Information Operations, Information Warfare, Strategic Communication, Public Diplomacy, and more.

This is your professional trade association.


Headline Only Society?

Posted by: Joel Harding

Tagged in: IO Blog

I just read a very thought-provoking statement: "...everything is a headline, no one even reads magazine articles in their entirety." This statement is disturbing to me on a number of different levels.

First, it's somewhat true for me. I generally read a headline, I read the first few paragraphs, skim much of the rest of an article and then the last few paragraphs I read in detail. I just don't have time to read everything available that I would like to read. If the article is poorly written, has poor grammar or doesn't have any logical flow, I generally return to the beginning of the article and re-read the author's name - branding that author with either that style of writing or a certain perspective. I generally don't read an article with the author's history or perspective forming a preconception; I feel it would unduly bias my conclusions. That is, IF I am drawn to read the entire article.

Second, I know that a lot of thought goes into writing an article. I recently put fingers to keyboard and wrote a one-pager Op-Ed and expanded on an outline that's been developing for the past few months. I fully intend to expand this further, into a full-length article, complete with references, citations and all the other proper research. When I read the statement in my first paragraph I began to wonder: "Is it worth my time?" If most of us only read the headline and perhaps skim the rest, what is the utility of writing a full-blown research article?

Third, I think back to when I, a youngish intelligence officer, first began reading and writing intelligence reports. My boss stated that in many cases the headline of what we write was even more important than the actual report; we only had one chance to grab someone's attention and entice them to read what we had written in its entirety. In direct contrast, many of us here read sensationalistic headlines and have dismissed the article as misleading or sensationalistic. I have to wonder how most headlines or subject titles are made?

Fourth, I must admit a certain amount of arrogance. I read almost all articles as fully as I have time but generally within the first page or so I dismiss many as being uninformed, underinformed, misguided or just a plain whack job. I also dismiss many as overtly pushing an agenda. It is those articles that I mentally categorize as just 'not worth fully reading'; there are too many demands on too little time to waste fully reading a highly biased or a bad article.

Fifth, I pride myself in being intelligent but when my brain hurts I stop reading. Okay, that's an exaggeration, but if I have to suspend reality to read an article, my brain goes into overload and I occasionally shut down. I recently read an article that was so analytic in its approach that I could not discern what they were trying to say. I loved the introduction, loved the point they were trying to make and loved the conclusion, but the mathematical gyrations by which they came to their conclusions made my eyes gloss over.

Are we a 'headline only society'?


On Cyberwar - After the War is War Symposium

Posted by: Joel Harding

Tagged in: IO Blog

During the last week of January 2010 I was at the Army War College for a Cyberwarfare Symposium where all the US Combatant Commanders, Service representatives, Joint Staff and  Cyber and/or IO leaders were present.  The publications we were required to read prior to our participation were voluminous, but when we were finished we all had a very good understanding of how a cyberwar will play out from a variety of perspectives.  I came out of this symposium a shaken man; to my core.  In many ways this was good and in many ways I was shaken in a bad way.   I was surrounded by very intelligent, insightful, learned and experienced professionals.  These would be the kind of people I would want on my team if I were to ever pick and choose.   The participants spoke with a surprising amount of candor, revealing capabilities and limitations I had not even considered, and I’ve been working in this field for 15 years and around the military for over 30.  When I finally sat down and considered all the ramifications from written notes, briefing slides and from conversations, it felt like all the tumblers in a lock were finally opening, opening up and revealing its contents to me.

There seem to be a few schools of thought about offensive cyberwarfare:

1. Official US ‘units’ will perform cyberwarfare.

2. Cyber mercenary or even militia ‘units’ will perform cyberwarfare.

3. Patriotic hackers who support US objectives will wage cyberwarfare on behalf of the US.

My thoughts are very clear on this issue:  Future cyberwarfare will contain all three elements.

In the first case, the lines are fairly clear under United States Code, Title 10 and Title 32: active duty fighters and the National Guard will wage a war of sorts via the internet. During the symposium we had the usual talks about crossing international borders, using civilian networks, and unintended consequences. In the past 15 years as an insider I have not met even one person in this field who would even remotely consider planning or executing an operation in cyberspace outside the law and this group was certainly no exception. Their frustration with the speed of the legal system and their pain in other issues were obvious, but their professionalism enabled them to overcome this angst. Title 18, law enforcement and Title 50, governing intelligence operations, are necessary ‘evils’ but cause the defenders of our networks heartache and worry and make our attackers sit on their hands for inordinate periods of time. As a planner for one of the US Combatant Commanders stated, “it is easier for me to launch a Tomahawk missile downrange and kill someone than it is for me to release one single electron into someone’s computer”.

Cyber mercenary or even militia units were briefly discussed, but they would be highly illegal, even if they were somehow part of a National Guard unit.   I submit, however, that if tensions were to increase, groups of already close-knit computer professionals would form themselves into units of sorts and seek to attack and defend.  I am also certain some would have some sort of a healthy relationship where they could operate outside the law but their actions would not be official in any capacity.  More than likely this is the type of organization we may be seeing inside China, Russia or even Iran, but without better attribution we may never know for sure.

Patriotic hackers operate completely outside the law but it is extremely unlikely anyone will ever be apprehended or prosecuted for performing these acts outside the law. It is widely acknowledged that the vast majority of the hacking emerging from Russia during the 2008 Russia-Georgia conventional and cyberwars came from patriotic hackers. Toolkits were made available to those supporting the Russians, so that anyone capable of turning on a computer could act as a proxy for the Russian side, complete with targeting instructions and cyber weapons. Timelines were issued and the conventional attack was accompanied by an attack intended to create an information vacuum on many official computers, cutting off information to Georgian citizens. Georgia reacted in many ways, some wrong, some right and showed a surprising amount of resiliency and innovation. At one point they were disconnected from the internet, but then nobody got information. At one point they blocked all sites with the .ru domain association, but many of their information sources were effectively stifled. The Georgians moved many of their services to servers in the United States; even then the attacks continued, obviously illegal.

Many of these attacks showed elements of pre-planning; code had been written months prior to the conflict. Attribution was difficult and remains one of the most difficult aspects of cyberwar today; not only which computer was being used to launch botnet attacks against the target, but who controlled the zombie computers and, more importantly, determining which person or organization was responsible. Many of the attacks used previously unknown vulnerabilities, known as zero-day exploits, showing a surprisingly complex form of sophistication, leading many to believe there must have been at least tacit Russian government approval.

The really good news is that those responsible for conducting a cyber war on behalf of the United States are not waiting for congressional approval for a US Cyber Command; they are already planning and rehearsing through a wide variety of situations.


The Real Psychological Operation for Afghanistan

Posted by: Joel Harding

Tagged in: IO Blog


By Matt Armstrong

Originally posted at http://mountainrunner.us/2009/12/psyop_for_afghanistan.html

On December 1, 2009, President Obama announced his Afghanistan strategy and what immediately followed was an expected and unoriginal cacophony of sound bites based on selective memories of the past and shallow and ignorant visions of the present and future. The decline in the public’s support for the struggle is surely a delight for Al Qaeda and the Taliban who, unlike our pundits and some in Congress, understand this is foremost a psychological struggle for the minds of people in “Af-Pak” and around the world to affect their will to act.

It is time to stop accepting the propaganda of our enemies. This is about them not us. But exposing the Taliban and Al Qaeda for what they are – a threat to all societies, rapists of men and women, killers of children, drug users and traffickers, violent criminals, and religious hypocrites – is just part of the solution. Denying ideological and physical sanctuary to our enemy requires military and police operations as well as conscious yet subtle efforts to bolster the morale and hope of the people to foster the development of the physical and functional institutions of society. The people must believe that they, not the Taliban or Al Qaeda (or Afghanistan President Hamid Karzai), own and can shape their own future. This creates the incentive to construct schools, expand commerce, and build on their own culture of lawfulness.

We must understand and undermine the real mechanisms that empower the enemy and take “aggressive actions to win the important battle of perception,” as General Stanley McChrystal wrote in his August assessment. US Special Envoy Richard Holbrooke called it an information war. “We are losing that war… We can’t succeed, however you define success, if we cede to people who present themselves as false messengers of a prophet, which is what they do. We need to combat it.” Besides the challenges on the ground, the Taliban’s global propaganda campaign clearly works: according to the CIA the Taliban pulled in $100 million this year in outside donations.

A successful strategy in Afghanistan, and elsewhere, requires assistance directed “against hunger, poverty, desperation, and chaos” to “permit the emergence of political and social conditions in which free institutions can exist” without which “there can be no political stability and no assured peace.” Success is not derived from the dollars spent or the contracts let but from whether locals feel self-empowered, hopeful, and secure. The true value of such a plan is “not so much in its direct economic effects, which are difficult to calculate with any degree of accuracy, as in its psychological political by-products.” Written sixty years ago by Secretary of State (and 5-star General of the US Army and later recipient of the Nobel Peace Prize) George C. Marshall and his policy advisor George Kennan, these statements are just as applicable to Afghanistan today.

The Marshall Plan was based on development requested by and owned by the people. There are signs such a bottom up approach would succeed in Afghanistan. The National Solidarity Program, a community driven development effort where Afghans contribute capital, labor, and materials, is not targeted by the Taliban because they know it would incur an unmanageable backlash. Instead of envisioning Afghanistan like post-war Germany, as many have, we should think of it more like post-war Europe considering Afghanistan is perhaps the most decentralized “country” on the planet.

Such plans require proactive engagement, follow through, and an invigorated and aggressive public diplomacy to counter the lies and distortions of our enemy. It is not ironic that what we today call public diplomacy was institutionalized by Congress to support the Marshall Plan, a program that was under considerable propaganda attack before it was even funded.

The Taliban coined an expression which our tactical and US-centric approach has only reinforced: the Americans have the watches but we have the time. Six years after Afghanistan was abandoned for Iraq, the cost of both success and failure has risen tremendously. Considerable time has been wasted and after eight years – enough time for TWO Marshall Plans – it is understandable that patience in the US and our allies has worn thin, but that is not the fault of this Administration, senior leadership at the Defense Department today, or even many in Congress. Failure in Afghanistan would be a propaganda coup for the enemy and embolden them, increasing the security risk to the region and the West, but we cannot succeed if Afghans do not take ownership of their future and reject the Taliban and Al Qaeda.

This article is cross-posted at the George C. Marshall Foundation.


Operational Security Reminder

Posted by: Joel Harding

Tagged in: IO Blog


I admit I stole something today. Well, maybe not, I didn't exactly steal it. There is a saying that the greatest form of flattery is plagiarism.  I read a joke today that really made me sit up and notice. It was sent around by the OPSEC Professionals Association and I was sure glad I received the following joke, so I'm reproducing it here:

There was a man who had worked at a factory for twenty years. Every night when he left the plant, he would push a wheelbarrow full of straw past the guard at the gate.

The guard would look through the straw, and find nothing and pass the man through. On the day of his retirement the man came to the guard as usual but without the wheelbarrow.

Having become friends over the years, the guard asked him, "Charlie, I've seen you walk out of here every night for twenty years. I know you've been stealing something. Now that you're retired, tell me what it was. It's driving me crazy."

Charlie simply smiled and replied, "Okay, wheelbarrows!"

Information is such an awesome weapon. In this case the information was always available, the guard saw the man with the wheelbarrow but it never occurred to him to think that the man was stealing wheelbarrows. This is exactly how we were surprised on 9/11/2001 when terrorists crashed airplanes into the World Trade Center, the Pentagon and into a field in Pennsylvania. Just last week we heard of insurgents using $26 software to view videos shot by US UAVs, and many were shocked, SHOCKED, that we hadn't encrypted the video signals. Perhaps, during the design phase, someone thought ‘we should encrypt the signal’ but it might have made their proposal more expensive, thus a good idea was left behind.

Superior technology is useful when fighting a technologically advanced adversary. Recall during World War II the advances made in mine detection systems; mine sweepers became easy to use, portable and technologically advanced. The Soviets realized they did not have the technology to outwit western mine detectors, so they began putting their mines inside wooden cases, practically negating mine detectors. A recent assassination attempt used an explosive device actually inside the assassin, making exterior searches not quite enough. Lax procedures and the pressure to keep a plane on schedule on Christmas Day 2009 may have enabled 80 grams of PETN explosive, enough to peel off the entire roof of an airliner, to be snuck on board. It was only due to the rapid actions of a fellow passenger as well as lack of talent by the 'alleged' crotch-bomber that the attempt was unsuccessful. These are examples of superior technology being thwarted by "Aw shucks, why didn't I think of that?"

Electronic Warfare is all about stopping communications, deceiving or preventing information from flowing, in communications, radars or even completely overpowering a system, but it all boils down to information. If I can make your radar look left when I am going right, just for a split second, you will not see the information on your screen. If I can blind you, you don’t know where I am.

Cyberwarfare is all about information. Destroying it, denying its use to someone, damaging it, making it unreliable, copying it, manipulating it or just sitting, watching and waiting and putting the tools in place to do all those things sometime in the future.

What in the heck does all this have to do with operational security? One of the greatest 'hackers' of all time was Kevin Mitnick. Kevin was a good hacker, skilled, experienced and dedicated. But what set Kevin apart from his peers was his preparation for the computer penetration. He used a skill called social engineering, but only after doing extensive research, dumpster diving and putting the picture together. Kevin might call up a company and just ask for a password; he said he was working for computer security and had to work on their system. Sometimes he would discover a password was the person's dog's name. He was so good at this that he wrote a book called "The Art of Deception". This book is not about operational security, but it should be assigned reading for all OPSEC professionals. It should also be required reading for anyone in security. As a matter of fact it should be required reading for anyone with a computer or dealing with information. In other words, everybody should read this book.

The bottom line is that no matter what we are doing we should protect our information. It’s a simple concept; it would make a great New Year’s resolution as well, but one that we should keep.


What is IO?

Posted by: Joel Harding

Tagged in: IO Blog

What is Information Operations

Information Operations (IO) are activities conducted in or via the information environment with the intent to affect and protect cognition, cognitive processes, information, and the connectivity and processing systems necessary to create and exchange information. IO uses any or all means, in an integrated and coordinated manner, to create cognitive effects. IO span the full range of activities in human interaction from person to person through complex, multi-state, intercultural, and international communications.

The focus of IO is to affect human beliefs, expectations, decision making and behavior; whether individuals or groups. As a US DoD-originated term, the general intent of conducting IO has been to affect the outcome of military operations; whether to head off combat altogether, undermine the ability of potential opponents to muster effective combat forces, enable the defeat of an opponent, or to ease the stand down from combat operations and transition to peace. The field is not limited to military applications however and the increasing focus of inter-agency efforts has been on inform, persuade, and influence (IPI) activities supporting nation building and strategic communication beyond the edges of typical military operations.

Perhaps the greatest difficulty in IO is identifying the measures of effectiveness for desired outcomes because the means used to achieve them can vary considerably depending on whether the application occurs during peacetime, crisis, pre-hostilities, battle, or transition to peace. An additional significant problem is developing measures of effectiveness that enable evaluation of the efficacy of IO on the perceptions of foreign leaders or groups in crisis.

Whatever the situation, IO is critically dependent on and a voracious consumer of intelligence and technical information. The ability to affect decision makers appropriately, precisely, and legally may require, depending upon the specific effect desired, considerable background information about topics as diverse as the cultural mores of a leader, the internal processing algorithms of radar receivers, telecommunications system protocols, images trusted by various cultures, the extent of foreign intelligence penetration of friendly diplomatic communications, or nearly any other topic describing what someone knows, how they found it out, how reliable they think the information is, and how information is processed.

The trade-craft and expertise of IO continues to evolve through a number of doctrinal and intellectual approaches. Modern IO began with the command and control warfare (C2W) concepts employed during Desert Shield/Storm integrating operations security, electronic warfare, military deception, psychological operations, and kinetic operations. The original C2W term was eventually replaced by information warfare and now IO. The list of disciplines and missions has swelled and contracted over time; sometimes including concepts as diverse as counterintelligence, strategic communication, perception management, and information assurance. The more recent additions to the panoply of IO-associated disciplines are anything using the term “cyber” and the various disciplines involved in inter-agency IPI.

The debate about the scope of IO and what is ‘in’ or ‘out’ has sometimes been referred to by participants as the Definition War. The existence of such vigorous debate is indicative of the importance that modern military and political theorists place on the evolving ability of governments, NGOs, and individuals to affect decision makers at all levels of competition. DoD is once again internally debating a change in the definition intended to reflect the evolving maturity of real world IO and the increasing importance of the integrated application of multiple capabilities to achieve desired soft power outcomes.


The Unvarnished Truth about Information Operations

Posted by: Joel Harding

Tagged in: IO Blog


Joel Harding

We have some really great news about Information Operations!   Recent reports from the ongoing Quadrennial Defense Review in the US Department of Defense confirm that there should be a new definition of IO soon that is much easier to understand, focused on integration and effects, and enables more tools to be used because it does not list components as a part of the definition!

To illustrate what a huge development this is, let me quickly review the history of IO. In the early 1990s the concept of Command and Control Warfare was recognized, but it was quickly replaced by the term Information Warfare, which was also quickly replaced by the term Information Operations. Information Operations are an integrating strategy using information to focus on another country’s population and ultimately their decision maker to do something of your choosing. Compounding the misunderstanding of IO was the definition in United States Joint Publication 3-13, which was widely regarded as the authoritative guiding document, even for non-Department of Defense or non-US entities. The definition of IO began by listing its components and a relative afterthought was what IO was supposed to do. Thus began the definitional wars which are still being waged today. Therefore the US IO policy and doctrine lag behind much of the rest of the world.

About the same time as the publication of Joint Pub 3-13, the Cold War had ended and the United States, in an effort headed up by Senator Jesse Helms to save money for a peace dividend, dissolved the United States Information Agency. The missions were absorbed into the Department of State but the practice and policies were decentralized to the embassies with no central coordinating figure. This created an interruption, not only in getting a coordinated message to the rest of the world, but also hindered gathering critical feedback needed to adjust planned and ongoing operations. This has created a problem for the Department of Defense in their ongoing campaigns in Afghanistan and Iraq, forcing DOD to do Strategic Communication in support of their ongoing missions, globally. The United States is considered less effective than many other countries in presenting a credible message to foreign audiences.

There is no National Information Strategy to coordinate the information efforts of the United States Government, so there are no guiding principles, doctrine or strategy to integrate into the execution of the National Security Strategy and nothing to integrate Joint Publication 3-13 with the U.S. National Strategy for Public Diplomacy and Strategic Communication at the governmental level.  The message of the United States sometimes appears uncoordinated without an integrating strategy, directly impacting information operations.

Recently the US House of Representatives attempted to remove $500 million from DOD worldwide IO programs associated with Combatant Commands, stating that the US Department of State had adequate Strategic Communication and Public Diplomacy capabilities to perform the mission.  The Senate’s version removed only $58.8 million and senior officials at DOD are comfortable with the compromise.   The Afghanistan/Pakistan Task Force and the chief diplomat for this area, Richard Holbrooke, have the authorities to perform these missions.  With adequate funding some experts feel this will indicate a growing awareness in Congress of the monumental problem with US foreign policy in the information realm.

All is not doom and gloom in the world of Information Operations.  As an integrating strategy IO holds the promise to enable any efforts by any organization, government or military, to spread coordinated messages, maximizing their accumulative effects.   The impediments to properly conduct IO by the United States are not insurmountable; the importance of not implementing proper organizations and authorities to conduct IO must be emphasized before tragic, uncoordinated mistakes lead to disaster. 


Cyberwar Redefines War

Posted by: Joel Harding

Tagged in: IO Blog

 


Joel Harding

The definition of war is going to have to change in the future.  After listening to the Russians in October and November of 2009, after cogitating what the Chinese are 'allegedly' doing, having read the Chinese PLA publication “Unrestricted Warfare”, I believe the threshold for war, or for aggressive actions which may lead to war, will have to be established at a lower level.  I believe we are being conditioned to accept a certain amount of intrusiveness via the cyber domain, I believe we are being conditioned to accept a certain amount of cyber damage, I believe we have set the conditions which will continually put us on the brink of war in the cyber realm and the nuance between war and non-war will be subtle.  I can no longer call it peace, it's non-war in my opinion, because we read about being continually attacked, continually being targeted and consistently being probed, pinged, exploited and hacked. It seems to be no longer important who is doing these actions, it is the 'why' and eventually determining the who behind the why...  but that takes human intelligence and criminal investigations simultaneously.  Human Intelligence and current criminal investigative techniques are too slow; they do not work at the speed of our networks.  By the time law enforcement builds a prosecutable case, the time for action is well over and all law enforcement can do is to prosecute with little to no chance of conviction, at least not the way the net is currently configured.  This will not change in the foreseeable future.