It’s All OPSEC

     “That’s not OPSEC.”  The scene is day one of an OPSEC assessment.  This is my first time out with this team so I’m still trying to feel out how they go about the process.  While the team is in the badge office waiting for badges I notice there is a computer screen with red “SECRET” stickers top and bottom facing the gathered group at the customer service desk.  Mind you, we’re not the only ones there trying to gain facility access.  Among those waiting with us were gardeners, janitors, plumbers and other uncleared day workers.  So, I turn to one of the senior members of the team and mention that we should identify this in our report and was told, “That’s not OPSEC.”  While I didn’t want to get deep into what is and isn’t “OPSEC” I did mention that I thought we had a responsibility to the office supervisor to tell him that he should turn that screen around, and keep it turned around, so that uncleared couldn’t possibly see potentially “SECRET” information.  I was told in no uncertain terms that this was not “OPSEC” and therefore not our responsibility.  The Assessment Chief later corrected this problem but the individual in question never once wavered from his stance.

     So what is OPSEC?  Is anything OPSEC?  A strong case can be made that every item in an OPSEC Assessment report can be traced back to requirements of some other security program.  The scenario above was clearly a Computer Security issue but it is also an Information Security issue.  FOUO in the trash? - Information Security.  Not locking your computer screen when you leave your desk? - Computer Security.  Privacy Act info in the recycle? - Information Security.  Allowing people to piggyback into the facility? - Physical Security.  Organization member talking about sensitive information during a speech at a conference or putting sensitive information in a professional publication? - Information Security.  Talking around sensitive or classified on the phone or email? - Communications Security, Computer Security, Information Security.  Cell phone in a secure area? - Physical Security.  Public release of new product or emerging technology? - Information Security, Personnel Security.  Give long-time visitors the safe combo and then don’t change it when they leave?  Catching on yet?

     There are many more examples I could give but hopefully you get the point.  On the other hand, did you think of instances that weren’t covered by my examples?  What about always marshaling convoy vehicles at the same time in the same place?  What about using the same routes?  What security program covers mission or business indicators?  Who is the security rep responsible when your unit doesn’t have a program in place to change its call-signs?  What program do you call on to stop the intel dissemination capabilities of the spouses club?

     I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team.  Bottom line: Our job is to make our unit or company more secure.  And we don’t do this by arguing over whether a vulnerability, indicator or security violation is OPSEC or not.  See a problem - fix a problem.

One last thought - if you see me at the National Conference and I hear you say “That’s not OPSEC” - you owe me a cold one.

Keep the faith!

Revelator

    

One Response to “It’s All OPSEC”

  1. Frank Koza says:

    Quote: “I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team.”

    Well, I certainly hope I’m that one who doesn’t agree. You are absolutely right in the first paragraph about you having a responsibility to report a potential Info Security program violation like the one you saw, but that does not make it OPSEC and your responsibility ends there.

    IMHO, this is the downfall of many an OPSEC program, and one of the main reasons why there is such a dearth of in-depth risk analysis going on out there. Too many people have been trained to keep themselves busy picking the ‘low hanging’ fruit, identifying obvious violations to other security programs and calling it OPSEC. This is exactly why so many items in an OPSEC assessment report can be traced back to other programs while saying that was an OPSEC job well done. The problem is, there is often little OPSEC analysis going into the process.

    As OPSEC professionals we absolutely MUST consider the capabilities and intent of the threat along with the magnitude of impact to our mission or operation should they gain critical information or observe operations indicators. But that’s not all. We also have to consider the probability of the threat gaining, processing, and exploiting that information in time to affect the mission.

    So many times I see the worst case scenario identified. That’s like saying if you and I were in a room, I could punch you in the nose. Put that in your OPSEC report and recommend the protective measure of you wearing a full face helmet when I’m around. Well, the probability of me punching you in the nose is not very high so that would be a waste of your money besides being a huge inconvenience… Now the probability of me goading you into buying me a drink at the bar is very high, so be sure to leave your cash and credit cards at home. /me winks….
