SPACE Analysis

Pinterest LinkedIn Tumblr +
Print Friendly, PDF & Email

Last Updated on August 6, 2015

With the focus on NSA and regime surveillance still at the front of our minds, I just wanted to write some thoughts (and doctrine) regarding friendly indicators of communication.  I still need to finish the prior OPSEC article but consider this an addendum in advance.

On the subject of link analysis (of which I still need to pen a lengthy dissertation, as it’s the bread and butter of just about any analysis of an insurgency or resistance movement), consider yourselves pegged.

During my last tour in Afghanistan, Palantir was quickly becoming the sweetheart analysis software of the Army and Marine Corps.  Before I deployed, I sat through a class offered by the company, and immediately recognized that it’s great software.  Intelligently designed, easy to use, top-notch functionality, and categorization options allow an end-user to drill down and really dissect the adversary and surrounding events.  It is, however, only as powerful as the end-user allows it to be.

By the time I left the intelligence community, I had become disillusioned with the state of the average analyst (though not every analyst) and his leadership which is more interested in developing the latest tools instead developing the minds of their analysts.  Intelligence analysis is, and likely will be for as long as I’m alive (which I’m hoping is a long time), 80% investigation and 20% tools.  Without a highly inquisitive mind motivated to find the solutions to unanswered or seemingly unanswerable questions and the proper analytical methods to pick apart your adversary, your analysis of information of intelligence value will be found wanting.  But I digress…

SPACE is an acronym that every good analyst should use in link analysis, among other methods.  Its roots are in our operational security (OPSEC) manual, and when the adversary doesn’t care enough to implement SPACE into his OPSEC considerations, it’s our job as collectors and analyzers of information to exploit their mistakes.

One of the things an analyst should consider of his adversary are his vulnerabilities, which makes OPSEC so damned important to both parties.  In SPACE, we are presented with invisible vulnerabilities: indicators that aren’t often considered and don’t appear to be vulnerabilities on their faces, but are useful nonetheless when applied to the enemy operating picture through link analysis.

Keep SPACE in mind when inventorying your own OPSEC measures.  It may be the case that the analyst assigned to you fails to consider them.  Then again, maybe he doesn’t.  And, as with most topics that appear on this blog, each piece of information from the SPACE method is cumulative; each on its own isn’t as powerful as when they are all taken into consideration.  Also take into consideration that SPACE is useful when analyzing many different types of information and organizations, and so the example I use don’t pertain to any one particular type of analysis.

S – Signature.

Signatures are identifiable, unique, and stable to an individual or group of individuals.  A signature is an encrypted or signed email, or a message from a specific phone or email address, or a semantic tell [the way you write things, or a reference or colloquialism like “jeebus” or “y’all” in communication (h/t LastBox for the reminder)].  These are pieces of a puzzle that can be collected and analyzed to form a better understanding of individual standard operating procedure or tactics, techniques, and procedures.  A signature is something standardized (or roughly standardized) in the way you operate that may identify you as being separate from someone else, much like a signature recipe is to a chef.  Serial killers have signatures.  Gangs and gang members have signatures.  You will never mistake the sound of a monster truck for that of a Toyota Prius, or a dog’s bark for a cat’s meow.  PEOPLE WHO ALWAYS WRITE IN ALL CAPS IS A SIGNATURE.  Observed over time, the way you communicate likely presents a signature.  A signature may not always be deliberate, but it’s a calling card that helps an analyst identify a specific, and perhaps anonymous, individual.

P – Profile.

Signatures may develop a pattern of indicators called a profile.  When presented with two separate but anonymous individuals, our first step towards identification is to develop a profile.  For instance, in Afghanistan a convoy of jingle trucks led and followed by a couple gun trucks fits the profile of a supply convoy.  No one would mistake this profile for that of a US security patrol or raid.  In each case, the jingle truck differentiates itself from others by its signature, the same as a gun truck would.  You’d never mistake a jingle truck for a gun truck; but, added together, we get the supply convoy profile.  Another example would be a customer wearing a Ford baseball cap in a gas station purchasing $50 of diesel fuel.  If forced to guess, would you conclude that he drives a 3/4-ton Ford pickup or a Toyota Prius?  If you stopped at a red light behind a camouflage-painted Ford Ranger with two Browning stickers and a Size Matters deer antler decal, would you expect the driver to be wearing an Obama ’16 t-shirt and a drinking a cup of Starbucks blended no-fat mango mocha latte frappachino, extra whipped cream?  No, because his signatures fit a specific profile.

A – Associations.

Associations help adversaries to interpret actions. Good analysis is about identifying indicators and patterns in order to predict a future event.  We aks ourselves, is one event associated to another and, if so, what does that tell us about the two events?  These events could be phone calls, emails, travel patterns (such as to and from dead drop locations) – all indicators of communication – associated to specific events like a source meet, surveillance route, or direct action mission.  In any specific case, we might identify a pattern of control-to-actor communication before an event, and therefore associate the two.  In Iraq, perhaps it’s the case that when one specific phone number calls another specific phone number, there’s a sectarian bombing against the civilian populace the next day, but only when those two specific numbers communicate.  That communication is an indicator and we form associations.  The next time we see those two phones light up, maybe we beef up security, harden our fixed targets, or remove the possible target altogether.

C – Contrast.

What are the expected communications, actions, battle rhythms, or operational tempos from a profile?  If Phone A usually calls and speaks to other phones, but he only sends texts to one phone in particular, that’s a contrast.  It’s something outside the normal range of operations.  That could be an indicator of a specific, future event.  If every day for a month you make five phone calls, but one day you make 15, then I will observe a contrast in what I’m expecting from you.  That may indicate nothing significant by itself – maybe your kids are sick and you’re calling the babysitter every half hour for an update – but when considered in SPACE, this could alert us to something significant.  If your weekly grocery store purchases are generally in the range of $100-200, but one week you spend $600, then we see a contrast.  What does that signal?

E – Exposure.

Exposure consists of three factors: duration, repetition, and timing, and they each affect importance and meaning.  Phone calls placed at random iterations, each lasting for two hours, is an example of duration exposure.  The same is said for phone calls twice a day that last for ten seconds.  If a message is sent out every night at 1900, that’s both repetition and timing exposure.  Identification of exposure can help us form a pattern of life.  From then, when combined with other SPACE factors, we can really flesh out a lot about you, even if you remain anonymous to us.  These things give us a much better idea of where you fit into your organization.


Use these five considerations to build a better mousetrap for yourself (re: OPSEC), and also to become a better analyst.  Many analytical methods we use today are the result of dozens of years of refinement.  Some are probably refined and pondered enough so that no improvement is necessary.  I think this might be one, but I’m sure the community could fit one more letter in.  Just make sure it’s a real word because all the best systems and functions fit into acronyms that are real words.

Samuel Culper III is former intelligence, a combat veteran, three percenter, and proud resident of the American Redoubt.  He can be reached at sam (at) guerrillamerica dot com.

0 0 votes
Article Rating
Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x