This article was originally published in Homeland Security Today by Fivecast US Law Enforcement Advisor, Mike Downing.
Just as digital transformation is changing the way that organizations do business, it is also changing the way that organized crime groups communicate and operate as an enterprise.
As organized crime continues to grow in the U.S., individual groups are recognizing that there is strength in numbers – at least from a resource perspective. This is driving growing cooperation between networks.
While each group solidifies its proficiency in certain areas, they can simply tap into other networks to obtain what they need but don’t have. This includes the ability to traffic weapons, launder money, distribute narcotics, share in logistics such as transportation, source recruiting, engage in human trafficking, counterfeiting, and more.
The proliferation of online platforms not only enables criminal groups to source their assets or required skills and services, but it also facilitates inter-network communication and makes law enforcement investigations more demanding and time consuming.
In the past, terrorist networks and organized crime syndicates might never have had reason or the opportunity to collaborate. Today, thanks to advances in technology, criminal gangs, cartels, terrorist networks and organized crime groups can all meet in the middle, digitally. They can share in their financing, their recruiting, their logistics, and their transportation.
Thwarting this trend requires that law enforcement have the latest digital, artificial intelligence (AI) and data analytical capabilities. AI-driven open-source intelligence (OSINT) assets will enable investigators to identify leads and monitor criminal networks, who often utilize online platforms for communication purposes, and to degrade their operations and those who support them.
To optimally degrade converged criminal networks, law enforcement agencies should focus on four key areas where advanced technologies can give them an edge: node identification, link analysis and functionality, disrupting operational capabilities, and inter-agency coordination, all of which are discussed below.
The investigative challenges of node identification
It’s not good enough to merely disrupt a single target anymore. Entire networks must be brought down. From a strategy perspective this requires disrupting the criminal group’s various nodes, each of which has a specific function. Think of a node as the critical criminal operators in a network, either due to the connectivity they provide between other individuals or groups in the larger network, or due to their operational capabilities or contributions to the broader criminal grid in which they function.
For example, nodes in one group could be responsible for providing all relevant supporting partnerships and enterprises to nodes within other disparate threat groups. This could include arranging illicit support and tasks such as illegal weapons or distribution of narcotics, to supplying counterfeit documents, etc.
In order to be successful in combating all of these criminal individuals and groups, law enforcement must cast a very wide and deep net to better understand the entire illegitimate network and its supporters. It is by using advanced analytical capabilities that law enforcement has the ability to track communications and detect likely information and actions of interest. This will aid in identifying the criminal ‘outliers’ or organizational network nodes that ultimately feed to and off an initial target. These are the groups and individuals further out in the full criminal circle who would otherwise be harder to trace.
Nefarious groups try to keep these nodes hidden, for obvious reasons. The task and challenge for law enforcement is to identify a criminal enterprise’s structure by recognizing the function of each node within the structure. That includes who the key players are, how they are connected, and what the operational capability is of each. Detecting how a node communicates or interacts with other sources helps in mapping out the wider organization and its capabilities.
A popular environment where criminals ‘meet,’ communicate and operate is on the ‘Dark Web.’ Nefarious individuals operating in this environment are able to hide their true identities and engage in a wide variety of illegal activities. For example, anyone wishing to purchase a ransomware tool to attack a vulnerable organization and hold their data hostage would easily be able to acquire that software here. Think of it as ‘Angie’s List’ for illicit contractors.
State and local law enforcement, especially those outside the largest cities, don’t typically have a presence on the Dark Web and are at an investigative disadvantage. That gives criminals and organized groups a definite advantage, which allows the adversary to be a step ahead of law enforcement.
Law enforcement is making headway in node identification through analyzing multiple social platforms to better locate and identify data that can shed light on criminal activity and identities. It avoids challenges with the Dark Web and picks up valuable breadcrumbs left in the deep web by criminal entities.
Despite avoiding challenges with the Dark Web, collecting and analyzing this disparate social platform data still presents its own challenges. Threat actors may attempt to conceal their communications or pivot to difficult-to-access domains. This quick adaptation and pivoting can defeat traditional law enforcement strategies, keeping human detectives and analysts off balance. This is where AI becomes critical.
Understanding link analysis and functionality
An important advantage to law enforcement of acquiring data on nodes is the ability to create link analysis charts and conduct robust social network analysis. Such charts and analytics enable investigators to see how many different transactions there are between the comprising entities in a criminal enterprise. Monitoring which individuals, groups, and entities are contributing, communicating, and cooperating with one another enables investigators to develop a strategy to target the wider organization, identify the critical threat actors, and degrade the associated capabilities if it is advantageous to the investigation.
Instead of merely doing a blast disruption to the entire network, AI can enable methodical and surgically precise disruption efforts toward the most critical components of a criminal network. AI-enabled network analytics ensure the most critical components are clearly distinguished from the larger network and rapidly identified by the investigator.
Criminal organizations are complex. The adversary in a criminal organization may be multiple individuals or groups. There may also be additional adversaries supporting the primary adversary. A link analysis chart and social network analysis will display all individuals or groups who are part of the overall threat and help illustrate what the relevancy, capabilities and intents are of each. This is critical for disruption, as the structure and communications — or cooperation methodology — of an organization can impact intervention strategies.
For example, based on my law enforcement experience, when a decentralized organization is attacked, it becomes even more decentralized. When a centralized organization is attacked, it becomes even more centralized. When a criminal organization is attacked, a link analysis chart can reveal over time what the impact has been on the criminal operations. Has the organization scattered, has it re-organized, or has it reformed?
Without AI-enabled analytics of a social network to guide the disruption strategy taken and the subsequent impact assessment, one criminal group might be degraded, only to have another rise and take its place. Criminal enterprises can be very similar to a hydra – cut off one head and five more heads will appear, further complicating law enforcement’s investigation and disruption efforts.
That’s why it’s not good enough to just dismantle or disrupt a singular entity, individual, or organization in most cases. Successful disruption requires an understanding of all individuals, groups, and organizations that are supporting the target organization. OSINT and data analysis of publicly available information across the surface, deep and dark web will help law enforcement better understand other organizations are that are helping to nurture and feed the one being targeted.
Methods and Challenges for disrupting operational capabilities
To stop organized crime groups from converging and working together and achieving their goals, investigators need to disrupt their operational capabilities. The first places to start are by choking off funding and disrupting the recruiting efforts of the group. This is vital because criminal enterprises cannot function without manpower or financing.
Another key step is to identify potential vulnerabilities in an organization. Doing this will enable investigators to prepare relevant strategies to infiltrate and degrade the networks. There is a wealth of data that can be tapped to reveal these potential vulnerabilities. This includes crime and arrest data, informant data, FBI data, and terrorist watch information. Intelligence units within various agencies also have tip information and suspicious activity reporting that can help. Trained analysts can do complex searches on this data.
Much of the information needed to disrupt the operational capabilities of criminal networks exists on many disparate databases. The ability to consolidate that data is vital for the speedy resolution of an investigation.
A key enabler for analysts that lets them automate routine or complex tasks and consolidate data is AI. It can level the playing field for law enforcement by identifying patterns of behavior across large volumes of disparate data sets that give clues to illegal activity.
Obviously, the data volume available online extends way past what human analysts can deal with. AI and machine learning can review and analyze mountains of data in seconds and present it in an auditable and actionable format. The challenge for analysts is how to sort out valid and relevant findings from the irrelevant ‘noise’ so investigators can act on the intelligence obtained and move to degrade the criminal networks by rapidly locating their choke points.
The critical role of intra-agency coordination
Just as criminal networks cooperate with a common goal in mind, investigative agencies need to integrate and work together to best degrade the criminal network. Advanced technologies can play a key role in enabling investigators to share information and build valuable partnerships across agency, federal and state groups.
Larger law enforcement agencies are likely to have access to holistic data, but midsize and smaller law enforcement departments might not be aware of, or have access to, all the databases that exist. This is where Fusion Centers can help. These specialized centers are composed of officers and analysts who have the authority and technical skills to access certain databases and bring all the data needed for an investigation together. As a result, an analyst and a data-driven investigation is much more efficient and potentially more successful than a purely traditional boots-on-the-ground investigation.
Unfortunately, many detectives have probably not yet been introduced to the use of analysts and advanced analytics, at least at the state and local law enforcement level. In addition, there are so many disparate computer networks and databases that many don’t necessarily ‘talk’ to each other. As a result, inter-agency communication can be a challenge. That fact is hardly surprising, considering that there are more than 17,500 law enforcement groups in the United States.
The typical law enforcement agency does not have the resources, staffing or expertise to properly locate, identify, gather, and analyze the data that can be found related to criminal activity and its nexus to convergent support systems and other enterprises that complement operations. Most will need to recruit that capability, or partner with other organizations that have that capacity and expertise – perhaps even in the private sector.
State-owned and operated Fusion Centers are well positioned to do this. They typically have analysts, funding, and political leverage. They serve as focal points in states and major urban areas for the collection, analysis, and sharing of threat-related information between local, state, tribal, federal, and private-sector partners. As an example, the Fusion Center in Los Angeles covers seven counties, with 19 million residents, and approximately 166 police agencies.
One of the biggest concerns for law enforcement agencies using analytics and data sharing tools is the potential for abuse. Anytime analysts have a tool or a capability for performing risk analytics on large amounts of publicly available information, there needs to be clear policies in place to protect that data and any individuals it pertains to, without compromising an investigation. Otherwise, there can be abuse, mistakes, and civil litigation around missteps. Law enforcement needs to step into this area carefully and make sure decisions and actions are backed up by the proper policies and procedures that have an authentic eye toward privacy.
It is generally held that criminals are typically one step ahead of law enforcement at every turn. The same is true with the use of technology.
Individual criminals and criminal groups are taking full advantage of technological advances to better communicate, share resources, and hide their identities and activities. But they are not digitally invisible.
Law enforcement can also use advanced technologies such as AI-powered open-source intelligence to identify converged networks, generate leads, follow links to criminal targets, and identify the larger criminal enterprise. AI’s value is in ensuring that law enforcement can keep pace with the growing amount and variety of online platforms and communication channels that criminals use. It does so by helping law enforcement gather digital evidence that these criminal entities are leaving behind.
Additionally, AI enables investigators to analyze 100,000 times more data than a human analyst can do at one time, and display it in any number of ways to provide clues to connections and targets. It allows investigators to cast the net much wider. It enables a more holistic approach to the investigation. It catches things that may have been missed by a human working on their own and encourages them to broaden their perspective.
By focusing on four key areas — node identification, link analysis and functionality, disrupting operational capabilities, and inter-agency coordination — law enforcement can significantly close the technology gap. The adoption of advanced technology will not eradicate crime completely, but it will go a long way toward leveling the playing field.