OPSEC, the OOBs and the Myopic Mis-Focus of Security Personnel
By DJ Elliott, IS1(SW), USN(Ret)
What is wrong with this photo's caption? U.S. Army Soldiers move to the UH-60 Black Hawk after searching the area for items of interest during an aerial response force mission, Iraq, March 31. Soldiers are assigned to the 1st Platoon, Alpha Company, 2nd Battalion, 35th Infantry Regiment, Schofield Barracks, Hawaii. U.S. Air Force photo by Master Sgt. Andy Dunaway. [Link]
Most people do not realize that Chris and I were bouncing Order of Battle [OOB] data between each other for a year before the OOBs were finally published. I started my collection of data as a hobby to see just what the real status of the Iraqi Security Forces was since the published press reports were far off base and contradictory in their own stories. My principle motivations for my involvement in publishing these OOBs are somewhat contradictory. First, I wanted to get the principle operational security [OPSEC] violators to tighten their OPSEC. Second, I want to further an understanding of the development of the Iraqi Security Forces and the Baghdad Security Plan. As a retired intelligence analyst, I could not believe that the Public Affairs Officers [PAOs] and Commanders were releasing this much operational data in a time of war.
Since we started to publish the Iraqi Security Forces OOB and the Baghdad OOB, Bill has received the occasional complaint about the reports being a violation of OPSEC. The complainers continually miss the point.
The Order of Battles we have published are not OPSEC violations, they are reports of OPSEC violations. All of the data contained within the OOBs is available with a simple word search on the Internet and any intelligence operation worthy of its name already has the data in far greater detail than what we publish in these OOBs. Most of the information used to compile the OOB comes from the PAOs and senior officer briefs. By far, these are the source of the greatest OPSEC violations in this war.
Also since we started publishing these OOBs, the reported unit IDs have dropped by more than half. Some of the previous OPSEC violators have either rethought what they were doing or been "counseled". Good. The harder it is for the OOB to be updated the better I feel.
The worst OPSEC violator in the senior staffs is the Pentagon. I get more advance notice from a Pentagon Press Brief of US movements from Kuwait into Iraq than I get from all other sources combined. The Pentagon acts as if it is not at war, and the leaks emanating from Arlington are enormous.
The following are the in-theater organizations and their level of OPSEC for Iraq from the perspective of an open-source OOB researcher/writer:
· 10. Multinational Division-North: Shoot your Air Force photographers as enemy spies. [Statement retracted. See comment posted May 9, 2007 3:26PM.] Their captions include names, platoon level unit IDs and activities, and are released within 24-48 hours of event. OPSEC is improving and is quite good in Ninawa but, Saladin/Tirkrit/Diyala is shaky.
· 9. Multinational Division-Central: Before they even stood up I knew which Brigades were officially in their command and what area they were getting. Since then the Commanding General has told the press that 2nd Brigade Combat Team, 3rd Infantry Division, and 3rd Combat Aviation Brigade are also joining them, I have their full OOB and the units are not even all there yet. The elements of 6th Iraqi Army Division in their area get ID'd all the time, however the security on unit IDs of 8th Iraqi Army Division is maintained.
· 8. Multinational Division-Baghdad: The OPSEC was poor in the past, but it has improved over last three months. There is no reason to advertise unit IDs below brigade. Giving a press release that says which Company is in which Combat Outpost in which District of Baghdad is doing the enemy intelligence's job for them.
· 7. Multinational Force-West: The Marines in Anbar are so closed mouth on Iraqi Security Forces unit IDs and locations that they might not be there. They are not so closed mouth about their own and their commanders like to expound a bit too much in their end-of-tour briefs. There is no reason to provide a battalion level location and ID of every formation in your Area of responsibility. The brigade manning percentages by brigade of the Iraqi Army is also not a good thing to advertise.
· 6. Training Teams: The teams in the field are good at talking about the Iraqi Security Forces without giving specific IDs but, the Team IDs give away which Iraqi Security Forces battalion/brigade/division they are assigned. The lack of reporting of locations and DBE battalion IDs from the BTTs put them at the Korean scale of "most closed mouth". Most of the data comes from their bosses' briefs and not from the teams.
· 5. Multinational Division-South East: The Brits have years of experience in talking around a subject and it shows. The occasional mention of Iraqi Army battalions activity is rare and usually after that data is already in press by other sources. However, their own forces OOB and locations are completely open.
· 4. Multinational Division-Central South: The Polish lead force occasionally provides unit IDs and locations but, normally well after the fact of the operation. Even then they tend to report Iraqi Security Forces at brigade level and not disclose the specific. My biggest source for data in this AOR is US PAOs when US units are assisting or US senior officers are visiting.
· 3. Military Bloggers: Despite the worries by the hierarchy, I have seen only five valid OPSEC violations in two years from Military Bloggers concerning ISF/Coalition forces (only 1 in the last year). MilBloggers tend to lose unit IDs and details in their writings in a way that PAOs should study and learn from.
· 2. Special Operations Forces: We have SOF? All joking aside their security is good and the Iraqi Security Forces is following their lead, except they do acknowledge that I SOF conducts operations now.
· 1. Multinational Division-North East/Zaytun Division (Republic of Korea Army): The best in-theater OPSEC. Period. The only thing I see from their AOR is what new project or jobs training is ongoing. Unit identification of coalition/Iraqi Security Forces below Division does not get released by the Koreans. I get my data on Iraqi Security Forces in that area from US PAO releases and briefs.
Look at that list again. Despite the misfocus of the OPSEC Czars in the Army [Army OPSEC Reg], the Milblogs are comparable to SOF in the quality of their OPSEC. The troops and their families are not the problem. That is probably because they are the ones most personally affected by the results of a violation. The senior officers in their briefs and PAOs in their press releases are the ones that tend to brag on their unit(s). They provide a level of detail that is unnecessary and only useful to an intel collector. I know that they are proud of their troops and want to get their story out but, think about their lives before you speak. The following are the major sources of OOB data:
· Photo Captions: There is no real reason for identifying a military unit below Brigade level in photo captions (I see Company and Platoon IDs all the time). If you wish to provide that level of unit ID, those photos of operations should have a one week delay so as not to tell the enemy where and what is next.
· Press Releases: The job of a PAO is to advertise their command. The trick is to do so without providing the enemy useful or current data. The Brigade areas of operation are already common knowledge so, use the words: "Elements of ___ Brigade conducted ____" in near real-time press releases. Giving out Platoon/Company/Battalion IDs is only useful to an intelligence collector. Most of the major media do not know the meaning of those subordinate unit IDs anyway and will drop them in editing rather than admit their ignorance. However, your press release, with all of that detail, will still show up in a simple search of the Internet long afterwards for any intel collector to exploit. One more piece of the enemy's OPINTEL puzzle.
· Commander's Briefs and Pentagon Briefs: Good commanders are proud of their troops, they want to get their story out, they want to brag on them. I know you want to praise your troops but, the bragging of what your Battalions are are doing (and where) to the press also tells the enemy. The press almost never uses that level of detail and those transcripts/video are available for review by anyone with an Internet connection. Keep your briefs at Brigade level IDs and do not specify locations. If you wish to give that level of detail, wait at least one week after completion of the operation. Never give future/current plans, unit assignments or areas of focus out unless you are performing OPDEC.
· Unclassified Reports to Congress. Why are an allied country's security forces detailed to the extent of the planned locations of the new forming SOF Companies? Our own force appraisals at this level are SECRET/TOP SECRET in peacetime and we are releasing our appraisal of an allied country's security forces capabilities and plans to the world in wartime. Fortunately, the reports from State are so inaccurate as to be OPDEC [operational deception].
The PAOs job is to advertise their unit and a good commander will want to give recognition to his troops. They both need to temper the level of detail or their unit/troops will suffer the consequences. The troops understand that well and have consistently been more cautious than their commanders in their statements and blogs. It is up to the senior officers and PAO bureaucracy to remind themselves that this is not peacetime and to punish their own violators. If the real leaks are not plugged, we will have no real OPSEC and the enemy will continue to reap the intel advantage.
(DJ Elliott is a retired US Navy Intelligence Specialist with 22 years of service and the primary author of the Iraqi Security Forces Order of Battle and co-author of the the Baghdad Security Operation Order of Battle .)