Drowning in data - complexity's threat to terror investigations
Knowing everything, except what happened?
That does not, however, make what they do sensible. There was some dispute during the Home Affairs Committee sessions over how long it took to image a hard disk, but whether it's 30 minutes or 12 hours (which is what it is in Met procedure) isn't massively relevant. It's the time that's spent poring over the data on the hard disk, searching everywhere for the slightest clue, that's the killer. Police are to some extent now being selective in what they try to analyse, but it is probably still more a case of them deciding whether or not to conduct an extensive analysis of a whole hard disk, rather than being selective within it (e.g. a check of the email client, browser cache and other likely places). And with reference to mobile phones, witness Vinesh Parmar of the digital crime unit of LGC Ltd made a telling point: "Too often we get requests which say we want everything, which in reality is not a workable request. What we find is that law enforcement agencies need to start understanding the data that is available and to start understanding what is possible evidence or what is intelligence... At the moment a lot of work we do is fishing expeditions where we are basically requested to grab everything out of there and we do not know the case history."
To some extent this is the product of the completist police mentality that demands that all computers with the slightest connection to an enquiry be seized and examined in painstaking detail, but it's also what you'd expect to happen if police had first arrested a suspect, and second started to try to find the crime.
Just imagine...
In Hayman's showcase exhibit the threat is imaginary, but one suspects imagination can also form a component of the real thing. Real terror cases and claimed terror plots frequently include plans to attack major public buildings, tall buildings (e.g. Canary Wharf), international airports, and references to CBRN weapons use. Few if any of those that have been "frustrated" or documented so far include convincing plans (even plans, full stop) for actually mounting the attacks, sourcing the deadly poisons and constructing the weapons. Transcripts meanwhile are peppered with lurid and unfeasible attack ideas (often sounding uncannily like the sort of thing a mouthy teenager would say to impress his mates) and references to 'terror manuals' which often turn out to be dodgy survivalist poison recipes and/or the ubiquitous Encyclopaedia of Jihad which, as it includes references to tall buildings, is a handy fall-back if the prosecution is in want of a target list.
We can, by going a little theoretical ourselves, try to understand what's happening in such cases. Young men disaffected with the state (you know why) get together, talk, consider actions. Being young they're Internet and mobile phone aware, so they use technology for some of their communications and maybe contact similarly disaffected young men in other countries. They consider bombs, and they've heard a hell of a lot about tall buildings, aircraft, chemicals and poisons so guess what, they talk about these too, and maybe they start researching how to do it. And guess what? They're almost certainly going to find those very same dodgy poison recipes, excerpts from the Encyclopaedia of Jihad and a few beheading videos. Are they dangerous yet? Are they a major international terror plot to be frustrated? Probably not. Yet. But it's the first anniversary of the July bombings this week, and that's reason enough to accept that disaffected youth can grow into real terror.
There is clearly a major problem for the security services in distinguishing disaffected talk from serious planning, and in deciding when an identified group constitutes a real threat. But the current technology-heavy approach to the threat doesn't make a great deal of sense, because it produces very large numbers of suspects who are not and never will be a serious threat. Quantities of these suspects will nevertheless be found to be guilty of something, and along the way large amounts of investigative resource will have been expended to no useful purpose, aside from filling up 90 days. Overreaction to suggestions of CBRN threats is similarly counter-productive, because it makes it more likely that nascent groups will, just like the police, misunderstand the capabilities of the weapons, and start trying to research and build them. Mischaracterising the threat by inflating early, inexpert efforts as 'major plots' meanwhile fosters a climate of fear and ultimately undermines public confidence in the security services.
The oft-used construct, "the public would never forgive us if..." is a cop-out. It's a spurious justification for taking the 'collar the lot' approach, throwing resources at it, ducking out of responsibility and failing to manage. Getting back to basics, taking ownership and telling the public the truth is more honest, and has some merit. A serious terror attack needs intent, attainable target and capability, the latter being the hard bit amateurs have trouble achieving without getting spotted along the way. Buying large bags of fertiliser if you're not known to the vendor and you don't look in the slightest bit like a farmer is going to put you onto MI5's radar, and despite what it says on a lot of web sites, making your own explosives if you don't know what you're doing is a good way of blowing yourself up before you intended to. If disaffected youth had a more serious grasp of these realities, and had heard considerably more sense about the practicalities, then it's quite possible that fewer of them would persist with their terror studies. Similarly, if the general public had better knowledge it would be better placed to spot signs of bomb factories. Bleached hair, dead plants, large numbers of peroxide containers? It could surely have been obvious.
Does that work? Does it get us very far? No, in the sense that it doesn't stop the sympathisers from sympathising and it doesn't stop all of the bombs. But given that neither of these is going to happen whatever the police do, and whatever the law says, we need a long-term survival/endurance strategy that doesn't drown the security services in a swamp of data, doesn't turn us into a police state, but does whatever is feasible to minimise risk. Despite what they (including the Home Affairs Committee) tell you, we've been here before, and it isn't all that different this time around. ®