Schneier on Security
A blog covering security and security technology.
March 20, 2006
Writing about IEDs
Really good article by a reporter who has been covering improvised explosive devices in Iraq:
Last summer, a U.S. Colonel in Baghdad told me that I was America's enemy, or very close to it. For months, I had been covering the U.S. military's efforts to deal with the threat of IEDs, improvised explosive devices. And my writing, he told me, was going too far -- especially this January 2005 Wired News story, in which I described some of the Pentagon's more exotic attempts to counter these bombs.
None of the material in the story -- the stuff about microwave blasters or radio frequency jammers -- was classified, he admitted. Most of it had been taken from open source materials. And many of the systems were years and years from being fielded. But by bundling it all together, I was doing a "world class job of doing the enemy's research for him, for free." So watch your step, he said, as I went back to my ride-alongs with the Baghdad Bomb Squad -- the American soldiers defusing IEDs in the area.
Today, I hear that the President and the Pentagon's higher-ups are trotting out the same argument. "News coverage of this topic has provided a rich source of information for the enemy, and we inadvertently contribute to our enemies' collection efforts through our responses to media interest," states a draft Defense Department memo, obtained by Inside Defense. "Individual pieces of information, though possibly insignificant taken alone, when aggregated provide robust information about our capabilities and weaknesses."
In other words, Al Qaeda hasn't discovered how to Google, yet. Don't help 'em out.
Posted on March 20, 2006 at 11:53 AM
Shit, my grandmother could probably look up all of the information needed to build a nuclear weapon in less time than it takes for these morons to talk about how having an honest and free press "helps the enemy"--and she doesn't even know how to use Google!
On the contrary, articles such as these help us by showing us how much someone without access to confidential sources can put together. I somehow doubt that the enemy won't be looking through these materials, and they'd be a lot less likely to share what they find.
It doesn't hurt, does it, to ask some people to be tight lipped? Especially embedded reporters specifically researching the efficacy of IED detection devices? Even if it is a tiny factor. Look at the extent we go as a society to save one life in non combat spheres.
There are numerous groups battling in the streets out there with no affiliation to a larger think tank. They are in fact the majority. These people have marginal English and internet skills, that too if they can access the internet given the 20 hour / day power blackouts in the country.
I disagree with the colonel's assertion that this aggregation is a "world class job" that needs to be contained. Yet, it is still a decent aggregation by someone with unique experience on the ground. Given the credentials of such a reporter, isn't it likely that his inferences are likely valid? If I google for information like this, I will greatly appreciate such a summary: wouldn't you?
This is very far from ideal security, but when dealing with a threat (IEDs) that defy detection, FUD and every inch of half-reasonable obscurity helps. Provided it is not detracting from the effort of more effective measures. As long as the colonel was not spending significant time hounding such reporters or constantly complaining about such stuff and doing nothing else, his blunt expression of displeasure seems apt.
Aggregation is a problem, but not the media's problem.
The responsibility is on the military to limit the leaks of sensitive but unclassified information (that could lead to aggregation).
Trying to shame a reporter isn't the best tact.
Honestly, having read the Wired article, I didn't think the article was giving much away.
Being able to Google is easy, sorting out the wheat from the chaff is the hard part. Having information from a source that can be verified is of value.
Posting information about general chemistry is one thing. Detailed instructions on how to create an explosive device that will defeat bomb detectors, written by a well-known reporter who just interviewed the bomb detector inventor, might be another thing altogether. Where is the line?
Have you ever seen someone take the subject of a failed Google search and produce solid results almost immediately?
I have. Research skills still apply in the modern world. His aggregation skills may indeed have been useful for terrorists.
That said, just telling reporters to not write articles on certain subjects is not the answer. The Government should make sure the needle is not in the haystack, instead of complaining to someone for printing a map of the haystack.
Reminds me of a reporter who asked, "So, why are there rules against the media taking photos of sensitive installations when anyone with a camera can rent a plane for $150 a day and do the same thing?"
The answer is illuminating: "Because if you do it, we don't have the chance to catch the enemy espionage agents doing it."
If American counterintelligence is not looking at server logs for such allegedly critical "sources and means" articles -- and far more importantly, the public Web sites for companies who do manufacture critical and/or classified equipment, then why do we bother with an information warfare capability at all?
Probably for the same reason that we park military vehicles and aircraft in neat lines . . . sheer laziness.
I am pleased that the reporter puts his life where his mouth is by doing ride-alongs with American soldiers. Certain colonels should consider doing the same.
The real problem is the military officer failing to do his job, not the reporter pointing it out.
Then, the higher level brass (all of them) take the same stance, that this is the reporter's fault!
So, why didn't they stop the reporter? Because they needed a scapegoat.
Here's a paragraph a couple paragraphs below Bruce's quote that sums up quite effectively why the self-censorship is foolish.
> After years of relatively small investments, the U.S. is spending several billion dollars of our public money to
> try to stop roadside bombs. 40 American soldiers are dying every month, because of these IEDs. The public
> has a right to know how that money is being spent, and how those soldiers are being protected. Period. And this
> attempt to demonize the media for handmade bombs is just a way to keep folks from asking why more wasn't
> done sooner to deal with the IED threat.
The point is that there's more to the situation than the battlefield. If we are living in a democracy, then the public has to be well-informed in order to steer the government. Without a truly free press reporting the facts, a democracy cannot function.
So, if he was an embedded journalist, why wasn't the military reviewing his material before it was published? That is certainly allowed, and has been in previous conflicts (censoring the battlefield reports.) His job is to report: theirs is to make sure he isn't saying things he shouldn't be.
As to this obsession over secrecy, sometimes I think the military (and society in general) have it all wrong. Sure, the baddies might be able to do the research, and might stumble across these articles. However, it is more likely that they will find out what we are doing by looking at how we react, than by reading/listening to our news media. You have empirical evidence to the contrary (e.g. the fact that we let it be known that we were tapping into OBL's satellite comms), but I think that is just empirical, and not something to draw general conclusions from.
If it's secret information, it should be classified. You can't have 'embedded' journalists, not vet their articles, and then hope to keep details of your army's operations out of the papers.
If anyone should be in trouble, it's whoever should have been scanning his articles for things that need to be classified.
@arl: On "where is the line", you also have to consider that the same people asking to keep quiet about this may very well be asking to keep quiet about an alleged protection that doesn't actually work. How do you tell the difference without open reporting?
I'm not advocating open reporting, just suggesting that without it, you have a very hard job of determining whether the information you receive is truthful or accurate.
"In other words, Al Qaeda hasn't discovered how to Google, yet. Don't help 'em out."
If the information this journalist gets is equivalent to researching on google, why does he bother putting his life at risk by traveling around Baghdad with a bomb squad?
If I was a person who defused IEDs, then I suspect I would be annoyed by someone making it easier for the people who want to kill me to succeed, even when they might have found the information in other sources with a little more research.
Fortunately for me (and I suspect, also for the people in the convoys) I do not. So I would say, while you are embedded with the troops watching this stuff happen, ask them what they think of your reporting it. Not the Generals or Colonels - the privates and sergeants who are liable to perforation with extreme prejudice. If they say no, then don't publish it. We back home don't need to know the specifics.
Free press unquestionably helps the enemy. It helps them learn what democracy is really about. It helps them on the road to not being our enemy.
If they see us limiting free press, they become disillusioned about the true nature of democracy. The Colonel and the Defense Department are in fact doing more harm in the war against the insurgents than the reporter is.
"If the information this journalist gets is equivalent to researching on google, why does he bother putting his life at risk by traveling around Baghdad with a bomb squad?"
My guess is that he doesn't get all his information on Google. I believe he writes about more than what he finds on Google, although it seems that the President complained about the stuff he found on Google.
"It doesn't hurt, does it, to ask some people to be tight lipped?"
It does hurt, though. Muzzling the press hurts a great deal.
"Honestly, having read the Wired article, I didn't think the article was giving much away."
Of course not. The whole point of this issue is to feed into the press-is-against-America myth.
@ bob: That's exactly right. The point is, the folks on the Baghdad Bomb Squad themselves seem to be perfectly happy to talk to Noah, so shouldn't that tell us something? In fact this is a particularly neat case, since here the reporter is getting his facts from the very people who are most qualified to judge what knowledge would be dangerous for the enemy to have - and have the most incentive to choose carefully what they say.
I have no military experience of my own, but it seems self-evident that when a colonel wants to keep sensitive operational information out of the press, he quietly censors it from embedded reports - and when he wants to flex some muscle and show some reporters who's boss, he vents and fumes and tongue-lashes some civilians.
It's appalling to see both the military and civil government failing to understand the concepts of security by obscurity, free press and, in the end, democracy. As Churchill quipped, the administration seems to be in the process of still exhausting all those things not to do...
Remember Richard Feynman, he demonstrated that the safes on the Manhattan project weren't secure, the memo went round saying "Keep Feynman away from your safe" rather than "Change the combination away from the default".
Military mentality and human nature hasn't changed much in 42 years, it took 6010 years come October 23rd to evolve this far. (Thanks to Bishop Ussher for the precision)
If the military doesn't want reporters doing their jobs, why do they get to ride along? Wouldn't the space on board a humvee or helicopter be better used by a soldier?
Somehow, I can't think the reporters can print their pictures and words without some oversight, so it sounds like this colonel is just offering his unsolicited opinion. But scary was his advice to "watch your step." With all the covering up this administration has been doing, it would be right in line to make a journalist's death appear to be an accident.
Bush would like the public to think the best defence of a democratic republic comes from the end of a gun. But wiser minds know that the best defence of a democratic republic comes from the end of a pen.
Where's the line? The line is exactly where the activity becomes illegal.
It's not a reporter's job to keep information secret, it's the military's job. If the reporter can find information legally, and that information needs to be kept secret, then it is the military which has failed and needs to change what it's doing, not the reporter. Expecting the media to do the government's job out of patriotism is just idiotic.
Oh, the Army just kills me. I mean if you want to talk about leakage and information mismanagement that undermined the US mission(s) in Iraq, perhaps we should start with the weak/nonexistent controls around actual ordnance after invasion (e.g. the primary source material for IEDs):
"The Pentagon admits that a breathtaking 250,000 tons of heavy ordnance (out of 650,000 tons total) -- aircraft bombs, artillery and tank shells, mines, rockets -- were allowed to be looted by our undermanned army in the four-30 weeks after the invasion. That's equivalent to 1 million 500-pound bombs. At 20 250-pound roadside mines or market closeouts a day, that's enough for 274 years of attacks."
Perhaps someday historians will debate why Rumsfeld wasn't removed from office after the first year or so of proving himself incompetent...even though he is a great source of quotes:
"I believe with every bone in my body that free people, exposed to sufficient information, will, over time, find their way to the right decisions."
Apologies for the long post, but I thought some more data might be interesting. For example, here's a whole presentation on how to defeat IEDs, given by (surprise) members of the US military:
"Threat Assessment, Tactics and Technologies Utilized in the Fight Against IED's"
Or perhaps you would prefer a webcast (event is yet to be scheduled) that suggests it will present "the latest technologies in the fight against Improvised Explosive Devices" as told by "Brigadier General Joseph L Votel, Director, Joint IED Defeat Task Force, US ARMY"
If the military is openly participating in and advertising these events to the public, how can you really blame the media for noticing? And that's not just any branch of the military, it's the "IED Defeat Task Force"...impressive creds, no?
Anyway, I noticed that Noah wrote in his article,
"After years of relatively small investments, the U.S. is spending several billion dollars of our public money to try to stop roadside bombs. 40 American soldiers are dying every month, because of these IEDs. The public has a right to know how that money is being spent, and how those soldiers are being protected. Period. And this attempt to demonize the media for handmade bombs is just a way to keep folks from asking why more wasn't done sooner to deal with the IED threat."
I agree. Although the IED crisis was emerging and more controllable at many stages along the way, the warning signs and calls for action in the field were apparently downplayed by the Pentagon until the significance was impossible to ignore. As with any major change, there was going to be some dislocation and a time lag before the new paradigm could be accepted. The traditional military obviously struggled with this obsolescence and "in the spring of 2004 nearly every attack from an improvised explosive device (IED) resulted in a Coalition casualty."
In particular, the Special Forces teams were adamant about farming and maintaining local intelligence networks in order to identify/convert resistance elements and eliminate the risk of IEDs -- they listened to the locals' concerns and therefore anticipated and understood the threats better. I've commented about this before but the fact is that for whatever reason SF recommendations were apparently totally dismissed by Rumsfeld who preferred instead to "modernize" through bloated technology contracts and stilted propaganda (talking instead of listening).
For what it's worth some other insightful SF recommendations/warnings were also ignored...take for example this field commentary from July 13th, 2005:
"Long before the war had started, many of the Special Forces soldiers stationed there told me of their certainty that Iraq would devolve into civil war after the invasion. Searching my memory now, I can’t recall a single Special Forces soldier who predicted otherwise; history has proven they were correct."
Hindsight's 20-20 but you just can't blame poor leadership skills and bad decision-making in the Pentagon on the press. The IED measure / countermeasure race is now by definition an incredibly expensive and embarrassing game of catch-up for the US military, mainly as a result of a security strategy gamble that simply did not reflect reality.
"Individual pieces of information, though possibly insignificant taken alone, when aggregated provide robust information about our capabilities and weaknesses."
If I had a dime for every time I heard that phrase, this is the catch-all for anything people in the government do not want told. Although it's true, individual pieces together that are not classified can become classified when pieced together. I understand both sides of the situation, but seriously, if you're concerned about a reporter seeing too much and then reporting on it, why on earth are you letting him ride with you?
"In other words, Al Qaeda hasn't discovered how to Google, yet. Don't help 'em out."
Send them to China.
Then we need not worry any longer.
Does President Bush really want a democracy with freedom of speech or just drab newspapers and TV channels that filter everything down to state and corporate propaganda?
On the topic of aggregations. I haven't seen the story about it, but I noticed Frsirt.com has closed their exploit section to the public citing problems with French law. I don't know if that is true. I am curious about that. Anyway, I am sad to see it is gone. I suppose now I will have to consider if it was worth a subscription. I don't know of another RSS feed like it. I am still looking.
IEDs are a real and nasty threat not only to military personnel but to civilians as well, next to land mines they are probably responsible for more "peace time" deaths and injuries than any other kind of designed weapon.
However IEDs come in lots of varieties ranging from hand detonated up to very sophisticated triggering devices. There is no universal solution to remotely triggered IEDs all you can do is block what you think is most likely.
Back in the 70's/80's there was an armed conflict going on in part of the UK (N.I.) the military patrols were issued with a 27MHz RC jammer/pre-detonator system, and RC equipment was prohibited from sale in the area as was nitro chalk fertiliser and a large number of other possible bomb making components such as aluminium dust and one or two cake making ingredients.
However a bomb was discovered and defused that did not involve radio but a simple optical system involving a couple of telescopes and a flash gun.
The point is that IED development and detection/defusing is a learning process for both sides as they evolve strategy and counter strategy. Often High Tec solutions can only combat High Tec threats, and are worse than useless against low tec threats in that they give a false sense of security.
The only practical way to deal with IED's is,
1, Good intel
2, Very random behaviour and very high manoeuvrability
3, Mark one eyeball in good condition
4, Experience and healthy paranoia
The last two can be augmented by active detection systems but at the end of the day should not be relied upon. After all it does not take overly much ingenuity to make a simple gun detonator and a long piece of fishing line to activate it.
Here's another reason to suspect this to be a smoke screen to draw attention away from the real problem -- that the US Government itself supplies technology to the bad guys: http://news.independent.co.uk/world/americas/...
Now is a good time to remind ourselves that the Iraqi insurgency is the most lavishly armed insurgency in history. Once the invasion of Iraq was complete, the coalition went hunting phantoms ('WMD') for most of a year, while the budding insurgency cleaned up all the arms and ammunition laying around. Armories were deliberately left unprotected, and when they were raided nobody was allowed to interfere. When the last of the munitions was safely stashed, the hunt for phantoms stopped.
The coalition troops getting maimed and killed by IEDs in Iraq should express their thanks to those who armed their enemies.
> Does President Bush really want a democracy with freedom of speech
> or just drab newspapers and TV channels that filter everything down to state
> and corporate propaganda?
Is this still open to debate ?
Sounds like the standard play on xenophobism (which sounds like racism to me) the current administration is very fond of using. The bad guys are not American (are Arabs) therefore they are too stupid to aggregate public information themselves, thus anyone doing so for them (and publishing it) is non-patriotic and an enemy of the state unless proved otherwise.
This reminds me of the time the Progressive magazine published an article on the "secret" of hydrogen bombs.
I was taking a seminar in law school at the time, and the professor was a member of the team working on behalf of the Progressive and/or the ACLU (opposing the government's attempt to stop publication). We spent at least one class session on the case. I told the professor I didn't think they had a chance of winning the case. Boy, was I wrong.
When the article came out, I found out one of the possible reasons I was so wrong. The big "secret"? Neutron reflectors. I was astonished that that was considered secret. (The last physics class I took was in high school, so it's not like I'm an expert on hydrogen bomb design.)
So why is it, exactly, that you have a blog? After all, most of the information that's in this blog is available by Google search. Clearly you don't add any value... not.
The reporter has experience, research skills, access to first-hand information, assessments from troops fighting the battles as well as their commanders. The reporter has information, and especially assessments, that are invaluable to the enemy.
I will remind you that during WWII this same dynamic played out many times: the public's right to know versus the free press. The US press didn't publish weather reports during WWII except for their local cities to deny spies the ability to predict weather in the Atlantic. Could the spies get it in local cities? Yes -- but a collection's value was greater than the sum of their parts.
And you know as well as I that a collection of information can have a different security stamp than single pieces of information.
This reminds me of the logic our Fearless Leader (President Bush) employed when he criticized the divulging of the NSA warrantless eavesdropping, saying that it aided "the enemy".
Look, either al-Qaeda et al. is dumber than dirt not to think that they weren't already being monitored (and hence their threat is overestimated), or al-Qaeda is wily enough that they would have long ago assumed that they're being tapped and employed countermeasures. So, rather than fix the mess of an unpopular war, Bush/Cheney (like Nixon/Agnew) blames the press.
Militarily, in Iraq, the U.S. has unwittingly honed the development of ad-hoc weapons (IEDs) that are permanently changing the face of low-intensity warfare. If the insurgents haven't already figured out ways around the new countermeasures, they will very soon, with or without anyone's help. Technological superiority is a fleeting advantage.
[[It's not a reporter's job to keep information secret, it's the military's job.]]
True enough. But restraint is part of the reporter's job. I'm not in the business myself, but my understanding is that reporters do run across information where the harm of publishing it outweighs the benefit. But I don't see that being the case here. I wonder if embarrassment rather than concern over security is at the root of the complaint here. (Though I see little to be embarrassed over either).
The colonel is right. These people are experts at pulling bits from a multitude of sources and reassembling a significant presentation of information. Every little bit of "harmless" news that leaks to the world is one small step for them. Reporters shouldn't be in the battlefield anyway, able to get this intimate knowledge first-hand. If you're going to be there, pick up a gun. Stop being a liability to our soldiers in the field, and an enemy to them on the home front.
"Reporters shouldn't be in the battlefield anyway, able to get this intimate knowledge first-hand."
The US Mil has had a strange relationship with reporters since WWII.
By and large all reporters are vetted in some way before they are allowed near a conflict zone, however they are only there because the military or their political masters want them there.
If a reporter makes an insecure report then the colonel should have asked further up the chain of command for the reporter to be pulled.
He either did not, or was overruled, either way he should not have made the comments he did in any kind of official capacity. What is not clear from the way the reporter phrased the article is if the colonel made the comments on or off the record.
The problem is not reporting the news or reporting your research. The problem is, as embedded media, you have access to data that isn't on Google. For this reason, among others, I disagree with embedded media. The reasons? Having to provide fuel that was once reserved for missions to embedded media (travelling with other units) because they failed to carry enough fuel. Loyalty--their loyalty is not to the men and women that are providing them security, fuel, food--their loyalty is to themselves and their profession. They are a security risk, as this blog highlights. Well, the article was printed regardless of the security concerns of the Soldiers, wasn't it? Somebody wrongly believed that embedded media would result in reporting with conscience; unfortunately, this decision was made by the same folks who told us there were WMD.
I suppose that's why we left our embedded media in Kuwait.