Information Warfare: Death by OPSEC

September 30, 2023: OPSEC (Operational Security) in Ukraine is more difficult to achieve because of widespread cell phone use. Ukraine has several advantages over the Russians in OPSEC. One is better control of cell phone misuse among its own troops while exploiting the misuse of cell phones by less-disciplined Russian troops. Tracking sloppy use of cell phones by enemy troops provides lots of useful information and the location of important targets, but this works both ways. The Russian troops have been sloppier and the Ukrainians have taken advantage of that. Ukrainian troops are more disciplined in using cell phones, but mistakes are still made. Fortunately, the Russians are not as effective at detecting and exploiting Ukrainian troops misusing their phones, or as diligent in getting Russian personnel to avoid those fatal errors.

Some countries are very effective at achieving cell phone OPSEC. Even so, mistakes still happen. For example, in 2022 Israel revealed that it had suffered another OPSEC failure following an investigation into who leaked details of the Israeli war on Iranian maritime smuggling. That leak occurred before the attack on an Iranian smuggling operation was to take place and forced the mission to be called off. The leak came from one of the 1,200 military personnel who knew about the operation. Only 450 of them had signed the confidentiality agreement that everyone with knowledge of these operations was required to sign. Those who sign the agreement are told that violating it is a criminal offense because leaks endanger the lives of Israelis. Western nations, especially Israel and the United States, have long had problems with OPSEC failure. In Israel a lot of reserve soldiers are regularly called up for a few months of active duty and often have a hard time adapting to the OPSEC rules. This got a lot worse in 2007 with the appearance of advanced cell phones in the form of the iPhone. The iPhone made existing cell phones obsolete and other phone manufacturers soon adopted the new features of the iPhone. The iPhone and similar cheaper phones were enormously popular. Smartphone OPSEC problems soon developed and have proved impossible to completely suppress.

A good example of the problem is the situation in Israel, where military reservists called to active duty often took their cell phones with them and made videos while on duty for friends and family back home, or to post on social media. They did this at home afterwards as well as while on active duty. Israeli security officials became aware of this when they found that Palestinian and other Islamic terror groups were using this to plan operations to develop anti-Israel propaganda. Israel let the reservists, and Israeli military personnel in general, know how serious this problem was and told the troops to leave their cell phones at home or someplace where the geolocation features of the cell phones could not be used by enemy groups. Islamic terrorists in general have a worse problem with members using their cell phones in ways that reveal their location and operations. Many successful counter-terrorism operations are the result of exploiting poor cell phone OPSEC by the terrorists.

Most armed forces have this problem and some are more successful at dealing with it than others. An example of this can currently be seen in Ukraine, where the Ukrainians have much better cell phone OPSEC than their Russian adversaries, which is one reason why the Russians have suffered much higher losses than the Ukrainians. Another reason is that personal cell phones are often the only communications that Russian infantry have.

It’s not just cell phones. Over a decade ago an NSA (National Security Agency) employee conducting an unclassified briefing on NSA activities let slip that the NSA had found a way to listen in on Islamic terrorist phone calls and halt attacks. The capability was top secret, but not after the NSA briefer screwed up.

An earlier example occurred in 2018 when the U.S. Department of Defense banned all personnel in “operational areas”, especially overseas combat zones, from using commercial devices with geolocation capability (GPS). This included cell phones and PSMs (Physiological Status Monitors) like Fitbit. What triggered this was the discovery that a social network for athletes called Strava had developed software that enabled anyone to track users wearing a Fitbit or other GPS-enabled PSMs. Dedicated, often professional, athletes joined Strava to exchange PSM information and that led to Strava developing features that made user locations visible worldwide. It turned out that intelligence agencies had discovered Strava as well and reported that they could not only detect PSM users anywhere in the world, but could often identify these users by name. It also turned out that many intelligence and military personnel used their Fitbits while overseas, often on secret missions. From January to July 2018 the extent and implications of this became quite clear. The intel agencies quickly (and quietly) ordered their personnel overseas, and often at home as well, to stop using PSMs that made their data accessible to public networks, even ones that were not open to the public. These could be hacked. Now there is a market for “secure” (encrypted) PSMs for military and intelligence personnel. OPSEC will always be with us and those who are better at it tend to win.