Why OPSEC Won’t Work

By Layne Marino

To Whom It May Concern:

Welcome to my nightmare. My name is Tom Jones. I am currently a security manager in a mid-sized company and the OPSEC Program Manager for my Air Force Reserve unit. I’m writing this because the frustration level of both jobs is killing me and I’m about ready to give up. My wife tells me that I hold too much inside and that I should try letting some it out once in awhile, so don’t mind me if I get off on a rant for a minute. It’s either that or give up entirely and head to Guam to study ancient tattoo techniques.

It all started when I arrived at my reserve unit and the first thing they gave me to read was an article was titled “The Nature of OPSEC” written by George F. Jelen who, at the time, was Director of OPSEC at the National Security Agency. About half way through this article Mr. Jelen says, and I quote; “To succeed in OPSEC, one has to think of everything in advance.”

That’s all!?! Well, that sounds easy enough doesn’t it? And I think to myself, why anyone in his or her right mind would commit to a career where the initial requirement is to “think of everything in advance?” I should have realized right then a there that as an OPSEC professional I was in a no-win situation.

But alas, I’m just not that bright so I pressed on.

I guess what I’m trying to say is that, in my humble experience, OPSEC won’t work, can’t work and will never work. Apparently, I can beat my head against the wall all I want but I will never win the war. I can’t figure out how to stop the flow of critical information to the people and organizations that want it. I feel like the little boy with his finger in the dike. As soon as I think I’ve got the problem solved another leak springs forward and I’ve only got so many fingers. I can’t hire more people to stick their fingers in the dike, because management won’t give me any more money. And the boss doesn’t think the leak is that big a deal anyway! Sound familiar? It sounds like my whole career. Or, maybe I’m overreacting. Maybe I’m a tad jaded, cynical even. Have some of you retained your innocence? Do you still think you can fight the good fight? Bully for you. You’re wrong of course.

As for myself, I’ve had it. I’m throwing in the towel. Not coming out for the next round. Calling it quits. Crying uncle. Giving up. Bowing out. Heading to the pits. Hitting the showers. Filing to divorce this demon goddess we call OPSEC But you may ask yourself, why is Tom going to such extremes? What caused this defeatist attitude? What could have soiled his once pure innocence?

Since we have this bond now and I’ve grown rather fond of you, I’ll tell you. But you’re not going to like it.

Let me start with the highlights, new and old.

  • CIA Director Deutch
  • DOE (lack of) security
  • Palm Pilots for all military officers
  • lost laptops – 700,000 person backlog for security clearances
  • critical information on military and corporate web sites
  • commercially available imagery
  • foreign students
  • disgruntled workers
  • hackers – social engineers

If you read newspapers, magazines and other open source material on a regular basis, I don’t have to go into detail on these subjects for you. If not, then let me be so bold as to say that you’re part of the problem. Quit reading now. The rest will seem more like the ravings of a power/money hungry security idiot than the frustrated declarations of someone who’s just trying to do his job. For those of you still with me, let me start with some ideas that are less concrete than those mentioned above.

1. The first problem that comes to mind is people that just can’t seem to keep their fool mouths shut, the “Talkers.” Have you noticed that we, as a society, can’t wait to impress each other with what we know or what we do? Sit next to someone on an airplane and start up a friendly conversation. Within minutes you’ll know where this person works, what they do and what project the boss has them busting their hump on. Act suitably impressed and you’ll soon hear why the CFO wants to charge 42 cents more for their new product than this guy recommends. Of course that’s a little secret between him and you because another company is coming out with a similar product and it could mean life or death for his company and more importantly a possible promotion for him. But this person isn’t your only threat. That would be too easy.

2. Up next we have the “Boy Scouts” or “Terminally Friendly.” These are those people who just want to help, always ready to assist a stranger in need – sometimes without even being asked!. Those annoying little people who smile on Monday mornings. And being the friendly Americans that we are, we are so ready to give out all the information we can to help some poor soul. It makes us feel good about ourselves and is an ego boost for some. We say, “I did my good deed for the day.” For example, if you really want to know something about an organization, military or civilian, just call them and ask. No need to use pretext conversations, no CIA super spy tactics or high tech penetrations required. Just call and ask. It’s really that simple – friendly Americans are standing by to take your call. Do you really think the adversary is not aware of and uses these techniques to collect information on individuals and organizations?

Allow me to illustrate how doing a good deed can hurt you. As a reservist I work in a “secure” compound. Just outside the compound is the snack area where I frequently eat my lunch. While eating one day I noticed a well-dressed man standing at the cipher-locked door looking bewildered. I was about to go tell him that the Entry Control Point was around the corner when a co-worker asked him if he could use some help. I heard the gentleman say something about the commander and while I watched, my friendly American co-worker assured him that this was no problem as he slid his badge through the reader, punched in his four numbers, opened the door to the “secure” compound and sent him, unescorted, off in the direction of the commanders office. In this one instance I was able to grab the gentleman and escort him to the Entry Control Point before he wandered off but I had to wonder how many times this, and similar lapses of security, had happened without being detected?

After changing the combo – which our visitor surely saw – I briefed this at the next staff meeting and much to my surprise the staff failed to appreciate the issue. It was even suggested this was not such a big deal and maybe I should lower my caffeine intake. Talk about throwing a wet towel on a new OPSEC Program Manager! Most of us agree that management support can make or break any type of program. Not just an OPSEC program – any program. How many commanders or managers have you known that make sure they appointed an OPSEC Program Manager or Security Officer but didn’t really care much beyond that? How many times have you been given a lot of lip service, but not a lot of actual support? I’m talking money and personnel; the kind of support you can wrap your fingers around, not some talking head at meetings telling everyone the importance of security. The same person, who, after the meeting says, you can’t have a dime for security training or an additional body to help with an important security initiative. How frustrating is that? And by the way, if the boss doesn’t care why should you? And is this attitude going to spread throughout the company or organization? Absolutely!

So what does the boss care about? Here’s a hint. Money, money, and mo money. It’s all about the Benjamin’s. The almighty dollar. Unfortunately, for us, security programs cost money. Training costs money, or at least time and, of course, time is money. You see, we as annoying little OPSEC types don’t really fit into the money making side of the house do we? We don’t generate funds for the company. In my experience managers seem to think that all we do is impede the money making process. Pop quiz, Einstein. How does business attract more business? Through advertising. Word of mouth. If you’re operating a business and you never tell anyone about it and your product, how can you expect to succeed? Well, you can’t.

But I’m not just talking about a print ad or a TV commercial. What about a contractor who develops a new idea, product or technology? What happens next? Well, for professional or personal reasons they want that knowledge to get into the open don’t they? They want the respect of their peers and a better paying job when their contract runs out. So they’re out there spreading the gospel to whoever will listen. You’ll find them on the Internet, at a symposiums or conferences, spreading the good news about their discovery without giving due regard to their companies’ proprietary information. Is this a problem? You bet. And even though there are a lot of significant examples out there, some companies still haven’t stopped to consider that good OPSEC practices can SAVE money for their company. I say again; good OPSEC saves money. You don’t believe me and I’m not surprised. No one has yet. So to you I offer some anecdotal evidence.

What about a price list for an upcoming sale at your local grocery store? Can a rival grocery chain benefit from this information?

Or a conversation in the smoking area about a contract your company is going to bid on?

What about a draft proposal for Steel Wheels Brewing Company to come out with a new type of beer? I don’t know, call it, uh, Honey flavored Micro-Dry-Ice-Light-Draft. So the VP of Proposal Drafting takes this proposal to the New Beer Drafting President who red inks all over it and sends it back to the VP. He has his personal assistant type the corrections into the computer and then places the edited copy of the original proposal into the recycle stack. Then, at the end of the day, the lowest bid contractor picks up the recycling, rifles through it, realizes what he has and sells it to the Rolling Stoned Beverage Company for roughly four times the amount his recycling operations made last year. Steel Wheels goes on to lose the beer wars and suffers losses in the hundreds of millions. All for want of a defined and enforced OPSEC policy ($0.00) and some basic equipment; e.g., a shredder ($200).

Not yet convinced? How about this? What about a product prototype that gets tossed aside because a rivet is in backwards, or there is a typo on the faceplate? Is this valuable to a rival company? Can that company reverse engineer the product, and with a little effort, beat the original company to the patent office and to store shelves? No doubt. I’ve seen it happen. One last thought; about 25 years ago, Steve Miller wrote a song called “Your Cash Ain’t Nothing But Trash.” Let me update this for you; “Your Trash Ain’t Nothing But Cash.” I guarantee you that if I were to dive into the dumpsters of some local corporations I would find annual reports, financial reports, phone books, organizational charts, vision statements, milestone timetables, research paper drafts, visitor logs, customer survey questionnaires, environmental impact statements, contract proposals, performance appraisals, and many other nuggets of valuable intelligence. That’s right, I said “Intelligence.” Deal with it.

You know, as I sit here writing this I can still hear CEO’s out there pooh-poohing what you’ve read so far because they had a 14.7% increase in profits last quarter. Good for you Sparky. Laugh all the way to the bank this one time because it could very well be your last trip. Unless you count the time you arrive with your hat in hand and your tail between your legs trying to get a business loan because you didn’t shred the draft formula for “Yuppie-Flavored Water (Light)” and have lost your share of the lucrative water market.

In his book “Corporate Espionage”, Ira Winkler reported that the stealing of corporate secrets costs U.S. companies anywhere from 24 billion to 100 billion dollars a year. That’s Billions with a capital B!

O.K., I can take that to my civilian boss but what about my military supervisor? Hmmm. How about this? Air Force Magazine recently said that the Presidents Commission on Critical Infrastructure Protection reported that “National defense is not just about government anymore, and economic security is not just about business.” I’ll repeat this for those of you who are just skimming this looking for your name. “National defense is not just about government anymore, and economic security is not just about business.” This from a Presidential Commission! How can people still argue that security isn’t worth the time, effort, and especially money? Believe it or not, some still would.

Here’s another quote for you. I’m sure most of you have heard at least a variation of it sometime in the not too distant past. “I can’t meet this deadline if I have to take into account all the BS OPSEC and security stuff you keep trying to shove down my throat!” Sound familiar? Feeling any better about your lot in life yet? Granted, you may work with some cranially challenged personnel but they aren’t the only problem you need to worry about.

In 1992, former KGB Major Stanislaw Levchenko said “for the first time in history, high tech, industrial, and economic espionage has become the most important priority. Russian leaders do not have the resources, or the time, to modernize obsolete industries. To survive they will steal proprietary secrets of foreign nations.” This is pretty scary to me. When I talked about this at Commander’s Calls and staff meetings, I was sure people would start listening to me, but they haven’t. And you know why? Because there is obviously no problem to worry about. That’s the only rational conclusion I can come up with. People say I worry too much -that I’m too paranoid. Damn right I am! Somebody needs to be.

And fortunately some folks are in fact concerned about this issue. Hundreds show up every year for the National and Regional OPSEC Conferences and some of you reading this may actually agree with at least some of what I’m talking about. Even big brother is scared. The Economic Espionage Act of 1996 requires that the information owner “take reasonable measures to keep such information secret.” And this applies to military,  civilian- whatever. They MUST “take reasonable measures to keep such information secret.”

I tell you, if you can’t convince the boss to respect that then you don’t have much of a leg to stand on do you? Isn’t it funny that we get hired by reasonably sane people to perform a service that they refuse to use? And yet, commanders, CEOs and COOs tell me that OPSEC is an inconvenience, not a problem. “Profits are up so we must be doing a good job OPSEC-wise. Now go away OPSEC Nazi until somebody tries to steal my companies crown jewels.” Great attitude, huh? Have you ever stopped to consider what’s exposed when you have your head stuck in the sand?

Part of what we’re up against is the lack of overwhelming historical evidence. Sure, you can find the occasional example of poor OPSEC causing minor irritation, but nothing that can’t be overcome. Stealing from the distinguished Ms. Iris Puentes here, if you go looking for “smoking guns” you’re lucky if you can find some
smoldering fires. But certainly the potential is there.

Here’s yet another quote. This one is from then Director of the FBI, Louis Freeh, at a Hearing on Economic Espionage, February 1996. “The theft, misappropriation, and wrongful receipt, transfer, and use of United States proprietary economic information, particularly by foreign governments and their agents and instrumentalities, but also by domestic malefactors, directly threatens the development and production of that information and, hence directly imperils the health and competitiveness of our economy.” Now, let me break this down for you, put it into words we can all understand. What he really said was “bad guys ripping off our technology and intellectual property really screws up our nation’s economy.”

Pretty basic. Yet again, as an OPSEC’er I though I would be helped by this revelation from such a high-placed and distinguished gentleman. But it didn’t help. My miserable lot in life didn’t change. I don’t know why I thought it would. It didn’t change with the Presidential Commission report or when Major Levchenko spoke out. The Economic Espionage Act came out and now the Director the FBI speaks out and what happens? Nothing, nada, zilch, zippo.

Obviously either the word isn’t getting out or we just don’t care. I sincerely hope (against considerable odds) that it’s not that we don’t care.

Lately I’ve been getting good at reading between the lines, so I know that computer intrusions, disgruntled workers, and plain stupidity are causing the military and the business world some serious problems. But how often does a story about OPSEC problems appear on page one of USA Today or as the lead story on CNN? Not too often. But why not? Is it not happening? Do we just not care? Maybe those stories just aren’t sexy enough for the public. Or is it that large corporations with huge economic concerns don’t report, for example, computer intrusions because the company will look bad and it will hurt their customer base?

For example, it is estimated that less than 20% of all monies lost, stolen or misappropriated from banks and other financial institutions gets reported. In many cases, these millions are available to thieves because of poor security practices and OPSEC procedures. Understand now that hundreds of millions of dollars DO get reported. So we’re talking the potential loss of BILLIONS of dollars per year due to loss, theft, or misappropriation and no one seems to care (at least not publicly).

But hey, put yourself in the place of a bank chairman. Do you really want to report that one, two, or twenty million dollars of your customers money was stolen because you weren’t bright enough to have effective passwords, firewalls or encryption on your systems? How would that make you look? You are responsible to your shareholders and your customers. Can you now see the dilemma? I’ll be honest with you – in that situation I might not report the loss to the authorities either. Because then I really will be on the front page of USA Today. See? This is just part of what you’re up against. But alas, this is not all.

A long time ago an old Chinese guy cursed his neighbor by saying “May you live in interesting times.” Welcome to the new millennium. Has history ever given us more interesting times? Just part of this is the World Wide Web. Many of us have access to the WWW at home and at work now don’t we? Connectivity they call it. Of course, that means that we can now reach out and touch people around the world. But how many stop to realize that all those people we can reach out and touch – can now reach in and touch us? Try explaining that to reasonably intelligent people and wait for the blank stare. Some people just don’t, and will never, get it.

Passwords written on stickys and put under mouse pads. Passwords in the Rolodex under “P”. No password at all. Leaving your computer on-line while you go to lunch. I’ve been on a number of OPSEC assessments and have personally experienced each of these numerous times. And let’s not forget that every military organization and civilian company has to have its’ own web site. So, to impress people, we cram this web site with all kinds of “useful” information. But useful to whom? You see, I don’t go to my organizational or company website because I know all the stuff that’s on it already. Most web sites aren’t made for the people who work there. It is designed to attract new customers – to make more money. So not only are we probably putting too much information on our web sites we are also allowing outsiders access to our vulnerable information. The Web is so wonderful that few people are in tune with the inherent dangers a monster like the World Wide Web brings into our world. I love it – I hate it. Let’s change the subject.

In the military, the vast majority of OPSEC Program Managers are part timers who have numerous other “more important” duties to be performed. So they do some training and spruce up the continuity book before the inspection but not much else. And those conscientious enough to try to actually do something with their program might not get the leadership support I complained about earlier. For you non-military types, how many of you are Security Managers who spend most of your time dealing with a myriad of additional duties and other responsibilities and don’t ever get a chance to tackle the serious security issues of your company? I would wager that all but a chosen few of you (if you’re honest with yourself) would be able to admit that there have been times when some fairly pressing security issues were ignored, because you had to spend time working other issues at the direction of your boss. Bosses who may not be as serious about OPSEC or security as you.

In my experience most organizations, military or civilian, will probably spend more money on the annual Christmas party than on a viable OPSEC program. But this doesn’t make me bitter. Hell no! I’m bitter because there are no teeth in the OPSEC program. I see problems every day and all I can do is politely recommend countermeasures that may, or may not, work. I can’t thump an idiot on the head and say “Don’t badge me in zipperhead. You don’t know who I am!”

All I can do is threaten and hope for the best. Lose a military SECRET document or a “Company Confidential” document and you know darn well what will happen to you. Have the company laptop full of proprietary information stolen in an airport and you understand that there will be consequences. Leave a safe open and you will be hammered. Sell company information to a competitor and you can pack your bags (maybe for jail). But what about an OPSEC violation? How can you get in real trouble for accidentally giving away “unclassified” information?

How many of you know of people who write down their passwords and “hide” them on their desk somewhere. How clever. And isn’t using a secure telephone or fax just a royal pain in the you-know-what? I mean secure fax machines never work right so we just fax the stuff in the clear. No big deal. No one ever gets in trouble for those kinds of things anyway, right? I mean, so what if I throw away company financial documents? The shred machine is all the way down the hall for heavens sake. I’m a busy man. I don’t have time for all this security nonsense.

Finally just what the heck is it we’re doing anyway? I mean, we can’t even come up with a name that we can all agree on. OPSEC, INFOSEC, Information Protect, Information Operations, Information Warfare, Analytical Risk Management, Risk Assurance, Defensive Information Operations, Risk Avoidance, Infrastructure Assurance. One guy I interviewed thought OPSEC stood for “Optional Security.” Maybe in his ignorance is the true light. Optional Security. Do it if it feels right. If it’s not too much hassle. If it doesn’t cost any money. Don’t worry, be happy.

Now, before I start sounding too cynical about this I should tell you that there have been times, not many mind you, but there were a few times when I had an understanding commander or Chief Information Officer who gave me the necessary resources and allowed me to do what I though was best. I guess I shouldn’t give you the wrong impression. I have had a success or two. Every once in a while I felt that I actually contributed to the security of my squadron, my Air Force, my nation. So I feel I know a little about what we need to do to fix this little problem of ours and I want to tell you what I would do if I were King-For-A-Day. You know, the top dog, the head cheese, the big honcho, the man in charge, El Jefe.

First, I would select, or hire a person who has the experience and ability to perform the duties required. Not someone who just has some time to kill. Someone who knows how to spell OPSEC and actually believes in the process. Also, this person needs to have enough rank and/or authority within the organization, to be able to work on my behalf to actually get things done.

Then I’m going to make sure that everyone in the organization knows that this person has my full support and is acting on my behalf. Then this person is going to put together an OPSEC working group and I’ll give them my full support. Then we’ll really hammer the OPSEC process hard.

We’ll write a concise and useable Critical Information List. We’ll look at the threat to our information from all angles. Then we’ll take an honest and perhaps painful look at our vulnerabilities and apply the threat to our vulnerabilities and indicators.

Next we’ll assess the risk to our information/operation and implement some OPSEC measures that will have a feedback mechanism built in so we can monitor the success or failure of those measures. Then we’ll keep monitoring the process so we can update and/or fix vulnerabilities as they arise. How simple was that?

You know, there is a reason that this process has gone from 12 steps to 9 steps down to the five accepted around the free world. It works. Five very simple things:

  1. Identify your critical information
  2. Analyze the threat
  3. Analyze your vulnerabilities/indicators
  4. Assess the risk
  5. Implement OPSEC measures

Or in even easier verbiage:

  1. What is important to you?
  2. Who wants it?
  3. How can they get it?
  4. Is it worth protecting?
  5. Put protection in place and monitor feedback.

Drop dead simple. For those of you who haven’t figured it out yet, all I’ve really been doing here is playing Devils Advocate in a weak attempt to make you think a bit. And maybe, just maybe, to let you see that you are not the only one facing challenges on a daily basis.

I believe in the OPSEC process. I sincerely hope you didn’t take my negative attitude too seriously. So while I still have a job (as of this writing), I think we all need to remember that we have been tasked, or hired, to do an extremely important job. We are fortunate that we do something that can have real impact. Like this or don’t, but I think the bottom line is that you are either committed to OPSEC and its importance or you need to find another career. Pretty simplistic approach, huh? I try to keep it simple. I find that’s the easiest way. Stick with basics.

In the first paragraph I quoted Mr. Jelen who said, “To succeed in OPSEC, one has to think of everything in advance.” I must admit that even though I was in Devils Advocate mode when I first relayed those words; there is still something I’ve got to tell you. What he said was right on. And it is a tall order isn’t it? This is when you need to remember those five simple steps. Remember that it’s a continuous process. And realize that on a very real level our jobs could be the difference between life and death. Information in the wrong hands can destroy a corporation, put people out of work, bankrupt local merchants, and devastate local families.

And don’t forget that soldier, sailor, airman or marine out there who loses his or her life because we didn’t do our job well enough and the wrong information became known to the wrong people.

It’s a tough job with a lot of responsibility – good luck and Keep the Faith!

Lawrence L. Marino
The Revelator