Network Graphs – The Future of Counter-Intelligence Investigations

Fragmentary Evidence, Complex Threat Group Structures, and New Advancements in the Strategic Data Aggregation Capabilities of Network Graphs

From IC Insider Siren

By Dr. Ryan Clarke, Siren Asia

Strategic Overview

National security agencies face an exponentially increasing number of geographically distributed, networked, and highly adaptive threat groups that are actively engaged in illicit strategic technology acquisition as well as psychological operations, sometimes simultaneously. These groups operate seamlessly across national borders and generate often-fragmented, disparate data trails behind them in faint signal form. For example, in recent years we have witnessed continuously expanding interoperability between organized criminal syndicates and terrorist groups, hostile states and non-state proxies, and even the infiltration, subversion, and hostile nation-state capture of key domestic and international institutions across the world.

These developments pose a range of network mapping and targeting challenges for governments and critical national infrastructure providers in the private sector. Previous notions of ‘red lines’, or actions that a threat group is perceived to be risk-averse to taking, demonstrably no longer have validity in the current threat environment. This has been evidenced by the increasingly number of direct actions that are being witnessed and the patterns that are being discovered and assessed by those working at the cutting edge of the field of multi-domain network graph generation.

Deliberate Decompartmentalization, But Always with a Multi-Group Network Connector Node

While the various nations that are engaging in these types of hostile activities against democracies are driven by different strategic goals and desired end-states, the most aggressive and capable can trace at least the initial components of their programs back to the Tools, Techniques, and Procedures (TTPs) of the Soviet Union. Soviet concepts such as:

  • Active measures.
  • Demoralization.
  • Destabilization.
  • Normalization combined with the formation of United Fronts.

These concepts have transmogrified across multiple geographies and are being put into direct application on a daily basis. While this is problematic for a range of reasons, this overall consistent superstructure provides unique analytical opportunities to develop more universal methods for precision targeting through the use of network graphs.

Given the continuously adapting and amorphous network structures of these threat groups, cross-examination of suspects often do not yield strategic-level results for investigators and other counter-intelligence personnel. Sometimes these less-than-optimal results are attributed to an individual being a fully committed ideologue. While this is occasionally the case, more often it can be attributed to the fact that this individual is simply not aware of the overall networked structure that they operate as a single node within.

However, as is the case with all human organizations, there is always at least one connector node in the form of an individual or small group that is required to move across (mostly) compartmentalized cells. This is often necessary to ensure consistency and compliance with the overall strategic intent and direction of the organization’s leadership and to also aggregate material information to ‘report up the chain’.

While information regarding who these individuals are and how they operate can be restricted and effectively controlled at the human-to-human level, these ‘cross-pollinators’ emit faint but detectable and interpretable signals through their mobility patterns, financial activities, electronic communications, and a range of other unavoidable human activities that enable a pattern of life to be established by investigators. This fragmented data aggregation and analysis is accomplished by the use of multi-domain network graphs that ingest, structure, and characterize these fragmented data streams and convert them into a clear situational intelligence picture.

Challenges of Consequence Anticipation – Target, Approach, or Observe?

Once the key individual/s of a networked threat group that pose serious counter-intelligence risks is identified and a pattern of life is generated, a whole new range of strategic-level questions arise:

  • Do we immediately arrest this individual?
  • Do we approach and attempt to convince them to work with us?
  • Do we not alert this individual in any way and observe them for maximum intelligence collection?

The answers to these questions involve going down very different investigative pathways and involve literal life and death decisions in some cases, such as if a threat group is known to engage in acts of terrorism.

This is the fundamental question that has challenged investigators, counter-intelligence specialists, and other national security professionals for generations. How can we more reliably determine what the direct and indirect consequences of our actions on this networked threat group are going to be over the near, medium, and long term? How do we calculate cost-benefit analyses of specific courses of action more precisely?  While these are by no means trivial questions, their answers lie in the newly emergent field of multi-domain network graph analytics.

This set of methods and technologies enable an individual/s to be placed within a broader organizational network context and to identify and determine the nature of strong, moderate, and weak connections to other members. This enables determinations to be made as to how these connections will be specifically impacted by various courses of action over various timeframes.

This approach also enables investigators to surface critical structural vulnerabilities, such as overreliance on one specific bank account or private wealth manager, front company, or even a car. It is within this framework where the primary, secondary, and even tertiary impacts of a particular course of investigative or intelligence action can be empirically determined using threat group-specific aggregated data represented in network graph form.

The Solution: Network Graphs

These accelerating international risks in the counter-intelligence domain clearly represent new types of threats at greater scale, sophistication, and with intentionally fragmented organizational structures designed to frustrate investigations. These threat groups have been able to temporarily outpace many law enforcement and national security agencies due to the latter’s current reliance on software and other analytical tools that were developed during a previously less complex period; a different battlespace.

However, recent breakthroughs in advanced search, multi-domain data aggregation, and knowledge representation via network graphs have provided these dedicated security professionals with a new arsenal to defeat these threat groups who currently believe that the future belongs to them.

In order to enable a full strategic understanding of the emerging national security situations such as those outlined in this analysis, multi-domain network graphs are essential. Network graphs represent the most effective method for aggregating data from multiple sources, distilling down complexity, and representing key strategic intelligence information in the most high-fidelity form for precision targeting applications.

This is Siren’s unique vision for the future of national security technology and for our shared future more broadly.

About Siren

Siren provides the leading Investigative Intelligence platform to some of the world’s largest and most complex organizations for Investigative Intelligence on their data. Rooted in academic R&D in information retrieval, distributed computing and knowledge representation, the Siren platform provides integrated investigative intelligence combining previously disconnected capability of search, business intelligence, link analysis and big data operational logging and alerting.

Among Siren awards are Technology Innovation of the Year and the Irish Startup of the Year (Ireland’s National Tech Excellence awards). In 2020, Siren was named as a Gartner Cool Vendor in an Analytics and Data Science Report. For more information, visit

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.