A very small zoo was thrown into chaos when the star attraction- a gorilla named Chuck- unexpectedly died right before they opened for the day.
The owners were worried, because people came from all over just to see Chuck’s antics. Surely, the gorilla’s passing would spell the end of the beloved zoo.
But then, the owner had an idea. He called Jason, one of his employees, and offered him an extra $100 a day if he would wear a gorilla costume and pretend to be chuck- just until they could get a live replacement. Jason agreed, and minutes before opening he was suited up and ready in the enclosure.
Everyone loved Jason’s antics. The children clapped and laughed, and even the adults enjoyed watching the fake Chuck run around and beat his chest. Eventually, however, business started to die down. Chuck was still a popular attraction, but people could only watch an animal do the same tricks so many times. So Jason began changing things up. He would throw a ball out of the enclosure and wait for people to throw it back. He’d dance in a very gorilla-like way. But everyone got the biggest thrill when he would climb over the divider and hang over the lion’s pit. It was truly a death-defying spectacle.
One day, while Jason was hanging over the very hungry lion’s pit, the aging costume gave way and Jason fell hard onto the ground. The lion started circling menacingly, ready to pounce and tear the costumed man to bits.
“Help! Help!” Jason started shouting, scrambling madly to get up and out of the lion’s grasp.
“Quiet you, fool!” the lion whispered. “Are you trying to get us both fired?”
Sometimes, things aren’t what they appear. What we think is a friendly gorilla is a man in a costume. A dangerous lion is a friend. Appearances can be deceiving, so it’s important that we verify that what we’re seeing or hearing is correct.
Much like in this story, sometimes people don’t want you to know who they really are. The man with a clipboard that comes into your facility- are they really an inspector? The woman that shows up from IT saying she needs your computer for maintenance- did IT actually send anyone down?
Sometimes, it only takes a little bit of vigilance to see through someone’s disguise. And we should always be checking.
Today is May 4th- also known as Star Wars Day. Live long and prosper!
Whenever I watch the movie, I think about the hardest working person in the galaxy: the Empire’s OPSEC Manager. Probably some part-time Stormtrooper somewhere on Coruscant, who had to worry about military missions light years away. And to top it all off, that poor OPSEC manager is trying to keep information from a group that can literally read minds. Not an easy task.
After the battle of Endor, that person better have gotten a raise. Sure, it wasn’t exactly a military victory for the Empire, seeing as how the death star was destroyed and the elite ground forces were decimated by teddy bears, but that was hardly the OPSEC manager’s fault. From an OPSEC perspective, it was a resounding success.
There will be no spoiler alerts. The movie’s an American classic and it’s over three decades old. If you haven’t see it yet, you really shouldn’t be doing anything else today.
Although the location of the Death Star was known and an attack was expected, the Emperor had a secret: the death star was actually fully operational. His plan was to destroy the unprepared rebel force when they showed up to attack. And much of that fell on our poor OPSEC manager, who was tasked with making sure that secret plan remained a secret. Of the million or so people on the
small moon space station, how many could have known that the station was operational? The crews that were on standby to fire it? The technicians that checked out the specs? Everybody with a window when it was tested and confirmed to be operational?
So next time you watch the series, give some thought to those hard working OPSEC managers out there in the far-away, long-ago galaxy. Whether you’re for the Empire or a rebel, you gotta admire their OPSEC game.
Remember: Loose lips destroy starships.
“That’s not OPSEC!”
The scene is a small office. It’s day one of the OPSEC assessment. It’s John’s first time out with the team, so he’s still trying to feel out how they go about the process.
While the team is in the badging office waiting for their badges, John notices that there’s a computer screen with red SECRET stickers on the top and bottom. What’s more, the screen is facing the group at the customer service desk.
The assessment team wasn’t the only ones trying to gain facility access that day. Among the other people waited was a janitor, a few new employees, and other people- both cleared and uncleared. John turned to one of the senior members of the team and mentioned that they should identify that in their report, and the senior member replied simply: “that’s not OPSEC.”
John didn’t want to get into an argument about what is and isn’t OPSEC. But he did mention that he thought they had a responsibility to the office supervisor to tell him that he should turn the screen around, and to keep it turned around, so uncleared personnel couldn’t possibly see potentially secret information. But once again, he was told in no uncertain terms that it wasn’t OPSEC and therefore not their responsibility.
The Assessment Chief did later correct the problem, but the senior team member never once wavered from his stance.
So, what is OPSEC? Is anything OPSEC?
A strong case can be made that just about every item in an OPSEC Assessment report can be matched to the requirements of some other security program. The scenario above was clearly an Information Security issue. FOUO in the trash? Information Security again. Not locking the computer screen when you leave the desk? Computer security. Downloading attachments from unknown sources? Cybersecurity. Allowing people to piggyback into the facility? Physical Security. Give long time visitors the safe combo and then don’t change it when they leave? Catching on yet?
There are many more examples, but you probably get the point. On the other hand, can you think of any instances that weren’t already covered? What about staging convoy vehicles at the same time in the same place? What about using the same routes every time? What security program covers business, mission, or even personal indicators? What do you call it when unclassified information that no one knew needed to be protected is pieced together to reveal details of a classified operation?
It’s ALL OPSEC when it comes to our responsibilities as an OPSEC Program Manager or a member of an assessment / survey team. Bottom line: our job is to make our organization more secure, and we don’t do that by arguing whether a vulnerability, indicator, or security violation is OPSEC or not. See a problem, fix a problem.
This is one from the archives. Guest blogger Rick Millikan is a member of OSPA, a Major in the US Army and an all-around good guy. Enjoy!
Its been said that Operations Security (OPSEC) is everyones responsibility; that no person alone can make OPSEC work. On the other hand, it only takes one person to ignore items on the Critical Information List (CIL) and disclose sensitive information over non-secure media or during open discussions in public. The I in OPSEC can be viewed from several angles.
The very foundation of OPSEC involves a five-step process: 1) Identify critical information, 2) Threat analysis, 3) Vulnerability analysis, 4) Risk assessment, and 5) Apply countermeasures. The OPSEC Program Manager (OPM) should coordinate the five-step process. Meaning, he/she should ensure the appropriate personnel complete each step. This process is a team effort. No I here.
To identify critical information, the OPSEC officer should work with the Operations section and the commander to determine what unclassified, yet sensitive, information must be protected. The list of critical information items should then be placed on a Critical Information List, or CIL. Each command will have a unique list of critical information for day-to-day operations and/or each specific mission or Operations Plan (OPLAN). Again, the OPSEC officer cannot do this alone. There is no I in this step.
The Intelligence section supplies the OPM with information regarding the current threat. Normally, the OPSEC Officer does not have the expertise to conduct a thorough threat analysis. Even if the OPSEC officer is the same person as the S2, it still requires assistance from others within the Intelligence section. Demonstrating again, there is no I in this step.
To complete a thorough vulnerability assessment, the OPSEC officer must again work with the Operations section, the Staff, and the Antiterrorism Officer (ATO) and the Force Protection officer (one person may perform both duties, depending on the unit). There is no I in this step, either.
The OPSEC officer can conduct the risk assessment step, but usually the Operations officer or the commander must approve it. This step involves subjectivity as to how much risk is acceptable and the severity of the consequences should something go awry. Therefore, the commander must be aware of the risks and give the ultimate approval for the taking certain risks. There is no I in this step.
Applying OPSEC measures must certainly be the job of the OPSEC officer. However, the OPSEC officer can only advise the commander on the OPSEC measures. If the commander deems the OPSEC measures too costly, time consuming, or would delay the mission, the OPSEC measures may be rejected. If the OPSEC measures are accepted, it is up to the leadership of the unit to ensure they are implemented. There is no ”I” in the last step of OPSEC, either.
OPSEC is everyones responsibility. It is not solely the responsibility of the OPSEC officer to make sure OPSEC is good at the unit. OPSEC is a team effort. So, the ”I” in OPSEC rests with every single individual who is assigned to, attached to, under operational control (OPCON), or is in some manner responsible to the commander of a specific unit where the OPSEC officer has put together an OPSEC plan.
In all actuality, everyone is the “I” in OPSEC. Your careless words or the they aren’t listening to this phone call attitude may cause mission failure or the deaths of allied troops and innocent civilians. You must be cognizant of the information you disclose in public, in emails, and over non-secure phones and faxes. OPSEC is everyones responsibility. Do your part to keep sensitive information from the adversary.
There is a saying that goes something like, I am but one, but I am one. The adversary only has to be right once. We have to be right all the time. The “I” in OPSEC means everybody needs to be aware of OPSEC 100% of the time. The lone OPSEC Officer or OPSEC Working Group member in your organization cannot do it for you.
Be the I in OPSEC!
Richard E. Millikan, MAJ, USAR
Chief, OPSEC Assessments Joint OPSEC Support Center (JOSC)