Operations security (OPSEC) is a vital component in developing protection mechanisms to safeguard sensitive information and preserve essential secrecy. To develop an effective operations security program, the organization's OPSEC officer must understand the range of threats that confront his activity. This handbook provides unclassified threat information that can be used by OPSEC program managers in developing protection regimes and training organizational personnel. It was developed as an unclassified document to allow the widest possible circulation of threat data within organizations that may be targeted by intelligence collection activities.
Implementing an effective OPSEC program prevents the inadvertent compromise of sensitive or classified information concerning an organization's activities, intentions, or capabilities. For an OPSEC program to be effective, personnel must be aware of OPSEC concerns, implement OPSEC countermeasures when appropriate, and be observant of potential collection activities directed at their organization. This is only possible if the members of the organization understand the range of threats affecting their organization and actively support the OPSEC program. This handbook is designed to assist the OPSEC Program Manager in gaining organizational support for OPSEC countermeasures by providing data on the significant collection threat targeting U.S. Government activities and industry.
Despite extraordinary changes in the world geopolitical environment in recent years, many nations and non-governmental organizations are actively engaged in intelligence operations against the United States. According to one senior official of the Federal Bureau of Investigation, over 90 nations are currently conducting intelligence operations targeting the United States. In testimony before the House of Representatives, then Director of Central Intelligence Robert Gates stated that 20 nations are actively collecting economic intelligence within the United States, and that at least 50 nations have the ability to conduct sophisticated intelligence operations targeting the United States. These intelligence operations range from classic human intelligence operations to technical intelligence collection capabilities such as signals intelligence and imagery intelligence. Countries that have significant intelligence operations targeting the United States include Russia, the People's Republic of China, Cuba, France, Taiwan, South Korea, India, Pakistan, Israel, Syria, Iran, Iraq, and Libya.
Intelligence collection activities range from the traditional political and military collection activities conducted by known adversaries of the United States, which most people equate with espionage, to the collection of economic and proprietary data by friendly nations and industrial competitors. The intelligence organizations involved in collection activities use a wide range of collection capabilities to obtain information on targeted activities in the United States. Intelligence operations can be categorized in terms of the collection discipline used. There are four principal intelligence disciplines:
HUMINT uses human beings as both the source of information and primary collection instrument. When the majority of Americans think of espionage, they think of the human collector, or spy.
SIGINT involves intelligence information derived from signals intercept. Included under SIGINT are communications intelligence (COMINT), electronic intelligence (ELINT), and foreign instrumentation signals intelligence (FISINT).
IMINT concerns intelligence derived from the exploitation of information collected by visual photography, infrared sensors, lasers, electro-optics, and radar sensors such as synthetic aperture radar. To permit analysis, images derived from these sensors are reproduced optically or electronically on film, on electronic display devices, or using other media.
MASINT concerns intelligence derived through technical collection systems for the purpose of identifying distinctive features associated with the source, emitter, or sender that will permit the subsequent identification of these collection targets. Common sub-disciplines of MASINT are acoustical intelligence (ACOUSTINT), laser intelligence (LASINT), and radiation intelligence (RADINT).
Open source material and overt observation of sensitive activities and operations are major sources of information for groups targeting organizations in the United States. With the ongoing explosion of information resources, the challenge to OPSEC program managers posed by open source collection is likely to grow exponentially in coming years. OPSEC program managers must be keenly aware of the threat posed by open source collection and ensure this threat is recognized in the organization's OPSEC program.
Operations security procedures and requirements were formalized in 1988 under the provisions of National Security Decision Directive 298, The National Operations Security Program. OPSEC was not intended to be a replacement for security programs created to protect classified information such as physical security, information security, and personnel security. OPSEC was developed to promote operational effectiveness by denying adversaries publicly available indicators of sensitive or classified activities, capabilities, or intentions. The goal of OPSEC is to control information and observable actions about an organization's capabilities, limitations, and intentions to prevent or control exploitation of available information by an adversary. The OPSEC process involves five steps, which will be discussed in greater depth later in this section. These steps are: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.
The OPSEC process begins with an examination of the entire organization or activity to determine what exploitable but unclassified evidence of classified or sensitive activities may be acquired by an adversary through known collection capabilities. Evidence indicating sensitive activities can often be derived from publicly available information and pieced together to derive critical information. Indicators of sensitive activities may result from routine administrative, logistics, or operational activities that are known to precede the execution of a plan or activity. Once identified, indicators are analyzed in terms of the known collection capabilities of an adversary. Program managers then use threat and vulnerability analysis to develop risk assessments to assist in selecting and adopting countermeasures.
The OPSEC Process
Operations security considerations must be integral to the process of planning for classified and sensitive operations or activities. Early implementation of OPSEC planning promotes the consideration of elements to maintain essential secrecy throughout the life cycle of the program. OPSEC planning requires a clear understanding of the activity's mission and organizational plans. The OPSEC program must be integrated into organizational activities by personnel familiar with the operational aspects of the activity in coordination with supporting counterintelligence and security activities. OPSEC plans should identify countermeasures that are required to complement physical, information, personnel, signals, computer, communications, and electronics security measures to ensure a total integration of security countermeasures. OPSEC countermeasures may include, but are not limited to: modification of operational and administrative routines; the use of cover, concealment, and deception; and other measures that degrade the adversary's ability to exploit indicators of critical information.
Although the OPSEC Process has been described as having five definitive steps, these steps were never intended to be strictly adhered to in sequential order. A recognized strength of the OPSEC process is that its elements are fluid, enabling the OPSEC planner to adapt the process to the particular needs of the organization. The strength of the OPSEC process was recognized by the Joint Security Commission in its final report when the OPSEC process was made the basis for risk management activities conducted by the U.S. Government. The key benefit of the OPSEC process is that it provides a means for developing cost-effective security countermeasures tailored to meet the identified threat. As stated above, the five steps of the OPSEC process are:
Identification of Critical Information. Critical information is factual data about an organization's intentions, capabilities, and activities that the adversary needs to plan and act effectively to degrade operational effectiveness or place the potential for organizational success at risk. The OPSEC process identifies critical information and determines when that information may cease to be critical in the life cycle of an operation, program, or activity.
Analysis of Threats. Threat analysis consists of determining the adversary's ability to collect, process, analyze, and use information. The objective of threat analysis is to know as much as possible about each adversary and their ability to target the organization. It is especially important to tailor the adversary threat to the actual activity and, to the extent possible, determine what the adversary's capabilities are with regard to the specific operations of the activity or program.
Analysis of Vulnerabilities. Vulnerability analysis requires that the OPSEC analyst adopt an adversarial view of the activity requiring protection. The analyst attempts to identify weaknesses or susceptibilities that can be exploited by the adversary's collection capabilities. The vulnerability analysis process must identify the range of activities that can be observed by the adversary, the type of information that can be collected, and the specific organizational weaknesses that the adversary can exploit. Based on this knowledge, the OPSEC analyst determines what critical information the adversary can derive based on the known threat and assessed vulnerabilities.
Assessment of Risks. Risk assessment is the heart of the OPSEC process. In a risk assessment, threats and vulnerabilities are compared to determine the potential risk posed by adversary intelligence collection activities targeting an activity, program, or organization. When the level of vulnerability is assessed to be high and the adversary threat is evident, then adversary exploitation is expected, and risks are assessed to be high. When the vulnerability is slight, and the adversary's collection ability is rated to be moderate or low, the risk may be determined to be low, and no protective measures may be required. Based on the assessed level of risk, cost/benefit measures can be used to compare potential countermeasures in terms of their effectiveness and cost.
Application of Appropriate Countermeasures. In the final step, countermeasures are developed to protect the activity. Ideally, the chosen countermeasures eliminate the adversary threat, the vulnerabilities that can be exploited by the adversary, or the utility of the information. In assessing countermeasures, the impact of the loss of critical information on organizational effectiveness must be balanced against the cost of implementing corrective measures. Possible countermeasures should include alternatives that may vary in terms of feasibility, cost, and effectiveness. Based on the probability of collection, the cost effectiveness of various alternatives, and the criticality of the activity, countermeasures are selected by the program manager. In some cases, there may be no effective means to protect information because of cost or other factors that make countermeasure implementation impossible. In such cases, the manager must decide to accept the degradation of effectiveness or cancel the activity.
As we have seen, threat analysis is a key part of the OPSEC process. The threat assessment is the basis for both the vulnerability analysis and the risk assessment. Essentially the degree of vulnerability and risk is determined by the extent of the assessed threat. As a result, it is critical that threat assessments accurately reflect the totality of the intelligence collection effort targeting the organization. This document provides an overview of the potential range of threats that may affect an activity or organization. Specific threat data should be obtained from supporting counterintelligence activities in preparing OPSEC plans.
The remainder of this handbook examines the threat posed by intelligence collection activities to friendly organizations and activities. Section 2 examines intelligence collection activities and the various intelligence collection disciplines used to target various activities. Section 3 focuses on adversary foreign intelligence services targeting the United States to collect sensitive economic, proprietary, political, and military information. It examines the activities of these organizations and the types of information that these nations are seeking. Section 4 examines collection activities by nations supporting terrorism and collection by terrorist groups targeting U.S. activities in the Continental United States and abroad. Section 5 looks at economic intelligence collection against the United States being conducted by nation states and by corporations. Section 6 examines the growing threat posed by open source collection made possible by the increasing availability of information and the expansion of information systems that permit the comparison and analysis of massive amounts of seemingly disparate information. The final section examines the effect of the threat on OPSEC programs and presents threat analysis requirements for OPSEC program managers.
1 - U.S. House of Representatives, The Threat of Foreign Economic Espionage to U.S. Corporations, Hearings before the Subcommittee on Economic and Commercial Law, Committee on the Judiciary, April 29, May 7, 1992, Washington, DC: USGPO.
2 - Bruce W. Nelan, "A New World for Spies," Time, July 5, 1993, pp. 28-31; Noreen Alster, "The Valley of the Spies," Forbes, October 26, 1992, pp. 200-206; and Frank Greve, "French Techno-Spies Bugging U.S. Industry," San Jose Mercury News, October 21, 1992, p. F1.
3 - Interagency OPSEC Support Staff, Compendium of OPSEC Terms and Definitions, April 1991, Greenbelt, MD: IOSS.
4 - National Security Decision Directive 298; The National Operations Security Program, January 22, 1988, Washington, DC: The White House.
5 - Interagency OPSEC Support Staff, The National OPSEC Program, Greenbelt, MD: IOSS, April 1992.
6 - Joint Security Commission, Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence, February 28, 1994.
7 - Interagency OPSEC Support Staff, The National OPSEC Program, Greenbelt, MD: IOSS, April 1992.