OPSEC Briefingfor

Communications Managers

LtCol Ed Wolff, CAP/DOKS

Civil Air Patrol

CITIZENS SERVING COMMUNITIESUNCLASSIFIED

Consider some of the following “traditional” security programs:

• Personnel Security• Personally Identifiable Information

• Names, telephone numbers, addresses, call signs

• Physical Security• Security of repeater sites• Security of radio equipment

• Communications Security• Using encryption on VHF• Using off line encryption

• Information Security• Encrypting files posted to the internet• Using password protected, member access web sites

as compared to public facing sitesUNCLASSIFIED

UNCLASSIFIED

Do we need a security program?

• XX Wing- PDF file that provides calls signs• X Region Communications Guidebook providing calls signs• XX Wing- Communications Exercise Plan with names, phone

numbers, call signs, etc.• XX Region- CW15 Exercise Plan• XX Wing- Call sign list document• XX Wing- Call sign list• XX Wing- Call signs on web page• XX Region- Cal sign list• Non Cap sites:

• CAFED lists frequencies, maps of coverage, and code plug information, this can’t come from just monitoring radio traffic

• Radio Reference lists complete frequency lists, exactly as programmed in CAP code plug. This can’t come from just monitoring traffic.

When can OPSEC be used?

• Communications Training Exercises• Communications Plans and Standard

Operating Procedures• Communications Methods, Sources,

and Technical Tradecraft (Code Plugs)

• Software and Source Code • PIO/PAO releases• Personal social media published

informationUNCLASSIFIED

Every Person Is An OPSEC Sensor!

Every person in your squadron, group, wing, region is a part of the security solution by:

Knowing the threats Knowing what to protect Knowing how to protect

it!

UNCLASSIFIED

The OPSEC “5-step Process”

UNCLASSIFIED

Identify Critical Information

The first step in the OPSEC Process is to identify critical information.

• PII• Call signs• Frequencies• Net schedules• Mission specific details• Operations and Exercise Plans

UNCLASSIFIED

Definition: “Adversary”(AKA- “Bad Guy”)

An adversary is anyone who contends with, opposes or acts against your interest and must be denied critical information.

It could be as simple and obvious as your opponent in any game, or as complex and unknown as a spy, agent of a foreign government, or a criminal.

Remember that each adversary will have its own motivations and capabilities

Examples include:• Terrorist groups, foreign and domestic• Criminals• Organized crime groups• Extremists• Foreign Intelligence Services• Hackers/Crackers• Insider Threats

UNCLASSIFIED

Definition: “Vulnerability”(AKA- “Weakness”)

A vulnerability is a weakness that can be exploited by an adversary to obtain your critical information, and it can be present in any facet of your operations.

Vulnerabilities can come from many sources in your operation to include the physical environment of the work area, the office operating procedures, computers, or a myriad of other sources.

A vulnerability is weakness that can be exploited by an adversary if it is discovered. A vulnerability exists when critical information is susceptible to exploitation by an adversary.

Potential Categories:• Communications• Public Affairs Department• Critiques and after action reports• Mail• Trash• E-mail UNCLASSIFIED

Definition: “Indicator”(AKA- “Clue”)

An indicator is a piece of information or an activity that can be observed and combined with other information to reveal sensitive information.

An indicator acts as a “clue” to reveal information about an activity and will be the subject of analysis.

Examples of indicators:• Increased training• Unusual deliveries• Advanced parties• An increase in related personnel actions,

such as TDY/business travel, financial preparation, etc.

• Large and frequent meetings• Increased overtime• Press releases and news items

UNCLASSIFIED

Definition: “Threat”

“Threat” refers to the combination of an adversary and their intentions to undertake actions detrimental to friendly activities or operations. A threat can be thought of any potential danger that a vulnerability will be exploited by a threat agent.

Both intent AND capability must exist to be considered a threat.

Ask yourself:“Does this person/group want to cause me/us harm?”

And, if so:“Are they able to do so?”

UNCLASSIFIED

Definition: “Risk” and “Impact”

“Risk” is the probability that an adversary will compromise your critical information.

“Impact” is the effect that this compromise would have on your organization. Impact is the “what would it mean” factor.

UNCLASSIFIED

Open Source Intelligence

AKA- One of the greatest threats to any organization

1. Publically available information that any member of the public may lawfully obtain my request or observation.

2. Unclassified information that has limited public information or access

3. 80-85% of intelligence can be gathered using OSINT

Source: re-configure.orgUNCLASSIFIED

The enemy is watching…

In this digital world, there are very few truly “primitive” enemies. The enemy is:

Sending social engineering email (“phishing”)

Monitoring Forums

Following Tweets

Connecting on Social Media

Watching Chatrooms

Listening

UNCLASSIFIED

“It” never goes away!

When you put information on the net, via your blog, MySpace, email, etc., you have to assume that it’s going to stay there forever.

Same thing with newspapers, magazines, and other media.

The only safe bet is to make sure that it never gets there in the first place!

UNCLASSIFIED

For Example:

UNCLASSIFIED

1,524 saved “snapshots” for UN.org, with saved content and information

UNCLASSIFIED

For Example:

“BlackWidow” downloads all pages and files from a website, which can reveal pages and entries not meant to be publically accessible.

UNCLASSIFIED

For Example:

A note on public websites:

Certain things should not be found on public websites, blogs, etc., including:

• Sensitive Operations Plans• Sensitive Communications Plans• Alerting Lists, With Names• By Name Personnel Lists• Locations of Sensitive Assets (Vehicles, Airplanes,

Radios, etc)• Locations of Sensitive Facilities (EOC's, COOP

Sites, etc)

UNCLASSIFIED

REMEMBER

It is the responsibility of the security professional to answer those questions for the end-users

It is the responsibility of the end-users to do it!

UNCLASSIFIED

Conclusion

OPSEC is what you make of it.• The way ahead

• Annual OPSEC training requirements in compliance with AFI 10-701

• OPSEC Survey• OPSEC evaluations of CAP web sites (already

started from the DOK side)• OPSEC awareness emphasis at the Squadron,

Group, Wing, Region and National levels.• New emerging missions will drive this

requirements for enhanced OPSEC awareness

UNCLASSIFIED

CITIZENS SERVING COMMUNITIESUNCLASSIFIED

Civil Air Patrol