OPSEC and the Internet of Things

The Department of Defense (DoD) announced that an OPSEC (operational security) review has been ordered by Secretary of Defense Jim Mattis, following the revelation of the “global heat map” which Strava Labs had compiled of the exercise patterns of millions of users, including US military service men and women. According to the Military Times, service members’ exercise activity was prominently featured and, as DoD Press Secretary Dana White said, “revealed a potential vulnerability.”

Mattis had been considering banning all electronic devices from the Pentagon, an OPSEC step which is routine for those going into secure environments, like SCIFs (Sensitive Compartmented Information Facilities). Those who are familiar with SCIFs know they are designed to provide a secure environment against any and all electronic threats and to keep secret the activity and information within the environment. This author remembers that when cell phones first hit the market in the 1980s-90s, they were banned from the Central Intelligence Agency headquarters (employees were instructed at that time to leave their devices in their vehicles in the parking lot or at home).

Intelligence Community Wide OPSEC Threat

The Strava Labs revelation is not just an OPSEC threat to the DoD. All members of the intelligence community who have employees and contractors operating clandestinely run the risk of the same data showing a connection between their place of residence and place of employment. For example, if a member of the clandestine service of the CIA jogs at the local high school track in Fairfax, Virginia on the weekends and then also jogs around the perimeter of the CIA campus during the week, they have effectively provided anyone harvesting the geolocation data sufficient information to connect the dots of their daily routine.

Similarly, for those serving in denied areas or war zones, be they diplomats, intelligence officers or military personnel, this same information can be used to mount a terrorist attack against personnel based on patterns of movement. The first piece of advice provided to all personnel assigned outside of the continental United States (CONUS) is to vary one’s pattern of movement. Patterns play into the hands of both the counterintelligence entity of the host nation and the planning matrix of those bent on more nefarious activities.

Not Just a U.S. OPSEC Issue

India recently banned more than 40 apps from the mobile devices of its military, identifying the OPSEC threat posed by the apps from the government of China. Similarly, according to C4ISRNET, other apps with geolocation capabilities have posed OPSEC risks in the past. These include apps as mundane as Pokémon Go and as universal as Snapchat.

What Should We Do?

First and foremost, disable the geolocation capabilities of your devices (exercise monitors, smartphones, tablets, cameras, etc.).

More and more of us have the Internet of Things touching our lives, with our home security apps and doorbells on our devices.

If you must use your device for directions via a map application, remember that your routes will be captured. If you are using apps which capture your business and personal driving mileage for tax purposes, do ensure the location feature (if any) is disabled.

Similarly, if your insurance company offers you a discount to attach a monitoring fob to your vehicle, make sure that their knowledge of your movements will not present an OPSEC risk to your employer.

Remember, as DoD Press Secretary White so eloquently said, “Information is power, and our adversaries have used information to plan attacks against us.”