The underlying principles of denying an adversary information are centuries old. In fact, George Washington was quoted as saying: “Even minutiae should have a place in our collection, for things of a seemingly trifling nature, when enjoined with others of a more serious cast, may lead to valuable conclusion.” Millennia before, Sun Tzu wrote, “If I am able to determine the enemy’s dispositions while at the same time I conceal my own, then I can concentrate and he must divide.”
OPSEC as a methodology was developed during the Vietnam War, when Admiral Ulysses Sharp, Commander-in-chief, Pacific, established the “Purple Dragon” team in order to determine how the enemy was able to obtain advanced information on military operations.
The team realized that current counterintelligence and security measures alone were not sufficient. They conceived of and utilized the methodology of “Thinking like the wolf”, or looking at your own organization from and adversarial viewpoint. They discovered that US forces were unvarying in their tactics and procedures, and were able to make certain predictions based on that knowledge.
When developing and recommending corrective actions to their command, they then coined the term “Operations Security.”
Read the declassified version from the NSA’s FOIA website.
Today, OPSEC is an established methodology used by Military, Federal entities and Civilian Agencies and Businesses. More and more, private sectors are realizing the importance of Operations Security in day to day operations. This helps to protect proprietary and sensitive information from accidental disclosure, corporate espionage, internal espionage and more.
OPSEC awareness also helps to instill confidence in clients, who can be assured that their trust is well placed.
From the source
What follows is a summary of two rather enjoyable and informative conversations with Sam Fisher and Ron Samuelson.:
Sam served for 4 years in the Air Force and was an Intel Analyst in the Korean War. After the Korean War, he went on to work with the NSA in the same capacity. Fast forward to Vietnam, when it became apparent that the enemy was somehow getting advanced information regarding upcoming operations. Admiral Sharp formed two working groups in order to determine the cause.
One of these groups was the CI group. After a long analysis, they concluded that “the enemy was everywhere”. That wasn’t exactly the smoking gun that they were hoping for.
Fisher’s group was the COMSEC group. They decided to institute a then-experimental COMSEC survey, which involved interviewing mission participants and planners and determining organization structure. At first, there was resistance as to the format of the survey, but it was concluded that an interview structure was the best.
But then who to do the interviews? CI and Comm. folks both said that they were “too busy” to do it, so they approached the Operations group. Col. Chance took the idea and elaborated on it to include vulnerability analysis and exploits. Then, he formed TDY teams to officially conduct the analysis.
Now here’s the interesting part. According to Sam, they requested that they be able to keep the name “purple dragon”. See, the name was given to the particular study, and was not meant to be a permanent name. In fact, the name was chosen from a list of available program names provided by JCS, and was chosen because it sounded good.
I also asked him about the dragon itself (which prompted the above answer), as I was curious how they saw it. There was never an official determination, but he likes the idea of the dragon as the good guy, and guarding the “treasure”.
According to Sam, the team was putting the final touches on the report in Col Chance’s office, when they realized that they needed a name for what they were doing. Looking at it, they felt that it was essentially Operations Analysis, but felt that they were doing something unique, and it shouldn’t share a name with thousands of other programs. That’s when Sam mentioned that the NSA wouldn’t contribute personnel (namely, him) without a security element. Col. Chance suggested the name Operations Security, and the rest is history.
After Vietnam, Sam, Ron Samuelson and Tom Kerry tried to pitch the principles of OPSEC to other government organizations. Although they all seemed to think that it was a great idea, none of them wanted to work together. That’s when they saw a need for an interagency OPSEC group. (See where this is going?)
They tried to pitch this idea to every conceivable group, and achieved only limited success. The NSA (Adm. Bobby Inman, specifically) liked the idea, but didn’t want official involvement. The military branches wouldn’t touch it with a ten-foot pole. The DOE, however, liked the idea and committed some support to it, but it was the GSA that contacted Sam and offered its full support.
Sam drafted up a document describing the need for and use of this type of organization and gave it to his friend, Ken DeGraffenreid liked it, and wanted to get it to the President (Reagan) as soon as possible. Unfortunately, the re-election campaign took priority, but several years later, NSDD298 made it to the desk of General Colin Powell for review. A “friend” at the White House contacted Ron Samuelson to inform him that the draft was going to be rejected because Powell objected to the phrasing. Ron quickly dictated a new introduction and other elements.
Shortly after that day, NSDD298 was officially drafted and signed, forming the Interagecy OSPEC Support Staff (IOSS).