30. November 2007 by Revelator.

Posted in Media | Print | No Comments »

28. November 2007 by Revelator.

As promised this is the first entry from what I hope will be many guest bloggers. Rick is a member of OSPA, a Major in the United States Army and an all-around good guy. Enjoy…

It’s been said that Operations Security (OPSEC) is everyone’s responsibility; that no person alone can make OPSEC work. On the other hand, it only takes one person to ignore items on the Critical Information List (CIL) and disclose sensitive information over non-secure media or during open discussions in public. The “I” in OPSEC can be viewed from several angles.

The very foundation of OPSEC involves a five-step process: 1) Identify critical information, 2) Threat analysis, 3) Vulnerability analysis, 4) Risk assessment, and 5) Apply countermeasures. The OPSEC Program Manager (OPM) should coordinate the five-step process. Meaning, he/she should ensure the appropriate personnel complete each step. This process is a team effort. No “I” here.

To identify critical information, the OPSEC officer should work with the Operations section and the commander to determine what unclassified, yet sensitive, information must be protected. The list of critical information items should then be placed on a Critical Information List, or CIL. Each command will have a unique list of critical information for day-to-day operations and/or each specific mission or Operations Plan (OPLAN). Again, the OPSEC officer cannot do this alone. There is no “I” in this step.

The Intelligence section supplies the OPM with information regarding the current threat. Normally, the OPSEC Officer does not have the expertise to conduct a thorough threat analysis. Even if the OPSEC officer is the same person as the S2, it still requires assistance from others within the Intelligence section. Demonstrating again, there is no “I” in this step.

To complete a thorough vulnerability assessment, the OPSEC officer must again work with the Operations section, the “Staff”, and the Antiterrorism Officer (ATO) and the Force Protection officer (one person may perform both duties, depending on the unit). There is no “I” in this step, either.

The OPSEC officer can conduct the risk assessment step, but usually the Operations officer or the commander must approve it. This step involves subjectivity as to how much risk is acceptable and the severity of the consequences should something go awry. Therefore, the commander must be aware of the risks and give the ultimate approval for the taking certain risks. There is no “I” in this step.

Applying OPSEC measures must certainly be the job of the OPSEC officer. However, the OPSEC officer can only advise the commander on the OPSEC measures. If the commander deems the OPSEC measures too costly, time consuming, or would delay the mission, the OPSEC measures may be rejected. If the OPSEC measures are accepted, it is up to the leadership of the unit to ensure they are implemented. There is no “I” in the last step of OPSEC, either.

OPSEC is everyone’s responsibility. It is not solely the responsibility of the OPSEC officer to make sure OPSEC is “good” at the unit. OPSEC is a team effort. So, the “I” in OPSEC rests with every single individual who is assigned to, attached to, under operational control (OPCON), or is in some manner responsible to the commander of a specific unit where the OPSEC officer has put together an OPSEC plan.

In all actuality, everyone is the “I” in OPSEC. Your careless words or the “they aren’t listening to this phone call” attitude may cause mission failure or the deaths of allied troops and innocent civilians. You must be cognizant of the information you disclose in public, in emails, and over non-secure phones and faxes. OPSEC is everyone’s responsibility. Do your part to keep sensitive information from the adversary.

There is a saying that goes something like, “I am but one, but I am one.” The adversary only has to be right once. We have to be right all the time. The “I” in OPSEC means everybody needs to be aware of OPSEC 100% of the time. The lone OPSEC Officer or OPSEC Working Group member in your organization cannot do it for you. Be the “I” in OPSEC!

Richard E. Millikan, MAJ, USAR

Chief, OPSEC Assessments - Joint OPSEC Support Center (JOSC)

210-925-4781 / DSN 945-4781

Posted in Program Management | Print | No Comments »

23. November 2007 by Revelator.

One of the driving thoughts behind the creation of the OSPA has always been to create a web site that would be populated with everything an OPSEC professional might need. Everything. Piece of cake, right? Or as we used to say when I was stationed in Germany - Stück Kuchen. Well, I wish it were that easy. But I think we are well on our way to being a one stop shop for all your OPSEC needs. And before I move on to discuss some of these let me ask each of you right now to please contact the OSPA to let us know what else you would like to see on our main web page. 

While this entry is essentially designed to let you know some of the things you may be missing out on it is also a call to action. We are happy to provide services and materials but we need active participation from our members to make the site viable and worth the effort to sustain it. Spend some time checking out all we have to offer and contribute to those things that interest you. It let’s us know that our members are engaged and will help in the information sharing we hope to facilitate.

The main page: check out all that is there. Check out all the links, read the board member bio’s, check out the reading room, look at the posters, check out the “News and updates” scroll and while you’re there subscribe to the OSPA Mailing List and the OPSEC RSS Feed. Also, while you are checking out the offerings keep in mind that we need content. We need our members to share posters or articles or PowerPoint presentations that you think others might be able to use.  In creating this virtual OPSEC community we want to encourage sharing of information among our community members. The more we help each other the better off the whole community becomes.

Speaking of sharing and building; click on the OSPA Forum link while you are there. There are many discussions going on that you can contribute to or you can create a new discussion. If you have any questions or need help in any way the Forum is a great place to go.
Check out the Job Board also - it’s no Monster.com but then again OPSEC jobs are precious and few. If you hear of ANY OPSEC related job please pass this information on so we can post in on the board.

SME’s - The OSPA is fortunate to have many seasoned OPSEC professionals among it’s membership. We are even more fortunate that some of these people have volunteered to act as Subject Matter Experts (SMEs) for you the member. Please feel free to contact any one of our SMEs directly if you have any questions. Also, as you look at our SME list if you feel that you can contribute as an SME in an area please let us know and we’ll add you to our list.
OPSEC Wiki - yup, we’ve even got an OPSEC Wiki. Check it out. And when you get done with that click on the OPSEC Game and give that a whirl. It’s fairly easy once you’ve played a time or two. The forum has been abuzz with high score smack talk so go there (in the “OPSEC Discussion” section) and let us know how you did.

The OSPA OPSEC Academy - This is a huge project and will essentially be the culmination of all of our efforts. If the OSPA leaves nothing else behind we hope this on-line learning environment is a lasting legacy. Via the Academy we envision providing you with all your OPSEC knowledge and training needs. Once registered, students will be able to enroll in self-paced lessons and courses that will be created to satisfy specific OSPEC related knowledge needs. We hope to create tracks of learning geared toward specific environmental needs such as military, corporate and federal. If you are paying attention, you’ve noticed words and phrases such as “envision”, “hope to”, “will be” and “culmination.” The academy will take time to create. While most of our other efforts to support the member can be created and grown as a living entity, the Academy is something that needs to be cultivated within until it is ready for a full launch. To that end we are extremely fortunate that Mr. Tom Mauriello has volunteered as our OSPA OPSEC Academy President. I won’t go into why this is so important right now but check out his bio on our web page (and if it isn’t there yet then ping our Founder and President, Chris Cox). If any of you have any thoughts concerning the Academy please make them known. We are still in the planning and creation stage of development and welcome any contributions you may have.

One more thing - when you finish reading this scroll on down and on the right you will see the link to ”Register” - please do this before you leave the page. 

The OSPA and all we are trying to provide are simply vehicles to facilitate open and free communications between our members and the OPSEC community at large.  Many have complained about much - what are you willing to contribute to make it better?

Keep the Faith!

Revelator

Posted in OSPA | Print | No Comments »

19. November 2007 by Revelator.

Does Hollywood do a good job of portraying OPSEC in the movies? Can anyone provide a movie and describe a scene where OPSEC comes into play? Was it good OPSEC or was it poor OPSEC? I don’t really care if it was good or poor acting.

One that comes to mind for me is the movie “MIDWAY” which came out in the summer of 1976 and is available on DVD. It tells the tale about “the most decisive naval battle in U.S. history” which turned the tide of the war in the Pacific.  Directed by Jack Smight, it has an ALL STAR cast: Charlton Heston, James Coburn, Henry Fonda, Glenn Ford, Hal Holbrook, Pat Morita, Robert Mitchum, Cliff Robertson, Robert Wagner, Toshiro Mifune, James Shigeta, Christina Kokubo, Edward Albert (the son of Eddie Albert), and - if you look close enough - Tom Selleck (a.k.a. Magnum P.I.).

At the risk of turning this into a movie critic forum or movie trivia challenge, I thought the movie did a pretty good job of historically portraying this watershed event. It was also really fun if you got to see it in theaters enabled with “SENSOR-ROUND!”

Two items of OPSEC significance come to mind:

“AF is Midway”  Does anyone know the movie well enough to know what I am referring to? Some might call this a feedback loop. The scene is where we employ poor OPSEC in a smart manner…in a “Measurement of Effectiveness” sort of way…to use to our advantage.  When we get to this scene, the film establishes that we are “copying the Japanese mail” but the US is not quite sure what their intentions are for Midway. Maybe it would all become clear if they could just figure out what the two letter abbreviation “AF” refers to in the enemy’s message traffic.

Commander Joseph Rochefort, a US Navy Intel officer (a crypie) played by Hal Holbrook, convinces Admiral Nimitz, played by Henry Fonda, to buy off on a little ploy to have the comms center on Midway Island send out a “fake message” in the clear about a degrading fresh water situation on Midway. Admiral Nimitz gives the okay. Ultimately – just a minute or so in movie time, Commander Rochefort and his personnel intercept and de-code a Japanese message that confirms that “AF” is indeed Midway.

Could you consider this a nice OPSEC coup? Maybe a small victory for OPSEC? If nothing else, it clearly demonstrates that the enemy was listening…and something like that could be useful in reinforcing OPSEC awareness; then and now.

“Admiral Nimitz is notified”  What happens next is my favorite OPSEC moment in the film. Just seconds after CDR Rochefort – Hal Holbrook - gets the news confirming “AF” is Midway, he turns to Charlton Heston, playing the fictional character of Captain Matt Garth, and relays the information. Charlton Heston is then sprayed with water from a fire hose and exclaims that the place is a “madhouse!”

Oops, sorry; wrong movie.

Charlton Heston quickly rushes to the nearest telephone…still within easy earshot of the Intel crew who just broke the message traffic…to call Admiral Nimitz.

Can you say “phone’s up” or “this line is not secure”? Well, neither could Mr. Heston or Mr. Fonda; maybe it just wasn’t in the script. Captain Garth tells Admiral Nimitz that Intel has confirmed that “AF is Midway” over the telephone. Was this poor OPSEC? I don’t think so; this was a security violation plain and simple not to mention just poor headwork. Of course CDR Rochefort was too busy celebrating with his shipmates to admonish the good Captain on his security procedures.

Upon hearing the news, Admiral Nimitz requests that Captain Garth assemble the staff at a particular time the next morning to begin planning. Was this critical information? I’d say sure! This part of the scene is an example of poor OPSEC.

Anyway, I doubt Hollywood was thinking about the finer points of good OPSEC when they were striving for historical accuracy combined with dramatic effect. The take-away here is that you can use this 2 – 3 minute scene to improve your own organization’s OPSEC awareness thanks to Hollywood’s literary license.

For those of you who have seen the movie, what do you think? Please share other films and movie scenes that directly or indirectly involve OPSEC.

You can get more details about the “AF is Midway” ploy, by searching Commander Joseph Rochefort on the web.

Don Sidro - The GodFather of OPSEC                 

Posted in Movies, General OPSEC | Print | 3 Comments »

14. November 2007 by Revelator.

Bottom line - there is no OPS versus OSPA. Doesn’t exist. Though apparently many people think it does.

OSPA leadership has received numerous phone calls and email concerning this topic:
Why are you trying to kill OPS?
What did OPS ever do to you?
Are you mad because you’re not on the OPS Board any more?
Why do you want to split the OPSEC community?
Is this personal?
Do you think you’re better than the OPS?

People we respect have questioned our integrity and motives. Some have called us on the carpet for this outrage and others are simply turning a blind eye to what OSPA has accomplished and what we intend to accomplish in the future.

On the plus side, we do enjoy the support of many OPSEC community leaders. By the way, I’m not going to attempt to answer all the questions posed above. No; rather I’ll tell you that I am an OPS member, an OPSEC Certified Professional (OCP), a former member of the OPS Board of Directors and am currently on the OPS Education Committee. And if you look at other OSPA Board members you will find current OPS members, one “Lifetime Member” and another OPS certified OCP. No one here discounts OPS’s contribution to the OPSEC community. In fact, they are a large part of why we have an “OPSEC Community” and all OSPA members are encouraged to join the OPS.

Earlier this year an Army E-5 saw a need. And from that need grew a web site and from that web site grew an Association. Pretty simple really. There were no hidden agenda’s, ulterior motivations, or anything sinister about it. Not then - and not today.

Revelator

Posted in OSPA | Print | 1 Comment »

9. November 2007 by Revelator.

Good Day All - This is The Revelator and I’m here to tell you that The Godfather of OPSEC (Don Sidro) and I have taken over this blog. While it didn’t necessarily take much coersion to force the OSPA Prez to hand it over we still bumped chests and high fived at his willing submission.
Don Sidro and I will be the main contributers to this blog. While we think we have a great deal to contribute to the OPSEC community at large we understand that you will need changes of pace every once in a while and to that end we promise to invite many distinguished personnel from the OPSEC world to contribute guest entries. Also, if you feel you have something to contribute beyond a comment and would like to be a guest contributor please let us know.
Via this blog we will attempt to keep you up to date on OSPA happenings as well as happenings in the OPSEC world in general. We also hope to stimulate your OPSEC brain with musings about the state of the OPSEC world and anything else OPSEC related that floats across our consciousness.
Please feel free to comment as much as you want as often as you want.
Have a great OPSEC day and always remember to keep the faith!
Revelator

Posted in Uncategorized | Print | 1 Comment »