OPSEC OPSEC

Operation NameOperation Name

SGT Artemis O’Conan SGT Artemis O’Conan

Operations CenterOperations Center

80%+ of all intelligence is from unclassified 80%+ of all intelligence is from unclassified sourcessources

Tidbits of information are pieces of a puzzleTidbits of information are pieces of a puzzle

Even Even youryour tidbits help complete the picture tidbits help complete the picture

Objective: make yourself & your mission the hard target. Let the bad guys find a softer target somewhere else!

Information and Value

Foreign NationalsForeign Nationals Drug CartelDrug CartelTerroristsTerrorists HackersHackers CriminalsCriminals

The Adversaries

You and Your FamilyYou and Your Family

Your Friends & Neighbors Your Friends & Neighbors

Your fellow soldiersYour fellow soldiers

Your JobYour Job

Your MissionYour Mission

Your UnitYour Unit

Your CountryYour Country

“The Manchester Document”A Terrorist Handbook

Consider YOURSELF a Target

So What Is OPSEC?So What Is OPSEC?“Operations Security”“Operations Security”

OPSECOPSEC deals primarily with protecting sensitive but deals primarily with protecting sensitive but unclassified information that can serve as unclassified information that can serve as

indicators about our indicators about our missionmission, , operationsoperations and and capabilitiescapabilities

A Five Step ProcessA Five Step Process 1. Identify 1. Identify Critical InformationCritical Information (CI) (CI) 2. Analyze the threat to the CI2. Analyze the threat to the CI 3. Determine OPSEC vulnerabilities3. Determine OPSEC vulnerabilities 4. Determine the acceptable level of risk 4. Determine the acceptable level of risk 5. Implement appropriate countermeasures5. Implement appropriate countermeasures

The OPSEC ProcessThe OPSEC Process

COUNTERMEASURECOUNTERMEASUREAPPLICATIONAPPLICATION

CRITICAL CRITICAL INFORMATIONINFORMATION

THREAT THREAT ANALYSISANALYSIS

VULNERABILITY VULNERABILITY ANALYSISANALYSIS

RISK ASSESSMENTRISK ASSESSMENT

PROGRAM REVIEWPROGRAM REVIEW

You already practice OPSEC at You already practice OPSEC at homehome

When most of us leave home for vacation, we When most of us leave home for vacation, we take actions to protect our homes while we’re take actions to protect our homes while we’re away.away.

We may:We may: Stop newspaper deliveriesStop newspaper deliveries Have the yard mowedHave the yard mowed Buy light timersBuy light timers Have a neighbor get the mailHave a neighbor get the mail In short, we want our houses to look like In short, we want our houses to look like

someone is homesomeone is home

What is Critical Information?What is Critical Information?

Critical Information (CI) is information which Critical Information (CI) is information which can potentially provide an adversary with can potentially provide an adversary with knowledge of our intentions, capabilities or knowledge of our intentions, capabilities or limitations. It can also cost us our technological limitations. It can also cost us our technological edge or jeopardize our people, resources, edge or jeopardize our people, resources, reputation and credibility. reputation and credibility.

Controlled unclassified information, is often Controlled unclassified information, is often

identified as Critical Information.identified as Critical Information.

Information DesignationsInformation Designations

For Official Use Only (FOUO)For Official Use Only (FOUO) Sensitive But Unclassified (SBU)Sensitive But Unclassified (SBU) Law Enforcement Sensitive (LES)Law Enforcement Sensitive (LES) Trusted Agent – Eyes Only, etc.Trusted Agent – Eyes Only, etc.

Control of Critical Control of Critical InformationInformation

• Regardless of the designation, the loss or compromise of Regardless of the designation, the loss or compromise of sensitive information could pose a threat to the sensitive information could pose a threat to the operations or missions of the agency designating the operations or missions of the agency designating the information to be sensitive.information to be sensitive.

• Sensitive information may not be released to anyone who Sensitive information may not be released to anyone who does not have a valid “does not have a valid “need to knowneed to know”.”.

Examples of Critical Examples of Critical InformationInformation

Where are the TXSG Soldiers living during the Where are the TXSG Soldiers living during the deployment deployment

What is the make and model of the soldiers vehiclesWhat is the make and model of the soldiers vehicles

What is the capabilities of the OperationWhat is the capabilities of the Operation

What type of technology does the Operation haveWhat type of technology does the Operation have

Who are participationsWho are participations

Location of law enforcement Location of law enforcement

Locations of ResourcesLocations of Resources

The ThreatThe Threat

Others constantly study us Others constantly study us to determine our weaknessesto determine our weaknesses

Their Tools:Their Tools: HUMINTHUMINT

Human Intelligence Human Intelligence SIGINTSIGINT

Signals IntelligenceSignals Intelligence COMMINTCOMMINT

Communications IntelligenceCommunications Intelligence ELINTELINT

Electronic IntelligenceElectronic Intelligence Many more “INTs”Many more “INTs”

HUMINT – You could be a HUMINT – You could be a target!target!

Watch what you say to:Watch what you say to: The public/mediaThe public/media FriendsFriends Professional Colleagues in and outside of TXSGProfessional Colleagues in and outside of TXSG

Places to be especially waryPlaces to be especially wary At schoolAt school Bars and restaurantsBars and restaurants Conventions/symposiumsConventions/symposiums

Don’t try to impress people with your knowledgeDon’t try to impress people with your knowledge Loose Lips Sink Ships!Loose Lips Sink Ships!

SIGINT, COMMINT, ELINTSIGINT, COMMINT, ELINT

TXSG is perform a non-combat TXSG is perform a non-combat military missionmilitary mission and is and is operating operating on state communications systemson state communications systems

TXSG is being entrusted with more sensitive information TXSG is being entrusted with more sensitive information than you may thinkthan you may think

Don’t assume we’re immune because we’re out of the Don’t assume we’re immune because we’re out of the mainstream presence mainstream presence

For that reason we can actually be For that reason we can actually be MOREMORE vulnerable vulnerable Watch what you transmit on:Watch what you transmit on:

Radios, phones, Fax, and emailRadios, phones, Fax, and email

Marking DocumentsMarking Documents

Documents containing FOUO info should be markedDocuments containing FOUO info should be marked

UNCLASSIFIED//FOR OFFICIAL USE ONLYInformation contained in this document is designated by the

State of Texas as For Official Use Only (FOUO) and may not be released to anyone without the prior permission of the and/or

the

Documents containing LES info should be markedDocuments containing LES info should be marked UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE

Information contained in this document is designated by theState of Texas as Law Enforcement Sensitive (LES) and may

not be released to anyone without the prior permission of the and/or the

Marking DocumentsMarking Documents

Material other than paper documents (for example, Material other than paper documents (for example, slides, computer media, films, etc.) shall bear markings slides, computer media, films, etc.) shall bear markings that alert the holder or viewer that the material contains that alert the holder or viewer that the material contains FOUO or LES information. FOUO or LES information.

Each part of electrically transmitted messages Each part of electrically transmitted messages containing FOUO of LES information shall be marked containing FOUO of LES information shall be marked appropriately. appropriately.

Protection of FOUO & LES Protection of FOUO & LES InformationInformation

FOUO & LES information should be stored in locked FOUO & LES information should be stored in locked desks, file cabinets, bookcases, locked rooms, or similar desks, file cabinets, bookcases, locked rooms, or similar items, unless Government or Government-contract items, unless Government or Government-contract building security is provided.building security is provided.

FOUO & LES documents and material may be FOUO & LES documents and material may be transmitted via first-class mail, parcel post or -- for bulk transmitted via first-class mail, parcel post or -- for bulk shipments -- fourth-class mail.shipments -- fourth-class mail.

Electronic transmission of FOUO & LES information Electronic transmission of FOUO & LES information (voice, data or facsimile) should be by approved secure (voice, data or facsimile) should be by approved secure communications systems whenever practical.communications systems whenever practical.

It’s Everyone’s ResponsibilityIt’s Everyone’s Responsibility

The purpose of the security program is to protect The purpose of the security program is to protect against unauthorized disclosure of official against unauthorized disclosure of official information. Keep your information secure at all information. Keep your information secure at all times.times.

OPSEC is mostly common sense. If we all take the OPSEC is mostly common sense. If we all take the time to learn what information needs protecting, and time to learn what information needs protecting, and how we can protect it, we can continue to execute how we can protect it, we can continue to execute our mission effectively. our mission effectively.

Disclosure of InformationDisclosure of Information

Disclosure of information, quite simply is when information passes from one party to another.

When dealing with sensitive information, it is the responsibility of the party possessing the information to ensure it is not disclosed to parties who do not have a need for or a right to the information.

Authorized DisclosureAuthorized Disclosure

Disclosure of sensitive information is authorized only when the party receiving the information can be properly identified and has a “need to know.”

“Need to Know” does not mean, because a person holds a high management position, he or she automatically needs access to the information.

Unauthorized DisclosureUnauthorized Disclosure

Unauthorized disclosure of sensitive information is when the party receiving the information does not have a “Need to Know.”

In most cases, unauthorized disclosures are unintentional and due to poor planning or a failure to think by the possessing party.

Unaware of SurroundingsUnaware of Surroundings

One of the leading causes of unintentional disclosures is simply people not being aware of what is happening around them.

Discussing sensitive information when you are unsure or unaware of your surroundings can quickly lead to this information being disclosed to the wrong people.

Awe Of PositionAwe Of Position

We all want to please our commanders, and work very hard each day to do so.

However, even if a superior officer requests something that is sensitive in nature, we must still make sure they meet all the requirements for access to this information just like everyone else.

Unclassified

OPSEC and the WebOPSEC and the Web

Photos (with captions!)

Installation maps with highlights of designated points of interest (sleep/work, CDR, chow hall, etc)

Security Operating Procedures

Tactics, Techniques and Procedures

Our capabilities

The morale of you and the soldiers in your unit

Undermining your senior leadership Sensitive Information?Sensitive Information?

Web Log Vulnerabilities

This photo can be used against us both from the adversary and our own people. Perceptions can be your WORST enemy. If you were a bad guy, could you use this?

A US soldier stands guard as a suspected looter begs to be released after they were caught while fleeing a building on fire in Baghdad, Iraq (news - web sites) Saturday June 28, 2003. The suspects were allegedly looting gasoline from the building. 12-year old Mudhr Abdul Muhsin, bottom, was released later

Web Log Vulnerabilities

COULD YOUR FAMILY BE A A TARGET?

(JOURNAL OF A MILITARY HOUSEWIFE)

INFORMATION WAS OBTAINED FROM A FAMILY WEBSITE:1. HUSBAND’S NAME, HOMETOWN, UNIT,

AND DATES OF DEPLOYMENT.2. PICTURE OF SPOUSE3. EXPECTING THEIR FIRST CHILD ON

DECEMBER 8, 2005.4. BABY SHOWER SCHEDULED FOR

OCTOBER 22, 20055. DATE SPOUSE FAILED HER DRIVER’S

TESTA GOOGLE SEARCH ON INFORMATION

OBTAINED FROM WEBSITE REVEALED:1. SPOUSE’S A.K.A. (Screen Name)2. COUPLE’S HOME ADDRESS3. SPOUSE’S DATE OF BIRTH4. HUSBAND’S YEAR OF BIRTH5. DATE SPOUSE OBTAINED HER DRIVER’S

LICENSE.

Web Log Targeting

Personal web pages can expose something the Personal web pages can expose something the unit would like to protectunit would like to protect

A picture is worth a thousand wordsA picture is worth a thousand words

We enlisted – our families didn’tWe enlisted – our families didn’t

Individuals expose information because:Individuals expose information because:

• They’re proud of their workThey’re proud of their work

• They’re marketing the unit or they want public They’re marketing the unit or they want public supportsupport

• They’re miffed or frustratedThey’re miffed or frustrated

Personal Web Page Vulnerabilities

Lets go GooglingLets go Googling

Time: No more than 10 minTime: No more than 10 min Info: First and Last Name’sInfo: First and Last Name’s Info: RankInfo: Rank

Now let see what we can seeNow let see what we can see

Rank NameRank Name

Who: Who: Home: Home: Hometown: Hometown: Children:Children: E-mail:E-mail:

InterestsInterests Favorite Music: Favorite Music:

Favorite Books:Favorite Books:

Favorite Movies:Favorite Movies:

Favorite TV Shows, Actors: ‘Favorite TV Shows, Actors: ‘

Interests and Activities:Interests and Activities:

AffiliationsAffiliations

Political Affiliation:Political Affiliation:

Religious Affiliation:Religious Affiliation:

Employers:Employers:

Colleges:Colleges:

Major:Major:

High Schools:High Schools:

Other Affiliations:Other Affiliations:

Anything that effectively

negates or reduces an

adversary’s ability to exploit

our vulnerabilities.

If the answer is NO, DON’T PUT IT ON THE WEB!

Countermeasures

Would you want the

enemy to read this?

• Post information that has no significant value to the adversary

• Consider the audience when you’re posting to a blog, personal web page or EMail

• Always assume the adversary is reading your material

• Believe the bad guys when they threaten you

• Work with your OPSEC Officer – follow policies and procedures!

What YOU Can Do

Think like the bad guy

beforebefore you post your

photographs and

information in a blog, a

personal web page, or

in your EMail

Sometimes we can be our own worst enemies

The Challenge

The “Message”The “Message”

Operations Security is everyone’s businessOperations Security is everyone’s business Good OPSEC saves lives and resourcesGood OPSEC saves lives and resources Always use common sense and stay alertAlways use common sense and stay alert Only release info to those with a valid need-to-knowOnly release info to those with a valid need-to-know Identify vulnerabilities to your commanderIdentify vulnerabilities to your commander

The Bottom LineThe Bottom Line

OPSEC is a time-tested process that analyzes threats, OPSEC is a time-tested process that analyzes threats, identifies identifies Critical InformationCritical Information, and develops appropriate , and develops appropriate countermeasurescountermeasures

OPSEC is used by all of us in everyday life OPSEC is used by all of us in everyday life

OPSEC is not so much a bunch of security rules, but a OPSEC is not so much a bunch of security rules, but a common-sensecommon-sense approach to viewing your operations approach to viewing your operations through the adversary’s eyesthrough the adversary’s eyes

OPSEC increases opportunities for mission OPSEC increases opportunities for mission successsuccess by by protecting protecting Critical InformationCritical Information

You are the key to making OPSEC work!You are the key to making OPSEC work!

Vulnerabilities: Weaknesses the adversary can exploit to get to the

critical information

Are You the Weakest Link?

QUESTIONS ?