analyzed retrieve and transmit the vast new and The Defense Information Systems in a forensic manner can be as or more old data sources and store the datasets Agency (DISA) has been charged with important than data obtained near real efficiently for extended periods of time the herculean task of consolidating and time.21 Additionally, an ABI analyst will for archival analysis. integrating multiple DOD networks into not be biased toward an archived dataset Available technologies such as one common, shared network known that was specifically part of the targeted the Cloud and High Performance as the Joint Information Environment collection deck. In fact, incidentally col- Computing with advanced algorithms (JIE). Ostensibly, the JIE currently faces lected data may be as or more significant have matured rapidly and may provide the challenge of interacting and com- than data collected in a targeted fashion. the proper solution space to handle peting DOD program offices and being In some cases, data may need to be reex- the data storage dilemma and process- funded only by participants who desire ploited and analyzed based on additional ing of complex datasets that enable increased IT efficiencies. Furthermore, information or may be repurposed for a ABI. However, the Cloud and High the IC ITE task force recently stated different target within the same collection Performance Computing do not com- that the JIE “is neither an enterprise window. pletely resolve the requisite architecture (requiring common mission and leader- and bandwidth requirements to transmit ship) nor an architecture (requiring tight Establishing the ABI 26 Methodology and retrieve large disparate datasets management of implementation).” In from the sensor to the analyst in a timely fact, Admiral David Simpson, DISA Vice The described examples reveal how ABI fashion. Director, pointed out that the JIE “is not methodology provides insight earlier The time is right to move toward an a program of record or a joint program in the intelligence process, enabling integrated DOD and national intelligence office.”27 This troubling state of affairs analysts to spend more time gaining enterprise architecture “with budget suggests that DOD should reexamine context and analyzing the problem, realities, current state of technologies and the JIE and the end-goal of creating a while machine-to-machine processing a sense of urgency in the IC leadership all common, integrated network when it interfaces and correlates the georef- combining to create an optimal climate does not include complete DOD buy-in, erenced data automatically. This new for positive change,” according to the and more important, is not in sync with paradigm, as reflected in figure 3 (with IC Chief Information Officers in an the IC ITE construct. This two-pronged flipped pyramid), reveals how the DOD IC Information Technology Enterprise approach with both JIE and IC ITE will intelligence enterprise could shift its (ITE) white paper.23 In 2012, the drive many DOD intelligence organiza- model of exploiting approximately Director of National Intelligence moved tions to pick between the two or, even 80 percent of the collected data to to transform a historically agency-centric worse, to have to develop a hybrid system one focused only on the pertinent 20 IT approach to a new model of common that interacts with both. In fact, the Air percent.22 By analyzing only the perti- architecture—labeled IC ITE, which will Force ISR 2023 strategy contends that nent information and focusing the PED provide the IT shared services model to handle the challenges of data overflow efforts, there will be a net manpower for the national IC. The five leading and to transform to an ABI methodology, and cost savings to answer the key intel- national intelligence agencies—Central the Air Force ISR enterprise must be a ligence questions in an ABI-enabled and , National Security “full partner of the IC-ITE and JIE.”28 discovery focused environment. Agency, National Geospatial-Intelligence This approach portends an enterprise The DOD intelligence enterprise Agency, Defense Intelligence Agency, and with uncommon IT services, disparate must avoid the temptation to focus purely National Reconnaissance Office—have architectures, and an untenable budget on acquiring the next widget or-specific combined efforts to move the com- during a more constrained economic toolset and focus first on developing the munity to a “single, secure, coherent, environment. proper big data–enabled analytic envi- mutually operated and integrated IC IT ronment. Although these developmental Enterprise.”24 With over 70 percent of Conclusion ABI toolsets will be invaluable to even- the IC under DOD, the IC and DOD Using the four-pillared approach, ABI tually executing the methodology, the have ideally paired to share a common vi- will provide solutions to assembling an first foundational step for DOD to derive sion and have a similar timeline and path answer by fitting small bits of linked yet maximum value from its data must be to ahead to ensure a broader intelligence disparate information from brief ISR ensure that the sensor collection-to-anal- enterprise approach. The DOD and IC windows into a complete picture. This ysis timeline is quick enough to detect a share the same vision but are working will enable analysts to pull meaningful pattern. This process must take place in a on parallel solutions that are not neces- images from a sea of pictures, enabling matter of minutes to be truly actionable sarily creating a completely integrated discovery and greater context across the by a warfighter, not days (as seen in to- intelligence enterprise with analytical fabric of data for subsequent analysis. day’s multi-INT analysis paradigm). To The success of ABI relies on the inte-

32 Forum / Activity-Based Intelligence JFQ 77, 2nd Quarter 2015 gration and correlation of truly large of understanding. Only then will we be for Intelligence Symposium, Defense Strategies Institute, November 2013. amounts of multi-INT data, as well able to address the near peer countries 23 Accenture, “Driving High Performance as the tools to handle and appreciate and asymmetric threats, exhibiting weak in Government: Maximizing the Value of Pub- what the ABI methodology is revealing. and nonpersistent signatures for tactical lic-Sector Shared Services,” The Government Many analysts coming out of operations and strategic production needs. JFQ Executive Series, January 2005; Terry Roberts in Iraq and Afghanistan presuppose et al., White Paper, “Intelligence Community Information Technology Enterprise: Doing in that ABI is only enabled by persistently Common What Is Commonly Done,” Intelli- collected data, like ubiquitous full-mo- Notes gence and National Security Alliance, February tion video, on activity and transactions 2013. 1 over a broad area. However, ABI truly Robert P. Otto, Air Force ISR 2023: 24 Ibid. Delivering Decision Advantage (Washington, 25 harnesses big data by using a variety of Ibid. DC: Headquarters Department of the U.S. Air 26 Ibid. integrated sources regardless of sensor Force, 2013). 27 Amber Corrin, “JIE’s Murky Progress 2 platform. Even in contested battlespaces Lydia Ines Rivera, Debbie Salierno, and Raising Questions,” FCW [Federal Computer such as the hypothetical CW example, Allen Siwap, “Multi-Intelligence Distribution Week], August 27, 2013. ABI does not necessarily depend on Architecture,” Capstone Team Project, Univer- 28 Otto. sity of California, San Diego, 2013. 24/7 sensor coverage—it builds on a 3 Michael W. Isherwood, Layering ISR variety of multi-INT data that can be Forces, Mitchell Paper 8, (Arlington, VA: integrated to fill holes in sparse sin- Mitchell Institute Press, December 2011). gle-source datasets. 4 John K. Langley, “Occupational Burn- The DOD intelligence enterprise out and Retention of Air Force Distributed Common Ground System (DCGS) Intelligence must look over the horizon to an ABI Personnel,” RGSD-306 (Ph.D. diss., Pardee analytic environment where such ISR RAND Graduate School, 2012). sources as streaming FMV, MTI, OPIR, 5 Michael Farber et al., Massive Data SIGINT, MASINT, SAR, spectral, Analytics and the Cloud: A Revolution in and thermal imagery are integrated at Intelligence Analysis (McLean, VA: Booz Allen Hamilton, 2011). the post-processed and georeferenced 6 Letitia A. Long, “Activity Based Intelli- entry point and compared with archived gence: Understanding the Unknown,” The In- collected data in an automated fashion. telligencer 20, no. 2 (Fall/Winter 2013), 7–15. By harnessing a new IT environment 7 David Gauthier, “Activity-Based Intelli- enabled by ABI methodologies, analysts gence Definition for the Intelligence Commu- nity,” National Geospatial-Intelligence Agency, will be able to rely on readily available 2013. high-speed machine-to-machine process- 8 Jon Kimminau, author interview, October ing and big data to make ABI possible on 18, 2013. a large scale. These intuitive concepts will 9 Gauthier. 10 require significant effort and a unified IC “Government Assessment of the Syrian Government’s Use of Chemical Weapons on strategy to overcome the technical and August 21, 2013,” The White House, August cultural challenges of developing such 30, 2013. an information-sharing environment and 11 Shane Harris et al., “U.S. Had Intel on paradigm-shifting approach to the tradi- Chemical Strike Before It Was Launched,” tional intelligence process. Foreign Policy, August 30, 2013. 12 Gauthier. During the Cold War, the IC had a 13 Mark Phillips, “A Brief Overview of Ac- laser focus on the adversary and became tivity Based Intelligence and Human Domain adept at distinguishing and even pre- Analytics,” Trajectory, 2012. dicting Soviet strategic bomber activity 14 Gauthier. 15 and surface-to-air missile TTPs because Ibid. 16 Joint Publication 2-01, Joint and Nation- they possessed discernable signatures, al Intelligence Support to Military Operations and those signatures were embedded (Washington, DC: The Joint Staff, 2012). in doctrine. Today, the IC faces more 17 Gauthier. dynamic and multifaceted adversaries 18 Kristin Quinn, “A Better Toolbox: An- that possess fleeting signatures and min- alytic Methodology Has Evolved Significantly Since the Cold War,” Trajectory (Winter 2012), imally supporting doctrine. The DOD 1–8. intelligence enterprise must collectively 19 “Government Assessment.” invest in the ABI tools, develop analyst 20 Quinn. tradecraft, and embrace a transformed 21 Gauthier. 22 intelligence process to repossess this level Robert Jimenez, presentation, Big Data

JFQ 77, 2nd Quarter 2015 Atwood 33