May the 4th be with you!

Today is May 4th, also known as Star Wars Day. Live long and prosper!

Kidding, kidding.

Whenever I watch the movie, I think about the hardest working person in the galaxy: the Empire’s OPSEC Manager. Probably some part-time Stormtrooper somewhere on Coruscant, who had to worry about military missions light years away. And to top it all off, that poor OPSEC manager is trying to keep information from a group that can literally read minds. Not an easy task.

After the battle of Endor, that person better have gotten a raise. Sure, it wasn’t exactly a military victory for the Empire, seeing as how the Death Star was destroyed and the elite ground forces were decimated by teddy bears, but that was hardly the OPSEC manager’s fault. From an OPSEC perspective, it was a resounding success.

There will be no spoiler alerts. The movie’s an American classic and it’s over three decades old. If you haven’t seen it yet, you really shouldn’t be doing anything else today.

Although the location of the Death Star was known and an attack was expected, the Emperor had a secret: the Death Star was actually fully operational. His plan was to destroy the unprepared rebel force when they showed up to attack. And much of that fell on our poor OPSEC manager, who was tasked with making sure that secret plan remained a secret. Of the million or so people on the small moon space station, how many could have known that the station was operational? The crews that were on standby to fire it? The technicians that checked out the specs? Everybody with a window when it was tested and confirmed to be operational?

So next time you watch the series, give some thought to those hardworking OPSEC managers out there in the far-away, long-ago galaxy. Whether you’re for the Empire or a rebel, you gotta admire their OPSEC game.

Remember: Loose lips destroy starships.

“That’s not OPSEC!”

The scene is a small office. It’s day one of the OPSEC assessment. It’s John’s first time out with the team, so he’s still trying to feel out how they go about the process.

While the team is in the badging office waiting for their badges, John notices that there’s a computer screen with red SECRET stickers on the top and bottom. What’s more, the screen is facing the group at the customer service desk.

The assessment team members weren’t the only ones trying to gain facility access that day. Among the other people waiting were a janitor, a few new employees, and others, both cleared and uncleared. John turned to one of the senior members of the team and mentioned that they should identify that in their report, and the senior member replied simply: “that’s not OPSEC.”

John didn’t want to get into an argument about what is and isn’t OPSEC. But he did mention that he thought they had a responsibility to the office supervisor to tell him that he should turn the screen around, and to keep it turned around, so uncleared personnel couldn’t possibly see potentially secret information. But once again, he was told in no uncertain terms that it wasn’t OPSEC and therefore not their responsibility.

The Assessment Chief did later correct the problem, but the senior team member never once wavered from his stance.

So, what is OPSEC? Is anything OPSEC?

A strong case can be made that just about every item in an OPSEC Assessment report can be matched to the requirements of some other security program. The scenario above was clearly an Information Security issue. FOUO in the trash? Information Security again. Not locking the computer screen when you leave the desk? Computer security. Downloading attachments from unknown sources? Cybersecurity. Allowing people to piggyback into the facility? Physical Security. Giving long-time visitors the safe combo and then not changing it when they leave? Catching on yet?

There are many more examples, but you probably get the point. On the other hand, can you think of any instances that weren’t already covered? What about staging convoy vehicles at the same time in the same place? What about using the same routes every time? What security program covers business, mission, or even personal indicators? What do you call it when unclassified information that no one knew needed to be protected is pieced together to reveal details of a classified operation?

It’s ALL OPSEC when it comes to our responsibilities as an OPSEC Program Manager or a member of an assessment / survey team. Bottom line: our job is to make our organization more secure, and we don’t do that by arguing whether a vulnerability, indicator, or security violation is OPSEC or not. See a problem, fix a problem.

Where’s the “I” in OPSEC?

This is one from the archives. Guest blogger Rick Millikan is a member of OSPA, a Major in the US Army and an all-around good guy. Enjoy! 

It’s been said that Operations Security (OPSEC) is everyone’s responsibility; that no person alone can make OPSEC work. On the other hand, it only takes one person to ignore items on the Critical Information List (CIL) and disclose sensitive information over non-secure media or during open discussions in public. The “I” in OPSEC can be viewed from several angles.

The very foundation of OPSEC involves a five-step process: 1) Identify critical information, 2) Threat analysis, 3) Vulnerability analysis, 4) Risk assessment, and 5) Apply countermeasures. The OPSEC Program Manager (OPM) should coordinate the five-step process. Meaning, he/she should ensure the appropriate personnel complete each step. This process is a team effort. No “I” here.

To identify critical information, the OPSEC officer should work with the Operations section and the commander to determine what unclassified, yet sensitive, information must be protected. The list of critical information items should then be placed on a Critical Information List, or CIL. Each command will have a unique list of critical information for day-to-day operations and/or each specific mission or Operations Plan (OPLAN). Again, the OPSEC officer cannot do this alone. There is no “I” in this step.

The Intelligence section supplies the OPM with information regarding the current threat. Normally, the OPSEC Officer does not have the expertise to conduct a thorough threat analysis. Even if the OPSEC officer is the same person as the S2, it still requires assistance from others within the Intelligence section. Demonstrating again, there is no “I” in this step.

To complete a thorough vulnerability assessment, the OPSEC officer must again work with the Operations section, the “Staff”, and the Antiterrorism Officer (ATO) and the Force Protection officer (one person may perform both duties, depending on the unit). There is no “I” in this step, either.

The OPSEC officer can conduct the risk assessment step, but usually the Operations officer or the commander must approve it. This step involves subjectivity as to how much risk is acceptable and the severity of the consequences should something go awry. Therefore, the commander must be aware of the risks and give the ultimate approval for taking certain risks. There is no “I” in this step.

Applying OPSEC measures must certainly be the job of the OPSEC officer. However, the OPSEC officer can only advise the commander on the OPSEC measures. If the commander deems the OPSEC measures too costly, time consuming, or would delay the mission, the OPSEC measures may be rejected. If the OPSEC measures are accepted, it is up to the leadership of the unit to ensure they are implemented. There is no “I” in the last step of OPSEC, either.

OPSEC is everyone’s responsibility. It is not solely the responsibility of the OPSEC officer to make sure OPSEC is “good” at the unit. OPSEC is a team effort. So, the “I” in OPSEC rests with every single individual who is assigned to, attached to, under operational control (OPCON), or is in some manner responsible to the commander of a specific unit where the OPSEC officer has put together an OPSEC plan.

In all actuality, everyone is the “I” in OPSEC. Your careless words or the “they aren’t listening to this phone call” attitude may cause mission failure or the deaths of allied troops and innocent civilians. You must be cognizant of the information you disclose in public, in emails, and over non-secure phones and faxes. OPSEC is everyone’s responsibility. Do your part to keep sensitive information from the adversary.

There is a saying that goes something like, “I am but one, but I am one.” The adversary only has to be right once. We have to be right all the time. The “I” in OPSEC means everybody needs to be aware of OPSEC 100% of the time. The lone OPSEC Officer or OPSEC Working Group member in your organization cannot do it for you.

Be the “I” in OPSEC!

Richard E. Millikan, MAJ, USAR

Chief, OPSEC Assessments Joint OPSEC Support Center (JOSC)

“Criminals don’t wear suits”

Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources and social engineering the information from them. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately, although the passwords and internal memos that they did find certainly helped cushion the blow.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed-out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? We’re all on the same team, right?

No matter how strong a castle’s walls, they do no good once the enemy’s inside.

Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: “Shredder out of order. Put materials in this box to be picked up by security.” Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (No one would ever know that this is my password, even if they do look in the drawer!)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

If it can track a thief…

The Coachella Valley Music and Arts Festival, generally referred to simply as “Coachella,” is an annual festival held in Indio, California. People come from all over the country to listen to music on several stages, enjoy art exhibits, camp, and take part in other recreational activities.

During the 2017 event, many festival-goers found that their cell phones were missing. Presumably, they had been stolen. The victims used their “find my phone” function (which is available on iDevices and Android) to locate the devices, eventually centering on attendee Reinaldo De Jesus Henao.

When the police arrived, they searched Henao and found more than 100 phones in his backpack. He was arrested on suspicion of grand theft and possession of stolen property.

This is exactly how the “find my phone” feature is supposed to work. The phones were stolen from their rightful owners, who were then able to locate them using the built-in features. But if those features can be used to track a thief, they may also be used to track you.

Be aware of your phone’s settings and features. Could someone access your Apple or Google account and track you that way? Are your pictures also recording location data? What does your phone tell someone that wants to find you?