Thursday, January 17, 2013

Real OPSEC, Real Training-A Lesson From the Cold War

Operations Security (OPSEC) is a great tool to help protect sensitive information. The five-step process is an outstanding resource and exercise to determine exactly what should be protected and how to do it. Understanding OPSEC and its application to a program, event or activity empowers the user to control information.

Having said that, many organizations miss the mark on OPSEC and security training. Too many times OPSEC is nothing more than a “bumper sticker” slogan, meaning that if we invoke the magic words, we’ll be fully protected. However, nothing could be more harmful.

Here are a few examples of misguided OPSEC training from various security and OPSEC seminar and training venues. The word OPSEC was used many times, but the application and relevance never connected. In one event, OPSEC meant not throwing away your plane tickets because a dumpster diver going through your home garbage would know that you had recently traveled. At another venue, attendees were told not to use family stickers or names on their cars because kidnappers would take their children. At another event, others were taught to never, ever, EVER have a Facebook account because it would jeopardize national security. There are many more examples, not including the many posters with other irrelevant OPSEC slogans.

Though there is nothing inherently wrong with helping employees protect their families and homes, it has nothing to do with protecting sensitive parts of a program or mission. Such training could result in employees losing focus on what is important.

Okay, before you get upset with me for raining on the OPSEC parade, a little background is necessary. I’m a cold warrior. I served in Germany in the 80s when a threat was just behind the Iron Curtain. At the time we were well trained in what we could write home about, what we could say on the phone, and how to communicate our mission when we went on training exercises.

At the time OPSEC practitioners understood that soldiers traveled, communicated, and performed their duties in very public settings. However, they knew to focus protection efforts on what was not so visible. It was well worth the effort to train on how to determine what was sensitive and how to communicate effectively without giving the sensitive information away. So, they applied the Five Step OPSEC Process:

  • Identify Information You Want to Protect: Testing a Big Cold War Antenna
  • Analyze the Threat: Cold War Bad Guys Looking at Our Capabilities
  • Analyze Vulnerabilities: Antenna Can Be Seen From Several Miles Away
  • Assess Risk: If Cold War Bad Guys See Our Antenna, They’ll Understand Our Capabilities
  • Apply Countermeasures: Erect Antenna Only On A Military Base And At Night, Don’t Discuss Antenna Or Mission Parameters Outside Of The Office, Etc.

This OPSEC assessment might be a little oversimplified, but it hopefully relays the intent of good OPSEC training. In many venues, OPSEC training seems to teach risk avoidance, seemingly ignoring the first step of the OPSEC process. Instead of identifying information to protect (critical information), we ask everyone to stay off the internet or we direct training to protecting our homes and families. We never hit the essence.

These lessons also propose that security and OPSEC professionals go against enterprise policy. For example, I attended training where the instructors made comments such as “I hope you are not still using a mailbox” and “You and your cleared employees should NEVER use (insert your favorite social network: Facebook, LinkedIn, Twitter, etc.).” However, this is conflicting advice, as almost every government agency and defense contractor has a social network page. Enforcing such policy would go against existing enterprise practices. A security practitioner could never enforce it and would instantly lose credibility.

So, why not take a lesson from the Cold War and get back to basics? It’s better to understand what OPSEC is and identify and mitigate risks. Otherwise we lose focus and credibility by not assessing and protecting what is important.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.
