JOINT BASE MYER-HENDERSON HALL, Va. – Sharing critical information about an organization and its people doesn’t have to be done intentionally or on a grand scale. Sometimes it’s the smallest thing that can have the largest impact.
“It may just be the small little pieces that somebody tells their spouse,” said Don Draper, security manager at Joint Base Myer-Henderson Hall. “Or they're doing this cool thing and they tell their neighbor, and now it's out on CNN and everybody knows about it.”
The month of January has been designated OPSEC Awareness Month. OPSEC, or operations security, is a systematic process of denying adversaries access to critical information about the capabilities, movements and plans of a person or organization.
The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks and application of appropriate countermeasures.
Critical information analysis and risk assessment
Draper identified critical information as, “troop movements, concentrations and activities as well as things like access control points and procedures. There are other things as well, like TTP's – tactics, techniques and procedures – that aren't commonly known that we don't like to share.”
Draper said before making information public, people need to look at how that information affects the mission and whether people need to know the information.
“We ask ‘what is our mission? What is it we're about to do? Which of these do we not want to share with the public?’” he said. “We determine critical pieces of that mission, and that's the stuff we don't want to share.”
“There are certain things that you want the public to know,” he added.
Sharing all the pieces that are happening in the background could create targets of opportunity, said Draper. “Like buses of people coming or going. If somebody knew the routes of buses and how many people were on them all the time – like the band or Old Guard – those could be targets. They have big signs on the side of the band bus, but people higher up made the decision that they're willing to take that risk to get the message out that the Army Band is in town wherever they see the buses, so there's value and there's risk that's associated with these assessments.”
People can also refer to their organizations’ critical information list, if they have questions about what can and can’t be shared.
“A lot of places have it on their computer system. You can click on it and know what is not classified but we don't want to share,” Draper said.
Where the information comes from
Adversaries will stake out places where large numbers of people gather to collect information, he said. They scour the internet and social media sites for tidbits of information that could be used to gain access to larger and more critical mission information.
“The adversary can probably pull 90 percent of the open-source data right from the Internet because people love to share stuff,” Draper said. “They don't realize that what they're doing is a problem because it's a small piece. But when the small pieces are all put together, they paint a bigger picture. You're making it easy for them. People need to be aware of what they put on social media and how they tag things. Do you really want everybody to know the age of your children and all these other things?”
People share a lot of information online. Although social media is great for connecting with friends and family far away, adversaries use sites like Facebook, TikTok and Twitter to gather information about possible targets.
A current trend on Facebook is posts asking for seemingly innocuous bits of information.
“Do you prefer cats or dogs?” “Who was the last band you saw live?” “Does pineapple belong on pizza?” If a person answers enough of these questions, an adversary can put together a profile impersonating the person and use that profile to infiltrate their circle of friends and gain even more information.
The questions being asked are also about common things people use when they create passwords, which can lead to online hacking and identity theft.
Easy countermeasures to take
The National Counterintelligence and Security Center has put together a website of sources people can access to tighten up their OPSEC practices including a comprehensive guide for cleaning up social media accounts and tightening online security settings.
Draper said it’s important that people be aware of their surroundings and what they’re talking about.
“If it's over social media, encryption is the way to go,” Draper said. “Do they really need to know everything you're sending? Keep what you send to need-to-know. Is that the right format to be sending it? If it's that important, maybe upgrade it or at least send it on a classified system. But encryption is the way to go and know your surroundings. In public, don’t talk about things that you don't need to be talking about. We should be in the right environment.”
Whether its shredding documents no longer needed, cleaning up and securing social media accounts or simply not talking about business associated with an organization and its mission and practices, these choices can keep critical information out of the hands of an adversary. Being vigilant and employing good OPSEC can ensure the safety and security of an organization and its people.