TLO 2: Action: Plan operational security. Intermediate-level training.

- Target Audience: Intermediate-level Training
- TLO 2: Action: Implemented OPSEC measures based on unit indicators and vulnerabilities; protected unit essential elements of friendly information against threat collection efforts and prevented compromise.
- Condition: In a classroom, given an OPSEC SOP with all EEFI, indicators and vulnerabilities and AR 530-1, Operational Security.
- Standard: The individual Soldier identified the actions required to properly implement OPSEC measures based on unit indicators and vulnerabilities; protected unit essential elements of friendly information against threat collection efforts and prevented compromise.

AR 530-1, Operational Security, places responsibility on Commanders at all levels for:
- Ensuring that their units, activities or installations plan, integrate and implement OPSEC measures to protect CCIR in every phase of all operations, exercises, tests or activities.
- Educating their personnel on the impacts of poorly practiced OPSEC.

- It’s been part of operations throughout history.
- Affects those who are most at risk to compromise.
- Threat will never end.
- There are methods to counter.

- Commanders at all levels are responsible for issuing orders, directives and policies to protect their command’s critical and sensitive information.
- This is done to clearly define the specific OPSEC measures that their personnel should practice.

The regulations are straightforward… and you know the enemy has information collectors… but how do you, as a commander, comply with the regulation (and protect your unit, mission and families), and make OPSEC really work?
- Essential Security
- 5-Step OPSEC Process

The condition achieved from the denial of Critical Information to adversaries. (AR 530-1)

Operations security maintains essential security:
- Essential Security:
  - is a necessary prerequisite for effective operations.
  - depends on the combination and full implementation of two approaches to protection:
    1. Traditional security programs to deny adversaries access to classified information.
    2. Operations security to deny adversaries access to critical information and indicators of sensitive information.

AR 530-1, Operational Security, dictates that an OPSEC officer be assigned at Battalion and above. That OPSEC officer is primarily responsible for implementing OPSEC measures. However, the OPSEC officer takes part in the OPSEC Process.
- Identify the Critical Information
- Analysis of Threat
- Analysis of Vulnerabilities
- Analysis of Risk
- Implement OPSEC Measures

- It’s a process…
- …continuously applied…
- …performed throughout all phases of operations…
- …recognized by Soldiers, their families and their friends…
- …acknowledged as necessary and accepted practice…
- …monitored by all leaders…
- …at all levels of Mission Command…
- …from before the start past the mission accomplishment…
- …without an ending point…
- …dictated by Army Regulations

Identify Critical Information
Essential Secrecy
The purpose of this step is to determine what information needs to be “protected”:
- Information or data
- An activity, event or operation
- Classified or Unclassified
- Anything that could impact information about friendly:
  - Capabilities
  - Activities
  - Limitations
  - Intentions

Analyze Threat
Essential Secrecy
The purpose of this step is to identify adversary collection capabilities against critical information compromise. Coordinate with staff and staff elements to answer these questions:
1) What critical information does the adversary already know?
2) What OPSEC indicators will friendly activities create concerning critical information the adversary is not aware of now?
3) What indicators can the adversary actually collect from?
4) What indicators will the adversary be able to use?
5) Which indicators can be used to friendly advantage (Military Deception or PSYOP)?

Analyze Vulnerabilities
Essential Secrecy
The purpose of this step is to identify each vulnerability and consider tentative OPSEC measures.
- OPSEC measures are methods and means to gain and maintain effective OPSEC practices:
1) Action control consists of measures to control friendly activities.
2) Countermeasures disrupt adversary information gathering.
3) Counter analysis is directed at the adversary analyst and is meant to prevent accurate analysis.
- Select at least one tentative OPSEC measure for each identified vulnerability.
- Assess the sufficiency of routine security measures.

Assessment of Risk
Essential Secrecy
In this step, select one of the tentative OPSEC measures and implement it. Consider the following questions for each measure:
1) What is the likely impact of an OPSEC measure on operational effectiveness?
2) What is the probable risk to mission success if the unit does not implement an OPSEC measure?
3) What is the probable risk to mission success if an OPSEC measure does not work?
4) What is the impact on future missions if this measure is adopted and is successful?
5) What is the impact to other units of practicing an OPSEC measure?
6) Will the OPSEC measures conflict with one another?
7) How will OPSEC be coordinated with other capabilities?
Submit the final OPSEC measures to the Commander for approval.

Application of OPSEC Measures
Essential Secrecy
The purpose of this step is to apply approved OPSEC measures. There are two aspects of this step:
1. The OPSEC officer implements OPSEC measures.
   - The OPSEC officer generates guidance and tasking(s) which may appear as annexes to Operations Plans, OPSEC plans, SOPs and unit memorandums.
2. Personnel within the organization implement OPSEC measures.
   - Unit personnel comply with published guidance or tasking.

Your Soldiers are using social networking sites at an unprecedented rate. What are you doing to ensure that they are in compliance with Army Regulations concerning Social Networking Sites (SNS)?

Identify the Critical Information
- Unit Name
- DTG
- Operation Information
- Location

Analysis of Threat
- There are over 4,000 sites dedicated to the collection and analysis of US critical information.
- Over 90% of enemy intelligence is developed using Open Source Intelligence (OSINT).
- The enemy exploits our Soldiers’ social networks (dependents, friends, unit web pages) and capitalizes on OPSEC compromises with remarkable speed and accuracy.
- Our own OPSEC classes are posted online and the enemy has analyzed our OPSEC protection measures.
- In this instance, we are our own worst enemy.

Analysis of Vulnerabilities
- Soldiers can update SNS via the web or cell phone (usually over unsecured foreign-operated networks).
- Soldiers’ dependents relay Critical Information from the Soldier on their own SNS.
- Unit web pages and FRG sites may contain Critical Information concerning casualties and re/deployment info.
- You have no control over dependents’ and friends’ SNS.
- It is difficult to verify “friends” on most SNS sites, as rudimentary social engineering can easily provide enough information to make an adversary appear to be someone the Soldier knows (and trusts).

Analysis of Vulnerabilities (continued)
- Soldiers feel safe transmitting personal/operational information via networks that are not owned or controlled by USG or trusted vendors (BIG MISTAKE).
- There are multiple points for signal intercept between the Soldier’s computer and the message’s destination (SO MANY COOKS INVOLVED).
- Soldiers lose thumb drives and other mass media devices (LOOK WHAT I’VE FOUND).
- The media can report on events in real time, potentially leading to OPSEC compromise (JUST DOING MY JOB).

Analysis of Risk
- OPSEC compromise via SNS can compromise missions and needlessly endanger Soldiers and Coalition partners.

Implement OPSEC Measures
- Assign SNS review responsibilities at the Squad Leader level.
- Ensure Soldiers register all SNS with OPSEC officer.
- Spot check Soldiers’ SNS.
- Ensure measures outlined in SNS memorandums and AR are implemented at the lowest levels.
- Enforce network outage after casualties/incidents occur.
- Exercise tight control of FRG news releases.
- Ensure embedded media comply with OPSEC measures.
- Have a buddy check any SNS activity prior to posting.

While your input is vital to the OPSEC process, application of the OPSEC measures identified during the process will be your responsibility.

AR requires you to coordinate and synchronize your OPSEC measures with your higher command’s security programs such as, but not limited to:
- Information Security (INFOSEC)
- Information Assurance (IA)
- Physical security
- Force protection

AR also requires you to submit all official information to be released to the public for an OPSEC review prior to determination.

- Information collection by our friends and enemies serves to compromise our operations.
- Loss of Soldier’s “freedoms” could emerge from poorly conducted OPSEC procedures.
- Nothing impacts a Soldier’s family more than the Soldier himself/herself.
- Information collection is a business to many, and business is good.
- For more information concerning OPSEC:
  - AR 530-1, Operational Security
  - FM 3-13, Information Operations