Iran War Shows Adversaries Can Exploit Big Data, Too
As the war between the United States and Iran reaches a ceasefire, U.S. Central Command (CENTCOM) has received reports of an alarming activity, the first known of its kind: a U.S. adversary using commercial location data to track and target U.S. forces in the Middle East. This likely refers to data on the latitude, longitude, and identifiers of a specific mobile device, obtained via advertising technology, data-selling, or other systems. It is far more than an isolated incident in one region. An adversary, likely Iran, using commercial location data in this fashion—tapping into the sea of commercial data to enable military or intelligence operations—spotlights a major vulnerability in the United States’ digital footprint.
Some in the U.S. government may view the availability of open-source and commercial data as wholly advantageous to U.S. national security, thinking only about how open data could be used for U.S. missions. But the Iran war has exposed just how easily U.S. foreign adversaries can access much of the same data for their own ends—including tracking and targeting military service members. Decision-makers must overhaul their data security thinking to plug current gaps and mitigate these risks in future security and warfare.
Open-source information has absolutely exploded online in the past few decades. This data, accessible without a paywall to anyone with an internet connection, spans websites, public-facing social media sites, free commercial satellite imagery platforms, and even artificial intelligence (AI) models that let users query them, for free, without an account. Some open information sources are global in reach and coverage, such as Meta’s Facebook or Google’s free Google Earth. Other sources are more region specific, such as the social media platforms VK in Russia and Weibo in China (even though their “open” nature is variable if you are not within the country in question).
Beyond what anyone with an internet connection can view, thousands of data brokers operate businesses focused on collecting, inferring, packaging, and selling people’s data. The data broker industry collectively aggregates and sells information about people’s marital status, religious beliefs, sexual orientation, income, debts, health conditions, prescriptions, medical procedures, IP addresses, devices used, travels, and even real-time GPS locations from smartphones. Some data brokers sell thousands of data points on a single person, often with horrendously weak background checks and vetting—almost always without any semblance of consumer consent. Bad actors can outright or deceptively purchase this data.
The Iran war has further exposed how naive it would be to assume that only the U.S. government can leverage this open and commercial data explosion for military and other ends.
Before the recent allegations about Iran came to light, private-sector firms in China were exploiting this current state of affairs on the open-source information side. As the U.S. struck Iran in March and the war erupted, a number of Chinese companies, including some with ties to China’s People’s Liberation Army, began marketing capabilities purporting to “expose” U.S. military movements in the Middle East. For example, as the Washington Post described it, the firm MizarVision uses “a mix of Western and Chinese data filtered through AI to catalogue activity at U.S. bases in the Middle East, track naval movements, and identify the position and number of specific aircraft and missile defense systems.” This represented the fusion of AI technologies, open-source information, and privately marketed analysis into a capability that China’s military could ostensibly use—including, if it wanted, to share insights with other adversarial governments.
More recently, a bipartisan letter from two senators publicized reports to CENTCOM about the adversarial use of commercial location data in the Middle East. CENTCOM said it “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater.” While CENTCOM did not name the country, it is fair to assume it is probably Iran, because it is the one involved in the war, and if not, then China or Russia, because they are technologically sophisticated and interested in the war. Calling the location data “commercial,” though, clearly refers to the exploitation of U.S.-related data that could be transmitted through advertising technology systems, sold by data brokers, and more.
To better protect their personnel and missions in future conflicts and intelligence activity, Western military, intelligence, and national security decision-makers must address three pressing shifts in big data: the interplay of privacy and security, adversaries’ comparative advantages in exploiting big data, and how data exposure can shape security planning.
The first shift centers the privacy-national security intersection. Gaps in consumer privacy laws, including those left in for national security reasons, can backfire on governments and become national security threats. For example, many countries, even in Europe, have failed to strongly regulate data brokers trafficking in people’s data (which can itself then impact U.S. national security, too). Such a failure enhances the targeting risk that a U.S. adversary (again, ostensibly Iran) allegedly demonstrated against U.S. forces. More data can be collected, inferred, bought, and sold about populations, locations, and activities, including those in the national security sphere. When the commercial data ecosystem is so expansive and porous, engaged in so many data sales every single day, it is even easier for adversaries to slip in under the radar.
Second, U.S. decision-makers must recognize that the actors who can do the most national security damage with open and commercial data are sophisticated foreign adversaries. Having access to open-source information and commercial data is one thing. But having the money and data storage to acquire it, computing power to process it, knowledge to contextualize it, and rigorous analytical processes to turn it into decision-enabling intelligence—that is an entirely different animal.
In this data-pervasive world, organizations with advanced military and intelligence capabilities, such as Iran, China, Russia, and the like, are best positioned to acquire, process, and use open and commercial data to recruit Western spies, analyze Western government facilities, profile key decision-makers, and even track and target armed forces. Policies to reduce open-source data exposure, restrict data brokers’ data sales, and limit data collection at the source will fail in the national security arena if the main and only threat actors in mind are ill-intentioned hobbyists or meandering cybercriminals. Systemic risk mitigations for the open and commercial data explosion must focus on sophisticated nation-states, too, and their persistent interests in government personnel, locations, and activities.
Third, the United States will need to account for this reality in any future strategic or operational planning. Cybersecurity experts, counterintelligence professionals, and war planners cannot assume that the adversary only has access to data and information it has hacked (as prolific as its hacking may be). Indeed, MizarVision in China said it “quickly identified” the locations of U.S. equipment and weapons in the lead-up to the war as well as U.S. carrier groups’ refueling patterns. Understanding what governments in Iran, China, and Russia, among others, can know about U.S. military deployments, security experts, or government facilities through open-source information and commercial data will be vital to developing mitigations. It will also be essential for the United States (and its key allies and partners) to not botch a covert or surprise action.
Even if the U.S.-Iran war has reached a ceasefire for now, the connection between data privacy and national security—even operational security for deployed military personnel—persists. Any future military action will feel its impact. What matters now is whether U.S. decision-makers will act to plug the many gaps that still threaten national security.
