Milcord Participates in Cobra Gold 12 Military Exercises in Thailand

From January-February 2012 Milcord participated in Cobra Gold military exercises in Thailand, demonstrating our MARCIM (US Marine Corps Civil Information Management) Semantic Wiki. This is the second year we have participated in the exercises; last year, Laura Cassani represented Milcord by presenting our sociocultural knowledge base. You can read Laura's post here for background on the exercises, and details about our participation in Cobra Gold 2011. Since then, we’ve developed another knowledge base built upon a Semantic Wiki platform, tailored to support the Civil Information Management needs identified in Thailand.

The MARCIM Semantic Wiki supports real time data collection, visualization, and analysis by automatically ingesting assessments and surveys conducted by Civil Military Operations (CMO) teams submitted via mobile devices, and semantically tagging and generating relationships with the field collected data. During Cobra Gold 2012, the MARCIM Semantic Wiki was placed in the hands of the exercise’s planning and operations team. This team, stationed at the CJCMOTF (Combined Joint Civil Military Operations Task Force) in Korat, Thailand, is responsible for overseeing all CMO activity within the country. I spent three weeks observing, interacting with, and supporting the users, and, based on their feedback, we customized the Wiki so that it could best assist and advance the efforts of CMO personnel. It was incredible to see how the Wiki evolved throughout the exercises from being something that was built on a conceptual level by Milcord to being a living, breathing tool that took shape around user feedback as we worked continuously to tailor the Wiki so that it could confer the utmost benefit to the troops. On a daily basis within the CJCMOTF, the staff used the Wiki to submit their daily reports, analyze demographic information within the area of operations, monitor team activity, and visualize responses to surveys and assessments.

During my time in Thailand, I gained an appreciation for the nature of the data collected during CMO missions; information is collected about the local infrastructure, medical needs of the population, progress being made at engineering sites, as well as sentiments of the Thai people toward the troops. Instead of placing this data onto inaccessible hard drives where it is unlikely to be utilized, the Wiki structures the data and places it into an analyzable form for users, thus presenting the value of the aggregated data to the troops. In addition to helping the troops understand the impact they’re making on the ground, the aggregation and analysis of this data also prevents duplication of effort by CMO teams by alerting them to what has already been achieved within the area of operation, and what activities and projects should be prioritized in the future.

Although our work within the CJCMOTF kept me busy, I was still able to sneak in some sightseeing. I visited the Weekend Market in Bangkok (the largest market in Thailand), toured the Royal Palace and Wat Pho, and visited Khmer ruins within Korat. The entire trip was a culinary escapade, and I quickly developed an appetite for som tam (spicy papaya salad with shrimp) and chai yen (Thai iced tea).

Since our participation in Cobra Gold 2012, we have been invited to participate in a number of other exercises, including Balikatan 2012 exercise in the Philippines, Pacific Partnership 2012 exercise in Southeast Asia and Oceania, and Black Sea Rotational Force 2012 operation in Eastern Europe. We look forward to posting further updates on the evolution of the MARCIM Semantic Wiki as we progressively gain insights from these operations and exercises!

Milcord Participates in Cobra Gold 11 Military Exercises in Thailand

This past month Milcord participated in the  Cobra Gold military exercises in Thailand, demonstrating our Office of the Secretary of Defense Human Social Cultural Behavior (HSCB) Modeling Program project, a Socio-Cultural Knowledgebase using a Semantic Wiki. Cobra Gold is an annual joint training exercise held in Thailand and sponsored by the U.S. Pacific Command and the Royal Supreme Thai Command. One of the world's largest multinational exercises, it draws participants from 24 nations, including the armed forces of Thailand, Republic of Singapore, Japan, Republic of Indonesia, Republic of Korea and the United States. Nearly 13,000 military personnel, approximately 7,300 of them American troops, participated in Cobra Gold 2011. The event improves participating nations' ability to conduct relevant and dynamic training while strengthening relationships between the militaries and local communities.

Participating in the exercises was a fantastic experience, as we traveled across the country speaking with Soldiers and Marines at various bases gaining valuable feedback regarding how our tool can support socio-cultural data management for complex operations with the ultimate objective of transitioning our ONR supported R&D into operational use in the field.

One of the highlights of the trip, in meeting with a group that had recently deployed to Afghanistan, we used the Socio-Cultural Knowledgebase to look up the exact area of their deployment and view information about the tribal dynamics, provincial and district contextual knowledge, and data on political figures and powerbrokers relevant for their area. For the Afghanistan and Pakistan area, the Semantic Wiki covers more than 3,000 tribes and ethnic groups, documenting their traditional alliances, disputes, human terrain map, and other pertinent information to operations. The wiki also has articles for almost 700 individuals of significance for the region.

Our use of a semantic wiki platform enables the representation of the human terrain knowledge as facts and relationships. The representation of this knowledge in a semantic wiki has the additional advantage for faceted browsing and answers engine queries. For instance, the semantic wiki can answer questions like “What are the tribes in Kandahar Province and their traditional disputes?” as a table which dynamically is generated every time a new fact is added that fits this question. Getting firsthand feedback from the very people you want your research to support is a rewarding experience. We hope to be able to return next year and participate in the field exercises, showing how our tool can directly support socio-cultural knowledge management for civil affairs and humanitarian operations.  The picture above is from the opening ceremony of the exercise in Chiang Mai as I present our Socio-Cultural Knowledgebase using a Semantic Wiki to the dignitaries in attendance while the picture below is from our travelling road show.

Additionally, while it was quite the busy schedule for the two and half weeks I was there, we were still able to find time for sightseeing, taking in historic temples, a Muay Thai boxing match, and even a visit to a fish spa. And of course, sampling the incredible array of Thai street food was amazing; I still dream of the delicious steamed pork buns I had in Bangkok and Chiang Mai.

Operation Aurora - Searching for Stars, Finding Comets

When the ‘Operation Aurora, AKA trojan.hydraq’ controversy surfaced, we investigated the role, if any, of fast-flux botnets in the reputed exfiltration attacks from Chinese-supported actors against 33 US technology companies. Our preliminary results using FastFluxMonitor found no direct indication of fast-flux activity associated with the reported domain names. But just as astronomers may detect comets when observing stars, we did find associations between nameservers with fast-flux history and some of the domains and IPs involved in the attacks. In the FastFluxMonitor table below, we see that three of the reported domains used in these attacks share the same nameserver,, which is registered to Chinese network operator, CHINANET, ASN 4134, the leading ASN worldwide in terms of Conficker activity. domains-table-feb-11

Building on this finding, we then used FastFluxMonitor to discover more than 600 bots associated with fast-flux behavior registered to this ASN. In the FastFluxMonitor table below, we see that a few of the nameservers associated with a known-spamming IP from this ASN,, are classified as fast-flux. While the IP in question is not classified as fast-flux, its association with nameservers that are fast-flux is reason for suspicion.


With guilt-by-association, domain names or IPs associated with these nameservers are suspicious, irrespective of whether the individual IPs or domains are classified as fast-flux. Cyber-defenders can apply this intelligence as a proactive measure to filter access to or from these domains, IPs, and nameservers. As exfiltration attacks are often complex attacks preceded by social engineering probes such as spear-phishing, proactive measures such as real-time filtering are essential. Perimeter and vulnerability-based defenses are necessary, but insufficient, measures against social engineering attacks.

News Scan – Cyber Security

  • “… unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.” – “In Digital Combat, U.S. Finds No Easy Deterrent”, NY Times, Jan 26, 2010
  • ‘Had this attack employed more sophisticated hosting or resolution techniques like fast flux, even the IP addresses would have been useless..” – “Finding Aurora (googlehack)”, NetWitness Blog, Jan 15, 2010

Cyber-Terrorism/Warfare – The Emergent Threat: Strategies for Survival

Last night I attended a panel discussion entitled, Cyber-Terrorism/Warfare – The Emergent Threat: Strategies for Survival” at Boston University. While the cyber threat is not a new one, it is something that the intelligence community and the Department of Defense have more recently become invested in examining in some depth. One of the first questions raised to the panel involved defining the problem. What is the difference between cyber-crime, cyber-terrorism, and cyber-warfare? To give my own humble two cents, it would seem that the distinction is the same as in conventional operations. What distinguishes between criminal acts and terrorist attacks is the end goal. In crime, the action, for example robbing somebody, is the end goal. The point is to get the money. In terrorism, the end goal is beyond the intended target. There is a political message inherent in the act that is targeted at an audience beyond the victims. Additionally, cyber-warfare would also have a political motive, and to quote Clausewitz, the action would simply be a continuation of politics by other means. To make the distinction between cyber-warfare and cyber-terrorism, it would matter what the intended target was.  Terrorism is usually distinctive from war because it targets noncombatants, or individuals not in a "declared state of war".  Therefore, the attacks against the Marine barracks in Lebanon in 1983 that killed more than 200 servicemembers was considered terrorism, because the barracks, while being a military target, was housing Marines that were part of a peacekeeping force in the country, and therefore, not in a declared state of war.


The tricky part comes in when one tries to attribute a cyber-attack to a particular actor. Dr. Leonid Reyzin, a cryptology expert stated that our best defense against an attack is to harden our systems. Many government systems do not employ state-of-the art cryptology mechanisms (e.g., many sensitive systems currently use one password for numerous people). Additionally, he pointed out that life-critical systems, systems that if comprised could result in loss-of-life, should be completely disconnected from business networks altogether. He gave an example of a computer virus that spread through email systems, and eventually infected the business system of a nuclear power plant. Due to the fact that the power plant’s business system and critical systems were on the same network, the virus comprised and actually shut off the safety mechanisms of the plant.

Arthur Hulnick, a veteran of 30+ years in the intelligence community, stated that resources to address the cyber threat would best be spent on hiring the best and brightest people. He added that there were too many hurdles to hiring the right people in the intelligence community due to security concerns. Reliance on the polygraph and issues with traveling abroad or having foreign connections (despite the fact that you want bi-cultural or foreign language speakers that often have spent time in these places) prevent people from contributing to the effort.

Another question that was brought up to the panel involved the development of cyber-warfare doctrine. How can one reliably develop a strategy for engagement when there is the issue of attributing an attack to a particular state or actor? Is there a proportional response? Does one respond with offensive cyber capabilities against a country that may not have known their systems were breached? Is there a way to declare this policy for deterrence purposes? Joseph Wippl, another career CIA officer, stated that a robust international effort to share information and best practices would be the best preventive defense against cyber attacks. Dr. Robert Popp, a former DoD official in OSD and DARPA, stated that resources would best be allocated to develop offensive capabilities that could overwhelm our adversaries, hopefully providing some level of deterrence.

Overall, it was interesting and informative evening however, it seems that while there has been much discussion on the subject, there are many more questions than answers.

NAACSOS Annual Conference

Last week we presented work entitled, “A Systems Dynamics Model of Counterinsurgency in Southern Afghanistan” at the North American Association for Computational Social and Organization Sciences at the Center for Social Dynamics and Complexity at ASU. NAACSOS (which will be changing its name soon to the much more digestible acronym CSSS – Computational Social Science Society) is scholarly society seeking to advance social science through the application of computer simulation and other computer-based methods to the analysis of complex social systems and processes. In a break from our normal conference circuit, there were a small number of presentations focusing on global security issues. The largest percentage of papers addressed developments in agent-based modeling. In particular, the most interesting advance from this perspective involved the integration of GIS technologies and 3-D agents for visualization in agent-based models. Capturing more realistic movement of humans as agents in a model will allow for greater complexity, with particular implications for evacuation and disaster management and planning.

Our paper focusing on Southern Afghanistan was well received and fostered a lively debate. Our presentation related to our work to build a campaign design tool for counterinsurgency and stability, security, reconstruction, and transition (SSTR) operations. In this project we are researching the root causes of insurgency and instability and fusing this knowledge to doctrinal components to find vulnerability points in the insurgent system, modeling the insurgent environment for use by operational commanders in answering what-if type strategic planning and resource allocation questions in the design of campaigns. Our approach supports analysts, planners, and practitioners involved in asymmetric operations by providing operationally relevant information on the relationships between factors driving the insurgency and leverage points identified through counterinsurgency measures, helping to build a more effective campaign design for complex operations.

Integrated Feedback Loops of Instability in Southern Afghanistan:

Integrated Feedback Loops of Insurgency in Southern Afghanistan

The main questions that were raised during the presentation revolved around the utility of relying on the Counterinsurgency Field Manual, given its conceptual approach to operations. This is a familiar criticism we have heard regarding the Field Manual, which was released in 2006. Additionally, a major focus of the conference was on validation of models. Given that our model is more of a conceptual framework for critical thinking as opposed to a black box model, that our project is based on qualitative rules from peer-reviewed and authoritative sources, we offered a different approach to traditional model validation requirements.

The most relevant presentation for our work in complex operations was from the U.S. Army TRADOC Analysis CenterCultural Geography Model Use in Support of Human in the Loop Experimentation”. This project involved developing an agent-based model of a civilian population to determine responses to government and stability force actions in a counterinsurgency environment. The population was based on data from the city of Amara in Iraq. This model was interesting in that the population was the center-of-gravity, to use Clausewitzian terms, rather than more traditional insurgency-focused representations.

An additional paper of interest involved work out of George Mason University focusing on an agent-based model of kinship relationships in Pakistan. This presentation focused on developing a model based on qualitative rules from anthropological research that informs a template for the actual computer code. While this work is still in its early stages, the goal is to enable prediction of alliance formation.

A personal highlight of the conference revolved around the presentation by Zachary Schaffer on “The Foundress’ Dilemma: An Agent-Based Model of Colony-Founding Strategy in Ants”. This research was looking at the phenomenon whereby unrelated ant foundresses (queen ants essentially that found new colonies) can form seemingly altruistic cooperatives with other foundresses in establishing new colonies. In learning about cooperative colony foundation, I was able to tour the various species of ant colonies kept at the Center for research. Satisfying my itch for an ant farm growing up, it was a fascinating experience. - perennial incompetence

Over the last couple of years, we have used to submit proposals to civilian Federal agencies. Our experience has been uniformly dismal. After our recent experience, it is clear this system is getting worse. Let's start with the poor design that forces the applicant to use a rich client to cram each form and attachment into a single document. I guess it must have been designed when the majority of users were using dial up. Initially this client was a PureEdge Viewer, which was a clunky application. The replacement of PureEdge was applauded in the research community. Recently, replaced the PureEdge form with an Adobe Reader form, which is - sad to report - even worse. If you update Adobe Reader, you will lose all of the attached forms you filled. The application generates a single pdf file for submission but insists that you submit the document through the Adobe application, which does not work.

Why can't the user upload the final document??? Why can't review the best practices in the government like DoD proposal submission systems and emulate it? Why can't develop a Web based system?

Such a poor design will generate a huge amount of customer support calls. It does. The caliber of the support folks is not capable of resolving these issues. You get canned responses like try resetting your password. If you do, you get hung up in ether because of the heavy volume of use. If you want to speak with someone who is technical, good luck. Tier 2 support takes 2-5 days response.

If we were in the minority in such criticism, it would have been unfair to call incompetent. Alas we are not. Just look at the posts at blog. Here are some recent posts. Here is another. Here some academic workaround suggestions from BerkeleyOhio State, Michigan Tech, Clemson, University of Michigan. OMB Director is quoted as saying that is a casualty of increased usage. It is sad that agencies are using a system that is light years away from state of the art to seek innovation.

The Inheritance

Perhaps now more than at any other time in our nation's history, the United States faces a multitude of strategic threats and challenges. Rogue regimes, militant Islamist networks, and changing power balances from rising nations such as China, to failing states such as Pakistan, threaten to upend the security and stability of the United States. 


As a research assistant for The Inheritance: The World Obama Confronts and the Challenges to American Power, a book by David E. Sanger, Chief Washington Correspondent for The New York Times, I had the opportunity to dive deep into issues ranging from Chinese military modernization to cyber-security to the Iranian nuclear program. My research took me into the Pakistani nuclear establishment and the militant threat emanating from the tribal areas to the post-invasion environment in Afghanistan and the personalities shaping the debate on counterinsurgency in the post-9/11 world. 


The democratization of technology involving nuclear materials, cyber-attacks, and biological agents, has provided non-state actors access to weapons that were previously the purview of states. The multifaceted nature of these complex issues will require greater interagency cooperation and knowledge transfer, in particular in the civil-military field. Securing the homeland from the threat of radiological weapons will require a robust intelligence effort abroad to root out shadowy networks dealing in such materials, such as those of A.Q. Khan, increased focus on securing at-risk facilities in Russia and the former Soviet states through initiatives like Cooperative Threat Reduction, and increasing collaboration between the scientific community and government entities such as the Domestic Nuclear Detection Office to bring cutting edge research and technology to the detection of radioactive materials crossing our borders. 


In the cyber-security realm, bolstering public-private partnerships between government entities such as the military and intelligence community, and corporations, financial institutions, and public utilities, often the targets of cyber-attacks, will be important in developing detection and response capabilities and formulating comprehensive rules of engagement. In addition to the military component of COIN operations, civilian teams specializing in security-sector reform, judicial and political affairs, economic development, and infrastructure, will be operating in the battlespace to bolster host government legitimacy, the center of gravity in the campaign. Given the shared responsibilities in the civil-military field on these issues, fostering knowledge integration and cooperation between the various branches of government, military, and civilian stakeholders is of paramount importance to ensuring unity of effort. 


The Inheritance is a researched-backed analysis of the challenges we currently face, a legacy of the opportunities missed after 9/11.  While I may be biased because of my involvement with the book, I strongly recommend it to anyone interested in understanding the challenges confronting Obama and the complexities of the geopolitical environment. 

Military Logistics Summit

We attended IDGA’s Military Logistics Summit held on June 8-10, 2009 in Vienna, VA. The focus of this year's summit is to support major deployment, re-deployment, and distribution operations. Milcord's presentation entitled Risk-Based Route Planning for Sense and Respond Logistics for the Military Logistics University covered the technology behind our Adaptive Risk-based Convoy Route Planning solution. Our presentation had a diverse audience ranging from logistics contractors in Pakistan to Logisticians at large System Integrators, from high level US Army officers to academic researchers. A logistics contractor posed the question: "I love your risk based route planning system. I wish we had a system like this. Most logistics material are carried by private subcontractors like us (under contract to a Prime like Mersk) in Pakistan and Afghanistan. Even if the Army has this system, it won't do us any good." It was an interesting question that shined a light on the lack of information sharing between DoD and second /third tier military contractors in the supply chain, and generated a nice discussion among attendees.

Another interesting question on our presentation was the concern about the predictability of a route. Minimal distance routes are deterministic and pose a security risk because they can easily be determined by the adversary. In contrast, minimal risk route is not deterministic (changes with events on the field), which gives a better protection against predictability by the adversary. The risk surface (computed per road segment) changes with every incident, intel report, weather, traffic, etc., which, in turn, affects the route minimal risk route.

Another question: "If a bridge is blown down the road, how long does it take the Urban Resolve data set to update itself? " This is an issue that even commercial COTS GPS tools struggle with random events like road closings due to construction. Our current solution gives a manual workaround for such conditions by letting the user define an intermediate way point and  dragging the route away from the bridge. Crowd-sourcing can also help address this issue by arming users with power to dynamically update road availability by adding road blocks on their GPS units.  Crowd sourcing also brings about data integrity issues in that user specified changes would not be put into the database as every soldier would have a different viewpoint.

There were several other interesting presentations and exhibitions. Dr. Irene Petrick's talk on Digital Natives and 4'th Generation Warfare generated an active interaction with the audience.  She presented survey results that compare the value systems of Traditionals, Baby Boomers, Gen X and Gen Y, articulated where Digital Natives can add value to warfighting, and pose challenges organizational management. On the gadget front, Safe Ports demoed an eye scanner  based on infrared so it even recognizes you through your sun glasses.

Notes from CSIIRW-09

We attended and presented at the Cyber Security and Information Intelligence Research Workshop, April 13-15, 2009 at Oak Ridge National Labs (ORNL). . The audience numbered about 150 attendees, with academic and government representing the biggest segment, and a few representatives from government, systems integrator , and technology providers. In his keynote, Dr. Doug Maughan from DHS reviewed and assessed federal cyber initiatives from 2003 to the present. While noting that the amount of activity around cyber security is encouraging, Doug challenged the cyber security research community to be “bolder and riskier in their thinking”, to do a better job of capitalizing on the increased interest, and to come together on an agreement for a “National Cyber Security R&D Agenda”. In other featured presentations, Dr. Nabil Adam from DHS and Rutgers University introduced issues and programs at the intersection of Cyber and Physical Systems Security. SCADA and Smart Grid systems were highlighted. In his “Are we on the Right Road” presentation, George Hull from Northrop Grumman confronted basic challenges. With 5.4 million unique malware samples discovered in 2007, and companies like Symantec now doing up to 300 updates per day, signature-based systems don’t and can’t work. And as systems become ever more complex, the complexity works against security and reliability. Hull suggested that cyber security is not about the endpoints or the network. Rather, the real focus needs to be defending the information. Dr. Robert Stratton from Symantec presented findings from Symantec’s Internet Security Threat Report (April 2009). Of particular interest to Milcord was the finding that in 2008 “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.”

The panel discussions surfaced some points for pondering, including observations that as venture capitalists seem to be moving away from cyber security as an investment area the government needs to fill the void in R&D funding. Some questioned the effectiveness of some government cyber R&D programs like NSF, going so far as to refer to it as ‘welfare for scientists’, disconnected from real-world needs, and unlikely to produce innovation that results in deployable systems.

Milcord presented findings from its DHS-sponsored botnet research on the Behavioral Analysis of Fast Flux Service Networks. Specifically we discussed behavioral patterns of domains, name servers, and bots that we discovered from our FastFlux Monitor into the short-term behavior, long-term behavior, organizational behavior, and operational behavior of botnets that use fast flux service networks.

The Efficiency of Security

Last week I visited a number of military and civilian Federal agencies in DC, MD, and VA. My experience in getting into these agencies was uniformly the same - long, cumbersome, and confusing. Now we all agree that the Federal agencies should control access to their facilities for security after all we are talking about national security. However, the question that begs to be answered is: Is this the most efficient and effective process to enforce security for access to our Federal government agencies? At every entrance, the visitor hand writes in a log her/his name, organization, citizenship status, name of the person to be visited, etc. Any re-transcription of this ineligible content into a digital format would introduce typographical errors, thus defeating the very purpose of the data being collected. Most agencies also require the serial number of the laptop to be logged as well. I wonder how many visitors put down the serial numbers for their laptop battery or wireless card? This to me sounds more of an appearance of security than security itself. 

So how can this process be improved? There are so many effective online meeting solutions that can be used to emulate for physical access to a Federal government building like Cisco webex, GoToMeeeting, Office Live Meeting and so on. The common thread of these systems is that the person who is hosting the meeting (the official at the Federal government agency in our case) will specify the location (a physical instead of a virtual location in our case) , date, time and invite attendees, which result in the generation of a unique event ID. Such a system can be easily extended to obtain the additional information (e.g. citizenship, laptop serial number)  required. In addition, such event management systems would issue a password to be able to attend the meeting. 

Imagine visiting a Federal agency where you can generate the necessary paperwork at a kiosk by supplying the meeting ID and password. In such a world, the security personnel would do where they would add the greatest value: verifying the credentials of the visitor and authorizing access similar to boarding an airplane. Once the system is IT based then additional checks on the visitor's credentials can be performed using web services. If the tracking of a laptop is critical, then such a kiosk can automatically determine the MAC address of the laptop ensuring additional safety. Imagine the millions of hours saved if every Federal agency adopted such a system.