What is OPSEC?

March 6, 2018

"Operations Security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information." -Wikipedia article: Operations Security

When talking about Operations Security (OPSEC), it is hard not to view everything in a military context. Indeed, the term was created during the Vietnam War by the U.S. military, but the idea has been around for much longer. "Loose lips sink ships" dates back to World War II, as do "Keep mum, loose talk costs lives" and "I pledge allegiance and silence about the war".

Though it has military ancestry, the idea of OPSEC is something that activists, companies, and even you practice every day.

Let me give you an everyday example of OPSEC. Sarah runs a small coffee shop in a busy city. One day, during the peak of the lunch rush, she approaches one of her employees working the cash register and says, "I need you to close up by yourself tonight. Jamie is sick." How does this action threaten their operational security? By announcing this within earshot of customers, Sarah runs the risk that a potential adversary will hear that the shop will be staffed by only one person that night and may seek to take advantage of the situation by robbing the store.

While this example is very physical in nature, the same principles apply to the digital space as well (which is why I’m interested in it).

There have been a huge number of well-known OPSEC failures over the years. The most recent was the incident regarding the 2018 Hawaii false missile alert. As part of the fallout related to that incident, people went back and applied greater scrutiny to the facility. They then found a picture dated to July 2017 in which an employee of the facility is pictured alongside what appears to be a sticky note that contains a password.

There are other concerns with this image as well, including the ability to see what appears to be an internal message board and an external security camera feed.

Another popular OPSEC fail relates to the 2014 Russian attack on Ukraine. Here, Putin claimed that his forces were not involved with these attacks, but his own soldiers proved this was false. A young soldier made the mistake of posting images to Instagram with the geo-location features turned on, meaning you could see where the picture was taken.

Troop movements are something military organizations are very protective of, and protecting them is something their members are regularly trained in. Even military parent organizations teach their members not to post on social media about where their children are located during deployments.

For more examples of OPSEC fails, I’d highly recommend two talks: DEF CON 22’s "Don’t Fuck It Up!" and Black Hat 2013’s "OPSEC Failure of Spies".

So how do you improve your operational security? Find out in part 2 of this series :)