Operations Security (OPSEC)
OPSEC is the shorthand term for operations security. OPSEC is not a specific category of information. Rather, it is a process for identifying, controlling, and protecting generally unclassified information which, if it becomes known to a competitor or adversary, could be used to our disadvantage.
The OPSEC process is applied to a wide variety of situations in a competitive or adversary environment. If you have ever given a surprise party or attempted to make your house look lived in while you were away, by arranging for someone to pick up your newspapers or installing a light timer, you have practiced OPSEC.
The following are just a few examples of things that, under certain circumstances, might provide clues that tip off a competitor or adversary to your plans or capabilities: supply and equipment orders, transportation plans, mission-specific training, changes in communication patterns, leaders' travel, inspection results.
OPSEC is used by government agencies and contractors in the development and acquisition of new equipment, in intelligence collection, by warfighters at all levels, by crimefighters in many roles, as well as by private enterprise -- all to supplement traditional security measures for protecting potentially exploitable information.
The OPSEC process is a risk management instrument that enables the manager or commander to view an operation or activity from the perspective of an adversary. The key feature of this approach is to look at our own methods and activities from the adversary's viewpoint by putting ourselves in the adversary's shoes and asking the question: "What information do I need to know to thwart the other side's intentions and actions, and what are the paths to the information I need?"
The OPSEC process traditionally involves five interdependent phases.
The first identifies critical information. That is, what are we trying to protect? Is it a single set of data relating to the timing (or other details) of a military operation? Or might it be a whole process embedded within an acquisition? Or perhaps the patterns or profile of an undercover police officer? In each of these examples, there are data that need to be kept from someone (an opposing force, a foreign government, a foreign competitor, or a criminal).
This leads to the second element -- an analysis of the threat. Who wants or needs our critical information? Who is our adversary (not necessarily an enemy)? An integral part of this phase is the identification of how our adversary might collect our information. Would he be likely to review open source literature, send corporate or state-sponsored spies to infiltrate or seek out the data, or use technical means such as eavesdropping, photographing, etc.? OPSEC considers a variety of potential adversaries -- ranging from the active (target or enemy or main competitor) to the passive (sympathizer or someone who supplies data to the active adversary) to the inadvertent (someone who accidentally gives away information) -- all of whom warrant recognition, assessment, and resolution of the particular level and type of threat they pose.
The third phase looks at vulnerabilities, direct and indirect, surrounding our operation. We look at how the activity actually works, rather than how people think it works. We study the chronology and timing of events, along with the flow of information, to ascertain which adversary would be interested in what data, and how he would be able to obtain them. Are there things that we do to give away our data directly, or are there certain signs that would lead a prudent adversary to deduce our data (indicators or clues)? We consider the magnitude of the vulnerabilities, as well as the impact of the loss of our data. In other words, how big is the problem, and how bad is it?
At this stage, the manager evaluates the risk to his or her operation or activity, asking: "Does the possible loss of information about my operation or activity warrant taking steps to reduce or (hopefully) negate the adversary's potential efforts to thwart my operation or activity?" The costs associated with fixing the vulnerability are weighed against the cost of the loss of the data, keeping in mind the likelihood of our data being lost as well as the impact such loss would entail. One method of reaching a reasonable conclusion about the practicality of a solution is to multiply the estimated loss in dollars by the impact of the risk and by the likelihood of the risk. For the solution to be feasible, its cost in dollars must then be less than the resulting figure.
Countermeasures, finally, are the solutions that a manager employs to reduce risks to an acceptable level, whether by eliminating indicators or vulnerabilities, disrupting the effective collection of information, or by preventing the adversary from accurately interpreting the data. Countermeasures are dictated by cost, timing, feasibility, and the imagination of the personnel involved. The most effective tend to be simple, straightforward, and inexpensive procedural adjustments that fit the solution to the need. Countermeasures are instituted in rank order to protect the vulnerabilities having the most impact (in dollars, lives, mission failure, etc.). Multiple countermeasures, enacted together, often provide a synergistic effect that compounds the benefits without unduly raising the cost level.
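The risk calculation and the rank ordering of countermeasures described in the two paragraphs above can be worked through as a small risk register. This is an added example, not part of the original text: the 0-to-1 scales for impact and likelihood, ranking by dollar exposure, and every entry in the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Vulnerability:
    name: str
    loss_usd: float            # estimated loss in dollars if the information leaks
    impact: float              # assumed scale: 0.0 (negligible) to 1.0 (total)
    likelihood: float          # assumed scale: 0.0 (never) to 1.0 (certain)
    countermeasure: str
    countermeasure_usd: float  # cost of the proposed solution in dollars

    def exposure(self) -> float:
        """Estimated loss x impact x likelihood, as described in the text."""
        for field in ("impact", "likelihood"):
            value = getattr(self, field)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {field} must be within 0..1")
        return self.loss_usd * self.impact * self.likelihood

    def feasible(self) -> bool:
        """A solution is feasible only if it costs less than the exposure."""
        return self.countermeasure_usd < self.exposure()


def plan(register):
    """Rank vulnerabilities by exposure, highest first.

    Returns (name, exposure, feasible) tuples so the manager can institute
    countermeasures in rank order and skip those that cost more than they save.
    """
    ranked = sorted(register, key=lambda v: v.exposure(), reverse=True)
    return [(v.name, round(v.exposure(), 2), v.feasible()) for v in ranked]


# Constructed sample register (values are illustrative, not from the page).
REGISTER = [
    Vulnerability("supply orders reveal schedule", 500_000, 0.8, 0.5,
                  "stagger and split orders", 20_000),
    Vulnerability("leaders' travel is observable", 200_000, 0.5, 0.1,
                  "charter private transport", 60_000),
    Vulnerability("communication pattern changes", 1_000_000, 0.9, 0.3,
                  "maintain baseline traffic", 15_000),
]

if __name__ == "__main__":
    for name, exposure, ok in plan(REGISTER):
        verdict = "institute" if ok else "not cost-effective"
        print(f"{exposure:>12,.2f}  {verdict:<18}  {name}")
```

In this constructed register the travel countermeasure costs more than the exposure it addresses, so it is ranked last and flagged as not cost-effective.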
While OPSEC is not a cure-all, it is a vital, easy-to-use tool that ideally is instituted at the very onset of an activity. If the personnel involved develop an "OPSEC mindset," effectiveness is enhanced and mission success is more likely. OPSEC is neither difficult nor time-consuming; instead, it can easily become a "matter-of-course" process.