350 likes | 379 Views
Operations Security (OPSEC). DEFENSE-SENSITIVE INFORMATION. Summer cruises Required training OPNAVINST 3432.1. DEFINITIONS & BACKGROUND. OPSEC is one of three components used to maintain the secrecy needed to achieve surprise. OPSEC is not a security function, but an operations function.
E N D
DEFENSE-SENSITIVE INFORMATION • Summer cruises • Required training • OPNAVINST 3432.1
DEFINITIONS & BACKGROUND • OPSEC is one of three components used to maintain the secrecy needed to achieve surprise. • OPSEC is not a security function, but an operations function. • Security programs and OPSEC are mutually supportive.
DEFINITIONS & BACKGROUND • OPSEC identifies & controls information that indicates our: • Friendly Intentions; • Friendly Capabilities; • Friendly Activities.
DEFINITIONS & BACKGROUND • Security programs: • Deny classified information to adversaries. • Physical security • Personal security • Information security • Information systems security
DEFINITIONS & BACKGROUND • Counterintelligence programs: • Support both security and OPSEC programs by identifying intelligence threats and methods of an adversary.
FREEDOM OF ACTION • By maintaining operational security of plans, we gain the fullest possible surprise. • This, in turn, gives us freedom of action.
GOOD OPSEC • OPSEC, properly applied: • Contributes to operational effectiveness. • Enhances probability of surprise. • Causes adversaries to make bad decisions due to lack of critical information about our forces and equipment.
WHEN OPSEC IS REQUIRED • OPSEC measures are required for: • Operations and activities relating to the equipping, preparing, deploying, sustaining, & employment of the Navy and Marine Corps team in time of war, crisis, or peace. • To protect the information in our plans and orders.
OPSEC MEASURES • Inadequate OPSEC degrades operational effectiveness by hindering surprise. • Conversely, excessive OPSEC can degrade operational effectiveness by interfering with required activities.
SUMMATION • OPSEC is the control of info by: • Knowing the threat; • Knowing what to protect; • Determining risks; • Knowing how to protect information.
OPSEC PROCESS • OPSEC planning is accomplished via the OPSEC process. • The OPSEC process consists of 5 distinct actions applied in a sequential manner during OPSEC planning: • Identification of Critical Information; • Analysis of Threats; • Analysis of Vulnerability; • Assessment of Risk; and • Application of Appropriate OPSEC Measures.
OPSEC TERMINOLOGY • CRITICAL INFORMATION: Specific facts about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively to guarantee failure or unacceptable consequences for friendly mission accomplishment.
OPSEC TERMINOLOGY • OPSEC INDICATORS: Friendly detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information.
OPSEC TERMINOLOGY • OPSEC VULNERABILITY: A condition in which friendly actions provide OPSEC indicators that may be obtained and accurately evaluated by an adversary in time to provide a basis for effective adversary decision making.
OPSEC ACTION #1 • Identification of critical information • What will our adversary want to know about our intentions, capabilities, and activities? • Essential Elements of Friendly Information (EEFI) - What we protect from exposure to an adversary.
OPSEC ACTION #1 (con’t) • Critical information is a subset of EEFI. • Only the information that is vitally needed by an adversary • Identifying critical information allows us to focus efforts on protecting it, instead of trying to protect all classified or sensitive information.
OPSEC ACTION #2 • Analysis of threats Researching & analyzing intelligence information, counterintelligence, reports, and open source information to identify who the likely adversaries are to the planned operation.
OPSEC ACTION #2 (con’t) • Through this analysis, we seek answers to the following questions: • Who is the adversary? • What are the adversary’s goals? • What is the adversary’s strategy for opposing the planned operation? • What critical information does the adversary already know about the operation • What are the adversary’s intelligence collection capabilities?
OPSEC ACTION #3 • Analysis of vulnerability Friendly actions/activities provide OPSEC indicators to an adversary that may be obtained and accurately evaluated in time to provide a basis for effective decision- making and action against us.
OPSEC ACTION #3 (con’t) • Questions when analyzing vulnerability: • What indicators of critical information not known to the adversary will be created by the friendly activities in preparation for the operation? • What indicators can the adversary actually collect? • What indicators will the adversary be able to use to the disadvantage of friendly forces?
OPSEC ACTION #4 • Assessment of risk • Two components: • Analyze OPSEC vulnerabilities identified in the previous action and consider OPSEC measures to erase or counter each vulnerability • Select specific OPSEC measures for execution based on a risk assessment.
OPSEC ACTION #4 (con’t) • Assessment of risk • These OPSEC measures reduce the adversary’s capability to analyze our actions.
OPSEC ACTION #4 (con’t) • OPSEC measures can be used to: • Prevent the adversary from detecting an indicator. • Provide an alternative analysis of an indicator. • Attack the adversary’s collection system.
OPSEC ACTION #4 (con’t) • OPSEC measures include: • Cover; • Concealment; • Camouflage; • Deception; • Intentional deviations from normal patterns; • Direct strikes against the adversary’s intelligence system.
OPSEC ACTION #4 (con’t) • Goal of OPSEC measures: Highest possible protection with the least impact on operational effectiveness.
OPSEC ACTION #4 (con’t) • Risk assessment: • Requires comparing the estimated cost of implementing particular OPSEC measures to the potentially harmful effects on mission accomplishment resulting from an adversary’s exploitation of an OPSEC vulnerability. • In the end, can the adversary do much damage if we don’t implement an OPSEC measure?
OPSEC ACTION #4 (con’t) • Costs of implementing OPSEC measures: • Resources (funding/time/personnel); • Interference with normal operations. • Do costs outweigh the harmful effect?
OPSEC ACTION #4 (con’t) • Typical questions for analysis: • What is the risk to our operational effectiveness if we implement? • What is the risk to mission success if we don’t implement an OPSEC measure? • What is the risk to mission success if an OPSEC measure fails to be effective?
OPSEC ACTION #4 (con’t) • The interaction of OPSEC measures must be analyzed. • Certain OPSEC measures may actually create indicators of critical information. Example: Camouflaging of previously unprotected facilities could be an indicator of preparations for military actions.
OPSEC ACTION #4 (con’t) • Selection of measures must be coordinated with other command and control components to ensure actions do not compromise security. • Conversely, deception and PsyOp plans may require that OPSEC measures not be applied to certain indicators in order to project a specific message to the adversary.
OPSEC ACTION #5 • Application of appropriate OPSEC measures: • The command implements the OPSEC measures selected in Assessment of Risk. • The reaction of adversaries to OPSEC measures is monitored to determine effectiveness and to provide feedback. • Feedback is used to adjust OPSEC measures and for future OPSEC planning.
OPSEC & THE PUBLIC • The military is held accountable for their OPSEC actions. • OPSEC is not an excuse to deny the public access to non-critical information.