Open Source Pitfalls

Michael Tanji, writing both at his website and Wired’s Danger Room, discusses the benefits of open-source intelligence compared to the more traditional, secret sorts of things we think of when we use the term “intelligence”. The case he makes is a good one, but I have to object to part of his article.

He writes that “…[W]hile secrets always come with baggage (is the source lying to you? does the source even know what he’s talking about? is the information old? is this a trick?) OSINT can be fact-checked in real-time by multiple sources”, and this is true, up to a point. However, I don’t think this adequately represents either aspect – secret or open-source intelligence. Consider:

Secrets come with baggage, yes – but some come with much less baggage than others. Humans make notoriously unreliable sources, but within certain limits, many technical intelligence sources – communications intelligence, electronic-emissions intelligence, materials-analysis intelligence, for example – provide relatively inarguable facts. (The interpretation of those facts, however, is where problems often arise.) If you intercept someone’s private communications, for example, you know what he’s saying, and probably to whom – but without further context, it might be meaningless, or highly misinterpretable – and there’s always the slight chance that you’ve fallen for a counterintelligence deception operation.

I’m not sure the term is entirely applicable – traditionally, “intelligence” is the value-added end-product of analyzed “information”, and while the information at play might be open-source, the actual analysis and intelligence production rarely is – but whatever you choose to call it, open-source intelligence isn’t necessarily any better than other sorts. Wikipedia editors have been arguing for years about how you accurately identify a “trustworthy source” online without getting anywhere, and my cynical-sounding but very real belief is that the vast majority of news stories – regardless of source, author, or media outlet – contain at least one substantive error, however small. Yes, you can often use multiple open sources to fact-check one another, but all too often, unless you have foolproof ways of identifying the people behind OSINT sources, you run the risk of the very real pitfall that is using a single source to confirm itself – or just as bad, relying on a single, otherwise unverifiable source.

Tanji is spot-on, as is the CRS report he quotes, in saying that, at the end of the day, it’s the analysis that counts. You don’t consistently get good analysis without having good information and intelligence to work with, though – or analysts with sufficient experience and expertise.

One of the things that fuels my interest in OPSEC is the implicit way that its practices acknowledge both the blessing and the curse of OSINT. OPSEC, of course, is centered around the recognition that your opponents can, by analyzing a lot of minor and seemingly unimportant pieces of essentially open-source intelligence, get a look at what you’re really up to (which, presumably, you don’t want them to). OSINT collection can bear a striking similarity to OPSEC exploitation, in that you’re collecting lots of little pieces which, in and of themselves, have little if any independent intelligence value. At the same time, much – if not everything – relies on analysis and those who perform it.

Intelligence is the future, most likely, and like Tanji says, the value of information lies solely in its utility, not how it was obtained. To be useful, it needs to be analyzed – without the mistaken belief that being “open source” adds to (or detracts from) its credibility – by people with the ability, experience, and tools to do so.

Published in: General, Security | on December 14th, 2007
