OPSEC Part 2: Nuts, Bolts, and Process
Exactly how to work for your cause without making yourself a target.
In the last issue, I talked about the why of OPSEC, or operational security. Today we will look at the actual process. Whether you’ve never even heard of OPSEC or you already use the general principles, read on. We’re going to break the whole thing down to something you can start doing right away.
Assess critical information.
That’s a fancy way of saying you need to figure out what pieces of your information would harm you if it was in the hands of the wrong people. You’ve already determined that things like your credit card number, bank login, or debit card PIN are considered critical; that’s why you aren’t putting them on websites.
What else might be critical for you if you’re politically active and/or involved in activism? Start simply and branch out from there.
WHO you hang out with, work with, engage in activism with
WHAT you’re doing for the cause
WHERE you’re doing it
WHEN you’re doing it
HOW are you facilitating it?
That could lead to more ideas about what you may want to protect.
WHO: family members, personal information, contacts in your cause, connections you use for information, supplies, or other needs
WHAT: Any secrets or habits you have that you keep on the down low and can be leveraged against you, purchases, activities, goals, etc
WHERE: Your house, work, gym, bank, kids’ school
WHEN: What your schedule is, and how easy is it to plan where you’ll be at a given time
HOW: Funding for your cause work, sponsors, or anyone/anything that makes your work possible or more effective.
When you get done with this part, you’re going to have a huge list. Remember: if everything is critical, nothing is. Prioritize. What will hurt your cause, or take you out of the game if it’s used?
Determine the threat type.
Who would want your information, and what is their capability? If your neighbor decides that they hate the kind of flag you’re flying in the yard, chances are good they don’t have the means or ability to follow you around all day, hack your mobile device, or get you fired.
If, however, you’ve been a “loud and proud” kind of activist, announcing to all and sundry exactly what you’re doing and when you’re doing it and why, or you’ve been seeking attention and clout for your group, doing interviews, etc., then you’ve now opened yourself up to a whole other set of fans. If you’re engaged in activities deemed “bad” by any groups, now you have them interested in you too.
Some groups have incredible technological and analytical capability. Remember: a group of folks on the internet were able to find the location of a video feed that was literally a flag flying against the sky.
Who wants to see your cause derailed, and who’s willing to put time and effort into doing it? Figure out who wants your info and what they’re capable of doing to get it.
Assess vulnerabilities.
This is the step no one likes. It’s where you have to be honest with yourself and figure out what you’re doing—or not doing—that is making it easy for the enemies in step 2 to get what you’re trying to protect in step 1.
Got a spouse or kid that posts everything online? I used to have a friend who checked in on Facebook for everything, even getting a haircut. I used to tell her that after reading her feed for two weeks, I could predict with fairly scary accuracy where she would be at any given moment in the future. Between Facebook, Instagram, and the myriad of other social networks, it’s not a stretch to think most people are like that.
Are you part of a group that’s led by a guy who really wants attention? Does your group have members that just can’t keep their mouth shut, or have a glaring secret out there just waiting to be exploited? Are you so focused on recruiting new people that quantity has taken a back seat to quality?
All of these things and many more can be contributing to your own demise, whether that be figuratively, ideologically or even literally. This is the step where you take a hard look at what you’re doing and where the holes are.
Assess risk and potential countermeasures.
Here you continue the hard work in the previous step, and figure out how bad things could get. If you’re posting a blog with complaints about work under your real name, from your home IP address, for instance, that’s a lot riskier behavior than posting under a fake name, changing a few details and using a public library computer in the next town over. One could get you fired pretty fast; the other might take a while or may even never get you caught. The same principle applies here. If someone did get a hold of your critical information, how could they hurt you or your cause? How much risk are you taking on, and is all of it necessary?
Also think about things you might be able to do that either counteract the action, or mitigate any damage.
Make and apply your plan.
Now you have all the information you need. You know what you need to protect, who wants it, how they could get it, and what they could do with it. It’s time to do something about it.
For some people, that may mean ditching social media or posting less. For others, it may mean scraping the bumper stickers off the car, blending in a bit more, and not being so open at work about your activities. For a few, it may even mean leaving a group you’re in, or choosing to no longer publicly identify with them. Only you can determine the level of risk you’re willing to take, and what that means for you. Keep in mind before you yell “damn the torpedoes,” however, that your actions affect your family, your contacts, and even your cause. If you’re willing to take on unnecessary risk simply because you can’t bear to not have people know you’re willing to “go all the way” for your cause, then the risk to your cause and family isn’t some other group who disagrees. It’s you.
The OPSEC process doesn’t need to take weeks or even days. It’s a simple exercise that merely requires honesty and an unemotional, logical look at what you’re doing and how to do it more effectively. If your cause is that important to you, you’ll want to do everything possible to stay in the game and maximize your work while minimizing your risk. Not all risk can be mitigated, and that’s another thing you’ll need to decide. Figure out how much risk you’re willing to live with…but also how much risk you’re willing to subject your family and contacts to in the process.
In the next issue, we’ll look at cover for action and cover for status—two phrases that will help you further protect yourself while getting stuff done. Subscribe now to make sure you see it! And in the meantime, please share with other discerning Americans!