This post arises from a brief discussion on Twitter recently of a comment by Jock Bruce that 'If amateurs talk tactics, and professionals talk logistics, then intelligencers talk comms' to which I answered 'Part of agreeing with @jock_bruce here is a belief that environmental awareness is an essential precursor for Sigint, and that all is a waste of time without adequate Sigint Comms from intercept site to HQ. Sigint is about the whole of Comms.' This post addresses environmental knowledge, the first part of my reply.
Everything below refers to Sigint as practised in the Second World and Cold Wars. This is mainly because it's simpler and easier to explain and understand, but also because none of it is in any way classified. The principles are as true today as they always have been, but I don't intend to explain how they have been adapted in the digital era. How does an Analyst Catch a Terrorist? might give you a start if you are interested. Also, and for the record, no Danes were harmed in the production of this blog post, and the memory of regular attendance at a NATO committee whose Chair, a (retired) Danish Army officer, offered a shot of Gammaldansk to all attendees at 8.00 each morning the committee met, has always drawn me to an idea that Denmark's marauding past might be a lot nearer to the surface than people think.
Let us imagine that the UK and Denmark have become bitter enemies and that the threat of armed conflict is no longer a matter of fantasy. GCHQ's Director goes to a series of meetings in Whitehall and is told that GCHQ must start producing intelligence on the Danish military to assess the level of threat posed to the UK. He gets back to Cheltenham and finds that GCHQ has never really targeted Denmark: there are a few diplomatic and Comintern reports, as well as a bit of Venona, but nothing since the early 1940s, and nothing of significance ever. So what does it do?
We know that the Danish armed forces will be highly structured and that there will be a radio communications system that closely mirrors the command structure, and therefore the order of battle, of the Danish military. We know that there will be formal processes for transmitting orders from higher to lower levels in the hierarchy and for these orders to be acknowledged, as well as for other information to be exchanged. We know that these processes will be highly structured. We know this because military communications are pretty well standardised. There is a best way of using the electromagnetic spectrum to support military activity and this was discovered and developed in the first half of the twentieth century in much the same way by everybody.
So
GCHQ's first stop is Defence Intelligence to ask what it knows about the Danish
armed forces. Through the Defence Attaché in Copenhagen they will have at least
a top level understanding of the structure of the Danish military. It is likely
that they will quickly be able to come up with a diagram like this from open
source (NB not Osint – more on this later):
I will stick to the Danish Army from now on, but developing intelligence on the other two arms of service will happen in the same way.
This
is the first concrete information GCHQ has about the organisation of the Danish
Army and is of great importance because we can predict from the order of battle
how different elements of the Danish Army will communicate with each other. For
example, there will be a top level Command network linking Army Command, 1 Bde
and 2 Bde. It may well include each of the regiments listed on the Orbat (plus
or minus the Guards units: are they purely ceremonial or do they have war
roles?) depending on how the military is structured to transition from
peacetime to war. Defence Intelligence will be developing its understanding of
how the rectangles on the Orbat diagram translate into working relationships
with the Danish Army and there will be an ongoing dialogue between DI and GCHQ
over this. There will of course be a host of subordinate units: each regiment
is likely to have battalions, and each battalion companies: but how many, and
where, and what comms structures support them?
GCHQ's collection sites will have been tasked to look for Danish military comms. This is like looking for needles in a haystack, but search specialists have a range of skills and tools which make this less frightening that it might seem to the layman. Direction Finding (DF), for example, makes it easy to say that various unidentified comms aren't from Denmark, as well as giving more or less confidence that other comms are. Linguists will be preparing working aids to teach operators basic differences between Danish, Norwegian and Swedish, so that operator chat can be made use of.
Typically at each level of the hierarchy, from the top level Command network described above, to brigade or regimental networks, the search specialists will be looking for patterns: a Control station calls up subscriber stations to its network at fixed times (say morning and late afternoon) one by one. They acknowledge the call up. Control then says which stations it has messages for, and the subscribers say whether they have messages for Control. Some of the messages in both directions will be relays: for example Control asks the subscriber to forward the message to a subordinate subscriber on a subordinate network or the message might be travelling upwards.
But who is who is not very clear: each entity will have a callsign by which it is identified, and it is highly likely that the callsign will be encrypted and so will change every day. Networks at each level of the hierarchy will work in the same way, so it won't be immediately obvious whether an operator is listening to a top level or a low level. Operator chat will give clues; DF will help; analysis of the messages being relayed to see how many levels of hierarchy they pass through; information from allies will give other clues. You will notice that the content of messages doesn't need to be decrypted for this activity to be carried out. Decryption is a very-nice-to-have short cut, but most of this traffic analysis needs to be done anyway. Hopefully, after a few months, a reasonably clear idea of how the Danish Army communicates will have been developed.
But this is no more than a snapshot. Periodically, each network will change the frequencies it works on and its callsign systems. It will have different procedures for use in wartime, procedures which may or may not be the same as the procedures it uses when the units with which each subscriber is linked deploy on exercise.
But the Danish Army has been brought to the same position as the military forces of countries which GCHQ has been monitoring to 'maintain continuity'. There is an art in making sure that the minimum amount of collection resource (because nobody has ever been able to collect everything) can be applied to making sure that the maximum amount of information about the comms structures of potential targets will be produced. For example, a fortnightly check on the comms structure of a logistics battalion in northern Jutland may be enough to reassure you that nothing has changed; a monthly DF check that the callsign associated with a Headquarters element in a bunkered command post is still in situ may be enough for reassurance, but the frequency with which these checks take place has to be adequate to give adequate notice if there is any change.
The key aim of 'maintaining continuity' is ensuring that regular patterns are known and understood. No country can afford to keep its military on high alert for long, and certainly can't keep it on any sort of alert level for ever. Units have to be rotated between more or less forward roles, have to be reskilled to take on new responsibilities, have to be adapted to new roles, as well as having to respond to random events like weather, but these are all more or less predictable, and the manner in which units adapt, as seen from their comms, can give the clue to how they might adapt to future conditions: to war.
So after a few months we have a good handle on the Danish Army. We know what normality looks like. We know what it looks like when it changes its alert level. We know how its comms are likely to change when readiness levels change. We are confident that if they are ordered to war stations, we will be aware and will be able to report it, and to follow them as their comms move to wartime modes.
But none of this is intelligence. We have developed all of the sources of information available to us to be able to keep a handle on how the Danish Army is communicating. But it is only when we take that information and extrapolate from it, for example to say that a major comms change is a regular occurrence rather than an indicator that the Army is preparing for its war role, that we are producing intelligence.
I said above that the organogram showing the high level Danish Army Orbat wasn't intelligence: it's information. It assembles readily available data into readily usable information, but it doesn't answer what for a Sigint organisation – as well as the subsequent all source assessment that Sigint feeds into – is the key question: 'so what?' The same question applies to Osint: yes, finding the data and assembling it into information is important, but the 'intelligence' part of Osint should mean that it explains how the information illuminates what the target's intentions and realistic capabilities are.
All of this is environmental knowledge. Until this level of knowledge has been built up, a Sigint organisation can't begin to produce intelligence. It has to expend significant resource to maintain the environmental information that enables it to turn into an intelligence producer when a target turns active, and is no longer just watched on a 'care and maintenance' basis. And if it has been difficult and complicated with a nation state's military forces, how much more difficult is it with an individual with a telephone? And if state interception of HF signals in free space where users had 'no expectation of privacy' was once unconstrained by the law, as the state (in the UK at least) 'owned' the way in which the electromagnetic spectrum was used, how much more complex is it today to navigate all of the necessary oversight and legislative constraints to obtain and retain information which might never be used?
I suppose that what I want you to go away with is that Sigint is a much more complicated business than you might have thought, and certainly isn't about intercepting and listening to every telephone conversation between London and Washington. The art and science of Sigint happens a lot further back than the point at which intelligence reports are produced, much as a military force's achieving significant effect on the battlefield owes almost everything to what had happened in the background, over a long period of time.
No comments:
Post a Comment