Saturday, March 31, 2018

Operational Security (OPSEC) - Part 1: Theory and Overview

World War II Operational Security poster
The following article is intended as an overview of Operational Security (OPSEC) as it relates to preppers and survivalists. It is a simplified version of the OPSEC training that is provided to the military, national security agencies, government officials, and government contractors. I say simplified for two reasons:
  • I've tried to remove most of the jargon, acronyms, and buzzwords of the military/government training
  • My aim is to protect against  nosy neighbors, local bureaucrats, and everyday criminals, rather than enemy-nations and terrorist organizations.
If you want the flavor of military OPSEC training, I suggest starting with the Operational Security (OPSEC) page of the U.S. Department of Defense Education Activity website.

What is Operational Security?  In two words: Information protection. In more words: Keeping critical information away from those who do not need to know it, or who may seek to use it against you in some way. OPSEC seeks to protect both your privacy and your security. 

The definition begs some questions. What is critical information? Who does, and doesn't. need to know that information? Who may seek to use that information against you, and how? How can you protect that information from those people who shouldn't have it?

OPSEC attempts to answer these questions through a five step process.

1- Identify Critical Information - Answers the questions: What information do we need to protect? What do we want to keep private?What information could be used against us in some way? 

Examples of potentially critical information for preppers and survivalists include financial information, social security numbers, passwords and PINs, medical information, political & religious affiliation, membership in certain organizations (NRA, GOA, OathKeepers, prepper/survivalist groups, tea party groups, etc.), gun ownership, presence of valuable items in the home (guns, gold, silver, cash, tools, electronics, etc.), and purchases of large amounts of food and other supplies. It also may include certain plans (when & where to "bug out", home security measures, personal security measures, etc.). What exactly you consider critical information will depend on your own personal circumstances and concerns.

2- Identify Potential Threats - Answers the question: Who really needs to know this information? Everyone else doesn't need to know this information, and represent a potential threat to abuse or misuse the information, or unwittingly reveal the information to those who might.   


Every neighborhood has at least one Gladys Kravitz.
Examples of potential threats: Identity thieves, criminals, local bureaucrats, school officials, nosy neighbors, and untrustworthy family, friends, co-workers, etc. Even politicians and the government at all levels are potential threats (look at the recent misuse of the IRS and DOJ to go after tea party groups and other political enemies of Obama; doctors being encouraged to ask patients about guns in the home; schools questioning students about their parent's political views, gun ownership, and other private information).

3- Identify Vulnerabilities - Answers the question: How do potential threats get our critical information?  The answer is we give it to them, most often without realizing it. 

Examples of how we give away our critical information:
  • Public conversations can be overheard by anyone nearby.
  • Private conversations can be revealed, accidentally or on-purpose, by anyone involved.
  • Our trash/recyclables can reveal our purchases, financial and medical information, even the supplies we are stockpiling.
  • Nearby neighbors can physically see much of our activities and preparations. 
  • Children, especially young children, tell EVERYTHING to their friends, schoolmates, teachers, neighbors, and other parents (even if you've told them not to).
  • Social media and over-sharing online, even if you are "hiding" behind a screen name or other fake identity (sorry, you are never really hidden online).
  • Smart phones & cell phones  - all calls and texts are logged, and its crazy easy for folks with the technology & know-how to hack or track your phones even when they are in airplane mode or turned off completely.
  • Gmail, hotmail/outlook, yahoo mail, and all other free (and many paid) email services log and archive all email and will cooperate with authorities when asked to provide your information to them. It is also fairly easy to hack into most email accounts.
  • Other technology - affinity cards, credit/debit cards, even modern library cards - log all activity, which is then available to the company (for their use or even resell), government officials with warrants (and sometimes without), and even hackers.
4- Assess the Risks -Answers the questions: What critical information is most important to protect? What threats are the most active? What vulnerabilities are the most likely to reveal critical information?

Not all information is equal. Some critical information is more critical than other critical information - meaning it can more easily or effectively be used against you. Not all threats and vulnerabilities are equal - some are greater than others. Risk assessment involves a subjective analysis of importance of critical information and the likelihood that it can become compromised. Most of the time and effort of OPSEC should be aimed at protecting the most important information against the most realistic threats.

5- Apply Countermeasures - Answers the question: How can the bad guys be stopped from getting our information? This is probably why you came to this article, but you do need to understand all the prior information before you can figure out what countermeasures to take. This is because:

The first and most important part of protecting your critical information is to make sure that everyone in your family/group understands what information to protect. Share this critical information on a "need to know basis" only. Even within your family/group, not everyone needs to know everything. This doesn't mean that you don't trust your family or group members. Rather, the less people that know something, the less chance of it accidentally being revealed. 

If you have children in your family, you need to talk to them about not sharing certain information with non-family members. Teach them to respond to questions, even from teachers and other authority figures, about the family's finances, religion, or politics by responding "I don't know," and "You'll have to ask Mommy or Daddy about that." Young children will need to be reminded of this often. Be careful about what information you share with and around your children (they do have ears).

Additional countermeasures may include:
  • Avoid public conversations or comments about critical information. This includes phone conversations in public. 
  • Shredding/burning of receipts, bills, and documents after they are no longer needed.
  • Be careful of what trash & recyclables you leave at the curb. Even empty boxes may reveal to those nosy neighbors what, and how much. 
  • Cautious use of social media, email, and text messaging. Realize that if you are emitting electronically, your use is being monitored, logged and stored.
  • Wise computer use (no illegal activities; keep your operating system and other programs up-to-date; use firewalls, antivirus, and anti-malware programs; use privacy search engines such as Duck-Duck-Go and StartPage instead of Google, Bing, or Yahoo...). 
  • Always take basic home, office, travel, and personal security precautions.
  • Limit affinity cards. These can be great ways to get special deals, but it comes at the cost of allowing the company to collect information on you. This information may be used by the company, shared with its vendors, sold to other companies, or stolen by company employees or outside hackers. It could also be obtained by the government. 
This list only scratches the surface of the OPSEC countermeasures you can take.  I will expand on this list in several future articles. 
-----------------

Please follow me on GAB at https://gab.ai/TimGamble and on Twitter at https://twitter.com/TimGamble