By Lisa KlebbaJune 21, 2016
It's pre-dawn on a spring day. The breeze blows the dried-out fall leaves in little cyclone patterns across the parking lot. The installation is still sleepy as the dawn peeks over the horizon in a breath-taking array of color reflected against the clouds.
As the employee gets out of his car, he pauses and admires the sun creeping over the perimeter fence. He snaps a photo, shares it on social media and forgets about it.
That shot was exactly what the adversary was looking for.
The command's policy is that all personnel are responsible for OPSEC and success requires active involvement from everyone. Practicing good OPSEC can help protect critical information from being released to the general public, which includes our adversaries.
One of the common misconceptions is taking photos around the installation and posting them to social media is okay. "Why should I worry about what's in a picture?" "The program is unclassified and in the field already." "It's no big deal."
The command understands that you are proud of where you work and the programs you work on but the entire installation is deemed a restricted area. The sun rising over the horizon is obviously not classified, but there may be items in the background that our adversaries are interested in. According to the Detroit Arsenal Policy 21 Operations Security, photography is strictly prohibited unless permission is obtained from the approving authority.
Also what the individual may fail to realize is, that when snapping a photo of a vehicle, some of its components or the condition it is in, may be classified. According to AR530-1, if the vehicle happens to show damage from an improvised explosive device, your photo is giving our adversaries intelligence on vulnerabilities of U. S. vehicles and armor protection capabilities.
Another common OPSEC error is personnel discussing work related issues and wearing their badges while off the installation. "Who cares if we talk about Jane Doe and her financial problems while at lunch?" "We are on our personal time." "What's the big deal?"
We understand you are not on the clock at all times of the day, but caution needs to be taken when speaking about the programs you work on or speaking about co-workers outside of the installation. You may say just enough, that the adversary sitting behind you now has an opening with Jane Doe and can exploit her vulnerability. The adversary knows where she works because you left your badges visible.
Personnel should be aware of their surroundings and pay attention to who is paying too much attention to them, according to OPSEC for Operators Level II training. Once information has been released, it is irretrievable.
One other common OPSEC concern is employees posting their travel plans to social media. "Who would anyone have any interest in me or what I do?" "I'm just an administrative assistant" "The cold war ended in the late 80s."
We understand you have a life outside of work and that it is fun to share with your families and friends however caution is needed over how widely the information is shared.
"Adversaries glean up to 80 percent of their intelligence from open source intelligence," says Steve Ball, PAO officer for the Detroit Arsenal. "OSINT includes photographs, newspapers, magazine advertisements, government and trade publications, contract specifications, congressional hearings, computers, and other public media."
"Posting vacation plans could lead to a list of vulnerabilities a criminal or adversary could use to break into and steal items from your home when you're not there, to find you or your family which could lead to a kidnapping, and so on," said Ball. "It's best to never post your vacation plans or use the "check in" feature at any time, or post photos while you're on vacation. Enlist the help of a family member or friend to collect your mail, take out your trash and retrieve the cans, turn lights on and off, keep up with lawn care or snow removal, and in some towns, police will drive by while you're gone if you give them advance notice."
All individuals are responsible when blogging, posting photographs or video clips to the Internet, or posting information to a personal Web page to ensure that the content of the posting does not violate the disclosure of critical information. All personnel must be cognizant of critical information content when describing experiences, locations, or places in e-mail according to AR 530--1, annex C.
OPSEC basics can help protect critical information from being released to the general public when personnel are consciously aware of the damages that could occur at the workplace as well as their home. Take an OPSEC refresher course.