OSPA regularly receives questions from the OPSEC community. In an effort to better support and reach out to the community, OSPA, with the permission of the authors, posts some of the more frequently asked questions here. Not all questions are on this list, but submitted questions that are representative of frequent questions may be posted.
Q: Which is correct, Operations Security or Operational Security? (Brian P., USA)
A: That’s actually a very common question, and you’ll often see it presented both ways in the same context. The formalized tried and true process that we all know and love, the one that teaches us to view our own mission or organization from an adversarial perspective- that’s Operations security. Operational Security is best described as the security that is in place to secure a particular Operation. In simpler terms, Operations Security refers to the program, procedures, mindset, etc., while Operational Security refers to a specific Operation, and is on a case by case basis.
More information may be found in this article.
Q: Is DOM (donut of misery) against OPSEC? (Christa H., USA)
A: Essentially, when you ask if something is “against” OPSEC, the question is really whether or not it can serve as an OPSEC “indicator”. In other words, can it serve as a piece of the puzzle that would allow an adversary to gain sensitive of critical information. In this case, the DOM is one of many things that could -potentially- give away more information that would be intended, in the same vein as a countdown timer.
To break it down, let’s assume that the critical information is the redeployment schedule of a unit. If I’m the “bad guy”, I might want to know when a unit will be ready to cycle out, when the new unit will be in, and when I may expect to see complacency being an issue. There’s several ways that the DOM could reveal this information; for one, by calculating the rate of change over a short period of time, it’s possible to extrapolate the timeframes represented. Another way is by making a realistic assumption based on historical data. For example, if I already know that a particular branch and installation deploys for one year, I could assume that the 50% mark would be approximately six months.
So, long answer short, the DOM could very easily give additional information to enemy forces, even if the specific dates aren’t displayed. And we know that the enemy is watching, as well. According to a captured Al Qaeda document (referred to as the “Manchester Document”), they expect to be able to obtain no less than 80% of actionable intelligence from public sources, including blogs and personal webpages. Having a countdown timer is a great idea, and can help pass the time, but posting it online may be more risk than its worth.
Q: According to OPSEC Rules, can we send exercise information like unit name, location of exercise, date of exercise, types of equipment or systems being supported, etc, over the NIPR? (Anonymous, USA)
A: This is a great question, with a vague answer. The answer is “maybe,” depending on the specific information being transmitted, the destination and the specific elements of the Critical Information List. To be more specific, unless specifically noted by the commander or organizational leadership, thee are no OPSEC “rules.”
Remember that OPSEC isn’t the same as the security discipline Information Security (INFOSEC); OPSEC is concerned with protecting Critical Information from adversarial exploitation. So is that information something that shouldn’t be sent to the enemy? Very likely. But since it’s not classified information, it can be sent via NIPR as long as your Critical Information is protected via encryption or other means referred to as “countermeasures” or “OPSEC measures.”