The History of CARVER


The Fat Guy
29 July 2009, 16:33
Fellas,

In 2003 while serving as the Director of the US Army Homeland Security Threats Office, I reverse engineered the CARVER Targeting tool to conduct vulnerability assessments on critical infrastructure. We called it CARVER+Shock. As I continue to develop and refine the process, some of my colleagues are looking into the history of CARVER. I know back in the 70's it was initially CARVE as per the 1972 version of FM 34-36. Does anyone know more about the history? Have a copy of the older FM? Know when we added the R at the end, etc.?

Any historical insight would be greatly appreciated.

Thanks

Tracy
30 July 2009, 05:14
Fellas,

In 2003 while serving as the Director of the US Army Homeland Security Threats Office, I reverse engineered the CARVER Targeting tool to conduct vulnerability assessments on critical infrastructure. We called it CARVER+Shock. As I continue to develop and refine the process, some of my colleagues are looking into the history of CARVER. I know back in the 70's it was initially CARVE as per the 1972 version of FM 34-36. Does anyone know more about the history? Have a copy of the older FM? Know when we added the R at the end, etc.?

Any historical insight would be greatly appreciated.

Thanks

The Demo and Phase-3 committees taught CARVE and CARVER in 1977 and 1978. We (Officer's Committee) taught CARVER in 1981. The key difference was the 'E': It could stand for 'Espy' or "Effect on populace". The Demo Committee decided to replace 'Espy' with 'R' for 'Recognizability'; which is both easier to memorize and ensures both effects are considered.

Contrary to the "Gospel According to Booze-Allen-Hamilton", the CARVE/CARVER target analysis process was first developed and used by US Army Special Forces back as far as the late fifties. The reason I know was my exposure and tutelage under the first-generation SF Soldiers. It was not invented by the Ranger Regiment or NSW. They use it extensively the way it was designed, but the progenitors were SF and the OSS in WW2.

Sabotage as a part of Unconventional Warfare was heavily emphasized. This meant using tradecraft techniques to clandestinely gather the necessary information germane to sabotage. The mnemonic CARVE(R) was the "aide-memoire" to help gather the right information.

CARVER is a six-column by five-row matrix. For each target, a rating of 1-5 is given for each column. A '5' rating meant it favored the saboteur; whereas a '1' meant it favored the target. The best score for the saboteur was 30 (6 x 5); the worst being a 6 (6 x 1).

CARVER is not a two-hour class and a piece of software. It's a program designed to help US Army Special Forces personnel destroy selected target systems in support of National Objectives. Initial training lasts weeks and requires a minimum SECRET security clearance. Refresher training lasts for years without ever repeating; and the assessments themselves are only good for one year at the maximum. After that, they need rework.

CARVER is almost as subjective as it is objective. It also requires peer-review to ensure the assessor didn't overdose on 'Hollywood' when making the assessment.

Some very common mistakes made by untrained personnel using CARVER:
1) Lack of knowledge of the target system or its components.

2) Lack of knowledge of the types of threats prevalent, or that can be used, in the area.

3) Using the CARVER process as a means of protection; rather than as a means of sabotage. The matrix can be adjusted to support force protection, but most don't know how.

4) Using one CARVER assessment to address multiple types of threats.

5) Doing CARVER assessments at the wrong scope level. This is especially dangerous because of the "false-positive" results it can generate.

6) Using computers to do the assessment. A numeric rating is a "quick look" to help filter through entire target complexes. Every CARVER assessment requires a detailed written narration for each column rating. I never saw a good CARVER assessment less than two handwritten pages long; for one component using one means of sabotage.

I served in an SF unit where we performed real-world CARVER assessments for close to 10 years; as well as kept those assessments continuously updated. I spent the last six years doing the same thing as a civilian on a part-time basis. Used them too.

I was a keynote speaker on Critical Infrastructure Protection at the 2003 and 2004 TREXPO Conferences. I spent half of the seminar just going over how to apply CARVER as a force protection tool for small municipalities through the police, fire and rescue units.

Certain contract teams got blown out of the water when they tried a "Wizard of Oz" presentation on me for their software that will stop terrorism. Not so much. :smile: Admittedly, I had fun with that chew toy...

The biggest mistake I see in pitching CARVER support is the target audience. The folks that need proper assessment can't afford what the Fortune 1000 Companies are selling. If the city hall for a town of 30,000 people can't afford it, it's worthless. On the flip side, municipalities that think that an S&P-500 Rating is a better indicator of performance than anything else are in for a rude surprise.

That's why I always ran "Train the Trainer" programs for CARVER vice "Miracle-Gro Target Protection". For free to municipalities.

Training, common sense, continuous review, index cards and a good number-2 pencil are the key ingredients.

End of message, end of transmission.

Enough history? :biggrin:

ExSquid
30 July 2009, 15:24
I just assumed Ernie invented it.

x/S

MakoZeroSix
30 July 2009, 18:04
CARVER rules. No better tool for convincing nervous staff officers to let an SF team knock down a door...

The Fat Guy
30 July 2009, 22:36
Tracy,

Finally, someone who feels my pain. I have been refining the use of CARVER (CARVER+Shock) to assess vulnerability for the last 7 years. My first notable effort was assessing food and Ag products for the White House Homeland Security Council. I have since then done power sector, IT systems, Ports, LNG facilities and pipelines to name a few. I agree that there are many rookies out there, especially from the USDA that worked with me that called themselves experts. I had one lady whom I never met state at the 2006 Agroterrorism conference that she was the Nation's expert in using CARVER to assess vulnerability in Food and Ag. I hated to pull her player card but it had to be done.

My refinement process includes concentrating on target characterization from systems into subsystems, complexes and components, which I broke down into Service Providers (normally humans, sometimes service animals); Equipment and Infrastructure (trucks, equipment, etc., things not consumed in the process); Consumables (fuel, air, water, food, ammo, etc.); and Cyber and Commo, which includes frequencies, intellectual property, and software and hardware. Every system can be broken down into these four components.

Another thing I do is teach the importance of establishing good definitions for each part of the mnemonic and ensuring your scoring is sensitive enough to separate out the risk.

I also teach how not to share the numbers but let them tell the story as to where the risk lies within the system.

I was called about the software that is out there, it was written by a national lab. I told them this was art and analysis and not a software solvable solution. They received millions to produce a tool that is, well, useless.

I can PM some other info if you are interested.

Thanks for the note.

Justaclerk
30 July 2009, 23:03
I deal with software integration of complex systems every day and I'm here to tell you (and shout from the rooftops): WITHOUT CONSIDERING THE HUMAN FACTORS ELEMENT SOFTWARE IS A COMPLETE WASTE OF BANDWIDTH.

Thank you Tracy and FG for your historical insights into this remarkable program.

Tracy
31 July 2009, 02:08
CARVER rules. No better tool for convincing nervous staff officers to let an SF team knock down a door...

A decent Target Analysis briefing usually closed out with a non-SF person saying "You People are some scary SOBs."

Then the Group SGMs come by and pop the ego balloon... :biggrin:

SdAufKla
31 July 2009, 03:16
I see the results about every other month as some new smart guy tries to use CARVER or some variation thereof to predict terrorist targets. The Power Point slides come across the system, and the boss gets his chair seat all wet.

All of them are looking for the easy way out, a way that requires little to no thought or real analysis. They just want to plug in the numbers and have the answers miraculously appear.

The fundamental problem that they all eventually run into, and that most fail to see when they do, is that to use this system one must first know the objectives of the attacking group. Without knowing what they want to do and why they want to do it, no rational analysis of most of the criteria is possible.

When we in SF use it, we know what we are trying to do with our own strategy and goals, and that knowledge allows us to make the rational comparisons across all of the selection criteria for the particular mission. We are also able to put the results in the context of our own METT-T-P situation. The best targets are not always the ones that are actually "attackable" in a practical sense. Even the best CARVER analysis cannot be used in a vacuum.

When intell analysts attempt to use this system (or variations) as a predictive tool for terrorist COAs, it fails because they haven't done the initial work on determining the goals of and resources available to the predicted threat group.

You have to first be able to think like a terrorist before you can apply CARVER to the terrorist's situation. CARVER is a tool that you use after you know what you want to do.

Tracy
31 July 2009, 04:47
Tracy,

...I was called about the software that is out there, it was written by a national lab. I told them this was art and analysis and not a software solvable solution. They received millions to produce a tool that is, well, useless.

I can PM some other info if you are interested.

Thanks for the note.

Ten point scale, one size fits all, highlights everything but the DTG the terrorists will kill you? If it's the program I think it is, no thank you... :smile:

Tracy
31 July 2009, 05:33
I see the results about every other month as some new smart guy tries to use CARVER or some variation thereof to predict terrorist targets. The Power Point slides come across the system, and the boss gets his chair seat all wet.

All of them are looking for the easy way out, a way that requires little to no thought or real analysis. They just want to plug in the numbers and have the answers miraculously appear.

The fundamental problem that they all eventually run into, and that most fail to see when they do, is that to use this system one must first know the objectives of the attacking group. Without knowing what they want to do and why they want to do it, no rational analysis of most of the criteria is possible.

When we in SF use it, we know what we are trying to do with our own strategy and goals, and that knowledge allows us to make the rational comparisons across all of the selection criteria for the particular mission. We are also able to put the results in the context of our own METT-T-P situation. The best targets are not always the ones that are actually "attackable" in a practical sense. Even the best CARVER analysis cannot be used in a vacuum.

When intell analysts attempt to use this system (or variations) as a predictive tool for terrorist COAs, it fails because they haven't done the initial work on determining the goals of and resources available to the predicted threat group.

You have to first be able to think like a terrorist before you can apply CARVER to the terrorist's situation. CARVER is a tool that you use after you know what you want to do.

For all the Federal, State and Local Agencies: Take the whole quote above, print it out and post it on your wall. The highlighted areas are key.

The reason I don't like working with FEMA or DHS is every stinking time (twice in six years) I try to set up an FID grant program for local organizations for this stuff; it either gets shut down; or a billion-dollar corporation has some magical silver bullet that has no basis in reality.

Here's my fantasy: Gather up qualified retired SOF, Intelligence (Weather, Enemy & Terrain) and other MOSs; and form a few civilian FOBs in the USA. Their mission is to train and assist local municipalities with identifying and analyzing their infrastructure. Use the KISS principle. Paid for by the Federal government; completely free of charge.

We do this same mission overseas every single day on every major continent. Yet we can't focus enough to help our own.

Instead of just terrorism, focus on natural disasters, major accidents, special security events AND terrorism.

Here's a BIG clue: Watch the SOF Bubbas. If they start edging away from you or call in sick, you're about to have a Bad Day. ;)

MakoZeroSix
31 July 2009, 09:27
Then the Group SGMs come by and pop the ego balloon...

Yeah, and they do it like this:

"Nice brief, SFC Mako- now CUT THOSE GODDAMNED SIDEBURNS!" :biggrin:

Greenhat
31 July 2009, 15:07
Here's a BIG clue: Watch the SOF Bubbas. If they start edging away from you or call in sick, you're about to have a Bad Day. ;)

:biggrin:

The Fat Guy
31 July 2009, 19:28
Ten point scale, one size fits all, highlights everything but the DTG the terrorists will kill you? If it's the program I think it is, no thank you... :smile:

Roger that, no thanks. They brag about doing in hours what takes me days. People call and ask me about the software and I tell them "If you were having open heart surgery that takes 18 hours, would you want someone to use software to get it done in 30 minutes?" If they say yes, I ask them the last time their computer crashed or they had a malformed table in MS Word. Normally I get "Hmmmm, I see your point."

Ref the next terror target, all it does is identify the relative risk of all of the components for a specific set of infrastructure. Once I identify the system characterization (all the subsystems, complexes and components), it normally takes me about 4-5 days to do it right, assuming a reputable threat assessment.

I have started using it to assess strategic risk in ports by using the port as a system, the services provided by the port are subsystems and then the complexes etc. When all is done, I go back up to the subsystem (Port strategic Function) and manage the risk at that level. We also incorporate analysis for resiliency and long term economic impact to finalize the true strategic risk.

Always some smart guy thinking a good idea will overcome good solid target analysis.

SDAUFKLA, PM me and I will help your boss the latest flashes in the pan.

SdAufKla
1 August 2009, 03:32
PM sent. However, you probably won't find it very receptive in content.

Target-centric analysis cannot work as a predictive tool. Allocating your protective resources based on establishing priorities is rational. There are better ways than CARVER to determine those priorities, though.

mcdude
15 August 2009, 00:43
Tracy,

I KNEW that I could depend on you for a good answer on this one!

The truly funny part about this post....I was cleaning up and throwing away a bunch of old manuals, books, etc., for a garage sale yesterday. I just happened to open an old notebook and came across my notes from SOFDOQC. Guess what was staring at me on the last page I looked at? The unclass notes from this very class. I thought, "Wow, that's been a few days. I better keep these."

I learned it (CARVE, at first) as an SF brat, and relearned it as an officer. Old CPT Brown would have been proud of me. You guys taught a good course!

My 2 cents....the guys most familiar with the parts of a system are the ones who can help the most. That is usually guys like the crusty, 62 y/o union electrician who can tell you from experience, that dead squirrel in the back side of a ground mounted transformer can ground out a substation next to a major metropolitan airport's substation, and shut down Fortune 100 companies for literally hours, much cheaper than 100 pounds of C-4 and an ODA. (That actually happened!).

TA folders need to be done by getting 'down in the weeds'. You gotta get dirty, plain and simple, to get the ground truth. We tend to overlook the simple solutions for the shiny, sexy methods. Ain't no computer software ever gonna replace good old experience, ingenuity and common sense.

CARVER is a tool. Like any tool, it is only as good as the technician who is using it. I remember when the acronym was classified. I am getting old.

End of rant....

Mick

P.S. Does the word 'gravity' mean anything to anybody anymore? I think that we overthink that one, too!

Think of sugar in somebody's gas tank, versus a laser-guided bomb. Both do the job. If the car don't move, you still have accomplished the mission, yes?

The Fat Guy
15 August 2009, 08:00
Tracy,

My 2 cents....the guys most familiar with the parts of a system are the ones who can help the most. That is usually guys like the crusty, 62 y/o union electrician who can tell you from experience, that dead squirrel in the back side of a ground mounted transformer can ground out a substation next to a major metropolitan airport's substation, and shut down Fortune 100 companies for literally hours, much cheaper than 100 pounds of C-4 and an ODA. (That actually happened!).

Like any tool, it is only as good as the technician who is using it. I remember when the acronym was classified. I am getting old.


Dude,

Good Points,

When we use CARVER to target infrastructure / combat systems, we know EVERYTHING about the attacking force, because it's us. We have to collect data on the system, subsystems, complexes and components to plan the mission.

Post 9/11, when we use it to assess vulnerability in OUR infrastructure, we know everything about the system and have to speculate / analyze the attacker's capability.

You are spot on with the 62 year old electrician comment. I always ask to have the Janitor present at my assessments. You would be amazed at how many executives make a comment like "We have a laser security system to prevent that...." and the janitor says "We shut that off because we get 50 false alarms a day. It has not been on for 2.5 years...." As you said, they also have tremendous insight as to what the critical nodes are on a system.

Another technique I use is to have a disinterested team build a Red Team target folder using CARVER. That way we get the inside view of how the target vulnerabilities look to us, but we can further refine the results by looking at it from the open source perspective of a potential foe and seeing what vulnerabilities they will likely identify and attempt to exploit.

Lastly, you said it right, it is a tool. In this case, I use it as a tool to apply the Risk-based decision making model and the national Infrastructure Protection Plan. Too many ASIS 30 day wonders are looking to find / develop a panacea. Sorry guys, there is no substitute for experience and hard work.

The Fat Guy
15 August 2009, 08:07
PM sent. However, you probably won't find it very receptive in content.

Target-centric analysis cannot work as a predictive tool. Allocating your protective resources based on establishing priorities is rational. There are better ways than CARVER to determine those priorities, though.

Agreed,

CARVER (or CARVER+Shock) in its purest form does not give predictive analysis. It merely states where the vulnerabilities are within the system. While I think that predictive analysis of terror attacks is just shy of voodoo, I do have some additional Threat analysis I do to try and represent the likelihood that the threat used in the assessment will attack a certain target, in a relative sense more so than in a universal sense.

In other words, the threat is more likely to attack this complex, than that complex within the system as opposed to trying to predict the next 9/11 location. That's where the voodoo comes in.

Like McDude and you and I have stated, it is a tool box that is only as good as the tools the mechanic places inside. That is what determines its true value.