IED component data can illuminate networks of bomb-builders
Just as you would not expect a sniper to engage the enemy while blindfolded, we should not expect forces fighting improvised explosive device forces to attack bomb-building networks in the blind.
Yet this is essentially what we have been doing, despite our best efforts to illuminate those networks through human and signals intelligence. These methods are of limited value in counter-IED operations, for the information they produce is generally incomplete and potentially untrustworthy. Moreover, it takes too long to process and compile such information into usable multi-intelligence reports. Unless we can do better, successful attacks on IED networks will remain difficult to achieve with consistency.
There will never be an IED “silver bullet,” but there is a better way. By structuring data already being collected and applying social network analysis, we can rapidly and efficiently develop a broader understanding of IED networks. The result: You can see what you are trying to attack and then develop an appropriate targeting strategy.
It may surprise those not intimately involved in C-IED to learn that there are dozens of types of IEDs, and dozens of subtypes within types. At its base, each weapon is composed of a power source, switch, detonator and explosive. If there were only six types of power sources, switches, detonators and explosives, that would mean there were 1,296 potential types of IEDs. In fact, there are hundreds of available components.
Yet this variety is the key to our ability to learn about bomb-building networks. If we can identify similarities in the physical makeup of the IEDs, we can potentially illuminate the bomb-making cells. Thus, we need a way to isolate a given network, extract its attributes, compare and weigh component similarities, geo-locate the remaining isolated IEDs — and do all of this quickly.
Explosive ordnance disposal (EOD), weapons technical intelligence (WTI) and combined explosive exploitation cell (CEXC) technicians have long recognized that IED components are both a bomb-maker’s “thumbprint” and a potential light into his shadowy network. This notion is gaining credence among senior officials in the Joint IED Defeat Organization (JIEDDO) and elsewhere. “We want bomb-making for insurgents to be an inherently dangerous business. … To meet this problem, you have to understand the components,” Mitchell Howell, the organization’s deputy director of rapid acquisition and technology, said at a JIEDDO-led C-IED conference in November.
Current IED reporting procedures and component analysis methods fail to capture and authenticate this thumbprint in any institutional way. Component analysis has largely been a quest to isolate supply-chain similarities. Individual units and small groups of analysts have succeeded with local efforts to analyze components, but such efforts frequently get lost during a unit’s relief in place. In any case, such efforts have not meaningfully spread between units, services or agencies.
Today, when an IED is exploited, any data collected by the C-IED operator is fed up the chain via significant activity reporting and eventually parsed into — it is fair to say buried within — the Combined Information Data Network Exchange (CIDNE) database. As anyone involved in the C-IED fight can attest, this database’s near-total lack of structure prevents the practical extraction of data. Unless the data is important (i.e. requires further exploitation), it is never analyzed or pushed back down to the tactical level, where it is needed most.
Like many C-IED initiatives, CIDNE was a top-down approach to solving a problem: how to provide strategic and operational commanders instant access to a centralized database. It answered the mail in that regard, yet completely failed to allow tactical operators to extract component data and visualize the IED networks they are trying to counter.
We propose a bottom-up approach to IED data collection and analysis that would close the loop and answer the information requirements at all three levels. The first requirement is a streamlined system that allows structured and consistent IED data collection and analysis. To help create this, we turned to the Common Operational Research Environment laboratory (CORE) at the Naval Postgraduate School. Run by the school’s Department of Defense Analysis, CORE is essentially an intel-ops fusion center that exists largely to attack problems presented by Defense Analysis students, the vast majority of whom are special operators (Army Special Forces, Navy EOD and SEALs). CORE’s specialty is using operator experience to improve data collection platforms and pulling value from extremely robust data sets. Among other successes, CORE developed a platform currently in use by Army Special Forces in Afghanistan to facilitate village stability operations by mapping the human terrain.
With CORE’s assistance, we developed IED Network Analysis (IEDNA), an application for hand-held devices that allows rapid, streamlined, structured on-scene data collection. The application reduces the burden of on-scene investigators — no more grease pencils on windows and sweat-soaked notebooks — but more importantly, produces consistently reported data that allows better analysis at the tactical level.
Arriving on the scene of an IED event, an operator can use IEDNA to display guides to ordnance, homemade explosives, components, tactics, techniques and procedures, etc. This improves situational awareness and report accuracy.
As the exploitation unfolds, the operator calls up a list of EOD/IED response types, picks the one that generates the proper data-collection form, and navigates an intuitive set of standardized pick-list menus that reminds him what to look for and ask. If necessary, he can capture photos and video that automatically get attached to the report. The embedded lexicon is universal. The intelligence isn’t scribbled down and deciphered hours later; it is logically collected and structured. When the IED event is over, the application can output a report neatly formatted in HTML or Excel, and dispatch the data to an IED database.
charting the network
To illustrate the value of analysis made possible by structured data, we used the IEDNA application to create reports about 63 notional IEDs.
Next, we imported the data into a social network analysis application. There are several such available free of charge. We chose Organization Risk Analyzer (ORA), developed at the Carnegie Mellon Center for Computational Analysis of Social and Organizational Systems.
ORA begins its work by comparing every IED in the group to every other one, looking for commonalities in their physical components. After crunching the data, ORA assigns a “tie” to each possible pair of IEDs, expressed as a percentage called the similarity correlation. For a similarity correlation of 50 percent, two IEDs will be “tied together” if they share at least 50 percent of their components.
ORA then displays sociograms, charts that display ties between the IEDs at various levels of similarity. If the similarity correlation is set too low (10 percent) or too high (90 percent), the resulting sociogram is not useful. The idea is to find the network “sweet spot,” that percentage that begins to illustrate potential bomb-making cells.
At 50 percent similarity, the IEDs began to cluster into interesting groups. At 60 percent, the groups became too fragmented. Ultimately, we found the sociogram with a similarity correlation of 52.5 percent divided the IEDs into groups that likely reflected their origins in different bomb-making networks.
In this case, using our notional data, the chart shows two main groups: victim-operated IEDs (VOIEDs) and remote-controlled IEDs (RCIEDs). Having properly divided the IEDs, we could respond, and quickly, to the kinds of questions a C-IED task force commander might ask. For example, a commander might demand to know about all VOIEDs that have used passive infrared detectors (PIR) to detonate explosively formed projectiles (EFPs), a particularly deadly kind of IED. Answering such a request using today’s reporting and analysis procedures would be at best difficult and time-consuming, if not impossible. But an analyst equipped with ORA and connected to a well-structured database filled with data collected by EOD techs using the IEDNA application could answer this in matter of minutes.
Starting with the 52.5-percent socio-gram, we can strip out non-VOIEDs, then color the remaining points by trigger mechanism — in this case, pressure switch, tripwire and PIR/EFP. The resulting chart reveals, among other things, that the vast majority of victim-operated IEDs are activated by pressure switches. An analyst can then — in seconds — remove those nodes inapplicable to the requested analysis and visualize only those IEDs that are VOIEDs of the PIR/EFP type.
As we continue to strip away IEDs that are not relevant to the specific sub-network being analyzed, it is important to ensure that the similarity correlation is as high as possible without fragmenting the network. This is done to confirm we are not artificially tying together IEDs that are not related to the same bomb-making cell. At this point in our analysis, the similarity correlation is set to 60 percent: an IED tied to another shares at least 60 percent of its physical characteristics. This is an important step. As we further drill down on sub-networks, IEDs will inevitably have more in common. The remaining IEDs are then exported from ORA and displayed on a map using Google Earth.
It is worth noting that the limited analysis conducted on the IED network up to this point has been performed without the benefit of more specific intelligence sources, such as local residents or signals intelligence. Should such a source emerge, its value would be magnified by component-level intelligence. For instance, if a separate intelligence report links an individual or group to IED Incident No. 1, we can assess with a high level of confidence that he is also linked to Incident Nos. 3, 8 and 39.
The value of narrowing the geographic area of interest cannot be overstated. The competition for high-demand, low-density intelligence, surveillance and reconnaissance assets is fierce and constant. The ability to state explicitly an area that needs to be scrutinized, and show that need in an empirical way, can mean the difference between gaining immediate access to the requested asset and losing it to operations deemed more pressing.
Ultimately, figuring out what IED components are most prevalent in a given area may be among the most valuable services IEDNA can provide. What brand of PIR devices are most employed? Where are they manufactured? Who is selling the devices? Who is importing the devices? Can we intercept and/or disrupt the supply chain? If IEDs No. 10 and 49 have 60 percent of their components in common, suggesting the same IED architect was at hand, yet are noticeably separated, does this mean that the PIR/EFP technology and knowledge are diffusing? If so, how quickly? These are important questions, and our analysis can assist by being able to rapidly filter through massive datasets and geo-locate items of interest.
IEDNA can rapidly identify potential bomb-making cells by virtue of the overall similarities of IEDs. It allows us to narrow the geographic areas of interest and boosts the value of any SIGINT, HUMINT or biometrics data that can be layered atop the component analysis. And, perhaps most significantly, IEDNA is inexpensive, easy to manage, applies to all C-IED forces and is not being done.
Globally, the number of IED attacks has doubled since 2009. In asymmetric warfare, where the IED is the preferred weapon and the enemy is borderless, IEDNA becomes that much more powerful. The ability to rapidly illuminate subnetworks, identify and associate IEDs by component similarities, and tailor network attack strategies accordingly can no longer be ignored.
LT. DEAK CHILDRESS, a Navy intelligence officer, and LT. JOHN TAYLOR, a Navy explosive ordnance disposal officer, are completing their graduate studies at the Naval Postgraduate School.