Giving it Away On-Line?—Dissecting an OPSEC Case Study
A recent Air Force briefing suggests that an on-line forum revealed extensive information about the F-22 fighter, but much of the data was already in the public arena. Was it a violation of Operational Security (OPSEC)--or simply a veiled effort to discourage internet activity by military personnel?
Part II of II
By Nate Hale
In December 2007, a "vigilant witness" approached members of the Air Force Office of Special Investigations (AFOSI), the service’s clandestine investigative service. The "witness"—an AFOSI term for a confidential informant—voiced concerns about suspicious information regarding the F-22 stealth fighter, posted at a popular on-line forum about military and civilian aircraft.
The tip eventually mushroomed into an OSI inquiry. Monitoring the website—and its participants—government agents found literally hundreds of posts about the F-22, the Air Force’s newest fighter jet which incorporates sensitive, state-of-the art technology. By one estimate, posts on the stealth jet attracted new users to the forum, and generated almost 70,000 page views.
More disturbingly, the probe revealed that many of the posts had been written by an Air Force F-22 pilot. For more than 18 months, the pilot (who used the handle dozerf22) shared information about his aircraft and responded to on-line queries. That raised concerns about a potential breach of operations security (OPSEC), through the disclosure of sensitive data in a public forum—in this case, a website that could be easily accessed by potential adversaries, anxious to learn more about the F-22.
Concerns about the possible, on-line disclosure of critical data were recently summarized in an OPSEC case study, reportedly produced by the AFOSI, the Navy’s Criminal Investigative Service (NCIS), the FBI and the Department of Homeland Security.
According to a PowerPoint briefing based on their analysis, "Dozer’s" various postings provided a wealth of information on issues relating to the F-22, including aircraft "lot" numbers at different bases; the function of specific doors and flaps on the fifth-generation fighter; fuel loads and their impact on performance, the status of radar upgrades, and operational details about the jet’s weapons systems. A copy of the briefing--which is unclassified--was obtained by this blog.
But the study fails to address an essential question; how much of the information discussed by the F-22 pilot—and other forum participants—was already in the public domain, provided through press releases and media coverage, or through on-line comments on other web sites?
The answer to that question is surprising, and suggests that OPSEC concerns raised by the assessment may be overstated. Using search engines available to anyone the internet, In From the Cold found scores of references to the F-22, covering many of the topics addressed by Dozer at the aircraft site he frequented. That "discovery" tends to confirm something suggested by the various queries cited in the OPSEC study. Based on the tone and phrasing of their questions, any foreign "spies" on the forum were looking for confirmation of already-available information.
Consider a question about the Raptor’s lack of a Joint Helmet-Mounted Cueing System (JHMCS), which slaves the aircraft’s weapons to the pilot’s line of sight. The Air Force’s decision to forego this capability in the F-22 has been discussed publicly for more than eight years, and Aviation Week’s Bill Sweetman provided an update on the issue last June:
Most fighters today are available with a high off-boresight missile and its essential complement, a helmet-mounted display (HMD) to point it accurately at its intended victim. Big exception: the air-dominance F-22 Raptor. Plans to put the USAF-standard Joint Helmet Mounted Cueing System (JHMCS) on the Raptor were deferred some years ago, the intention being to use the JSF's bug-eyed helmet instead, but there is still no firm timetable for either that or the AIM-9X missile, leaving the F-22 as the only fighter limited to the old AIM-9M. Program executive vice-president and general manager Larry Lawson defers the question to the air force.
The most logical answer is that there is only so much money and only so many test assets available and that the USAF's priorities are elsewhere. Just getting under way are development tests of the GBU-39 Small Diameter Bomb, which quadruples the fighter's count of air-to-ground weapons and - launched a t high altitude and supersonic speed - gives it a 60-mile standoff range. Weapon releases are due late in 2008 and the SDB should enter service on the F-22 in 2010.
Similarly, another Aviation Week piece—from January 2007--detailed the F-22’s ability to locate mobile ground targets and share information with other platforms. The article was based on the fighter’s first deployment outside the CONUS--to a major exercise in Alaska. Aviation Week writers David A. Fulghum and Michael J. Fabey were invited to watch the exercise, and they interviewed a number of participants. From their report:
The F-22's advanced electronic surveillance sensors also provided additional awareness of ground activity.
"I could talk to an EA-6B Prowler electronic attack crew and tell them where a surface-to-air missile site was active so they would immediately know where to point their electronic warfare sensors," Tolliver says. "That decreased their targeting time line considerably."
In addition, the F-22 can use its electronic surveillance capabilities to conduct precision bombing strikes on emitters--a capability called destruction of enemy air defenses.
"And future editions of the F-22 are predicted to have to have their own electronic attack capability so that we'll be able to suppress or nonkinetically kill a site like that," he says.
The same account described the Raptor’s impressive abilities in air-to-air combat, providing details sought by questioners on the aviation forum:
The F-22 is proving it's a dogfighter after all.
While it wasn't part of a hard-turning furball, an F-22--with its Amraams and Sidewinders expended--slipped into visual range behind an F-16 and undetected made a simulated kill with its cannon during the stealth fighter's first large-scale exercise and deployment outside the continental U.S.
Those and other revelations about the F-22's emerging capabilities are increasingly important as the first combat unit, the U.S. Air Force's 27th Fighter Sqdn., begins its initial Air Expeditionary Force deployment this month to an undisclosed site. And the first F-22 unit, the 94th Fighter Sqdn., will participate in Red Flag in February.
The gun kill is a capability Air Force planners hope their F-22s won't use. The fighter is designed to destroy a foe well beyond his visual and radar range. Within visual-range combat and, in particular, gun kills are anachronisms. In amassing 144 kills to no losses during the first week of the joint-service Northern Edge exercise in Alaska last summer, only three air-to-air "kills" were in the visual arena--two involving AIM-9 Sidewinders and one the F-22's cannon.
With its high-resolution radar, the F-22 can guarantee target altitudes to within a couple of hundred feet. Its ability to identify an aircraft is "sometimes many times quicker than the AWACS," he says. "It was a combination of high-resolution sensors and being closer to the targets."
The F-22's radar range is described only as being more than 100 mi. However, it's thought to be closer to 125-150 mi., which is much farther than the standard F-15's 56-mi. radar range. New, active electronically scanned radar technology--optimized for digital throughput--is expected to soon push next-generation radar ranges, in narrow beams, out to 250 mi. or more.
In Alaska, because the F-22 remained far forward at high altitude, with an advanced radar it could monitor rescue missions that the AWACS 150 mi. away could not. "We could see the helicopters down in the valleys and protect them," Tolliver says.
In addition to AWACS, the F-22 also can feed data to the RC-135 Rivet Joint signals intelligence aircraft to improve situational awareness of the battlespace.
"If a Rivet Joint is trying to get triangulation [on a precise emitter location], he can get more [voice] information" from an F-22, Keys says. "If an AWACS sees a heavy group 40 mi. to the north, Raptor can come up and say it's two F-18s, two F-15s and four F-16s."
It also proved easy to find information on another forum topic—Dozer’s planned move to a new assignment. In June 2006, an Air Force press release identified him as the commander of the "Ready Elmendorf" detachment, who would command the first F-22 squadron at the Alaskan base.
There were also multiple references to aircraft tail numbers and production lots—two other bits of sensitive information identified in the OPSEC study. A Lockheed-Martin media release from March 2002 listed the tail numbers and delivery location for aircraft in Production Lot 3. The highly popular defense site GlobalSecurity.org has even more information the F-22 production schedule, including the number of aircraft in each lot.
With that information—and a January, 2007 entry from defense-update.org, it was possible to calculate the introduction of Active Electronically Scanned Array (AESA) radars in the F-22 fleet, and the number of aircraft with that capability. Those sources—and others—were the first to report what Dozer later confirmed; incorporation of AESA technology in the Raptor began with Lot 5 jets.
Google and Yahoo searches also turned up substantial reporting—and speculation—about reported training between the Raptor and Royal Air Force Eurofighter Typhoons. According to various accounts, the Typhoons deployed to Nellis AFB, Nevada in 2005, and participated in mock dogfights with the F-22, with (supposedly) surprising results. Aviation Week provided a summary of the event in its October 3, 2005 issue:
Unconfirmed reports--that is, rumors-- making the rounds in European aerospace industry circles contend that Royal Air Force Eurofighter Typhoons, temporarily operating from Nellis AFB, Nev., were able to pick up U.S. Air Force F/A-22s on their radars, stealth notwithstanding. Similar reports appeared during the 1991 Iraq war concerning the ability of British ships, using large radar arrays, to detect the F-117 and, in later conflicts, the B-2. U.S. officials confirm that the Typhoons were at Nellis to fly with the 422nd Test & Evaluation Sqdn. However, they discount that the Typhoons had seen an F/A-22 in full-configuration stealth. First, they say, the Typhoons and F/A-22s were never in the air at the same time. Second, the F/A-22s always have an enhanced signature for positive air control, except when they go to war or when the range has been cleared for F/A-22-only operations"
Other unclassified sources offered details on the Raptor’s supercruise abilities. Then-Air Force Chief of Staff General John Jumper alluded to the jet’s performance after a 2005 flight:
"Today I flew the Raptor at speeds exceeding (Mach 1.7) without afterburners," General Jumper said. "To be able to go that fast without afterburners means that nobody can get you in their sights or get a lock-on. The aircraft’s impressive stealth capability, combined with its super cruise (capability), will give any adversary a very hard time."
An F-22 pilot at Langley AFB, Virginia was even more revealing. As he told Defense Daily in February of last year:
Raptor pilots are cleared to fly the aircraft up to Mach 2.0 and altitudes up to 50,000 feet, he said.
"To be able to operate at those altitudes at milpower is not something I am used to in an Eagle," he said.
This combination of speed and altitude offers advantages when firing one of the F-22's complement of air-to-air missiles, such as Raytheon's [RTN] AIM-120 Advanced Medium-Range Air-to-Air Missile (AMRAAM), against an opponent, he said.
"If I am at 50,000 feet and going Mach 2, that AMRAAM loves that. It will go forever and it will give [the missile] increased endgame energy," he said.
Other open-source publications suggest that the Raptor can operate at altitudes approaching 65,000 feet.
For virtually every example cited by the OPSEC study, it was possible—with only a little effort—to find other sources that provided as much (if not more) information on questions addressed by the F-22 pilot in the on-line forum.
And, that doesn’t account for intelligence gathering by our adversaries. In some cases (say Dozer’s comments about F-22s pulling alert at Langley), such claims could be confirmed by spy satellites, which could spot aircraft configured for alert duty.
The same holds true for assessments on the Raptor’s various external features. The aircraft has appeared at numerous airshows that are open to the public, with ample opportunities for close-up photography. U.S. intelligence agencies have devoted considerable resources to such collection efforts in the past; there is no reason to believe that our adversaries don’t engage in similar efforts, using hand-held photos, along with classified data, to determine the capabilities and performance features of American aircraft.
So, if much of the information discussed by Dozer on-line was already available in other sources, why did four government agencies devote considerable time (and effort) to their OPSEC study?
For one thing, it’s their job. Ferreting out security threats in cyberspace represents a growth industry, particularly for organizations like the AFOSI and NCIS. The F-22 incident could be used to justify greater on-line surveillance of military personnel and IT systems—and the budgets needed to support that mission.
Secondly, there is little doubt that web sites, chat rooms and discussion boards represent a security risk. Sometimes, the simple confirmation of a bit of data can save time and money for hostile intelligence powers, or allow them to focus collection on higher-priority targets. "Waaay too many spies on this forum," observed one poster, questioning the disclosure of F-22 information on the discussion board.
But the Raptor case also highlights the conundrum facing the Air Force and other military organizations in the information age. While the service can limit or block internet access on its own systems, personnel can still access—and participate--in blogs, chat rooms, message boards and other forums from computers at home, in libraries or other locations.
Faced with that reality, the USAF has imposed even tighter information restrictions. Last month, the service began blocking virtually all websites with "blog" or "blogspot" in their URL. The service maintains that blogs are not legitimate news outlets, and shouldn’t be available to airmen at work.
By comparison, the U.S. Army takes a slightly more liberal approach, allowing soldiers to blog, but mandating that commanders approve their posts before publication. However, the Army has also banned access to many blogs and other websites through its computer systems.
While the military has long maintained that individual blogs and other internet venues pose a security risk, that claim runs counter to the Pentagon’s own data. Last August, Noah Shachtman of the defense site The Danger Room published results of an Army OPSEC audit, which revealed that official military sites pose a far greater security threat than blogs:
The audits, performed by the Army Web Risk Assessment Cell between January 2006 and January 2007, found at least 1,813 violations of operational security policy on 878 official military websites. In contrast, the 10-man, Manassas, Virginia, unit discovered 28 breaches, at most, on 594 individual blogs during the same period.
The results were obtained by the Electronic Frontier Foundation, after the digital rights group filed a lawsuit under the Freedom of Information Act.
Against that backdrop, opponents argue, the military needs a more coherent policy on internet activity and information sharing. As illustrated by the case of the F-22 pilot, members of the armed forces will inevitably find a way to blog, or share their thoughts on-line, regardless of "official restrictions" or other forms of discouragement.
Rather than trying to deflect the information tsunami, critics say it might be easier for the military to set realistic guidelines for on-line activity, and train personnel to required standards.