“That’s not OPSEC!”

The scene is a small office. It’s day one of the OPSEC assessment. It’s John’s first time out with the team, so he’s still trying to feel out how they go about the process.

While the team is in the badging office waiting for their badges, John notices that there’s a computer screen with red SECRET stickers on the top and bottom. What’s more, the screen is facing the group at the customer service desk.

The assessment team members weren’t the only ones trying to gain facility access that day. Among the other people waiting were a janitor, a few new employees, and other people, both cleared and uncleared. John turned to one of the senior members of the team and mentioned that they should identify that in their report, and the senior member replied simply: “that’s not OPSEC.”

John didn’t want to get into an argument about what is and isn’t OPSEC. But he did mention that he thought they had a responsibility to the office supervisor to tell him that he should turn the screen around, and to keep it turned around, so uncleared personnel couldn’t possibly see potentially secret information. But once again, he was told in no uncertain terms that it wasn’t OPSEC and therefore not their responsibility.

The Assessment Chief did later correct the problem, but the senior team member never once wavered from his stance.

So, what is OPSEC? Is anything OPSEC?

A strong case can be made that just about every item in an OPSEC Assessment report can be matched to the requirements of some other security program. The scenario above was clearly an Information Security issue. FOUO in the trash? Information Security again. Not locking the computer screen when you leave the desk? Computer security. Downloading attachments from unknown sources? Cybersecurity. Allowing people to piggyback into the facility? Physical Security. Give long-time visitors the safe combo and then don’t change it when they leave? Catching on yet?

There are many more examples, but you probably get the point. On the other hand, can you think of any instances that weren’t already covered? What about staging convoy vehicles at the same time in the same place? What about using the same routes every time? What security program covers business, mission, or even personal indicators? What do you call it when unclassified information that no one knew needed to be protected is pieced together to reveal details of a classified operation?

It’s ALL OPSEC when it comes to our responsibilities as an OPSEC Program Manager or a member of an assessment / survey team. Bottom line: our job is to make our organization more secure, and we don’t do that by arguing whether a vulnerability, indicator, or security violation is OPSEC or not. See a problem, fix a problem.

Where’s the “I” in OPSEC?

This is one from the archives. Guest blogger Rick Millikan is a member of OSPA, a Major in the US Army and an all-around good guy. Enjoy! 

It’s been said that Operations Security (OPSEC) is everyone’s responsibility; that no person alone can make OPSEC work. On the other hand, it only takes one person to ignore items on the Critical Information List (CIL) and disclose sensitive information over non-secure media or during open discussions in public. The “I” in OPSEC can be viewed from several angles.

The very foundation of OPSEC involves a five-step process: 1) Identify critical information, 2) Threat analysis, 3) Vulnerability analysis, 4) Risk assessment, and 5) Apply countermeasures. The OPSEC Program Manager (OPM) should coordinate the five-step process. Meaning, he/she should ensure the appropriate personnel complete each step. This process is a team effort. No “I” here.

To identify critical information, the OPSEC officer should work with the Operations section and the commander to determine what unclassified, yet sensitive, information must be protected. The list of critical information items should then be placed on a Critical Information List, or CIL. Each command will have a unique list of critical information for day-to-day operations and/or each specific mission or Operations Plan (OPLAN). Again, the OPSEC officer cannot do this alone. There is no “I” in this step.

The Intelligence section supplies the OPM with information regarding the current threat. Normally, the OPSEC Officer does not have the expertise to conduct a thorough threat analysis. Even if the OPSEC officer is the same person as the S2, it still requires assistance from others within the Intelligence section. Demonstrating again, there is no “I” in this step.

To complete a thorough vulnerability assessment, the OPSEC officer must again work with the Operations section, the “Staff”, and the Antiterrorism Officer (ATO) and the Force Protection officer (one person may perform both duties, depending on the unit). There is no “I” in this step, either.

The OPSEC officer can conduct the risk assessment step, but usually the Operations officer or the commander must approve it. This step involves subjectivity as to how much risk is acceptable and the severity of the consequences should something go awry. Therefore, the commander must be aware of the risks and give the ultimate approval for taking certain risks. There is no “I” in this step.

Applying OPSEC measures must certainly be the job of the OPSEC officer. However, the OPSEC officer can only advise the commander on the OPSEC measures. If the commander deems the OPSEC measures too costly or time consuming, or believes they would delay the mission, the OPSEC measures may be rejected. If the OPSEC measures are accepted, it is up to the leadership of the unit to ensure they are implemented. There is no “I” in the last step of OPSEC, either.

OPSEC is everyone’s responsibility. It is not solely the responsibility of the OPSEC officer to make sure OPSEC is “good” at the unit. OPSEC is a team effort. So, the “I” in OPSEC rests with every single individual who is assigned to, attached to, under operational control (OPCON), or is in some manner responsible to the commander of a specific unit where the OPSEC officer has put together an OPSEC plan.

In all actuality, everyone is the “I” in OPSEC. Your careless words or the “they aren’t listening to this phone call” attitude may cause mission failure or the deaths of allied troops and innocent civilians. You must be cognizant of the information you disclose in public, in emails, and over non-secure phones and faxes. OPSEC is everyone’s responsibility. Do your part to keep sensitive information from the adversary.

There is a saying that goes something like, “I am but one, but I am one.” The adversary only has to be right once. We have to be right all the time. The “I” in OPSEC means everybody needs to be aware of OPSEC 100% of the time. The lone OPSEC Officer or OPSEC Working Group member in your organization cannot do it for you.

Be the “I” in OPSEC!

Richard E. Millikan, MAJ, USAR

Chief, OPSEC Assessments Joint OPSEC Support Center (JOSC)

“Criminals don’t wear suits”

Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources and social engineering the information from them. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately. Although the passwords and internal memos that they did find certainly helped cushion the blow.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed-out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? We’re all on the same team, right?

No matter how strong a castle’s walls, they do no good once the enemy’s inside.

Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: Shredder out of order. Put materials in this box to be picked up by security. Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (No one would ever know that this is my password, even if they do look in the drawer!)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

If it can track a thief…

The Coachella Valley Music and Arts Festival, generally referred to simply as “Coachella,” is an annual festival held in Indio, California. People come from all over the country to listen to music on several stages, enjoy art exhibits, camp, and take part in other recreational activities.

During the 2017 event, many festival-goers found that their cell phones were missing. Presumably, they had been stolen. The victims used their “find my phone” function (which is available on iDevices and Android) to locate the devices, eventually centering on attendee Reinaldo De Jesus Henao.

When the police arrived, they searched Henao and found more than 100 phones in his backpack. He was arrested on suspicion of grand theft and possession of stolen property.

This is exactly how the “find my phone” feature is supposed to work. The phones were stolen from their rightful owners, who were then able to locate them using the built-in features. But if those features can be used to track a thief, they may also be used to track you.

Be aware of your phone’s settings and features. Could someone access your Apple or Google account and track you that way? Are your pictures also recording location data? What does your phone tell someone that wants to find you?

 

The Video Clerk

In January of 2006, six terrorists were preparing for the final phase of their plan. Their intent was to storm Fort Dix with automatic rifles, with the goal of killing as many soldiers as possible. They considered the soldiers to be a viable military target, but also planned to kill as many civilians as they could.

In addition to the rifles, they had prepared explosives to target groups of people and vehicles. They had trained on a local paintball range and in the woods around the installation, and they had practiced shooting at targets at a local range. One of the men, whose father owned a pizza parlor nearby, used his pizza delivery job to scout potential targets. They had video surveillance and detailed maps. They had even traveled to other military installations to surveil their next targets. They were prepared.

How did we uncover this insidious terrorist plot? Was it international law enforcement cooperation? An insider? Maybe a paid informant or intercepted communications?

It wasn’t any of those. It was a video clerk.

The terrorists had recorded themselves on VHS video initiating a call to jihad and practicing “military-like” drills. They brought those VHS tapes to a nearby video store to convert to DVDs, which is where the clerk noticed the content. He then called the FBI, who investigated the group and arrested the men.

Not all terrorists are internationally-trained and educated sophisticates. Sometimes, they can be careless or stupid. They can be caught by people like you or me, or by a video clerk.

“I can’t do anything, I’m just a file clerk.”

“I just do badges.”

“I’m only an office worker.”

“I just make copies and burn CDs all day.”

“It’s not my job.”

There are a million excuses. But then again, who knows how many lives that clerk saved when he reported something out of the ordinary? Stay vigilant and contact designated authorities when you see anything unusual, suspicious, or strange.

One person can make a difference. Will that person be you?