Page 1 of 2
Interesting research:
After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that “insurgents pretty much seemed to be following a progress curve—or a learning curve—that’s very common in the manufacturing literature,” says physicist Neil Johnson of the University of Miami in Florida and lead author of the study.
Paper here.
Rare common sense:
But Gen Richards told the BBC it was not possible to defeat the Taliban or al-Qaeda militarily.
“You can’t. We’ve all said this. David Petraeus has said it, I’ve said it.
“The trick is the balance of things that you’re doing and I say that the military are just about, you know, there.
“The biggest problem’s been ensuring that the governance and all the development side can keep up with it within a time frame and these things take generations sometimes within a time frame that is acceptable to domestic, public and political opinion,” he said.
[…]
Shadow defence secretary Jim Murphy told the BBC Gen Richards was “right” that there was no purely military solution and said there would be “no white flag surrender moment”.
“This is a complicated issue. It will be for the long haul. It’s got to do with history.
“But I think he’s right to talk about the different ways that this has got to be taken on – militarily yes but diplomatically and in a peaceful sense of nation building in Afghanistan is also important,” he said.
Now this is an interesting development:
In the wake of strong U.S. government statements condemning WikiLeaks’ recent publishing of 77,000 Afghan War documents, the secret-spilling site has posted a mysterious encrypted file labeled “insurance.”
The huge file, posted on the Afghan War page at the WikiLeaks site, is 1.4 GB and is encrypted with AES256. The file’s size dwarfs the size of all the other files on the page combined. The file has also been posted on a torrent download site.
It’s either 1.4 Gig of embarrassing secret documents, or 1.4 Gig of random data bluffing. There’s no way to know.
If WikiLeaks wanted to prove that their “insurance” was the real thing, they should have done this:
That would be convincing.
In any case, some of the details might be wrong. The file might not be encrypted with AES256. It might be Blowfish. It might be OpenSSL. It might be something else. Some more info here.
EDITED TO ADD (8/9): Weird Iranian paranoia:
An Iranian IT expert warned here on Wednesday that a mysterious download file posted by the WikiLeaks website, labeled as ‘Insurance’, is likely a spy software used for identifying the information centers of the United States’ foes.
“The mysterious file of the WikiLeaks might be a trap for intelligence gathering,” Hossein Mohammadi told FNA on Wednesday.
The expert added that the file will attract US opponents and Washington experts can identify their enemy centers by monitoring individuals’ or organizations’ tendency and enthusiasm for the file.
Long and interesting article from The Toronto Star on the Toronto 18, a terrorist cell arrested in 2006. Lots of stuff in this article I had not read before.
The Atlantic on stupid terrorists:
Nowhere is the gap between sinister stereotype and ridiculous reality more apparent than in Afghanistan, where it’s fair to say that the Taliban employ the world’s worst suicide bombers: one in two manages to kill only himself. And this success rate hasn’t improved at all in the five years they’ve been using suicide bombers, despite the experience of hundreds of attacks—or attempted attacks. In Afghanistan, as in many cultures, a manly embrace is a time-honored tradition for warriors before they go off to face death. Thus, many suicide bombers never even make it out of their training camp or safe house, as the pressure from these group hugs triggers the explosives in suicide vests. According to several sources at the United Nations, as many as six would-be suicide bombers died last July after one such embrace in Paktika.
Many Taliban operatives are just as clumsy when suicide is not part of the plan. In November 2009, several Talibs transporting an improvised explosive device were killed when it went off unexpectedly. The blast also took out the insurgents’ shadow governor in the province of Balkh.
When terrorists do execute an attack, or come close, they often have security failures to thank, rather than their own expertise. Consider Umar Farouk Abdulmutallab—the Nigerian “Jockstrap Jihadist” who boarded a Detroit-bound jet in Amsterdam with a suicidal plan in his head and some explosives in his underwear. Although the media colored the incident as a sophisticated al-Qaeda plot, Abdulmutallab showed no great skill or cunning, and simple safeguards should have kept him off the plane in the first place. He was, after all, traveling without luggage, on a one-way ticket that he purchased with cash. All of this while being on a U.S. government watch list.
Fortunately, Abdulmutallab, a college-educated engineer, failed to detonate his underpants. A few months later another college grad, Faisal Shahzad, is alleged to have crudely rigged an SUV to blow up in Times Square. That plan fizzled and he was quickly captured, despite the fact that he was reportedly trained in a terrorist boot camp in Pakistan. Indeed, though many of the terrorists who strike in the West are well educated, their plots fail because they lack operational know-how. On June 30, 2007, two men—one a medical doctor, the other studying for his Ph.D.—attempted a brazen attack on Glasgow Airport. Their education did them little good. Planning to crash their propane-and-petrol-laden Jeep Cherokee into an airport terminal, the men instead steered the SUV, with flames spurting out its windows, into a security barrier. The fiery crash destroyed only the Jeep, and both men were easily apprehended; the driver later died from his injuries. (The day before, the same men had rigged two cars to blow up near a London nightclub. That plan was thwarted when one car was spotted by paramedics and the other, parked illegally, was removed by a tow truck. As a bonus for investigators, the would-be bombers’ cell phones, loaded with the phone numbers of possible accomplices, were salvaged from the cars.)
Reminds me of my own “Portrait of the Modern Terrorist as an Idiot.”
Sometimes mediocre encryption is better than strong encryption, and sometimes no encryption is better still.
The Wall Street Journal reported this week that Iraqi, and possibly also Afghan, militants are using commercial software to eavesdrop on U.S. Predators, other unmanned aerial vehicles, or UAVs, and even piloted planes. The systems weren’t “hacked”—the insurgents can’t control them—but because the downlink is unencrypted, they can watch the same video stream as the coalition troops on the ground.
The naive reaction is to ridicule the military. Encryption is so easy that HDTVs do it—just a software routine and you’re done—and the Pentagon has known about this flaw since Bosnia in the 1990s. But encrypting the data is the easiest part; key management is the hard part. Each UAV needs to share a key with the ground station. These keys have to be produced, guarded, transported, used and then destroyed. And the equipment, both the Predators and the ground terminals, needs to be classified and controlled, and all the users need security clearance.
The command and control channel is, and always has been, encrypted—because that’s both more important and easier to manage. UAVs are flown by airmen sitting at comfortable desks on U.S. military bases, where key management is simpler. But the video feed is different. It needs to be available to all sorts of people, of varying nationalities and security clearances, on a variety of field terminals, in a variety of geographical areas, in all sorts of conditions—with everything constantly changing. Key management in this environment would be a nightmare.
Additionally, how valuable is this video downlink is to the enemy? The primary fear seems to be that the militants watch the video, notice their compound being surveilled and flee before the missiles hit. Or notice a bunch of Marines walking through a recognizable area and attack them. This might make a great movie scene, but it’s not very realistic. Without context, and just by peeking at random video streams, the risk caused by eavesdropping is low.
Contrast this with the additional risks if you encrypt: A soldier in the field doesn’t have access to the real-time video because of a key management failure; a UAV can’t be quickly deployed to a new area because the keys aren’t in place; we can’t share the video information with our allies because we can’t give them the keys; most soldiers can’t use this technology because they don’t have the right clearances. Given this risk analysis, not encrypting the video is almost certainly the right decision.
There is another option, though. During the Cold War, the NSA’s primary adversary was Soviet intelligence, and it developed its crypto solutions accordingly. Even though that level of security makes no sense in Bosnia, and certainly not in Iraq and Afghanistan, it is what the NSA had to offer. If you encrypt, they said, you have to do it “right.”
The problem is, the world has changed. Today’s insurgent adversaries don’t have KGB-level intelligence gathering or cryptanalytic capabilities. At the same time, computer and network data gathering has become much cheaper and easier, so they have technical capabilities the Soviets could only dream of. Defending against these sorts of adversaries doesn’t require military-grade encryption only where it counts; it requires commercial-grade encryption everywhere possible.
This sort of solution would require the NSA to develop a whole new level of lightweight commercial-grade security systems for military applications—not just office-data “Sensitive but Unclassified” or “For Official Use Only” classifications. It would require the NSA to allow keys to be handed to uncleared UAV operators, and perhaps read over insecure phone lines and stored in people’s back pockets. It would require the sort of ad hoc key management systems you find in internet protocols, or in DRM systems. It wouldn’t be anywhere near perfect, but it would be more commensurate with the actual threats.
And it would help defend against a completely different threat facing the Pentagon: The PR threat. Regardless of whether the people responsible made the right security decision when they rushed the Predator into production, or when they convinced themselves that local adversaries wouldn’t know how to exploit it, or when they forgot to update their Bosnia-era threat analysis to account for advances in technology, the story is now being played out in the press. The Pentagon is getting beaten up because it’s not protecting against the threat—because it’s easy to make a sound bite where the threat sounds really dire. And now it has to defend against the perceived threat to the troops, regardless of whether the defense actually protects the troops or not. Reminds me of the TSA, actually.
So the military is now committed to encrypting the video … eventually. The next generation Predators, called Reapers—Who names this stuff? Second-grade boys?—will have the same weakness. Maybe we’ll have encrypted video by 2010, or 2014, but I don’t think that’s even remotely possible unless the NSA relaxes its key management and classification requirements and embraces a lightweight, less secure encryption solution for these sorts of situations. The real failure here is the failure of the Cold War security model to deal with today’s threats.
This essay originally appeared on Wired.com.
EDITED TO ADD (12/24): Good article from The New Yorker on the uses—and politics—of these UAVs.
EDITED TO ADD (12/30): Error corrected—”uncleared UAV operators” should have read “uncleared UAV viewers.” The point is that the operators in the U.S. are cleared and their communications are encrypted, but the viewers in Asia are uncleared and the data is unencrypted.
Good essay on “terrorist havens”—like Afghanistan—and why they’re not as big a worry as some maintain:
Rationales for maintaining the counterinsurgency in Afghanistan are varied and complex, but they all center on one key tenet: that Afghanistan must not be allowed to again become a haven for terrorist groups, especially al-Qaeda.
[…]
The debate has largely overlooked a more basic question: How important to terrorist groups is any physical haven? More to the point: How much does a haven affect the danger of terrorist attacks against U.S. interests, especially the U.S. homeland? The answer to the second question is: not nearly as much as unstated assumptions underlying the current debate seem to suppose. When a group has a haven, it will use it for such purposes as basic training of recruits. But the operations most important to future terrorist attacks do not need such a home, and few recruits are required for even very deadly terrorism. Consider: The preparations most important to the Sept. 11, 2001, attacks took place not in training camps in Afghanistan but, rather, in apartments in Germany, hotel rooms in Spain and flight schools in the United States.
In the past couple of decades, international terrorist groups have thrived by exploiting globalization and information technology, which has lessened their dependence on physical havens.
By utilizing networks such as the Internet, terrorists’ organizations have become more network-like, not beholden to any one headquarters. A significant jihadist terrorist threat to the United States persists, but that does not mean it will consist of attacks instigated and commanded from a South Asian haven, or that it will require a haven at all. Al-Qaeda’s role in that threat is now less one of commander than of ideological lodestar, and for that role a haven is almost meaningless.
Oops:
Wikileaks has cracked the encryption to a key document relating to the war in Afghanistan. The document, titled “NATO in Afghanistan: Master Narrative”, details the “story” NATO representatives are to give to, and to avoid giving to, journalists.
An unrelated leaked photo from the war: a US soldier poses with a dead Afghani man in the hills of Afghanistan
The encrypted document, which is dated October 6, and believed to be current, can be found on the Pentagon Central Command (CENTCOM) website.
Really interesting article on snipers:
It might be because there’s another side to snipers and sniping after all. In particular, even though a sniper will often be personally responsible for huge numbers of deaths—body counts in the hundreds for an individual shooter are far from unheard of—as a class snipers kill relatively few people compared to the effects they achieve. Furthermore, when a sniper kills someone, it is almost always a person they meant to kill, not just someone standing around in the wrong place and time. These are not things that most branches of the military can say.
But, for a well-trained military sniper at least, “collateral damage”—the accidental killing and injuring of bystanders and unintended targets—is almost nonexistent. Mistakes do occur, but compared to a platoon of regular soldiers armed with automatic weapons, rockets, grenades etc a sniper is delicacy itself. Compared to crew-served and vehicle weapons, artillery, tanks, air support or missile strikes, a sniper is not just surgically precise but almost magically so. Yet he (or sometimes she) is reviled as the next thing to a murderer, while the mainstream mass slaughter people are seen as relatively normal.
Consider the team who put a strike jet into the air: a couple of aircrew, technicians, armourers, planners, their supporting cooks and medics and security and supply people. Perhaps fifty or sixty people, then, who together send up a plane which can deliver a huge load of bombs at least twice a day. Almost every week in Afghanistan and Iraq right now, such bombs are dropped. The nature of heavy ordnance being what it is, these bombs kill and maim not just their targets (assuming there is a correctly-located target) but everyone else around. Civilian deaths in air strikes are becoming a massive issue for NATO and coalition troops in Afghanistan.
Those sixty people, in a busy week, could easily put hundreds of tons of munitions into a battlefield—an amount of destructive power approaching that of a small nuclear weapon. This kind of firepower can and will kill many times more people than sixty snipers could in the same time span – and many of the dead will typically be innocent bystanders, often including children and the elderly. Such things are happening, on longer timescales, as this article is written. Furthermore, all these bomber people—even the aircrew—run significantly less personal risk than snipers do.
But nobody thinks of a bomb armourer, or a “fighter” pilot”, or a base cook as a cowardly assassin. Their efforts are at least as deadly per capita, they run less personal risks, but they’re just doing their jobs. And let’s not forget everyone else: artillerymen, tank crews, machine gunners. Nobody particularly loathes them, or considers them cowardly assassins.
I generally avoid commenting on election politics—that’s not what this blog is about—but this comment by Barack Obama is worth discussing:
[Q] I have been collecting accounts of your meeting with David Petraeus in Baghdad. And you had [inaudible] after he had made a really strong pitch [inaudible] for maximum flexibility. A lot of politicians at that moment would have said [inaudible] but from what I hear, you pushed back.
[BO] I did. I remember the conversation, pretty precisely. He made the case for maximum flexibility and I said you know what if I were in your shoes I would be making the exact same argument because your job right now is to succeed in Iraq on as favorable terms as we can get. My job as a potential commander in chief is to view your counsel and your interests through the prism of our overall national security which includes what is happening in Afghanistan, which includes the costs to our image in the middle east, to the continued occupation, which includes the financial costs of our occupation, which includes what it is doing to our military. So I said look, I described in my mind at list an analogous situation where I am sure he has to deal with situations where the commanding officer in [inaudible] says I need more troops here now because I really think I can make progress doing x y and z. That commanding officer is doing his job in Ramadi, but Petraeus’s job is to step back and see how does it impact Iraq as a whole. My argument was I have got to do the same thing here. And based on my strong assessment particularly having just come from Afghanistan were going to have to make a different decision. But the point is that hopefully I communicated to the press my complete respect and gratitude to him and Proder who was in the meeting for their outstanding work. Our differences don’t necessarily derive from differences in sort of, or my differences with him don’t derive from tactical objections to his approach. But rather from a strategic framework that is trying to take into account the challenges to our national security and the fact that we’ve got finite resources.
I have made this general point again and again—about airline security, about terrorism, about a lot of things—that the person in charge of the security system can’t be the person who decides what resources to devote to that security system. The analogy I like to use is a company: the VP of marketing wants all the money for marketing, the VP of engineering wants all the money for engineering, and so on; and the CEO has to balance all of those needs and do what’s right for the company. So of course the TSA wants to spend all this money on new airplane security systems; that’s their job. Someone above the TSA has to balance the risks to airlines with the other risks our country faces and allocate budget accordingly. Security is a trade-off, and that trade-off has to be made by someone with responsibility over all aspects of that trade-off.
I don’t think I’ve ever heard a politician make this point so explicitly.
EDITED TO ADD (10/27): This is a security blog, not a political blog. As such, I have deleted all political comments below—on both sides.. You are welcome to discuss this notion of security trade-offs and the appropriate level to make them, but not the election or the candidates.
Sidebar photo of Bruce Schneier by Joe MacInnis.