Beyond Tradecraft: Factors Affecting Open Source Intelligence

This is a podcast episode titled Beyond Tradecraft: Factors Affecting Open Source Intelligence. The summary for this episode is: Most Open Source Intelligence training focuses on tradecraft, and rightfully so. Less common is the inclusion of other factors that impact an analyst’s ability to deliver effective open source intelligence products. In this conversation, Cynthia Hetherington, Founder and President of the Hetherington Group, and Kyle McGroarty of Janes Intelligence Unit discuss Cynthia’s experience of open source research, from physical archives as a librarian, to managing research, and providing security investigations to a wide range of customers. The success of the Hetherington Group and Cynthia’s enthusiasm for the subject also inspired her establishment of OSMOSISCON, an annual conference for practitioners of open source intelligence. OSMOSISCON this year will be held from 10 to 12 October in San Diego.

Kyle: Hello, and welcome to this Janes Podcast episode. Today I'm joined by Cynthia Hetherington, the founder and president of the Hetherington Group, a consulting, publishing, and training firm that leads in due diligence, corporate intelligence, and cyber investigations. So first, let's give you the chance to say hello.

Cynthia Hetherington: Hello, Kyle. Hello, everyone who's listening. I'm very excited to be part of this podcast and to chit chat and share what I can.

Kyle: Thanks. So the thing that I noticed first of all, a master of Library Science, and then a master of Information Systems Management. So tell us about that.

Cynthia Hetherington: The background that I came from in the late 80s and the early 90s as a librarian taught me how to understand information needs, a whole psychology of human information behavior and how we seek out data and information. This is before we had the World Wide Web, so I was an early adopter of Gopher, Veronica, Jughead, and text-based platforms to get into the Internet. And just young librarian types, all competitively finding information, trying to stump each other with questions and queries. 25, 30 years later, that just turned into a corporation for me that allows me to do this for my clients. But it's the same principles. It's the same information understanding, dissemination, curation, cooperation. I'm going to keep using all these words because they really come together with defining our work product, as well as the products that we reach into to gather information for our clients. But the technology side of it allowed me to understand from the zeros and ones perspective how information dissemination, storage, and what we now call big data... back then it was SAS/Cognos, and Oracle machines. So I gained an understanding from the cyber and the information side.

Kyle: Okay. First of all, I love the idea of a group of cutthroat competitive librarians stumping each other with questions. That's fantastic. But you're right. That's the way it seems to have evolved for people who get really stuck in the delivering open source intelligence. I'm increasingly of the opinion that you can't do analysis in your own head and it requires at least two brains to bounce ideas between, but that's probably another conversation. There's a couple of other things I wanted to mention because I find them really impressive. So, 2019, Entrepreneur of the Year, New Jersey award finalist for Ernst & Young. And the one I'm even more impressed by, Enterprising Woman of the Year for the Enterprising Women magazine.

Cynthia Hetherington: Thank you for mentioning those. It was long in coming that I actually had my name put up for some of these accolades, and it was wonderful to receive. What I'd like to do, and what I like to emphasize in this was not that I won an award, and got to go out to a nice dinner, but that I'm a role model for young women who might consider going into the cyber space or into the intelligence space. And so in that year, I also received the CybHER Warrior of the Year from an organization called CybHER, C-Y-B-H-E-R, which really gets down to the high school and sometimes younger levels of young women.

Kyle: Oh wow.

Cynthia Hetherington: Yeah. Oh, it's so exciting. It's when you get to get teenagers, and tell these young girls who might... They've been introduced to STEM and other technology, engineering and sciences, where I never saw any of that in my young years. We were working with an abacus and a chalk board. But today, there's a lot of opportunity, and I wanted these young girls to see that they could be themselves. They could be sassy, but they can also be incredibly cyber. So all those awards are a matter of me saying, "This is a path that you might want to consider. And sure, you get a nice award at the end. That's fun."

Kyle: Yeah, and that's fantastic. And there's nothing quite like peer recognition. And it comes out in some of the quotes. So there's one from somebody you've trained that says, "I love it that you gave us methods that are ethical and easy," which is a great combination. But it's a great starting point. For Janes, as well. We deal with a lot of government customers, a lot of law enforcement customers, and the first question is, "Well, what's your open source intelligence policy? What's your country's open source intelligence legislation?" All of these things around GDPR, and data management, and are you aware of that, as an analyst, because that's going to set your left and right of arc.

Cynthia Hetherington: An interesting conundrum that we are presented as professionals. Because let's face it, although we are throwing the phrase OSINT around, and the whole online intelligence is... you and I certainly will recognize it. Our listeners will understand what that means. But this is still a very new field. And the framework to what a practicing proper tradecraft professional known as an osinter, or a collector, or an analyst, any one of those roles, really hasn't been studiously created, to the point where we say, "This is what that profession looks like." Unlike attorneys, or legislators, or doctors. There is very clear roles of... a code of ethics. So in the lack of having that content, and the fact that I did not come from a military or a law enforcement organization which gave me a code of conduct to abide by, I adopted my librarian's code of conduct. And that has always been precedent towards "Do no harm." And think of it this way. For me, my historical perspective coming into this, as a librarian in the early 1990s, we did not have Google. I was Google. So anybody and everybody who walked in off the street... there was no question as to what open source was. The library is the ultimate source place. And you said, "I need to find out something about Cuba. I need to understand more about this medical issue. I want to buy a new car. I want to sell my car." A librarian is trained to understand the quality of information sitting on your shelves, to select those books... Google, there's no selection process. This is why we have a lot of fact-finding these days, to vet our sources. But the librarian has already taken the time to look at those sources very clearly, and understand what are the pluses and minuses to each product. Janes is a product that goes back to my librarian days. And if I had to look up anything involving military, military aircraft, there was a book on my shelf that had Janes in there, and it was a vetted source. So that's what we would hand to the patron. But the key piece here is not so much that we were smart enough to figure out what was good and what was bad. It's that when we handed it to our client, we did not hand it to them with bias. I'm not a counselor. I am not an attorney. I am not a doctor. I cannot have bias in this information. And that is absolutely a guiding ethic in my practice, at both training and the work product we produce.

Kyle: I couldn't agree more. And it's a very hard thing to do in a digital world. There's two aspects to what you were speaking about. The first one is the structure of it. Janes is quite highly structured information because of what we cover. Once you understand how to read that, kind of go through it, it becomes quite easy to navigate it. But there's a world of information that's kind of distinct. You kind of get all the ingredients in one go from Google with a hundred million results on one particular topic. And how many people go to the second page of Google, or manage to get to the third page of Google, where there be dragons. Nobody clicks on the next page. It's always the top 10 results, and it's really strange because you can change your Google settings really quickly. So here's a bit of tradecraft tips for people: go into your Google settings, and change your results from 10 to 100. And now you've got even more. And that's one set of button clicks, and you're done. So yeah. You've got that structure, and then you've got the bias on top of it as well. Trying to understand where this information's come from, that is a whole other challenge for us, as open source intelligence analysts. But it's interesting what you say about it being a discipline. If you're in a law enforcement role, or a national security role, there are quite clear disciplines there. There's human intelligence, there's imagery intelligence, there's signals intelligence. In my experience, we're only just starting to get to the stage where people are going, "Oh, you are an osinter, a humanter, or an imanter. You are a specialist in this discipline." And it takes having a background in library sciences or other things that allow you to think about structured research.

Cynthia Hetherington: What's always been very compelling, or kind of saddens me, I should say, is that this should not be a specialist product. Frankly, we should be taught how to conduct proper research in primary and secondary school. We should be instructed how to look, and be an unbiased consumer of information. I have four college degrees. It wasn't until the third one that I learned how to conduct research properly, to understand that I can get results more efficiently, faster, not even just to be high brow and say I understand the content, I have pulled from these amazing curated databases, but to just say, "Gosh, I have to write a report about the Apache tribe. I can get that done in 20 minutes if I know exactly what source I'm going to." We do not teach this anywhere on the planet, as far as I know, how to conduct proper research. It's a big call for, I think, professionals in my tradecraft today that stand in leadership roles to call back to schooling systems and say, "This should be a requirement of young people" because it's Internet hygiene.

Kyle: Yeah.

Cynthia Hetherington: It's not just how to be a good researcher, but it's also how to protect themselves, how to understand how their information gets overspread, and overshared, and how they can become a victim. How their own social media post can be weaponized against them.

Kyle: And your point about the hygiene. This is the one skill that you can teach quite quickly. I remember having a fantastic boss years ago, who in a very broad Yorkshire accent that I won't try to imitate because I can't, said to us when he first took over the job, that being in a position of command and authority is like being a monkey climbing up a tree. The higher you climb, the more people can see your bare ass. "So I want to thank all of you in advance for shielding that, and saving me the embarrassment." He was acutely aware of just how much exposure he had as he climbed through the ranks. And he got very, very far. But that stuck with me because he was very aware of his exposure. But his kids, his wife, other people around him, every time he went to a public event, photographs that were taken of him, of his car, of his license plate, and everything else that was going on around him was fair game. And nobody seems to spend that much time, and it doesn't take a lot, just to start thinking about their own health, their own cyber hygiene, their own exposure. Because if you can find it on someone else, they can probably find it on you.

Cynthia Hetherington: I think if you look at it in terms of a different type of information, DNA information... So very popular today are these DNA databases. Take a swab, send it out to some company. They tell you you're from Wales, or you're from Uganda. And for $99, you can get a history, which by the way, people just without any recourse, just believe. And it concerns me because if... I would never... I have an entire article written about how to pull yourself out of these databases. I would never contribute that. That would never... That just doesn't go into my operational security behavior at all. But if my brother, or my mother, or my cousin did it? I'm automatically opted in.

Kyle: Yes.

Cynthia Hetherington: Same thing with information. If a CEO of a company decides, "Well, I'm too busy being the master of my world, my universe. I don't tweet." But his 16-year-old daughter's got a SoundCloud account, or is busy Instagramming everything she does out there, by default, he's exposed. So when we take on engagements with clients like this, it is always a full family engagement, or we will not take them on.

Kyle: Yeah. And I think that's the right approach. In fact, one of your... members of your board of advisors OSMOSIS, David Benford, who we spoke about, who's genuinely one of the nicest people I've met in a long time. He was helping me deliver a course, and one of the students asked about, "Do I go onto LinkedIn? Do I have an account on Twitter because I work in quite a sensitive job?" And his response was, "I could probably find you by where you aren't. There's a you-shaped hole in social media that fits you, and around the edge of that black hole, on that event horizon, are all those people you know, and they are pointing straight at you, whether you know it or not." Which I thought was a really interesting way of thinking about it.

Cynthia Hetherington: David is brilliant. And we so enjoy having him at the OSMOSIS conference, and just collectively putting our brains together, and just chit-chatting about this type of stuff. And he's definitely identified a very clear OSINT tactic. So I always tell those who are unsure, and we use a phrase "managed attribution..." They're unsure what their profile should be out there on the Internet. And I say, "Well, you should have something. But you can curate what people see." And as you identified, Kyle, very few researchers even will go past page one of the Google hits. And I always... My teaching method is that I actually start at the end of the Google hits. The last 10 links are very telling. So when we find a vacuum of data, we immediately start assessing that this person could be in any type of industry that might be connected to ours, or something similar, or why don't you exist. And then we start pulling in all the data of all the relatives. In fact, in our background investigations, we start a lot of times instantly with the spouse because she's going to tell me more about you than you are going to tell me about you.

Kyle: Yeah. Stuff she doesn't even realize, or he doesn't even realize. So I've got a couple of questions for you, because we are in the middle of the pandemic, or hopefully coming to the end of it, or at least the end of the beginning. How has 2020 been for you, in dealing with clients, and the requirements that they've had?

Cynthia Hetherington: Obviously, the pandemic is the worst catastrophe that I hope I ever see in my lifetime, and I've lived quite a few years. That said, and with respect to the calamity that it has incurred, this has been a boom year for me. My company has grown by 400%. I've actually brought on a new manager of intelligence, and in the next hour I'll be meeting with him, finally. And that's what's interesting, is the Zoom interviews and that...

Kyle: Oh, yeah.

Cynthia Hetherington: Oh.

Kyle: Colleagues you haven't met for six months.

Cynthia Hetherington: Even in our podcast here. I get to meet you, and... would we have met? Would we have even thought about doing this a year ago? Everything would have been in-person or presence meetings.

Kyle: Yes.

Cynthia Hetherington: So the volume of meetings has increased. I'm perfectly fine. I don't get Zoom exhaustion. I relish an audience and a stage, so I'm okay with doing this type of transaction. And my clients love it because they can sit from home, and talk to me, and ask me for questions. In our intelligence world, in the world of open source intelligence, risk intelligence and protective intelligence, not only with COVID, but also with the world's calamity of political upsets in the past year, and certainly with being aware of the conditions of what people have been putting through, and the duress, there's been an escalation of security needs. So my team supports all the boots on the ground security practitioners. We're the operational intelligence that supports them in the back end. And again, 400%, new hires. I've hired three people in the last month.

Kyle: Wow.

Cynthia Hetherington: Just incredible opportunity. And Kyle, I was a business owner and an intelligence operator during 9/11, always a private company. And the last time I've seen an increase like that was then.

Kyle: Wow.

Cynthia Hetherington: There's been ups and downs. There's been market trades. There's been other little bumps. But this is now when we get to shine. And it's an incredibly unfortunate circumstances, but heroes are never made heroes because they help the old lady across the street. It's because they grabbed her because she was falling from a fiery building. We're there when other people necessarily can't be.

Kyle: You're right. And it's strange because it's always something slightly different. I switched from... I had 12 flights booked in the space of about eight weeks. Oh, God. The days of having flights pending, and long haul ones, as well. I was going to spend a good five weeks, on and off, in hotels. And then the pandemic hit. They got canceled, and I switched wholesale to support on COVID-19 tracking. And what do I know about COVID-19 tracking? I'd spent a little bit of time with the Health Protection Agency while I was in university, so I had some kind of understanding about public health outbreaks, but very basic. And I had to take that, build on what that had taught me to understand the type of information that you need in order to look at large scale pandemics, and then start supporting clients to deliver some reporting that was helpful for them. Because most clients that we had, they have no idea about public health outbreaks. They're not looking... They don't have pandemic experts, sitting, waiting for something like this to happen. So it was a real challenge. And then, like you say, the growth in demand has been very huge, but also we spend more time on Zoom, so that's more digital exhaust that we're pushing out, we are more concerned about the information that we've got, that we're putting online. We can't really do anything about it because you can't live a digital life at home and avoid any of that. And the difference between 9/11 and now technology-wise is just staggering. There's so little information around by comparison... there was still quite a lot. I'll never forget looking at that piece of research... I can't remember who did it, kind of the end of November, looking at the individuals... 2001, looking at individuals who were involved in 9/11. I thought to myself, "How on earth do you find all that information so quickly, put those relationships together, and start understanding the links between the individuals?" And it was public. He was able to publish it. I think it was in the New York Times. Hats off to them. Their researchers are exceptional.

Cynthia Hetherington: Absolutely.

Kyle: The quality of some of that research... I mean, their response to the Beirut blast, that awful tragedy? That was an exceptional piece of journalism that brought together all sorts of things. And then you had... I think it was Forensic Architecture did the three-dimensional view of it. And these are resources that I mention because people should go and take a look at this. If you're looking for ideas on how to do your open source intelligence in new ways, I always try and tell clients, "Go, take a look at Forensic Architecture, or Bellingcat." I just got their book. I can't wait to start diving into it as soon as I get the chance to actually do some reading. It's really quite incredible, the amount of information we've got.

Cynthia Hetherington: What's interesting is that in the two agencies that you point out, the New York Times and the Bellingcat, I have a coquettish envy of them. And it's because I read their work, and I feel like I just showed up to the party. I'm like, "Oh."

Kyle: Yeah.

Cynthia Hetherington: How dare I call myself a researcher? How dare I call myself an analyst? Please remember that they have exceptional work. I mean, it's just... It's why it gets the awards that it gets. In fact, my OSMOSIS gave them an award last year because we were like, "This is what it should look like." But when you're given the time, and the breadth, and the depth, and you have editors, and supporters, and you're... And I'll poke fun. Like, if you have Janes who's helping produce this document, you have an analyst who can really hyper focus on that in a period of weeks, to create that kind of tome of intellectual capacity that shows off every angle of a threat system. Most intelligence, Kyle, is done in less than 24 hours, though.

Kyle: Yeah.

Cynthia Hetherington: That's why we have briefings. That's why we have updates. Sometimes that's why you get emails from us. When you do risk or protective intelligence, you don't have the ability. So I want to make sure the analysts who listen to this feel like they always have to aspire. You should. In your analytical career, everyone should create basically a version of a college or high school term paper that says, "This is what my enterprise looks like when I really have the capacity to pull it together." I wrote three books in that style. But when a client calls up and says, "Barbarians are at the gate. Do I open it or not?" That's when your intelligence and action... Well, actionable intelligence. That's when you're really producing quickly. So those works certainly set a standard, but it's not the benchmark that we're all trying to reach every day.

Kyle: Yeah. And it's also client-specific. I come from a background that's highly hierarchical. It's very rigid. There were very set ways in which information flows into and out of an organization and amongst the analysts within it. So when I do train individuals or organizations, I say to them, "I actually don't teach open source intelligence. I teach intelligence." I teach the processes, the workflows, the sorts of things that you need to understand, that support documents. The fact that you need an intelligence collection plan. The fact that you actually need a relationship with your customer, your internal intelligence customer, when you can say to him, "Is that really the question you want answered? Or is that the first question that came to mind, and actually you're thinking about something else?" And never guide them and try to provide left and right of arc, and lead them down an alleyway. Because you're not there to make a decision despite the number of times somebody has asked me, "Well, you wrote this. What do you think I should do?" I'm not getting paid for that. But you do try to structure it. And if you understand how your own organization works, you can start to build those frameworks, and those processes so that they do fit your ability to respond to somebody's questions. Because you're right. You don't get a question six months out when things are good. You get a last minute question that's going to ruin your Friday afternoon because it invariably comes at 2:30 on a Friday afternoon. And they go home expecting an answer on a Monday, and you're there until midnight. That's not a gripe. I thoroughly enjoy my time as an analyst in uniform, but that tended to be the pattern.

Cynthia Hetherington: Kyle, what you just described is the life of an analyst. So when I get a new hire in, the first thing I tell them is, "You have to rethink about what your weekends look like because the last day of the week, the last hour of the day, the last week of the month, the last month of the year, so during... when everyone else is going on a holiday during what could be the Christmas break, you're going to be sitting at your desk doing somebody else's last minute work." And they get that. But in the event of what you're saying is... I want to enunciate on something you talked about in the question phase, and this is hyper critical for us to kind of focus in on. I was speaking with Arno Reuser, who's a well-respected OSINT professional from the Hague. I think he's out of Leiden in the Netherlands. And he and I were chit-chatting. And he's also a librarian and archivist. So we were really having a nerd fest with each other this week, and we both agreed on this one concept that you just put the period on the end of the sentence for me. A patron walks into a library and says, "Where is the New York Times?" And as a librarian, you're like... It's a very strict question. "So the newspapers, all the periodicals, are over there, sir. Please go help yourself." And you walk over, and inevitably you see them standing around, looking a little frustrated because they're looking at today's newspaper. And they come back to the reference desk, and they say, "Where are the other New York Times?" Now, a Google or someone who's new to this would say, "Oh. Well, we keep that collection over here," and just stop. A librarian learns... and I'm not trying to espouse that everyone needs to go to the library school. But this was a good tradecraft taught to me. A librarian learns the reference interview. "You know what, sir? We have the New York Times in the collection over here to the side. Is there something specific I can help you find in there? Was there an article you wanted to capture? Is there a piece you need? Do you need an index because there's a lot of financial indexes in there?" And they'll either make that choice... They always make that choice right there. Like, they either trust the librarian is going to understand their question because they come in assuming that we shelve books all day and don't understand or have the capacity to think as deeply, as technically, or as business-wise as they do. But when in fact, you say to them, "I probably could get the answer for you in five minutes versus you sitting there, and digging through 400 layers." And here's the hard part in the question and answer session. You have to be kind. You have to not look at them like, "Hey, I have my master's in this. I'm really smart, and you should respect my authority." You've got to really handle that interview in an appropriate way that gets them to... elicits them, gets them to give you the specific needs so you can get their answer, and get them out of your library so you can go back to reading popular fiction.

Kyle: Yeah. No. I couldn't agree more. And the quality of your response is the thing that demonstrates the competence. The sort of question, "What is China doing?" Well, probably winning. But could you refine the question? Oh, actually, I can see the bottom of your signature block, and it says that you are concerned with amphibious operations, and... so what you really mean is, what is China doing in the South China Sea around artificial... Like, I can see where that question's going. But you need to understand not only your audience, you understand your customer. And then start to understand the sorts of problems that they're facing. So on that note, what do you find are the most common questions that you get from clients?

Cynthia Hetherington: Well, I don't feel like we're fielding this question as much as when I first started 20, 25 years ago when I would go out in front of a client and make a presentation that they should hire us to do this very elegant style research form. And then the question then was, "Well, I have a pretty sharp secretary and Google. What do I need you for?" And at the time, my little sharp answer back was, "Well, I trained Google. I've been to California. I've stood in front of their classes, and I've taught their corporate security team how to Google Google." It always seemed to impress them because I was speaking their language of, "Who could step on each other faster."

Kyle: Yes.

Cynthia Hetherington: But I feel like the greatest challenge is in our community right now... because I am looking at a higher threshold, and setting a benchmark, is clearly defining what an OSINT professional is, the very many ways that we approach this. I'm private sector; there's military; there's law enforcement; there's environmental; there's space. I mean there's every kind of... I would always fall back to, "We are very specialized researchers who charge money."

Kyle: Yeah.

Cynthia Hetherington: But I'm clearly caught up in trying to make sure that our profession is defined. My OSMOSIS conference was clearly an attempt to establish a tradecraft association, and an attempt to get us all gathered in one place where we can sit there and have these conversations, and meet the different types of us so that we can share. One thing I also would enjoy mentioning is that we don't all come from the library world. Very few of us do. But we all have the same librarian's approach of sharing information. Not necessarily reports and details, but sharing amongst each other what our tradecraft is growing. Because everybody that I talk to in this industry is very vested in "I need to be seen as a respected individual at the table."

Kyle: Yes.

Cynthia Hetherington: So we're trying to, as a non-autonomous society, verify and vet each other and the industry, and get the wannabes, and the show-ups, the last minute guy who's got a Google account, and maybe a public records database and says, "Oh, I do OSINT." How do you define yourself from those individuals?

Kyle: Yeah. Or who spent 2.5 thousand pounds a month on a tool that they don't understand how to use. Which is another problem that we have, the constant, "Oh. Have you got a tool for that? Could I find a tool for that?" And I find it really strange because I can do two weeks of 10-hour days and find nothing on a subject. How do I go to a client and say, "I've done two weeks' worth of work. This is X amount, but I found nothing," and still convince him that actually it's worth paying for two weeks of my time despite the fact that he has not got an answer, or she has not got an answer. And I think if you've got a standard for how open source intelligence is done for the basics that you would get in any other... plumbers, lawyers, doctors, accountants, that's a really appealing idea. Quite how we do that is a challenge. I look at Bellingcat and BBC Africa Eye, and their research was phenomenal. But what I realized was, that wasn't traditional OSINT. That wasn't one person sitting there, going through a library, going through online resources. That is a group of people who are collaborative, who are talking to each other, who are reaching out to individuals on Twitter and other places. And if you're an OSINT researcher, and you're not following some of the luminaries of the subject on Twitter, then you're missing out on some great tradecraft, and some tips. And nobody seems to be particularly precious about their tradecraft because I learned it from someone else, who learned it from someone else. And hey, if you just happened to read Google's files on how to use Google, most of the answers on how to do this are there. But pulling it all together, and practicing it, that's the challenge. And then for SOCMINT, it becomes even worse. And I feel like there's an ever-increasing set of expectations about what social media can deliver. That's a big challenge for us. How is it for you, guys?

Cynthia Hetherington: It's interesting because now more acronyms are sneaking into our language. And this is a lot because of A, marketing, and B, we have so many military folks who have come over, and they're now in our world, and they love acronyms. It took me probably 10 years to embrace the expression "OSINT" because I still call it Internet research.

Kyle: Yeah.

Cynthia Hetherington: It's stuff you find using the Internet and the databases you get access through... Hello? The Internet. No one's dialing into Dialog anymore. But SOCMINT, all of a sudden, is a phrase that... Well, I shouldn't say "all of a sudden," but is a phrase that we get to pass around a lot. And SOCMINT to me... I think it's trendy, and I might be getting tweets about this. But I think it's kind of trendy. I think it allows people to offer training on... social media intelligence, it takes me 10 minutes, and another 50 to teach you how to do open source intelligence in social media. Because you want to set up an expectation. You can, in that day, teach somebody a Facebook, or a LinkedIn. But if the APIs, you're completely reliant on the backbone of another technology. So it's like understanding how to analyze a submarine moving through the ocean while it's moving. It could turn. And in that world, I think I'd rather be more about our tradecraft, and more about the proper attempts of crosstalk data, and not so much teaching the data points, the Parlers, the Twitter, but how do you conduct research on something that's in a web 2.0-based technology, an XML system, or... Because the one thing that social media gives us, that is consistent, is somebody else wrote the software. And it's genuine software. It's not hypertext markup language. It's an actual software program. And in software is consistency and regulation. So yes, you can build a button tool to strip out as much as is available from the API on that whim of that day. And I call them the buttonologists. The people who call it OSINT, but sit there and just push tools all day? They forget that they need to be able to do this without the tools at hand. What if you lose that free resource? What if Google is down for a day? What do you do? And I have an exercise where I make people understand the source information of what they would look for to answer certain questions if Google wasn't in existence.

Kyle: Oh, I couldn't agree more. Kashmir, three months of no Internet. I believe it was 2017, the Indian government shut off the Internet in part or all of India 154 times. Somebody is going to tell me that those statistics that I've quoted are wrong, but the spirit of it is there. And they have a conversation that's ongoing with Twitter and other organizations about how that's managed. We'll just ban TikTok. Well, great. So now, you have lost a feed. Not only have you lost it because the API has been blocked, or there's a new security protocol, like with Facebook's Graph Search. But now you've lost access to it completely. Sudan was a great example, where the Internet disappeared for two weeks in the middle of all this turmoil. It comes back on two weeks later, and people just start uploading stuff. So now, all your timelines, and all your date/time stamps are out of whack because everything looks like it happened on the same day. Because it was all uploaded on the same day.

Cynthia Hetherington: Oh, yeah.

Kyle: But it happened over a two-week period. So how do you break all of that down? And this gets us back to two things that we started talking about. You're a Master's of Information Systems Management. How do you manage this data? Because this is a different set of tradecraft. And also the ethics because if I'm stripping out an entire country's social media, I'm very, very quickly going to come up against an invasion of privacy for a whole group of individuals, not just legally but ethically, as well. So at what point as an open source intelligence analyst, or an Internet researcher do I turn around to my intelligence customer and say, "I can't do this. There are these reasons why." You don't have the technology background. We don't have the resources. We don't have the access. We don't have the funding. Or this is just plain unethical. We're not taking 20,000 people's private conversations, even if they are available. And there's a difference between private and accessible. What I might tweet as somebody who works for Janes, that is accessible and public. What I might have as a conversation with friends of mine on Facebook or anything else, that is private and has nothing to do with Janes. And yet we see those overlaps, and those problems. So how do we manage that? And I think that's probably not as much a part of our open source intelligence training as it should be.

Cynthia Hetherington: It's brilliant. This is a conundrum that society of competitive intelligence professionals was addressing easily 25 years ago. And it was, when given access to private information that is really telling, and what a brand, or a company, or an organization may be shifting, and what do you do with it? And they had clear codes of conduct assessed to that. And I respect that immensely. But I also had to separate from them because I'm also a private investigator, and that's a very different tool kit. It's a very different tradecraft, and there's a different set of ethics. So in line of what the end product is, what is the customer communication, what is the information need, I will make an assessment as to what data I am looking at, and say, "This can or cannot be valuable information for my client." If I were given access to private conversations, toll records, or things that are normally protected... First of all, you look at the data as data. And the data itself, in my terms of metadata. Not like it's a Word document. It was printed on 12-12. It's more along the lines of... This comes from the government of Ghana, and this has the words of "confidential, private." It wasn't leaked through a media source already. It isn't already common knowledge information, but it was really something somebody threw on my desk, I'll read it.

Kyle: And that's the challenge. Because as the analyst, you... sure. We read that because we look at the data and we want to do something with it. But now is the decision. Do you include it in the report?

Cynthia Hetherington: Yes. We definitely don't want in the end to be like, "I'll read it," and then Cynthia cuts away. Because that's the trick. I will read it, and I want to know what information is being presented to me. Because there could be any reason, or a number of reasons that that information is deliberately being put under my nose. Then I will make an assessment. That is a by the drink assessment. It's not a de facto statement. My gut will always say that I will always go the ethical route. So I'll never expose that point of information. That will never show up in my report. I won't reference it if... because frankly, in the corporate world, if the client gets their hands on it, they can be held to any number of trades, laws... There's any number of reasons you could get them in trouble. So I have to behave as the hand of the entity that has hired me. That doesn't mean that I will not try to find five other ways I can get that information to help. It might be the lead. And this is the clear definition of evidence, intelligence, and hearsay. Intelligence is the information that Janes gives me. Someone has gone through all this content, has curated it to a point, and will give me something I can trust and verify, and put into a report. It's intelligent, it's a trusted source. Hearsay is that bit of information we just captured that could be questionable. Can I get an intelligence source to help back that up? Can I find a public record, a document, or make the illusion enough based on other hearsay that leads to it? That's true tradecraft.

Kyle: Yeah. And it's as much a skill as it is something that is taught. It's as much a kind of innate curiosity where you look at something and think, "I might have read that somewhere else. Let's go back and find something that corroborates that. If I can find something that corroborates it that is publicly accessible, then let's make a decision whether we include something like that." I mean, Parler is going to provide no end of questions, and should provide no end of ethical questions for anybody that's doing research on that data set. We'll park completely the question about the politics of the individuals that are on there. That's neither here nor there for this debate. But what you do with that information, private conversations that people are having, pictures that they might have put up, videos, metadata, geolocation data, how you deal with that? Where you send that analysis, that should cause you a long pause for just trying to figure out what you're trying to say. Because it would be tempting to drop a 100 pages of a report with all of this information there, but it doesn't actually tell anybody anything. It looks fantastic. You can charge a lot of money for it if you're in a private role, but actually, it isn't answering the question. It's just gratuitous exposure of somebody else's private communication. And that to me seems like it's a morally reprehensible thing to do. So how do you balance that?

Cynthia Hetherington: Kyle, I have a question for you right off of this. So there you are, doing some research, and you come across some sort of private communications, or some sort of protected type data. But it's alarming. It's not just, "I think this company is going to take over that company." Frankly, it's got nothing to do with companies. It calls into question life peril for the security of a body of people. I'm happy to tell you what my approach is to that. But what would you do when you see something that is so alarmist that you're glad it's protected?

Kyle: It is a very difficult thing, I think. Within the researchers in Janes, we've had these questions, and we've got different backgrounds. Amongst our open source intelligence analysts and amongst the trainers, we'll take a step back there and go back to the customer. So what is my... why am I looking at this research? Is the customer a public body? Because if the customer is a public organization, a government organization, law enforcement, then my first question is, if I'm going to be conducting research on their behalf, I'm being paid to do this research, I should hold myself, as a private organization, to the same standards around their limitations policy-wise and legislation-wise. So if it was a U.K. organization, for argument's sake, do I look at RIPA and say, "Well, I don't have the processes in place," because RIPA is very set processes. But the spirit of it is that I need to have some audit trail for my research, some reason why I've done the research I need to apply to somebody with authority who is going to say, "Yes. Do that research." I need to say when I've stopped doing it. And if there is a direct threat to life and limb, then I need to have thought about that before I do the research. If I see something that indicates there is the possibility of violence occurring in London, who do I talk to? What is the mechanism for getting that there? How do I back that up with evidence, with an audit trail, with something that may not be digitally forensic quality, but is approaching that. And if I do that, do I open myself up to a bigger set of questions? Can I stand up in the court of public opinion, where so much of this is decided, and say, "I saw something that genuinely alarmed me. I went to the authorities. I conducted this research because this is what I do for a living. I am confident that I hold myself to a set of legislation and policy that... I don't have to because I'm a private organization, I do what I want... or an individual freelance researcher, but I want to obey the spirit of that law. And if there's a question afterwards about the reasons why I've done it, I'm sure I can stand by those." That's a long answer to your question, but I think it's a complicated question. Yeah. I absolutely would. And I think that that should be a mature response to it.

Cynthia Hetherington: I love that. You were very good and clear. And I appreciate your entertaining me and letting me ask that question because it's a lot of... We definitely want to cover our analysts, but at the end, if somebody's going to die and I have the information, yes. It's easier to ask for forgiveness and permission in some cases. But that's not quite the truth because we become the whistleblowers, in a sense, and whistleblowers are always villainized. I work in an organization called the Association of Certified Fraud Examiners, and every year we bring a famous whistleblower on stage, and they tell their story.

Kyle: Oh wow.

Cynthia Hetherington: And like Harry Markopolos from the Bernie Madoff matter, who's a dear friend...

Kyle: I bet it never ends as a positive story. I bet they're still suffering the repercussions of it.

Cynthia Hetherington: Because frankly, you're a tattletale. That's what people believe. Oh, you're a tattle... Oh, you had this information. And yet, if they didn't, we would have villainized them if they didn't say something. So...

Kyle: Yeah. They're either complicit, or they're standing by their principles.

Cynthia Hetherington: So I think this kind of draws to a fine point, that we as specialized information researchers, are always looking at something that is one mouse click away from being really expository, and overly explicit. And we have really... We have to tender... That's why I started... when we started talking, I said, "Do no harm." We really have to think about the action we take every time we sit down at a computer. The roll call that we have, the people we report to, and here's the quick and easy answer to my other question too is, you have management. Most OSINT analysts are not working in a bubble by themselves. There is a protocol, and there's, frankly, someone at a higher pay grade that can answer those questions for you. And that's what I teach when I talk about ethics in OSINT. Go ask your boss. Make this somebody else's headache. Just be the specialized researcher. And when you grow up to be the boss, you can then answer those big questions.

Kyle: You know what? I couldn't agree more. And when you said the word "explicit", it reminded me of a conversation that I try to have whenever I do training, which is the duty of care that managers have to make sure that their analysts can deal with what could be potentially very difficult. Because if you are doing HUMINT, or you're doing SIGINT, or you're doing IMINT, you're aware of when it starts to creep up. You could click the wrong link, particularly the dark web, and there be dragons. So nobody knows what it is, and everybody's worried that someone's talking about them on the dark web. My answer is, "You're probably not that interesting." And it's the dark web. It's like that for a reason. I could spend years harvesting 99% of it and still not find that one bit of information that makes you think it's worth paying for, but it probably isn't. But if I've got a junior analyst, somebody... or even a senior, seasoned analyst, are they clicking on something that very quickly leads them illicit, illegal, upsetting, disturbing, explicit material that now starts to affect them because researchers are people, too, despite our OCD tendencies, and how do you, as a manager, deal with that? It's also because if that happens in isolation, and the guy just steps away from his screen, or the woman steps away from their screen, and says, "I just need a moment," everybody else in the room is going to look around and they're not going to go, "Oh, he's stumbled across something." It'll be, "Why is he looking at that?" And then it's an HR issue, and then it's a mental health issue. It doesn't need to be that way. One of our trainers did a lot of work doing animal rights activist, so investigating animal rights research. And that was awful for him. He said that was really difficult.
And he'd spent years in the military, and like myself, years in the military, the thing that really got to me was working at the City of London police, and walking into the digital forensics room and... there it was. I didn't sleep for about four days. Because it's graphic and it's awful. And you're so exposed. So for anybody who is a manager of open source intelligence researchers, Internet archivist, whatever title you have, think long and hard about how you manage that, and how you talk about it amongst other analysts so that it is something that you can deal with. Especially if you're looking at things that might be a risk to life.

Cynthia Hetherington: Near and dear to my heart with this content. I started out in Internet research when cyber forensics was starting... computer forensics. We were still on 386 and 486 computers when I was meeting my first cyber cops who were breaking down computers, and you could do it by hand, and now we do it by machine. But it took about... And that's why I really remember... It was all child pornography back then. And about six years into that world growing, those cops started changing. I would see them at conferences. And they would change. Their marriages were breaking up. Their lives were messed up. Their heads weren't straight. And people smarter than me, and behavioral science identified that it was a post-traumatic. So you'd think I would be brilliant about this. I hired some of my first analysts, and put them in front of computers, and started... And it wasn't even necessarily the truly nasty bits. It was watching someone just get broken down on Tumblr. One girl's profile, and how she was being ripped apart. Because we were trying to rescue her online identity. And she was just being torn to pieces.

Kyle: And it's the repetition of it.

Cynthia Hetherington: Oh, yeah. Again, there are people out there who can explain it to us in scientific detail, but we know... I looked at this analyst, and I'm like, "What's up with you?" And she's like, "I'm just so tired of looking at this all day." And I had enough presence of mind, because I don't always, to look at her and say, "You're burned out. I've put a case in front of you too long. I need to deal with this." And since then, we have a mitigation standard here. From the very frivolous... I have dogs in my office. You probably hear her scratching on the outside of the door. So we have dogs that run through, which seems very silly, but is quite disruptive in the middle of the day to have a dog throw a tennis ball in your lap, and it kind of breaks your train of thought.

Kyle: Yeah.

Cynthia Hetherington: Which I think analysts need anyway because you mentioned it early, we're OCD. We don't get up and stand, and walk, and breathe, and get fresh air. We don't do that. We really dive in. So when you're diving into bad content, it's like diving into a pool filled with acid and not water.

Kyle: Yeah. Especially when there's a time pressure to deliver a report. And also, back to your comment about how you deliver something that is unbiased. If you're struggling with PTSD, or you're dealing with something that's... How do you deliver an unbiased report? So from a professional standards level, let alone human care level, this is a bigger deal than I think a lot of people appreciate.

Cynthia Hetherington: Yeah. People have bias. And you have to understand where they're coming from, and know what they're doing when they're pulling their reports together. We were given a client has been quite corrosive in the last year. And when the client was introduced to us, I thought... My analysts asked me like, "Will we do work for them?" And I said, "Well, what's the work? Let's get down to basics." It's background investigations. They wanted to hire new employees, and they wanted to make sure their people were not criminals, or from an opposing force, or... And I thought, "That's pretty straightforward." And our work is never biased. It's always about the facts speaking for themselves. So I said, "So what's your concern?" And they're like, "Well, but it's that group."

Kyle: There's your bias.

Cynthia Hetherington: And I said, "No. We do not treat... there is no that's, them's, you's and us's. There is paying clients and unpaying clients."

Kyle: Yeah. No, I agree. I can't remember which politician it was that said, "Never attack somebody's intent because you don't know it."

Cynthia Hetherington: Exactly.

Kyle: And that's, I think, the objective way to take it. So we've spoken for about an hour. Almost all of it has been about open source intelligence, and almost none of it has been about open source intelligence tradecraft, which just goes to show how much there is around this subject. I believe OSMOSIS Con 2021 is the 10th to 12th of October?

Cynthia Hetherington: Yes, it is.

Kyle: In San Diego.

Cynthia Hetherington: Beautiful San Diego.

Kyle: Yeah. Pandemic willing, I am hoping to attend. So we will meet in person then, which I am very much looking forward to.

Cynthia Hetherington: We are very excited to see you there, to see Janes there. The conference is in its seventh year now. It's growing every year. Even through the pandemic, we've been growing in numbers. And again, it's starting to get on the desks of those small, singular OSINT houses, where they're really expert at what they do, but they're not surrounded by the entire military organization. Too, the large military organizations. We're all coming here because we all have open source intelligence in common. And we will talk tradecraft. We'll talk a lot of tradecraft when we're there.

Kyle: Which is great. And the nice thing is, we'll learn from each other, which is fantastic because there is a very collaborative spirit within people who do this for a living. And that is something that I enjoy very much so. I'm not the hyper competitive librarian that you mentioned earlier.

Cynthia Hetherington: You can get in the ranks with us. I'm sure you can mix it up with the rest of us in our Dewey decimal system.

Kyle: I will do my best. Cynthia, thank you so much for taking the time. And hopefully, we speak before... I'm sure we'll speak before October. But if not, I will see you there.

Cynthia Hetherington: Kyle, thank you so much. It's been a real pleasure to be on this podcast with you today. My email address is out there on the Internet. If anyone has any questions, or wants to throw any ideas at me, please feel free to reach out. I'm looking forward to seeing you and Janes at OSMOSIS, and hopefully some of your listeners.

Today's Host

Harry Kemsley

President of Government & National Security, Janes

Today's Guests

Cynthia Hetherington

Founder and President of Hetherington Group