Free Republic
Browse · Search
Topics · Post Article

Skip to comments.

Reading Saddam's Email
Weekly Standard ^ | 1/28/2006 (2/6/06 edition) | Michael Tanji

Posted on 01/28/2006 7:53:20 AM PST by wjersey

STEPHEN F. HAYES has written extensively in these pages about a large cache of documents and digital media captured in the course of Operation Iraqi Freedom and Operation Enduring Freedom. As a former intelligence officer who dealt with digital media exploitation and analysis issues at the Defense Intelligence Agency for nearly four years (2001 to 2005), I am prohibited from speaking publicly about what these documents may contain. What I can do is share my professional opinion on how one might solve some of the major problems associated with media exploitation.

Let us assume hypothetically that the United States has overthrown a hostile regime, and a vast amount of paper and digital media has been looted or otherwise removed from the regime's ministries, industrial centers, and other facilities. A great deal of this material has been obtained by the U.S. military and eventually the U.S. intelligence services.

Because of the lack of context--reliable information about where each item was obtained, who it belonged to, and so on--U.S. intelligence is faced with trying to make sense of a massive, amorphous heap of paper and digital data.

The demands are tremendous. Combat commanders need actionable intelligence so they can turn around and capture or kill more of the enemy (and obtain still more media to exploit). But technical expertise and high-end equipment are hard to come by. So is good, trustworthy linguistic support. Subject matter experts are by and large still back in Washington. Given the problems, how does U.S. intelligence perform deep analysis on data that clearly need it?

The process of exploitation begins with the recognition that neither human intelligence nor signals intelligence is the be-all and end-all. Human sources can lie. They can hide parts of the truth. Unwitting dupes in a deception scheme can honestly tell you what they think is the truth. Intercepted signals generally reveal only part of the intelligence picture. In a complex web of bad guys, tapping the phones of one or two leaves a lot of gaps, especially when your adversary is a whole network of webs.

Digital media, on the other hand, are less prone to be a means of deception, and even one node of a network can reveal a significant amount about the entire network. Think about the data that you keep on your computers at work and at home. Unless you write fiction for a living, these are the most accurate and factual data that can be obtained about you (short of reading your mind). The memos and letters you write, the financial information you calculate, the websites you visit, and the people you email or instant-message--all this is a gold mine for anyone looking to know who you are, what you do, and with whom you cavort. Now imagine having access to the same data about your adversary.

Enter "computer forensics." Exploiting paper documents is a relatively simple matter of reading and, if necessary, translating. Exploiting digital media is another story. Before you can read the data, you have to find it.

Outside the intelligence field, computer forensics is the process by which data are extracted, preserved, and analyzed for pertinence and meaning. The computer forensics community has worked very hard to bring its practices up to the level portrayed on TV in shows like CSI, where digital evidence is now accepted in court as much as fingerprints or blood splatters.

It stands to reason that the same people, tools, and methods used in computer crime labs are also used in intelligence efforts. However, the courtroom-centric, linear, law-enforcement mindset is actually a hindrance to effective exploitation for purposes of intelligence. A military intelligence unit is not interested in going to court; it is interested in helping soldiers put steel on target. This is not to say that a law enforcement approach has no use in the larger intelligence business (for example, in counterintelligence investigations), but if the goal is good data fast, then what is good for cops is not good for soldiers.

ASSUME OUR HYPOTHETICAL hostile regime was a fairly large country with a population around 25 million. It was not the most technically advanced nation in the world, but it had ministries and industries and was believed to have advanced weapons capabilities. All these needed computers to function. How much data does this translate into? Consider some rough calculations.

One floor of an average-sized university library full of academic journals contains about 100 gigabytes of data, the size of a large but not uncommon hard drive. The data in 100 such hard drives are comparable to the print holdings of the Library of Congress. Care to guess whether our formerly hostile regime had more than 100 computers?

As if sheer quantity of data were not problem enough, remember that the materials have almost no supporting contextual information. A computer forensics examiner in a crime lab generally has access to the investigators, knows the nature of the crime, and knows the most common places to look for evidence. A piece of evidence comes to him in a plastic bag with a tag on it saying where it was found, what kind of computer it came out of, and so on.

On the battlefield there is no time to "bag-and-tag" evidence. You find something that looks useful; you grab it, secure it, and move on. When the mission is over, you head to the tent where the Military Intelligence guys hang out and drop off your goods, covered in dust and a lot worse for wear. Under such conditions, context beyond a label reading "hard drive found on Monday" is scarce.

You have a huge store of data and only the slightest idea where it came from, a vague idea of what to look for, and you must do the job to a standard of proof mindlessly imported from law enforcement and far exceeding what is necessary for your work. Is it any wonder that some consider the job hopeless? How can we hope to make any real sense of this mass of stuff?

Technology can help. First, when data come without any meaningful context, we have to re-create it after the fact. We begin to do this by building lists of keywords, phrases, personalities, and other data that pertain to the topics of interest to our intelligence services. These lists can easily include tens of thousands of terms, names, figures, and data formats.

The next step is to create a forensically sound process to spin off the more meaningful pieces of data (user-created documents, emails, spreadsheets, etc.) while leaving behind data that have less utility (files associated with the operating system and software applications). Let's call this our forensic centrifuge.

Ideally our centrifuge will be built out of a cluster of computers: dozens of cheap processors networked together and scaled to rival a supercomputer in power. Cluster computers have been used by academia and the government for years, notably in places like NASA and the Department of Energy.

Computer programs written to take advantage of the multiprocessor capabilities of the centrifuge will extract the easy-to-obtain data files, recover deleted files and those that have been obfuscated by various means, and find the data stored in web browsers, email software, and other programs. There are commercial applications that do this, but our applications will have to be custom-made.

Once we have this notional system, we can aim it at our amorphous heap of captured data. The result should be large but much more meaningful subsets of data that we can be reasonably assured were created by members of the former regime. The problem of authenticity that sometimes complicates the exploitation of paper documents virtually does not arise.

While we now have all the meaningful data we can obtain, there is one more step to take before we can overlay what is called our "contextual appliqué." Our extracted data files must be compared with files of the same type--another computer process easily crafted--for both physical and content similarities. Through this process we should be able to determine things like:

* the names of people who drafted, edited, and were expected to receive memorandums, letters, and orders, and sometimes which computers they worked on;

* which computers were likely networked together, within the same ministry or between trusted associates;

* discussions between former regime elements in the form of both memorandums and email exchanges, as well as the personal thoughts revealed in private letters between confidants; and

* the foreign contacts of former regime elements in the form of email addresses and website data.

This information and more can be used to reconstruct both the physical and social networks of our former hostile regime. It can show who was talking to whom and who was working on what prior to the war. Our contextual appliqué is now complete, and many gaps left by insufficient prewar human and signals intelligence can be filled in.

THE SYSTEM JUST DESCRIBED for sorting and organizing data is notional, but not fanciful. The technology exists, the mental wherewithal exists, and the contract vehicles exist. The problem of finding enough qualified, trusted Arabic speakers and translators is great, but familiar. If we want to do this, we know how. If we want to do it fast, and provide sufficient resources, we can see significant results this year.

Adapting widely accepted technical methodologies to the unique challenges our intelligence services face is merely good sense. Modern technologies could be put to good use by the intelligence community to solve data extraction, processing, analysis, and display problems, if only certain elements in the community could get over the "not-invented-here" syndrome. There are signs of progress, but it is slow. Let's face it: You've probably got more powerful software on your computer at home than the average intelligence analyst has on the job.

There is of course a strong political aspect to media exploitation. Which end of the political spectrum will come out ahead is not clear going in. We could very well have in our possession ample material to support all the reasons the public was told justified going to war--or we could find the opposite, or find there are no clear conclusions to be drawn. But unless we look, we will always be faced--in the immortal words of Donald Rumsfeld--with a huge cache of "unknown unknowns."

After all the detainees have been interrogated, and all of the sand at suspected facilities has been sifted and tested, the only way finally to close the book on what our hypothetical former hostile regime was up to is to analyze every last reliable source of data available to us. That is, if we are really interested in the truth.

Michael Tanji is an associate of the Terrorism Research Center. He opines on intelligence and security issues at

TOPICS: News/Current Events; War on Terror
KEYWORDS: gwot; intelligence; stephenfhayes
Still a lot of work to do.
1 posted on 01/28/2006 7:53:22 AM PST by wjersey
[ Post Reply | Private Reply | View Replies]

To: Dog


2 posted on 01/28/2006 7:54:36 AM PST by Mo1 (Republicans protect Americans from Terrorists.. Democrats protect Terrorists from Americans)
[ Post Reply | Private Reply | To 1 | View Replies]

To: wjersey

Fortunately, terrorists are too dumb to follow good security practices. This makes our job a lot easier.

3 posted on 01/28/2006 8:22:11 AM PST by proxy_user
[ Post Reply | Private Reply | To 1 | View Replies]

To: wjersey
One problem with the program above is that all bureaucracies are to some extent designed to tell their leadership what they want to hear.

This is a pressing problem even in countries with formal systems to provide oversight of the process - witness the debate over the quality of the information that led to the decision to invade Iraq, and whether the intelligence services many have slanted it to provide what their bosses wished to hear.

This problem is an order of magnitude greater in a place like Saddam's Iraq, where summery execution rather than a pension was often the reward for impolitic candor- we know for example that in many cases the military simply lied to Saddam about their readiness and technical capability, and that Saddam lied to his Generals and his technical advisors (and probably to himself) on many of the same questions.

So even if we extract and correlate the sort of material discussed above we would just be a start of the real work - the bigger task would be to separate out fact from the elaborate fictions that likely characterized many communications in both directions.

4 posted on 01/28/2006 8:22:49 AM PST by M. Dodge Thomas (More of the same, only with more zeros at the end.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: wjersey

Wonder how it is the public seems to grasp this yet the MSM and Dem leadership does not?

Who's the dummy?

5 posted on 01/28/2006 9:04:54 AM PST by Smartaleck
[ Post Reply | Private Reply | To 1 | View Replies]

To: M. Dodge Thomas

summery execution

what do they call execution if it takes place in spring, fall or winter? (joking)

6 posted on 01/28/2006 12:38:46 PM PST by sgtyork (If Osamma calls someone in the US, should the NSA hang up?)
[ Post Reply | Private Reply | To 4 | View Replies]

To: sgtyork

It's encouraging to know that someone bothered to read it that closely!

7 posted on 01/28/2006 1:44:21 PM PST by M. Dodge Thomas (More of the same, only with more zeros at the end.)
[ Post Reply | Private Reply | To 6 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794 is powered by software copyright 2000-2008 John Robinson