Recently I was having a discussion with one of our Patriot friends and the topic of OPSEC surfaced. The person asked would I provide some additional information on the topic. To ensure I practice good OPSEC, I won't reveal the person or where the person is from. OPSEC
Often times, OPSEC is a convenience and overlooked. Face it, we get in habits and practices because of time, cost, and laziness. Then folks wonder how the adversary knew. Trails, patterns, out of the norm actions, too much chatter on what we don't want to be known, things we overlook and discard to a place others will look for the information.
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by your adversary who then determines if information obtained could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary your ability to stay safe or keep your plans close hold. You do not want to have friendly detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information.
In the military we used to say "Lose Lips Sinks Ships" and that is correct, as corny as it may sound. There is a difference between information that is classified and information we would protect that is not classified. As civilians you don't have to deal with classified information in your personal life so your sensitive information would need to be considered what you want to protect under OPSEC.
There are five basic steps to the OPSEC process:
1. Identifying what you deem critical information; (What do you not want others to know?)
2. Analysis of threats; (How do you identify what is a threat to you?)
3. Analysis of vulnerabilities; (Where are you weak?)
4. Assessment of risk; (Evaluating what could harm you and then prioritizing the threats in order of high to low.)
5. Application of appropriate countermeasures. (How will you mitigate the threat to ensure it doesn't impact you?)
One of the things folks often overlook is how to outsmart the threat. Avoiding it is key. Deception to avoid it can be critical. A good adversary will lay a trap for you. They may think ahead and project your steps and use psychological ops to let you feel safe and past their first trap. Then they get you because you ran from the threat not thinking a secondary trap is ahead. You must consider operational and logistical measures, technical measures, administrative measures, and operational deception.
If you have read Hope For survival or attended my class on Risk Analysis and Mitigation, none of the five tips above are new. I tell folks the least attended class I teach is Risk Analysis and Risk Assessment yet it is the most important process in everything we do. To understand how to think out of the box you must understand and practice risk assessment, analysis, and mitigation. It is as simple as this. If you want to avoid the collision you turn the wheel. OPSEC and Risk Analysis is just that. You must see the collision before it happens. Identify, adjust, overcome, and move on.
In my former life, a Red Team (Adversary who monitors actions to identify vulnerabilities) once stated he could always tell when a military base went in to generation mode to launch more jets for a mission because of the number of pizza delivery vehicles entering the base after 5 pm. Simple huh? Sure. People at work ordering delivered dinners because they couldn't leave work for chow. A second clue was the number of garbage trucks running on base compared to normal.
So, what do you do in your life that would be free information for someone wanting to cause you harm? What you throw away? Mail with private information on it? Dumpster divers collect large amounts of sensitive information on people. Some use it against the person and others sale the information about you on the internet.
Another huge vulnerability is information people post on the internet. "I'm so excited, we are flying to Hawaii for two weeks and won't be home to enjoy your neighborhood party. Sorry." Great, now we know the Jones will not be home. Great opportunity for a robbery of the home. It may be totally innocent chatter that eventually lands in the hands of a threat. A teen friend of a Jones family member will be stopping by to water the flowers and plants. She tells a group of friends what she is doing. One of the friends receiving this information then tells someone else. That someone else then targets the home. In the home is valuables, but also lots of sensitive information. Another threat would be photographs people post on the net. Maybe from a trip, while on the trip. Who's at home while the person is away? Maybe consider waiting to post the pics upon returning home. Another thing folks must consider is there is a way to click on the photograph and determine the grid coordinates where the photograph is taken. I'm talking about photographs taken at your home. A person is cautious and take steps to protect the family and information. Then, a family member post a photo by the pool in a swimsuit to show off a tan. Totally innocent, except to the individual out to cause harm. They can track the picture right to the house. Need I say more?
People also leave mailboxes full of mail because the family failed to stop delivery while away. Oh, the bug man also stopped by and left the statement hanging from the Jones front door knob. It will hang on the door for the duration until the Jones family returns home. Anyone notice how the always beautiful grass at the Jones place looks uncut? They must be away. Ask yourself, what do you do and then not do when you change status from home to away? Lights on and off at night? Paper box full of newspapers? Mail box full of mail? Grass uncut? You do not want to stick out. Now if you always let your mail box fill up and leave your newspaper in the box, don't change it to where it is no longer obvious.
In your daily routines, you don't want to be predicable. Your goal is to be a hard target. A lot of this is the topic I preach on a lot, be an outside the box thinker and doer. What do you see that others fail to see? What does your gut tell you. What do you sense. A lot of these skills play in to building a strong OPSEC barrier around you and your family. Do you drive the same routes to and from work daily? How about shopping? Same route every time? When I teach Bugging Out and also the Family Communication Planning, I talk having a plan A, B, and C route planned out. This is part of your OPSEC plan to ensure you are capable of identifying and changing up your plans when you believe you have been targeted and a threat looms. Having multiple plans is risk mitigation.
OPSEC in a simpler concept is converting your Gray man practices to now include your entire life style, home, mobile routes, and virtual life. OPSEC must include all family members in order to be successful. When an adversary ask a neighbor about you, you want the neighbor to then say "you know, he/she is a nice person but I really don't know much about him/her." What would your neighbor say about you?
Ol' Festus practices OPSEC very well. Mr. Flip phone himself is very cautious and conscious of everything he says, does and how he communicates, where he communicates it, and ensuring he leaves minimal to no footprint. I swear, sometimes when I go visit him I think he hides around the corner for a few to make sure I wasn't followed. (Wink) Not sure how he sees me because I normally hide to make sure he wasn't followed. Seriously, he has excellent OPSEC practices.
Take a break and think about all the norms in your life that goes unchecked and unchanged. Now, think to yourself, if you stepped out of your life and became your own adversary, where are you vulnerable? Now, adjust and fix your shortfalls to become a harder target to predict. Good luck.
Bravo Echo Out,