OPSEC: Operations Security When Nothing Seems Secure

white badge with red star to signify security with

This summer has been a wild ride of examples showing our vulnerabilities. With August being Operations Security (OPSEC) Awareness Month, it seemed like a good time for a deep dive and review. It is no longer just that “loose lips sink ships,” but now it is a lack of awareness that can lead to long-term problems.

As of the date of this writing, the following have happened: 

  • A major oil pipeline for the eastern seaboard of the US halted after a ransomware demand, causing shortages of gasoline and jet fuel.
  • 30,000+ organizations, including some small government entities and lots of small businesses, had their emails exploited through a Microsoft exchange server security hole. 
  • A major US beef processing company was unable to operate while it dealt with a ransomware demand.
  • The biggest password leak in history dumped 8.4 billion (yes that’s a b) passwords.
  • McDonald’s in South Korea and Taiwan encountered a breach that affected their customers and employees.
  • An East Coast moving company in the US shut down due to ransomware.
  • Top secret nuclear locations and other details were uploaded to an unsecured internet app, where anyone could view them (I wish I were making this one up).
  • In the wake of the Afghanistan crisis, the data breach at T-Mobile was almost overlooked. The personal data of 54 million customers was accessed just last week, to include Social Security numbers, birth dates, and addresses. 

It’s bad. This is all in 2021.

There are more reports here, here, and here.  Although the last one about cyber criminals failing to follow basic security protocols, made me a little happy.

Some of these issues occurred because of programming errors that were exploited. But companies with ever-more-interconnected online processes are especially vulnerable to human error. 

The first security lesson I learned when I was newly married was not to leave my purse on my chair if I got up in a public place, even with my husband sitting right there.

He told me this while we were in the waiting room to get my first military ID card. He said that people on post were generally good people, but that I needed to be alert to my surroundings and keep my belongings close. That was nearly 30 years ago. In an increasingly digital world, that awareness has grown to be more and more helpful.

Since that day, I have learned many more terms.

PERSEC, INFOSEC, etc. The military uses OPSEC to make sure that troops, missions, and critical assets are kept safe and information can’t be used by “bad actors” to harm them. OPSEC can also be helpful here at home, as it is the process that is used to decide what to share, what not to share, and what might be useful to people who don’t have your best interests at heart. 

But there are things that we can do to protect ourselves.

This is a site and community that centers around military-connected moms and other parents, so it’s understood that we have very personal reasons to know about OPSEC. It directly affects our servicemembers’ safety and our effectiveness as a nation’s military. 

It’s fairly common that we will get a quick “OPSEC OPSEC!” comment if we should lose ourselves in the excitement of a homecoming (or the stress of an upcoming deployment) while we are on Facebook.

But OPSEC is for everyone, and there are things we can do to protect ourselves and our own information as well. Whether you live and breathe OPSEC or are a brand new military spouse, it’s time for a refresher.

What OPSEC isn’t

OPSEC isn’t just a set of rules, stating what to share and what not to share. It isn’t the password we use, the lock on the door, or the type of wallet we carry. 

What OPSEC is

OPSEC managers refer to it as a process that the military uses when deciding what information is sensitive. It is deciding what information is shared, to whom and how. It is the mindset that helps us remember that some people have bad intentions, and that they can use information about us to help them in their intent. 

When talking to family members about OPSEC, my G uses the analogy of keeping your family safe at night.

You lock the doors, but you also make sure that windows are secure. You know your neighbors, ideally. There are things you would share outside your home, such as work you’re doing on the yard. But there are also things you would do in private. Your personal information and the information surrounding our military are similar in that some things are OK on the outside while some things really should be kept more buttoned up.

Obviously there are some things that are important to remember

We don’t talk about troop movements, deployment dates, troop locations (Middle East, for example, not Forward Operating Base XYZ). It’s OK to post photos, if nothing sensitive is being shown; check that your GPS data on the photo doesn’t also post (Android and iPhone). 

Think carefully about what you are sharing out in the world. Those cute stick figures and other bumper stickers may be sharing more than you think.

OPSEC Nightmare on your minivanWhile some disagree, someone who sees your child’s name, the school they attend, and your business website on your car can have conversations with your child that might be enough so they forget they don’t actually know that person. This could be harmful to your child! It could also be dangerous depending on the role your service member plays in the military. The biggest point to be made here is that we should ask ourselves how much information we want out in the world.

And no, your turn signal isn’t a breach of OPSEC. I promise.

We lock doors, close gates, etc. at home. But what about our behaviors online: what are we inadvertently sharing?

Those fun little quizzes may be mining your personal information. Facebook has experienced some big breaches with those, too. Even Pokemon Go, if done in certain areas, needs to be done with security and safety in mind. Our fitness apps likely share more than we realize.

One thing I do as part of my everyday security mindset: I don’t click on links in emails unless I am 100% sure who they are from and where the link is likely to take me. If my bank sends me an email, I open up my banking website in a separate tab instead of clicking on any links in the email. I don’t click on links that are sent via texts that I don’t recognize or that I did not request. If someone sends me something, at work or personally, I ask them about it separately before considering what to do with a file or a link.

We can protect ourselves and our kids.  We can use smart passwords or a password manager. We can stay informed. There is a FCC (Federal Communications Commission) email newsletter that shows new scams and ways to protect ourselves. We can learn from others about ways to protect ourselves. There is even online training that we can take to learn about military OPSEC.

The thing is, our military members are vulnerable. Our data is vulnerable.

Our Ring doorbell or Amazon items may be sharing more than you want (and here’s how to turn it off). We can remember that when we share information on a free website, that information no longer belongs to us – it can and likely will be used by others. 

When the military is considering their OPSEC protocols or processes, they have what’s called a Critical Information List. These are categories of information and how they are shared. We can do that, too, when we think about what we are posting online or sharing with friends or just talking about with family.

We can all practice OPSEC and take comfort in knowing that our information, family, and privacy is protected.