Operations Security

Course Welcome

The purpose of this course is to provide you with an understanding of and the key actions to take to ensure operations security.

Upon completing this course, you should be able to:

  • Define operations security (OPSEC).
  • Identify the five steps of the OPSEC process.
  • Describe common collection methods.
  • Identify indicators of potential espionage.
  • Describe countermeasures that can help maintain operations security.

 

Operations Security

Most of us go about our daily work without access to any sensitive or classified information. However, our adversaries may still be interested in the information in your workplace.

An Al Qaeda terrorist handbook highlighted the fact that Al Qaeda could get 80 percent of the information they needed from public sources. They were seeking information about things such as: transportation systems, city and town plans, pedestrian centers, security organizations, and government agencies. By gathering this knowledge, Al Qaeda believed they could use the information in potential attacks.

Operations security is the process through which we work to deny our adversaries access to this critical information and protect our sensitive activities and operations. This course will provide you with an understanding of operations security and key actions you can take to protect our country.

 

What Is Operations Security?

Operations security (OPSEC) is an analytic process by which an organization can deny potential adversaries access to unclassified (critical, sensitive) information by protecting evidence of the planning and execution of sensitive activities and operations.

Intelligence collection is much like assembling a picture puzzle. Little bits of information or “pieces” can form an overall picture. The goal of OPSEC is to deny an adversary pieces of the intelligence puzzle.

 

Importance of Operations Security

Operations security:

  • Prevents information from getting into the wrong hands.
  • Reduces risk associated with mission vulnerabilities.
  • Protects unclassified critical information.
  • Provides protection for our personnel, our operations, and our other assets.

 

Origins of OPSEC

The underlying principles of OPSEC have existed in governments throughout history. However, OPSEC as a methodology originated during the Vietnam War. A small group of individuals was assigned to find out how the enemy was obtaining advance information on certain combat operations.

This team was given the code name “Purple Dragon.” The group analyzed U.S. operations from an adversarial viewpoint and coined the term “Operations Security.”

A purple dragon often symbolizes OPSEC activities.

 

Operations Security Process

The five-step operations security process includes:

Diagram depicting OPSEC’s five-step process: 1. Identify Critical Information; 2. Analyze Threat; 3. Analyze Vulnerability; 4. Assess Risk; and 5. Apply Countermeasures

 

Step 1: Identify Critical Information

First, identify critical information and practices that require protection. This information, if available to adversaries, could harm an organization’s ability to carry out operations or activities.

Questions to ask include:

  • What do you want to protect? 
  • Why do you want to protect it?
  • Is it governed by a regulatory requirement? 
  • Can it be defined as Sensitive Security Information?

 

Examples of Critical Information

Examples of potential critical information:                

  • Operations planning information
  • Travel itineraries
  • Passwords
  • Inspection results
  • Budget information
  • Entry/exit security procedures

 

Step 2: Analyze Threat

The next step is to determine who your adversaries are and what information they might wish to acquire.

There are two elements of threat that must be analyzed and addressed:

  • Intent, and
  • Capability.

Questions to ask include:

  • Who would potentially want our information or knowledge of our practices? 
  • Is there more than one adversary? 
  • What is their objective?
  • What will they do to get to our sensitive information? 
  • What methods will they use to get it?

 

Step 3: Analyze Vulnerability

The third step looks at vulnerabilities, direct and indirect, that impact each step of operations. It is important to look at how things actually work rather than how people think things work, or would like things to work.

Questions to ask include:

  • Are our badges easily duplicated?
  • How is our information vulnerable? 
  • How is it protected or not protected? 
  • Is it properly protected?

Examples of vulnerabilities:

  • Critical information posted on the Internet.
  • Non-secure communications.

 

Step 4: Assess Risk

At this stage, you should evaluate the risk to your operation or activity. The costs associated with fixing the vulnerability must be weighed against the cost of loss of data and potential consequences.

Risk is determined by analyzing three factors:

  • Threat,
  • Vulnerability, and
  • Consequence.

Questions to ask include: 

  • What would be the cost of losing sensitive information?
  • Is the risk great enough to do something about the threat?
  • How would the loss of sensitive data affect our operations? 

 

Step 5: Apply Countermeasures

Countermeasures involve physical, information, and other security disciplines and practices that help to safeguard our personnel, assets, facilities, and information against threats. What countermeasures will block access to your information? You should adopt measures specific to your operation.

Examples of countermeasures:

  • Limit Web page access.
  • Shred sensitive hard copy.
  • Sanitize bulletin boards.
  • Monitor public conversations.
  • Do not use email to discuss sensitive operations.
  • Provide/complete training and heighten awareness.

 

Think Like Your Adversary

In essence, the operations security process involves placing ourselves in the adversary’s position and taking a look at our operations through their eyes to better judge what needs to be done to prevent knowledge of our operations.

 

The OPSEC Mission: Offensive and Defensive

The mission of OPSEC is comprised of both offensive and defensive measures.

The defensive mission of OPSEC is to protect the Nation’s assets against foreign intelligence penetration. 

The offensive mission is to determine what our adversaries are planning and prepare to defeat their aims.

 

Goals of Adversaries

Foreign and domestic adversaries may:

  • Attempt to collect information about our plans, technologies, activities, and operations.
  • Conduct covert influence operations to distort any information we may gather.
  • Seek to detect, disrupt, and counter our national security operations.
  • Acquire technology and information that will enhance their capabilities or their economic well-being.

If adversaries must work harder to get the information they need to plan their attacks, perhaps it will result in their activities being more susceptible to detection.

 

Think Like Your Adversary

Think through possible strategies your adversaries might use. You should:

  • Identify common collection methods.
  • Examine foreign espionage possibilities.
  • Evaluate insider threats (domestic espionage).

 

Common Collection Methods

Some common methods used to gain information about personnel and operations include:

  • Dumpster diving
  • Unsolicited email
  • Chat rooms
  • Electronic interception
  • Hacking
  • Eavesdropping
  • Elicitation
  • Visits

 

Elicitation

Elicitation is a frequently used technique to subtly extract information about you, your work, and your colleagues. Pieces of information collected, classified or not, during conversations may be useful to an adversary.

 

Visitors

Visitors to a facility may:

  • Ask probing or intrusive questions, seemingly as part of the normal course of conversation, in an attempt to elicit information.
  • Separate themselves from the main party. Once alone they will walk the halls or enter offices attempting to gather as much information as they can from bulletin boards, cubicles, etc.

 

Foreign Espionage

Foreign governments may gain access to information through the use of spies, both inside and outside of an agency. Government employees can be prime targets as potential recruits because they may have access to classified or sensitive information.

Even family or friends of employees may be viewed as a means to gain access to targeted persons, activities, and information.

 

Insider Threats/Domestic Espionage

Experts say that nearly 75 percent of security breaches are “inside jobs.”

Personnel engage in espionage for a variety of reasons, the most prevalent being financial. Possible espionage indicators include:

  • Foreign travel. If an employee frequently engages in unreported overseas travel, he or she might have an ulterior motive; for example, to transport information to a foreign entity.
  • Unexplained affluence, if a person appears to be spending in excess of his or her salary.
  • Excessive voluntary overtime or working during non-routine hours. An employee may volunteer to work nights and weekends to avoid having other personnel in the area to witness his or her activities.
  • Attempts to expand access to sensitive or classified information. If an employee continually attempts to gain access to information for which he or she does not have a valid need to know, it may be an indicator of espionage activity.
  • Voluminous reproduction of documents. If an employee spends an inordinate amount of time at the copying machine, it may be wise to question why he or she needs so many copies of documents, particularly if they are sensitive or classified.

 

The Unwitting Insider

There is one other type of insider. This is the “unwitting” insider – a trusted employee who is tricked into assisting in an attack or a security breach.

For example, an employee might find a USB thumb drive in the break room. Attempting to be helpful, this employee might plug it into his or her computer to identify the owner. Once the drive is plugged in to the computer, it releases malicious software that then transmits information.

 

The Untrained Employee

Untrained or poorly trained employees are often involved in the accidental release of information. Examples include the:

  • Employee who writes his password on a self-stick note and keeps it under his keyboard.
  • Worker who forwards sensitive information to her home computer.
  • Polite employee who neglects to challenge unescorted workers wandering through the work area.

 

Example: Presidential Itinerary

In 2006, a sanitation worker found President Bush’s detailed travel itinerary for a trip to Florida in the general trash. The itinerary included detailed flight information, lists of passengers on each plane, and the order of vehicles in the motorcade.

 

Operations Security Countermeasures

Make security part of your everyday routines by doing the following:

  • Be aware of sensitive and critical information.
  • Do not discuss official business in public.
  • Use good cyber security techniques.
  • Report all security issues promptly.
  • Report contacts on travel.
  • Conceal your ID badge and affiliation when out in public.

We will look at each of these countermeasures in more detail.

 

Be Aware of Sensitive and Critical Information

When engaging in conversation, be careful not to divulge information that the person does not have a need to know.

Remember that an elicitation technique is to try to engage you in conversation, making you feel comfortable, then attempting to gain information from you when your guard is down. You are under no obligation to answer questions that make you feel uncomfortable. You can ignore the question, provide nondescript answers, counter with a question of your own without probing them for information, or change the subject.

Be especially wary of personal questions about yourself or colleagues.

 

Do Not Discuss Official Business in Public

If you are engaged in discussion with an authorized person and the discussion pertains to sensitive information, be aware of who can overhear your conversation, especially in non-secure locations. Sometimes it is better to wait until you can move to a more secure location before sharing the information.

 

Use Good Cyber Security Techniques

These techniques include:

  • Using strong computer passwords and changing them often.
  • Not opening unsolicited email attachments.
  • Not introducing wireless risks to networks.

 

Report All Security Issues Promptly

You are responsible for reporting any suspicious activities that you encounter or are aware of in the workplace. Some examples of suspicious activities include:

  • Unauthorized intrusion into APHIS information systems, whether classified or unclassified.
  • Unauthorized transmission of information.
  • Attempts to bypass information security system security devices.
  • Unauthorized discussion of sensitive or classified information.

 

Report Contacts on Travel

If you have Sensitive Compartmented Information (SCI) access, there are specific requirements for reporting your travel to any foreign country for any length of time. Please check with your security officer for details. All personnel, with or without a security clearance, need to report certain activities when returning from a visit to a foreign country, including:

  • Requests from foreign nationals for information such as personal, sensitive, or classified information.
  • Contact with a known or suspected intelligence officer.
  • Activities related to planned or attempted terrorism, sabotage, or subversion.

 

Conceal Your ID and Affiliation

When out in public, do not display your work ID badge.

Close