Canadian Army v. The Internet

Some interesting comments by a General in Canada’s army went largely unreported outside our neighbor to the north. It’s largely the same thing the U.S. military – and others – have been saying for a while now, that soldiers need good OPSEC practices to avoid disclosing potentially damaging information online. (Never mind that perhaps 90% of OPSEC leaks are made at a high level, and not by your average enlisted MySpace user…)

What really gets me, though, is this: According to Brigadier General Peter Atkinson, as much as eighty percent of insurgent intelligence is “gleaned” from postings to YouTube, MySpace, and personal blogs. That sound alarming, I know, but it really isn’t.

Now, I spend a large amount of my time collecting, analyzing, and exploiting information from the internet, much of it open-source – i.e., “public”. I also do counterintelligence things – including searching for potentially exploitable information disclosures made by my employers or clients. Based on my experience, if the Brigadier General is even broadly correct, and “insurgents” really are getting the vast majority of their “intelligence” from open internet sources, that’s a good thing, because it means they are either devoting too few, or too inept, resources to other, more traditional – and generally more rewarding – avenues of intelligence collection. Every man-hour spent perusing MySpace comments is a man-hour not spent carefully observing a Canadian Forces base, or bribing local staff to steal flash drives, or listening to a scanner and monitoring radio traffic. Every insurgent who reads English (or French), and who is scouring forums and newsgroups for information is one that isn’t digging through soldiers’ garbage for interesting papers.

Internet content can make good propaganda fodder – your average internet-savvy twenty-something enlisted soldiers tend not to be the most careful or politically correct creatures on the planet, and it’s very easy to take a lot of comments, photos, and so on out of context and make them look quite reprehensible. Yet, while you can get a lot of information off of the internet, there’s a very, very big difference between information and intelligence, and those tidbits of intelligence gleaned from the internet are, for the most part, stale. I can’t really put this any more clearly: Intelligence gathering on the internet is an option of last resort, appropriate only when you cannot identify (in real-world terms) or get close to your target – neither of which is true of the terrorists and insurgents in question…

What I really wonder about is this: The American military has identified the internet as an OPSEC risk. The British military has identified the internet as an OPSEC risk. The Canadian military has identified the internet as an OPSEC risk. Who is going to be the first one to take the next logical step and use MySpace, a blog, forum postings, YouTube, or some similar means of communication for counterintelligence purposes – namely, disseminating strategic disinformation? If “insurgents” and “terrorists” really are scouring the internet for “intelligence” like everyone says they are, why aren’t we feeding them a steady stream of carefully-crafted disinformation designed to mislead them? I’m not talking about our domestically-targeted propaganda about the “surge”, by the way, or similar stuff, but carefully-faked tidbits of apparently-valuable information akin to those tens of thousands of such tidbits which, if the talking heads are to be believed, are putting the men and women of the free world in grave danger…

Published in: Geekiness, General, Security | on February 16th, 2008| 1 Comment »

Both comments and pings are currently closed.

One Comment

  1. On 3/3/2008 at 4:15 am Mekhong Kurt Said:

    Your points are all quite valid.

    I, too, was stunned when I first read the General’s statement that up to 80% of intelligence the bad guys get comes from the entire Internet, let alone just social networking sites. And frankly, I doubt that — a lot. (Full disclosure: I have no experience in intelligence at any level in any capacity, so may be utterly wrong.)

    Those things acknowledged and stated, there are, of course, certain basics people in the forces should avoid doing. Posting photos showing potentially sensitive, even damaging, information, for instance. What I mean, to whip up an example out of the ether, is let’s say a certain platoon has been given a knew piece of equipment to field test in real combat mode. And let’s say that field test is classified. And let’s say someone involved in that unit, in perfect innocence and without even thinking, posts a photo with three bits of information that could come back to haunt that country’s armed forces: visual information that identifies the unit (a shoulder patch, maybe), that includes the equipment being tested — and, perhaps most damaging of all, a text identification of what the equipment is. But even without the text part, the other two pieces of information could indeed be useful to the nogoodniks (and not just terrorists).

    Though in a lot of cases bandwidth considerations alone are enough to ban military personnel from using social networks, if such use isn’t banned, especially in non-combat environments, if a military hasn’t yet drawn up a detailed, clear manual for personnel to follow when posting information to a social network (or anywhere on the Internet, for that matter). I mean, this is as basic as a soldier being told not to leave his M-16 anywhere untended, isn’t it? (Well, okay, so maybe that’s too simplistic to be a parallel, but you get my point.)

    On the broader canvas, it’s sometimes disturbing to discover just what info is out there about oneself on the Internet. I ran across one of my e-mail addresses just today — as one in a long list at some site I never could figure out, and trying just the dot-com version of the file name got me nowhere.

    In sum, concerns aren’t entirely misplaced.