OPSEC by Any Other Name

OPSEC doesn’t live, or happen, in a vacuum. It’s but one facet of military rules and regulations that were not so much designed as grown organically. “Don’t get behind the OPSEC power curve,” a USAF training aid warns, but rapidly evolving technologies mean that the U.S. military is almost perpetually behind the “power curve” in addressing OPSEC – and other technology – issues.

The military isn’t necessarily going overboard with OPSEC concerns about blogs and emails; rather, they’re overreacting in typical fashion to the belated realization that their “enemies” are technologically literate. That sort of knowledge used to be a staple of cold-war counterintelligence training, as this neat handbook shows. But having their attention focussed squarely on under-educated, transient militants living in caves for too long means – gasp! – the military suddenly has to deal with an enemy they had been, ahem, misunderestimating.

Another part of the problem is an increasing tendency for all branches of the government to over-classify, and overstate the importance of, their “intelligence”, where intelligence is interpreted very, very broadly indeed. The FBI’s been doing it, the DOJ’s been doing it, everyone has been playing the “grave and dangerous national secrets” game. Both inside and outside the military, it’s led to such wonderful almost-classification levels as “Law Enforcement Sensitive”, and the increasing use – and abuse – of terms like “FOUO.”

Just consider the instructions in the recent “OPSEC in the Blogosphere” presentation we first published here. FOUO, it says, will be the standard marking for all unclassified products which “could cause harm to Army operations or personnel” if released to the public. The catch is that FOUO is not a classification level, and darn near anyone can pseudo-classify their documents as such.

Of course, if there are guidelines for determining whether something “could cause harm”, they haven’t been leaked to the public. Yet. 🙂 And that, really, seems a kissing cousin of the biggest part of this no-blogging, no-emailing OPSEC boondoggle – despite all the mealy-mouthed reassurances from Army spokesmen, nobody’s said anything about giving OPSEC officers blog, or even internet, training. Consider the “second commandment” of critical information OPSEC from this 2002 OPSEC presentation (340KB PowerPoint file):

Operational Security commandments

“Thou shall not try to protect everything.” Wiser words may never have been incorporated into a clip art-laden PowerPoint presentation, ever.

If the whole premise is – as it seems to be – that soldiers, contractors, and their families are going to be asked to register their blogs with their OPSEC officers for periodic spot checks, this would seem to have two fatal flaws that even I can spot:

First, a fundamental point of OPSEC is that a lot of small details, put together over time by a determined adversary, can become compromising information. Are spot checks really going to accurately identify potentially damaging data sets in a soldier’s blog? What of milbloggers who post with Atrios-like frequency, several times a day? Is an OPSEC officer really going to wade with fine-toothed comb through over a hundred posts, per blog, once a month?

Secondly, are OPSEC officers aware of things like Google caches and the Internet Archive? Do they understand syndication feeds? Splogs and scraper sites? Newsgroups, and websites that mirror newsgroups? Public mailing lists? Do they, when you get right down to it, realize that very, very little, once put on the internet, can ever be made to disappear forever?

Until now, OPSEC decisions have been more or less left to the judgement of the bloggers themselves. Yet, it’s clear that, at least for the moment, compromising information is kind of like pornography (i.e. hard to describe accurately, but you recognize it when you see it.) I, and many, many others, have doubts about whether the new de-facto censorship of milbloggers is workable. A much better plan, I think, would be to spell out very explicitly, in small words, the things the military would prefer soldiers not disseminate to the world at large. Now, it’s no secret, pardon the expression, that soldiers are being deployed with grossly abbreviated, and arguably even inadequate, training. But, come on, how hard is it to find two hours to drill the importance of good OPSEC practices into soldiers’ heads?

Is it our OPSEC practices that are failing, or our OPSEC training? You tell me.

Other commitments call, but I’ll end this with a few entertaining links:

Want to know how bad the OPSEC-related paranoia has gotten? Read this training document (24KB PDF) for MARS operators. “Treat every MARS document as if it were marked FOUO whether it is or not,” the training instructions state, and suggest three methods of secure disposal of such documents – including, we presume, this one. (Oops.) Like we said at the beginning of this post, OPSEC doesn’t live in a vacuum. There’s also this training document from the USAF (256KB PDF) on, among other things, “Information Assurance.” Lastly, the much-neglected fifth branch of our military (the Coast Guard) has a SATE program, whose rather long-in-the-tooth manual is, obviously, online.

Published in: Geekiness, General, Security | on May 3rd, 2007