“Look at this, sir,” calls out Petty Officer First Class Lin, an analyst for the People’s Liberation Army Navy’s 324th cyber intelligence unit. “A USS Lake Champlain sailor just tweeted a complaint that their port call to Darwin, Australia, is delayed. He’s upset he’s had to pay a hotel cancellation fee.”
“Excellent, Lin; update the tracker,” Lieutenant Shen replies, looking at a large-screen display of the South Pacific. For years, the 324th has been tracking U.S. ships and aircraft and monitoring the activities of Department of Defense (DoD) personnel ashore, providing their intelligence community with critical information to be somehow exploited.
“Hold on!” calls a voice from the other side of the room. “I’ve got Facebook posts from a wife bragging about her Tasmanian vacation; she says she’s watching her husband’s ship pull into Hobart. And an Instagram page seems to be showing the ship live in the Solomon Islands!”
“Where are these reports coming from? Are any of them correct? You need to get this sorted out immediately!” Lieutenant Shen’s shock quickly turns to dismay. The admiralty already had vectored assets to search for ships based on his earlier reports.
Realizing his unit lacks the resources to sort through this mess, he sighs, calls up HQ, and begins to explain that all morning reports have been downgraded to confidence level 0.
The next day in Darwin, a young Lake Champlain sailor checks into his hotel while, 400 miles away in Perth, a Chinese electronic warfare signal collection team angrily loads up their nondescript white van, annoyed at the all-night drive ahead if they hope to get anything from the ship before it leaves port.
What went wrong for Lieutenant Shen? Where did all the false reports come from? The answer is that DoD finally adopted a military deception (MilDec) campaign that put the old chestnuts about loose lips and purple dragons in the history books for good. That campaign? Operation Overload.
Operation Overload is exactly what it sounds like: Put so much false information into the environment that when a real operational security breach occurs, there is no good way for a potential adversary to identify and exploit it.
The first step in adopting Operation Overload is to accept that the spilling of any secret is not so much a matter of if as it is when. In the past, targeting, collecting, transmitting, and processing intelligence data could take hours, days, or weeks. This lag meant OpSec didn’t have to be perfect; it just had to delay the inevitable long enough for adversary intelligence efforts to go stale. Today, the collection of actionable intelligence often can be reduced to minutes or even seconds, thanks to the interconnectedness of global databases, advances in computer processing and artificial intelligence, and humans’ continuing proclivity for lapses in judgment when it comes to protecting potentially sensitive information. Operation Overload ensures critical information can hide in plain sight amid a storm of misinformation. Here’s how it might work:
MilDec should be decentralized. Certainly it would be valuable to have Cyber Command work with the intelligence community to spin calculated narratives to mask real-world activities and promote false ones. But it would be foolish to assume adversary forces would not be able to track this information to the source.
Instead, unit commanders and their assigned information operations professionals should work with their commands so the entire DoD community treats their everyday online activities—from community message boards to online dating—as an opportunity to confuse the enemy’s intelligence picture.
Operation Overload should not become so specific that it limits its own potential. For example, when a ship is giving tours to civilians in a foreign port, there is a high probability foreign national intelligence officers may be in the crowd, recording conversations, images, and even electronic signals that may be of use for their analysts. During this time, why not discuss a new air-defense system with capabilities many times more effective than anything DoD actually fields? Why not “accidentally” mention a false Achilles heel an adversary might want to exploit? Together, these little snares could cost adversaries countless hours and invaluable research and development funds chasing wild geese.
During World War II, German and Japanese overconfidence in their information security and underestimation of Allied cryptology proved fatal. For the United States to make similar mistakes in the 21st century would be tragic. To continue using obsolete operational security practices when simple MilDec solutions are available would be inexcusable.