Once an adversary or competitor acquires critical information, significant harm or damage may occur to an operation or program. To acquire this damaging critical information the adversary may choose to indirectly acquire pieces of sensitive information (possibly unclassified or unclassifiable) and then infer and aggregate. Hence, it is important to protect both critical and sensitive information from adversaries. To be effective, one must first determine which information is indeed critical or sensitive. This manual presents a step-by-step procedure to aid a decision maker in determining the critical information and the sources of sensitive information for which he’ has responsibility by identifying:
C. Adversaries, Goals, and Objectives
D. Generic Operation Categories
E. Critical Information Components
F. The Critical Information (an aggregation from step 5)
G. Sources of Information
H. Major Vulnerabilities
1. Sources of Sensitive Information (Indicator Categories).
Sections II and 111 contain the procedure and an example scenario, and Section IV includes tips from the discipline of Operations Security (OPSEC). The two appendices are an important reference for the procedure.
- THE PROCEDURE
The steps for determination of Critical and Sensitive Information are:
- Set the organizational boundaries. Determine which organization, organizations, or suborganization uses the information whose sensitivity is in question. Call this group the Organization-occasionally called the Good-Guy.
- Determine the Operations. Determine which of the Organization’s operations, projects, programs, and so forth, will be considered. One possibility is to consider all of the Organization’s operations. Another possibility is to choose only one. Call the set of all of those chosen as the Operations.
In the next step, step 3, the reader is asked to determine the Adversaries. To fully understand who the Adversaries to an Operation are, the decision maker needs to know the intentions of any entity that is a possible Adversary. Because intentions (goals and objectives) usually are known only through capabilities, detailed information may be needed to understand capabilities and analyze into intentions. The decision maker may need further help in gathering and analyzing possible Adversary information to complete step 3: consultation with personnel having intelligence expertise may be in order.
- Determine each Adversary, his Goals, and Objectives. An Operation may have several Adversaries. An Adversary —occasionally called the Bad-Guy—is a group, country, set of countries, company, set of companies, and so forth whose Goals are in conflict with the Good-Guy’s goals. Furthermore, an Adversary’s knowledge of an objective of one of the Good-Guy’s Operations might result in short-term or long-term harm or damage to the Operation or might result in short-term or long-term loss of operational effectiveness. Call these results the Adversary’s Objectives.
- Fit each combination of Operation and Adversary into the best Generic Operation Category. Appendix I has a list of Generic Categories into which an Operation might fall [Appendix I may not list all Generic Operation Categories – imagination may be required). For each combination of a Good -Guy Operation and an Adversary with a Bad -Guy Objective to impact the Operation, choose the best Generic Category. If the Operation-Adversary pair fits into several Generic Categories, choose just those Generic Categories that are really critical to the effectiveness of the Operation. If several Generic Categories of the Operation-Adversary pair are chosen, then split the Operation into Operations (same Adversary) with just one Generic Category. Appendix I may suggest additional Operations; if so repeat steps 3 and 4 for each new Operation.
The author is aware of at least three ways that the term “Critical Information ” is used by OPSEC professionals. Hence, for the sake of clarity the terms “Critical Information Components” and “The Critical Information” are introduced in the next two steps. Also in the next step, the reader is asked to determine Critical Information Components of an Operation Adversary pair using Appendix II. Readers with an intelligence background will notice that these components are similar to the steps in a Hostile Intelligence Service Collection Strategy – HOIS Collection Strategy. In fact, the components listed in Appendix 11 probably look like a generalized statement of a HOIS Collection Strategy.
- Determine the Critical Information Components of each Operation-Adversary pair. For each Operation-Adversary pair consider all those Critical Information Components (CIC) under the chosen Generic Operation Category (in Appendix 11) that actually apply to the Operation; it may be helpful to answer the following question about a possible CIC:
Could knowledge of this Critical Information Component (CIC) about this Good-Guy Operation be of value to the Adversary in causing any Bad-Guy Objectives?
The CICs in Appendix II are intended only as a guide. Do not use ClCs that do not apply to this Good-Guy Operation. There may be additional ClCs of an Generic Operation Category. Include any other ClCs that also yield a positive response to the question above. Please notice that this appendix may not always cover the situation; imagination may be required. The completed set is known as the Set of Critical Information Components (similar to HOIS Collection Strategy).
- For each Operation, Generic Operation Category. and Adversary, do a completion check on the chosen Set of Critical Information Components and. hence, develop The Critical Information. The Critical Information for an Operation is information that, if learned by the Adversary, could cause the Objectives from step 3 (short-term or long-term harm or damage to the Operation or short term or long-term loss of operational effectiveness). To complete this step, aggregate the Critical Information Components in one sentence connected with “and’s.” Edit the sentence so that it is easier to read and to understand. The resulting sentence should be a statement of The Critical Information in this Operation (from this Generic Operation Category) to be kept from this Adversary. Satisfaction of the completion check requires that The Critical Information must be information that satisfies the following question:
Could knowledge of The Critical Information by the Adversary be sufficient to allow the Adversary to initiate actions that would lead to short-term or long-term harm, damage, or loss of operational effectiveness?
If the answer to this question is not yes, then additional Critical Information Components (ClCs) are needed; repeat step 5 to determine additional ClCs. Continue repeating step 5 and this step until (1) each CIC gets a “yes” response to the question in step 5 and (2) the aggregated Set of ClCs, The Critical Information, gets a “yes” response to the preceding question.
- Determine the Sources of Information for each Operation-Adversary pair. Make a list of the “medium”, “event”, and “thing” Sources of Information involved in the Operations that might contain or indicate any Critical Information Components about any Operation. Call these the Sources of Information. Examples of Sources of Information are:
i)radio messages (voice and data).
ii)telephone messages (voice, data, FAX),
iii) stored machine data,
iv) paper documents,
vi) chalk/dry/bulletin boards,
vii) interpersonal conversations including meetings.
viii) predictive activities,
ix) unusual activities.
x)physical signatures and profiles,
xi) physical residuals (includes odors, sounds, seismic waves, and so forth),
xii) intentional and unintentional electromagnetic emanations.
Note that, for the last five Sources of Information, the existence of the Source of Information is, in fact, really information. On the other hand, for the first seven, the information is, in some sense, embedded in or imprinted on the Source of Information.
- Determine the Major Vulnerabilities to be protected for each Operation-Adversary pair. For each location and functional area where the Operation is conducted, list the Major Vulnerabilities (not known by the Adversary] in the safeguards system protecting the location and functional area from the Adversary (if the Adversary knows the Vulnerability, there is no need to call it “sensitive”). Particular attention should be given to access-control, personnel, and communications Vulnerabilities. Note that a Major Vulnerability exists independent of the strength of the Adversary to exploit the Major Vulnerability. Note also that successful completion of this step may require expertise in the security disciplines of Physical, Personnel, and Communications Security.
- Finally. determine the sensitive information sources for each Operation-Adversary pair. Using each of the chosen Information Sources from steps 7 and the Major Vulnerabilities from step 8, determine those instances of that Source that indicate a Critical Information Component or a Major Vulnerability as follows:
(1) List the “event” and “thing” Sources of Information.
(2) For each “medium” Source, list that Source but specify the instances of all the “event” and “thing” Sources (again!) from step 7 and the Major Vulnerabilities from step 8.
These identified items are the Sources of Sensitive Information (in the language of Operations Security, these are categories of “indicators”) for the Operation-Adversary pair.
This concludes the procedure; an example of using this procedure follows.
III. AN EXAMPLE
A chemical company is about to start a project to develop a new plastic glove. Following is a breakout of the nine steps in the procedure to determine the critical and sensitive information about project activities that would help a competitor discover the nature of the plastic glove project.
First, the Organization is the project manager, the clerical staff, and the chemists working on the project.
Second, the Operation to be analyzed for critical and sensitive information is only this new plastic glove project even though the chemists are working on many other projects.
Third, all the other plastic glove manufacturers are Adversaries in this Operation; the Goal for each is increase their market-share by cutting into the Good-Guy Organization’s market-share. Also, the following are examples of Bad-Guy Objectives against the Good-Guy Operation:
– raw materials made unavailable,
– key personnel made unavailable,
– manufacturing facilities made unusable,
– similar new product released by another manufacturer about the same time as glove release,
– major advertising campaign by another manufacturer to counteract release of the new glove, and
– saturation give-away campaign of gloves by another manufacturer to decrease initial sales.
Fourth, there are two possibilities. The Operation clearly fits Generic Category 111: “Research, Development, Testing, Evaluation (RDT&E), and Production of Sensitive Technology.” Also, the lead chemist is virtually irreplaceable in this project; therefore, the Operation also fits into Generic Category Xla: “Safety of Important Personnel – Permanent Site.” However, even though the safety of the chemist is extremely important, this person can be replaced (and there is an insurance policy ); therefore, Generic Category 111 is the best choice.
Fifth. from the suggested Critical information Components in Appendixing preliminary list is considered: research, development, testing, evaluation, and production project.
WHO – the company, and, in particular, the project manager, clerical staff, and chemists
TYPE – a plastic glove project
LOCATION – a suite on the third floor of Building 3 in the company’s main complex in the Midwestern city of Metrotown
LOCATION’S TIME FRAME – from now until product release in six months
CONCEPTUAL DESIGN – none
CAPABILITY – thinness of the new plastic glove (The value of thinness is better tactile sensitivity, in particular for health care professionals. The new glove will probably capture the market.)
BREAKTHROUGH – the use of a new catalyst, Catalyst Y. extracted from the root of a somewhat rare Philippine shrub, in the manufacturing of the plastic. (Plastic gloves manufactured with Catalyst Y are twice as thin as any known plastic glove, cost about the same, and have the same properties of gripping, strength, and so forth, as the best selling gloves.)
INTEGRATION TECHNIQUE – none
MANUFACTURING TECHNIQUE – none
QUANTITY – 20,000,000
PRICE – $1.99 per pair
TARGET MARKET – eastern United States
MARKETING STRATEGY – saturation publicity campaign
UNRELIABLE/LOST PRODUCTION – not applicable
CUSTOMER LOSS – not applicable
Next, the preceding list is reviewed for criticality relative to the following tailored question:
Could knowledge of this Critical Information Component (CIC) about the new plastic glove project be of value to any of the competitors in hurting the release and sales of the new plastic gloves?
The possible ClCs – QUANTITY – is excluded because it would not be of value to the competitors to know that the quantity of gloves produced is 20,000,000.
Sixth, aggregation of the list of Critical Information Components yields a possibility for The Critical Information:
(1) There is a research, development, testing, evaluation, and production project
(2) The project manager, clerical staff, and chemists are doing the project
(3) The project is a plastic glove research, development, testing, evaluation, and production project
(4) The location of the Organization’s project is a suite on the third floor of Building 3 in the company’s main complex in the Midwestern city of Metrotown
(5) Product release is in six months
(6) The product is twice as thin as any industry product
(7) Catalyst Y from the root of a somewhat rare Philippine shrub is the new feature of the manufacturing process
(8) The price will be $1.99 per pair
(9) The target market is the eastern seaboard.
(10) The marketing strategy is a saturation publicity campaign.
The edited version of this possibility for The Critical Information is:
In the company suite the project manager, clerical staff, and chemists are engaged in the research, development, testing. evaluation, and production of a new plastic glove. The plastic glove is twice as thin as any other industry product due to manufacturing with Catalyst Y– from the root of a somewhat rare Philippine shrub. The saturation publicity campaign of the two-dollar glove will be in six months.
Checking this possibility against the following bon:
Could knowledge by competitors of this information be sufficient to allow them to initiate actions leading to damaging our projected glove release?
yields a “YES”, and the preceding is a statement of The Critical Information.
Seventh, the Sources of Information that exist due to the plastic glove project are:
(1) telephone messages,
(2) FAX messages,
(3) stored machine data stored machine data in two computers and on floppy disks,
(4) paper documents,
(6) chalkboards, dryboards, and bulletin boards,
(7) interpersonal conversations including meetings,
(8) unusual activities, and
(9) physical residuals.
Eighth, the Major Vulnerabilities in the safeguards system protecting the suite from the competitors are:
- Rear laboratory emergency door – Any visitor, repairperson, or so forth, could unlock this door for future or accomplice access to the lab; furthermore, there is no provision for escorts or monitoring of this door. Upon access through this door, a knowledgeable competitor could easily discover The (complete) Critical Information (an Adversary targeting the Lab probably already knows Critical Information Components 1, 2, and 3).
- Lead scientist’s alcohol problem – A competitor knowing Critical Information Components 1, 2 and 3 could join this chemist at a bar, buy drinks, and easily elicit other Critical Information Components.
Ninth, the Sources of Sensitive Information (Indicator Categories) are by category:
1. delivery of packages from the Philippines,
2. manufacturing waste liquids contain traces of Catalyst Y.
3. telephone messages that mention any Critical Information Component, the Philippine packages, the traces of Catalyst Y in waste liquids, the rear lab door problem, or the lead scientist’s alcohol problem,
- FAX messages that transmit any Critical Information Component, or a reference to the Philippine packages, the traces of Catalyst Y in waste liquids, the rear lab door problem, or the lead scientist’s alcohol problem,
- computers or floppy disks that store any Critical Information Component or a reference to the Philippine packages, the traces of Catalyst Y in waste liquids, the rear lab door problem, or the lead scientists alcohol problem,
- paper documents that mention any Critical Information Component, the Philippine packages, the traces of Catalyst Y in waste liquids, the rear lab door problem, or the lead scientist’s alcohol problem,
- vugraphs that mention any Critical Information Component, the Philippine packages, the traces of Catalyst Y in waste liquids, the rear lab door problem, or the lead scientist’s alcohol problem,
- chalkboards, dryboards, and bulletin boards that mention any Critical Information Component. the Philippine packages, the traces of Catalyst Y in waste liquids, the rear lab door problem, or the lead scientist’s alcohol problem, and
- interpersonal conversations including meetings that mention any Critical Information Component, the Philippine packages, the traces of Catalyst Y in waste liquids, the rear lab door problem, or the lead scientist’s alcohol problem.
This completes an example illustrating the method for determining critical and sensitive information and the sources of sensitive information. Some tips from the discipline of Operations Security (OPSEC) follow.
III. FINAL TIPS FROM OPSEC
The discipline of operations security (OPSEC) offers the following perspectives to aid in effectively using the Sources of Sensitive Information (step 9) for protection of Critical Information Components (step 5) and their aggregation, The Critical Information (step 6):
First, in the dissemination of information in a sensitive operation, two factors surface as reasons for allowing this dissemination to an individual working on the operation: (1) “need to know” and (2) “accepted accessibility” – the realization that the individual will be exposed to the information because of physical working proximity and unacceptably high costs of resources to attempt to deny disclosure of the information.
The decision maker may want to order dissemination of (1) each Critical Information Component, (2) the time frame of protection of that Component, and (3) and Sources of Sensitive Information to each employee working on the sensitive operation with the following restriction:
Each Critical Information Component and each Major Vulnerability will be disseminated only to those workers who have a “need to know” or who the decision maker determines must be granted “accepted accessibility.”
In the latter case a non-disclosure statement may be helpful.
A second tip is about the fact that timing or phasing of an operation may change the critical and the sensitive information in the operation. In particular, as the operation progresses through time, certain Critical Information Components may be discovered, exposed, leaked, and so forth; trying to protect this information afterwards may be deemed unwise. This piece of information would no longer be “critical” nor would any information referring to this former Critical Information Component be sensitive.
Also, the use of this manual gives a perspective at a “slice in time”; the decision maker may want to evaluate the operation using this manual’s procedure at appropriate times during the operation.
Finally, experience has shown that the best time to start protecting critical and sensitive information is in the planning stages of an operation. This author highly recommends that the decision maker develop a plan for such protection during operation planning stages.
A useful planning technique used by Operations Security (OPSEC) practitioners is to put the different phases of the operation next to a time line. Then, as each Critical Information Component is determined, the time frame during which protection of that Component is needed is also marked. The resulting graph is a presentation of how the Critical information Components in the Operation changes over time.
Being able to effectively identify the instances of sensitive information that “mention” or “refer” to Critical Information Components, Sources of Information, or Major Vulnerabilities is not a simple task. In fact, it takes Operation Security (OPSEC) practitioners years of study and practice to become proficient in this identification (usual training also includes evaluation of Adversary strength and suggestion of countermeasures against a strong Adversary). The decision maker who needs further help in protection of critical and sensitive information should contact an OPSEC practitioner for assistance.