Reverse Deception: Organized Cyber Threat Counter-Exploitation (45 page)

A profile can provide the “catalyst” that ties together evidence in a way that leads to the offender. Sometimes an investigation will contain a set of evidentiary objects that are linked to the crime, but the investigators have not been able to tie them together in a meaningful way that will assist in identifying the offender or eliminating potential suspects.

Another way that a profile may be deployed is one where it plays a much more proactive role in the identification and apprehension of offenders by getting them to perform some desired action. Developing a comprehensive understanding of the personality, motivations, skills, and environment within which a perpetrator operates gives the pursuer the information with which to develop a set of strategies that manipulate the behavior of the targeted individual or group.

The objective of the manipulation varies according to the final outcome that is selected by the profiler and his team. In many cases, such as Brussel’s Mad Bomber case, the objective is to maneuver the target into performing some action—often some form of communication—that contains additional information about the identity that can be used to narrow the list of suspects and further guide the investigation.

In other cases, the objective of the team is to guide the profiled target into performing behaviors that are part of some more complex plan, where the identification and apprehension of the target may not be the final objective; that is, the behaviors that the target is guided to perform may be just one related but necessary element of a much larger schema where the objectives involve additional actors, materials, and events. Having a fundamental understanding of the psychological and social psychological makeup of the individual actors involved, as well as the social context within which they are operating, allows profilers and their teams to plan specific actions that encourage the targeted individual to perform the desired behaviors, which in turn move the larger scenario along the desired path. More will be said about this use of profiles in
Chapter 10
.

The Nature of Profiling

The nature of the profiling process is essentially one of winnowing. Starting with a complete population of potential suspects, the profiler carefully examines the physical and behavioral evidence to draw some basic conjectures about the offender. Each offender characteristic that the profiler can accurately extract narrows the pool of suspects. For example, if the profiler can be fairly confident that the offender was male, then the suspect pool is cut approximately in half. If the profiler can confidently state that the offender is between the ages of 15 and 29, this eliminates about three-quarters of the US population. If you combine the two, you have eliminated almost 87 percent of the population.

If the profiler can make the assumption that the offender resides within a local geographic area—say one that encompasses a suburb of 4,000 individuals—there might be only 520 males who match the demographic criteria in that area. This then narrows the suspect search space to a point where the authorities can begin examining additional data for these individuals and arranging personal interviews for those who appear to have the best chance of being the offender.

Unfortunately, this winnowing of the population process doesn’t always work as neatly as just described. For example, it may be the case that the population that contains the universe of individuals including the offender that you are attempting to profile is actually a subpopulation of the US population. For example, let’s assume that the profiler has identified the subpopulation that the male offender is a member of as the malicious hacking community. The good news is that you have reduced the suspect pool from more than 300 million persons to let’s say 100,000 individuals. The bad news is that, assuming the malicious hacker community subpopulation pool is approximately 90 percent male and 10 percent female, you have eliminated only 10 percent of the members of the suspect pool.

A second issue arises from the fact that the probabilities of various demographic characteristics may not be independent of each other. While Brent Turvey just assumes that you can multiply the probabilities together to get an overall probability of an offender having a certain set of demographic characteristics (Turvey, 2008), in fact because these probabilities are not independent, the simple product of the probabilities of specific demographics in question will produce an incorrect overall estimate of the incidence of an individual with those characteristics existing in the subpopulation under investigation.

Winnowing down the statistical odds through a single class of characteristics such as demographics still leaves a rather daunting number of potential suspects. Profilers often combine many different types of evidence, both physical and behavioral, in the process of developing an offender profile. In the case of traditional profiling, it may be the time of day the crime was committed. In the “Information Vectors for Profiling” section later in this chapter, you will see how temporal elements can assist both traditional profiling and cyber profiling missions.

The environment surrounding a traditional crime scene may also give the profiler clues about the perpetrator. A violent crime committed in an open space with expectations of normal foot or vehicular traffic may suggest an unplanned crime of opportunity, while one committed in a more secluded area suggests more forethought and planning might have been involved. Conversely, a computer crime committed on a heavily loaded network segment where there are multiple avenues of entry—some of them on heavily trafficked subnets and others on less-traveled paths—may suggest a level of preplanning in terms of wanting to hide where there is a wide variety of heavy network traffic destined for a number of open ports.

Basic Types of Profiling

As Bongardt points out, there are two basic types of offender profiling: retrospective profiling and prospective profiling (Bongardt, 2010).
Retrospective profiling
refers to the traditional development of a composite profile of an individual through the behavioral and physical evidence linked to one or more crimes thought to be perpetrated by the same individual or individuals. The focus of retrospective profiling is on investigating and solving a specific crime or set of crimes that have already been committed, through the enhancement of traditional investigative approaches offered by a physical and psychological profile of the offender.

Prospective profiling
examines the characteristics of past crimes and crime scenes with the intention of building a classification system designed to assist in the identification of future offenders. Now, the definition of “future offender” is open to interpretation. In one sense, future offender can refer to a perpetrator who has committed a crime after the taxonomy has been developed. In this case, the taxonomy is used to highlight probable characteristics of the offender in order to assist investigators in their apprehension of the perpetrator for a crime that has already been committed.

A second interpretation of future offender that has been applied in some cases to prospective profiling is the deployment of characteristics of past offenders and crimes in predictive models. In this case, the characteristics in the profiles are used to predict the probability that an individual may be likely to commit a criminal offense in the present or in the future. This leads to some rather interesting and sticky ethical and legal issues. Particularly suited for intelligence purposes and objectives, the ability to differentiate a pool of potential current or future offenders into a risk taxonomy—such as low-, medium-, and high-risk individuals—can be an effective tool to assist in focusing agency resources on the most likely sources of current or future threats.

Conducting this particular variation of prospective profiling of pools of potential offenders or threats may bring with it unique and specific risks. From a legal standpoint, there may be issues of providing legal substantiation to deploy data-collection mechanisms that collect the data necessary for the statistically based prediction model to be computed.
⁶
Many of the predictive variables may consist of personally identifiable information whose collection, retention, and use might be constrained by federal, state, or foreign laws. One example of this conflict between the need for data collection and the law was the discovery in 2007 that the National Security Agency had placed taps on large capacity data lines in the AT&T data offices in San Francisco (Nakashima, 2007). There was an immediate outcry that this activity was illegal and the legal fight revolving around the legality of these taps is still raging today.

In addition to specific legal and charter issues regarding the collection of information on United States citizens by the US intelligence community, there is also the substantial issue of public outcry against US government entities collecting personal information about its citizens, especially when there is no evidence of a crime being committed. A good example of this occurred during late 2002 when news of a new anti-terrorism program called Total Information Awareness (TIA) emerged. First described by John Poindexter at the Defense Advanced Research Projects Agency in August 2002 (Poindexter, 2002), TIA was a collection of programs that included efforts to collect information on US citizens that would then be warehoused and specially developed algorithms applied to the data to search for evidence of suspicious activity that might be linked to terrorism. It was in December 2002 that this became a national issue as the
New York Times
published details about the TIA program and a public outcry ensued (Rosen, 2002). While much of the program was dismantled after extensive protests from the American public, a number of those programs managed to survive to this day.

The challenges both from the legal as well as the public outcry arenas may result in databases that either do not contain key predictive variables or have sparsely populated key variables. While these types of statistical models can and have been used in sparse information environments where there are missing data elements due to legal or logistical reasons, the presence of missing data in these models often degrades the performance of the model, and in some cases, can render it nearly useless.

There are also risks that must be assessed from a methodological and statistical perspective. Statistical models may be deployed, for example, to estimate or predict the probability that an actor is likely to commit a specific act. In fact, statistical models can be quite useful in identifying and isolating critical data elements within very large and noisy data environments. They are also quite useful at helping researchers decide whether a difference in a characteristic between two groups is likely a true difference or probably the result of random chance. Further, statistical models are quite good at extracting latent, often abstract and unobservable features from data sets. For example, a cluster model might be able to group individuals into distinct behavioral groups based upon common behavioral traits. This is something that can be quite useful in more strategic areas where developing standard profiles of specific groups is a valuable task.