In this series, we’ve looked at the steps of a critical information analysis, which is the core of OPSEC. We’ve talked about how to decide what information is critical, who wants it, what they could do with it, how likely it is they can get it, and where the holes in your current system are. Now it’s time to answer the last question: What are you going to do about it?
The Rules of OPSEC
As you begin designing countermeasures, you need to be asking yourself the following questions (and truth be told, if you went through the last few sections of this series with a very short list of vulnerabilities or think that this isn’t worth your time, you should start over with these questions in mind):
- If you don’t know what threatens you and your information, how do you know which information to protect and how to protect it?
- If you don’t know what you’re protecting, how do you know you’re protecting it effectively?
- If you aren’t protecting it, you lose. End of story.
It’s pretty simple. If you need to go back and re-do your analysis, go ahead. It’s important that you’ve been as complete as possible in the previous steps of the process. If you missed things in Steps 1-4, then Step 5 is not going to help you. Once you’re ready, read on.
Everything Is On the Table
You should have a very good idea of your current situation by now. So when discussing countermeasures, nothing is off-limits. That means you should be willing to initially consider any possible countermeasure. We will pare them down later. Right now you’re brainstorming. Be creative, think outside the proverbial box, etc. The following is a very partial list. Add your own.
- Extra training
- Ceasing of an activity
- Beginning a new activity
- Changing information (phone numbers, contact info, or anything else)
- Changing practices (codes, protocols, routes, anything else)
- Cutting a person from your group or changing/decreasing their access level
Some of these may make you feel a little uncomfortable or even annoyed. That’s okay. We’ve spent the last several weeks setting emotion aside and being brutally honest about vulnerabilities and unsafe practices, and we need to keep that mindset as we move forward through the last step of the process.
The whole point in the countermeasure step is two-fold:
- Lower or mitigate threat risk
- Remove threat access to the critical information in question
If you can do either one of these, you’ll be on your way. If you can do both, you’re in a good place.
Extra Training
This one was on top of the list because it’s one of the things that people generally refuse to do. Training is work; it’s annoying, it’s a time suck, it requires effort. As humans, we tend to put far more effort into things we like, and for many folks involved in this sphere, that means a lot of pew-pew, a lot of sign-waving, a lot of public stuff, and not a lot of anything else. The bottom line is that unless you’re willing to do what it takes to fix a knowledge gap, you’ll continue to have that gap — and that makes you a liability in that area. If you need to learn how to use encryption or how to run an operating system that is NOT Windows, for instance, then do that. If you need to understand more about how data mining works, or even about how human terrain mapping works, then do that too. There are resources out there (and here); ask what you don’t know.
Changing Activities and Practices
At least one piece of your critical info is probably vulnerable because of something you’re doing or not doing. This is sometimes one of the easier countermeasures. If you have been putting up all kinds of training videos showing you and all your militia buddies out in the woods, stop. If you have been publishing all of your group’s stuff on social media, stop. If you haven’t ever bothered with the concept of “need to know,” start. If your group constantly meets on a trackable schedule and you notice the same (or even different) car always sitting a block away with clear line of sight to your meeting’s doorway, for instance, or the same homeless guy is always hanging out across the street but somehow has a smartphone he takes out sometimes, you’re going to want to change some practices. (Wait, you don’t notice things like that? There’s another practice that needs changing.)
Changing Information
You have probably done this at least once without realizing that you were engaging in countermeasures. Ever change your phone number so you could stop getting so many telemarketer calls? Ever abandon an email address due to spam? Ever get a mailbox at a UPS store or post office in an effort to hide your home address? Change your ATM PIN or get a new card because you gave it to your buddy once while drunk and needed Taco Bell? Same principle. If you have information that needs changing, change it.
Cutting the Internal Threat
Not everyone who is a threat is external, and not every threat is a malicious one. Sometimes the biggest threats of all are the people who mean well but engage in things that put you, your family, or your group in danger. The guy who will show up at 3am if you need him to but also likes to post all over social media about every ‘patriot’ thing he does. The guy who is all about helping with anything that needs doing…as long as everyone knows it was him who did it. The guy who refuses to learn basic online safety practices, or who claims that there is no point to OPSEC because “the government knows everything anyway.” The guy who is prone to running off at the mouth after a few beers. The guy who can’t stand up to his wife (a sure sign they’ll cave everywhere else). The guy for whom loyalty and/or privacy is a fluid or situational issue. You may want to run some canary tests before making a decision on what to do next, and you may not end up cutting them at all; you may just end up changing their access, or working around it. Sometimes, as the saying goes, the devil you know is better than the devil you don’t.
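A minimal form of the canary test mentioned above, written as an added example for this post rather than anything from the original: each member is handed a unique, harmless variant of the same detail, and if a variant later turns up somewhere it shouldn’t, the record of who received it tells you where it came from. The member names, the detail, and the “observed” post are all constructed for illustration; the only real rule the code enforces is that no variant may be a substring of another, since otherwise a match could point at two people at once.

```python
from dataclasses import dataclass, field


@dataclass
class CanaryTest:
    """Record which unique variant of one detail each member received.

    Variants are compared case-insensitively as substrings of observed text,
    so issue() refuses any variant that contains, or is contained in, one
    that was already handed out; otherwise attribution would be ambiguous.
    """
    label: str
    variants: dict = field(default_factory=dict)  # normalized variant -> member

    @staticmethod
    def _norm(text: str) -> str:
        return " ".join(text.lower().split())

    def issue(self, member: str, variant: str) -> str:
        key = self._norm(variant)
        for existing in self.variants:
            if key in existing or existing in key:
                raise ValueError(
                    f"variant {variant!r} overlaps with an issued variant; "
                    "canaries must be mutually distinguishable"
                )
        self.variants[key] = member
        return variant

    def attribute(self, observed_text: str) -> list:
        """Return the members whose variant appears in observed_text.

        An empty list means the text matches none of the canaries: the
        information either came from somewhere else or was paraphrased
        beyond recognition, and that is a finding in itself.
        """
        haystack = self._norm(observed_text)
        return sorted({m for v, m in self.variants.items() if v in haystack})


def run_example() -> tuple:
    # Constructed scenario: three members, three slightly different
    # descriptions of the same meeting place, one public post.
    test = CanaryTest("meeting location")
    test.issue("alice", "the old grain elevator on Route 9")
    test.issue("bob", "the old grain elevator off County Road 9")
    test.issue("carol", "the grain elevator out on Route 9, north lot")

    # Constructed "observed" text, e.g. a public social-media post.
    post = "Heading out to the Old Grain Elevator off County Road 9 Saturday, who's in?"
    leaked_by = test.attribute(post)          # -> ['bob']
    no_match = test.attribute("Nothing to see here")  # -> []
    return leaked_by, no_match


if __name__ == "__main__":
    who, none = run_example()
    print("matched:", who, "| no match:", none)
```

Because matching is by substring, the variants have to differ in wording rather than just punctuation, and the mapping itself becomes a piece of critical information for as long as the test is running. Note also that a match tells you who received the variant, not necessarily who repeated it; that is why the paragraph above suggests changing access or working around a person before deciding to cut them.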
You’re Never Done
Now that you’ve spent the last few weeks learning all of this and putting it into practice, you might be feeling pretty awesome and a lot more secure. The bad news is that you’ll need to do it again, probably sooner than you think. OPSEC isn’t a one-and-done exercise; you should constantly be assessing and reassessing. The principle of need to know alone is a constantly morphing thing; just because someone needed to know about something once doesn’t mean they should have carte blanche for all related things for all time. Circumstances change, sometimes dictated by the actions and conduct of the people you’re working with, or even by your own increasing knowledge as you realize, “Hey, I know this is a problem now and I didn’t before.” Don’t be afraid to notice things that might need to be added to the next assessment, reassessed, or even dropped if need be. What is critical NOW might not be in a year or 6 months; and what’s no big deal now might be later — which means the thing you didn’t need to worry about now might need changing and protecting in the future.
As you get more familiar with the process, you’ll be able to do it faster and more efficiently. The most important thing, however, is doing it at all.