pb2010105593fixed - basic counterintelligence analysis in a nutshell


Upload: thatnewguy6794

Post on 10-Apr-2015


DESCRIPTION

Cleaned up version of document from: http://www.ntis.gov/search/product.aspx?ABBR=PB2010105593 It's now split up to print on letter-sized paper in the proper order. Page numbers in the PDF are a little funky, but it works.

TRANSCRIPT

Page 1: PB2010105593fixed -  Basic Counterintelligence Analysis in a Nutshell

Introduction to CI Analysis

This guide describes a step-by-step methodology for employing analytical skills and processes. It introduces analytical tools and suggests some sources of information that can be useful in CI situations, and can help you organize and process facts efficiently and effectively.

Analytic Traps and Mindsets

Start each analytical project by clearing your mind of preconceived notions about the project and information you are about to analyze. Otherwise, you may focus on proving your preconceived solution, and in so doing, overlook relevant information.

Perception: Why can’t we see what is there to be seen? The truth is, we tend to perceive what we expect to perceive. Many factors influence perception, including past experiences, education, cultural values, and operating assumptions. To encourage objectivity and overcome tunnel-vision, analysts should solicit collaboration at points in the analytical process. Explicitly state your assumptions and reasoning, then ask others to challenge your thinking.

Memory: Anything that influences what you remember also influences the outcome of your analysis. Once you start thinking about a problem in a particular way, the same mental pathways are activated and strengthened each time you think about it thereafter, making it difficult to embrace new ideas. Make a conscious effort to be open to new information and incorporate it into the data already held in your memory, especially when it may cause you to change your view.

Cognitive Biases: Cognitive biases are mental errors caused by the human tendency toward simplified information-processing strategies. Cognitive bias does not result from an emotional or intellectual predisposition toward a particular judgment, but from subconscious information-processing procedures. As a result, we naturally pick and choose from the complete set of data and focus on a subset that suits our cognitive biases. An example is accepting what we see and hear rather than abstract information that we don’t process as easily. Also, we tend to fully accept or reject data instead of assigning a probability that the information is valid. This sets a bias, closing the mind to accepting the data as true when new supporting information is acquired.

Techniques for Overcoming Mindsets:

Basic Counterintelligence Analysis in a Nutshell
Quick Reference Guide

By Irvin D. Sugg, Jr., B.S., J.D., Course Chairman, CI Analysis Course
Joint Counterintelligence Training Academy

Quick Reference Index

Analytic Traps and Mindsets

• Perception
• Memory
• Cognitive Biases
• Tools for Overcoming Mindsets

Seven Steps of the Analytical Process

1. Identify the requirements and develop hypotheses.
2. Formulate a plan.
3. Collect and collate information.
4. Analyze and evaluate information.
5. Draw conclusions and make recommendations.
6. Produce a report.
7. Monitor new information.

| Technique | Description | When to Use |
| --- | --- | --- |
| Brainstorming | An unconstrained group process for generating new ideas and concepts. | In the early stages of conceptualizing a problem or as a mechanism to break free from a prevailing mindset. |
| Key Assumptions Check | An explicit exercise to list and challenge the key working assumptions that underlie analytic judgments. | Develop key assumptions as you begin a project, then review them once the draft is completed to check how your thinking has evolved. |
| Red Cell Analysis | Predicting the behavior of another individual or group by trying to replicate how that person or group thinks. Putting yourself “in their shoes.” | When trying to predict the behavior of a specific person who has the authority to make decisions. |
| What If? Analysis | Positing that an event with potential major (positive or negative) impact has occurred and then explaining how it came about. | When analysts are having difficulty getting a decisionmaker or the policymaking community to focus on the potential for, or the consequences of, an event occurring, or when a conventional mindset is well-engrained. |
| Outside-In Thinking | Identifying the range of systemic forces, factors, and trends that would have an impact on shaping an issue, then factoring them into the analysis. | In the early stages, when attempting to identify all the factors that could influence how a particular situation will develop. |
| Indicators | A pre-established list of observable events that is periodically reviewed to track events, spot emerging trends, and warn of unanticipated change. | As a stand-alone tool or paired with other techniques; for example, to help determine which scenario is emerging. Indicators help “depersonalize” an argument by shifting attention to a set of objective criteria. |

continued

1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities. Avoid discounting anyone’s views simply because they are unpopular with you or your organization.

2. Make a list of significant evidence and arguments for and against each hypothesis.

3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the “diagnosticity” of the evidence and arguments – that is, identify which items could be most helpful in judging the relative likelihood of the hypotheses.

4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.

5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.

6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.

7. Report conclusions that discuss the relative likelihood of all hypotheses, not just the most likely one.

8. Identify milestones for future observation that may indicate events are taking a different course than expected.
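
The matrix procedure in steps 3 to 7 above, as an added Python example that is not part of the original guide. The hypotheses are those of the Figure 1 project plan; the evidence rows, the C/I/N ratings and the 1-2 weights are constructed for illustration, and scoring by weight of inconsistent evidence and dropping one item at a time are assumed ways of implementing "try to disprove" and the step 6 sensitivity check.

```python
"""ACH matrix walk-through (added illustration; all evidence is constructed)."""

# Hypotheses across the top (the three listed in the Figure 1 project plan).
HYPOTHESES = ("spy", "innocent", "criminal, not a spy")

# Evidence down the side. Each row: (weight, rating per hypothesis).
# Ratings: "C" consistent, "I" inconsistent, "N" neutral.
# Weights (1 = ordinary, 2 = well corroborated) are an assumed scoring aid.
EVIDENCE = {
    "E1 spending exceeds known income":        (2, ("C", "I", "C")),
    "E2 subject holds a clearance":            (1, ("C", "C", "C")),
    "E3 route stops near known drop sites":    (2, ("C", "I", "I")),
    "E4 toll records show no foreign contact": (1, ("I", "C", "C")),
    "E5 cash deposits follow each trip":       (1, ("C", "I", "N")),
}


def refine(evidence):
    """Step 4: delete rows rated the same for every hypothesis (no diagnosticity)."""
    return {name: row for name, row in evidence.items()
            if len(set(row[1])) > 1}


def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Step 5: total the weight of evidence that contradicts each hypothesis."""
    scores = dict.fromkeys(hypotheses, 0)
    for weight, ratings in evidence.values():
        for hyp, rating in zip(hypotheses, ratings):
            if rating == "I":
                scores[hyp] += weight
    return scores


def ranking(scores):
    """Step 7: report every hypothesis, least contradicted first."""
    return sorted(scores.items(), key=lambda item: item[1])


def leaders(scores):
    """Hypotheses tied for the lowest inconsistency score."""
    best = min(scores.values())
    return {hyp for hyp, score in scores.items() if score == best}


def critical_items(evidence):
    """Step 6: evidence whose removal changes which hypothesis leads."""
    baseline = leaders(inconsistency_scores(evidence))
    critical = []
    for name in evidence:
        rest = {k: v for k, v in evidence.items() if k != name}
        if leaders(inconsistency_scores(rest)) != baseline:
            critical.append(name)
    return critical


def run_ach(evidence=EVIDENCE):
    """Run steps 4 to 7 over a filled-in matrix and return the findings."""
    matrix = refine(evidence)
    scores = inconsistency_scores(matrix)
    return {
        "dropped": sorted(set(evidence) - set(matrix)),
        "ranking": ranking(scores),
        "critical": critical_items(matrix),
    }


if __name__ == "__main__":
    result = run_ach()
    print("No diagnostic value:", result["dropped"])
    for hyp, score in result["ranking"]:
        print(f"  {hyp:<22} inconsistency = {score}")
    print("Conclusion depends on:", result["critical"])
```

With this constructed matrix the leading hypothesis rests on a single item (E3), which is the kind of dependency step 6 asks the analyst to examine before reporting.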

6. Produce a Report

Typical CI reports include threat assessments, trial materials, as well as graphic representations that clearly and concisely present the data. Examples are: link and matrix analyses, time event and flow charts, telephone toll analysis maps, and ACH decision matrices. These reports can be used to document the result of the analysis, and also to suggest solutions. Such reports can present a range of detail — as simple as a verbal synopsis of analytical results to a formal briefing or detailed document.

7. Monitor New Information

During the collection process, data and events can change on a regular basis. These changes can alter the result of the final analysis such that the entire requirement must be re-evaluated based upon new and contradictory information. Consequently, one must continually monitor all old and new collection sources and be open to the possibilities raised by new information.

Selected Bibliography

Heuer, Richards J., Jr. Psychology of Intelligence Analysis. McLean: Central Intelligence Agency Center for the Study of Intelligence. 1999. [Also available at http://www.cia.gov/csi/books/19104/index.html]
U.S. Department of Justice, Criminal Division, Asset Forfeiture and Money Laundering Section, Financial Investigations Guide, June 1998.
Haynal, Russ, www.Navigators.com
Gottlieb, Steven, Sheldon Arenberg, and Raj Singh. Crime Analysis, from first report to final arrest, Alpha Publishing, Montclair, CA, 1998.
Pherson Associates, LLC. Handbook of Analytic Tools & Techniques.
Sugg, Irvin D. Jr. The Counterintelligence Analytical Process, 1st Edition, Joint Counterintelligence Training Academy, 2003.

The Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is an authorized Joint Counterintelligence Training Academy (JCITA) publication. It is printed and distributed solely for Instructional Training purposes. All editorial content of the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is prepared and edited by JCITA’s Education Services Branch. Opinions expressed herein by the author and writers are their own and not an official expression by the Department of Defense. The appearance of commercial products in this publication is not an endorsement by the Department of Defense of the products depicted. All characters, companies, products and events depicted in the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide are fictitious, and no similarity with any real persons or entities, living or deceased, is intended or should be inferred. Permission to use copyrighted materials was granted by the appropriate copyright holder. Use of copyrighted materials in this document falls within the “fair use” doctrine and does not constitute an endorsement of any commercial companies depicted.


Figure 11. Analysis of Competing Hypotheses


| Technique | Description | When to Use |
| --- | --- | --- |
| Devil’s Advocacy | Challenging a single, strongly held view or consensus by building the best possible case for an alternative explanation. | Best performed just before sending a paper out for coordination or presenting key conclusions to senior officials. Also helpful when there is widespread consensus on a critical issue. |
| Team A/Team B Analysis | Using independent analytic teams to contrast two (or more) strongly held views or competing hypotheses. | Most useful when there are competing views within the analytic or policy communities or a single, strongly held view that needs to be challenged. |
| Analysis of Competing Hypotheses | Identifying a complete set of alternative hypotheses, systematically evaluating data that is consistent and inconsistent with each hypothesis, and rejecting hypotheses that contain too much inconsistent data. | When an overarching framework is needed to capture all possible hypotheses and there is a robust flow of data to absorb and evaluate. Useful for dealing with controversial issues, especially when denial and deception may be present. |
| Alternative Futures Analysis | A systematic method for identifying alternative trajectories by developing plausible but mind-stretching “stories” based on critical uncertainties in order to illuminate decisions made today. | Useful for reducing uncertainty, anticipating surprise, and uncovering “unknown unknowns” when dealing with little concrete information. |
| Quadrant Crunching | A structured brainstorming technique for challenging assumptions and discovering “unknown unknowns.” | Most useful for dealing with highly ambiguous issues, such as terrorist threats, when little data is available. |
| Deception Detection | The systematic use of checklists to determine when to look for deception, if it actually may be present, and how to avoid being deceived. | When the analysis hinges on a critical piece of evidence and accepting the data would require changing key assumptions or expending/diverting major resources. |

Tools For Overcoming Mindsets:

1. Identify the requirement and develop hypotheses

Make sure you fully understand the requirement. Clarify with who, what, where, how, and why questions, then state the question in a single sentence plus a couple of sentences of explanation.

Develop Hypotheses - Brainstorm all possible answers to the question, but don’t try to determine the correct hypothesis at this point. Your conclusions are only as good as the supporting data, and you have not yet fully evaluated it.

2. Formulate a Plan

Think of the project plan as a framework to guide collection. Decide what information is needed to prove or disprove the hypotheses and where you will get such information. Use the key elements of the question you identified in step 1 (Identify the requirement and

Seven Steps of the Analytical Process

analysis, you use accounting and auditing techniques to link financial events. You can find financial data in records from many sources: people, public records, real estate, corporate/business, UCC filings, court records, DMV, tax, and financial institutions. Spreadsheet software is very useful in financial investigations for gathering and organizing data, and for calculating the subject’s financial status. Net worth is calculated as follows: Assets – Liabilities = Net Worth. Figure 8 is an example of the use of this software in tracking net worth.

Map Analysis helps the analyst see patterns and associations that are not easily detected from texts. Layering data on the map (contacts, places, events, times) makes it easy to note the subject’s proximity to associates and activities, and may reveal tradecraft and “hot” areas. The map might show stops at or near locations associated with intelligence activities; or overlay surveillance results for multiple subjects/organizations to compare foreign intelligence entities’ routes, stops, or associations.

Pattern Analysis – All of the above analytical tools can provide a pattern of prior activities that could help predict future behavior. Timelines may show that a subject or entity has participated in specific activities on a regular basis and help project when he may do it again. Flow Charts reveal when a subject or entity has established a particular way of carrying out activities. Link Charts and Telephone Toll Analysis can show that a subject is associated with others and help predict future contacts based upon past communications. Financial Analysis can reveal spending habits. It can also show that money is received on a regular basis or after a certain catalyst event. Map Analysis can present a geographic pattern of routes with activities conducted along that route for one or more persons.

5. Draw Conclusions and Make Recommendations

After planning, collecting, and analyzing data, you must formulate conclusions and recommendations to report. It is at this point that you will evaluate the hypotheses developed in step 1 of the Analytical Process. A tool that will assist in selecting the most likely hypothesis is Analysis of the Competing Hypothesis (ACH).

Steps in Analysis of the Competing Hypothesis – With ACH you compare the supporting evidence for each hypothesis against the others. You then identify all reasonable alternatives and compete them against each other to determine which is best. Many people rely on their intuition, picking what they suspect is the likely answer, then seeking evidence that supports this point of view. If they find enough evidence to support the favorite hypothesis, they pat themselves on the back and look no further. If the evidence points to another conclusion, they reject it as misleading or develop another hypothesis, which they attempt to prove through the same procedure. This mindset prevents them from fully evaluating the data and what they end up with is the first solution that seems satisfactory. Don’t do that. Instead:


Figure 1. Project Plan

Assignment Date: 21-Aug-02
Requestor Name: Jay Pendleton
Target Completion Date: 22-Oct-02

Requirements

Purpose: Is Charles Jones involved in espionage?
Project Number: 1
Requirement Description: Gather background information concerning Jones, analyze it, and determine if he is a spy. If he is, what should we do with him.

Hypotheses:
1. He is a spy.
2. He is innocent.
3. He is not a spy but involved in criminal activity.

Information Collection Methods

Options: IIRs; Mapping - Imagery; DOD Websites; Internet; Commercial Databases (i.e., Lexis, Dunn); Relevant Databases (i.e., FinCEN); Subject Experts; Source - Witness; Surveillance; Investigative Technology (i.e., Body wire, pen reg.); Major Databases

x x x x x x

I will gather information to support or refute each of the hypotheses above and if other hypotheses are discovered, gather information on this one also.

Data Analysis Method (Software Tools, Other Tools)

Options: Timeline; Matrix; Map Analysis; Link Analysis; Database Query/Reports

x x

Will use a timeline and link analysis to make sense of the collected data. Will also use map analysis to determine if route Jones took was used by other Foreign intel agents.

Reporting Method

Options: Written Reports; Informal Briefing; PowerPoint Pres.

x x

Present findings to JAY in a PowerPoint presentation.


Figure 9. Known vs. Unknown Income

Figure 10. Map Analysis (map labels: Known Drop Sites; Surveillance Route)


develop hypotheses) to drive the collection plan. The plan should include all possible sources of information that are relevant to each requirement element, along with the planned analysis method and reporting procedures.

3. Collect and Collate Information

Collect and collate information according to the project plan.

3 a. Collect Information

The Internet has become a major source of investigative information. It provides background information on people, businesses, criminal activity, and much more. Collecting information from the Internet requires a strategy to obtain the information sought. You should be aware of your persona as you search the internet. See what you look like at coolredemo.com. You should always know what web sites know about you.

1. Follow these steps to make your search more efficient:

• Spell out your search words. Define the topic, spell out key words, acronyms. Remember “what” and “who” define the end product. (See Figure 2.)
• Strategize. Plan your approach, online resources, tools.
• Search. Get online, execute, stay focused, use advanced search features.
• Sift. Filter the results and follow the leads.
• Save. Take notes, organize results, bookmark results.

2. Use the right search tool.

• Directories (http://dir.yahoo.com) offer manually built “subject trees” and match search terms with text in the directory’s own web page, category titles, website titles, description.
• Search Engines (Google, http://search.yahoo.com) are very large databases with a search engine “robot” that explores the Internet and copies web pages into their databases. These search engines support detailed keyword searches.
• Metasearch Engines (Dogpile, Metacrawler) reach multiple databases and search engines simultaneously, returning results from each at once. Thus, the user can conduct multiple searches by entering the search criteria once. Results vary, so try more than one.
• Linear Search Engines (www.kartoo.com and http://vivisimo.com) are metasearch engines that display query results in a link chart that relates the results to other sites or sub-topics.
• Clustering Search Engines (http://clusty.com or webclust.com) are metasearch engines that extract data into groups, such as topics, sources, or urls, and display statistics showing what information relates to which part of the search criteria entered by the user.
• Virtual Libraries (Joe’s guide to widgets) are built by subject experts and focus on a specific subject. Many can be found in Yahoo web directories, indices, FAQ’s, organizations (www.vlib.com).

3. Search Mailing lists, Reflectors, Listservs email information to people who are part of the group or interest association. You can find these groups searching for your group and adding the phrase “mailing list.”

4. Search Usenet Newsgroups allow individuals to post comments on particular topics. They also allow others to post responses. You can locate these newsgroups using Google “groups” (http://www.google.com).

5. Specific Search Engines provide a deeper search for specific topics.

• Search Systems links to over 30,000 public record databases (http://www.searchsystems.net/).
• Publicly Held Business Records can be found at (http://www.sec.gov/), Hoover’s Online (http://www.hoovers.com/free/).
• Search Engines Worldwide include (http://www.searchenginecolossus.com/)
• Phone Directories, People finders, Yellow and White Page directories include (http://www.melissadata.com/lookups/), (http://peoplesearch.net/), (http://refdesk.whitepages.com/).
• Imagery can be found at http://local.live and http://earth.google.com.


required data from the telephone company is obtained, you must organize and analyze it to convert it to a useful form.

Frequency Analysis depicts the frequency of numbers called from the target phone. Figure 6 is a simple example.

Telephone Toll Analysis Charts information gleaned from phone records. The phone numbers are associated with each other according to the number of calls made between the phones. (See Figure 7.)

Financial Analysis is done to identify and document movement of money during the course of an activity. Proving someone has excess funds helps show espionage, terrorist, and other criminal activities. For example, you learn during an investigation that a suspect’s legitimate annual net income is $50,000. However, his total annual cash expenditures are $100,000. What is the source of his additional income? Gift? Trust Fund? Illegal activity? During financial

Figure 8. Concealed Income Analysis Worksheet for Sydney Slimeball

| | 12/31/99 | 12/31/00 | 12/31/01 |
| --- | --- | --- | --- |
| Assets (+) | | | |
| Cash in Bank | $5,000.00 | $7,000.00 | $9,000.00 |
| Savings Account | $7,800.00 | $18,000.00 | $20,000.00 |
| House (21005 Valenton Rd, Richmond, VA 15888) | $280,000.00 | $280,000.00 | $280,000.00 |
| Apartment Condo (1720 10th St., VA Beach, VA 23666) | $68,000.00 | $68,000.00 | $68,000.00 |
| Apartment Condo (7782 11th St., Ocean City, NJ 21842) | $0.00 | $244,400.00 | $244,400.00 |
| House (30052 Bangor Rd., Bala Cynwyd, PA 19004) | $0.00 | $0.00 | $380,000.00 |
| Lexus (1993) | $14,000.00 | $13,000.00 | $12,000.00 |
| Mercedes Benz (2001) | $0.00 | $0.00 | $37,000.00 |
| Paintings | $0.00 | $4,000.00 | $14,000.00 |
| Total Assets | $374,800.00 | $634,400.00 | $1,064,400.00 |
| Liabilities (-) | | | |
| Mortgage (21005 Valenton Rd, Richmond, VA 15888) | $180,000.00 | $179,200.00 | $178,200.00 |
| Mortgage (1720 10th St., VA Beach, VA 23666) | $40,000.00 | $39,300.00 | $38,600.00 |
| Mortgage (7782 11th St., Ocean City, NJ 21842) | $0.00 | $150,000.00 | $149,200.00 |
| Mortgage (30052 Bangor Rd., Bala Cynwyd, PA 19004) | $0.00 | $0.00 | $270,000.00 |
| Bank Loan | $35,000.00 | $32,800.00 | $20,000.00 |
| Total Liabilities | $255,000.00 | $401,300.00 | $656,000.00 |
| Net Worth | $119,800.00 | $233,100.00 | $408,400.00 |
| Less: Networth of Previous Year | | $119,800.00 | $233,100.00 |
| Increase in Networth | | $113,300.00 | $175,300.00 |
| Add: Personal Living Expenses (+) | | $64,400.00 | $81,700.00 |
| Total Income | | $297,500.00 | $490,100.00 |
| Less: Income from Known Sources, Microsoft Salary (-) | | $85,000.00 | $105,000.00 |
| Income from Unidentified Sources | | $212,500.00 | $385,100.00 |

Figure 7. Telephone Toll Analysis

Figure 2. Collect Information


• Research Portal containing references and links is Refdesk at http://www.refdesk.com.
• Live Airline Tracker is at www.aeroseek.com/links/tracking2.html.
• Real Estate information can be obtained from www.netroline.com/public_records.htm; http://realestate.yahoo.com/re/homevalues/; www.zillow.com.

6. Data Removed from the Internet can be obtained from The Wayback Machine site (http://www.archive.org/).

Federal Agency Sources can provide a multitude of unclassified and classified data sources that track people, organizations, finances, and countries. This information is collected on topics of interest to military and civilian agencies. They include aviation, postal service, border control, law enforcement, and homeland security.

Major Computer Data Sources include Federal agency databases, such as defense personnel (Defense Manpower Data Center [DMDC]), financial crimes and money laundering (Financial Crimes Enforcement Network [FinCEN]), and many others.

State and Local Sources, such as state police departments, provide criminal and forensic services.

Confidential Informants, also known as assets, confidential sources, or cooperating witnesses, can be a most valuable source of information in any investigation. Many times such sources provide specific information that cannot be obtained by any other means; often because they have been involved in criminal, espionage, or terrorist activities themselves and have trusted access to others involved in the same activities. Their reliability, and therefore, their information, must always be verified, as their motives for talking to you can range from money, revenge, fear, ego, guilt about past wrong-doing, to simple good citizenship.

Private Business Databases maintain vast records on customer purchases, financing, background, and other useful information. They also maintain information on every aspect of their business operations.

Commercial Databases contain very detailed information about people, businesses, and organizations not only in the U.S. but in many other countries. Examples include names, addresses, relatives, neighbors, home purchase price, news media from around the world, and legal research.

Investigative Technology consists of covert devices that record, transmit, and listen such that they collect valuable information undetected.

3 b. Collate Information

After you have collected all information that would support or not support each of your hypotheses, organize your information such that information relating to each hypothesis is grouped with that hypothesis.

4. Analyze and Evaluate Information

Compare, contrast, and review data, looking not only at what is there, but what is missing. Formulate leads to feed back into the analytical cycle as necessary. Specific analytical tools are invaluable in analyzing data.

Analyze

There are a number of techniques to aid in analysis, including: pen and paper analysis and computer programs (spreadsheet analysis). For example:

Timelines graphically display facts in chronological order, making it easier to understand what took place when. They are useful in preparing for interviews, conducting interrogations, informing key players, and providing clear courtroom demonstrations. Timelines can also be used to show patterns that might lead to prediction of future events.


Flow Charts show the progression of activities over time. The purpose of a flowchart is to graphically depict relationships between activities, events, and commodities.

1. Activities Flow Charts pinpoint sequential patterns of activity. It is useful in illustrating a process or sequence where one activity depends upon completion of another.

2. Event Flow Charts is a timeline of an organization and/or individual’s activities.

3. Commodity Flow Charting assists in determining the distribution pattern of weapons, money, goods, or services within an intelligence or criminal network. It is also useful in helping to identify key players in an organization’s hierarchy.

Link Charts show the relationship between people and entities. They provide an overview of the interrelationships among the subjects of complex conspiracy investigations. They are used when there is a large amount of data, a need to show relationships between a number of people and organizations. To create a link chart you must first list all chart entities in an association matrix. From the matrix, you decide who is at the center of the organization and create the link chart from the matrix.

Figure 5. Link Chart

Step 1. Create an Association Matrix

“Mohammad’s Right Hand” Association Matrix

Step 2. From the Association Matrix, Create a Link Chart

“Mohammad’s Right Hand” Attack Cell

Link Chart RulesUse solid lines for confi rmed/strong links and dashed lines for unconfi rmed/weak links.

Box entities that are associated with

each other.

Associating people with multiple associations.

No crossed lines. No curved lines.

Telephone Toll Analysis has many uses in an investigation. It is one of the most important methods of collecting data. It provides evidence of associations, contact between two phones, identifi es previously unknown associates, corroborates informant information, assists in establishing probable cause for wiretaps, and provides evidence in court proceedings. Forms of com-munication include phones, pagers, cell phones, computers, fax machines, PDAs. Raw data acquired from telephone companies has little value because of the volume of information. Once the

•Figure 6. Frequency Analysis

for Peter Grey Telephone Tolls5/9/2002

Target Number Number Called # of Calls

(834) 777-8695 (993) 898-2385 6(834) 777-8695 (993) 283-9491 2(834) 777-8695 (993) 348-3422 3

Figure 4. Flow of Funds to Support M’Aziq-Heri

Figure 3. Timeline of M’Aziq-Heri Activities


• Research Portal containing references and links is Refdesk at http://www.refdesk.com.
• Live Airline Tracker is at www.aeroseek.com/links/tracking2.html.
• Real Estate information can be obtained from www.netroline.com/public_records.htm; http://realestate.yahoo.com/re/homevalues/; www.zillow.com.

6. Data Removed from the Internet can be obtained from The Wayback Machine site (http://www.archive.org/).

Federal Agency Sources can provide a multitude of unclassified and classified data sources that track people, organizations, finances, and countries. This information is collected on topics of interest to military and civilian agencies. They include aviation, postal service, border control, law enforcement, and homeland security.

Major Computer Data Sources include Federal agency databases, such as defense personnel (Defense Manpower Data Center [DMDC]), financial crimes and money laundering (Financial Crimes Enforcement Network [FinCEN]), and many others.

State and Local Sources, such as state police departments, provide criminal and forensic services.

Confidential Informants, also known as assets, confidential sources, or cooperating witnesses, can be a most valuable source of information in any investigation. Many times such sources provide specific information that cannot be obtained by any other means; often because they have been involved in criminal, espionage, or terrorist activities themselves and have trusted access to others involved in the same activities. Their reliability, and therefore, their information, must always be verified, as their motives for talking to you can range from money, revenge, fear, ego, guilt about past wrong-doing, to simple good citizenship.

Private Business Databases maintain vast records on customer purchases, financing, background, and other useful information. They also maintain information on every aspect of their business operations.

Commercial Databases contain very detailed information about people, businesses, and organizations not only in the U.S. but in many other countries. Examples include names, addresses, relatives, neighbors, home purchase price, news media from around the world, and legal research.

Investigative Technology consists of covert devices that record, transmit, and listen such that they collect valuable information undetected.

3 b. Collate Information

After you have collected all information that would support or not support each of your hypotheses, organize your information such that information relating to each hypothesis is grouped with that hypothesis.

4. Analyze and Evaluate Information

Compare, contrast, and review data, looking not only at what is there, but what is missing. Formulate leads to feed back into the analytical cycle as necessary. Specific analytical tools are invaluable in analyzing data.

Analyze

There are a number of techniques to aid in analysis, including pen and paper analysis and computer programs (spreadsheet analysis). For example:

Timelines graphically display facts in chronological order, making it easier to understand what took place when. They are useful in preparing for interviews, conducting interrogations, informing key players, and providing clear courtroom demonstrations. Timelines can also be used to show patterns that might lead to prediction of future events.


Flow Charts show the progression of activities over time. The purpose of a flowchart is to graphically depict relationships between activities, events, and commodities.

1. Activities Flow Charts pinpoint sequential patterns of activity. They are useful in illustrating a process or sequence where one activity depends upon completion of another.

2. Event Flow Charts are timelines of an organization’s and/or individual’s activities.

3. Commodity Flow Charting assists in determining the distribution pattern of weapons, money, goods, or services within an intelligence or criminal network. It is also useful in helping to identify key players in an organization’s hierarchy.

Link Charts show the relationship between people and entities. They provide an overview of the interrelationships among the subjects of complex conspiracy investigations. They are used when there is a large amount of data and a need to show relationships between a number of people and organizations. To create a link chart you must first list all chart entities in an association matrix. From the matrix, you decide who is at the center of the organization and create the link chart from the matrix.

Figure 5. Link Chart

Step 1. Create an Association Matrix

“Mohammad’s Right Hand” Association Matrix

Step 2. From the Association Matrix, Create a Link Chart

“Mohammad’s Right Hand” Attack Cell

Link Chart Rules

• Use solid lines for confirmed/strong links and dashed lines for unconfirmed/weak links.
• Box entities that are associated with each other.
• Associating people with multiple associations.
• No crossed lines. No curved lines.

Telephone Toll Analysis has many uses in an investigation. It is one of the most important methods of collecting data. It provides evidence of associations, contact between two phones, identifies previously unknown associates, corroborates informant information, assists in establishing probable cause for wiretaps, and provides evidence in court proceedings. Forms of communication include phones, pagers, cell phones, computers, fax machines, PDAs. Raw data acquired from telephone companies has little value because of the volume of information. Once the

Figure 6. Frequency Analysis for Peter Grey Telephone Tolls, 5/9/2002

Target Number     Number Called     # of Calls
(834) 777-8695    (993) 898-2385    6
(834) 777-8695    (993) 283-9491    2
(834) 777-8695    (993) 348-3422    3

Figure 4. Flow of Funds to Support M’Aziq-Heri

Figure 3. Timeline of M’Aziq-Heri Activities


develop hypotheses) to drive the collection plan. The plan should include all possible sources of information that are relevant to each requirement element, along with the planned analysis method and reporting procedures.

3. Collect and Collate Information

Collect and collate information according to the project plan.

3 a. Collect Information

The Internet has become a major source of investigative information. It provides background information on people, businesses, criminal activity, and much more. Collecting information from the Internet requires a strategy to obtain the information sought. You should be aware of your persona as you search the Internet. See what you look like at coolredemo.com. You should always know what web sites know about you.

1. Follow these steps to make your search more efficient:

• Spell out your search words. Define the topic, spell out key words, acronyms. Remember “what” and “who” define the end product. (See Figure 2.)
• Strategize. Plan your approach, online resources, tools.
• Search. Get online, execute, stay focused, use advanced search features.
• Sift. Filter the results and follow the leads.
• Save. Take notes, organize results, bookmark results.

2. Use the right search tool.

• Directories (http://dir.yahoo.com) offer manually built “subject trees” and match search terms with text in the directory’s own web page, category titles, website titles, description.
• Search Engines (Google, http://search.yahoo.com) are very large databases with a search engine “robot” that explores the Internet and copies web pages into their databases. These search engines support detailed keyword searches.
• Metasearch Engines (Dogpile, Metacrawler) reach multiple databases and search engines simultaneously, returning results from each at once. Thus, the user can conduct multiple searches by entering the search criteria once. Results vary, so try more than one.
• Linear Search Engines (www.kartoo.com and http://vivisimo.com) are metasearch engines that display query results in a link chart that relates the results to other sites or sub-topics.
• Clustering Search Engines (http://clusty.com or webclust.com) are metasearch engines that extract data into groups, such as topics, sources, or urls, and display statistics showing what information relates to which part of the search criteria entered by the user.
• Virtual Libraries (Joe’s guide to widgets) are built by subject experts and focus on a specific subject. Many can be found in Yahoo web directories, indices, FAQ’s, organizations (www.vlib.com).

3. Search Mailing Lists, Reflectors, Listservs. These email information to people who are part of the group or interest association. You can find these groups by searching for your group and adding the phrase “mailing list.”

4. Search Usenet Newsgroups. These allow individuals to post comments on particular topics. They also allow others to post responses. You can locate these newsgroups using Google “groups” (http://www.google.com).

5. Specific Search Engines provide a deeper search for specific topics.

• Search Systems links to over 30,000 public record databases (http://www.searchsystems.net/).
• Publicly Held Business Records can be found at (http://www.sec.gov/), Hoover’s Online (http://www.hoovers.com/free/).
• Search Engines Worldwide include (http://www.searchenginecolossus.com/).
• Phone Directories, People finders, Yellow and White Page directories include (http://www.melissadata.com/lookups/), (http://peoplesearch.net/), (http://refdesk.whitepages.com/).
• Imagery can be found at http://local.live and http://earth.google.com.


required data from the telephone company is obtained, you must organize and analyze it to convert it to a useful form.

Frequency Analysis depicts the frequency of numbers called from the target phone. Figure 6 is a simple example.

Telephone Toll Analysis charts information gleaned from phone records. The phone numbers are associated with each other according to the number of calls made between the phones. (See Figure 7.)

Financial Analysis is done to identify and document movement of money during the course of an activity. Proving someone has excess funds helps show espionage, terrorist, and other criminal activities. For example, you learn during an investigation that a suspect’s legitimate annual net income is $50,000. However, his total annual cash expenditures are $100,000. What is the source of his additional income? Gift? Trust Fund? Illegal activity? During financial

Figure 8. Concealed Income Analysis Worksheet for Sydney Slimeball

                                                              12/31/99      12/31/00      12/31/01
Assets (+)
Cash in Bank                                                 $5,000.00     $7,000.00     $9,000.00
Savings Account                                              $7,800.00    $18,000.00    $20,000.00
House (21005 Valenton Rd, Richmond, VA 15888)              $280,000.00   $280,000.00   $280,000.00
Apartment Condo (1720 10th St., VA Beach, VA 23666)         $68,000.00    $68,000.00    $68,000.00
Apartment Condo (7782 11th St., Ocean City, NJ 21842)            $0.00   $244,400.00   $244,400.00
House (30052 Bangor Rd., Bala Cynwyd, PA 19004)                  $0.00         $0.00   $380,000.00
Lexus (1993)                                                $14,000.00    $13,000.00    $12,000.00
Mercedes Benz (2001)                                             $0.00         $0.00    $37,000.00
Paintings                                                        $0.00     $4,000.00    $14,000.00
Total Assets                                               $374,800.00   $634,400.00 $1,064,400.00

Liabilities (-)
Mortgage (21005 Valenton Rd, Richmond, VA 15888)           $180,000.00   $179,200.00   $178,200.00
Mortgage (1720 10th St., VA Beach, VA 23666)                $40,000.00    $39,300.00    $38,600.00
Mortgage (7782 11th St., Ocean City, NJ 21842)                   $0.00   $150,000.00   $149,200.00
Mortgage (30052 Bangor Rd., Bala Cynwyd, PA 19004)               $0.00         $0.00   $270,000.00
Bank Loan                                                   $35,000.00    $32,800.00    $20,000.00
Total Liabilities                                          $255,000.00   $401,300.00   $656,000.00

Net Worth                                                  $119,800.00   $233,100.00   $408,400.00
Less: Networth of Previous Year                                          $119,800.00   $233,100.00
Increase in Networth                                                     $113,300.00   $175,300.00
Add: Personal Living Expenses (+)                                         $64,400.00    $81,700.00
Total Income                                                             $297,500.00   $490,100.00
Less: Income from Known Sources Microsoft Salary (-)                      $85,000.00   $105,000.00
Income from Unidentified Sources                                         $212,500.00   $385,100.00

Figure 7. Telephone Toll Analysis

Figure 2. Collect Information


Technique: Devil’s Advocacy
Description: Challenging a single, strongly held view or consensus by building the best possible case for an alternative explanation.
When to Use: Best performed just before sending a paper out for coordination or presenting key conclusions to senior officials. Also helpful when there is widespread consensus on a critical issue.

Technique: Team A/Team B Analysis
Description: Using independent analytic teams to contrast two (or more) strongly held views or competing hypotheses.
When to Use: Most useful when there are competing views within the analytic or policy communities or a single, strongly held view that needs to be challenged.

Technique: Analysis of Competing Hypotheses
Description: Identifying a complete set of alternative hypotheses, systematically evaluating data that is consistent and inconsistent with each hypothesis, and rejecting hypotheses that contain too much inconsistent data.
When to Use: When an overarching framework is needed to capture all possible hypotheses and there is a robust flow of data to absorb and evaluate. Useful for dealing with controversial issues, especially when denial and deception may be present.

Technique: Alternative Futures Analysis
Description: A systematic method for identifying alternative trajectories by developing plausible but mind-stretching “stories” based on critical uncertainties in order to illuminate decisions made today.
When to Use: Useful for reducing uncertainty, anticipating surprise, and uncovering “unknown unknowns” when dealing with little concrete information.

Technique: Quadrant Crunching
Description: A structured brainstorming technique for challenging assumptions and discovering “unknown unknowns.”
When to Use: Most useful for dealing with highly ambiguous issues, such as terrorist threats, when little data is available.

Technique: Deception Detection
Description: The systematic use of checklists to determine when to look for deception, if it actually may be present, and how to avoid being deceived.
When to Use: When the analysis hinges on a critical piece of evidence and accepting the data would require changing key assumptions or expending/diverting major resources.

Tools For Overcoming Mindsets:

1. Identify the requirement and develop hypotheses

Make sure you fully understand the requirement. Clarify with who, what, where, how, and why questions, then state the question in a single sentence plus a couple of sentences of explanation.

Develop Hypotheses - Brainstorm all possible answers to the question, but don’t try to determine the correct hypothesis at this point. Your conclusions are only as good as the supporting data, and you have not yet fully evaluated it.

2. Formulate a Plan

Think of the project plan as a framework to guide collection. Decide what information is needed to prove or disprove the hypotheses and where you will get such information. Use the key elements of the question you identified in step 1 (Identify the requirement and

Seven Steps of the Analytical Process

analysis, you use accounting and auditing techniques to link financial events. You can find financial data in records from many sources: people, public records, real estate, corporate/business, UCC filings, court records, DMV, tax, and financial institutions. Spreadsheet software is very useful in financial investigations for gathering and organizing data, and for calculating the subject’s financial status. Net worth is calculated as follows: Assets – Liabilities = Net Worth. Figure 8 is an example of the use of this software in tracking net worth.
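The net worth method behind Figure 8, as an added example that is not part of the original guide: the dollar figures are transcribed from the worksheet, while the function and variable names are assumptions of this example. Recomputing every derived row also shows that the printed Total Income row equals year-end net worth plus living expenses, so it and the row below it are higher than what the row labels (increase in net worth plus expenses) produce; `reconcile` lists those cells.

```python
"""Net worth method over the Figure 8 worksheet.

Dollar figures are transcribed from the figure; all names are illustrative.
"""

YEARS = ("12/31/99", "12/31/00", "12/31/01")

ASSETS = {
    "Cash in Bank": (5_000, 7_000, 9_000),
    "Savings Account": (7_800, 18_000, 20_000),
    "House, Richmond VA": (280_000, 280_000, 280_000),
    "Apartment Condo, VA Beach VA": (68_000, 68_000, 68_000),
    "Apartment Condo, Ocean City NJ": (0, 244_400, 244_400),
    "House, Bala Cynwyd PA": (0, 0, 380_000),
    "Lexus (1993)": (14_000, 13_000, 12_000),
    "Mercedes Benz (2001)": (0, 0, 37_000),
    "Paintings": (0, 4_000, 14_000),
}
LIABILITIES = {
    "Mortgage, Richmond VA": (180_000, 179_200, 178_200),
    "Mortgage, VA Beach VA": (40_000, 39_300, 38_600),
    "Mortgage, Ocean City NJ": (0, 150_000, 149_200),
    "Mortgage, Bala Cynwyd PA": (0, 0, 270_000),
    "Bank Loan": (35_000, 32_800, 20_000),
}
# The first year has no prior year to compare against, hence None.
LIVING_EXPENSES = (None, 64_400, 81_700)
KNOWN_INCOME = (None, 85_000, 105_000)

# Derived rows as printed in Figure 8, kept only for reconciliation.
PRINTED = {
    "Total Assets": (374_800, 634_400, 1_064_400),
    "Total Liabilities": (255_000, 401_300, 656_000),
    "Net Worth": (119_800, 233_100, 408_400),
    "Increase in Networth": (None, 113_300, 175_300),
    "Total Income": (None, 297_500, 490_100),
    "Income from Unidentified Sources": (None, 212_500, 385_100),
}


def column_totals(rows):
    """Sum each year's column across all rows of a section."""
    return tuple(sum(col) for col in zip(*rows.values()))


def net_worth_method(assets, liabilities, expenses, known_income):
    """Return every derived worksheet row, one value per year."""
    total_assets = column_totals(assets)
    total_liabilities = column_totals(liabilities)
    net_worth = tuple(a - l for a, l in zip(total_assets, total_liabilities))
    increase, total_income, unidentified = [None], [None], [None]
    for i in range(1, len(net_worth)):
        delta = net_worth[i] - net_worth[i - 1]   # change in net worth
        income = delta + expenses[i]              # funds needed to explain it
        increase.append(delta)
        total_income.append(income)
        unidentified.append(income - known_income[i])
    return {
        "Total Assets": total_assets,
        "Total Liabilities": total_liabilities,
        "Net Worth": net_worth,
        "Increase in Networth": tuple(increase),
        "Total Income": tuple(total_income),
        "Income from Unidentified Sources": tuple(unidentified),
    }


def reconcile(computed, printed, years=YEARS):
    """List (row, year, printed, computed) for each printed cell that differs."""
    return [
        (row, years[i], value, computed[row][i])
        for row, cells in printed.items()
        for i, value in enumerate(cells)
        if value != computed[row][i]
    ]


if __name__ == "__main__":
    result = net_worth_method(ASSETS, LIABILITIES, LIVING_EXPENSES, KNOWN_INCOME)
    for row, values in result.items():
        print(f"{row:<34}", values)
    for row, year, shown, recomputed in reconcile(result, PRINTED):
        print(f"check {row} {year}: printed {shown}, recomputed {recomputed}")
```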

Map Analysis helps the analyst see patterns and associations that are not easily detected from texts. Layering data on the map (contacts, places, events, times) makes it easy to note the subject’s proximity to associates and activities, and may reveal tradecraft and “hot” areas. The map might show stops at or near locations associated with intelligence activities; or overlay surveillance results for multiple subjects/organizations to compare foreign intelligence entities’ routes, stops, or associations.

Pattern Analysis – All of the above analytical tools can provide a pattern of prior activities that could help predict future behavior. Timelines may show that a subject or entity has participated in specific activities on a regular basis and help project when he may do it again. Flow Charts reveal when a subject or entity has established a particular way of carrying out activities. Link Charts and Telephone Toll Analysis can show that a subject is associated with others and help predict future contacts based upon past communications. Financial Analysis can reveal spending habits. It can also show that money is received on a regular basis or after a certain catalyst event. Map Analysis can present a geographic pattern of routes with activities conducted along that route for one or more persons.

5. Draw Conclusions and Make Recommendations

After planning, collecting, and analyzing data, you must formulate conclusions and recommendations to report. It is at this point that you will evaluate the hypotheses developed in step 1 of the Analytical Process. A tool that will assist in selecting the most likely hypothesis is Analysis of the Competing Hypothesis (ACH).

Steps in Analysis of the Competing Hypothesis – With ACH you compare the supporting evidence for each hypothesis against the others. You then identify all reasonable alternatives and compete them against each other to determine which is best. Many people rely on their intuition, picking what they suspect is the likely answer, then seeking evidence that supports this point of view. If they find enough evidence to support the favorite hypothesis, they pat themselves on the back and look no further. If the evidence points to another conclusion, they reject it as misleading or develop another hypothesis, which they attempt to prove through the same procedure. This mindset prevents them from fully evaluating the data and what they end up with is the first solution that seems satisfactory. Don’t do that. Instead:


Figure 1. Project Plan

Assignment Date: 21-Aug-02
Requestor Name: Jay Pendleton
Target Completion Date: 22-Oct-02

Requirements
Purpose: Is Charles Jones involved in espionage?
Project Number: 1
Requirement Description: Gather background information concerning Jones, analyze it, and determine if he is a spy. If he is, what should we do with him.

Hypotheses: 1. He is a spy. 2. He is innocent. 3. He is not a spy but involved in criminal activity.

Information Collection Methods
IIRs Mapping - Imagery
DOD Websites Internet
Commercial Databases (i.e. Lexis, Dunn)
Relevant Databases (i.e. FinCEN)
Subject Experts
Source - Witness Surveillance
Investigative Technology (i.e. Body wire, pen reg.)
Major Databases
x x x x x x
I will gather information to support or refute each of the hypotheses above and if other hypotheses are discovered, gather information on this one also.

Data Analysis Method (Software Tools, Other Tools)
Timeline Matrix Map Analysis
Link Analysis
Database Query/Reports
x x
Will use a timeline and link analysis to make sense of the collected data. Will also use map analysis to determine if route Jones took was used by other Foreign intel agents.

Reporting Method
Written Reports
Informal Briefing
PowerPoint Pres.
x x
Present findings to JAY in a PowerPoint presentation.


Figure 9. Known vs. Unknown Income

Figure 10. Map Analysis (legend: Known Drop Sites; Surveillance Route)


Introduction to CI Analysis

This guide describes a step-by-step methodology for employing analytical skills and processes. It introduces analytical tools and suggests some sources of information that can be useful in CI situations, and can help you organize and process facts efficiently and effectively.

Analytic Traps and Mindsets

Start each analytical project by clearing your mind of preconceived notions about the project and information you are about to analyze. Otherwise, you may focus on proving your preconceived solution, and in so doing, overlook relevant information.

Perception: Why can’t we see what is there to be seen? The truth is, we tend to perceive what we expect to perceive. Many factors influence perception, including past experiences, education, cultural values, and operating assumptions. To encourage objectivity and overcome tunnel-vision, analysts should solicit collaboration at points in the analytical process. Explicitly state your assumptions and reasoning, then ask others to challenge your thinking.

Memory: Anything that influences what you remember also influences the outcome of your analysis. Once you start thinking about a problem in a particular way, the same mental pathways are activated and strengthened each time you think about it thereafter, making it difficult to embrace new ideas. Make a conscious effort to be open to new information and incorporate it into the data already held in your memory, especially when it may cause you to change your view.

Cognitive Biases: Cognitive biases are mental errors caused by the human tendency toward simplified information-processing strategies. Cognitive bias does not result from an emotional or intellectual predisposition toward a particular judgment, but from subconscious information-processing procedures. As a result, we naturally pick and choose from the complete set of data and focus on a subset that suits our cognitive biases. An example is accepting what we see and hear rather than abstract information that we don’t process as easily. Also, we tend to fully accept or reject data instead of assigning a probability that the information is valid. This sets a bias, closing the mind to accepting the data as true when new supporting information is acquired.

Techniques for Overcoming Mindsets:

Basic Counterintelligence Analysis in a Nutshell
Quick Reference Guide

By Irvin D. Sugg, Jr., B.S., J.D., Course Chairman, CI Analysis Course
Joint Counterintelligence Training Academy

Quick Reference Index

Analytic Traps and Mindsets

• Perception
• Memory
• Cognitive Biases
• Tools for Overcoming Mindsets

Seven Steps of the Analytical Process

1. Identify the requirements and develop hypotheses.
2. Formulate a plan.
3. Collect and collate information.
4. Analyze and evaluate information.
5. Draw conclusions and make recommendations.
6. Produce a report.
7. Monitor new information.

Technique: Brainstorming
Description: An unconstrained group process for generating new ideas and concepts.
When to Use: In the early stages of conceptualizing a problem or as a mechanism to break free from a prevailing mindset.

Technique: Key Assumptions Check
Description: An explicit exercise to list and challenge the key working assumptions that underlie analytic judgments.
When to Use: Develop key assumptions as you begin a project, then review them once the draft is completed to check how your thinking has evolved.

Technique: Red Cell Analysis
Description: Predicting the behavior of another individual or group by trying to replicate how that person or group thinks. Putting yourself “in their shoes.”
When to Use: When trying to predict the behavior of a specific person who has the authority to make decisions.

Technique: What If? Analysis
Description: Positing that an event with potential major (positive or negative) impact has occurred and then explaining how it came about.
When to Use: When analysts are having difficulty getting a decisionmaker or the policymaking community to focus on the potential for, or the consequences of, an event occurring, or when a conventional mindset is well-ingrained.

Technique: Outside-In Thinking
Description: Identifying the range of systemic forces, factors, and trends that would have an impact on shaping an issue, then factoring them into the analysis.
When to Use: In the early stages, when attempting to identify all the factors that could influence how a particular situation will develop.

Technique: Indicators
Description: A pre-established list of observable events that is periodically reviewed to track events, spot emerging trends, and warn of unanticipated change.
When to Use: As a stand-alone tool or paired with other techniques; for example, to help determine which scenario is emerging. Indicators help “depersonalize” an argument by shifting attention to a set of objective criteria.

continued

1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities. Avoid discounting anyone’s views simply because they are unpopular with you or your organization.

2. Make a list of significant evidence and arguments for and against each hypothesis.

3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the “diagnosticity” of the evidence and arguments – that is, identify which items could be most helpful in judging the relative likelihood of the hypotheses.

4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.

5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.

6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.

7. Report conclusions that discuss the relative likelihood of all hypotheses, not just the most likely one.

8. Identify milestones for future observation that may indicate events are taking a different course than expected.
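Steps 3 through 6 of the list above as an added worked example that is not part of the original guide: the hypotheses are the three from Figure 1, while every evidence row, rating and function name is constructed for illustration. It scores each hypothesis by counting inconsistent evidence, following the advice in step 5 to disprove rather than prove.

```python
"""ACH matrix for steps 3-6. Hypotheses come from Figure 1; every evidence
row and rating below is constructed for illustration."""

HYPOTHESES = ("H1 spy", "H2 innocent", "H3 criminal, not a spy")
RATINGS = {"C", "I", "N"}  # consistent, inconsistent, neutral/not applicable

# Step 3: evidence down the side, one rating per hypothesis (HYPOTHESES order).
MATRIX = {
    "E1 spending exceeds known income": ("C", "I", "C"),
    "E2 holds a security clearance": ("C", "C", "C"),
    "E3 route passes known drop sites": ("C", "I", "I"),
    "E4 repeated calls to unidentified number": ("C", "N", "C"),
    "E5 no access requests outside duties": ("I", "C", "C"),
    "E6 cash deposits with no stated source": ("C", "I", "C"),
    "E7 no known criminal associates": ("N", "C", "I"),
}


def validate(matrix):
    """Reject rows with a missing column or an unknown rating."""
    for evidence, ratings in matrix.items():
        if len(ratings) != len(HYPOTHESES) or not set(ratings) <= RATINGS:
            raise ValueError(f"bad row: {evidence!r} -> {ratings!r}")


def refine(matrix):
    """Step 4: drop evidence rated the same under every hypothesis."""
    validate(matrix)
    return {e: r for e, r in matrix.items() if len(set(r)) > 1}


def inconsistency_scores(matrix):
    """Step 5: count the evidence that argues against each hypothesis."""
    scores = dict.fromkeys(HYPOTHESES, 0)
    for ratings in matrix.values():
        for hypothesis, rating in zip(HYPOTHESES, ratings):
            scores[hypothesis] += rating == "I"
    return scores


def ranking(matrix):
    """All hypotheses, ordered from least to most inconsistent evidence."""
    scores = inconsistency_scores(matrix)
    return sorted(scores.items(), key=lambda item: (item[1], item[0]))


def leaders(matrix):
    """Hypotheses tied for the fewest inconsistencies."""
    scores = inconsistency_scores(matrix)
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


def critical_evidence(matrix):
    """Step 6: evidence whose removal changes which hypothesis leads."""
    baseline = leaders(matrix)
    critical = []
    for evidence in matrix:
        reduced = {k: v for k, v in matrix.items() if k != evidence}
        if leaders(reduced) != baseline:
            critical.append(evidence)
    return critical


if __name__ == "__main__":
    refined = refine(MATRIX)
    print("dropped as non-diagnostic:", sorted(set(MATRIX) - set(refined)))
    for hypothesis, score in ranking(refined):
        print(f"{hypothesis:<24} inconsistencies: {score}")
    print("conclusion depends on:", critical_evidence(refined))
```

If any item returned by `critical_evidence` were wrong or deceptive, the leading hypothesis would no longer stand alone, which is the situation step 6 asks the analyst to examine.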

6. Produce a Report

Typical CI reports include threat assessments, trial materials, as well as graphic representations that clearly and concisely present the data. Examples are: link and matrix analyses, time event and flow charts, telephone toll analysis maps, and ACH decision matrices. These reports can be used to document the result of the analysis, and also to suggest solutions. Such reports can present a range of detail, from a simple verbal synopsis of analytical results to a formal briefing or detailed document.

7. Monitor New Information

During the collection process, data and events can change on a regular basis. These changes can alter the result of the final analysis such that the entire requirement must be re-evaluated based upon new and contradictory information. Consequently, one must continually monitor all old and new collection sources and be open to the possibilities raised by new information.


The Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is an authorized Joint Counterintelligence Training Academy (JCITA) publication. It is printed and distributed solely for Instructional Training purposes. All editorial content of the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is prepared and edited by JCITA’s Education Services Branch. Opinions expressed herein by the author and writers are their own and not an official expression by the Department of Defense. The appearance of commercial products in this publication is not an endorsement by the Department of Defense of the products depicted. All characters, companies, products and events depicted in the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide are fictitious, and no similarity with any real persons or entities, living or deceased, is intended or should be inferred. Permission to use copyrighted materials was granted by the appropriate copyright holder. Use of copyrighted materials in this document falls within the “fair use” doctrine and does not constitute an endorsement of any commercial companies depicted.


Figure 11. Analysis of Competing Hypotheses