OPSEC — Not Just for the Military

Try It at Work and Home!

OPSEC. For those of you who may have served in the military, that word may bring up a mix of emotions. Boring mandatory lectures, online slide shows you were forced to click through, faded OPSEC posters in your workspace. Or, even if you weren’t in the military, you may have heard that word in a movie or TV show. But just what is OPSEC?

OPSEC stands for Operations Security. According to the National Security Agency’s declassified history of the United States’ OPSEC program, OPSEC originated from the need for military commanders to maintain secrecy on their soldiers’ movements. In American history, the first example of keeping our troop movements secret was General Washington’s crossing of the Delaware River to attack British General Rall’s soldiers.

But it wasn’t until the Vietnam War that the US military made a concerted effort to review their information security as their failures mounted. Military analysts believed that the North Vietnamese were not engaging in significant direct espionage nor were they decoding their military encryption. The only source of information that was left were America’s military personnel.

Operation Purple Dragon was formed to test that theory. The operation was a “success” in that the military confirmed that the North Vietnamese was gathering information piecemeal from various sources such as flight plans filed with civilian air traffic control, information found in trash cans and overhearing conversations in bars and restaurants.

Lesson Learned: Secure your information

As a result, the military realized that even routine administrative and unclassified communications can contain valuable information for an adversary. To correct this, the military began to compile a list of what sort of information is sensitive. Once they figured out what they wanted to protect, then they figured out ways to protect that information.

So what information is important to you or your employer? In the Homeland Security Enterprise, there could be dozens of categories of information you may need to protect. Personally identifiable information (PII) is a common source of sensitive information that agencies and companies are legally bound to protect. One of the most recent examples of a major loss of PII was the hack of the Office of Personnel Management’s (OPM) database. It was reported that hackers removed over 20 million records of current and formal Federal employees’ and contractors’ personal information. And this information was not just date of birth, social security number and address. This hack also removed information about people’s family, colleges, debts, personal family issues and foreign contacts as well as over 5 million fingerprint records.

While that example is on the catastrophic end of the spectrum, think of other types of information that could compromise your Homeland Security mission. For police departments, vehicle repair invoices might reveal the identity of undercover officer’s vehicles. For emergency medical agencies, a compromise of patient records could expose you to liability. Even if you don’t work for a Homeland Security agency or the government, there is probably sensitive information that you do not want to get out.

Chew on this: Have you ever seen an iPhone before Apple reveals it?

Ok, great. But that sounds like a lot of work.

OPSEC is not some extremely complex program. In fact, you’ve probably been practicing OPSEC since you were a child. Did you ever try to steal a cookie and hide it somewhere? Did you make sure that your siblings didn’t see you take it? That’s OPSEC! As a teenager, you probably became a master of OPSEC and didn’t even know it. If there was a party, can you think of someone you didn’t tell because you knew that person would talk openly about the location? If you stayed out late past curfew, did you make sure that you didn’t leave your laptop behind with incriminating emails open on the screen about where you were going?

You knew you had valuable information (the fact that you had a cookie, the location of the party or you were breaking the rules), you identified your adversary (your parents) and you took active measures to ensure that the information stayed out of your adversary’s hands (you controlled the information and did not release it to non-approved parties).

OPSEC at Home

As an adult, you (hopefully) don’t need to hide your cookies or your parties from your parents. But you probably still have information you want to keep safe. Besides the common recommendations of securing and cross cut shredding your important documents and safe cyber practices on the computer, are there other ways you are letting your information “leak” into the world?

Great, now the house is empty!

Think of the information that you reveal on social media. Do you post from the airport on the first day of your vacation? As a bad guy, that’s great information. You’ve just informed many that you won’t be home! So why post while you’re gone? Can’t it wait until you get home?

What about your personal car? What does your car “say” about you? Maybe we can use that information to lower your guard. Hey, you’re a Texas longhorn too!? Or maybe we’ll use it to target your car for theft or vandalism. Thin blue line sticker? Maybe there’s a gun in there or we’ll just flatten the tires.

OPSEC is easy. Think about the information a bad guy could want and ways he could get it. Then take the appropriate precautions to secure it. Just don’t make your family sit through any PowerPoints.

WeSeeHSE: Seeing, Sharing, Informing