The OpSec Blog

Security and privacy information and advice at home and abroad.

What is OpSec?


OpSec, or “Operational Security,” is a broad term defined loosely as a series of actions undertaken as a method of masking your whereabouts, mission, or purpose. Since this term tends to be a bit foreign to those outside of the military (and even to some within), I’ll try to illustrate it with some examples.

The majority of Foreign Service employees practice operational security mostly as a matter of personal safety.  While serving in countries in which crime or terrorism is a significant threat, operational security issues regarding personal safety are emphasized during an in-brief upon arrival at post by the Regional Security Officer (RSO).  Good OpSec practices overseas in the Foreign Service typically include varying one’s routes to work (both in geography and time), not frequenting the same haunts, avoiding areas deemed unsafe by the Regional Security Office, avoiding large crowds, etc.  By now it is well known that American diplomats are surveilled and targeted abroad.  By avoiding routines, Foreign Service employees reduce the odds of an attacker being able to prepare an ambush in the correct location.

OpSec is also important on the information side.  Foreign Service employees all have Top Secret security clearances as a requirement for their position, a fact that is listed on the State Department’s career pages.  In countries in which foreign intelligence services are known to operate and actively target Americans (read: most of the countries in the world), something as simple as mentioning you’re an American and work at the Embassy can raise your profile as someone worth more attention.  When I’m at a bar or making a new acquaintance, I always respond to the obligatory “what do you do?” question with something vague and boring:  “I do project management,” or “I’m sent around the region to manage infrastructure projects.”  Key words I avoid include, but are not limited to, “security”, “electronics”, “information technology”, and “technical.”  The fact is that security professionals throw up an instant red flag even with the good guys (Are they investigating me?).  Volunteering that you work on security in a foreign country also leads to further questioning, which is a situation I really don’t want to be in. They don’t need to know what I do, and odds are I don’t need to know what they do either.

Social media presents a huge threat to operational security, as evinced in high-profile incidents like the head of MI6 being outed on Facebook.  The proliferation of mobile GPS receivers in smartphones and the rise of Twitter and its geolocation services have implications for American diplomats as well as people back in the States.  Frequent geo-located tweets make the job of building your profile that much easier, as they give away the shops you frequent, what you are doing/did at a certain location, and who you might be with at a certain place with an accuracy of about 3 meters.  Domestically, if you tweet that you’ve gone to pick up the kids from school and will be back in an hour, that’s an hour-long window in which your house can be broken into and robbed.  Even without geolocation, posts on Facebook “via iPhone” or “via Blackberry” can indicate you are in a vulnerable spot, or give away where you aren’t.  Overseas you do not want to give away any more information than you have to on social networks (and never mind that your name and profiles are probably viewable to a lot more people than you think).

Practicing good OpSec is difficult. The list of blunders is long and the agencies affected are many.  Before (and during) any major military effort by the Department of Defense, pizza shops near the Pentagon are flooded with late-night orders.  A Congressman tweeted about a secret trip to Iraq… as he was arriving.  OpSec is often one of the most overlooked aspects of privacy, security, and safety, especially (and sadly) in the US diplomatic community.  Diligence and careful consideration are the keys to practicing good OpSec. The next time you go on a vacation, consider having a neighbor pick up your newspapers and mail for you.  For those Foreign Service employees currently abroad, consider some of the examples and advice in this post and think about how you can improve.

Got any OpSec suggestions or best practices?  I’d love to hear about them.  Drop me an e-mail or leave a comment.

