There is no shortage of high-priced OSINT practitioners filling classrooms and lecture halls across the country. The once-disregarded art of surfing the Internet for information has become a full-blown discipline. Many of the practitioners travelling the country as subject matter experts (SMEs) are indeed qualified and very experienced in extracting information from various Internet sources. The one aspect most current instructors miss, however, is what to do with the information once it has been extracted.
Just like the intelligence cycle, competent OSINT has a specific workflow: Research, Extract, Sort, Analyze, and Disposition. Research is the topic of most open source classes and symposia. Thousands of law enforcement, security, and intelligence professionals are very adept at scouring the Internet for information. Most of them are equally adept at extracting the information they need. Where the cycle falls apart in many cases is at the sorting phase. Here practitioners need to stop researching and extracting and look through the data they have. Decisions need to be made about what is important and what is not, based on mission parameters. The data needs to be further categorized in terms of direct impact on the mission, ancillary impact, and questionable impact. From here, the deep analysis begins.
Analysis of open source information is contingent on the overall impact to the mission. If, for example, you are investigating a series of photographs depicting a subject holding firearms, and the subject is a prohibited possessor, the analysis of the photos will need to be rigorous. An investigator will need to determine whether the suspect is readily identifiable. Are the weapons he or she possesses real or fake, and what clues lead to either conclusion? How recent is the photograph? Where was the photograph taken? Finally, what was said about the photograph by the poster and the followers? From a criminal intelligence standpoint, what about this post has ramifications beyond this case? A private security officer who is examining the photographs must review each comment to measure the general mood of the posts. A lot can be learned about employee social networks and insider threats by reading comments.
Aside from meaningful analysis, the disposition of open source information can be one of the hardest phases of the cycle. Here, a practitioner needs to store the information or deliver it to the customer who needs it. In law enforcement you have two main choices: case information and criminal intelligence. Case information means the information is evidence and needs to be stored and processed in accordance with court procedures for prosecution. The implications of such a disposition are many due to the various methods for storing digital information. If it is determined that the information falls into the criminal intelligence realm, it is governed by 28 CFR Part 23 and will need to be audited. In the intelligence field, this information may need to be sent to other intelligence professionals for analysis of larger threats or trends. Private security may share the information with human resources professionals, or store it as part of insider threat investigations. In any case, the disposition of the information will ultimately be scrutinized and must therefore be handled carefully.
Open source intelligence (OSINT) is still an emerging tradecraft and will go through many iterations before it is commonly accepted. Following the cycle above and seeking out training that reinforces the cycle will build a cultural foundation for practitioners and make the discipline far more reputable. As challenges arise, security will be found in establishing solid industry standards like the cycle described above. For those in command positions: seek out full-scope training and move away from training that focuses on only one aspect of the discipline. After all, looking at a small piece of the canvas is nowhere near as inspiring as seeing the full painting.