Michael C. Casey
Director of the National Counterintelligence and Security Center (NCSC)
OPINION — In the early stages of the Vietnam War, Pentagon officials were puzzled why U.S. bombing missions against northern Vietnam were yielding meager results. Accordingly, the U.S. Government investigated and, in what became known as the Purple Dragon study, concluded that U.S. forces were inadvertently revealing flight plan information to North Vietnam, which could then take evasive action.
Addressing the challenge of keeping information on U.S. military strengths and vulnerabilities away from hostile forces became known as operations security—or OPSEC. Ultimately, in 1988, President Ronald Reagan directed elements of the Executive Branch that support classified or sensitive activities to establish formal OPSEC programs. Since then, OPSEC has been applied not just across the U.S. military and Intelligence Community, but in various private industries and other sectors.
As the digital age has progressed, OPSEC has become more challenging. In 2018, the Defense Department barred its employees from using geolocation features on their mobile devices in operational areas after fitness app data appeared online revealing their exercise routines in sensitive overseas locations. Recently, Russia’s war on Ukraine has highlighted the fatal consequences of poor digital OPSEC. Press reports last year, detailed cases of Russian troops being killed by Ukrainian strikes after using cell phones to contact relatives or post photos online while leaving their geolocation tags on.
With adversaries today targeting not only the U.S national security community, but also extracting data and technology from virtually every sector of our economy, OPSEC is a concept all organizations should embrace. OPSEC is a proven discipline designed to deny adversaries the ability to collect, analyze, and exploit information that might provide them an advantage. It is a process of continual assessment that identifies and analyzes critical information, vulnerabilities, risks, and external threats.
Of course, the first step in establishing an OPSEC program is acknowledging there are adversarial threats to your organization—and they can come in the form of crime, foreign espionage, terrorism, or subversion. These threats—which are constantly evolving—can be manifested by ransomware delivered by cybercriminals, sabotage by insiders, theft of intellectual property by agents of a foreign power, or physical destruction of facilities by terrorists. Robust OPSEC can help mitigate these threats.
The OPSEC cycle involves six steps. First, identify the critical assets you want to protect. Second, analyze threats—determine who may want your critical data or expertise and how they may try to get it. Third, analyze your security vulnerabilities—determine how your assets, including data, may be vulnerable and whether your existing protection measures are sufficient. Fourth, assess risks—determine the impact, costs, and stakes should such compromises occur. Next, develop and apply countermeasures. Finally, continually assess—and reassess—the effectiveness of your countermeasures.
The same OPSEC strategies to protect government and business information are useful in protecting personal information. Exercise caution when receiving unsolicited messages (including texts, emails, chats, etc.), particularly if they come from unknown senders and/or contain suspicious links or attachments. Adding encryption to your emails, verifying where and whom a message is coming from, and exercising caution before downloading files and clicking on links are all ways to prevent a criminal or foreign adversary from gaining access to your private information.
January is National OPSEC Awareness Month, a month-long campaign across the U.S. Government to help raise threat awareness and share risk mitigation practices. It is also an opportunity for organizations outside government to revisit and improve their security postures. We encourage organizations to introduce OPSEC concepts to their employees and seek their support in protecting information. For resources, visit NCSC’s OPSEC webpage at: https://www.dni.gov/index.php/ncsc-what-we-do/operations-security
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.
Michael C. Casey is the Director of the National Counterintelligence and Security Center (NCSC), where he leads and supports the counterintelligence (CI) and security activities of the U.S. Government, and serves as the principal CI and security advisor to the Director of National Intelligence.