During my last tour in Afghanistan, Palantir was quickly becoming the sweetheart analysis software suite of the Army and Marine Corps. Before I deployed, I sat through a class offered by the company, and immediately recognized that it’s great software. Intelligently designed, easy to use, top notch functionality, and categorization options allow an end-user to drill down and really dissect the adversary and surrounding events. It is, however, only as powerful as the end-user allows it to be.
By the time I left the intelligence community, I had become disillusioned with the state of the average analyst (though not every analyst) and much of leadership which is more interested in developing the latest technology instead developing the minds of their analysts. Intelligence analysis is, and likely will be for decades to come, 80% investigation and 20% technology; but tools like Palantir are trying to invert that into 80% technology and 20% investigation. Without a highly inquisitive mind motivated to find the solutions to unanswered or seemingly unanswerable questions, and the proper analytical methods to pick apart your adversary, your analysis of information of intelligence value will be found wanting.
SPACE is an acronym that every good analyst should use, especially where it concerns community security. Its roots are in our operational security (OPSEC) manual, and when the adversary doesn’t care enough to implement SPACE into his security considerations, it’s our job as collectors and analyzers of information to exploit their mistakes.
One of the things an analyst should consider of his adversary are his vulnerabilities, which makes OPSEC so important to both parties. In SPACE, we are presented with invisible vulnerabilities: indicators that aren’t often considered and don’t appear to be vulnerabilities on their faces, but are useful nonetheless when applied to the enemy’s operating picture.
Keep SPACE in mind when inventorying your own security measures. It may be the case that the analyst assigned to you fails to consider them. Then again, maybe he doesn’t. Each piece of information from the SPACE method is cumulative; each on its own isn’t as powerful as when they are all taken into consideration.
Signatures are identifiable, unique, and stable to an individual or group of individuals. A signature is an encrypted or signed email, or a message from a specific phone or email address, or a semantic tell – the way we speak or write, for instance. These are pieces of a puzzle that can be collected and analyzed to form a better understanding our adversaries. A signature is something standardized (or roughly standardized) in the way you operate that may identify you as being separate from someone else, much like a signature recipe is to a chef. Serial killers have signatures. Gangs and gang members have signatures. You will never mistake the sound of a monster truck for that of a Toyota Prius, or a dog’s bark for a cat’s meow. Observed over time, the way you communicate likely presents a signature. A signature may not always be deliberate, but it’s a calling card that helps an analyst identify a specific, and perhaps anonymous, individual.
One of the easiest and simplest ways we can identify and record signatures is to look for gang-related tagging and graffiti in the area. Take a photo of the tag in or around your community, and begin a collection. We can use these photos to identify gangs that may be present in the area, as well as establish the boundaries of the gang activity. Analyzing the locations of a particular gang’s graffiti or tagging could help us understand their area of operations or “turf”.
Signatures may develop a pattern of indicators called a profile. In Afghanistan a convoy of jingle trucks led and followed by a couple gun trucks fits the profile of a supply convoy. No one would mistake this profile for that of a U.S. security patrol or raid. In each case, the jingle truck differentiates itself from others by its signature, the same as a gun truck would. You’d never mistake a jingle truck for a gun truck; but, added together, we get the supply convoy profile. Another example would be a customer wearing a Ford baseball cap in a gas station purchasing $50 of diesel fuel. If forced to guess, would you conclude that he drives a 3/4-ton Ford pickup or a Toyota Prius? If you stopped at a red light behind a camouflage-painted Ford Ranger with two Browning stickers and a Size Matters deer antler decal, would you expect the driver to be wearing an Obama ’16 t-shirt and a drinking a cup of Starbucks frappachino? No, because his signatures fit a specific profile.
When presented with two separate but anonymous individuals — for instance, two different graffiti “artists” who belong to the same gang but have distinct characteristics, or signatures, to their tags — our first step towards identification is to develop a profile for each of the gang members. If each of the tags has its own signatures, what can they tell us about gang-affiliation? Are they the same or different gangs? Once we associate a tag with a specific gang, then we can get a much better idea as to the threat level the gang poses to our community.
Associations help adversaries to interpret actions. Good analysis is about identifying indicators and patterns in order to predict future events. We ask ourselves, is one event associated to another and, if so, what does that tell us about the two events? These events could be phone calls, emails, travel patterns – all indicators of communication – associated with specific events. We might identify a pattern of communication before an event, and therefore associate the two. In Iraq, perhaps it’s the case that when one specific phone number calls another specific phone number, there’s a sectarian bombing against the civilian populace the next day, but only when those two specific numbers communicate. That communication is an indicator and we form associations between the phone call and the bombing. The next time we see those two phones light up, maybe we increase security, harden our fixed targets, or remove the possible target altogether.
So how can we develop associations start with gang tags? In the Signatures paragraph, I talked about mapping gang tags to get a general idea of the gang’s area of operations. As long as we have the members of our community documenting and reporting the locations of these tags, then we should also be speaking with them about who’s responsible for the tagging and about gang membership in the community. If we can develop streams of reporting, then we can begin associating tags to individuals, individuals to gangs, and individuals to activities. Identifying these previously unknown or anonymous gang members is the absolute first step in targeting them or their behavior.
Just like the contrast on our televisions and computer screens, which ranges from black to white, good analysts observe contrasts in the battlespace, or for an individual or organization. An example of contrast for an individual is the route to and from work. If our subject takes the same route every day, but today makes a change by turning onto a different road, then that’s a new contrast. If our subject calls his wife every day after work, but stops making the phone call, then we’ve just identified a new contrast. Those actions beg the question, “Why the change?” These contrasts are red flags for analysts, and good analysts begin looking for the reason for the change in baseline activity. These deviations should cause us to ask questions and identify the reasons why there was a change in expected behaviors or patterns.
So what are the expected communications, actions, battle rhythms, or operational tempos from a profile we’ve developed? Let’s start by identifying the baseline activities of the gang members (or drug addicts or burglars, etc.) in our community. How would we describe their baseline behaviors and crimes and activities we expect from them, and with what frequency do those crimes and activities occur? Once we’ve answered these questions, then we can begin looking for patterns that don’t match the baseline and identify why there are changes.
Exposure consists of three factors: duration, repetition, and timing. Phone calls placed at random iterations, each lasting for two hours, is an example of duration exposure. The same is said for phone calls that last for ten seconds. The duration of the phone call is potentially important for us — what conclusions could we draw based on the length of the call? Next, repetition exposure is observed when a phone call occurs repeatedly. That repetition means something and could give us clues as to patterns and associations. Finally, those phone calls that occur at 7pm local time are an example of timing exposure. Why always 7pm? — that’s a question that deserves some attention.
What we’re developing with these three types of exposure is what’s called a pattern of life. These factors of time help us form associations, perhaps geographically, so we can begin identifying patterns in an individual or organization’s daily activities. And once we observe these set patterns, they can be exploited, especially if these patterns lead to predictive intelligence — that is, being able to predict where you will be Wednesday afternoon based on the patterns you’ve previously exhibited.
Back to our gang scenario, how can we identify exposure with gang activity? Starting with duration, how long do their activities last? A robbery, for example, lasts how long? If we’ve observed a handful of robberies from the same individuals and each of them lasts fewer than five minutes, then what does that tell us about their tactics, techniques and procedures? How long are future robberies likely to last? Probably less than five minutes. Or if there’s a rash of robberies over the period of two weeks, and then zero robberies for a week, and then another rash of robberies that last two weeks, based on the patterns of duration, when will the next robberies begin and end? Identifying patterns in duration can help us understand how the adversary operates, and that’s a critical step in stopping them.
For repetition, we can find associations in time and date of gang activities. Do gang meetings or robberies occur every Tuesday, or every 14 days, for example? Just like duration, repetition allows us to develop predictive intelligence, which greatly aids in the targeting process. These same is said for timing exposure — if these robberies are occurring sporadically or with no identifiable frequency, are there any patterns in the timing of robberies?
Although we just covered five characteristics of activities that will help us to build a pattern of life for our adversaries, keep in mind that your adversaries may be building a pattern of life for you, too. Do a SPACE Analysis on yourself and identify the patterns you set and how they could be exploited. Humans are creatures of habit, so be sure to identify the habits or patterns you exhibit.
SPACE Analysis can be used to find patterns and associations for a multitude of things, not just gang activities. Put it in your analytic toolbox and apply it to real world situations that affect your community.