As January ends, so does NCSC’s OPSEC Month. NCSC has provided a plethora of advice to assist all entities and individuals in understanding the operational security (OPSEC) threat and how to take steps to mitigate that threat. This is not new. There’s not an entity within the defense or Intelligence Community (IC) that hasn’t been directed to invest in OPSEC when it comes to their classified engagements with government, be it under the aegis of NISPOM or DCID.
Indeed, it goes well beyond a suggestion; it is mandated: “NSPM-28 requires all Executive Branch departments and agencies to implement OPSEC capabilities that identify and protect their most critical assets, identify and mitigate vulnerabilities, consider foreign adversarial threats in their organization’s risk management activities, and apply sufficient threat mitigation practices to counter the threat.”
The Power of OSINT
NCSC’s first bulletin of the month emphasized how adversaries collect much of their information about the United States via open source intelligence (OSINT), with only a small percentage from clandestine/covert collection methodologies (spies, signals intelligence, etc.). “When an adversary such as a foreign nation, corporate competitor, criminal enterprise, or terrorist group gathers a sufficient amount of unprotected information pertaining to operations, capabilities, or other critical information, the outcome can be disastrous.”
The second bulletin focused on the OPSEC Cycle and included six tips to avoid feeding adversaries’ OSINT efforts.
- Identify sensitive data;
- Identify possible threats;
- Analyze vulnerabilities;
- Assess risks;
- Apply countermeasures; and
- Periodic assessments and reassessments.
The third bulletin was all about the individual, and the threat posed by social engineering and carelessness when it comes to protecting information. If an adversary can touch you, be it via phone, email, messaging apps or in person, they have the opportunity to engage in elicitation or manipulation. Adopting a healthy OPSEC mindset in one’s daily life will go a long way toward preventing adversaries from “gaining access to private information.”
FSOs need to promote OPSEC
The fourth and last bulletin wraps up the discussion on why poor OPSEC feeds adversaries’ OSINT, with emphasis on the need for a holistic approach within organizations to the implementation of OPSEC stratagems. Facility Security Officers cannot overemphasize to their constituencies the need to bring a basic OPSEC mindset into both their personal and professional lives. NCSC continued, “This reality can be useful in helping workforces embrace a security mindset, as research shows that organizations with a security ‘culture’ are less likely to be victimized and suffer losses.”