Think like the wolf: protect your critical information with an OPSEC program
Stephen Larsen
We all know what operations security, or 'OPSEC,' is--even if we don't realize it.
You don't just give out your credit card number to a stranger. You don't randomly tell people your social security number, or your home phone number.
Why? Because these people don't have a need to know this information ... and if we give it out carelessly, someone with bad intent could use it to compromise our lives in some way, such as identity theft. So, in our personal lives, we religiously protect this information, carefully considering each request for it and whether the requestor has a legitimate need for it and will protect it.
So why don't we, as members of government organizations, practice OPSEC as religiously on the job?
"We in government agencies shoot ourselves in the foot with information we publish on our Internet websites," said Charlie Reeder, course manager for the Interagency OPSEC Support Staff, which has the mission to help government organizations develop self-sufficient OPSEC programs and includes representatives from the National Security Agency, Central Intelligence Agency, Federal Bureau of Investigation, Department of Defense, General Services Administration and Department of Energy.
Reeder said he's seen government websites that have included maps of installations ... listing of names, phone numbers and room numbers of key officials ... locations of organizations and units ... specifications of weapons and communications systems ... and much more.
"When we publish this information on the Internet, we might as well fax it directly to our adversaries," said Reeder. "Because, in effect, we have. Once it's out there, it's gone. One problem with the Internet is you don't know who's out there, looking at your information."
According to DoD sources, For Official Use Only and other sensitive but unclassified information--such as concepts of operations, operation plans and standard operating procedures--continues to appear on DoD public websites. In 2002, reviewers found more than 1,500 such discrepancies in government websites.
"Our adversaries know and depend on this information," said Reeder.
Terrorists get intel from 'open source' information
According to a message sent by Secretary of Defense Donald Rumsfeld on Jan. 14, 2003, an Al Qaeda training manual recovered in Afghanistan states "using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of information about the enemy."
"Open source information is where our adversaries get the bulk of their intelligence," said Harvey Thomas, an instructor with the IOSS. "So why do we keep on giving it to them?"
Internet websites are just one example on the list of open source information, said Thomas, adding to that list items such as telephone directories, travel orders, job announcements, budget documents and newsletters.
"Our adversaries can take bits and pieces of information from all of these open sources," said Thomas, "and piece it together to form a complete picture."
Five-step OPSEC process
The way to combat such leaks, according to Reeder and Thomas, is to establish a formal OPSEC program, employing the five-step OPSEC process.
Step 1. Identify your critical information. Critical information is any information the adversary needs to prevent our success--and that we must protect to ensure our success. Critical information includes items such as capabilities ... intentions ... times ... places ... locations ... strengths ... weaknesses ... technology ... and tactics.
Step 2. Analyze your threats. There are two elements of a threat--you must have an adversary with, first, the intent to do you harm and, second, the capability to do you harm. If there's a terrorist who wants to do you harm, but doesn't have the means to get to you, you don't have a threat ... but if that terrorist has a friend with the means to reach you--now you have a threat.
How do you get the data you need to analyze your threats? Organizations should get in touch with their intel folks and ask for a threat assessment. Given the changing world situation, you should do this once a quarter--but be as specific as you can be, so you are not inundated with information and get it in a timely fashion.
Step 3. Analyze your vulnerabilities. Vulnerabilities are opportunities for adversaries to exploit your critical information--such as publishing sensitive information on public websites or talking about sensitive matters via cell phones or nonsecure phone lines, which are easily monitored. Often "indicators" can point to vulnerabilities. Did your organization suddenly put a fence around a location where there was no fence before? That can be an indicator that 'something is up' at that location and cause an adversary to take a closer look.
Step 4. Assess your risks. There are three elements to risk, which can be expressed as a mathematical equation: Threat x Vulnerability x Impact = Risk. Without any one of the three--threat, vulnerability or impact--you don't have risk.
Step 5. Apply appropriate countermeasures. The fifth step in the OPSEC process is to apply appropriate countermeasures. The nation of India successfully applied OPSEC countermeasures to protect the critical information that they were conducting underground nuclear tests in May 1998. For one, their workers avoided going outdoors at the nuclear test sites at times when satellites were passing overhead. For another, they launched missiles from other sites as a diversion. The result? India totally fooled the U.S., and the rest of the world, when they conducted their tests--other nations knew only after the fact, when seismographs picked up the explosions.
Think like the wolf
"You need to look at your organization through the eyes of your adversary," said Reeder. "You need to put on the black hat and ask yourself, 'if I were a bad guy, could I use this information to harm the organization or disrupt the mission?'"
Both Reeder and Thomas agree that, as a start, senior leadership must support OPSEC with policy and the appointment of an OPSEC program manager. The IOSS, located in Greenbelt, Md., offers courses to properly train personnel involved with OPSEC programs, including these courses: OPSEC Fundamentals, OPSEC and Web Content Vulnerability, OPSEC Practitioner's Course, OPSEC Program Manager's Course, Threat Research for OPSEC Course and OPSEC for Public Safety Course. The IOSS can be reached at 443-479-4677. Their website, http://www.ioss.gov/, provides course descriptions and a schedule of course dates.
"We have an obligation--and the power--to protect our critical information," said Reeder. "We need to start doing it."
ACRONYM QUICKSCAN
1MEF--1st Marine Expeditionary Force
2ID--2nd Infantry Division
3MAW--3rd Marine Aircraft Wing
ADA--Air Defense Artillery
AKO--Army Knowledge Online
ALC--Air Logistics Center
ARMS--Armament Retooling and Manufacturing Support
ASD--Assistant Secretary of Defense
ASCP--Army Small Computer Program
ASR--Alternate Support Route
ASA ALT--Assistant Secretary of the Army for Acquisition
B2Bi--Business-to-Business Integration
BIAP--Baghdad International Airport
BRAC--Base Realignment and Closure
C3I--Command, Control, Communications and Intelligence
C4I--command, control, communication, computer, and intelligence
CECOM--Communications-Electronics Command
CJTF--combined joint task force
CNR--Combat Net Radio
CONOPS--Concept of Operations
COMSEC--Communications Security
CRD--Capstone Requirements Document
CY--calendar year
DoD--Department of Defense
DOIM--Directorate of Information Management
EAC--Emergency Action Center
EOC--Emergency Operation Center
EPLRS--Enhanced Position Location Reporting System
ENM--EPLRS Network Manager
ERB--Enlisted Records Brief
FBCB2--Force XXI Battle Command Brigade and Below
FCS--Future Combat Systems
FOB--Forward Operating Base
FOUO--For Official Use Only
FY--fiscal year
GBS--Global Broadcast System
GCS--guidance and control systems
GIG--Global Information Grid
HFRD--High Frequency Radio Division
HHD--Headquarters and Headquarters Detachment
Humvee--High Mobility Multipurpose Wheeled Vehicle
HRC--Human Resources Command
IDM--Information Dissemination Management
IDM-T--Information Dissemination Management--Tactical
IED--Improvised Explosive Devices
INFOSEC--Information Security
INMARSAT--international maritime satellite
IOSS--Interagency OPSEC Support Staff
IT--Information Technology
JTF--Joint Task Force
JTRS--Joint Tactical Radio System
LAN--Local Area Network
LEN--Large Extension Node
LSA--Logistical Support Area
LW--Land Warrior Future Combat Systems
MEF--Marine Expeditionary Force
MI--Military Intelligence
MIDS--Multifunctional Information Distribution System
MIDSLVT-2--Multifunctional Information Distribution System Low Volume Terminal--2
MRE--meals ready to eat
MSRT--Mobile Subscriber Radio Terminal
NCS--Network Control Station
NET--New Equipment Training
NETOPS--Network Operations
NOC--Network Operations Center
NTDR--Near Term Digital Radio
NWAS--Naval Warfare Assessment Station
OP--Observation Posts
OPSEC--operations security
ORB--Officer Records Brief
ORD--Operational Requirements Document
PATRIOT--Phased Array Tracking Radar to Intercept of Target
PEO EIS--Program Executive Office for Enterprise Information Systems
PM--Program Manager
PM DMS-A--Product Manager, Defense Message System-Army
PKI--Public Key Infrastructure
PM TRCS--Program Manager, Tactical Radio Communications Systems
Q--quarter
RAU--Radio Access Unit
Recap--Recapitalization
RETRANS--Retransmission Team
RFQ--Request for Quote
RPG--Rocket Propelled Grenades
SBCT--Stryker Brigade Combat Team
SBCT-3--Third Stryker Brigade Combat Team
SCA--Software Communication Architecture
SETAF--Southern European Task Force
SINCGARS--Single Channel Ground to Air Radio System
SSL--Secure Socket Layer
TACSAT--tactical satellite
TOC--Tactical Operations Center
TRCS--Tactical Radio Communications Systems
U.S.--United States
USARHAW--U.S. Army Hawaii
USARJ--United States Army Japan
WIN-T--Warfighter Information Network--Tactical
COPYRIGHT 2003 U.S. Army Signal Center
COPYRIGHT 2004 Gale Group