By Bryan Ware
The Boston Marathon bombing, subsequent manhunt and current investigation are unprecedented – not only due to the nature of the attack but because of how much information has been available to law enforcement, the public and the suspects. Unlike any previous large-scale attack, data came in at a staggering velocity within seconds of the twin explosions, yielding constant changes and misreporting, but also the timely apprehension of the suspects.
For all its evident successes, however, this “big data” event exposed many limitations in existing technologies, demonstrating the need for new capabilities and providing new collaborative opportunities for law enforcement and technology developers. This article is about the technological capabilities Boston demonstrated we need, rather than about the victims, the heroism of the Boston responders or cooperation among the agencies involved. Some of the technologies discussed below may already exist in some form, but still are not ideally suited to the needs of this kind of event.
Here’s my punch list:
Avid for Intel: The FBI and Boston Police Department (BPD) requested and received video and photos from witnesses to the blast and from private security cameras in the vicinity. Capabilities in this area are not ready for “prime time”. To my knowledge there is no image and video management system that can operate at scale to quickly to stitch together the various images in both space and time. The best seem to be in the entertainment industry – something akin to the Avid video editing and production suite – than the intelligence community. Each image from a smart phone carries telemetry data that can be used to orient it in space and time. Add hundreds or even thousands of those images together, taken from different vantage points and different times, and you have an amazingly detailed mosaic of the environment. Being able to ‘play it back’ to particular time stamps, say to see who put a package where, is an enormous challenge and opportunity. I suspect that Boston pulled off this feat with brute force but a technology solution to this type of image management capability seems to be in order. Similar ideas can be seen in movies, but these haven’t yet made the trip from the big screen to the real world. No matter how many video cameras a city installs, we should expect that there will be increasing amounts of consumer imagery and video available and we must develop the technology to harness it.
Complex Event Processing (CEP): It’s difficult to imagine the barrage of information flying at the Boston law enforcement team on April 15th: citizen tips, social media posts, 911 calls and forensic evidence to name a few. But I could imagine that the primary information management system was email, and that it wouldn’t take long in a rapidly evolving event such as this to be drowned in message traffic and miss key pieces of information. CEP is an idea typically found in machine automation, but automating alerts based on key events could ensure that the right message gets to the right people automatically. That might mean any small event in a key location (or a certain type of activity anywhere) generates an alert. In order for CEP to be effective for a rapidly evolving situation, it would require a very simple configuration interface and easy integration into data streams and messaging systems. In the next Boston-type event there will be no time to call a support contractor for help configuring rules; this has to be almost consumer-friendly out of the box.
Link Analysis: There is a critical need in rapidly unfolding situations to organize the information you have and tie it together in a way that allows you to tell a story or build a case. As the Boston authorities tried to figure out who the suspects were, little pieces of information came in all the time, answering critical questions like: How many suspects are there? Where do they live? Where do they work? How are they tied together? This is certainly the promise of link analysis software from vendors like Palantir, IBM/i2, Visual Analytics, Centrifuge and others. Unfortunately, without a room full of engineers from the vendor, customers don’t have the capability to use these tools rapidly enough and with the level of sophistication this type of event requires, and most agencies end up using these tools for a few simple activities and as basic drawing packages. The products, business models and capabilities destined for use in crises must evolve in order to make the kind of headway needed during a fast-moving event. Even a city the size of Boston doesn’t have the budget or the day-to-day need for the level of investment that would be required to have those capabilities using today’s solutions.
Geographic Information Systems (GIS): Every law enforcement and homeland security agency has GIS tools. But let’s face it: nobody can use them at the pace and level of complexity that Boston required. And that’s not Boston’s fault; it’s the tools’. Modern GIS systems are built on old software architectures to support geographers. But they need to be rebuilt for the velocity of social media data, for easy and rapid data entry, for simple analysis, and for quick information sharing and reporting. The needs of law enforcement to see the locations of detonations, devices that were discovered, suspect homes and other parts of the crime scenes and then correlate that data with reporting from social media, random tips and their own personnel was just out of reach. They had the tools and they knew how to use them, but the tools are not up to the task. Given the revolution in geo-enabled consumer apps such as Foursquare, Google Maps, Yelp and Find My iPhone, it’s disappointing that the professional tools are so lacking in capability.
Crowd Analytics: From the DARPA Challenge to the recent Intelligence Advanced Research Projects Activity (IARPA) crowd forecasting program, this has been a pretty hot topic for research. The FBI’s release of suspect photos proved that the crowd was able to identify the suspects better than facial recognition algorithms were apparently able to do against their drivers’ licenses and other publicly available photos. In addition to allowing witnesses who saw or knew the suspects to identify them, the crowd presents a massive computational reasoning capability with the entire Internet at its disposal. The crowd was able to find the suspects’ Russian-language social network VKontakte (VK), Twitter and other social media accounts faster than the government. Leveraging the crowd for search, translation, information dissemination and such bears much promise and much peril. More will be written, I’m sure, about the ill-fated reddit community attempt to analyze crime scene imagery, but make no mistake: a well-organized crowd can be a powerful tool.
Social Identity: Identity resolution and identity management capabilities are used every day by law enforcement and intelligence agencies. But these capabilities struggle with low-quality data sources. It’s one thing to find an identity match with a name, date of birth and social security number; it’s something else entirely when the name has multiple spellings and there’s no other good information. It’s particularly hard to find that person’s social media identity, perhaps the first place you’ll see their extreme views or other information that may provide additional leads or explanations of motives. And, in this case like many others, fraudulent websites are created as quickly as the event unfolds, further confusing the search for suspect identities. High quality but rapid social identity solutions are needed to understand a person’s identity when their official government identity is either unknown or insufficient. And these tools must not only be timely in order to have any value to law enforcement, they must also be accurate.
Social TTL: The concept of tagging, tracking, and locating (TTL) is well known in the intel and special operations communities. But, as we could see that one of the suspects was logging into his VK and Twitter accounts from his smart phone during the event, it exposed the need for a different kind of TTL. All of the technology capabilities to identify the user and track the location of his mobile phone exist, but were not readily available in a timely manner in Boston.
Phone Neutralization/Intercept: The explosive devices used during the marathon were apparently triggered with controllers from a radio-operated toy, but they first appeared to have been detonated by mobile calls or messages, as with many other attacks of this nature. After the suspects were identified there was concern that they possessed additional devices and that those devices could be remotely detonated using mobile phones as well. Along with the Social TTL idea, there is a need to either neutralize, intercept or exploit the mobile phones of the suspects. This would have been even more essential with more assailants or a protracted standoff. Products exist that would allow law enforcement to disable a phone from communicating on the network, track it precisely and even send it direct messages.
Digital Canvassing: Digital cameras and video were not the only sources of information available at the time of, or leading up to, the explosions. There was also a high volume of Tweets, Facebook updates, Yelp check-ins, Instagram posts and even YouTube uploads. One idea for identifying potential witnesses or suspects is to play back all of those time-stamped posts to determine who was in the vicinity, and when. Similar to deploying policemen to canvass a neighborhood, a digital canvass would allow investigators to review what was in the public social space that might yield clues.
Behavioral Markers: Every friend of the suspects interviewed by the media said that they were shocked by the attack. That their friends had been normal Americans but that something must have triggered a fundamental change. Each time there’s an event like Boston or Sandy Hook or the Gabrielle Giffords attack or the Aurora movie theater shooting, we seem surprised that these acts occurred, that we could only see the evidence after the fact. In reality, the behavioral ‘markers’ were there more often than not. But any attempt at analytical prevention or detection approaches quickly encroaches on the privacy and civil liberties of people with psychological disorders or those of a given race or chosen religion. In light of the potential to save many lives, we must have the courage to do responsible research on the behavioral markers of people who are mentally or ideologically capable of committing mass murder. We must address the root causes and find signals that we can detect in advance so that we can prevent these events from happening.
Smart Phones for Law Enforcement: Government, from the Pentagon to local police departments, have been slow to embrace smart phones. This mainly stems from a legitimate concern for protecting sensitive information, determining acceptable use, limiting the high cost of migrating to a new device – even from the uncertainty of choosing the right vendor. But it seems obvious that the Boston suspects had a real-time information advantage over those responsible for tracking them down. The smart phones the suspects carried would have allowed them to listen to the police scanners (I’m not sure they did, but I did – so they could have), tweet to their growing list of followers, monitor the news and call their mother. This “net centric warfare” provided a time and information advantage over the chain-of-command information flow to radios and outmoded Blackberry email devices. Equipping cops with smart phones, connected to some of the information sources described above, would tip the playing field back in favor of law enforcement.
Information Security: The International Association of Chiefs of Police (IACP) and others have reported recently that law enforcement’s use of social media is primarily to disseminate information rather than to monitor or engage. As former Homeland Security Secretary Michael Chertoff wrote in The Wall Street Journal recently, BPD did a fantastic job of using Twitter as an authoritative information source to quell rumors and enlist the public’s help. However, this event also showed the need to be able to control publicly available information that may be used by the adversary. I suspect BPD had forgotten or didn’t know that its police scanners with detailed operational information were being streamed over the Internet. The rapid flow of information that is easily accessed by even the simplest smart phone raises the stakes for information- and cyber-security during events like Boston.
To close, I welcome your ideas, your comments, your additions, and your opposing viewpoints. In such a dialogue lies a tremendous opportunity for refinement and innovation of the tools and products that support our public safety and intelligence agencies.
# # #
Disclaimer: These observations are made from a distance; I was not part of the Boston response nor do I have input on these technologies from anyone who was. Moreover, this is being written while the event is still unfolding and nothing has yet been published about the tools and technologies that were actually used during the event. These observations and opinions, and any errors, are my own.