Categories
Saved web pages

Allies and Open Sources: Lessons from Northern Raven, the Largest OSINT Collection Operation in NATO’s History – Modern War Institute

“It’s not my work. It is my existence.”

This simple statement from a Latvian captain participating in the Northern Raven combined collection operation clarified the grave importance he, and many of his fellow analysts from the Baltics, placed on this particular mission. To them, Russia is an existential threat, and the insight this week-long combined open-source intelligence collection operation—the largest in NATO’s history—provided was critical to understanding Russian actions and intentions. Under the auspices of Northern Raven—US Army Europe and Africa’s multinational open-source intelligence (OSINT) program—thirty analysts representing eleven countries had gathered in Finland to collect OSINT, guided by a collection plan developed six months earlier.

While this operation marked the culmination of months of work, its roots stretched back to 2019 when Soldiers from the 66th Military Intelligence Brigade (Theater) met with Polish partners in Bydgoszcz, Poland to collect OSINT on Russian cyberattacks. The operation demonstrated the powerful effect partners can achieve when they align their capabilities: the Poles provided linguistic knowledge while the Americans employed data-mining tools to streamline collection. More bilateral exchanges followed with Canadian, Finnish, Croatian, and Romanian partners. By 2023, Northern Raven had expanded to include staff visits as well as training events and seminars in OSINT tradecraft best practices.

Though Northern Raven had grown in number of participants, its members were not collaborating with one another, just with their American partners. The program’s hub-and-spoke structure—with the United States at the center—didn’t encourage communication among other participants. To maximize its effectiveness and leverage partners’ collection strengths, Northern Raven needed to expand its charter. The solution was to provide a common purpose and operationalize the network—to bring everyone under one roof for a combined collection operation that would harness the expertise of all members and incorporate each step of the intelligence cycle: plan and direct, collect, process and exploit, analyze and produce, disseminate, and assess.

Merging the intelligence priorities, collection methods, and analytic techniques of eleven countries required careful planning. In December 2023, the Army Europe Open Source Center (AEOSC)—the OSINT cell of the 66th Military Intelligence Brigade (Theater)—hosted partners in Wiesbaden for a working group to define and direct collection requirements. This led to the creation of the first standing Northern Raven collection plan, which set requirements for fiscal year 2024. Rather than attempting during the operation to temporarily synchronize collection efforts designed to address divergent priorities, partners hardwired interoperability into their intelligence activities from the start.

In the months after the working group, partners communicated regularly on the results of their collection. They shared requests for information, refined the collection plan, and uploaded relevant products to the National Geospatial-Intelligence Agency’s Protected Internet eXchange (PIX) website, a secure but unclassified US government-sponsored information dissemination and sharing tool. Such routine collaboration transformed intelligence sharing from ad hoc exchanges—uncoordinated and often reliant on strong personal relationships—to formalized practice. Cooperation was persistent and focused on shared requirements, rather than episodic.

Eleven NATO nations gathered in Riihimäki, Finland in May 2024 for the culminating combined collection operation. Once in Finland, the group divided into five collection teams based on preassigned requirements. Each was structured to reflect a range of skills, nationalities, and collection capabilities. Partners with access to nonstandard tools such as the AI-powered Babel Street Insights platform were placed on different teams while each team was allocated at least one Russian speaker. The fact that most European partners were permitted to use burner phones to create accounts on social media platforms significantly enhanced the group’s ability to provide critical information to commanders. The organizational structure was decidedly flat: participants operated as a constellation of dynamic teams, experimenting and improvising with the best techniques for collection, processing, and exploitation.

For example, when a partner stumbled across a Telegram post by a Ukrainian milblogger that listed towns where Russian forces were alleged to be unloading equipment, he passed the locations to a member of his team currently serving in a cyber defense unit. Using a Python script he developed, the programmer-turned-intel officer was able to extract usernames and photos associated with Telegram accounts in the area. (Several photos featured soldiers posing in uniform, their unit patches clearly visible.) The partner plugged the usernames into other Russian social media platforms to gather more information before passing the photos to another colleague who proceeded to geolocate some of the buildings. After performing additional searches, the partner discovered videos of the same unit in three of the identified locations, corroborating his colleagues’ earlier findings. With this information, the team was able to map the logistical and transit routes taken by units moving toward Kharkiv.

By leveraging partners’ complementary strengths—whether regional knowledge, language ability, or access to specialized tools—Northern Raven created powerful synergies. Months of planning had bred trust and a shared sense of the operation’s overarching purpose. Everyone owned the mission. This made the teams agile and adaptive, able to craft a coordinated response to real-time developments.

Pooling partners’ skill sets and best practices expanded and sharpened the collection and processing of intelligence. It also reinforced the need to better integrate emerging technologies into OSINT operations. Northern Raven presents a unique opportunity to combine these activities: improving interoperability with partners and embracing new technologies to collect and evaluate open-source information. To that end, partners are creating a repository on a software developers’ platform that allows members to create, store, manage, and share their code. This enables partners to exchange tools and technical data, including software, map layers, AI models, and OSINT source lists. Its goals are twofold: to improve efficiency by sharing resources and increase interoperability through the use of common formats for data exchange. The platform could also serve as a test bed for technologies that hold the potential to unlock deeper and wider data-driven insights. By tapping the rich vein of Northern Raven’s growing network, NATO allies can capitalize on existing efforts to develop and adopt new capabilities.

While it is too soon to draw firm conclusions about the impact of Northern Raven’s approach to partner relationships, several initial takeaways emerge. First, it is not enough to set requirements and build collection plans together; to increase buy-in, the United States must empower partners to shape the collection effort in areas of particular importance to their intelligence enterprises. An approach that centers partners in the pursuit of their own priorities—areas where they are likely to possess special expertise—also optimizes collection capabilities, allowing for greater burden-sharing.

Second, partners must build ownership for Northern Raven among their leadership and secure resources. While AEOSC has lent structure and predictability to multinational OSINT—formalizing its processes and programming—long-term success will depend on sustained funding and organizational buy-in. As NATO members establish permanent OSINT organizations within their militaries, Northern Raven can serve as a unifying operation by which all analysts regularly coordinate and communicate, but that will also require programmed, predictable budgets.

Next, from a US Army perspective, Army OSINT must develop a rigorous framework for assessing the effectiveness of Northern Raven’s burgeoning suite of programs. Doing so will require the AEOSC to articulate what it wants to accomplish and identify the causal relationships that link Northern Raven’s activities to those outcomes. The team’s members must continuously ask themselves: What is working, what is not, and how does this achieve commanders’ requirements?

To meet the demands of this comprehensive approach to partner engagement, OSINT teams may also need to create new roles and responsibilities for their soldiers. The AEOSC created a new position, the partner integration lead, responsible for securing PIX and Digital Globe accounts for partners, as well as a dissemination manager to improve the reach—and track the circulation—of multinational products. To mitigate training shortfalls among partners, the AEOSC developed an exportable OSINT course, tailored for both in-person and virtual learning environments, which noncommissioned officers on the team instruct.

These types of activities not only present US soldiers with unique and meaningful opportunities, but also provide a purpose that increases their commitment to Army service. Exposure to new tools and data practices deepens their OSINT tradecraft knowledge while frequent interactions with partners prepare them to operate in culturally diverse coalition environments. Northern Raven also serves as a retention incentive. As one soldier remarked recently, “If I got out of the Army, I wouldn’t be able to call my mom and say, ‘Today I helped Sweden stand up its OSINT shop.’”

In less than a year, Northern Raven has evolved from a series of bilateral engagements into persistent cooperation across the entire intelligence cycle. Northern Raven enhances units’ readiness, preparing soldiers from all nations to write OSINT products that can be quickly released for consumption across the coalition. Training between partners, with real data on real networks, builds OSINT capacity across Europe, bringing us closer to a world in which every ally is a sensor. Finally, Northern Raven’s evolution into a multifaceted program integral to day-to-day operations creates opportunities for professional growth while exposure to partners’ analytic techniques upskills every analyst in the operation.

Though barriers to cooperation remain, relationships are no longer confined to physical engagement. Partners plan, train, and operate as one multinational team. With US and NATO military planning increasingly integrated, the ability to merge national-level processes into a single operation that capitalizes on partner expertise has never been more important. Knowing the enemy through open-source intelligence is not just our work, it is our intelligence team’s central purpose.

Colonel Christina Bembenek is the commander of the 66th Military Intelligence Brigade (Theater). She has served in multiple tactical, operational, and strategic intelligence assignments and was the first commandant of the Military Intelligence Corps.

Captain Chels Michta was the former officer in charge of the Army Europe OSINT Center and currently serves as an intelligence officer in the 66th Military Intelligence Brigade (Theater) All Source Control Element. She is also a 2023 Atlantic Council Millenium Fellow.

The views expressed are those of the authors and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.

Image credit: Staff Sgt. Chad Menegay, US Army