WEBVTT 00:05.320 --> 00:06.910 - Must be ice cream time. 00:06.910 --> 00:07.960 Look at this. 00:07.960 --> 00:09.700 Everybody's off getting ice cream. 00:09.700 --> 00:11.390 So good afternoon. 00:11.390 --> 00:15.350 I'm Jeanie Layton from DIA, the CIO office, 00:15.350 --> 00:18.260 specifically the Open Source Integration Cell, OIC, 00:18.260 --> 00:21.080 which, OSINT Is Cool I like to say it stands for, 00:21.080 --> 00:23.740 but the Open Source Integration Cell. 00:23.740 --> 00:25.620 My colleagues here are Mr. Lawrence Cooper. 00:25.620 --> 00:28.910 He heads up the training, tradecraft and policy, 00:28.910 --> 00:30.540 and I'm gonna actually have him kind of 00:30.540 --> 00:33.620 delve into some of that today. 00:33.620 --> 00:36.260 And then to my left, Major McCabe heads up our 00:36.260 --> 00:39.290 tools and capabilities team on the staff. 00:39.290 --> 00:41.780 So what we'll do is give you kind of the 00:41.780 --> 00:46.170 broad brush on the OIC, and then leave a lot of time 00:46.170 --> 00:48.100 for Q and A, should you have any. 00:48.100 --> 00:49.990 So I don't have any nice slides. 00:49.990 --> 00:51.380 I obviously didn't get the memo 00:51.380 --> 00:53.090 there was a monitor here today. 00:53.090 --> 00:56.550 But just to kind of help set the stage, 00:56.550 --> 01:00.080 I just wanted to define initially 01:00.080 --> 01:03.020 the difference between PAI and OSINT, okay? 01:03.020 --> 01:05.482 When we refer to those terms, 01:05.482 --> 01:08.130 PAI, Publicly Available Information. 01:08.130 --> 01:08.963 Can you hear me? 01:08.963 --> 01:10.620 You can hear me. 01:10.620 --> 01:14.420 PAI, we often think of things you could Google, 01:14.420 --> 01:15.760 search for on the internet, 01:15.760 --> 01:18.120 information you can subscribe to, 01:18.120 --> 01:20.930 anything that basically you probably are 01:20.930 --> 01:23.730 at home now trying to get your arms around. 01:23.730 --> 01:25.820 Whether you have to pay for the subscription, 01:25.820 --> 01:29.650 or you just based on a portfolio it's fed to you. 01:29.650 --> 01:32.710 You have public access to the information. 01:32.710 --> 01:35.810 When we talk about OSINT, specifically what that is 01:35.810 --> 01:40.720 is PAI that you're seeking as an intelligence professional 01:40.720 --> 01:42.940 in response to a need. 01:42.940 --> 01:46.180 So if you have a requirement for some information 01:46.180 --> 01:49.360 that you've gotten because of your intelligence role, 01:49.360 --> 01:51.783 then that is what we define OSINT to be. 01:53.360 --> 01:55.230 So to just tell you a little bit 01:55.230 --> 01:58.400 what the OIC mission is, I'm gonna read this to you. 01:58.400 --> 02:01.680 The OIC executes the director DIA's 02:01.680 --> 02:04.500 OSINT functional management responsibilities 02:04.500 --> 02:07.440 for DIA and the enterprise, 02:07.440 --> 02:09.970 and provides mission management for the DOSC, 02:09.970 --> 02:12.350 which is our Defense Open Source Council, 02:12.350 --> 02:14.250 and I'll talk a little bit about that. 02:15.260 --> 02:18.853 The OIC coordinates strategic objectives within DIA, 02:20.200 --> 02:21.450 and we operate in concert 02:21.450 --> 02:24.120 with its CIA counterpart, the CFMT, 02:24.120 --> 02:26.610 which is the Collection Functional Management Team. 02:26.610 --> 02:29.130 So we have a very, very close relationship 02:29.130 --> 02:30.340 with everything that's going on 02:30.340 --> 02:32.570 at the national level as well. 02:32.570 --> 02:36.030 When we talk about OSINT, and again I'm gonna 02:36.030 --> 02:38.420 have Lawrence kind of deep dive in some of this, 02:38.420 --> 02:41.400 I like to think of it as the baby INT. 02:41.400 --> 02:42.670 So when you think of babies, 02:42.670 --> 02:44.940 some people love babies, they embrace babies. 02:44.940 --> 02:47.620 Some people are less likely to want to handle a baby 02:47.620 --> 02:48.770 because they're not quite sure 02:48.770 --> 02:52.040 how it's gonna react or are they gonna do something wrong. 02:52.040 --> 02:53.760 So when you kind of think of it 02:53.760 --> 02:56.160 in terms of being a baby INT 02:56.160 --> 02:58.393 and the culture associated with that, 02:59.360 --> 03:01.680 there's a lot of emphasis right now 03:01.680 --> 03:03.760 on training and trade craft and policy, 03:03.760 --> 03:06.500 which is why he's standing next to me. 03:06.500 --> 03:08.890 I think we've made a lot of progress 03:08.890 --> 03:10.280 just in the last couple of years. 03:10.280 --> 03:12.620 I've only been on the team for about a year now. 03:12.620 --> 03:16.240 But in terms of the analytical community embracing it, 03:16.240 --> 03:18.810 they're starting to see the value 03:18.810 --> 03:21.210 of how they can corroborate kind of their assessment 03:21.210 --> 03:23.800 and what they've done, based on information 03:23.800 --> 03:27.110 that we've had trained OSINTers go out, 03:27.110 --> 03:29.483 get information, and show the value of that. 03:30.360 --> 03:34.030 In order to kind of push that agenda, 03:34.030 --> 03:37.360 the OIC has three teams, and I touched on them 03:37.360 --> 03:38.210 a little bit ago. 03:38.210 --> 03:41.770 One very focused on policy, training, and tradecraft, 03:41.770 --> 03:44.560 and we partner very, very closely. 03:44.560 --> 03:46.920 Army and Marine Corps have made a lot of progress 03:46.920 --> 03:47.860 in terms of training. 03:47.860 --> 03:50.250 I don't know if you're gonna talk about any of that. 03:50.250 --> 03:53.520 Tools and capabilities, lot of rich sources, 03:53.520 --> 03:55.260 in fact we have some vendors here today 03:55.260 --> 03:56.440 that we're making the rounds with 03:56.440 --> 03:58.720 to see what capabilities exist. 03:58.720 --> 04:01.510 And then we also do have an activity, 04:01.510 --> 04:04.890 if you've heard of Cagnu, which doesn't stand for anything, 04:04.890 --> 04:07.070 it's a collection activity where we have 04:07.070 --> 04:09.630 a team of experts actually going out, 04:09.630 --> 04:13.570 trying to glean what they can from OSINT information, 04:13.570 --> 04:15.600 they're getting requirements now, 04:15.600 --> 04:17.290 and they're going out and they're trying to just 04:17.290 --> 04:20.700 gather, assess, exploit, and make available to the analysts 04:20.700 --> 04:23.090 open source information in hopes that 04:23.090 --> 04:25.380 they can validate some of the work 04:25.380 --> 04:26.690 that they're currently doing, right? 04:26.690 --> 04:30.310 Glean new insights from this publicly available information. 04:30.310 --> 04:31.865 So it's a big job. 04:31.865 --> 04:34.000 There's no shortage of work, 04:34.000 --> 04:36.900 and we work very, very closely across the commands, 04:36.900 --> 04:40.120 the services, and our partner nations. 04:40.120 --> 04:43.230 So that said, the way we do that, 04:43.230 --> 04:45.650 the governance group are referred to the DOSC, 04:45.650 --> 04:47.884 the Defense Open Source Council. 04:47.884 --> 04:51.770 There is a formal membership associated with that, 04:51.770 --> 04:55.170 so all the command services and our partners 04:55.170 --> 04:57.340 have membership on there. 04:57.340 --> 05:00.560 We meet monthly, and to be quite honest, 05:00.560 --> 05:03.330 if you've heard of that or participated in that before, 05:03.330 --> 05:05.960 we're starting to take a step back 05:05.960 --> 05:08.680 and try to put more rigor around that, 05:08.680 --> 05:12.520 because as with many things in our world, 05:12.520 --> 05:14.330 we tend to take on working groups 05:14.330 --> 05:15.780 or we have people go to a meeting 05:15.780 --> 05:17.360 and then they go back to their day job, 05:17.360 --> 05:19.950 and sometimes things languish a bit. 05:19.950 --> 05:21.730 We're trying to get some rigor. 05:21.730 --> 05:24.150 We're revisiting the type of members. 05:24.150 --> 05:28.180 We want to put some accountability measures in place 05:28.180 --> 05:31.460 so we can try to harness the value of open source 05:31.460 --> 05:32.980 and get more and more people on board 05:32.980 --> 05:36.270 with using it and understand what it's about, okay? 05:36.270 --> 05:38.940 We do have some tools that we do deploy. 05:38.940 --> 05:40.920 We're starting to put polices out there 05:40.920 --> 05:45.050 that will, I guess, enforce the utility 05:45.050 --> 05:46.690 and the usage of those tools. 05:46.690 --> 05:48.400 Some of these things are costly. 05:48.400 --> 05:49.880 So we want to make sure that if we're 05:49.880 --> 05:53.830 issuing licenses to people, they're actually using them. 05:53.830 --> 05:55.740 So we're putting some policies out there 05:55.740 --> 05:57.990 to enforce the usage of some of these tools, 05:57.990 --> 05:59.760 or we're actually gonna pull licenses back 05:59.760 --> 06:01.090 and redistribute them. 06:01.090 --> 06:04.240 So we're really starting to take a hard look at 06:04.240 --> 06:06.380 how do we make this work better for everybody, 06:06.380 --> 06:08.390 not only the analytical and collection community, 06:08.390 --> 06:11.184 but how do we make it work better for the taxpayers? 06:11.184 --> 06:12.984 So we want to do right by everybody. 06:14.420 --> 06:17.270 I think I want to kind of give you some time, 06:17.270 --> 06:19.210 Lawrence, to talk on that. 06:19.210 --> 06:22.000 We have working groups that are associated 06:22.000 --> 06:24.300 with the DOSC as well, so we bring in 06:24.300 --> 06:27.110 community members to participate on that. 06:27.110 --> 06:30.170 And let me have him delve into policy 06:30.170 --> 06:31.830 so I don't get in trouble, 06:31.830 --> 06:34.190 and then if you have any questions after that, 06:34.190 --> 06:35.810 we'll be happy to take some questions. 06:35.810 --> 06:37.189 Thank you. 06:37.189 --> 06:38.022 Lawrence? 06:38.022 --> 06:39.440 - Thank you, Jeanie. 06:39.440 --> 06:44.440 Let me go further depth on what is OSINT and its value. 06:44.590 --> 06:48.970 So public available information, 06:48.970 --> 06:50.420 it's more than just electronic media. 06:50.420 --> 06:51.253 It's the mass media. 06:51.253 --> 06:54.260 Newspapers, radio, television, things that 06:54.260 --> 06:57.040 were traditionally what OSINT was, 06:57.040 --> 06:58.380 public information was in the past, 06:58.380 --> 07:01.110 and since then, it's not just what's on Google. 07:01.110 --> 07:02.970 There's publicly available databases, 07:02.970 --> 07:04.260 your library databases. 07:04.260 --> 07:05.570 There's government reports, 07:05.570 --> 07:07.700 there's foreign government reports, 07:07.700 --> 07:10.180 things like FAA publishes airline schedules, 07:10.180 --> 07:12.840 even airline positional data. 07:12.840 --> 07:17.680 Anything anybody can get freely or find freely 07:17.680 --> 07:19.940 or pay for, that's all publicly available 07:19.940 --> 07:21.690 and those are the things we go for. 07:22.810 --> 07:23.883 Why do we do that? 07:25.070 --> 07:27.380 Basically, publicly available information 07:27.380 --> 07:28.750 is able to satisfy probably 07:28.750 --> 07:31.320 80% of intelligence requirements. 07:31.320 --> 07:34.770 It's the first thing to go to, 07:34.770 --> 07:38.070 because you can find it easily, it's lower cost, 07:38.070 --> 07:40.270 and that frees up your really expensive assets 07:40.270 --> 07:42.911 like satellites and other systems 07:42.911 --> 07:44.960 for the really hard things to get. 07:44.960 --> 07:47.700 We can also then use that to tip off 07:47.700 --> 07:51.920 our other ends so that GON and SIGA and all the other ones 07:51.920 --> 07:53.840 can go ahead and have more information 07:53.840 --> 07:54.673 to what they're looking for, 07:54.673 --> 07:57.020 and it all gets combined together into AllSource 07:57.020 --> 07:59.290 and helps answer an intelligence issue. 07:59.290 --> 08:02.120 So another one is gray literature. 08:02.120 --> 08:05.550 Gray literature is open source, 08:05.550 --> 08:08.200 but it's not normally what's considered published, 08:08.200 --> 08:11.280 so all these pamphlets around here are gray literature. 08:11.280 --> 08:12.400 You're not gonna find them anywhere 08:12.400 --> 08:14.376 unless you show up and you grab it. 08:14.376 --> 08:16.803 Those are those sort of things. 08:19.090 --> 08:21.242 Other things could be economics reports, 08:21.242 --> 08:24.940 travel reports, working papers, discussion papers. 08:24.940 --> 08:29.440 If IEEE or AIA publishes a report or a white paper, 08:29.440 --> 08:32.593 that's more of gray literature they call it. 08:35.750 --> 08:39.770 So, lost my train of, 08:39.770 --> 08:43.003 So once you've done all that, 08:44.190 --> 08:46.080 we go ahead, we take that publicly available information, 08:46.080 --> 08:47.640 then we've collected it, 08:47.640 --> 08:51.290 and now we want to put it in context, 08:51.290 --> 08:53.670 do some analysis, and disseminate it 08:53.670 --> 08:55.500 to the AllSource analyst. 08:55.500 --> 08:56.870 Then it's intelligence. 08:56.870 --> 08:58.330 It's not finished intelligence, but it is an 08:58.330 --> 09:01.080 intelligence product because it's not finished. 09:01.080 --> 09:03.740 So that's the reason it's going from PIA to intelligence. 09:03.740 --> 09:05.573 We've giving it a little bit of processing, 09:05.573 --> 09:10.407 put a little bit of context on it, and it's focused now 09:10.407 --> 09:13.740 on a particular intelligence requirement. 09:13.740 --> 09:17.923 So right now there is a DOD 09:22.287 --> 09:24.413 instruction on OSINT. 09:25.609 --> 09:28.400 That's the only thing out there giving anybody in DOD 09:28.400 --> 09:30.920 guidance on who's responsible for what, 09:30.920 --> 09:33.510 and what powers the DOSC. 09:33.510 --> 09:35.550 There's no other guidance beyond that. 09:35.550 --> 09:39.090 But DIA is supposed to be the lead component 09:39.090 --> 09:42.450 for OSINT and DOD, so we're not, 09:42.450 --> 09:43.690 we don't have a lot of authorities, 09:43.690 --> 09:45.160 but we're leading the way. 09:45.160 --> 09:49.490 So right now we're in the process of staffing through 09:49.490 --> 09:53.950 the final stages a DIA instruction on OSINT, 09:53.950 --> 09:57.040 which states for DIA who does what. 09:57.040 --> 10:01.450 It empowers the senior advisor for open source, 10:01.450 --> 10:03.230 which is currently Annie Roberts 10:03.230 --> 10:06.860 with authorities to oversee what OSINT is being done 10:06.860 --> 10:09.060 in the agency, and that allows us from that 10:09.060 --> 10:11.010 to be able to come up with 10:11.010 --> 10:12.980 further instructions and standards, 10:12.980 --> 10:16.083 but because we are the lead component in DOD, 10:17.110 --> 10:19.550 even though we're only writing for DIA 10:19.550 --> 10:22.670 that sort of instructions will be taken 10:22.670 --> 10:23.820 by the rest of the components. 10:23.820 --> 10:28.540 So we come out with something, Army, Navy and Marine Corp, 10:28.540 --> 10:29.770 their components, look at it, 10:29.770 --> 10:32.590 and they use that as some sort of guidance. 10:32.590 --> 10:34.670 So along those lines, providing guidance, 10:34.670 --> 10:36.250 another thing that's in the works, 10:36.250 --> 10:38.620 it's also in the final stages of staffing, 10:38.620 --> 10:40.660 we're hoping that when I get back from here 10:40.660 --> 10:45.660 I'll be able to put it in for a signature, 10:45.810 --> 10:50.810 is a open source intelligence security classification guide. 10:51.110 --> 10:54.160 The Army finally came out with one last month, 10:54.160 --> 10:57.837 and so this is one that provides needed guidance 10:57.837 --> 11:00.670 to people to know what they can talk about 11:00.670 --> 11:02.110 and at what level they can talk about it. 11:02.110 --> 11:04.203 Those are all very important things. 11:07.463 --> 11:11.100 A last thing that I'm working on right now, 11:11.100 --> 11:12.929 is we're starting talking about tradecraft. 11:12.929 --> 11:16.055 How do we do things, what works, 11:16.055 --> 11:18.040 and how do you do it to make sure that it works? 11:18.040 --> 11:20.070 So we're looking at all the different tools 11:20.070 --> 11:21.060 that are available and we're gonna try to 11:21.060 --> 11:23.360 come up with a handbook that states 11:23.360 --> 11:25.640 this is what publicly available information is, 11:25.640 --> 11:27.550 this is how you make it into OSINT, 11:27.550 --> 11:29.940 these are the tools you can use, 11:29.940 --> 11:32.350 and here are the various techniques out there 11:32.350 --> 11:34.930 that you as an analyst could use 11:34.930 --> 11:37.330 to find that publicly available information 11:37.330 --> 11:40.710 and then to contextualize it, analyze it, 11:40.710 --> 11:42.493 and give it some meaning. 11:43.400 --> 11:45.940 And so we reach out through the DOSC. 11:45.940 --> 11:48.550 We have one of the various committees 11:48.550 --> 11:50.570 is the Training and Tradecraft Subcommittee. 11:50.570 --> 11:54.150 On that we gets SMEs from all the services, 11:54.150 --> 11:57.042 all the service intelligence centers, 11:57.042 --> 11:59.220 and various other duty organizations, 11:59.220 --> 12:01.697 including the combat support agencies, 12:01.697 --> 12:04.340 and they send their SMEs in and we discuss this 12:04.340 --> 12:08.440 both in person and virtually and try to find all those 12:08.440 --> 12:12.320 really cool and hot topics to talk about, 12:12.320 --> 12:13.937 and then capture that. 12:13.937 --> 12:16.390 The things I'm looking to do in the future 12:16.390 --> 12:20.470 is bring to our high side a tradecraft hub, 12:20.470 --> 12:23.728 where people can talk and publish 12:23.728 --> 12:25.520 their insights on tradecraft, 12:25.520 --> 12:29.810 where we can host what we consider to be best practices, 12:29.810 --> 12:33.060 and then other things like bringing in videos 12:33.060 --> 12:35.760 so that an analyst uses a tool in a certain way 12:35.760 --> 12:37.330 and he wants to share that way, 12:37.330 --> 12:41.040 like gamers do on YouTube, or streamers do, 12:41.040 --> 12:43.310 so they can make a video and publish it 12:43.310 --> 12:45.360 in the tradecraft hub and somebody else can go, 12:45.360 --> 12:47.410 hey, I can use that, and now we've shared 12:47.410 --> 12:48.960 a cool new way of doing things. 12:49.970 --> 12:52.710 So that's pretty much the state 12:52.710 --> 12:54.870 of what's going on in training and tradecraft. 12:54.870 --> 12:59.870 What's next in my docket to do once the policy's in place 13:00.460 --> 13:02.300 and the security classification guide's in place, 13:02.300 --> 13:05.030 we're gonna work on managed attribution guidelines, 13:05.030 --> 13:06.620 instructions for how to do it, 13:06.620 --> 13:09.124 why it's important, and there will be 13:09.124 --> 13:11.850 tradecraft in there also. 13:11.850 --> 13:12.683 So um, 13:13.572 --> 13:15.352 - Just touch. - You want to go in some more? 13:15.352 --> 13:17.660 - Yeah, I just wanted to touch on one other point, 13:17.660 --> 13:21.440 as you were talking about some of the data, Lawrence. 13:21.440 --> 13:23.210 The other thing that we're doing 13:23.210 --> 13:25.900 really with the DOS Cat across the community, 13:25.900 --> 13:28.160 and we're getting a lot of attention around it 13:28.160 --> 13:30.930 is data acquisition, right? 13:30.930 --> 13:33.330 How do we gain efficiencies? 13:33.330 --> 13:36.120 Everybody's out there buying the same thing, 13:36.120 --> 13:38.450 perhaps multiple times, so we're trying to 13:38.450 --> 13:41.620 get our arms around who is subscribing to what, 13:41.620 --> 13:44.783 what they're paying for it, and devise some kind of 13:44.783 --> 13:49.460 enterprise acquisition model going forward around the data. 13:49.460 --> 13:53.053 I would say the same applies to tools. 13:54.290 --> 13:57.170 So you know, data's the new oil, right? 13:57.170 --> 13:58.980 Many of our industry partners 13:58.980 --> 14:02.050 who are sitting here and that we love very much 14:02.050 --> 14:05.130 provide all this oil, all this data, 14:05.130 --> 14:07.160 all these rich and meaningful tools 14:07.160 --> 14:09.103 that we need to do our mission. 14:10.000 --> 14:15.000 Again, as an enterprise, how do we gain efficiencies? 14:15.040 --> 14:17.380 Who's buying what tools and what makes sense 14:17.380 --> 14:19.680 and how do we vet those and how do we ensure 14:19.680 --> 14:21.613 that what we buy into is going to 14:21.613 --> 14:25.750 meet the ATO criteria and be able to deploy it 14:25.750 --> 14:27.293 and be able to train it? 14:27.293 --> 14:29.240 So much like on the high side, 14:29.240 --> 14:31.290 that's probably nothing new. 14:31.290 --> 14:33.320 It's just I think because at least 14:33.320 --> 14:36.570 what I have come to understand over the last year, 14:36.570 --> 14:40.230 that because OSINT is kind of the new baby INT, 14:40.230 --> 14:41.550 it's kind of the cool thing 14:41.550 --> 14:43.790 and people are really starting to understand 14:43.790 --> 14:46.052 the power associated with that. 14:46.052 --> 14:48.857 It's certainly getting a lot of attention 14:48.857 --> 14:50.380 and a lot of good business. 14:50.380 --> 14:52.110 So how do we as a government 14:52.110 --> 14:56.620 kind of embrace that and get together as a community 14:56.620 --> 15:00.870 to move smarter for our mission folks. 15:00.870 --> 15:03.450 And I think, barring your questions, 15:03.450 --> 15:06.450 we just wanted to give you the broad overview. 15:06.450 --> 15:07.283 You have more? 15:07.283 --> 15:08.780 - I got more. - Okay. 15:08.780 --> 15:09.750 Okay, all right. 15:09.750 --> 15:11.060 I'll let Lawrence talk a little more. 15:11.060 --> 15:14.068 I think we're gonna have plenty of time for questions. 15:14.068 --> 15:15.480 - So let me go through the training real quick. 15:15.480 --> 15:18.930 So right now DIA has certain 15:18.930 --> 15:20.520 enterprise-wide training available. 15:20.520 --> 15:21.830 We have computer-based training 15:21.830 --> 15:24.490 and we do managed attribution, 15:24.490 --> 15:28.020 and we have a thing called General OSINT Awareness 15:28.020 --> 15:29.820 that gives people the basics for open source, 15:29.820 --> 15:33.250 what it is, what are the risks, what are the benefits. 15:33.250 --> 15:36.690 And those are online and available right now. 15:36.690 --> 15:38.030 The General Open Source Awareness, 15:38.030 --> 15:40.360 we call the GOA is being revised, 15:40.360 --> 15:43.033 and a brand new updated one is gonna be deployed, 15:46.110 --> 15:48.510 I think by the end of September. 15:48.510 --> 15:52.650 Now, classroom we have Open Source One, 15:52.650 --> 15:55.740 which is our in-class analysis course 15:55.740 --> 15:58.800 on how to do OSINT, hands-on sort of training. 15:58.800 --> 16:01.290 That is being revised right now. 16:01.290 --> 16:03.090 We are busy storyboarding it, 16:03.090 --> 16:07.810 developing the courseware, and that's going to be 16:07.810 --> 16:09.210 available in October. 16:09.210 --> 16:11.420 Because that's being revised, 16:11.420 --> 16:14.670 right now we're using the Marine Corps curriculum. 16:14.670 --> 16:16.793 Marine Corps has certified curriculum. 16:17.720 --> 16:18.890 The Army has certified curriculum. 16:18.890 --> 16:20.170 As soon as we've revised ours, 16:20.170 --> 16:21.480 we're going to get that joint certified. 16:21.480 --> 16:23.400 So the Army has the most available. 16:23.400 --> 16:27.310 They have OS 301, which is their foundational OSINT, 16:27.310 --> 16:29.803 and 302 which goes really in-depth on tools. 16:30.750 --> 16:32.810 The Marine Corps has just deployed 16:32.810 --> 16:36.973 a brand new OSINT course that's two weeks long. 16:37.920 --> 16:39.650 Our was three days. 16:39.650 --> 16:41.290 It's going to go to a week. 16:41.290 --> 16:44.550 But they're beta testing it starting, 16:44.550 --> 16:46.210 this is still August, right? 16:46.210 --> 16:47.990 So I think they're starting later this month, 16:47.990 --> 16:51.160 or early September, they're gonna be beta testing it. 16:51.160 --> 16:53.680 So that's that for training at the moment. 16:53.680 --> 16:55.760 We're gonna be developing new courses 16:55.760 --> 16:57.020 once ours get done. 16:57.020 --> 17:00.560 We're gonna develop an enhanced or advanced OSINT course 17:00.560 --> 17:02.060 which will go more into tools. 17:03.040 --> 17:05.030 Haven't figured out what we're gonna go into yet on that, 17:05.030 --> 17:06.660 but once we're done we're gonna get 17:06.660 --> 17:09.613 our community together and discuss what they want to have. 17:10.880 --> 17:12.490 So that covers all of our training. 17:12.490 --> 17:13.570 There's other training out there, 17:13.570 --> 17:14.980 but it's tool-specific, 17:14.980 --> 17:17.940 and the tool-specific training that's being done, 17:17.940 --> 17:22.200 one-on-one, one-on-many, are being done over VTC. 17:22.200 --> 17:24.670 That's sort of being done through our 17:24.670 --> 17:28.760 tools and technology branch, which is Major McCabe. 17:28.760 --> 17:30.940 So I'm done with training, 17:30.940 --> 17:32.050 and if you all have any questions, 17:32.050 --> 17:33.826 go ahead and you can ask directly to me, 17:33.826 --> 17:35.700 ask Jeanie, and if it's tools, 17:35.700 --> 17:37.820 we'll get Major McCabe up here. 17:37.820 --> 17:38.653 Go ahead, sir. 17:40.000 --> 17:42.620 - Two questions, not exactly related. 17:42.620 --> 17:45.710 First off, any special issues, concerns, 17:45.710 --> 17:47.040 matters with social media? 17:47.040 --> 17:49.990 Because you really didn't say anything about social media. 17:49.990 --> 17:54.990 And the second thing is, if I'm somebody in DIA 17:55.330 --> 18:00.260 and I've gotta do a unclassified presentation, 18:00.260 --> 18:03.290 can I query the data set and say, 18:03.290 --> 18:05.960 I need to know everything unclassified 18:05.960 --> 18:08.853 about the current terrorist situation in Tripoli? 18:09.900 --> 18:10.733 - Security guy. 18:10.733 --> 18:13.260 - Well right now, publicly available information 18:13.260 --> 18:14.600 is unclassified. 18:14.600 --> 18:15.433 - Well, that's not what I asked. 18:15.433 --> 18:18.323 That's not what I asked, I know that. 18:18.323 --> 18:21.980 I asked you, in the pantheon of DIA data, 18:21.980 --> 18:24.100 I assume that, you know, the analysts do 18:24.100 --> 18:27.110 whatever they do and they commingle the data, 18:27.110 --> 18:28.860 please don't tell me they don't, 18:28.860 --> 18:30.030 they commingle the data. 18:30.030 --> 18:33.430 Now I've got to do a press availability 18:33.430 --> 18:36.767 and I've been directed by somebody 18:36.767 --> 18:41.767 to provide a credible explanation of DIA's view 18:42.310 --> 18:45.780 of the terrorist situation in Tripoli, 18:45.780 --> 18:48.270 and I can't use any classified information. 18:48.270 --> 18:50.320 Can do I data query like that? 18:50.320 --> 18:51.337 - Yes, you can. 18:51.337 --> 18:52.540 But so here's the situation: 18:52.540 --> 18:56.470 so that will use, by nature, some PIA. 18:56.470 --> 18:57.810 There is other information that's 18:57.810 --> 18:59.159 been gathered by other means 18:59.159 --> 19:01.880 that can be declassified or is unclassified 19:01.880 --> 19:05.660 depending upon that subject's security classification guide. 19:05.660 --> 19:07.610 So I can speak directly to our 19:07.610 --> 19:10.260 security classification guide, because I wrote it. 19:10.260 --> 19:11.187 But... 19:11.187 --> 19:12.727 - [Man] I'm done with you. 19:12.727 --> 19:15.551 No, seriously, if I'm a user, I'm done with you. 19:15.551 --> 19:17.170 I'll go do a newspaper (off-mic) 19:17.170 --> 19:18.003 - People do. 19:18.003 --> 19:19.010 People do that a lot. 19:19.010 --> 19:22.560 But we're careful on that because 19:23.890 --> 19:26.889 even giving out unclassified information can reveal-- 19:26.889 --> 19:29.048 - Stop the (off-mic). - No. 19:29.048 --> 19:32.690 - [Man] You're not helping here, trust me. 19:32.690 --> 19:34.730 - So stuff that's even classified, we can, 19:34.730 --> 19:35.991 depending upon the purpose, we can-- 19:35.991 --> 19:37.602 - [Man] I don't want you to do that. 19:37.602 --> 19:39.215 - He just wants unclassified. 19:39.215 --> 19:40.377 Unclassified. 19:40.377 --> 19:42.167 - [Man] I'm gonna do it tomorrow morning. 19:42.167 --> 19:44.359 I've done this a couple of times at DIA. 19:44.359 --> 19:47.100 You're going down to Congress here in six hours. 19:47.100 --> 19:47.933 - Yeah. 19:47.933 --> 19:49.280 - [Man] Nothing classified news. 19:49.280 --> 19:51.033 I don't want to hear about security manuals. 19:51.033 --> 19:53.484 I don't want to here about foreign disclosure. 19:53.484 --> 19:55.183 I don't have time for any of that. 19:55.183 --> 19:57.502 I need to know that I can have a hard data link, 19:57.502 --> 20:01.670 unclassified, (background noise drowns out speaker) 20:01.670 --> 20:05.059 I'm a government official, been there, done that. 20:05.059 --> 20:06.230 - It can be, yes. 20:06.230 --> 20:07.063 - Yeah. 20:07.063 --> 20:09.640 I don't know, honestly, without taking that back. 20:09.640 --> 20:14.050 I think it's a good question to have the DOSC visit, right? 20:14.050 --> 20:16.330 Because you're absolutely right, it doesn't make sense. 20:16.330 --> 20:18.299 Doesn't make sense to not be able to do that, right? 20:18.299 --> 20:19.171 Right. 20:19.171 --> 20:21.903 And our adversaries sure aren't getting permission, right? 20:21.903 --> 20:23.358 So I think it's-- 20:23.358 --> 20:25.708 - [Man] We're not really adversaries (off-mic). 20:26.610 --> 20:28.177 - Understand. 20:28.177 --> 20:33.177 - [Man] Congress (off-mic) 20:34.560 --> 20:37.729 you're losing your whole value of doing this-- 20:37.729 --> 20:40.556 - Well, the problem that subject is that that 20:40.556 --> 20:43.470 will fall under our Congressional Affairs office. 20:43.470 --> 20:44.303 - Yeah. 20:44.303 --> 20:46.370 - Yeah, but I'm saying we can't talk for them. 20:46.370 --> 20:47.250 - I agree with you. 20:47.250 --> 20:49.190 I agree with you, but I can't speak 20:49.190 --> 20:50.500 without taking the question back. 20:50.500 --> 20:52.290 I can't speak knowledgeably about 20:52.290 --> 20:54.310 what their position might be. 20:54.310 --> 20:56.600 But yeah, it doesn't make sense, right. 20:56.600 --> 20:58.465 - But it is done. 20:58.465 --> 21:00.970 But it's done with the people who deal with Congress 21:00.970 --> 21:02.540 and they run it through the wickets 21:02.540 --> 21:03.610 and get it done the right way. 21:03.610 --> 21:06.184 - [Man] Can you summarize (speaking off mic). 21:06.184 --> 21:07.135 - No. 21:07.135 --> 21:07.968 - We don't know. 21:07.968 --> 21:09.080 - No, that's not the answer. 21:09.080 --> 21:12.030 The answer's not no because people do brief Congress. 21:12.030 --> 21:13.620 And they do brief them unclassified. 21:13.620 --> 21:14.477 - Yeah. 21:14.477 --> 21:17.727 (man speaking off-mic) 21:28.919 --> 21:30.167 - [Man] Let's get unclassified information-- 21:30.167 --> 21:31.840 - I'm not saying you can't. 21:31.840 --> 21:34.230 I'm saying I would want to ask the question 21:34.230 --> 21:36.638 of somebody that could answer that. 21:36.638 --> 21:37.750 (man speaking off-mic) 21:37.750 --> 21:39.270 I agree with you. 21:39.270 --> 21:40.662 It would seem to make sense 21:40.662 --> 21:41.940 that you should be able to do that. 21:41.940 --> 21:43.430 - Social media's a special topic. 21:43.430 --> 21:45.470 Social media is publicly available, 21:45.470 --> 21:47.391 but we have restrictions on it. 21:47.391 --> 21:49.260 We want to make sure we do not 21:49.260 --> 21:54.260 access US persons' information because there is 21:54.366 --> 21:56.640 legal restrictions we have on us. 21:56.640 --> 22:00.080 So if we come across that, we have to be very careful 22:00.080 --> 22:02.180 and follow very specific rules. 22:02.180 --> 22:03.446 So, and Joan speak-- 22:03.446 --> 22:04.575 (man speaking off-mic) 22:04.575 --> 22:07.050 - Is it a specific question query? 22:07.050 --> 22:09.160 Is it a scrape? 22:09.160 --> 22:10.880 What are we talking about, right? 22:10.880 --> 22:13.190 - [Man] Does it really have issue there? 22:13.190 --> 22:14.023 But I need to-- 22:14.023 --> 22:16.040 - That's our challenge, thank you. 22:16.040 --> 22:19.500 - Social media is PAI, and yes, you can access it, 22:19.500 --> 22:21.300 but there's a lot of rules for that. 22:22.350 --> 22:23.270 - I'm gonna bring that up. 22:23.270 --> 22:24.560 That's a good question. 22:24.560 --> 22:26.923 - [Woman] We have one question in that back, over here. 22:27.950 --> 22:29.130 - [Man] I've got a couple quick questions. 22:29.130 --> 22:32.070 The first one is could you speak a little more 22:32.070 --> 22:34.190 about maybe some of the challenges you're having 22:34.190 --> 22:35.640 that you're looking for industry to help with 22:35.640 --> 22:37.090 to achieve this mission? 22:37.090 --> 22:38.850 And the second one is could you speak a little bit more 22:38.850 --> 22:43.360 to any tech, or like, is there a potential for application 22:43.360 --> 22:46.230 development to process this data, or things like that? 22:46.230 --> 22:47.680 Because I've seen certain things like this 22:47.680 --> 22:50.160 in other agencies that are very beneficial, 22:50.160 --> 22:52.040 but it seems like I may not be understanding 22:52.040 --> 22:54.220 exactly, is it just the data's there, go get it? 22:54.220 --> 22:58.670 Like what tools and things are in place to enable 22:58.670 --> 22:59.650 people to get it? 22:59.650 --> 23:02.490 - Well some of the challenges are knowing what's there 23:02.490 --> 23:03.620 and how to get it. 23:03.620 --> 23:07.390 So you have a lot of analysts who they say oh, open source? 23:07.390 --> 23:09.160 I'm gonna go and I'm gonna Google it, 23:09.160 --> 23:12.613 which is the very shallow order. 23:12.613 --> 23:16.370 There's your World Wide Web, there's your deep web, 23:16.370 --> 23:18.757 there's your dark web, and those are all have 23:18.757 --> 23:20.210 publicly available information on them, 23:20.210 --> 23:21.640 and not all of them understand that, 23:21.640 --> 23:24.440 or know what tools already exist to get there. 23:24.440 --> 23:27.260 So we're slowly getting people through training 23:27.260 --> 23:29.090 and learning, and so that's the challenge 23:29.090 --> 23:31.020 is getting information out and showing them 23:31.020 --> 23:33.003 what's available and what's possible. 23:34.110 --> 23:36.437 But do you want to talk about tools at all? 23:36.437 --> 23:37.470 You don't want? 23:37.470 --> 23:39.141 There are already a lot of tools out there. 23:39.141 --> 23:40.740 So that's another thing is what tools can we get, 23:40.740 --> 23:42.200 what are the best tools, 23:42.200 --> 23:43.550 what tools are duplicative? 23:45.560 --> 23:47.380 - So more for the second part of the question, 23:47.380 --> 23:48.430 not necessarily the challenges, 23:48.430 --> 23:49.600 more of what we are looking for. 23:49.600 --> 23:52.310 To be completely honest, it's ever-changing. 23:52.310 --> 23:54.760 So one of the challenges that I have when it comes to 23:54.760 --> 23:57.530 tools is we have so many different customers. 23:57.530 --> 23:59.100 You have to think about all the different people 23:59.100 --> 24:02.160 that we try to support at DIA, as he mentioned. 24:02.160 --> 24:03.680 Different co-coms, et cetera. 24:03.680 --> 24:06.230 So how can I choose an enterprise solution, 24:06.230 --> 24:08.700 a single tool, that will solve everybody's problem? 24:08.700 --> 24:10.110 It's not possible. 24:10.110 --> 24:11.630 There are certain people that need very specific 24:11.630 --> 24:14.820 niche things, but it's really only for them, 24:14.820 --> 24:17.690 and yet that's one out of 10 customers, 24:17.690 --> 24:19.210 if you were to break it down to that level. 24:19.210 --> 24:20.990 Where we need to find something that's like, 24:20.990 --> 24:22.630 okay, hey, eight out of 10 need this. 24:22.630 --> 24:23.910 This is what I need to focus on. 24:23.910 --> 24:26.060 So I think for me, from a tools perspective, 24:26.060 --> 24:28.100 that's my challenge, is that there's so many 24:28.100 --> 24:30.750 different types of things out there that we could 24:30.750 --> 24:34.670 provide to our customers, basically, 24:34.670 --> 24:37.420 for lack of a better word, that need certain things, 24:37.420 --> 24:39.960 but we can't help them with all of it because we just 24:39.960 --> 24:42.200 can't, it just doesn't make sense. 24:42.200 --> 24:43.890 So I know not quite exactly what you're looking for, 24:43.890 --> 24:46.400 but when it comes to challenges, that's really what I face. 24:46.400 --> 24:48.710 A lot of people come to me and go hey, I really need this. 24:48.710 --> 24:50.400 I need access to shipping data. 24:50.400 --> 24:53.110 Well, that's one maybe little aspect of something 24:53.110 --> 24:54.650 where there's so many other things that I really 24:54.650 --> 24:56.550 need to focus because that's the majority of what 24:56.550 --> 24:57.403 people are doing. 25:00.200 --> 25:03.710 - Let me just finish one more thing and we'll get to you. 25:03.710 --> 25:05.960 So other thing is the ever-changing technology. 25:05.960 --> 25:09.320 So back when Myspace, now we've got Facebook, 25:09.320 --> 25:13.360 then Twitter, now Instagram (mic cuts out) got Signal. 25:13.360 --> 25:16.350 So the technology changes, certain data streams go away 25:16.350 --> 25:18.550 and now you've gotta replace them with something else, 25:18.550 --> 25:20.570 and so you've gotta keep up with the technology. 25:20.570 --> 25:22.970 You've gotta get tools, and the tools gotta get deployed 25:22.970 --> 25:24.890 before they go obsolete. 25:24.890 --> 25:27.630 So we've gotta worry about how fast can a tool be developed 25:27.630 --> 25:29.500 and how fast can we procure it. 25:29.500 --> 25:31.397 Those are all competing challenges. 25:31.397 --> 25:33.100 - So let me just chime in. 25:33.100 --> 25:35.450 I don't know if it's helpful, but that's why we're here. 25:35.450 --> 25:39.120 We want to make our rounds to the expo booths here. 25:39.120 --> 25:43.380 So one of the processes we went through to acquire 25:43.380 --> 25:45.313 our current Berber Hunter toolkit, 25:46.400 --> 25:48.720 it's a suite of four commercial tools that we have 25:48.720 --> 25:52.280 right now, was we worked with SOCOM, US SOCOM, 25:52.280 --> 25:54.850 and through their ISO process for things 25:54.850 --> 25:55.770 that they were working on. 25:55.770 --> 25:59.200 So as we discover different methodologies 25:59.200 --> 26:02.460 around the community, we certainly want to explore that. 26:02.460 --> 26:05.730 It goes back to my earlier point of vendor vetting. 26:05.730 --> 26:07.750 Getting to know what's out there, how do we vet 26:07.750 --> 26:10.360 these different capabilities, how do we ensure 26:10.360 --> 26:12.970 that we can actually deploy them, that they can 26:12.970 --> 26:15.450 reach ATO and meet all the credentials? 26:15.450 --> 26:18.673 So we're certainly open to that. 26:21.625 --> 26:22.542 - Go ahead. 26:23.380 --> 26:25.232 - Hi, Diane Balgard with SoundWay. 26:25.232 --> 26:28.790 Before I get to my question, I had a friend who was 26:28.790 --> 26:31.640 building a house and wife wanted this and that, 26:31.640 --> 26:33.820 and my friend said he had to look at her at one point 26:33.820 --> 26:36.520 and say, you know, we do have a budget. 26:36.520 --> 26:39.960 And I know, I've been working DIA since 1995 26:39.960 --> 26:42.350 so I know that if you just look around here 26:42.350 --> 26:44.320 there's three of you up there and there are so many 26:44.320 --> 26:47.450 hundreds of us, so I can totally empathize with 26:47.450 --> 26:50.300 you're but three people, or a group, that are trying 26:50.300 --> 26:52.300 to answer the masses' questions, 26:52.300 --> 26:54.113 and you have a finite budget. 26:55.316 --> 26:57.510 I think in all our personal lives we can understand that, 26:57.510 --> 26:59.910 but we tend to want more because we see cool stuff 26:59.910 --> 27:01.610 and then it's frustrating when it can't be brought 27:01.610 --> 27:06.290 into the IC because of all of the security gates 27:07.170 --> 27:10.170 that it has to go through before it can go on the high side. 27:10.170 --> 27:12.650 So I totally get that, and I know you guys, 27:12.650 --> 27:14.730 especially dealing with OTS and it's gotta be 27:14.730 --> 27:16.530 even harder because now you have a lot more people 27:16.530 --> 27:17.920 can see what you're doing. 27:17.920 --> 27:19.270 So thank you for that. 27:19.270 --> 27:21.880 But anyway (laughs) my question was, 27:21.880 --> 27:24.247 you mentioned about, see if I can get this right, 27:24.247 --> 27:25.803 I have to be able to read. 27:29.380 --> 27:31.280 You said you wanted to look at ways 27:31.280 --> 27:34.350 of improving efficiencies, to gain efficiencies. 27:34.350 --> 27:36.950 Then you spoke about training and how you are putting 27:36.950 --> 27:39.330 together your open source class is being revised, 27:39.330 --> 27:40.950 and your storyboarding, and whatnot. 27:40.950 --> 27:43.880 And then you mentioned, and we've got two or three days. 27:43.880 --> 27:45.810 The Marine Corps has a one or two week, 27:45.810 --> 27:47.930 I think a two-week class, you mentioned. 27:47.930 --> 27:51.730 To what level are you reaching out and leveraging 27:51.730 --> 27:54.540 other people's OSINT training that's already in place 27:54.540 --> 27:57.943 to reduce the amount of work you have to do in-house? 27:59.200 --> 28:01.760 - Well, in the development of the courses, 28:01.760 --> 28:04.230 we reached out to the Army trainers, 28:04.230 --> 28:06.320 we reached out to the Marine Corps trainers, 28:06.320 --> 28:08.250 we reached out to the Navy, 28:08.250 --> 28:12.040 and so those people work in the Training and Tradecraft 28:12.040 --> 28:16.110 Subcommittee and they provide input to our ISD's 28:16.110 --> 28:19.650 doing the course design, and when we come up with 28:19.650 --> 28:20.940 a finished product they go and they review 28:20.940 --> 28:23.052 the lessons plans, the lesson content. 28:23.052 --> 28:27.568 So we're not offbeat, we're not doing the wrong thing. 28:27.568 --> 28:31.848 We also have to meet the same critical task list. 28:31.848 --> 28:34.530 So when you get joint certified, 28:34.530 --> 28:37.160 we're all meeting the same criteria. 28:37.160 --> 28:40.360 So each class teaches the same material, 28:40.360 --> 28:43.610 but Marine Corps teaches more to their flavor 28:43.610 --> 28:45.880 of how they do things, and the Army has their unique 28:45.880 --> 28:49.270 things, and we tend to have some unique DIA things, 28:49.270 --> 28:51.430 but provide insights into the others. 28:51.430 --> 28:53.995 So it's all meeting the same requirements, 28:53.995 --> 28:57.640 and we all get input to make sure that all the experts 28:57.640 --> 29:00.290 agree we're saying the right things in the right way. 29:02.270 --> 29:03.330 - We have one more? 29:03.330 --> 29:04.163 One more? 29:07.380 --> 29:09.950 - [Man] Can you talk about some of the boundaries 29:09.950 --> 29:11.720 in the policy that's coming out 29:11.720 --> 29:13.690 on what you can and can't do? 29:13.690 --> 29:14.523 - Say that again please? 29:14.523 --> 29:16.360 - [Man] Some of the boundaries in the policy 29:16.360 --> 29:17.840 about what you can and can't do? 29:17.840 --> 29:21.500 You mentioned US persons, as far as can you login 29:21.500 --> 29:23.790 to get information, or is it only stuff 29:23.790 --> 29:25.770 that's freely available without a login, 29:25.770 --> 29:27.203 without purchasing? 29:28.740 --> 29:32.123 - Right now we do not login. 29:33.315 --> 29:36.539 Basically, it's something that's not allowed. 29:36.539 --> 29:41.539 So there's certain things that we're barred from doing 29:42.380 --> 29:47.360 because those sort of things that because if we login. 29:47.360 --> 29:48.483 One of the things we have to train our analysts 29:48.483 --> 29:50.417 is that when you go out on the internet, 29:50.417 --> 29:52.650 you're out in public. 29:52.650 --> 29:53.900 So everyone can see what you're doing. 29:53.900 --> 29:57.580 If you go ahead and logon, you're logging on, 29:57.580 --> 30:00.040 if I logon as Lawrence Cooper, well okay, 30:00.040 --> 30:02.780 and I'm coming from a DIA URL, now they know 30:02.780 --> 30:05.390 where I'm coming from and they can discern 30:05.390 --> 30:07.612 what I'm looking for and why I'm looking for it. 30:07.612 --> 30:11.560 So we don't want to reveal what we're doing. 30:11.560 --> 30:14.940 We want to operate openly, but not have a big, 30:14.940 --> 30:17.760 giant banner going DIA is here. 30:17.760 --> 30:20.203 - So what's your managed attribution solution? 30:23.038 --> 30:24.365 - Yeah, so we have to find 30:24.365 --> 30:27.341 a proper managed attribution solution. 30:27.341 --> 30:28.920 - I think we're getting the hook, 30:28.920 --> 30:30.440 so we're happy to hang around 30:30.440 --> 30:33.090 if anybody wants to continue the conversation. 30:33.090 --> 30:34.395 Thank you. 30:34.395 --> 30:36.750 (light applause) 30:36.750 --> 30:39.140 - [Woman] Yes, feel free to meet our great staff 30:39.140 --> 30:41.110 in the back of the booth at the high tables, 30:41.110 --> 30:44.110 and thank you so much for coming out and speaking for today.