Welcome to the SecAware blog

I spy with my beady eye ...

23 Aug 2016

The Navy lark

The official US navy report into an embarrassing incident in the Arabian Gulf at the start of this year is well worth reading.

In short, the incident involved two US navy patrol boats straying into Iranian territorial waters around Farsi Island, one of them suffering a mechanical failure, then both being intercepted by an armed force of Iranians from the island. Without a shot being fired, the navy crews were 'captured', taken to the island, interrogated, video'd and released the next day. No big deal in the grand scheme of things ... but distinctly embarrassing for the US navy and government, as well as those directly involved.  

The lightly-redacted report was produced by an official investigation into the incident and, as usual for such things, it points the finger at a number of contributory factors, systemic issues or root causes that failed to prevent or avoid the incident. As usual, the wording is quite formalized, stilted and circumspect in places but if you read it carefully, the core messages sing out like one of Dame Kiri Te Kanewa's most powerful arias.  Here are just a few of the issues mentioned in the report (I'm paraphrasing, somewhat cynically):

  • The boat crews were new to the Gulf, not acclimatized to the heat, and poorly prepared for their new roles
  • The boats were poorly maintained, with various issues around the on-shore maintenance facilities and budget/resource constraints: they should not have set to sea in the first place
  • The mission was substantially longer than normal with a nighttime refuelling stop at sea and the crews were inexperienced in both regards - in other words, it was known to be a risky venture
  • All manner of proper procedures were not followed, with a substantial amount of miscommunication and numerous communications failures (exacerbated by the mixture of classified and nonclassified comms, a multitude of systems and technical issues)
  • Even the written logs have conflicting, missing and erroneous information, making them unreliable as formal records hence frustrating the post-incident investigation
  • Some people were certified competent without, it seems, completing the corresponding schooling and qualification, at least not to the appropriate level of assurance due in part to inadequate training
  • Genuine concerns about the mission and more generally were repeatedly dismissed or disregarded by more senior officers, thanks in large part to the predominant 'yes sir' culture and morale issues 
  • The roles and responsibilities among the boat crews (including navigation, crucially, as well as their command and control structure, hierarchy or authority) were unclear
  • The on-board GPS system was not 'loaded with crypto' ... and would presumably have reverted to the normal civilian resolution (surely good enough to identify Farsi Island?)
  • The pre-notified route through the middle of the Gulf would have been well clear of the island but having left port late due to earlier issues, the boats took a more direct straight-line route to save time and avoid bad weather, despite continuing communications issues and concerns
  • Some messages were passed to shore including several positions indicating they were well off the planned course, but they were not all passed on correctly or plotted, hence the course deviation that led to the incident was not properly flagged up as an issue
  • At one point, an on-shore navigation system was out of action as it was being rebooted, a planned daily occurrence (!)
  • As Farsi Island came into sight, the boats were essentially lost. One captain realized they must be in territorial waters but didn't know which nation (!!). The Island sighting was not reported up the line. The crews claimed they thought they were 3 to 5 miles away whereas in fact they were just 1.6 miles from the island. They did not adopt defensive positions
  • The navy crews were unable to communicate with the approaching Iranians
  • During and following their capture and interrogation (i.e. under duress), crew members only partially recalled and followed the code of conduct and training for such eventualities, perhaps reflecting a lack of clarity in the official guidance concerning the particular circumstances of this incident
The sting in the tail is that this incident could easily have been much worse. Aside from the likely injuries or deaths if the navy crews had defended themselves and resisted capture (assuming they were actually capable of using their weapons - some of which weren't properly mounted), the incident could have sparked an escalation of the conflict in the area, leading to serious military and political consequences at least. One of the navy captains reportedly thought about the possibility of sparking a US-Iran war by over-reacting to the approaching Iranian boats, repeatedly referring to the incident as a 'misunderstanding'. 

The report claims quite indignantly, repeatedly and at some length, that the navy boats should have been allowed "innocent passage" by the Iranians and had "sovereign immunity", but notes also that Iranian laws impose special conditions for military vehicles. This whiffs of sour grapes to me, perhaps an attempt by the powers that be to deflect attention from the numerous shortcomings.

The context and lead-up is far more complex than my comments imply and, despite the effort that went into the investigation and the report, there is undoubtedly much more to it than was reported - such is the nature of incident investigation and auditing, both in general and especially in such highly-charged situations, within an embarrassed military organization no less. The published report is the tip of a huge iceberg of findings, concerns and suspicions that remain largely out of sight. Only the few findings that are substantiated by credible if not undeniable evidence gathered by the investigators (the "Findings of fact", in the stilted language of the report) are officially reported, at least in theory. However, diligent investigators and experienced auditors have creative ways to put their real points across, despite the interminable 'file reviews' and private discussions that no doubt took place between them and their subjects - or rather their respective bosses. What we see in print leaves out more than it says, but gives clues as to what we're missing.

Juxtaposition for instance. In one paragraph we read very matter-of-factly that a senior navy officer denied knowing that there were any maintenance issues with the boats. The very next equally matter-o'-fact paragraph points out that the officer chaired a regular meeting about boat maintenance (clearly implying that he either did know, or should have known about the problems that led to a boat being stranded in Iranian waters). The report often gives such hints but leaves the reader to draw their own conclusion. It's not hard.

As to determining and bottoming-out the root causes, the investigation does not appear as comprehensive or effective as I would have liked. It only went a fathom or two down into a deep sea trench. Most of the issues identified in the report presumably result from issues further upstream, and additional contributory factors and decisions that were not explored, or not reported anyway. I wish the investigator/s had continued probing instead of moving on to other issues after each revelation ... but it is what it is.

Aside from the obvious value of this report to the navy, it has much wider application, raising awkward questions for all organizations such as:
  • Does our corporate culture enable and support dissent, giving people legitimate opportunities to speak up about issues and concerns, knowing that they will be investigated and taken seriously? Or do we deliberately or inadvertently stifle bad news and (inappropriately) 'refuse to take no for an answer'?
  • Do our people have the wherewithal to spot and report issues and concerns? Is it expected of us all, in fact? Are we encouraged and motivated, as well as enabled, to speak up?
  • Does our command structure clearly allocate responsibilities and accountabilities, to people who are in fact fully competent to fulfil their obligations even under especially challenging and stressful situations such as serious incidents or inappropriate/dangerous commands? 
  • Are our policies, procedures, training courses and exercises sufficiently clear and effective in preparing people for all the situations we may face, including special arrangements for high-risk and novel situations? Do we remember and follow our training, in fact? Are we even checking that?
  • Do we identify and manage information risks properly, with the appropriate early-warning and response mechanisms in place to escalate matters if risks are becoming unacceptable, and to strengthen and monitor key controls?
  • Do our networks, IT systems and associated processes adequately facilitate effective, timely communications, even when under intense pressure? Are they reliable and resilient, for sure? Do they enable critical messages to be prioritized and monitored (e.g. mechanisms to ensure that they are delivered, received, acted upon and closed off, rather than being ignored, with fall-back mechanisms such as out-of-band messaging)?
  • Do we have the right governance arrangements and capabilities to investigate and learn from incidents, squeezing every drop of value from situations that those involved might wish were swept under the carpet?
At least those are my take-aways. What about you? What do you think?


No comments:

Post a Comment