Operations security (OPSEC) in the military is usually approached from the point of view of deploying to or operating within a combat zone. Because of this, many definitions and concepts of OPSEC, when applied to a domestic incident, may seem belligerent or even paranoid. As an open society, the United States demands open access to information, especially when dealing with a serious incident. This has to be balanced against the need to protect our forces as well as citizens.
OPSEC is a subset of information operations (IO). While IO has an offensive piece best suited to combat, there is also defensive IO, which protects and defends friendly information, command and control systems, and information systems. Effective defensive IO assures friendly commanders an accurate common operational picture based not only on a military perspective but also on nonmilitary factors that may affect the situation (Field Manual [FM] 3-13, Information Operations (IO): Doctrine, Tactics, Techniques, and Procedures).
Joint Publication (JP) 3-13.3, Operations Security, describes OPSEC as "a methodology that denies critical information to an adversary. Unlike security programs that seek to protect classified information, OPSEC measures identify, control, and protect generally unclassified evidence that is associated with sensitive operations and activities." The information those measures protect is critical information.
Critical information is information important to the successful achievement of U.S. objectives and missions, or which may be of use to an adversary of the United States. It consists of specific facts about friendly capabilities, activities, limitations (including vulnerabilities), and intentions that adversaries need in order to plan and act effectively to degrade friendly mission accomplishment. Put another way, critical information is information vital to a mission: if an adversary obtains it, correctly analyzes it, and acts upon it, mission success will be prevented or seriously degraded. Critical information can be classified or unclassified. It can also be an action that provides an indicator of value to an adversary and places a friendly activity or operation at risk. According to FM 3-13, the term "critical information" has superseded the term "essential elements of friendly information (EEFI)"; EEFI now refers to critical information phrased in the form of a question to protect classified and sensitive information.
Sensitive information is information requiring special protection from disclosure that could cause compromise or threat to national security or to an Army organization, activity, family member, Department of the Army civilian or Department of Defense contractor. Sensitive information refers to unclassified information while sensitive compartmented information refers to classified information. Examples that may be deemed sensitive include but are not limited to: personal information; structuring; manning; equipment; readiness; training; funding; sustaining; deploying; stationing; morale; vulnerabilities; capabilities; administration and personnel; planning; communications; intelligence, counterintelligence, and security; logistics; medical; casualties; and acquisition plans.
Operations Security Defined
Army Regulation 530-1, Operations Security, defines OPSEC as a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to:
a. Identify those actions that can be observed by adversary intelligence systems.
b. Determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries.
c. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.
So what threats exist for DOD forces providing defense support to civil authorities within the United States?
Domestic threats: Domestic adversaries are not as readily identifiable because they are part of the local population. They may not have a formal intelligence collection service but they will have the advantage of detailed knowledge of the area and the people where they live and operate. The information domestic adversaries seek and obtain is readily available as open-source and unclassified information.
Criminals: The criminal threat is not as readily identifiable. Criminals will collect open-source and unclassified information that is publicly available; information they can obtain through means such as money or coercion; and information they can obtain from insiders in the unit or organization they target. The supporting criminal investigative unit may be able to assist both in identifying crime-conducive conditions that increase the risk of compromise of critical information and in mitigating or eliminating the criminal threat.
Hackers: A hacker is a highly skilled computer programmer who specializes in computer and network systems security. Some hackers apply their skills for legitimate uses; others have malicious intent motivated by ideology, criminal intent, revenge, thrill-seeking, or bragging rights. Malicious hackers can easily obtain information on computer systems and networks and have the skills to penetrate sophisticated defenses. Hackers are extremely difficult to identify because they are able to remain hidden and anonymous across the vast expanse of the Internet. For these reasons, critical and sensitive information on publicly accessible Internet websites is an easy target for hackers and must not be posted on unclassified computers and networks.
Insiders: The insider threat consists of personnel who work inside the unit or organization. Insiders constitute the most dangerous threat because they have access to information for which they are cleared and because they can perform critical actions within the organization. Insiders who pose a threat are also very difficult to identify if they have taken steps to keep their collection activities unnoticed. For these reasons, sensitive and critical information should only be shared with personnel who need to know.
Internet: In recent years, the Internet has become a growing source of open-source information for adversaries of the United States. Websites, especially personal websites of individual Soldiers (including blogs and pages on other social media sites), can pose a significant vulnerability. Other forms of open-source information include public presentations, news releases from units or installations, organizational newsletters (both for official organizations and unofficial organizations, such as alumni or spouse support groups), and direct observation.
Social media: Sites such as Twitter and Facebook can become sources of information dissemination - accurate or inaccurate - to Soldiers, family, and the public faster than the chain of command does. News sources may also pose a threat; with 24-hour news services constantly demanding data, inaccurate, incomplete, and out-of-context stories can run almost instantly.
Terrorists: Terrorist actions range from gaining unauthorized access to command and control systems to physical attacks against commanders and decision makers. Terrorist groups have been identified as using commercial information systems - especially computer bulletin boards - to pass intelligence and technical data across international borders.
Methods of attack (FM 3-13) can include:
The Center for Army Lessons Learned has actively collected observations, insights, and lessons (OIL) in three major domestic operations: the G-8 Summit in 2004, hurricanes Katrina and Rita in 2005, and Operation Jump Start in 2006. In each of the three operations, credentialing of personnel was noted as a finding. At the G-8 Summit, the U.S. Secret Service developed a common credentialing process. This process started two months before the event and continued until two days before the president's arrival. All agencies and personnel involved in the event required credentialing by the Secret Service. This process was important as a final check to verify the trustworthiness of personnel and to establish a common basis for trust between agencies.
Problems with this process included:
This challenge resurfaced in Operation Jump Start when CBP required clearances from Guard personnel separate from their DOD security clearances. The lesson takeaways from this experience are:
Operations Security Planning Considerations (JP 3-13.3)
1. The commander plays the critical role. OPSEC planning guidance must be provided as part of the commander's IO planning guidance to ensure that OPSEC is considered during the development of friendly courses of action (COAs).
2. OPSEC is an operations function, not a security function. OPSEC planning is performed by the operations planners. The planners are assisted by the organization's OPSEC officer and appropriate planners from other staff elements. Intelligence support, as early as possible in the planning process, is particularly important in determining the threat to friendly operations and assessing friendly vulnerabilities.
3. Joint task forces (JTFs) should establish a fully functional IO cell. The JTF staff (including the IO cell and OPSEC officer) develops IO plans that are passed to all elements of the JTF.
4. Planning must focus on identifying and protecting critical information. Denying all information about a friendly operation or activity is seldom cost effective or realistic.
5. The ultimate goal of OPSEC is increased mission effectiveness. By preventing an adversary from determining friendly intentions or capabilities, OPSEC reduces losses to friendly units and increases the likelihood of achieving mission success.
6. OPSEC is one of the factors considered during the development and selection of friendly courses of action. COAs will differ in terms of how many OPSEC indicators will be created and how easily those indicators can be managed by OPSEC measures. Depending upon how important maintaining secrecy is to mission success, OPSEC considerations may be a factor in selecting a COA.
7. OPSEC planning is a continuous process. During all phases of an operation, feedback on the success or failure of OPSEC measures is evaluated based on measures of effectiveness and the OPSEC plan is modified accordingly. Friendly intelligence and counterintelligence organizations, communications security (COMSEC) monitoring, and OPSEC assessments are the primary sources for feedback information and are continuous throughout the OPSEC planning process.
8. The public affairs officer participates in OPSEC planning to assess the possible negative effects of media coverage and all other public release of information by members of the command, and to coordinate OPSEC measures and public affairs ground rules to minimize those effects. The public affairs office (PAO) ensures that the media pool, media clearances, media releases, and authorization of video transmissions are within established OPSEC measures. The PAO also ensures the command (internal) information program addresses OPSEC and ground rules for the release of information (officially or unofficially) by military members through the Internet and other communications mediums subject to public access or monitoring. See JP 3-61, Public Affairs, for more details.
The five-step OPSEC process includes:
For detailed explanations of the OPSEC process, see Chapter 3 of FM 3-13.
Physical security consists of protective measures to deny unauthorized personnel access to specific areas, facilities, material, or classified information.
Force protection consists of actions taken to prevent or mitigate hostile actions against all DOD personnel (Service members, DOD civilians, DOD contractors, and family members), resources, facilities and critical information. Force protection does not include actions to defeat the adversary or protect against accidents, weather, or disease. OPSEC plays a vital role in the following ways:
An example of force protection would be actions taken by JTF Zia during Operation Jump Start in New Mexico. Army National Guard Soldiers deployed to the southwest U.S. border initially were housed in local hotels with no security. Local gangs had been identified as possible adversaries, so the JTF commander instituted force protection requirements that included removing uniforms as soon as returning to the hotel and traveling in groups of at least four Soldiers. Later, a forward operating base was built, and Soldiers were centrally housed with 24-hour security.
Communications Security (AR 530-1)
Measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. (Note: This is different from the joint definition (from JP 6-0) of "The protection resulting from all measures designed to deny unauthorized persons information of value that might be derived from the possession and study of telecommunications, or to mislead unauthorized persons in their interpretation of the results of such possession and study.")
An example of COMSEC is from the National Guard's weapons of mass destruction civil support teams (WMD CST). These specialized units arrive on an incident scene with their own robust communications suite, capable of operating on military or civilian first responder communications networks. Per FM 3-11.22, Weapons of Mass Destruction-Civil Support Team Operations, December 2007, the commander has the discretion to determine whether or not encryption should be used during WMD-CST response operations. (Note: According to AR 25-2, Information Assurance, WMD-CST communications are not required to be encrypted when conducting activities with civil agencies.)
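The AR 530-1 definition above names two goals: denying unauthorized persons the information carried by a telecommunication, and ensuring its authenticity. The following added example, written for this edit and not taken from the handbook or any of the cited publications, shows why the second goal needs its own mechanism. A stream cipher alone keeps the content secret, but an adversary who can guess the layout of a message can rewrite a field without knowing the key; adding a keyed hash (HMAC) over the ciphertext makes that edit detectable. The cipher is a toy built from SHA-256 in counter mode using only the Python standard library; the keys, the nonce, and the "CST-3" movement order are constructed for the demonstration and do not describe any real unit, net, or procedure.

```python
"""Added example (not from the handbook): secrecy versus authenticity in COMSEC.

Toy encrypt-then-MAC construction using only hashlib/hmac/os so it runs offline.
All keys, nonces and messages below are constructed for illustration.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from SHA-256. Toy construction for the
    # demonstration only; a real link would use a vetted cipher such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Confidentiality only: XOR with the keystream, no integrity protection.
    ks = _keystream(key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


decrypt_only = encrypt_only  # XOR with the same keystream is its own inverse


def encrypt_and_authenticate(enc_key: bytes, mac_key: bytes, nonce: bytes,
                             plaintext: bytes) -> bytes:
    # Encrypt, then append an HMAC-SHA256 tag over nonce || ciphertext.
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    # Verify the tag in constant time before trusting any decrypted byte.
    nonce, ct, tag = message[:12], message[12:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message altered or forged")
    return decrypt_only(enc_key, nonce, ct)


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # What an adversary without the key can do to a stream-cipher message when
    # the plaintext layout is guessable: XOR (old ^ new) into the ciphertext so
    # the recipient decrypts `new` where the sender wrote `old`.
    edited = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[offset + i] ^= o ^ n
    return bytes(edited)


def demo() -> tuple[bytes, bool]:
    """Returns (plaintext the recipient sees on the unauthenticated link,
    whether the same edit was detected on the authenticated link)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    nonce = os.urandom(12)
    order = b"CST-3 MOVE TO SITE ALPHA AT 0600"  # constructed message
    off = order.index(b"ALPHA")

    # Link 1: encryption only. The edit decrypts cleanly to the wrong site.
    ct = encrypt_only(enc_key, nonce, order)
    tampered_pt = decrypt_only(enc_key, nonce, flip_field(ct, off, b"ALPHA", b"BRAVO"))

    # Link 2: encrypt-then-MAC. The same edit fails tag verification.
    msg = encrypt_and_authenticate(enc_key, mac_key, nonce, order)
    ct2 = msg[12:-32]
    tampered_msg = msg[:12] + flip_field(ct2, off, b"ALPHA", b"BRAVO") + msg[-32:]
    try:
        decrypt_and_verify(enc_key, mac_key, tampered_msg)
        detected = False
    except ValueError:
        detected = True
    return tampered_pt, detected


if __name__ == "__main__":
    seen, detected = demo()
    print("unauthenticated link delivered:", seen)
    print("authenticated link detected the edit:", detected)
```

In practice the same property comes from an authenticated-encryption mode rather than a hand-built encrypt-then-MAC, but the point for the WMD-CST decision above is that "encryption on or off" is not the whole question: an unauthenticated link can be altered as well as read, which is why the AR 530-1 definition lists authenticity alongside denial of information.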
Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.
AR 530-1, Operations Security (OPSEC), 19 April 2007.
FM 3-13, Information Operations (IO): Doctrine, Tactics, Techniques, and Procedures, 28 November 2003.
FM 3-11.22, Weapons of Mass Destruction-Civil Support Team Operations, December 2007.
JP 3-13, Information Operations, 13 February 2006.
JP 3-13.3, Operations Security, 29 June 2006.
JP 3-57, Civil-Military Operations, 8 July 2008.