Tradecraft: Introduction to OpSec

(TFC) – Operations Security sounds like something that would only concern spies and special operations soldiers. The reality is that since your government is likely spying on you, even if you “have nothing to hide”, OpSec concerns you. It’s a concept you need to become familiar with and begin to apply in your daily life. Maintaining Operational Security is simply the practice of taking small steps to secure the information you don’t want disclosed.

OpSec Professionals describes it as:

“Operations security (OPSEC) is an analytic process used to deny an adversary information – generally unclassified – concerning friendly intentions and capabilities by identifying, controlling, and protecting indicators associated with planning processes or operations. OPSEC does not replace other security disciplines – it supplements them.” (Wikipedia)
OPSEC is simply denying an adversary information that could harm you or benefit them. OPSEC is a process, but it is also a mindset. By educating oneself on OPSEC risks and methodologies, protecting sensitive information becomes second nature.
OPSEC is unique as a discipline, because it is understood that the OPSEC manager must make certain decisions when implementing OPSEC measures. Most of these measures will involve a certain expenditure of resources, so an estimate must be made as to whether the assumed gain in secrecy is worth the cost in those resources. If the decision is made not to implement a measure, then the organization assumes a certain risk. This is why both OPSEC managers and leaders at all levels must be educated on and aware of the OPSEC process.
OPSEC is not only for Military or Government entities. More individuals and Corporations are realizing the importance of protecting trade secrets, personal security and intentions. Whatever the organization and purpose, OPSEC can, and will, increase the overall security posture.”

To practice OpSec, you have to determine what information aids your opposition. Many people aren’t even sure they have an opposition, so it becomes difficult to assess what information aids them. Luckily, there are certain types of information that always need to be protected.

Means and Methods: In military terms, this consists of troop numbers, advanced tactics, operational plans, sensitive technologies, and so on. In your personal life, this would be information like your personally identifying information, bank account, pin number, and personal habits related to your daily routine. In your activist life, this would include travel itineraries, organization affiliations, and so on.

Exploitable information: What information can be leveraged against you? How can you be blackmailed? Securing information that might be used to influence your actions is a large part of OpSec. Everybody has dirty laundry and things they’d prefer not to have known. Whether it be infidelity, a drug habit, or even embarrassing pornographic tastes your secrets can be used to manipulate you. This also includes information that can directly be used against you. Recently, a well-known far-right figure was punched while being interviewed. If that person’s identity was discovered, it could directly lead to his arrest.

How do you practice good OpSec?

Shut up. In today’s world of social media, the tendency to disclose your every move and action is very common. It can lead to trouble. When you post something on the internet, this information is essentially public to anyone at any point in the future. Generally speaking, your safest method of maintaining OpSec is making sure you never say more than is necessary. You’ve certainly heard the phrase “need to know” before. That is an OpSec mantra. If someone does not have a genuine “need to know,” they should not be given potentially damaging information.

What are the biggest activist OpSec violations?

Bragging about being in the know: How many times have you seen someone admit to being somewhere an illegal action took place? Or hint that they know the identity of a person who performed an illegal action? Each person who does this is providing a piece to the puzzle for security services. If 10 people hint they know person X’s identity, it wouldn’t take a genius to look at their mutual friends and narrow it down by who is in the same geographic area and belongs to similar organizations.

Being too timely with updates from events: People who aren’t at an event do not need you to provide a play-by-play unless you are completely uninvolved with the activities. There has never been an activist movement with a more sympathetic media. Many indie journalists often choose between covering an event and participating. Let them provide the people at home with updates. If you post you are currently at a specific location and then seconds later something happens at that location, you have made yourself a suspect or a material witness.

Trying to talk around something: Little bits of harmless information add up. For example, let’s say you’re attempting to talk about me without using my name. “The bearded guy” might be enough to identify me to the person you’re talking to, but if he describes me as “the guy at TFC” to the next person, and that person describes me as “JK”, you might as well have used my name. If you shouldn’t talk about it, just don’t talk about it.

Posting travel itineraries: Nobody needs to know you are picking up Johnny and the Suzie on the way to an event except for Johnny and Suzie. This information endangers everyone if one of the people in the car gets into trouble.

Failing to engage in disinformation: If you are completely honest with your online activity, you might as well provide the security services in your country with a written list of everything you do. Follow accounts you aren’t interested in, check in places you haven’t been, accept invites to events you won’t be attending, and make certain that there is so much inaccurate information in your social media profile that it can’t be used against you for either surveillance purposes or in a kangaroo court.

Failing to compartmentalize: It’s important enough to repeat. If someone doesn’t have a need to know, don’t tell them. This isn’t a sign of distrust, it’s a sign you are trustworthy. Remember that when you disclose unnecessary information about yourself, you are probably disclosing it about others.

Here is a giant list of free training materials concerning OpSec for further reading.

Here is the US Army’s OpSec guide.