Intelligence Generates a Cyber Picture
The borderless world of cybersecurity now is benefitting from geospatial intelligence products. The U.S. National Geospatial-Intelligence Agency has joined the fight against cybermarauders by providing imagery to help cyberwarriors track down online adversaries. Experts defending the United States from cyber attack abroad have a new tool in their kit by being able to see the facility from which digital malefactors are plying their wares.
The agency long has provided a variety of value-added geospatial products to customers throughout the defense and intelligence communities. In turning its eyes toward cyber, it combines data from partners to produce a unique product that over time may alter the agency’s mission.
Lisa Spuria, director of analysis at the National Geospatial-Intelligence Agency (NGA), explains the agency can help provide information about a potential location of cyber activity. The NGA can help find that site, she states, and it also can provide imagery products for efforts against cybermarauders.
“When you actually find a location where cyber activity might be occurring, when you see it, it really does enable much better understanding of what might be going on,” she offers. “We bring the location information—the finding information—as well as visualization, being able to see it.”
When other elements of the intelligence or cyber community suspect malevolent cyber activity may be taking place in potential locations, the NGA can help find that spot, she explains. The agency known for its imagery will help locate facilities or buildings housing that activity. Customers then can view the suspect facility and assess activities accordingly.
“When you can visualize a [cyber] location, it can be really powerful for people to see a place or a building,” Spuria points out.
The NGA does not go out hunting cybermarauders on its own. The agency is part of a cybermission team spanning the Defense Department and the intelligence community. Customers would approach the NGA with intelligence on potential cyber target areas, and the agency would incorporate this information to narrow down the location. It produces a product designed to fit whatever information the customer has.
“It’s an iterative process; we do it in collaboration,” she explains. “That sometimes helps us narrow it down.”
Customers usually request a simple description of the potential target—its appearance, its location and any distinguishing features. This description could be very revealing—for example, a set of microwave dishes on a building’s roof could tip off analysts that a structure is more than just an innocuous building. In some cases, customers ask the NGA to identify a specific location. Usually, the request is fairly general, Spuria allows.
Analysts across the intelligence community work directly with their counterparts among the different organizations, and this collaborative process generates requests for cyber geointelligence. These relationships foster the day-to-day work over time, she says.
Spuria describes this activity as a relatively new area in which the NGA did not know originally what form its contribution would take. The agency still has been “scratching the surface” of understanding what it can bring to the cyber table, she says, calling it an emerging area.
Accordingly, the NGA has not yet altered its collection processes to serve this emerging cybermission. Any assistance it provides to the nation’s cybermission comes from existing collection capabilities at the agency. The NGA is applying its regular analytic tools to the cyber geointelligence mission. Spuria allows, however, that the agency’s new cyber role might drive the agency to examine other areas of collection.
With its new mission growing in importance, the NGA is addressing the issue of tradecraft. “We were not sure what the outcome was going to be when we first started [cyber geointelligence],” Spuria admits. “So, we took a very deliberate approach to building a tradecraft—we take more of a deliberate approach so we get the tradecraft down and make sure that we are refining it and going about it in the right way. It’s been very successful, so we will put some additional analysts on it and we’ll probably begin to develop some more specialized tools and training.”
NGA experts originally were not trained in cyber geointelligence, so the agency must develop the craft of the discipline as it evolves. “We are learning a lot as we go,” Spuria allows. “The process that we follow is we document what we learned, and we actually have built some training for our analysts based on what we have learned to date.” She offers that much of this effort entails NGA’s senior analysts training junior analysts. “We really are right in the middle of the development right now, and it’s a ‘learn, document and refine’ process, and then document and training as we mature it.”
The agency’s partnership with the National Security Agency and the U.S. Cyber Command will help the NGA continue to grow this tradecraft, she adds. The NGA is “spending a lot of analytic effort” to develop that tradecraft.
A key to this tradecraft is to think about an intelligence problem from a geointelligence perspective before tackling it, Spuria says. The NGA has a different view of the world than what other agencies might have, and this must be factored into the agency’s cyber operations.
“If you started at the beginning, a lot of people would have said, ‘How can geointelligence, which is very visual, really add something to understanding cyber, which is in the cyberworld?’” she offers. “It took some creative analysts to sit down and think about it from a visual perspective, and it is very powerful when you begin to identify facilities and locations—and really visualize what the cyberworld looks like from a physical perspective.
“Everything is somewhere,” she continues. “Cyber activity has to start from somewhere, so there must be some physical manifestation of it. We really can enable the understanding of location and the visualization of it. When you think about it that way, it changes your view of how to tackle the problem.
“When you can visualize what you’re trying to understand, it helps everyone—no matter which [intelligence] discipline they come from—really understand the issue on the same page of music,” she continues. “Everyone then begins to understand the fundamental underpinnings.”
“People tend to be very visual,” Spuria points out. “We want to see it, to understand it; and the visualization really brings it alive. Something as complex as cyber is hard to bring alive, and visualization is really powerful for that.”
While the NGA works with academia on a regular basis, Spuria cannot cite any examples of this cooperation in cyber geointelligence. From industry, the NGA hopes for training assistance and tradecraft development. The agency has done this in the past with other partners, she notes.
Eventually, as tradecraft emerges and the NGA develops a better understanding of its role and what it is bringing to the table, the analysts will generate ideas for the kinds of tools they may need, Spuria says. This will lead to a partnership with industry to bring in specialized analytic tools for cyber geointelligence. “It’s all tradecraft- or mission-driven, and over time we’ll see even more engagement with industry to help us build those tools,” she says.