Editor’s note: This article is the eighth in a series, “Full-Spectrum: Capabilities and Authorities in Cyber and the Information Environment.” The series endeavors to present expert commentary on diverse issues surrounding US competition with peer and near-peer competitors in the cyber and information spaces. Read all articles in the series here.
Special thanks to series editors Capt. Maggie Smith, PhD of the Army Cyber Institute and MWI fellow Dr. Barnett S. Koven.
On October 26, 2020, Philip Walton, a US citizen living in Niger, was kidnapped from his farm by seven men armed with AK-47s and other weapons. Within three days, US Navy SEALs successfully conducted a high-risk and immensely complicated mission to rescue Walton, executing a high altitude – low opening (HALO) parachute insertion onto the objective and killing six of the seven kidnappers before recovering Walton unharmed. This operation demonstrated the truly global reach of US special operations forces (SOF) and, most importantly, the speed with which the United States can and will act to protect its citizens abroad.
However, Walton’s rescue—a tactical success at every level—was “outed” in near real time by a Dutch aircraft spotting website, which provided live tracking of the operation using open-source software and crowd-sourced data. Using tail numbers and live flight tracking apps, web sleuths unraveled the network of military and civilian aircraft that took part in the operation, exposing tactics, techniques, and procedures and jeopardizing future operational capabilities.
Walton’s rescue was not the first time sensitive SOF operations were revealed through the analysis of open sources, leaky apps, or user-generated data. In 2018, a data leak at the fitness tracking app Strava compromised sensitive military base locations and patrol routes in Syria. But the quickness with which the operational security and secrecy of the Niger rescue mission unraveled demonstrates how SOF organizations have a digital signature security problem that needs to be addressed as they take the lead in the transition from counterterrorism to great power competition. Conventional forces have the same problem—but at a far greater scale. It is not unreasonable to suspect that SOF and conventional forces’ digital signatures are etched in foreign-held databases, gathered from more than twenty years of counterterrorism operations. It is also not unrealistic to expect that similar signatures have been compiled and stored for other operations, occurring outside the counterterrorism arena. Ultimately, we know that our near-peer adversaries are aware of US SOF digital signatures and are watching and waiting for them to appear in the “gray zones” where the newest chapter of great power competition will play out.
SOF, Cyber and Great Power Competition
Recognizing the superior performance of SOF in executing the counterterrorism fight for the last twenty years, policymakers have clearly articulated that SOF will have an integral role in executing operations below the level of armed conflict in this new era of great power competition. As a result, commanders and decision makers throughout the SOF community have emphasized building exquisite cyber capacity and the ability to conduct effective OIE—operations in the information environment. The new “door kickers” will be “coders” according to US Special Operations Command (USSOCOM) commander General Richard Clarke. But regardless of whether they wield a keyboard, an MP-7, a Raspberry Pi, or a SCAR, the new generation of SOF operators will carry with them detectable digital signatures that can serve as early-warning mechanisms of future operations for our adversaries. USSOCOM identified the digital signature issue in 2018, framing it as “signature management” of no-fail missions, but failed to account for the type of digital signatures that leave no trace in the physical world. This was a major oversight—one that will not be overlooked by our great power competitors.
As an example, a recent task force that was stood up in the Indo-Pacific is charged with countering Chinese disinformation operations by establishing partnerships in the region and utilizing military information support operations. As the task force’s partnerships mature and operations below the level of armed conflict increase in number and intensity, it is reasonable to anticipate an increase in the offensive nature of operations in both the cyber and physical environments. The Indo-Pacific mission also gives SOF new physical proximity to the great power competition OIE battlespace. Our adversaries are aware and are watching to see if any familiar digital footprints pop up in their backyards.
Great power competition and the next generation of operations will allow us to deny or undermine our adversaries’ cyber and OIE advantages. It will also give our forces the ability to execute their own exclusive cyber capacities from unique platforms abroad. Unfortunately, we risk our newly tasked forces and the mission if we do not examine and modify the SOF digital footprint before deployment into contested zones.
Digital Signature Management
Continuous collection of our digital signatures gives adversaries access to patterns and profiles that provide stunning insight into our operations, plans, and personnel. The constant stream of data emitted from our force’s personal cellphones, laptops, and social media accounts—devices and platforms that intertwine our military’s personal and professional lives—draws a distinct outline around troop movement and physical location and creates a trackable, traceable, and near-real-time record of activity. Further, implementing strictly disciplined avoidance of susceptible devices and applications is not only burdensome and limiting to both personnel and operations, but may in itself provide a significant indicator to adversaries in an environment where use of such devices and applications is the universal norm. Commanders and decision makers are now realizing this new domain applies globally, at all times, and for all of their personnel.
Advantages we currently maintain as critical to our operational success, such as human performance, overwhelming force, superior technology, phenomenal logistics, and insightful intelligence, are significantly degraded by ignorance of SOF digital signatures. SOF operations will continue to be betrayed by poor digital hygiene unless SOF addresses its digital signature problem now. If the problem is not addressed throughout USSOCOM, the intermingling of personal and operational electronic devices in training events and deployments will continually contaminate the command.
So, what can be done to secure SOF operations now and in the future?
Protect the Force, Preserve the Mission
Prohibiting our adversaries’ ability to “pull us from the ether” and identify our personnel and operations within the white noise of the global data environment is achievable. But, it requires a new strategy. This new strategy to protect the force and preserve our operational advantage should be built on three pillars: digital signature awareness training, technical systems architecture, and compliance auditing.
Digital signature awareness training should support a baseline behavioral standardization for the force, to ensure understanding and best practices. Training must include periodic refreshers as technology changes, understanding of how technology supports and hinders operations, and the extent of the current and future threat posed by technology and how we use it. Training can also address specific aspects of exercises to add realism to the ubiquitous collection of data and associated threats, as well as simulating the OIE battlespace. Technology is constantly changing the operational environment and training should reflect the realities of the terrain. As members of the force become more educated on the threat environment, they will be able to adapt in response to unanticipated threats and navigate this terrain more quickly and securely.
Technical systems architecture begins with mission need and requires an understanding of what technologies are needed to accomplish the mission, what technologies will secure the mission, and how easily these technologies can scale securely. Teams should ensure that the architecture can democratize data and make it available to as many users as possible for internal and external analysis. Democratizing data serves two purposes: it demystifies the data itself; and it empowers personnel to develop tools, ask questions, and produce insights using various techniques. Ultimately, technology should support operations, not be a limiting factor. Additionally, as technology continues to evolve, it will require persistent monitoring by technical subject matter experts to incorporate new systems into existing infrastructure and phase out the older and more obsolete technologies.
Compliance auditing is necessary to ensure policies, training, and systems are protecting the force and advancing the mission. From another perspective, compliance auditing is really creating and fostering cyber situational awareness. Continuous monitoring for compliance is necessary to make better, more informed decisions as new technological threats to personnel and mission are identified. Over time, the auditing will be adopted as doctrine, providing great insight into internal processes that will reinforce the overall security of personnel and mission.
“Defend Forward”
The constant defensive management of our digital signatures and personal data is critical for the security of the force as well as the success of future operations within the context of great power competition. When we use the same methodologies to examine our adversaries’ data, we will be able to identify their operations before they commence, leading to their compromise, and enhancing the effect of OIE and other kinetic or nonkinetic campaigns. Surveying and analyzing our adversaries’ leaky data also acts as a reconnaissance tool that will lead to the identification, development, and exploitation of follow-on cyber operations.
Persistent digital situational awareness is a double-edged sword. Collection and analysis of such data creates a digital unblinking eye that can provide key, targetable insights into adversary operations, personnel, and force movements. But when our adversaries turn their own unblinking eyes in the direction of US SOF’s past, current, and future activities, these SOF organizations lose operational and technological advantages.
US SOF must recognize the realities of the digital threat environment, how current SOF operational profiles fit within it, and what continuing the status quo will mean for future operations against near-peer adversaries. Above all, SOF must understand that failure to take corrective, protective, and proactive actions to manage their digital signatures will result in operational compromise, mission failure, and strategic loss in this new era of great power competition.
Chris Cruden is a former senior advisor to the under secretary of defense for intelligence and security. Prior to that, Chris worked in the private sector in emerging technology and served as an intelligence officer conducting HUMINT and SIGINT operations in support of special operations. Chris is currently a member of the Ridgeline International, Inc. team ensuring DoD clients have the necessary technology and training to carry out their missions securely and successfully.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense, or that of any organization with which the author is affiliated.
Image credit: Master Sgt. Scott Thompson, US Air National Guard