The arrival of threat actors at the United States border has been an issue at least since the nation’s boundaries were confirmed with the Treaty of Paris in 1783.
Things are a bit different today, but perhaps only in volume and modes of transport. A bevy of boats, motor vehicles, trains, and aircraft bring millions of travelers to U.S. border crossings and ports of entry. The task for border agents, of course, is to identify and separate the threat actors from the crowds of innocuous families, vacationers, and businesspeople – not an easy assignment even in the best of times. The current environment, as it happens, features the complications of a global pandemic, mass movements of displaced persons, and the ongoing danger of drug cartels, gangs, and terror groups.
The efficient collection and processing of threat intelligence becomes a must for protecting the nation’s boundaries. But border agents must confront numerous challenges in doing so. Here are the top six with a few observations on methods and practices for overcoming the obstacles.
1. Identity deanonymization
The key query at the border is whether the person wanting to enter the U.S. is who they claim to be. That’s perhaps the ultimate in frequently asked questions. In 2020, a year in which COVID-19 curtailed travel, the U.S. Department of Transportation documented more than 93 million land border crossings.
Most checks are routine, of course. But threat actors’ ability to mask their identities in the online world makes for some complicated outliers. Fake accounts abound on well-known and widely used social platforms, forums, and websites, providing threat actors with a degree of anonymity. A threat actor may also link his or her bogus account with other fake accounts to create the appearance of legitimate connections. This activity occurs on the surface web of indexed websites and everyday use. Threat actors, however, can burrow into the deep and dark web layers, which are not indexed through conventional search engines. Here, sophisticated users can employ anonymizing browsers and proxy servers to better conceal identities and achieve a much higher level of anonymity.
Border agents, however, can deanonymize identities. This process involves making connections among pieces of information obtained from the surface web and the internet’s underground tiers. Even savvy threat actors end up leaving digital footprints in their online journeys. An email address or phone number may link a threat actor’s activity on a dark website to a social platform on the surface web, for example. WEBINT, or web intelligence, provides a structured way to collect and analyze data gleaned from the various web layers. To build such intelligence into an organization’s set of investigative methods, a border agent will need insight into how the dark web works and some tools such as specialized browsers for accessing otherwise hidden websites.
Increasingly, automation plays a role in augmenting threat intelligence methodologies. Manual searching and analysis across the multitude of surface and dark websites quickly become time-consuming and untenable amid the volume of travelers that agents must process at border crossings. Automated methods, however, let an individual investigator comb through vast amounts of information in a reasonably short amount of time.
2. Determining network connections
The ability to analyze social connections can serve as one of the most powerful investigative methods for agents protecting the border. This approach sheds additional light on a threat actor. In some cases, a threat actor’s lack of social connections could indicate a fake identity. For example, a conjured social profile will often follow many accounts but have few followers. A barrage of newly created connections could also flag a fake identity, since a threat actor may hastily concoct a few “friends” to create a fictitious backstory.
In other cases, however, social analysis helps to uncover a threat actor’s broader network, which could include gang, cartel, or other threat-group affiliations. Here again, automation can help accelerate the investigation methodology, enabling agents to quickly and accurately identify the would-be entrant’s associates and the risk they pose to the homeland.
Agents can also use social analysis techniques to zero in on smuggling operations. Threat actors across the border have taken to messaging apps, where they use social engineering to identify likely collaborators in the U.S. Threat actors use the promise of quick cash to entice their targets — teenagers from low-income families, for example — to pick up and transport people coming from across the border. Officials can disrupt such transactions if they can determine where the recruitment is happening online and keep tabs on suspicious activity.
3. Analyzing big data
Organizations that can’t harness data effectively can’t realize its potential to expose threat actors and their networks. Border agents must be able to sift through massive amounts of data when processing people and cargo — and discover the telling bits of data that make all the difference. The mission for investigators: turn the big data problem into a big data advantage.
Agencies need a plan and a repository to ingest and analyze data. But to target the right data, they also need to create a dictionary of specific keywords, search terms, and objects that reflect the investigative priorities of a given jurisdiction. The terminology will differ from one area to another based on active threat groups, locally used languages, and regional colloquialisms, among other factors.
The dictionary helps automate the process of searching for the critical pieces of data in a threat investigation. A generalized parsing of data won’t work. The search criteria contained in the dictionary must be highly specific. This necessity calls for more than methodological rigor and technical capability: Organizations will need to tap into the institutional knowledge that only highly experienced border agencies will possess.
An automated search takes that knowledge, applies it across large volumes of data, and rapidly brings back results. A manual search could take hours, if not days, when conducted on a per-platform, per-individual basis. Think about an organization searching through photos to identify possible threat actors. A single social presence could contain hundreds of images. A manual, image-by-image investigation can’t be accomplished within a reasonable timeframe.
This search method also lets organizations assign a risk score to potential threat actors, based on specific criteria. The more “hits” a person accumulates regarding keywords, search terms and objects, the greater the urgency for a second look. While not a perfect science, this investigative approach helps agents rapidly triage an influx of arrivals at the border and prioritize those calling for additional investigation. The alternative is to become overwhelmed by numbers.
4. Assessing travel footprints
Border agents need access to an arrival’s travel history, or footprints, before clearing a tourist, business traveler, or emigrant to enter the United States. Geolocation intelligence plays a pivotal role here.
Travelers may leave a trail of digital breadcrumbs when they check in at different locations. Exchangeable image file metadata can also shed light on recent journeys. Such sources offer non-traditional location attribution, providing geolocation intelligence that develops a strong pattern of life.
Social asset analysis, meanwhile, can shed light on a traveler’s connections. So, agents can potentially learn who a person has been meeting with during recent journeys. The geolocation intelligence lets agents determine the veracity of a traveler’s claims regarding their recent activity and the social analysis can reveal associations with threat actors or threat groups.
Automation, as previously noted, accelerates the task of analyzing geolocation intelligence across a multitude of platforms. And timely decision support is precisely what’s needed at the border.
5. Detecting irregular activity
The more a border agent understands a traveler’s context, the better they can assess the risk of entry. Identifying unusual patterns in their international movement, however, proves difficult without a wide-angle view of travel history.
Quality geolocation intelligence pays dividends in this area as well. Indeed, if the assessment of geolocation intelligence creates a strong pattern of life, it also offers a behavioral baseline for detecting irregular activity. Digital vetting can raise red flags that a border agent could otherwise miss.
6. Detecting illegal border crossing points
Digital vetting can help agents at conventional border crossings and ports of entry. But what about illegal crossing points? In this case, signals intelligence, or SIGINT, can help agents locate illegal entry areas. SIGNIT identifies threat actors’ cells phones and other mobile devices as they travel off the beaten path. The constant activity of a threat actor carrying various mobile devices contributes to a larger data pool of identified SIGINT which ultimately creates a pattern of life for the device holder. This is ultimately a data gold mine for border agents as it delivers deep insights into unidentified routes, stash houses, and rendezvous points. It will also help law enforcement agents pinpoint porous border zones that are being exploited and construct important timelines from the point of origin, the journey to the border, and into the United States. SIGINT can play a critical and decisive role in border security.
A force multiplier
The challenges of threat intelligence acquire higher levels of complexity at the border. Gaining an edge in this high-volume and high-stakes field requires a mix of human investigative expertise, a well-thought-out methodological approach to investigation, and judiciously applied technology.
As for the latter, automation augmented with emerging artificial intelligence technology can serve as a force multiplier. AI’s processing capacity and ability to find correlations in troves of data serves as a force multiplier. An individual border agent can dramatically extend his or her experience, captured in a keywords for automated searching, across scores of travelers and their associated digital footprints. The upshot is faster data analysis plus the ability to quickly unearth obscured identities and hidden connections. Speed isn’t the sole advantage. The precision of carefully selected keywords contributes to operational accuracy.
In addition, border agents have an opportunity to merge WEBINT, a dynamic data source that offers insight into recent events, with static government datasets, which lend historical background. Government records on a threat actor’s past activities – previous incidents and border crossing locations, for example – can place current actions into a new context. The combination offers another multiple effect: the two sets of data become stronger together than they were individually. That’s the type of edge border agencies need as they deal with mass movements of people and cargo.