Veterans Day: How Military OpSec Can Transform Your Cyber Security Planning

Every organization has data and cyber security policies. This is a non-negotiable protection that companies rely on to maintain privacy over intellectual property, customer data, and more. It allows them to stay compliant with government and industry regulations, preserve their advantages over competitors, and retain customer trust.

And while these security measures can be effective at safeguarding technology and data, business security measures simply cannot compare to military security. Within the military, operational security—or OpSec—and security training are treated very seriously, especially for personnel with security clearances. The reason for this is the simple fact that security in the military can often be a matter of life or death—or at least very real consequences.

What is OpSec?

At its core, OpSec is simply the protection of information that is sensitive, classified, or need-to-know. It is a method used across the various divisions of the military for making itself a ‘hard target’ (i.e. an institution that enemy combatants can’t easily infiltrate).

OpSec uses the hierarchy within the Department of Defense to delegate responsibilities, laying out clear duties and tasks for everyone with access to sensitive information. It also has a plan for program management, where different types of information are given different OpSec program levels:

Level I: This OpSec level requires a minimal amount of oversight, protection, and resources.

Level II: This is midlevel OpSec that necessitates moderate management and resources.

Level III: This data or technology falls under the highest level of security and must be managed around the clock with comprehensive cyber security measures.

The military’s implementation of OpSec goes beyond security level categories and the delegation of responsibilities. There is also an exhaustive process that is systematic in providing security. The point of this process is to identify information that needs to be secured, control this critical data, and protect it.

Identify Critical Information: The first step in the process is to identify the information that needs to be protected. This is the information that, if it is revealed, puts the organization or the organization’s stakeholders at risk. For the Department of Defense, this could be information about a technological advantage or about troop movements. For a business, this could be private customer data or an innovative product that is being developed. The final aspect of this step is to alert those involved that the information or data is critical and falls under OpSec.

Threat Analysis: During this step, organizations need to determine potential threats, whether that be competing organizations, malicious hackers, and so on. Then they need to determine the potential threats’ capabilities, as well as their desire to find and use the data or information.

Vulnerability Analysis: During the third step, it is necessary to identify if the organization has any vulnerabilities. This will require an analysis of all operations.

Risk Assessment: The risk assessment weighs the vulnerability of the data against how damaging the data loss would be. Organizations will need to consider how much time, labor, and money it will cost to implement OpSec countermeasures and how effective those countermeasures will be. They should then compare this to the cost associated with third parties gaining access to the data.

Apply OpSec: During this step, organizations need to decide whether the data falls into Level I, II, or III OpSec. They also need to identify which countermeasures can be applied to sufficiently reduce risk. The potential countermeasures could include everything from limited distribution of data to isolated storage. However, it is important to mention that there is no pre-set list that countermeasures can be pulled from. Each situation is different and information technology specialists should be consulted to design the ideal security procedures.

How is OpSec Different From Computer Security?

Operations security and computer security are not one and the same. On one hand, OpSec is about ensuring that information about operations is secure. Computer security, on the other hand, is dedicated to ensuring that the hardware and software that an organization uses is secure from third-party tampering.

However, OpSec and computer security are closely related—computer security is an important function of OpSec, but it is one of many functions that OpSec includes. So while OpSec harnesses the power of computer security, its broader goal is to protect information from being intercepted through any of the following means:

Human Intelligence (HUMINT): This type of information is gained from individuals who are on the ground.

Signals Intelligence (SIGINT): This information is gathered from signals being intercepted. There are three main categories for this type of intelligence. The first is Communications Intelligence (COMINT), which is messages and voice information that is intercepted. The second is Electronic Intelligence (ELINT), which is electronic signals that don’t contain text or speech. The third is Foreign Instrumentation Signals Intelligence (FISINT), which is the interception of telemetry data from aircraft tests and missiles.

Imagery Intelligence (IMINT): This information is gained from aerial and satellite photography, as well as other forms of visual photography, radar sensors, infrared sensors, electro-optics, and lasers.

Measurement And Signature Intelligence (MASINT): This intelligence all comes from technical collection systems in an effort to help find identifiers that can determine the source of the information. This includes gathering everything from geophysical intelligence to radiofrequency intelligence.

In short, the point of OpSec is to prevent third parties from using any of these four methods to gain information about an organization’s activities, plans, and current data. Cyber security is one method for OpSec to utilize as a countermeasure.

OpSec For Military and Beyond

At first glance, it seems that OpSec really only applies to the Department of Defense. It almost seems somewhat extreme for most businesses to be concerned about espionage or outside parties gaining intelligence about their operations, systems, and data. The truth is, though, with some businesses holding valuable intellectual property, collecting bulk amounts of data, and making up a significant portion of any given industry’s market share, there are plenty of individuals and entities that regularly attempt to gain access to sensitive information. To put it simply, OpSec is an important method for identifying non-typical threats to any business’ cyber security.

Russian Military in Ukraine

One example of OpSec failure can be seen through the Russian military. President Putin, and those associated with the Russian government, have stated again and again that they are staying out of Ukraine—no troops are there, they are not sending weaponry to pro-Russian separatists, and they are not training forces in Ukraine.

However, several newspapers did a little bit of digging and found that this is clearly false. Multiple Russian soldiers have posted on social media, giving away their location. Some have posted pictures on Instagram that have been geotagged in Ukraine. Others posted on the Russian version of Facebook, discussing bringing rocket systems to Ukraine and shelling the neighboring country. The proof that Russia is currently deploying troops to Ukraine is undeniable.

Fitness Tracking and Secret Army Bases

Strava is a fitness tracking app that allows athletes from all different disciplines to map out their routes. Recently Strava released a map that shows 3 trillion GPS data points—running, cycling, kite surfing, and many more routes around the globe that Strava users had tracked with their smartphone or fitness tracker.

Military analysts came to a frightening realization—the routes of military and government personnel were clearly shown on the map. The reason that it was so obvious is that many military bases are in areas that are not heavily populated or in countries where apps like Strava are not popular. Therefore, the bases are both identifiable and mappable.

From Government and Military to Business

But, as previously stated, this example extends far beyond military and government actions. Businesses can learn from this too. Companies need to understand how social media can impact their sensitive information. It seems simple, but even the U.S. military has to train soldiers and their families to not overshare on social platforms.

Adopting OpSec could allow businesses to analyze the information that they have and identify how much damage could come from that information being intercepted. They could then use this to classify the data into OpSec Levels I, II, and III. Finally, they could work with IT specialists to develop countermeasures to protect the information with cyber security. In all likelihood, one of the most common countermeasures will be workforce training on social media and geo-tracking apps. Employees should know what information they can and cannot share, as well as how their posts could be used against the company—even down to posting on Instagram with geolocation turned on.

One of the biggest threats to company data security comes from a website that reputation-based security products will never block: LinkedIn. Because the website is so useful for recruiting for HR departments, as well as for marketing and making strong professional connections, most companies see it as innocuous. However, cyber security attackers have recently been using a method called spear phishing. They will send users a message with an offer, such as a free gift or a job offer. When the individual clicks on the link, they are sent to a site and asked for their name, email address, location, company name, and to set up a profile with a password. Because many people reuse passwords, the attacker can then use this information for logging into the individual’s work systems and servers.

Learn More About How OpSec Can Transform Your Cyber Security

In short, the information security threats that companies are now facing are becoming more complex each day. Businesses need to start rethinking their security protocols. Agile IT is Veteran operated, with former Marines, Army, and Navy all working together. Our team can help you identify how to get OpSec in Cyber Security for your company. For more information, please contact us.