06/10/2015

U.S. Intelligence Support to Find, Fix, Finish Operations

In recent military operations such as Operation Enduring Freedom (OEF) and Operation Iraqi Freedom (OIF), US commanders have adopted F3EAD, an operational methodology created in the 1980s for US Special Operation Forces (SOF) supporting Host Nation forces in Latin America. [1] F3EAD stands for Find, Fix, Finish, Exploit, Analyze and Disseminate. The first two phases rely on intelligence capabilities to find and locate high value targets or individuals, in order to proceed with a "kill or capture" operation (Finish phase). In the exploitation phase, US forces conduct on-site collection of intelligence material, before analyzing it and making it available to commanders, and to the broader Intelligence Community (IC). F3EAD is a key component of the doctrine known as Attack the Network, a strategy designed to neutralize unconventional threats such as criminal organizations, terrorist groups and insurgencies.

High Value Individuals (HVI) are the focal point of most F3EAD missions and are defined in official doctrine as “person(s) of interest (friendly, adversary, or enemy) who must be identified, surveilled, tracked and influenced through the use of information or fires”. [2] A High Value Individual may become a target for a kill or capture operation after an evaluation by intelligence officers, and then placed on a target list approved by the commander. Targets on the list are ranked by priority, based on a method called CARVER to assess the final impact that the removal of each target would have on the adverse network. “CARVER assigns weighted values for a target’s criticality to his insurgent cell, accessibility for capture, recognizability for positive identification after capture, vulnerability to capture, positive effect on the environment if captured, and the lack of recuperability within the insurgent network if captured.[3]. As intelligence officers reported in official litterature, the target selection process, even though based on common standards, differs among targeting teams both in the priority given to certain targets and in the choice of lethal action over capture.

In Iraq and Afghanistan, the targeting of high value individuals was often connected to a large effort to suppress the threat of Improvised Explosive Devices (IEDs) led by the JIEDDO. [4] Targeting cells were responsible for identifying key militants providing ressources or technical know-how regarding IEDs, in order to disrupt and eventually eliminate their networks. These targeting cells were closely collaborating with intelligence officers from the CIA and DIA, and with special operations forces (SOF). The effort against bomb makers was backed by other branches of the military, such as MISO (Military Information Support Operations), formerly known as PSYOP (Psychologic Operations). In 2011, after the end of Operation Iraqi Freedom, US Army MISO kept coordinating with counter-IED units from the Iraqi Army in order to incite Iraqi citizens to provide information against people suspected of helping bomb makers, using dedicated tip lines.

Specialized targeting teams from military intelligence units and intelligence agencies have become essential to military operations against insurgents and terrorists. They are sent to help theater commanders and combat units in need of their expertise, receiving intelligence support from all branches of the US armed forces and from the wider Intelligence Community. The National Security Agency (NSA) is a major contibutor to key aspects of F3EAD operations through its military branch, the Central Security Service (CSS). NSA/CSS provides training for SIGINT and COMINT technicians and analysts, maintains essential computer networks, develops and hosts software and databases used for targeting tasks, and pushes its own intelligence products to the battlefield.

Detail from an NSA "love note" published on NSA.gov on Sept. 26, 2015

In the course of the last decade, F3EAD operations have grown extremely reliant on contractors from a large number of defense companies, such as well-known Leidos and L-3 Communications. These contractors, most of them former military or intelligence personnel, work daily with men and women in uniform. They are found in many restricted areas working alongside intelligence officers, either abroad on Forward Operating Bases (FOBs) or tagging along soldiers on lower-risk missions, or back in the US in military bases and intelligence facilities, such as NSA's Fort Meade and Fort Gordon. Some contractors are even allowed inside SCIFs (Sensitive Compartmented Information Facilities) for maintenance or security jobs. Inside targeting teams, contractors often hold key roles such as analyzing sensitive data, training military personnel, maintaining equipment and software, or translating classified documents. In some cases, contractors work from their company's office, using computers provided by the Department of Defense and connected to restricted networks.

In order to target High Value Individuals, intelligence analysts resort to all sources at their disposal, including satellite imagery, airborne reconnaissance missions, interrogations from captured enemy combatants, signals intelligence and interception of telecommunications. Analysts and technicians gather imagery from various optical sensors and radars, but they often depend on signals intelligence (SIGINT), both for narrowing an area to properly task sensors and in the final phases of kill / capture operations.

In the air, intelligence technicians can count on a growing family of SIGINT and COMINT sensors, feeding their collected data back to ground stations and populating large national databases at the disposal of the  US Intelligence Community. A variety of these sensors are fitted on heavily modified airplanes such as the RC-12 Guardrail derived from the Super King Air 200 and the MC-12W based on the King Air 350. These aircrafts are crammed full of electronics, computers and communication relays, in order to collect, process and broadcast intelligence to ground stations. Several variants of the C-12 were produced, fitted with a set of sensors including electro optical gyro balls such as the Wescam MX-15, infrared imaging sensors, and the VADER (Vehicle And Dismount Exploitation Radar) GMTI (Ground Moving Targer Indicator) radar. But most of all, the MC-12 has been fitted with several SIGINT and COMINT sensors dedicated to hunting High Value Targets, codenamed TYPHON, NEBULA, WINDJAMMER and PENNANT RACE.

The mission of the MC-12's crew is to stay in the air, for missions up to 12 to 16 hours, and monitor radio and mobile phone communications. When required by ground operators, the crew provides geolocation support using both SIGINT and imagery sensors, in order to precisely locate a target and send back GPS coordinates. PENNANT RACE provides COMINT collection, using nine antennas simulating base stations as an IMSI-catcher would. TYPHON and NEBULA are used for radio frequency (RF) monitoring and direction finding. Collected data from all sensors are centralized onboard using off-the-shelf Cisco routers, encrypted through a KG-250 encryption module and broadcasted back to targeting teams using satellite communications. These sensors can be remotely tasked by analysts and technicians at theater level or even from the US, coordinating with air cews using Jabber and mIRC. MC-12 are flown by US Air Force units such as Expeditionary Reconnaissance Squadrons (ERS).

A patch for the 361st Expeditionary Reconnaissance Squadron,
depicting an MC-12 airplane followed by two A-10 close
air support aicrafts and an AC-130 Gunship. 


The calm before the storm 
Source : flightlineinsignia.com

Several SIGINT and COMINT systems are fitted on Unmanned Aerial Vehicles (UAV) such as the RQ-4 Global Hawk, the MQ-1 Predator and the MQ-9 Reaper. Some sensors have been adapted specifically to fit UAVs, such as GILGAMESH or AIRHANDLER, a SIGINT sensor used extensively by operators for advanced geolocation. Smaller UAVs such as the MQ5B Hunter are also employed to monitor enemy frequencies and provide target coordinates to soldiers or air support. Some units have specialized in hunting targets using their frequencies, such as the 224th Military Intelligence Battalion which has dedicated two companies to this task.

A patch from the 224th Military Intelligence Battalion

On the ground, small teams are responsible for monitoring radio traffic and providing direction finding to locate High Value Targets. These Low Level Voice Interception (LLVI) teams are often embedded with combat units and establish enemy presence at a distance. LLVI operators can guide combat teams toward enemy positions, or send warning of possible ambushes and IED operations. They participate in hunting SOF targets and coordinate whit air support, sometimes at a danger close distance.

A patch for an LLVI Team from the Delta company,
125th Military Intelligence Battalion
deployed in Operation Iraqi Freedom

LLVI operators rely on handheld and vehicle-mounted monitoring systems, such as the DRT suite from Digital Receiver Technology [5], or the AN/PSS-7 Wolfhound, a system transferred to the Afghan National Army. The PROPHET suite of SIGINT systems, the man-portable PRD-13(V)3 and the AR/PRC-148, have also been widely used by the US Army to monitor and locate HF/VHF/UHF signals in Iraq and Afghanistan.

The AN/PSS-7 Wolfhound system deployed in Afghanistan

The use of SIGINT sensors to detect, locate and designate targets is known as SIGINT Terminal Guidance (STG). Terminal guidance traditionally refers to systems providing guidance to weapons in the last phase before impact. STG operators lead aicrafts and weaponry to their targets, but also tactical teams conducting capture operations, even though the term “terminal guidance” retains implied lethality. Analysts and operators take advantage of large databases filled with data from SIGINT and COMINT systems, augmented with imagery and GPS coordinates. SIGINT and COMINT data is often collected by codenamed systems, such as ARTEMIS, a SIGINT and Direction Finding system related to GSM communications or the RED RACE airborne system used to monitor VHF communications. Intelligence databases are broadly used by STG teams, including DISHFIRE, an NSA database for SMS messages, and several databases used for tipping and reporting, such as GISTQUEUE or HOMEBASE, a database often used to find the best keywords and selectors for a target. SIGINT and COMINT databses are cross-referenced with geolocation data from other databases such as OILSTOCK and GEMINI, a large geolocation database maintained by the DIA.

Most of the targeting process is done using databases, from which analysts produce target packages, a set of intelligence products including the target designation, GPS coordinates and a priority rank, often supplemented with imagery and other data. High priority targets are added to the Joint Prioritized Effects list (JPEL), a list of targets to be killed or captured, approved by the commander after a nomination process. While engaged in Afghanistan in 2013 and 2014, a brigade level SIGINT targeting team from the US Army was responsible for the delivery of more than 70,000 pounds of ammunition on designated targets.

In some missions, the targeting process occurs in a very short timespan, during which STG operators use available sensors to lead military units to their objectives in real-time. These operations, either “kinetic” kill missions or capture raids, put a heavy responsibility on STG teams, both in choosing targets and ensuring that operations succeed. Targeting analysts and operators are well-aware of the “life and death” decisions they have to make, sometimes in a few minutes. This kind of fast-paced SIGINT targeting is a specialty of Special Operations Teams Alpha (SOT-A), elite units deployed around the world to provide support and training to US and allied forces. SOT-As were deployed many times for extended tours in Iraq and Afghanistan. Alpha teams were also sent in support of foreign military forces engaged in counterterrorism operations, such as the Colombian army and the Philippine army.

On many occasions, private contractors were are at the forefront of terminal guidance operations, including in the final phases of kill / capture missions. Some contractors were even responsible for producing dozens of target packages, at times during short contracts of only a few months.

In order to always provide enough intelligence to targeting teams and analysts, the Intelligence Community has to continually adapt to technological evolutions and to changes in the telecommunications networks covering their areas of interest. This involves creating new SIGINT and COMINT systems that are customized to fit the analysts and operators needs.

One of these systems has recently been developed by a defense company founded by former SIGINT experts from the US military, which received contracts from the NSA and DIA. This system is a fully integrated monitoring solution able to detect any WiFi routers or GSM / 3G base stations in a specified area. Once base stations are detected, the system will record their unique identification and location, before using them in order to appear as legit base stations and force phones and devices in the area to register and connect. The system will then automatically record the identification and location of all registered devices. All this data is stored in a database and provided to intelligence analysts as a map of all known base stations and devices in the area. The same defense company developed systems used to remotely extract data from mobile phones and communication devices.

Targeting teams use telecommunications metadata found in large databases such as ASSOCIATION, MAINWAY and DISHFIRE, in order to map the structure of insurgent and terrorist networks. This analytical process known as “call chaining” and “contact chaining” is achieved using a set of commercial tools like Analyst Notebook and Palantir, and software created for the Intelligence Community, including Thunderbunny, Metrics and Renoir, a contact chaining tool also used by GCHQ.

Broadcast events visualized using Renoir,
in a 2009 GCHQ document released by The Intercept

US intelligence agencies have deployed a vast network of technical assets to intercept communications and metadata, which are passed to targeting teams. These assets are deployed close to theater of operations and in primary areas of interest, such as Eastern Africa and the Gulf of Aden. Some COMINT systems are operated remotely but still require scheduled maintenance provided by contractors. Over time, new capabilities are added to these assets, in order to monitor various type of telecommunications, such as LTE, WiMAX or commercial satellite communications including Inmarsat, Iridium and Thuraya networks. These COMINT and SIGINT installations are managed from FOBs and smaller covert compounds under the authority of intelligence officers and special operations operatives.

Ground based and airborne COMINT systems are used in support of the military and special operations forces conducting capture missions, direct action (DA) operations and drone strikes. A major intelligence effort is still ongoing in the Horn of Africa and in Yemen, involving the use of UAVs and manned airborne platforms used for reconnaissance. They are mainly operated from Camp Lemonnier in Djibouti and the close-by airfield of Chabelley, which was refurbished and expanded in 2013. [6]

A view of Chabelley airfield during expansion works

Large COMINT initiatives in support of military operations are not always consensual inside the intelligence workforce, as Cobra Focus has shown. Cobra Focus was a dedicated intelligence fusion cell created to support military operations and counter-terrorism efforts in the region. The main role of this cell was to provide tips to ground forces in Iraq and provide them with enemy locations for kill / capture operations. Cobra Focus relied heavily on communications interception processed and analyzed with the support of the NSA Georgia Regional Security Operations Center (GRSOC) in Fort Gordon. As James Bamford reported in his book The Shadow Factory, two intercept operators working at GRSOC voiced concerns about phone calls they had to transcribe, as some of them were from American citizens working in the Baghdad Green Zone and calling back to the United States. Both operators chose to become whistleblowers and revealed to the press that hundreds of calls from American citizens wre monitored. [7] This operation shows how dodgy the legal framework of COMINT support to military operations can be. Signals intelligence is also a politically sensitive matter for host nations, as the revelation of the MYSTIC program demonstrated. This program involved bulk collection of metadata and mobile communications in Afghanistan, and was revealed by documents from Edward Snowden. In september 2015, Director of National Intelligence James R. Clapper stated that documents leaked by Edward Snowden lead to the shut down of a key intelligence program by the government of Afghanistan, presumably the MYSTIC program. He called this program “the single most important source of force protection and warning for our people in Afghanistan”. [8]

COMINT exploitation has also induced a growing need for linguists from the Intelligence Community. This led to outsourcing contracts with private companies to find linguists and interprets fluent in languages such as Farsi, Pashto, Urdu and Somali. DIA and NSA both issued several large contracts for linguist support programs such as MOSAIC and PONYTAIL. Linguists and interprets were recruited in the United States and abroad to translate communications and documents for intelligence agencies, even though some of them did not hold security clearances, which may have led to management and sanitization issues.

Gaining access to new COMINT and SIGINT sources is a continual challenge for intelligence officers and technicians. Intelligence agencies recruit and train analysts who specialize in locating and identifying new vulnerabilities to exploit. NSA's Special Source Operations (SSO) has a dedicated office named Environment Analysis Branch where analysts monitor all activities related to large communications cables, both terrestrial and submarine. They locate and identify cable landing points, keep track of all incidents and put cable laying ships under surveillance. They also pay close attention to communications companies investing in cable technologies. Analysts from the NGA also take part in the surveillance of telecommunications cables, providing maps of landing points and vulnerable locations which can be exploited for intelligence collection. The NSA has a similar team dedicated to the monitoring of foreign communications satellites (FORNSAT) and the study of technical changes in satellite communications. SIGINT and COMINT technicians can also get help from analysts who create and update presets for the fine-tuning of collection systems, placed in dedicated databases.

Once a high value individual has been detected and identified, the “Fix” phase of the F3EAD process comes in, which means locating and keeping track of a target before proceeding with the “Finish” phase. This tracking can be done using observation tools and cameras, or with satellite and aerial imagery. In many cases, tracking a target also involves SIGINT geolocation and radio frequency direction finding. In addition, intelligence operatives and special forces have been using specially designed devices known has Tagging, Tracking and Locating (TTL) systems. They range from small beacons broadcasting in the radio spectrum coupled with GPS-like microchips, to more exotic tagging devices such as various radiation-based tagging systems. The Blackbird defense company, acquired by Raytheon in 2014, created a set of TTL systems known as the Close Access Target Reconnaissance (CATR) and Enhanced CATR, specially designed for the US SOCOM. [9] The CATR tagging system was designed to provide uninterrupted tracking in remote areas where friendly forces may not be available to track a tag using direction finding or where communication coverage is poor. This device is able to jump between a set of communication modes, including GSM, 3G or low-orbit communication satellites. This change of communication mode can occur either when the device registers signal loss or when it is remotely required to jump to another network in order to remain undected.

At the end of the process, when the target has been reached, intelligence personnel proceed to the “Exploitation” phase. During a process called Sensitive Site Exploitation (SSE) all available documents, digital supports, equipments and clues related to the target are surveyed and collected. Teams take pictures and videos of every rooms they inspect. Trained personnel use forensics techniques to collect evidence and tools such as UV lights, metal detectors and nonlinear junction detectors to discover any concealed object or electronics. Combatants and suspects are identified and their biometrics such as fingerprints, photographs and measurements are collected and added to large databases shared with the Intelligence Community. DNA samples are also collected for analysis. SSE can sometimes conclude in a large haul of captured materials which can take months to fully analyze.

All captured materials are then processed by analysts and technicians using methods known as DOCEX (Document Exploitation), MEDEX (Media Exploitation) and CELLEX (Cellular Exploitation). Documents are digitized, translated and analyzed, before all meaningful information is put into databases such as HARMONY, one of the largest databases for document and media exploitation. During Operation Iraqi Freedom, a single team of over a hundred intelligence analysts added several million of entries into this database over the course of a few months.

As intelligence operatives sometimes need to collect data quickly and discreetly from mobile phones and other electronic devices, they asked for special tools to do so. A defense company which received contracts from the intelligence community created a kit able to connect up to 30 different types of devices, automatically download their contact lists, pictures and a set of pre-defined files from their memory, then upload all data to a dedicated database. Another prototype has a similar function and is designed to be concealed as a small book or bottle, implying a potential covert use.

Information extracted from mobile phones and computers are analyzed for contact-chaining and COMINT targeting. This data is also exploited to gain access to a growing source of intelligence called Digital Network Intelligence (DNI), based on intelligence collected from computer networks. Analysts specializing in DNI are supported by specialized units conducting computer-network exploitation (CNE), such as NSA's Tailored Access Operations (TAO).

The study of “Find, Fix, Finish” operations reveals a large scale intelligence effort to provide information for a targeting process that focuses down to an individual level. Intelligence support to F3 operations comes from all sources of intelligence, but SIGINT and COMINT certainly play a bigger part in identifying, locating and tracking individuals. This type of operations also shows an intelligence process were bulk collection, automation and data mining became essential to intelligence professionals who are sometimes working far from the battlefield. The involvement at all decision levels of a diverse workforce including military personnel, intelligence analysts from national intelligence agencies and private contractors makes it hard to keep track of complex chains of responsibility.

F3EAD operations are conducted daily around the world, including by the military coalition against ISIS in Syria and Iraq, which is coordinating at a Joint Targeting Board.

This article is based exclusively on open sources. Due to data anonymization concerns, most source documents are not provided.

[1] See J.A. Gomez, “The Targeting Process: D3A and F3EAD”, Small Wars Journal, July 2011
[2] See FM 3-60, The Targeting Process, November 2010
[3] See C. Burgess, “Targeting in the COIN Fight: Observations and Recommandations”, MIPB 34-10-3, July-September 2010, p.25
[4] For more information about JIEDDO and counter-IEDs operations, see Rick Atkinson, "Left of Boom. The Struggle to Defeat Roadside Bombs", Washington Post, 2007 and Noah Schachtman, "The Secret History of Iraq's Invisible War", Wired, 2011
[5] For more information about the DRT Suite, see Electrospaces "DRT Box and DRT surveillance systems", Nov. 2013
[6] For more information about drone operations in the Horn of Africa, see Ty McCormick, "US operates drones from secret bases in Somalia", Foreign Policy, July 2015; Craig Withlock, Greg Miller, "U.S. Moves drone fleet from Camp Lemonnier to ease Djibouti's safety concerns", Washington Post, Sept 2013.
[7] See James Bamford, The Shadow Factory, pp.131-134; Brian Ross, Vic Walter and Anna Schechter, "Inside Account of U.S. Eavesdropping on Americans", ABC News, october 2008
[8] Ellen Nakashima, "Top spy bemoans loss of key information-gathering program", Washington Post, Sept 2015.
[9] For more information about Blackbird Technologies, see Noah Shachtman "Manhunt Inc. : Firm 'Tags' terrorists for special ops", Wired, May 2011

Related readings
Commander's Handbook for Attack the Network, USJFCOM, May 2011

William M. Arkin, Unmanned: Drones, Data and the Illusion of Perfect Warfare, Little, Brown and Co., July 2015
Dana Priest, William M. Arkin, Top Secret America: The Rise of the New American Security State, Back Bay Books, Sept. 2012
James Bamford, The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America, Anchor, July 2009
Matthew M. Aid, The Secret Sentry : The Untold History of the National Security Agency, Bloomsbury Press, June 2009

Ken Dilanian, “Rare US success in Syria, Iraq: Finding senior militants”, Associated Press, Sep 28, 2015

Ressources
Electrospaces, NSA Nicknames and Codewords
Snowden Doc Search

Aucun commentaire:

Enregistrer un commentaire