Exclusive: Pentagon is Combining Corporate Records and Social Media Surveillance to Guide Hacking and Influence Operations
Corporate records provider Sayari claims that the U.S. uses its platform for "Offensive Cyber Operations". And its tools have been integrated alongside cellphone-location tracking by Babel Street.
[Update: April 28, 2023] Sayari scrubbed its capability description within 24 hours of publication of this story.
Exactly one month after Russia’s February 2022 invasion of Ukraine, corporate surveillance firms were meeting with U.S. Army Cyber Command (ARCYBER) to discuss how they could provide bulk surveillance data from social media platforms such as Facebook and Twitter to — among other things — protect the “brand” of the North Atlantic Treaty Organization.
It would be made clear throughout the presentation by then DevSecOps Lead of ARCYBER’s Technical Warfare Center, Lt. Colonel David Beskow, that data such as from social media surveillance and corporate registries — “business entity data like supplier relationships, organizational hierarchy, vendor location, organizational ownership” — would contribute “across [the] mission spaces” of the Army’s cyber operations, including “to influence [the network], operate the network, defend the network, um, and when necessary, attack”.
(On the subject of NATO, Beskow asserted that “We should understand all conversations around NATO…on social media…And we would want to do that long term to understand…what's the NATO brand and how does the world view that brand across different places [in] the world.” Dr. Beskow, who is now an Assistant Professor at West Point, declined a request for comment by way of West Point’s Media Relations Division. For more on the Pentagon’s protection of the “NATO brand”, see the simultaneously published piece from The Intercept.)
The four Army cyber operations categories of “influence”, “operate”, “defend”, and “attack” are terms of art which — much like the infamous National Security Agency definition of “collect” — can differ significantly from colloquial usage. While the “attack” category unambiguously involves hacking, ARCYBER’s own definition of its “defend” mission involves a mix of defense and offense: to “deliver integrated offensive and defensive cyberspace effects and electromagnetic warfare and information operations capabilities against global adversaries.”
When reached for comment on Beskow’s presentation, ARCYBER stated that it “does not have any additional context to add to the referenced presentation or remarks. Beyond that, ARCYBER does not comment on specifics regarding cyber operations, plans, intelligence, and capabilities.”
While the U.S. military’s usage of social network analysis for target development is widely reported, the incorporation of corporate registries is often filtered from high-profile reporting. The trade publication Nextgov quoted senior counsel from the American Civil Liberties Union in 2013 on U.S. Special Operations Command’s questionably legal collaboration with U.S. Immigration and Customs Enforcement on anti-money laundering through the fusion of social media surveillance and financial data. But subsequent headlines in The Washington Post and The New Yorker would — perhaps justifiably — center the Twitter surveillance.
Thanks to a leaked copy of a corporate intelligence firm’s pitch to U.S. Special Operations Command, we now have a clearer picture of how some so-called “Publicly Available Information” contractors collaborate with U.S. military and intelligence agencies on offensive information operations.
(A future article will dive into the fact that the SOCOM/ICE collaboration centered around software developed by Creative Radicals, a “Publicly Available Information” surveillance company which the author recently investigated as: a subcontractor on a SOCOM tactical information warfare contract, a close partner of a company which commercially subverts both leftwing and rightwing protestors, and connected to the training of the Saudi operatives who assassinated Washington Post journalist Jamal Khashoggi.)
Sayari’s Pitch for Military Deception and Offensive Cyber Operations
While previously unreported, a pitch from the corporate records analysis firm Sayari to U.S. Special Operations Command viewed by the author reveals striking details about the tactics, techniques and procedures of offensive U.S. cyber operations, and how they build upon corporate registries. The author is also revealing, based upon observing a product demo, that the corporate records analysis component of the social media and cellphone location-tracking data broker Babel Street has in recent months simply been a thin wrapper around Sayari.
(Neither Sayari nor Babel Street responded to requests for comment.)
Founded in 2015 by two former staffers of an influential US government funded think tank which describes itself as a “testbed” for controversial data fusion company Palantir, Sayari is in some ways an unofficial corporate spinout of The Center for Advanced Defense Studies (C4ADS). One of C4ADS’s primary tools for its US government funded sanctions advocacy is its international corporate records database, Seamless Horizons, which arguably served as the inspiration for the for-profit company Sayari.
Given C4ADS’s sustained high profile influence on coverage of U.S. sanctions policy, as well as their collaboration with prominent counter-disinformation organizations such as the Centre for Information Resilience (CIR), it is notable that C4ADS is closely associated with a company selling its services for offensive U.S. information operations. Especially given that one of the advisors of CIR, former Estonian president Toomas Hendrik Ilves, is a public advocate of the pro-NATO online trolls known as NAFO.
According to a section of Sayari’s pitch entitled “Information Operations”:
Utilizing our underlying hard target data and [Publicly Available Information] Intel Graph Database, our DoD partners use us for the following Info Op workflows... Psychological Operations (target development using our graph database to build targeting packages),
Military Deception (Using our graph database to fully understand a targets broader network to fully understand an adversaries [sic] industrial base),
Operations Security (our global data holdings and graph database allow extra layers of planning as our data and platform allow analysis of adversarial environments and corporate holdings),
OCO (Many of our IC and DOD clientele use our data and platform for a variety of offensive cyber operations [emphasis added], I can put you in touch with them on [The Joint Worldwide Intelligence Communications System] to have that conversation.)
Sayari’s pitch underscores the U.S.-aligned focus of its product by asserting its “deep concentrations in near peer and hard target regions including China, Russia, Iran, DPRK [emphasis theirs], as well as other hard to access regions like Venezuela, Mexico, Africa, Malta, et al.” Sayari’s published reports further emphasize a focus on official U.S. adversaries, including through analyzing Chinese Communist Party cells within private companies and mirroring public blacklists from China’s “social credit system”.
The company’s overview also bragged in a section headlined “Targeting” that its platform contains “over 500 [million] unique entity profiles on persons around the globe with GEOINT lat[itude] and long[itude] coordinates on any known addresses”.
Beyond Sayari’s well-known funding from the primary venture capital arm of the U.S. Intelligence Community, In-Q-Tel, and contracts with the Office of Naval Intelligence, the company’s pitch explicitly named several lesser known partners, including: Army Special Operations Command, Air Force Special Operations Command’s 11th Special Operations Intelligence Squadron, and the Air Force’s 67th Cyberspace Operations Group. But public records analysis suggests that Sayari’s largest federal payout has been from its ongoing $7.9 million ceiling licensing contract with U.S. Customs and Border Protection.
Despite Sayari’s close ties to high profile media sources, polarization surrounding the proxy war in Ukraine and ongoing tensions with China seem likely to blind media coverage to the U.S. military and intelligence community’s overt development of a global, offensive information warfare industry built upon social media surveillance, corporate records analysis and — as the author recently reported — cellphone location-tracking.
Several years ago the author’s FOIA requests revealed that Babel Street — which has since wrapped Sayari for its corporate records capabilities — was selling its cellphone location-tracking product Locate X to the sanctions enforcement arm of the U.S. Treasury (the Office of Foreign Assets Control). An obvious question is whether Babel Street’s full suite of tools, including Sayari, social media surveillance, and cellphone location-tracking data, is being used for target development in U.S. offensive cyber operations.
Perhaps the most concerning issue is the generally unstated proximity of this industry to counter-disinformation organizations and high-profile reporting on U.S. sanctions policy. I’m not quite ready to detail how I gained access to Sayari’s pitch to SOCOM, but, suffice it to say, there is more where it came from.
(If you have any tips about Sayari, Babel Street, or the usage of Publicly Available Information to guide offensive cyber or influence operations, please contact the author, Jack Poulson, on Signal at +1.646.733.6810. You can find Tech Inquiry’s daily-updated feed on the procurement and lobbying activities of Sayari here. Poulson is the Executive Director of Tech Inquiry.)
Appendix
Sayari’s full pitch to U.S. Special Operations Command — which the company categorized under labels including “Military Intelligence”, “Unconventional Warfare”, “Target Detection and Finding”, and “Information Operations” — follows:
High level we are a [Publicly Available Information] Intel provider with multiple funding streams from the [Intelligence Community] (via [In-Q-Tel] work programs) and have multiple DOD clients including [Army North], [Office of Naval Intelligence] (NIMITZ, BROOKS and KENNEDY) [Army Special Operations Command], [Air Force Special Operations Command] 11th [Special Operations Intelligence Squadron], [Air Force] 67th [Cyberspace Operations Group], a growing [Combatant Command] J2 and J3 presence as well many others.
We collect hard to access PAI from around the globe with deep concentrations in near peer and hard target regions including China, Russia, Iran, DPRK, as well as other hard to access regions like Venezuela, Mexico, Africa, Malta, et al.
Think of our capability as being a robust PAI Intel platform and data set that allows your teams of analysts to quickly understand corporate ownership, control and influence while being able to quickly unravel deeply nested foreign ownership/control and/or connectivity to persons or orgs that may compromise national security.
Our primary DOD use cases are as follows:
Information Operations Utilizing our underlying hard target data and PAI Intel Graph Database, our DoD partners use us for the following Info Op workflows... Psychological Operations (target development using our graph database to build targeting packages), Military Deception (Using our graph database to fully understand a targets broader network to fully understand an adversaries industrial base), Operations Security (our global data holdings and graph database allow extra layers of planning as our data and platform allow analysis of adversarial environments and corporate holdings), OCO (Many of our IC and DOD clientele use our data and platform for a variety of offensive cyber operations, I can put you in touch with them on JWICS to have that conversation.)
Economic Impact Offensive and Defensive Analysis (In our platform and with our underlying data you can fully analyze the effect sanctions may have on a specific foreign entity X, but also the ripple effects on entities Y and Z
DOD CFIUS Analysis (using our link analysis and GEOINT to fully understand the organization and person that are purchasing land around our military installations, and quickly understanding their broader network and ties back to adversarial ultimate beneficial ownership)
Mapping Foreign Industrial Bases (our data holdings, graph database allows for link analysis of our adversaries complete industrial base, where an analyst can filter by aviation, naval, munitions manufacturing, etc)
Counter Intelligence Investigations (our platform allows CI units to quickly understand a person's broader network for potential money laundering/ kickback payment concerns or connections to persons or orgs that could compromise national security... we have data and show connections that would not come up in a typical SF 86 based Investigation)
Targeting (We have over 500M unique entity profiles on persons around the globe with GEOINT lat and long coordinates on any known addresses)
Counter Threat Finance (Our global data holdings and platform allow an analyst to "follow the money" in a variety of CTF workflows
The point of contact for Sayari’s pitch, Brian Kesecker, states on his LinkedIn that he joined Sayari’s National Security and Law Enforcement Customer Group to work on Business Development in January 2020. While the pitch is undated, it stands to reason that its last modification took place no earlier than January 2020.
Mr. Kesecker did not respond to repeated requests for comment.