“That’s not OPSEC!”

The scene is a small office. It’s day one of the OPSEC assessment. It’s John’s first time out with the team, so he’s still trying to feel out how they go about the process.

While the team is in the badging office waiting for their badges, John notices that there’s a computer screen with red SECRET stickers on the top and bottom. What’s more, the screen is facing the group at the customer service desk.

The assessment team members weren’t the only ones trying to gain facility access that day. Among the other people waiting were a janitor, a few new employees, and others, both cleared and uncleared. John turned to one of the senior members of the team and mentioned that they should identify that in their report, and the senior member replied simply: “that’s not OPSEC.”

John didn’t want to get into an argument about what is and isn’t OPSEC. But he did mention that he thought they had a responsibility to the office supervisor to tell him that he should turn the screen around, and to keep it turned around, so uncleared personnel couldn’t possibly see potentially secret information. But once again, he was told in no uncertain terms that it wasn’t OPSEC and therefore not their responsibility.

The Assessment Chief did later correct the problem, but the senior team member never once wavered from his stance.

So, what is OPSEC? Is anything OPSEC?

A strong case can be made that just about every item in an OPSEC Assessment report can be matched to the requirements of some other security program. The scenario above was clearly an Information Security issue. FOUO in the trash? Information Security again. Not locking the computer screen when you leave the desk? Computer security. Downloading attachments from unknown sources? Cybersecurity. Allowing people to piggyback into the facility? Physical Security. Give long-time visitors the safe combo and then don’t change it when they leave? Catching on yet?

There are many more examples, but you probably get the point. On the other hand, can you think of any instances that weren’t already covered? What about staging convoy vehicles at the same time in the same place? What about using the same routes every time? What security program covers business, mission, or even personal indicators? What do you call it when unclassified information that no one knew needed to be protected is pieced together to reveal details of a classified operation?

It’s ALL OPSEC when it comes to our responsibilities as an OPSEC Program Manager or a member of an assessment / survey team. Bottom line: our job is to make our organization more secure, and we don’t do that by arguing whether a vulnerability, indicator, or security violation is OPSEC or not. See a problem, fix a problem.

Where’s the “I” in OPSEC?

This is one from the archives. Guest blogger Rick Millikan is a member of OSPA, a Major in the US Army and an all-around good guy. Enjoy! 

It’s been said that Operations Security (OPSEC) is everyone’s responsibility; that no person alone can make OPSEC work. On the other hand, it only takes one person to ignore items on the Critical Information List (CIL) and disclose sensitive information over non-secure media or during open discussions in public. The “I” in OPSEC can be viewed from several angles.

The very foundation of OPSEC involves a five-step process: 1) Identify critical information, 2) Threat analysis, 3) Vulnerability analysis, 4) Risk assessment, and 5) Apply countermeasures. The OPSEC Program Manager (OPM) should coordinate the five-step process. Meaning, he/she should ensure the appropriate personnel complete each step. This process is a team effort. No “I” here.

To identify critical information, the OPSEC officer should work with the Operations section and the commander to determine what unclassified, yet sensitive, information must be protected. The list of critical information items should then be placed on a Critical Information List, or CIL. Each command will have a unique list of critical information for day-to-day operations and/or each specific mission or Operations Plan (OPLAN). Again, the OPSEC officer cannot do this alone. There is no “I” in this step.

The Intelligence section supplies the OPM with information regarding the current threat. Normally, the OPSEC Officer does not have the expertise to conduct a thorough threat analysis. Even if the OPSEC officer is the same person as the S2, it still requires assistance from others within the Intelligence section. Demonstrating again, there is no “I” in this step.

To complete a thorough vulnerability assessment, the OPSEC officer must again work with the Operations section, the “Staff”, and the Antiterrorism Officer (ATO) and the Force Protection officer (one person may perform both duties, depending on the unit). There is no “I” in this step, either.

The OPSEC officer can conduct the risk assessment step, but usually the Operations officer or the commander must approve it. This step involves subjectivity as to how much risk is acceptable and the severity of the consequences should something go awry. Therefore, the commander must be aware of the risks and give the ultimate approval for taking certain risks. There is no “I” in this step.

Applying OPSEC measures must certainly be the job of the OPSEC officer. However, the OPSEC officer can only advise the commander on the OPSEC measures. If the commander deems the OPSEC measures too costly, time consuming, or would delay the mission, the OPSEC measures may be rejected. If the OPSEC measures are accepted, it is up to the leadership of the unit to ensure they are implemented. There is no “I” in the last step of OPSEC, either.

OPSEC is everyone’s responsibility. It is not solely the responsibility of the OPSEC officer to make sure OPSEC is “good” at the unit. OPSEC is a team effort. So, the “I” in OPSEC rests with every single individual who is assigned to, attached to, under operational control (OPCON), or is in some manner responsible to the commander of a specific unit where the OPSEC officer has put together an OPSEC plan.

In all actuality, everyone is the “I” in OPSEC. Your careless words or the “they aren’t listening to this phone call” attitude may cause mission failure or the deaths of allied troops and innocent civilians. You must be cognizant of the information you disclose in public, in emails, and over non-secure phones and faxes. OPSEC is everyone’s responsibility. Do your part to keep sensitive information from the adversary.

There is a saying that goes something like, “I am but one, but I am one.” The adversary only has to be right once. We have to be right all the time. The “I” in OPSEC means everybody needs to be aware of OPSEC 100% of the time. The lone OPSEC Officer or OPSEC Working Group member in your organization cannot do it for you.

Be the “I” in OPSEC!

Richard E. Millikan, MAJ, USAR

Chief, OPSEC Assessments Joint OPSEC Support Center (JOSC)

“Criminals don’t wear suits”

Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars’ worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources and social engineering the information from them. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately. Although the passwords and internal memos that they did find certainly helped cushion the blow.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed-out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? We’re all on the same team, right?

No matter how strong a castle’s walls, it does no good once the enemy’s inside.

Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: Shredder out of order. Put materials in this box to be picked up by security. Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (No one would ever know that this is my password, even if they do look in the drawer!)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

What is EEFI?

Essential Elements of Friendly Information (EEFI) are defined as the answers to an intelligence agent’s questions about your system, support, deployments and force protection, otherwise known as the mission. Some examples of the questions they want to answer relate directly to your critical information listing (CIL). What is America’s space capability now and in the immediate future? Can Peterson Air Force Base protect NORTHCOM? Does the Air Force care about its people? What measures will the Air Force take if their computer systems or installation are attacked? The program we all know as OPSEC is the program to deny your enemy the answers to these questions. OPSEC protects our official use and controlled unclassified information.

The purpose of the OPSEC program is to reduce the vulnerability of Air Force missions to the successful collection and exploitation of your critical information, which would give the adversary answers to their critical questions surrounding Peterson AFB. OPSEC applies to all activities that prepare, sustain, or employ forces during all phases of your operations.

Do you post recall rosters in your cubicle? Do you post your retirement orders with your social on your overhead or desk in the open? Do you copy personal checks on the office copier and throw them into a recycle bin? Do you tear out your notes on a sensor system management meeting on future state space operations and put them into a dumpster or outdated recycle bin under your desk? Do you shred 100% of all official information? Do you shred your personal information at home? Do you have an unsecure router at home while you work on official business? Do you use a personal flash drive at work? Do you or your family members talk about your mission to your friends and young children at home with access to the internet? Do you allow your family to post deployment pictures on social engineering sites located on the internet? Do you blog with unknown folks on the net and talk about the military and vent about weaknesses of leaders you witness on base? These are all examples of vulnerabilities that everyone in the Air Force must consider. I recommend a ready, aim, fire approach to protecting information. The game Tic-Tac-Toe comes to mind. How does it apply to OPSEC?

OPSEC can be seen by your adversary as a game of tic-tac-toe. If you use OPSEC to prevent collection of intelligence, you place the “X” in the center square. Be smart, be a hard target. Make sure your folks use and think OPSEC and place that “X” in the center square. Ensure your enemy’s questions go unanswered.

Nothing in the straw

Charlie worked at a factory that manufactured all sorts of things. He liked his job, and so did the gate guard, Albert.

One Friday, when everyone was getting ready to leave for the weekend, Charlie showed up at the gate with a wheelbarrow full of straw.

“Where’d you get the straw, Charlie?” Albert asked.

“Bought it,” Charlie answered, producing his receipt. Sure enough, he had bought the straw.

“What are you gonna do with all that straw?”

“Feed my horses,” Charlie replied.

Albert was suspicious. He was pretty sure Charlie didn’t own any horses. “Mind if I take a look?” he asked.

Charlie waved his hand towards the wheelbarrow. “Help yourself.”

Albert poked through the straw, making sure nothing was hidden inside. Sure enough, he didn’t find a thing. “Have a good weekend,” he said, waving Charlie through.

The following Friday, Charlie showed up once again at the gate with a wheelbarrow full of straw. Once again, he had a receipt and Albert didn’t find anything hidden in the straw. This went on for twenty years, with Charlie leaving with a wheelbarrow full of straw and nothing else. Albert was pretty sure Charlie was up to something, but he couldn’t ever figure out what it was.

Over the years, the two became close friends. One day, it was to be the final time they’d perform their weekly ritual. Charlie was retiring, and that Friday was going to be his last day.

Charlie came to the gate. Albert didn’t even bother checking the wheelbarrow; he knew he wouldn’t find anything hidden in the straw.

“Charlie,” he said. “I’ve seen you walk out of here every week for twenty years. I know you’ve been stealing something, but what? Now that you’re retired, tell me what it is. It’s driving me crazy.”

Charlie simply smiled and said, “Sure. Wheelbarrows.”

Wheelbarrow theft may or may not be your biggest concern, but even if it’s not, this message still applies. Sometimes, the biggest threats are hiding in plain sight. Sometimes, what we assume is our biggest concern is actually only a distraction.