CI in information operations: enabling operators and defining emerging roles for CI in Army IO.
Army counterintelligence (CI) awareness briefings have long identified espionage as the "second oldest profession." Criminal trades have embraced 21st century technologies to further their efforts, as have the practitioners of espionage and intelligence. CI, the intelligence discipline charged with identifying, detecting, exploiting, and neutralizing foreign intelligence collection efforts, has begun to make strides into the 21st century information technologies. However, we are behind the other elements of Army information operations (IO) in defining roles, missions, and tactics, techniques, and procedures (TTPs) for how to operate in cyberspace, the newest military operating environment. Many talented and innovative CI Agents have begun developing ways CI can provide value and additional depth to Army IO and technical CI. Senior intelligence and CI operators, managers, and leaders must now further define, capture, and formalize these efforts into policy, doctrine, TTPs, missions, and the necessary support areas to bring CI fully into the 21st century and meet the threat in the new battlespace and operating environment.
Army CI and human intelligence (HUMINT) functions and elements exist at all operational levels; our thoughts and actions on support to IO should be no different. HUMINT is part of this discussion since CI and HUMINT use similar methodologies despite a distinct difference in mission and implementation. Many of the efforts in CI support to IO have crossed discipline lines and involve HUMINT missions, such as document exploitation (DOCEX) and machine language-translation technologies. From a HUMINT perspective, we have only scratched the surface. Therefore, one can challenge the HUMINT community to analyze its tasks and missions and provide input on how it can apply what it does to IO, in terms the IO community understands, and leverage technology to enhance mission efficiency. Currently, CI elements involved in IO exist only at a few of the U.S. Army Intelligence and Security Command (INSCOM) theater intelligence brigades and groups (TIBs/TIGs), and a few other separate elements. Most of these elements focus on investigations and investigative methodologies to support DOCEX of computer media. The Army should analyze and appropriately mature all functional areas of CI and HUMINT to take full advantage of technology and fully identify exploitable information in whatever environment or medium our adversaries operate.
Intelligence and CI are both vital support functions to IO under current doctrine as defined in FM 3-13, Army Information Operations Tactics, Techniques, and Procedures, but are not defined to the level of other "pillars" of IO. CI and HUMINT professionals working in IO and technology have developed very progressive and solid methodologies and TTPs to accomplish emerging mission areas. The 902d MI Group's Continental United States (CONUS) Sub-Control Office (SCO) Handbook has addressed computer investigations and Category 6 (Automation) Subversion and Espionage Directed Against the Army (SAEDA) incidents for several years. The Army is rolling most of that guidance into its G2 CI Investigative Handbook, with some additions from other theater SCOs and Department of Defense (DOD) Law Enforcement Counterintelligence (LECI) agencies.
The 513th MI Brigade and Defense Intelligence Agency (DIA) both have methodologies to support DOCEX of computer media. These references cover the "how" of investigations and operations at the most fundamental level--their existence is the basis for defining the requirements. These references have grown from a need by units in the field to document best practices for a recurring mission or task. Therein lies the requirement. Our adversaries are presenting a threat or operating in a new environment in which we need to enter and operate to accomplish our respective intelligence disciplines' missions and tasks in support of intelligence and operations planning.
Although agents in the field have developed some great TTPs, current doctrine, policy, and guidance are scarce concerning CI and HUMINT as they relate to IO. We must fill in the gaps to ensure these TTPs can be effective. Without policy, doctrine, and the senior- and executive-level programs and staff officers to support these efforts, they will suffer. Mission efficiency degrades while operators are working to synchronize missions, define standards across commands, and perform the other tasks normally handled by program offices and staffs.
Once we have defined the basic requirements, the Army must think them through fully in terms of doctrine, training, leader development, organizations, materiel, personnel and facilities (DTLOMS-PF), perhaps using an integrated concepts team (ICT) to do so.
Doctrine Note: A working CI and HUMINT ICT has existed for years; the author intended merely to explain the process to the readership.
Personnel issues are the cornerstone to all other factors regarding this issue. A critical component for success of technology-based IO is a program to identify, recruit, train, retain, and provide career management for operators. Additionally, such a program must include the identification of mission areas, elements, training, and other factors to develop these capabilities fully for overall benefit to the Army. We must identify and specially manage a core cadre of subject matter experts and technically qualified personnel outside the traditional Army models to explore and establish these processes. The reason for this special management is that most assignments are from 24 to 36 months, after which personnel rotate to different operational level assignments. For CI, this normally equates to a tactical-to-strategic-to-tactical cycle. Since there are no defined requirements for missions spanning the operational levels, there is no real opportunity to allow the Army assignments model to "grow" or "spread the knowledge" of these soldiers. The Army is not optimally using the money for training and the soldiers' experience, since 24 to 36 months out of the technology field renders one's skills, training, and knowledge ineffective in the operating environment. The current trends in personnel rotations and transitions will continue to hinder the efforts of transformation and developing a set of programs to support commanders and operators at all levels. Stabilizing the right people (with the right skills and abilities) to develop the DTLOMS-PF considerations and follow-on recommendation documents is critical to providing relevant CI and HUMINT to the Army.
The use of technology enhances all four functional mission areas of CI--investigations, operations, collection, and analysis and production. We also need to take into account our adversaries' use of these technologies. HUMINT, as well as CI, needs to fully embrace technology as a tool and be prepared to use and exploit the employment of technology by our adversaries. These technologies currently exist or are emerging at the national and strategic levels. However, CI and HUMINT soldiers trained in the operation and exploitation of technology and assigned at all levels of the Army will only enhance the quality of the intelligence we provide to commanders and operators at every level. The nature of the threat and the locations where we react to the threat and engage our targets are not supportable by small, centralized elements of specially trained operators.
With an understanding of technology, intelligence discipline fundamentals, supported unit mission, and their interrelations, both the technical CI agent and HUMINT specialist can conduct tasks in support of an all-source effort to support a local commander. The technical CI agent could conduct a counterespionage investigation relating to foreign intelligence and security services' use of digital methodologies and computer network operations. Meanwhile, a technical HUMINT specialist can execute digital media exploitation as a subdiscipline of DOCEX under existing DOCEX TTPs, authorities, and reporting procedures. At an appropriate time and after suitable analysis, this data may support efforts to protect our information and computer networks through Army Computer Emergency Response Team (CERT) computer network defense efforts, additional CI or HUMINT operations, or form the basis for computer network operations target development. To reach the point where this is a reality, we must challenge ourselves and change prohibitive mindsets, practices, and outdated policy. The Army must do all of this while maintaining security, need to know, and sight of who we are supporting and why.
The nature of the operating environment and the threat require us to ensure the new technical and administrative methodologies allow for speed. Espionage and other collection operations are very hard to investigate, because by their nature they are secretive and often applied with varying degrees of stealth. However, we cannot use this rationale as an excuse to spend two months on an investigative subject's computer hard drive to determine if he was hiding information on it. A trained CI agent using media forensics technologies--coupled with the elements of espionage and known cases, incidents, and facts, as well as other intelligence--should be able to produce information in a matter of hours or days to be considered usable intelligence. In the realm of digital media exploitation, network incident investigations, and reactive CI operations, the timeline needs to be just as fast. Proactive CI operations may work on a more traditional timeline since they are not designed to respond to an immediate threat. However, the environment of these operations--cyberspace--epitomizes the asymmetrical and fast-moving field in which we must operate.
Technology is a small part of this speed. We must streamline administrative and management processes to enable the operators. The approval authority for most technical CI operations is the Secretary of the Army or higher. Dedicated staff sections that would rapidly staff operational plans would help, as would a cyber SCO to manage, deconflict, synchronize, and streamline operations for the Army Central Control Office (ACCO) and the Army G2. The management is critical because there is no worldwide visibility on Army CI interests in cyberspace. Dedicated "tactical" analysis is also crucial. The Army Counterintelligence Center (ACIC) produces some great products concerning IO from a CI perspective. However, the ACIC is the Army's strategic CI analytical shop. The Information Dominance Centers at the TIBs/TIGs are better suited to provide tailored, relevant analysis to a theater and lower echelon commander. Changing how we investigate and operate is important, but we must also change the supporting elements. Changing how we provide analysis to and manage those investigations and operations further enhances investigations and operations in support of the overall intelligence effort.
The Army is at a critical decision point in CI and HUMINT concerning technology and support to IO. Do we continue the status quo or bring CI and HUMINT into the fold on senior- and executive-level visibility and guidance on IO and technology issues? Formally stating requirements and implementing new and innovative ways to conduct CI and HUMINT operations in cyberspace and in support of IO will provide true value to Army intelligence. This requires policy, guidance, and programs in these areas. Radical changes are not necessary. Simply analyzing what we do now and modifying how and where we do CI makes a much more viable intelligence discipline in support of all-source intelligence to support the Army's operations.
CW2 Jason Morton is currently assigned to the Saudi Resident Office, Field Office Southwest Asia, 202d MI Battalion, 513th MI Brigade. He previously served as the Chief of Network Investigations and Future Operations for the Cyber-CI Activity (formerly Information Warfare Branch), 902d MI Group. He has served several assignments in Europe and is a graduate of Advanced Foreign CI Training Course (AFCITC), Computer Investigations Course for Special Agents (CICSA), Advanced CICSA (ACICSA), and several DOD investigative and technology courses. Readers may contact him via E-mail at firstname.lastname@example.org.