Operations Security (OPSEC) General
General Peter J. Schoomaker said In the global war on terrorism, we face an insidious and adaptive adversary capable of gathering open source information on our operations and intentions. Do not provide him assistance through uncontrolled release of information that may compromise our own force protection. We are an Army at war and our Soldiers deserve the best Operations Security we can provide.
Joint Pub 3-54, Joint Doctrine for Operations Security defines OPSEC as: The process of denying adversaries information about friendly capabilities and intentions by identifying, controlling, and protecting indicators associated with planning and conducting military operations and other activities.
Interagency OPSEC Support Staff (IOSS) defines OPSEC is an analytic process used to deny an adversary, information generally unclassified concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning process or operations. OPSEC does not replace other security disciplines; it supplements them.
According to the definition in FM 3-11.22, Weapons of Mass Destruction Civil Support Team Tactics, Techniques, and Procedures (TTP), OPSEC denies the adversary information critical to the success of friendly military operations. It contributes to the security of Army forces and their ability to surprise enemies and adversaries. OPSEC identifies routine activities that may telegraph friendly intentions, operations, capabilities, or military activities. It acts to suppress, conceal, control, or eliminate their indicators. OPSEC includes countersurveillance, signal security (SIGSEC), and information security (INFOSEC).
What is OPSEC?
- Continuous process
- Methodology for denying critical information
- Typically deals with unclassified or open source information.
- OPSECs most important characteristic is that it is a process and not a collection of specific rules and instructions that can be applied to every operation.
- In command and control warfare (C2W), the threat to OPSEC is ultimately the adversary commander.
- Joint OPSEC planning and execution occur as part of the commanders or organizations C2W effort.
- OPSEC should be one of the factors considered during the development and selection of friendly courses of action.
- OPSEC, is a key component of antiterrorism and force protection. It helps protect service members, civilian employees, families, facilities, and equipment everywhere by denying information.
Who is responsible for OPSEC? Army Regulation 530-1, OPSEC, Chapter 2, 2-19, states that it is everyones responsibility, not just the commander or security officer or security noncommissioned officer (NCO).
Operations security is serious business and everyones responsibility. Failure to properly implement OPSEC procedures can result in serious injury or death to personnel, damage to key equipment and logistics stockpiles, and/or loss of critical technologies. All Department of the Army (DA) personnel (active component, reserve component, DA civilians), and Department of Defense (DOD) contractors will:
- Be aware of and support the Armys OPSEC program.
- Reinforce the vital importance of OPSEC at all times. OPSEC is a continuous process and an inherent part of military culture and, as such, must be fully integrated into the execution of all Army operations and support activities.
- Know what their organization considers to be sensitive and critical information.
- Protect from disclosure any and all sensitive and critical information to which they have personal access.
- Be aware of the vulnerabilities exposed as a result the disclosure of sensitive and critical information on the Internet. In particular, avoid disclosure of photos, destroyed or damaged equipment, and access to military facilities.
- Actively encourage others (including family members and family readiness groups) to protect sensitive and/or critical information.
- Consult with their immediate supervisor and their OPSEC program manager, prior to publishing or posting information that might contain sensitive and/or critical information in a public forum. This includes, but is not limited to letters, e-mail, Website postings, Web log (Blog) postings, discussion on Internet information forums, discussion on Internet message boards, or other forms of dissemination or documentation. Supervisors will advise personnel to ensure that sensitive and critical information is not disclosed. Each units OPSEC representative will advise supervisors on means to prevent the disclosure of sensitive and critical information.
- Handle any attempt by unauthorized personnel to solicit sensitive information, critical information, or essential elements of friendly information as subversion and espionage directed against U.S. Army (SAEDA) incident in accordance with AR 381-12. Report all facts immediately to the nearest supporting counterintelligence office and inform the chain of command. If counterintelligence offices are not readily available, report such incidents to the organizational security manager and to the unit commander.
The OPSEC Process
The OPSEC process consists of five distinct actions:
- Identification of critical information
- Analysis of threats
- Analysis of vulnerabilities
- Assessment of risk
- Application of appropriate OPSEC measures.
In discussing Critical Information be aware of the different perspectives. Identify friendly objectives and strategies, and adversarys objectives and strategies. Focus on :
- Information the adversary needs to prevent our success
- Information friendly forces must protect to ensure success
Types of critical information:
- Capabilities: Make up of task force, team or squads, personnel, and equipment.
- Intention: Operation plans (OPLANs), fragmentary orders (FRAGOs).
- Place: Where is the unit traveling from, to, and what is the route?
- Time: What time does the unit leave arrive?
- Strength: What is unit manning?
- Technology: What communications and equipment does the unit possess?
- Tactics: What TTP does the unit use, have they been updated or changed (example improvised explosive device [IED] TTP)?
- Vulnerabilities: What are unit weaknesses (e.g., range and type of communications)?
Factors to consider:
- What is the mission or project?
- How long do I need to protect information?
- What does the adversary need to know?
Analysis Of Threats
THREAT = INTENT + CAPABILITIES
- Who are the potential adversaries?
- Where can they get the information?
- Potential adversaries:
- Terrorist threat
- Targets fit their priorities
- Demonstrated intent to hurt the U.S.
- Capable of collecting unprotected information
- Capable of acting on information
- Foreign intelligence threat
- Military, economic, technology targets
- Demonstrated intent to collect
- Wide range in capability to collect and to act on information.
- Domestic threats
- Organized crime
- Domestic militia groups
- Extremists groups and cults
- Hackers and crackers
- Bloggers (Web loggers)
- A blog is a personal diary.
- A daily pulpit.
- Your own pictures posted for everyone
- A collection of links.
- Your own private thoughts.
- Memos to the world.
Who has demonstrated their intent to harm the organization?
- What are the capabilities of those that have demonstrated intent to do the unit harm?
- Collection methods: About 90% of all intelligence is gathered from open source information. The adversary doesnt have to use legal means to obtain information.
- Freedom of Information Act (FOIA)
- Internet (Web Pages, Blogs, and Chat Rooms)
Address three areas to determine friendly vulnerabilities:
- Who are your adversaries?
- What are the capabilities of each?
- What are the intentions of each?
Examples of areas of vulnerabilities:
- Public affairs department
- Critiques and after action reports
- Operating procedures
- Physical environment
Remember, the greatest vulnerability is yourself:
- Web Pages
- Unprotected communications
- Sharing too much with strangers
In summary remember this about vulnerabilities:
- Every operation has vulnerabilities
- All indicators cannot be eliminated
- We are our greatest vulnerabilities
Does the possible loss of information about my operation or activity warrant taking steps to reduce or (hopefully) negate the adversarys potential efforts to thwart my operation or activity?
RISK = THREAT x VULNERABILITY x IMPACT
- What is the significance of each threat?
- What is the significance of each vulnerability and indicator?
- What is the impact if the threat acted on the vulnerability or indicator?
The result is the level of risk.
Lack of Awareness
Cell Phone Use
- Look at all vulnerabilities, indicators, and threats in light of each adversary.
- Impact answers the so what question.
- All three components must be present for there to be risk.
Countermeasures are the solutions that a leader employs to reduce risks to an acceptable level, whether by eliminating indicators or vulnerabilities, disrupting the effective collection of information, or by preventing the adversary from accurately interpreting the data
Consider the threat analysis for the cell phone:
Cell Phone Use
By applying a limiting use of cell phones you can reduce the risk to an acceptable level. You can restrict by person, by information available to be discussed, etc.
Remember, the bottom line is always weigh the cost versus the benefit of a countermeasure.
Consider the threat when you:
- Use the phone (Use secure communications).
- Answer strangers questions (Refer to public affairs officer (PAO)/designated representative)
- Discuss work in a public place (Stay alert)
- Remember to shred all paper
- Practice good security procedures (Stay alert to your surroundings)
OPSEC for Civil Support During Catastrophes
The world changed on September 11, 2001. We learned that a threat that gathers on the other side of the earth can strike our own cities and kill our own citizens. Its an important lesson; one we can never forget. Oceans no longer protect America from the dangers of this world. Were protected by daily vigilance at home. And we will be protected by resolute and decisive action against threats abroad.
President George W. Bush
September 17, 2002
In responding to civil support catastrophe missions the military personnel will have to be integrated in with other civilian federal, state and local governmental agencies.
The following outline is provided for the OPSEC officer as a planning aid:
- Ensure that your predeployment checklist is available for implementation. This check list should include, but is not limited to:
- What briefings need to be given (OPSEC update, media guide for Soldiers and family members)
- Family members/support group briefing
- Soldiers specific OPSEC briefing
- Schedule briefings on training schedule
- Have a checklist and load plan for what items need to be packed (e.g., lap top computers, pens, pencils, office supplies).
- What regulations, software, resources are needed?
- Update unit OPSEC operations standing operating procedures (SOP).
- Information that by regulation you will have in place and will need updated:
- Essential elements of friendly information (EEFI) to reflect current incident.
- Start up the OPSEC planning process to update plan with current intelligence.
- Ensure that OPSEC officer and NCO have been appointed and are aware of their responsibilities and duties and have met the qualification criteria.
- Personnel or teams that need to be appointed or requested
- Appoint or request Army PAO
- Request a PAO team
- Establish a OPSEC workgroup team that is headed by the OPSEC officer.
- Ensure that information operations (IO) is addressed to coordinate a united response.
Once you have arrived, you will need to establish communications with lead federal agency (LFA) or joint task force (JTF) command and local area authorities (LAA).
- Coordinate communications
- For local law enforcement response
- Medical support
- Higher headquarters responsibilities
- Phone numbers/frequencies for LFA or JTF
- Do you give them communication equipment (i.e., radios or do they provide radios/cell phones, etc.)
- Coordinate for reports
- What reports are required; provide examples.
- When are the reports due?
- Who are the reports to go to, and what if any classification level?
- Determine if Secure Internet Protocol Router (SIPR) or Nonsecure Internet Protocol Router (NIPR) is available.
- Coordinate with the public information officer (PIO) at the joint information center (JIC) and the JTF PAO if applicable:
- Receive update on current operational information.
- Get the latest media plan for briefing back to command structure.
- Coordinate with local/national media through the media coordination center (MCC) at the JTF level or the JIC and PIO at the National Incident Management System (NIMS) Incident Command System (ICS).
- The OPSEC officer will set up a time slot for the OPSEC workgroup. This will be coordinated through the S3/J3. Continual updating of the EEFIs and employing the OPSEC process will ensure a smooth transition and successful operation.
After the recovery phase and stand down, an after action review (AAR) covering all aspects of the operations will be captured with 72 hours. The S3 Operations Section is responsible for capturing documents and situation reports (SITREPS) for inclusion in the AAR.
When unit returns to their base, the AAR will be reviewed and all sections will participate. A completed copy will then be sent to the Center for Army Lessons Learned for inclusion in the CALL database.
AR 530-1, Operations Security (OPSEC)
FM 3-13, Information Operations (IO)
FM 3-11.22, Weapons of Mass Destruction Civil Support Team TTP, June 2003,
JP 3-13, Joint Doctrine for Information Operations (IO)
JP 3-54, Joint Doctrine for Operations Security (OPSEC)
JP 3-57.1, Joint Doctrine for Civil Affairs
Local OPSEC Policy Letters
Unit OPSEC SOP
DOD Strategy for Homeland Defense and Civil Support, June 2005