Submissions     Contact     Advertise     Donate     BlogRoll     Subscribe                         

Monday, September 19, 2011

The Five Steps of OPSEC Assessment by Stone of Scone

Original Article

Operational Security (OPSEC) which is the evaluation and control of any critical information that could be used against you by an adversary. The result of good OPSEC is the elimination or withholding of the most damaging information that your adversary has the ability to gather and understand how to use against you. OPSEC happens everyday. When you go on vacation and hold your mail and newspaper delivery, and use timers to turn your radio and lights on and off to make it appear that you are home, you are practicing good OPSEC.

Here is a another example of OPSEC. A business contact I had worked as the Information Systems Director for the Department of Corrections in a populous state in the US. When he was at his office near the State Capitol, he wore a tie, nice shoes, and a business suit. But when he had to travel to the prisons, he would dress in jeans, tennis shoes, a faded work shirt, and would drive a State vehicle to and from the prison. He did not want the prisoners to know his appearance, or information about his personal car or license plate number. The reason is that he had intelligence that certain criminals said they were going to kidnap the Information System Director, as they thought he had access to the computer system and could lower their sentences by altering the computer files. Even though the computer system was set so that no one person could change anyone's sentence, the implications for this man and his family were the same. Some jobs, especially those dealing with criminals, require a lot of OPSEC in safeguarding your personal information. Once your information is compromised due to poor OPSEC, it is hard to ever regain it.

This last year I had the privilege to read my father-in-law's letters to his wife while he was a sailor during WWII. Each letter was stamped as approved by a Navy censor, and never once did he reveal his location, or his ship's location. He would state that the weather is better here, not as cold, the harbor is beautiful, but never so much as a hint of his location. Even the return address on the envelope was from a State-side mailing address, as the Navy made sure their ships could not be tracked. The Navy coined the term "Loose Lips - Sinks Ships", and studying the US Military's OPSEC procedures is a great exercise for anyone.

So how do we apply the military's OPSEC principles to our personal situation? What is the process? The steps for developing our own OPSEC are:

Step 1. Make a list of any critical information you have that can be used by an adversary.

Step 2.
Determine who your adversaries are.

Step 3.
Look at all the ways your critical information can be compromised.

Step 4.
Make an assessment and rate the items of information that are the most likely to be used by your adversary, and what countermeasures you can employ.

Step 5.
Consistently employ your countermeasures and other security for your most vulnerable assets, in priority order from the results of step 4.

The First Step
is to make a short list of critical information, which for my situation is:

(a) My name, SSN, and DOB (used for identity theft and other purposes).

(b) Bank and credit card information that could allow someone to fraudulently access my funds.

(c) My bank statements that show all of the purchases I have made, and any groups I fund or support.

(d) My garbage, which has old envelopes with their addresses still intact, and many personal items that reveal a wealth of information. (There was a group in Washington DC that would empty the garbage cans of powerful people, such as Henry Kissinger and others, and report the interesting items they found. Quite a find, and there are very few laws against taking someone's garbage.) The correct OPSEC for garbage is to [shred or] burn it, or take it to the landfill, instead of leaving it on the curb awaiting pickup.

(e) My home address.

(f) Information on any real estate or other large assets I own.

(g) A picture of what I look like.

(h) The number of guns and ammo I own and where they are located.

(i) The amount of food and other survival gear I have accumulated, and where they are located.

(j) The interior layout of my home, and its contents.

The Second Step
is to determine who are your adversaries. Everyone has different circumstances, but a general rule that would help identify your adversaries is to determine the types of controversy you are involved in. You may need someone else to look at you objectively and tell you what are the controversial areas of your life that make you visible to predators. For the more controversy you create the more visible you become, and your controversy will draw those that oppose you.

Some things that cause controversy are:

(1) Having more visible wealth than your neighbors or peers,

(2) Supporting and holding allegiance to various controversial groups in a public manner.

(3) The purchase, display and use of military style guns in a region where people do not understand the need for the 2nd Amendment.

(4) Openly using military grade equipment, such as dressing in fatigues or driving old Army trucks.

(5) Campaigning for election to a political office, or influencing the political process in a significant way.

(6) Having a national presence of some type, such as producing popular videos on YouTube, or having a popular radio talk show.

(7) Having a lifestyle that is unacceptable to other people. An example would be the polygamous marriages practiced by the Fundamental Latter Day Saints.

Just as your personal OPSEC assessment should always consider how your information is viewed at present, a good assessment should consider how your information may be used against you in the future. When you begin to engage in items of public controversy, the amount of public information you have revealed in the past will become critical. The best OPSEC is to keep amount of public information about you at the lowest possible level, as many people have so much information in the public domain that it is impossible to do anything about it once they become controversial. You should consider your public information and your potential adversaries before you become involved in a controversial area.

The Third Step
in developing your OPSEC assessment is to look at all of the ways your critical information can be compromised and used by the adversaries identified in step two.

Using LinkedIn may be good for business, and having a FaceBook account may be good for friends, but they can be really bad OPSEC. What you look like, your views and outlooks, and a list of all of your friends and business contacts are available to anyone that can access your account. YouTube videos, web sites, and other Internet activity provide a tremendous amount of information that can direct attention to you and cause problems with your OPSEC.

A good example of how critical information is compromised on the Internet is the case of the Hutaree Militia, who put their paramilitary training videos on YouTube. This raised their profile, and is probably the reason the Hutarees were infiltrated by a government agent. I don't think these people are more than talk, but their paramilitary training videos were very aggressive and probably frightened some people. The statements of the government infiltrator resulted with their arrests, even though they may have done nothing wrong. Paramilitary exercises are perfectly legal [in most jurisdictions], but should be done in secret as they can make you appear to be threatening to many people. You only have to "look" like you are dangerous to encounter problems, and good OPSEC should conceal all information of this type.

Another way your personal information is compromised to a potential adversary is through your property deed information, which is posted by your tax assessor's office on the Internet. A lawyer or anyone else can look up your name, how many parcels of land you own and what they are worth, and what types of buildings or other improvements have been made. Not only can someone find out where you live but they can tell if your home is free and clear of all debts. Having a house that has a lot of equity can make you appear to be rich enough to be a target of a lawsuit. To protect yourself, you will need to obscure your public ownership information.

To do this, you will have put the ownership of your home into a trust or partnership that hides your name on the tax records. This is crucial to avoiding a lawsuit, as lawyers routinely use the property assessor's tax records on the Internet to look for the assets of anyone their clients intend to sue. If you have a lot of known assets and the lawyer thinks he can win the case, the lawyer's proposed fee for his client will be to split the proceeds of the lawsuit that will come from the court's judgment against your assets. This way, it won't cost his client a dime to sue you. But if the public records do not reveal any ownership of real estate and other assets, the lawyer will demand his fee "up front" from his client before he will press a lawsuit against you. This will stop 99% of all lawsuits from ever being brought against you. Lawsuits are hardly ever brought against those that appear to be insolvent, because the lawyers and their clients are not likely to be able to recover their lawyer fees.

A good example of real estate lost due to compromised OPSEC is the lawsuit brought against Operation Ranch Rescue, a controversial group that provided security to farmers along the Mexican border. One of the owners of Ranch Rescue had a large farm in Arizona, apparently listed in the owner's name. Ranch Rescue was sued on the behalf of illegal immigrants by the SPLC, who set the damages slightly greater than the assessed value of the owner's farm. Their lawsuit was successful, and the ranch was taken to satisfy the judgment the court laid on the owner. If the owner had practiced good OPSEC and had put his ranch in a trust, the outcome may have been different.

I have a friend that is a wealthy real estate appraiser, and is often involved in local politics concerning the properties that he owns. He has been sued by county developers and other rascals for ridiculous reasons. He did not want to put his home in an irrevocable trust, so to protect his home from lawyers, he had a good friend file a large lien at the courthouse against his home for more than the property is worth. His friend also gave him a signed and undated quitclaim deed to terminate the lien, which the appraiser keeps in his safe. This makes him appear to have no equity in the property. When the appraiser wants to sell his home, he can file the signed quitclaim deed at the courthouse which will void the lien against the property at any time. None of the appraiser's vehicles are titled in his name, but are titled in his company's name, which is not directly tied to him. His other assets are handled the same way. When a lawyer researches the appraiser's assets, he appears to be insolvent, and so is protected from almost all lawsuits. Using a temporary lien would be one type of OPSEC when you cannot hide your ownership. Some of the best protection of your information from your adversaries is to obscure it with disinformation.

Another way your personal information can be compromised is when you don't know the background of people who suddenly befriend you. This has been the downfall of many people. Randy Weaver had visited a controversial group, and his OPSEC should have been to give everyone there a nickname or something besides his correct name. His next problem in OPSEC was to make friends with a government agent who was trying to infiltrate the group. This agent convinced Weaver to saw off a shotgun for him down to the legal limit. The agent then accused Weaver of sawing the shotgun barrel too short to be legal. The government used this to pressure Weaver to spy on the controversial group or face jail, and Weaver would not spy on the group, or come down from his home when a arrest warrant was issued for sawing off the shotgun. The lapses of OPSEC of using his real name and not investigating his new friend (and almost everyone has made the same mistakes) led to the standoff where Weaver's son and wife were killed by the government. Weaver was not at fault and won a civil judgment against the government, but that doesn't change the outcome. If you are involved with a controversial group, or have new friends that want to involve you in firearms, the lesson for all of us in this time of universal corruption is that we need to increase or evaluate our OPSEC. It may be legal to own guns and participate in groups that are under government investigation, but this is a deadly combination

Even friends that you trust, combined with guns, can be deadly. Those who are friends today can be your enemies tomorrow, and report to others your level of gun ownership, which will compromise your OPSEC. Consider the Branch Davidians in Waco Texas, who were first brought to attention of law enforcement by the complaints of a former member. This was followed by a damaging series of articles written by the local newspaper. Another incident that raised their profile was their mail order gun parts business. One package they ordered by US Mail had dummy hand grenades and other firearm parts. The carton was somehow opened at the Post Office, and law enforcement was notified. This incident, as well as the large number of guns the Branch Davidians were legally purchasing, and the complaints from neighbors of the sound of guns being fired on their property, brought them to the attention of the ATF. The final lapse of OPSEC was purchasing the legal-to-own [and BATF-approved] "Hellfire" trigger, which made their semi-automatic guns sound like they are fully automatic. The legal basis for the ATF raid that ended with the death of the Branch Davidians was that they had "possibly" not paid a $200 license fee for having a unverified fully automatic weapon on their property. I don't believe the Branch Davidians ever broke a law, but their OPSEC was terrible and is what made them the target of the ATF. Better OPSEC for the Branch Davidians would have been to rent a location for the gun parts business away from their compound, and to test fire their guns at a recognized rifle range. No outsider should ever have known that guns were on their property. If guns had not been involved, at most they would have been raided by Child Protective Services and not the ATF, and the outcome would have been much different.

Openly purchasing large amounts of guns and firing a lot of ammo on your property is perfectly legal, but a great way to compromise your OPSEC. No one, not even your closest friends, should know about all of your firearms. "Bump-firing" your semi-automatic rifle at fully automatic speeds is legal and a lot of fun, but who is listening to you shoot? What type of acoustic signature are you creating? Better yet, who are you making afraid? The neighbors that are afraid of you could be the "Human Intelligence" that law enforcement will use to investigate you. You need to appear harmless to everyone, especially your neighbors.

I know one person who claims to be a non-violent Mennonite to avoid any indication that he has a large gun collection. Any target practicing he does is just one shot at a time, to slowly zero in his "hunting" rifle. There is absolutely no need for anyone to rapidly fire a full 40 round magazine. It is just a waste of ammo, and reveals the size of the magazines that you have. Your best OPSEC is to never openly reveal the types or numbers of guns that you have through the sounds they make, or as some would say: "Never pull out a gun unless you are going to use it." For once you make known to the world what types of guns you have, your adversaries will counter with something better that will neutralize your advantage.

Your OPSEC is compromised when you do things that attract attention to yourself, such as wearing camouflage fatigues outside of hunting season, painting your vehicle OD green or camouflage, or stringing up miles of concertina wire around your property. When I see the ultimate mondo security gate, I remember what Jeff Goldblum [as "Dr. Ian Malcolm"] asked about the massive gate at Jurassic Park: "What have they got in there, King Kong?" A large security gate will make your neighbors wonder what you are hiding up there. A better solution is to install steel cables or hardened steel chains to run behind each gate that are hidden when not in use, but can be pulled taut and locked as needed. Bulking up your home with visible guard towers, LP/OPs, trip wires and sand bags is such poor OPSEC as to destroy everything you are trying to do. Security items that are visible to others makes you more vulnerable because it raises your profile.

A good solution for your retreat security improvements is that they provide double duty, one that is perfectly acceptable and normal for today, and one that is meant for when the balloon goes up. For a LP/OP, consider building a kid's "dream tree house", complete with a "fun field telephone" system connected to the house for emergencies. Instead of concertina wire, put electrified barbed wire on top of your fences with a separate "100 mile fence charger" for each strand of wire. The amount of electricity is not obvious, at least until you touch it. For trip wires, consider using High Tensile Electric wires. Not only do they trip, they can shock the pee out of you, as well as keeping your goats and other animals in the right area. Raising animals gives you a good reason for a lot of fencing in various places. Our last line of electric fence surrounding our house may give us protection from intruders after TEOTWAWKI, but right now it keeps the sheep and cows off our back porch. And our Great Pyrenees dogs provide protection from coyotes, as well as handling people that walk by our property. I even got challenged by my 1,500 lb bull one night while I was walking back from the barn. Once he knew it was me, he left me alone, but I would feel sorry for anyone else that tried to run. Our retreat security preparations are natural and out in the open, yet good OPSEC is to not mention any dual purpose they may have, or say anything about them at all.

The correct OPSEC for your radio communication system (more precisely termed COMSEC) will require careful planning. I think it is important that you hide or make invisible the shortwave and other types of radio antennas on your property so they cannot be confiscated. If you use only passive radio receivers on your property and not transmitters, then you will not have to energize your antenna wires, and they will be safe for human contact. This opens a lot of possibilities. A bare wire insulated at both ends that secures a flag pole or windmill, or a wire between two buildings that supports bird house gourds, or perhaps a section of electric fencing that is never charged, these may be good camouflaged passive antennas.

Active radio transmitters are different, as their transmission location is compromised every time they are used. Good OPSEC requires that any radio transmitters be mobile and all transmissions are made in different places away from your residence. If for some reason shortwave and other types of radio transmitters are banned and you have been transmitting for some time from your home, it would be easy through radio detection and triangulation to pre-determine where all of the radio transmitters are located before the ban was made public. If you want to keep your transmitter, use it away from your home.

Project Echelon is a signals intelligence network operated by the US, UK, Canada, Australia, and New Zealand. Echelon has the ability to monitor global communication, including cell phone conversations. Echelon may help identify the movements of people that the government has an interest in following, as it identifies certain types of spoken content. If your cell phone conversations frequently include words such as "jihad", or "nuclear bomb", you might end up on their list. Watch what you say on your cell phone, even in jest. No wireless communication is ever secure, and any information you release over a wireless transmitter should be considered compromised.

I don't think I am enough of a target for Echelon to monitor me, but I have seen a demonstration of the Verizon GPS tracking service called "Field Force Manager" that Verizon offers its corporate customers. If a company issues their employees a Verizon cell phone, Verizon has a new service that allows the company to see on a map where these cell phones are being used. If the cell phone is turned on and you drive a long distance, the map will show your route, your speed, and where you were at each moment of the day. This information is stored, and the company can call up any previous day's GPS locations and movements. It reminds me of a song: "There's an eye, a-watching you...". I don't want Verizon or anyone to track my movements. I always leave my cell phone turned off except when I call out on it. To be perfectly safe, I would need to pull the battery out of the phone, or get rid of it entirely. We had a friend with a domestic situation, and he discovered that a private investigator had placed a cell phone in his car, apparently to track his movements. He gave this cell phone to someone he met at a truck stop going the other direction, and told him to make all of the calls he wanted. For his own use, he bought a "throw-away" cell phone with pre-paid phone card minutes, for which he paid cash at Walgreen's. it is completely untraceable.

The Fourth Step
of an OPSEC plan is to rate a list of the most damaging information I have that could be used by my adversaries. First on my list is anything that would get me killed, either before or after a collapse of society. The knowledge that your home has large number of guns or precious metals can invite a home invasion with deadly results. What would you tell a robber who has a gun at your wife's temple when he asks you where your guns, gold, or survival food is stored? I would put my OPSEC for concealing information about my guns, precious metals, or survival items at the top of my list.

My next most valuable information would be my house and property. For this, you want to put your property into a trust, so that you do not show up as the owner when the property records are searched by a lawyer. I would also suggest an unlisted telephone number, as anyone can find your home address listed in the phone book. I had a Bible prison ministry for a while, and some of the prisoners would call me once they got out of jail. Some were saved, but most were not very repentant, and quite a few of them were dangerous. I finally realized that any of these former prisoners that knew I went to church on a regular basis could rob my house while I was at worship, but only if they knew my address. I unlisted my number, and have since moved to a new address. It is very wise not to have a listed phone number, as this is the number one way a criminal can determine your address.

Your home says a lot about you, and is your sanctuary and castle. You don't want anyone that is a criminal to know the location of your home or its contents. One of the most successful WWII spies for the Allies in France survived because kept his address a secret. He was never caught by the Germans because he changed his appearance often, paid his rent in cash, and he never, ever brought anyone to his home or revealed where he lived. Likewise the information of the contents of your home should not be revealed. King Hezekiah in 2nd Kings 20:12-19 proudly displayed his treasures to the Babylonian diplomats, thinking they were harmless. Babylon later attacked Jerusalem, and took all of the gold and other treasures, probably because they knew how much wealth Hezekiah had. I have a friend that competes in mounted shooting, which is the sport of shooting from horseback for competition. During a short period of time while they were gone, someone stole all of their guns, even the ones that were somewhat hidden. Only someone that knew the contents of their home could have done this. A lack of OPSEC, such as opening up your home to large groups of people that you don't know, can have negative results.

I don't have to hide from the world to have good OPSEC. I have various friends that visit our home, and we worship at each other's homes, but for strangers, we do not let them see the inside of our residence, as the layout and contents of our home is personal information.

The information that is last on my priority list is the "hard to get" information with less value that could only be a problem if something changed. For example if I decided to run for public office, or tried to get a high security clearance for a sensitive job, current records and associations, which are not a problem now, would be scrutinized. Changes to our legal system that might criminalize items in the future that are now legal (such as gun ownership, the possession of gold, using unpasteurized milk, etc) are good reasons to have a good OPSEC plan.

One item of information you should consider is your bank records. Any person or any government agency that can access your bank records can find everything you have purchased, and what groups or programs you support with your donations. Some people will deal purely in cash, but that also raises a red flag. The way I handle it is to buy all of the regular, "conformity" items with my debit card or by check. For anything that may in the future be a problem, such as buying raw milk from an unlicensed dairy (i.e. the farmer down the street), I always pay in cash. That way, I have a "public" persona that appears to be harmless, while my cash-based private life hides my secret consumption of various semi-legal dairy products. The benefits of raw milk are significant, and it should not be up to some bureaucrat to determine my health. But as time goes on, even the items that keep us healthy may be banned under Codex Alimentarius. Another item that may be banned in the future is the ownership of gold. In 1934, Franklin Roosevelt passed the Gold Reserve Act, which made the private ownership of gold [bullion and most coins] a criminal offense. It could happen again. If you are buying gold, guns, or anything that is legal now but may be a crime in the future, then it is critical that you use cash and not create any information "paper trail" concerning your purchases.

It is good to do an routine evaluation of how much compromised public information you have. On occasion, I try to "find myself" on the Internet to see how much information about me is out there. I go to Google and type in my full name surrounded by "double quotes". This makes Google search for the exact string of words in quotes, and sometimes I find public records I did not know I had. is another way investigators find people. I also type in all or part of my street address inside the double quotes, and then leave the city and state outside the quotes. This loosens up the match on Google, and gives a better result. I do the same for my P.O. Boxes, and my unlisted land line phone number and my cell phone number. It is surprising when you find your unlisted phone numbers on the Internet.
The reason I check my name, address and phone information on the web is to make sure they are not compromised, or posted by some company that I do business with. A few years ago I developed some Internet software that became popular. On the Authorship page, I stupidly put my name and old home address, and there has been no way to get this information off the Internet, even now. At my job, I had to fire an unbalanced person, who has since kept tabs on me, and has easily found this old address. For good OPSEC, when I moved my family to our new address, I made sure no connection between the old and new address existed. I forwarded all of my street mail to a P.O. Box at my old location's Post Office. I opened a new P.O. Box at my new location, and did not give a forwarding address. Next, I selectively notified friends, the electric company, and very few others of my new P.O. Box. Nothing else got forwarded. This also got rid of a lot of junk mail. And I did not get a street mailbox at my new home for two years.
The next item in building my OPSEC for my new home was to develop a bullet proof solution for having a street address. Various government agencies, such as our state's driver's license section, require that you have a valid "911" home street address and not a post office box. Some home deliveries and online purchases require a valid street address. Since we purchased raw land that did not have a residence, I had to tell the 911 section at our County where my new home would be located. I told the officials that we were building our house down the road near the paddock, past the barn. The 911office assigned our street number based on the distance from the beginning of the street to where they thought our house would be built. For example, if your 911 address is 1250 Jones Road, your house is located 1.25 miles from the beginning of Jones Road. Each address is based on the distance from the beginning of the road. Anyone using a GPS address locator to find your physical street address will go this exact distance down your road. So after I received my 911 address, I built a large shop building near the paddock, where we lived while we built our house. I put the 911 street number they assigned on the shop. Then I built my driveway about ¼ of a mile up the road from the barn, and put the house even further away up from the shop up on a hill where it is not easily visible. The result has been that whenever the census takers, the county appraiser, US Mail, UPS, FedEx or anyone that uses a GPS locator for my 911 address comes to my street address, they always go to the shop building. If they knock on the door at the shop, they think no one is at home. All deliveries and mail are left at the shop. I have never had anyone I did not know come to my real home, as my real home has no street address, only the shop does.

Your local 911 group will assign a latitude and longitude to your known street address, which Google uses to puts a pointer right on top of your home. Go to Google Maps, or you can download their Google Earth package. Enter in your complete street address, and Google will put a crosshair right on top of your home. The latitude and longitude coordinates for your home were also collected by the US Census Bureau. The only downside to not having a valid 911 address that points to your real home's location is that when an ambulance is called, it will go to the wrong place. In this rare emergency I will just send someone to flag them down to go to the correct location.

The Last Step
in my OPSEC Plan is to continuously employ countermeasures to safeguard the most valuable information I have that is most likely to be accessed by my adversaries. I have listed quite a few of our countermeasures already. One final countermeasure that everyone should have is to encrypt your computer's wireless router, otherwise anyone that drives by your house with a laptop can access your computer system. Even with encryption, your emails, Google searches, and web sites that you visit are recorded as all of your Internet history is kept on file at your Internet Service Provider and can be used by a government agency at anytime. Good OPSEC would be to use the Tor Anonymity Network or other means to control the Internet information you create.

The final countermeasure is to go back through the five steps of OPSEC assessment on a regular basis, namely, identify your information, consider your adversaries or threats, analyze your vulnerabilities, assess or rate your risks from high to low, and employ countermeasures. As your situation changes, so will your OPSEC. Completing and acting on a regularly scheduled OPSEC assessment may save your life.

1 comment: