
Loose lips can still sink ships: Protect your Critical Information

OPINION — In the early stages of the Vietnam War, Pentagon officials were puzzled why U.S. bombing missions against northern Vietnam were yielding meager results. Accordingly, the U.S. Government investigated and, in what became known as the Purple Dragon study, concluded that U.S. forces were inadvertently revealing flight plan information to North Vietnam, which could then take evasive action.    

Addressing the challenge of keeping information on U.S. military strengths and vulnerabilities away from hostile forces became known as operations security—or OPSEC.  Ultimately, in 1988, President Ronald Reagan directed elements of the Executive Branch that support classified or sensitive activities to establish formal OPSEC programs.  Since then, OPSEC has been applied not just across the U.S. military and Intelligence Community, but in various private industries and other sectors. 


As the digital age has progressed, OPSEC has become more challenging.  In 2018, the Defense Department barred its employees from using geolocation features on their mobile devices in operational areas after fitness app data appeared online revealing their exercise routines in sensitive overseas locations.  Recently, Russia’s war on Ukraine has highlighted the fatal consequences of poor digital OPSEC.  Press reports last year detailed cases of Russian troops being killed by Ukrainian strikes after using cell phones to contact relatives or post photos online while leaving their geolocation tags on.

With adversaries today not only targeting the U.S. national security community, but also extracting data and technology from virtually every sector of our economy, OPSEC is a concept all organizations should embrace. OPSEC is a proven discipline designed to deny adversaries the ability to collect, analyze, and exploit information that might provide them an advantage. It is a process of continual assessment that identifies and analyzes critical information, vulnerabilities, risks, and external threats.






Of course, the first step in establishing an OPSEC program is acknowledging there are adversarial threats to your organization—and they can come in the form of crime, foreign espionage, terrorism, or subversion.  These threats—which are constantly evolving—can be manifested by ransomware delivered by cybercriminals, sabotage by insiders, theft of intellectual property by agents of a foreign power, or physical destruction of facilities by terrorists.  Robust OPSEC can help mitigate these threats.

The OPSEC cycle involves six steps.  First, identify the critical assets you want to protect.  Second, analyze threats—determine who may want your critical data or expertise and how they may try to get it.  Third, analyze your security vulnerabilities—determine how your assets, including data, may be vulnerable and whether your existing protection measures are sufficient.  Fourth, assess risks—determine the impact, costs, and stakes should such compromises occur.  Next, develop and apply countermeasures.  Finally, continually assess—and reassess—the effectiveness of your countermeasures.  

The same OPSEC strategies to protect government and business information are useful in protecting personal information.  Exercise caution when receiving unsolicited messages (including texts, emails, chats, etc.), particularly if they come from unknown senders and/or contain suspicious links or attachments.  Adding encryption to your emails, verifying where and from whom a message is coming, and exercising caution before downloading files and clicking on links are all ways to prevent a criminal or foreign adversary from gaining access to your private information.

January is National OPSEC Awareness Month, a month-long campaign across the U.S. Government to help raise threat awareness and share risk mitigation practices.  It is also an opportunity for organizations outside government to revisit and improve their security postures.  We encourage organizations to introduce OPSEC concepts to their employees and seek their support in protecting information.  For resources, visit NCSC’s OPSEC webpage at: https://www.dni.gov/index.php/ncsc-what-we-do/operations-security
