April 17, 2014

OPSEC and PERSEC for Military Families

What is OPSEC? OPSEC stands for operational security. Intelligence collection and analysis is very much like assembling a picture puzzle. Intelligence collectors are fully aware of the importance of obtaining small bits of information, or “pieces” of a puzzle, from many sources and assembling them to form the overall picture.

What is PERSEC? PERSEC stands for personal security. Service members and military family should be careful to not post personal information anywhere on the internet, especially an address, phone number, workplace, etc.

This week has been full of surprises for me, both good ones and bad ones. My mom’s debit card number was stolen, and the thieves went crazy shopping with her number. She’s not sure how they got it because she doesn’t use her card online at ALL! A young professionals group that I am a part of had their website hacked and had the site’s words were changed to a different language. Who knows what it said. My email account for the non-profit organization I work with was also recently hacked.

So this got me thinking, wow… what is this world coming too? If these people wanted to, they really could have messed me up. Just crazy! It seems like everything around me was hacked or stolen this week. It has taken a lot of work and care to build up my personal image. So I was taken aback at the possibilities recently when I saw a couple of pictures in which my friend had photo-shopped me into certain places. It looked SO REAL!

I watched this weekend on Facebook, nearly, and all my friends were posting things like “at the mall with so and so” or “checked in at Pretzel Palace, 30 min ago.” I was amazed that these people were posting this type of information while the rest of their families were at home and left unprotected. If someone was stalking you or wanted to find out more information about you, all they would need to do would be to check Facebook (or impersonate one of your friends on Facebook) to find out your every move.

I also saw statuses about my friends dropping their spouses off at train stations or airports. To me, that just said, “Hello, I am vulnerable now. Come get me.” Seriously no matter who we are, women or men, we need to practice just a little bit more OPSEC and PERSEC.

I once read a quote  from the Chief of Staff of the Army:

“The enemy aggressively reads  our open source and continues to exploit such information for use against our forces. Some soldiers continue to post sensitive information to Internet websites and blogs, e.g., photos depicting weapon system vulnerabilities and tactics, techniques, and procedures. Such OPSEC violations needlessly place lives at risk and degrade the effectiveness of our operations. Our mission success and soldiers’ lives depend on aggressively denying the enemy any advantage.”

I really take this serious. Now don’t get me wrong – 6 months ago I was in love with Four Square, but now I just don’t find it as important. I now feel that this kind of technology has changed the world of cyberspace – everything is public and you can’t take back what is posted. Little pieces of information can cause serious trouble, not just for you but for other military families as well.

Comments

  1. Vanessa Milliman says:

    OPSEC is NOT Operational Security! OPSEC IS Operations Security!

    • OK thanks for pointing that out! Still, it is in the same word family and still the message has the same meaning.

      • Same word family? Are you going for accuracy or not? Operational Security and Operations Security are not the same thing. I have no problem with your message but I do have a problem with the label.

        • Vanessa, I have searched the web and I have come up with this from the US MARINES, it is the title section,

          Operational Security

          As a family member of the military community, you are a vital player in our success and we could not do our job without your support. You may not know it, but you also play a crucial role in ensuring your loved ones’ safety just by what you know of the military’s day-to-day operations. You can protect your loved ones by protecting the information that you know. This is known in the military as, “Operations Security”, or OPSEC.

          http://www.usmc.mil/unit/13thmeu/Pages/OperationalSecurity.aspx

          • I personally believe my story is accurate,

            I have looked it up on the airforce, Operational security goes digital (http://www.af.mil/news/story.asp?id=123236422)

            A Direct Quote from the AF Website,

            “A lot of people think (operational security) is just military but it’s also your personal information,” said Tech. Sgt. Andrew Maresh, the 1st Special Operations Wing operations security manager. “If somebody is deployed, I don’t think they would be able to focus on their job if their wife called them up because of identity theft.”

          • While they may have incorrectly titled their page Operational Security, they have still defined OPSEC correctly as you point out “This is known in the military as, “Operations Security”, or OPSEC.” I would direct you back to the IOSS at https://www.iad.gov/ioss/index.cfm. “In 1988, President Ronald Reagan signed National Security Decision Directive 298 (NSDD 298). This directive established the National Operations Security Program as a means to identify, control, and protect unclassified information and evidence associated with U.S. national security programs and activities. Adversaries or competitors working against the interests of the United States can exploit this information if it is not properly protected.”

            Operational security includes things list card access, computer access, perimeter security etc. NOT the same thing.

          • Have to second what Vanessa’s saying. It’s a deceptively important difference, especially when dealing with regulations and professionals in each field. When OPSEC was formally established, the term was, by presidential directive, Operations Security. When one speaks of Operational Security, one tends to engage the traditional (and often non-analytic) personnel.

            I think this article helps to clear things up: http://www.opsecprofessionals.org/articles/two_opsecs.html

  2. Potato, PotAHto… it’s the SAME thing. I’ve always seen it translated as “operational” security myself. If you look up the variations of the word in common American linguistic usage, you’ll see they mean the same thing.

    • Anyone referring to OPSEC as Operational Security does not know what tjey are talking about and should be corrected.

      http://www.opsecprofessionals.org

      http://www.opsecsociety.org/

      • It’s the same argument that one hears once in a while about “personal security” versus “personnel security”. Very similar names (a difference of only one ‘n’), but when the terms are used interchangably, it causes significant confusion by potentially putting the proverbial ball into the wrong court.
        Perhaps to be dramatic, a professional in the medical field would be very concerned with the very slight difference between the words “hypertension” (high blood pressure) and “hypotension” (low blood pressure). They’re very different things, which can be critical to those who are in the field.

  3. William Johnston says:

    With no disrespect intended, I feel obligated to correct you and other commenters on this. You are making a common, but egregious, error in using that definition. It distracts people from its true meaning. Now, before you get your panties in a knot, let me tell you why I know this to be true and all other definitions and rationalizations of the term to be false, misleading, and potentially dangerous.

    The fact that the error is perpetuated by appearing in various high level publications means nothing. Whoever wrote it was in error, Flag Officer or not.

    How can I be so brazen and confrontational with high authority? Here’s why: I can speak with complete authority on the subject: because I personally participated in establishing the definition of the term.

    How is this possible? It is not only possible, but it is a fact. I am one of the few remaining surviving members of the original 17-man team that originated and developed the Operations Security concept and methodology in use to this very day. I worked for Admiral U.S. Grant Sharp, USN and Admiral John S. McCain, III, the CINCPACs under whose command I served during the Vietnam War. The team had the unclassified nickname PURPLE DRAGON. Through usage, members of the team became known, individually, as PURPLE DRAGONS. It was based on our team’s work that, years later, President Ronald Reagan signed National Security Decision Directive 298. This NSDD implemented the Operations Security Program within the U.S. government.

    Back in the day, long and heated discussions were conducted deep in the heart of the CINCPAC Command Center by the members of the team. Because we were breaking new ground, we had to be careful what we called things so that people would not get confused as to what we were doing. Certainly, one of the things that we discussed was what to call what we were doing. Many terms hit the table and were rejected for various reasons. “Operational” was one of them. This term was rejected in favor of “Operations.” When understood, Operations Security is clearly an Operations function more in line with command itself than with a staff function, such as intelligence. Neither was it intended to be narrowly construed as a security function as defined by the traditional security disciplines. These include physical, communications, information, cyber, and the lot.

    Among the reasons that were considered most important were that the term was intended to be attached to a discipline that would be clearly differentiated from others, in particular, Intelligence, even more specifically Operational Intelligence. The intent was to define the discipline in such a way that it would always be connected clearly with the Operations function of command so that its importance corresponded in importance to the importance of command itself.

    The bottom line is this: you can nit pick all you want, but resistance to the facts is futile. I know the facts, because I was there at the beginning, and I helped establish the facts.

    If anybody, and I mean anybody, regardless of rank or position, wants to know more, I can be contacted.

  4. Wow. Clearly the “OPSEC” lobby has put out an action alert for their three members to come comment on this one blog post. LOL. All this freaking out over two letters is quite hilarious. I think this “opsecprofessionals.org” group needs to find a few new tasks to keep them busy. This was absolutely hilarious, to the point that I’m forwarding these comments around to friends to lighten their day today.

    • William Johnston says:

      I thank Centurion for his forwarding actions. I hope I helped “make your day.” I think less of your motivation, but any motivation is better than none. Thanks, again. Please hurry and get all those messages out as soon as possible.

    • You’re taking this really personally, aren’t you?
      It’s just a matter of correcting a common misunderstanding. If you don’t want to use the technically correct term, no one’s going to force you to. But I really don’t see why it’s a problem if professionals IN the field point out the error, slight as it may be. Why do you?

  5. On a side note- please don’t think, Crystal, that my comments regarding the term itself in any way reflects on the quality of the article. I think you make an excellent and timely point.

    Other aside- Bill, would you mind if I added some of your posted concepts to the “history of OPSEC” article on the OSPA website?

    • William Johnston says:

      Chris,

      I’d prefer to discuss this with you offline…another venue.

      Warm regards,

      Bill Johnston
      PURPLE DRAGON

  6. Thanks I found this really interesting that’s why I stopped but it really got people to the blog which is wonderful! Thank Chris for your support!

    • It is an interesting subject, you’re right about that. It’s amazing how versatile OPSEC actually is, especially in these modern times, where even my elementary school-aged kids have a facebook account.
      It’s okay though, because they only use it after 3PM when they get home from school, before which time no one’s at home after the wife and I leave the house NLT 8AM, when she takes the kids to their school, classrooms 1K and 701…
      …Wait… OPSEC! ;)

  7. William Johnston says:

    Crystal:

    Please pardon me for concentrating my attention on what seems like strictly a “technical” issue, to the exclusion of making comment on the rest of the content. You made good points, particularly in the area of PERSEC.

    The real issue, however, goes way beyond some mere “technical” argument brought up by General Bat Guano, USAF, or someone who has nothing better to do than to fixate on minutiae. That is the reason I came in as I did.

    Although I have slowed down a bit, coming from the vantage point of my knowledge and experience, I can perceive, more easily than most, the danger inherent in what I will call, for lack of a better term right now, “indiscriminate” use of the term OPSEC. For example, I think everybody understands, conceptually, that when “everyone is responsible for something,” in reality, “nobody is responsible for anything.”

    To many people, OPSEC” is a buzzword; a cool term to use. Not very many get it right. Here’s the problem with that: the more the term gets used out of context, the harder it becomes to keep the proper context alive. The true sense of the term becomes so diluted and so adulterated that clarity is lost and the proper use of the term sinks into a morass of “noise.” Confusion builds up. Actions become confused with results. When OPSEC becomes part of the background noise, it doesn’t really help anyone.

    Please accept that what I have said does not detract from the good information in your post. Carry on.

  8. Steve Simpson says:

    Hi Crystal,
    New here. I just tried to read these posts. Your article was well written and informative. Thanks for your article, Crystal. You made your point well and I’m sure many people learned the lesson you were trying to get across. Actually, it is a simple point, but an important one. Please don’t let other people’s egos get in the way of the great job you do. I’m sure I will be grouped into one of the people who doesn’t understand, however as a Viet Nam veteran and the father of a FMF Corpsman putting his life on the line for our country, I do understand the importance of caution when dealing with personal or sensitive information. What I don’t understand is why people show off by picking apart or “grading” a well written story. Keep up the good work.

Speak Your Mind

*