Command Indoctrination Operations Security (OPSEC)

Operations Security Operations Security (OPSEC) is a process that identifies unclassified critical information (CI), outlines potential threats and the risks associated and develops countermeasures to safeguard critical information. Success of operations depends on protection of CI. Operations Security: 1. A systematic, proven process by which a government, organization, or individual can identify, control, and protect generally unclassified information about an operation/activity and, thus, deny or mitigate an adversary's/competitor's ability to compromise or interrupt said operation/activity (NSC 1988). 2. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to (a) identify those actions that can be observed by adversary intelligence systems, (b) determine indicators adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation (DOD JP 1994; JCS 1997). Operations Security process: An analytical process that involves five components: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures (NSC 1988). Source: http://www.ioss.gov/glossary.html#o

OPSEC A 5 step process that … Identifies, controls and protects sensitive, critical unclassified information about a mission, operation or activity Assesses potential threats, vulnerabilities, and risk Utilizes countermeasures to mitigate an adversary's effectiveness against a friendly operation Operations Security process: An analytical process that involves five components: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures (NSC 1988). OPSEC is centered around accepting a level of Risk (Risk-based decision process). Go through the five steps We all posses critical information, on a personal level (PII) and professional level in our jobs Its important to know and understand the threat. It can be a military organization, foreign intelligence agency or even the local thief. There is never a “zero” vulnerability, but protecting CI from the Threat makes you less vulnerable We’re always at risk in our lives, but by reducing your vulnerabilities, you can reduce your risk Employ countermeasures to reduce your risk.

Threat Capabilities and intentions of an adversary to undertake any action detrimental to the success of friendly activities or operations. Conventional Threats Military opponents Unconventional Threats Terrorism (foreign and domestic) Hackers Insiders (Spies) Thieves, stalkers, pedophiles Ask yourself, how could any one on this list be called an ‘adversary’? Do they have, intentional or unintentional motives, the capability to collect information on you/your organization, that you wouldn’t want them to know? Threats can be your conventional military opponent, or the more unknown, unconventional threats like terrorists, hackers, insiders (known or unknown), thieves, stalkers, pedophiles. Many people do not view the unconventional threats as actual threats until a terrorist attack happens, they’ve been hacked or had their credentials stolen, or one of their children were stalked by a pedophile. Threat information can be obtained from either a command’s N2 shop or any local NCIS area office. Much of what NCIS provides in the US is available from the NCIS MTAC site or other on line sites.

What are they looking for? Names, photographs of important people Present/future operations Information about military facilities: Location Number of personnel Ammo depot locations Dates and times of operations Family details Spouse, children Location of work, school Adversaries (threats) are always gleaning information from the military and it’s personnel. Some information may seem very mundane, but remember each piece of information actually does paint a clearer picture for the adversary. Even though much of our information is readily available on the internet, it does not mean we should confirm the information or provide additional personal information to the public. Think before posting. Official shipboard social media sites can also reveal ship operations over a period of time. Remember data aggregation issues.

Critical Information Information we must protect to ensure success Information the adversary needs to prevent our success Capabilities Operations Personnel Security procedures Critical Information (CI) as it pertains to OPSEC is detail specific, unclassified information that an adversary needs to obtain to act against an individual or unit. For example, the watch rotation of a unit, while not classified information, is vital to the security posture and is a detail that should be protected. Critical information: Specific facts about friendly (e.g., U.S.) intentions, capabilities, or activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for accomplishment of friendly objectives. Source: http://www.ioss.gov/glossary.html#c

Personal Critical Information Some examples of critical information that apply to your family life: Names and photos of you and your children Usernames and passwords Length and location of spouse’s deployment Social Security Numbers Credit card/banking information Significant dates (birthdays, anniversaries) Addresses and phone numbers Everyday schedules Travel itineraries We all possess critical information. Don’t just think about operations, but also your personal lives and what unclassified critical information you protect on a day-to-day basis. For example, you do your best to protect your SSN or your banking PINS – yet none of this information is classified.

Indicators Friendly, detectable actions that reveal critical information and vulnerabilities Longer working hours Rehearsals Sudden changes in procedures Onloads Large troop movements Emblems/logos Routine predictable procedures Not all indicators are bad Indicators are friendly detectable actions that reveal critical information, which then leads to vulnerabilities. For example, huge stores on-loads on a pier could indicate a ship getting underway for a major deployment. Twenty busses full of Marines departing Camp Pendleton could indicate an amphibious deployment. On a personal note, grass not cut and mail piling up on the door step could indicate no one is home. Avoid indicators. Not all indicators are bad. That ADT sign in the front yard indicates a house that is alarmed, whether or not it even works. That one indicator could potentially keep a thief (adversary) from hitting your home.

Avoid Indicators Common indicators: Uncut grass Mail piling up Family composition CO of a nuclear powered aircraft carrier Etc.

Data Aggregation Information collection from multiple sources Open source collection provides enemy most of their intelligence Manchester Document: 80% of information collected is done so legally Internet Trash Media Small details put together give big picture Many do not understand how easy it is to aggregate information on the internet. There are several hundred search engines available, all providing different types of aggregation software. Google is perhaps the most popular. Understand the aggregation issues. And once again, for information that is already made public, there is no reason to verify the information by posting additional details about missions or personal information.

Vulnerabilities Weakness the adversary can exploit to get CI Some common vulnerabilities are: Lack of awareness Social media Social engineering Data aggregation Technology Trash Poor policy enforcement Unsecure communications Predictable actions/patterns Vulnerability: A weakness the adversary can exploit to get critical information. A vulnerability is anything that makes your critical information susceptible to intelligence collection. Your Essential Elements of Friendly Information (EEFI) or CI list, threat analysis, and considering the adversaries perspective will point to the vulnerabilities in the planning process Some of the most common vulnerabilities: Lack of awareness. Many just are not aware of the vulnerabilities when posting information Social media. There are billions of users, and none of the sites are 100 percent secure. Essentially, you could be posting information to billions Social engineering. We are naturally friendly and like to talk about our work or personal experiences. Don’t share this information with strangers, regardless of home harmless they may seem. Understand the aggregation issues and how the internet/world wide web makes it easy Technology. For every new gadget that’s developed, you can be sure there is a vulnerability associated with it. Trash. Be sure to shred/burn all personal of official correspondence, to include junk mail Poor policy enforcement. Policies are only as good as how they are enforced. An all shred policy is great as long as everyone participates. No cell phone policy in the spaces for security purposes must be enforced. Many people think cell phones are secure. Most methods of communications used today are not secure Don’t be predictable.

Risk The probability an adversary will gain knowledge of your CI and the impact if they are successful Impact: How much will it cost if your CI is lost? Lives Mission Money Time How much are you willing to risk by displaying this indicator or not correcting that vulnerability? Risk is the probability an adversary will gain knowledge of your critical informaton and the impact it will have on your mission if they are successful. When assessing Risk, you must think about how it could impact the lives of personnel, the mission, how much the organizations stands to lose in money, and finally time lost as a result of the mission being impacted. Bottom line up front: Commanders have to decide what level of risk they are willing to accept if their critical information is exploited and acted upon.

Countermeasures Anything that effectively negates or reduces an adversary's ability to exploit vulnerabilities or collect & process critical information Hide/control indicators Vary routes Modify everyday schedules Influence or manipulate an adversary’s perception Take no action React too late Take the wrong action You may require multiple countermeasures to reduce risk to an acceptable level. One countermeasure may work for more than one vulnerability. Countermeasures are not always required. The use of countermeasures are determined by the decision maker after an assessment has been completed. Good countermeasures may include: Hide/control indicators: don’t give away clues Reduce signatures: change things that stand out- don’t let the adversary interpret your indicators Procedural changes: Reduce your predictability by changing the process Planning options: OPSEC is applicable all of the time, but is most effective when implemented in the planning phase.

RECOMMENDED Command OPSEC Team OPSEC Program Manager (PM): Assistant OPSEC PM: Working Group Members Public Affairs: Web Master: N1: (Name) N7: (Name) N2: (Name) N8: (Name) N3: (Name) N9: (Name) N4: (Name) N5: (Name) N6: (Name) RECOMMENDED Command OPSEC programs typically consist of an OPSEC Program Manager and an Assistant. These individuals should be appointed by the CO in writing via a letter of designation. Working group member should be assigned from each department, depending on how the command is organized. It is also recommended to include the security manager, public affairs officer, web master and anyone else who projects or protects command information. Working groups assist the PM and Assistant in facilitating the command OPSEC program as well as conducting training and annual assessments.

RECOMMENDED E X A M P L E Need to know CMDINST 3432.1A OPSEC Command Critical Information: Capabilities / Limitations Current Operations ETC. Realistic Threat RECOMMENDED E X A M P L E All command members should be familiar with the command policy/instruction on OPSEC. OPSEC applies to everyone….similar to safety. They should also know what the command’s critical information is as well as the most realistic threat. Everyone should know what information to protect (CI) and who to protect it from (Threat)

Summary OPSEC five step process Command OPSEC Team Command Instruction Command Critical Information

Questions