Operational Security Part 2: Commercial Self-Defence
By Richard McEachin
Part 1 explained the nature of security intelligence (SI) and its OPSEC challenges. This installment explains the OPSEC challenges facing security intelligence in an iconic commercial enterprise or location.
Iconic Attractions & SI OPSEC
If your facility, product, or company happens to be iconic, then while establishing a security intelligence operation, expect existing security and facility management information systems to be open to outside forces.
Expect outsiders to monitor all unencrypted radio communications. Some outsiders know the strengths and weaknesses of the CCTV system. Frontline personnel unwittingly generate many security leaks. In some locations, expect the opposition to use drone videos to plan disruptive actions. The opposition may identify, investigate, and surveil management and security personnel. SI operatives should identify leaks of security information that appear in open sources while the security department should limit the opposition’s surveillance opportunities. Surveillance usually precedes an unpleasant commotion.
Always presume that you face a technologically sophisticated opposition and adopt the “security through obscurity” model. To add a formidable obstacle to penetrating your SI operation, make it entirely separate from existing networks and information systems. The SI output provides strong indicators of how you will respond to the opposition’s actions. Safeguarding this is an OPSEC priority for senior management. Senior management sets the OPSEC parameters and practices, and allocates support services. Without senior management’s understanding and participation, OPSEC efforts will fail.
Ideally, staff members who conduct SI activities should never become openly associated with your firm or facility, let alone with your security staff, who typically talk to far too many people about matters they should not. SI staff cannot fraternize with the security personnel and senior management or they risk exposing their identity to the opposition. Assume that any such observable or documented associations will create a problem at the most inopportune time.
If the opposition uncovers the identities of your SI staff, then you will experience attempts to disrupt their activities. This may manifest itself as flash mobs at their homes or aggressive, overt surveillance of their movements. Online intimidation and vandalism are a certainty, along with distribution of their personal identifiers and pictures.
This type of OPSEC failure will make the SI staff useless. It may also cause long-term and damaging consequences to an employee’s career prospects, which in turn raises possible liability issues for their employer.
Security and other frontline staff should only receive instructions and briefings that percolate down through the chain of command from the executive suite. Never disclose the origin of any intelligence material or let frontline staff engage in online intelligence gathering. If you do either, confusion or chaos will follow. Gathering online intelligence and the associated investigative tasks are specialist skill sets that require their own support systems.
Do not commit the unpardonable operational sin of being surprised. As Napoleon said, “To be defeated is pardonable; to be surprised — never!” You need an agile intelligence system to inform management decisions, especially when dealing with riotous protest movements that appear and disappear overnight. For example, at Mondawmin Mall in Baltimore on April 27, 2015, a protest started using social media and flyers turned into rioting that resulted in police casualties and looting.
A photograph of rioters standing on a Baltimore police car was distributed with the superimposed text “All HighSchools Monday @3 We Are Going To Purge From Mondawmin To The Ave, Back To Downtown #Fdl”. This is not the first time that the movie The Purge has appeared in threats of violence. Your SI operation should constantly search for this type of pop-culture reference.
Riots in Baltimore, like other dramatic events, created a surge of activity on social media including pictures and video of the rioting and looters displaying their stolen goods. One image promoted on Twitter as a KFC outlet looted and vandalized in Baltimore during the riots was actually that of a KFC franchise attacked in Karachi, Pakistan in 2012.
The danger of this type of fraud is that it promotes criminal behaviour, and if it promotes such behaviour against your firm, then you have a serious problem. Worse, misattributed photos may put real people at risk by connecting them to criminal acts against your company.
Planning, preparation, agility, and the ability to respond quickly and appropriately start in your security intelligence process. OPSEC protects your ability to conduct SI.
Part 3 will address OPSEC issues surrounding information management for the security intelligence process.
Richard B. McEachin is the principal of McEachin & Associates Ltd. (ConfidentialResource.com).