Greg Howe
Historical Perspectives
Even though the chances for superpower confrontation appear to be diminishing, most security experts would agree that there is still a need for counterintelligence (CI) programs and assets due to the fact that there are defense technologies, intelligence operations and other activities requiring security protection. During this interim period, both the United States and the Commonwealth of Independent States (CIS) are trying to gauge the appropriate mix and focus of CI programs. Part of this introspective look should include an examination of security strategies and programs in both countries over the past 25 years. This article will examine the role of operations security as a developing security discipline, provide a brief history of OPSEC in the U.S. Army, and compare and contrast the U.S. program with the past Soviet counterpart program, Maskirovka. There is no public information indicating that the Russian or other CIS military service has dropped Maskirovka from its military jargon; therefore it must continue to be considered a viable part of Russian and CIS military strategy.
DEFINITION
Operations security, according to National Security Decision Directive 298, is "a systematic and proven process by which the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive Government activities." There are various interpretations of the term OPSEC and what it means for individual commands and agencies. According to NSDD 298, the U.S. National OPSEC Program is to be implemented not only in the Department of Defense but also in "each Executive Department and agency assigned or supporting national security missions with classified or sensitive activities." There is no definitive explanation of "sensitive activities" or which Executive departments or agencies are engaged in same.
Most of the traditional security disciplines are regulatory in nature and do not allow for a great deal of interpretation, analysis or direct correlation to a multi-disciplined threat. Traditional security programs are neither threat related nor critical information oriented. OPSEC, on the other hand, is a security discipline that can be called upon after traditional security programs have been established but some unidentified or ill-defined "system" vulnerability exists, allowing an adversary to acquire valuable knowledge about a program. The operations security evaluation or assessment is an ideal vehicle for performing a comprehensive "systems analysis" of the key elements of information needed by an adversary to detect the existence of a particular operation, the information sources vulnerable for exploitation, and perhaps even the evidence that such exploitation is ongoing. Risk analysis is then conducted and countermeasures designed and implemented.
The comparable CIS equivalent to the U.S. OPSEC program is called Maskirovka, which is defined in the Soviet Dictionary of Basic Military Terms as:
"a form of support for combat operations, its purpose being to conceal the activities and disposition of friendly troops, and to mislead the enemy with regard to the grouping and intentions of such troops. Camouflage measures are also implemented in the deep rear within the framework of civil defense."
Note that this definition differs from that of NSDD 298 regarding the scope of activities conducted under OPSEC and Maskirovka. OPSEC is mandated in both civil and military elements of the United States Government; Maskirovka in the former Soviet Union was primarily a defense function (combat operations). The Maskirovka definition also implies that it includes deception (mislead the enemy), whereas the National OPSEC Program directive does not mention deception. Charles L. Smith, in his article "Soviet Maskirovka", describes the Soviet program as "a very broad concept that encompasses many English terms (including) camouflage, concealment, deception, imitation, misinformation, secrecy, security, feints, diversions and simulation." This is obviously a much broader definition than that of OPSEC but, as we will explore further, the former Soviet structure supporting Maskirovka facilitated the planning and execution of multiple security functions under one program.
THE U.S. OPERATIONS SECURITY PROGRAM
The term "operations security" first evolved in the military as the result of several studies, nicknamed Purple Dragon, conducted during the Vietnam War. Teams composed of operations and intelligence analysts were tasked to determine the reasons for apparent enemy foreknowledge of U.S. military operations in Southeast Asia. These teams were successful in pinpointing the vulnerabilities in United States security practices and implementing countermeasures.
The Army capitalized on the lessons learned from Purple Dragon and, when some Army CI missions were transferred to other agencies, started an OPSEC program in the mid-70s. The test and evaluation (RDT&E) system, particularly weapons programs located on test ranges. These weapons programs, many of which were employed in Desert Storm, were scheduled for production during the 1980s and consumed a substantial amount of the Army budget. Secure development using sound OPSEC principles could protect that investment into the 21st century.
Several surveys of Army test ranges and Army RDT&E programs were conducted during the period 1974-1979. The test and evaluation phase of the RDT&E cycle seemed to be the period in which weapons programs were most vulnerable to adversary intelligence collection, particularly from technical sensors. Other services and the National Security Agency shared that concept, resulting in joint OPSEC surveys of Army, Navy and Air Force test ranges during the 1979-1980 timeframe.
In spite of the success of the original OPSEC program within the RDT&E community, during the 1980s several events occurred which damaged the credibility of the OPSEC concept. The quality of OPSEC surveys suffered as untrained Army CI personnel, under pressure to conduct OPSEC surveys of Army organizations in their area of operations, completed surveys of seemingly every aspect of Army life except RDT&E operations. The Army also lumped all the other security disciplines, such as TEMPEST, COMSEC and technical surveillance countermeasures, under an "OPSEC umbrella." Integrating these elements into the OPSEC program violated its advice and assistance nature and created an erroneous concept of OPSEC in the rest of the Army. The philosophy behind the original Army OPSEC program was to tap into the other autonomous security disciplines if needed as part of an OPSEC endeavor but primarily to provide advice and assistance within the broader goals of Army counterintelligence. Inspectors General also included an evaluation of a command's OPSEC program and its salient features in their annual inspections. In late 1980, the Holloway Report on the aborted rescue mission in Iran was very critical of the overindulgence in OPSEC to the detriment of comprehensive planning.
During the 1980s, traditional OPSEC took a back seat to two developments: (1) counter-espionage operations as a fallout from the rise in spy cases and (2) the growth of special access programs (SAPs). The majority of the resources devoted to traditional OPSEC were redirected to the management and execution of SAPs, especially those devoted to RDT&E. This was probably the logical evolution of the program, because lessons learned from the OPSEC surveys conducted in the 1970s indicated the probability that some, if not all, of the weapons programs undergoing OPSEC surveys during that period were compromised very early in their development cycles and not during the field testing stage. Special access programs were designed to prevent the unwarranted revelation of data that might disclose quantum leaps in technology, clever applications of current technology, or the discovery of devastating vulnerabilities in a currently fielded weapons system. To support these programs and gain an even greater payoff for each procurement dollar expended, a more comprehensive set of security countermeasures had to be developed or borrowed from other government agencies.
The development of these countermeasures programs was not a priority CI effort during the 1970s and consisted mostly of ad hoc methods pursued separately by several different agencies. The services and national intelligence agencies made a concerted effort during the 1980s to jointly develop comprehensive countermeasures. These programs were relatively ineffective due to the fact that they were not centrally managed; the data was not easily obtained by all elements with CI and OPSEC interests and responsibilities; and compliance was largely voluntary. Obtaining timely all-source intelligence information on hostile intelligence organizations and capabilities to support OPSEC programs was also a significant detriment to effective implementation of countermeasures.
THE MASKIROVKA PROGRAM
The Soviets, until the advent of Glasnost, Perestroika and the eventual dissolution of the Communist state, possessed one of the most comprehensive CI and security programs of any country. The Party's control of all aspects of Soviet society eliminated some of the most basic OPSEC problems faced by U.S. CI and security personnel. Through the principal security elements in the former Soviet Union, the KGB and GRU, the Party developed strict procedures for controlling human observation of anything of military significance. Past KGB control and surveillance of western diplomatic, commercial and scientific visitors as well as students and tourists is well documented.
Maskirovka appears to be much more comprehensive and aggressive than the U.S. OPSEC program and contains various levels of employment (strategic, operational and tactical). Under the former Soviet system, the Soviet Supreme High Command conducted strategic deception and maskirovka activities; senior Army, Air or Fleet commanders conducted similar activities at the operational level, while low-level military units executed tactical deception and maskirovka. The centralized nature of the Maskirovka program allows for directed and enforced security countermeasures and deception programs. Enforcement of OPSEC procedures has historically been a high priority for the former Soviet military forces, much more so than for the U.S. military. Strict signal security practices, including the publication of names of officers guilty of loose COMSEC practices, were not uncommon. Use of camouflage and decoys was practiced intensely during exercises.
The Maskirovka program also includes countermeasures to technical collection. A former Soviet Army officer, writing under the pseudonym of Victor Suvorov, outlined an organization in the former Soviet military called the Chief Directorate of Strategic Deception of the General Staff or GUSM. GUSM reportedly had the mission of collecting and processing information on hostile satellites, forming orbital predictions and determining the times these platforms will pass over sensitive areas. GUSM then enforced a warning program whereby camouflage, concealment and decoys were used to prevent reconnaissance. According to Suvorov:
"A huge U.S. computer, which has been installed at the Central Command Post of the Chief Directorate of Strategic Deception, maintains a constant record of all intelligence gathering satellites and orbiting space stations and their trajectories. Extremely precise short- and long-term forecasts are prepared of the times at which the satellites will pass over the various areas of the Soviet Union and all the other territories and sea areas in which the Armed Services of the Soviet Union are active. Each army, division and regiment receives constantly updated schedules showing the precise times at which enemy reconnaissance satellites will overfly their area with details of the types of satellite concerned and the track it will follow."
The former Soviet Union may have initiated its Maskirovka program as early as 1965 and blended security countermeasures with an active deception program, designing countermeasures to cover the entire gamut of military activities. The applicability of the Maskirovka program to all phases of Soviet weapons programs is unclear from the open literature; there is ample evidence that security for the field tests of the SS-16, SS-20, SA-12B and SS-24 fell under the auspices of the Maskirovka program. False telemetry, reduced telemetry transmitter power, night testing and bogus impact points were some of the countermeasures employed during these tests.
The foundation for the threat assessment portion of the Maskirovka program was knowledge gained through intelligence operations and leaks in the western press concerning U.S. and Allied intelligence capabilities. Several widely publicized espionage cases - William Kampiles, Christopher Boyce and Daulton Lee, Geoffrey Prime, the Walker family and others - contributed to the evaluation of the threat and development of countermeasures.
Examples of the use of Maskirovka are evident in the open literature; among them:
(1) the use of announced exercises, radio silence and chaff dispersal, along with deceptive statements of peaceful intent by the political leadership prior to and during the invasion of Czechoslovakia in 1968. The political leadership of the former Soviet Union always played an active role in the Maskirovka program, usually in the form of misinformation dissemination.
(2) heavy reliance on radio-electronic combat, which includes spoofing, jamming, intrusion, etc., along with an aggressive communications security program.
(3) the use of environmental covers over submarine and ICBM silo construction sites as well as the employment of decoys such as inflatable tanks and submarines.
(4) interference with strategic arms verification, by construction of decoy missiles, encryption of missile and warhead telemetry, jamming of U.S. collection assets and camouflage of active missile silos.
In summary, the OPSEC program in the United States and the Maskirovka program in the CIS have many similarities but also some glaring differences. Regarding military operations, both programs appear to be combined efforts between operations and intelligence elements. Both borrow heavily from traditional security disciplines, such as communications and electronic security, and incorporate aspects of each into their respective programs.
The CIS appears to have initiated its program earlier, was dedicated to its conduct and enforcement under the Soviet military system, and directed its activities from a central body. The U.S. OPSEC program, on the other hand, lacks focus, is largely voluntary in nature, and is not centrally oriented, with the exception of those activities covered under NSDD 298 (advice, assistance and training). The U.S. OPSEC program employs basically defensive security practices and does not include deception or jamming, which are basic elements of Maskirovka. OPSEC is barely recognized as a security discipline in the United States, even in military circles, whereas Maskirovka has been practiced diligently in some fashion by many echelons from the political leadership to the military industrial complex and on down to the lowest tactical elements.
THE FUTURE
What does the future hold for OPSEC and Maskirovka? Maskirovka will probably continue as a viable security program in CIS military forces. The scope of the program probably will be reduced to strictly tactical operations due to the fact that the breakdown in discipline is not conducive to the rigid security practices employed under the former Soviet Union. Economic and financial pressures will force a reduction of resources devoted to the program but it will remain a basic ingredient in Russian military philosophy. This reduced emphasis in Maskirovka does not mean the U.S. should emulate that example. On the contrary, because we are not proficient in this military discipline, we should increase our efforts to develop OPSEC practitioners, techniques and programs.
OPSEC was cited many times during Desert Shield/Desert Storm by General Powell and Secretary Cheney as the primary reason for concealing information from reporters about the disposition and composition of U.S. forces. The military as a whole is probably just beginning to recognize the value of OPSEC as a force multiplier, especially when employed with tactical deception. However, OPSEC still has not recovered from its earlier setbacks and is not recognized in professional security circles as a viable security discipline. Its primary client will continue to be the RDT&E community, which will still draw the most benefit from a well organized and executed OPSEC program, particularly as part of a SAP.
Congress has recently directed the Pentagon to upgrade the security of RDT&E installations, procedures and programs. An Acquisition Systems Protection Office (ASPO) has been created on the DOD staff to establish security standards for RDT&E facilities and programs, conduct OPSEC and related security evaluations of all the major facilities, pinpoint systemic security vulnerabilities and apply corrective action through funding or procedural changes. Creation of this office represents a major effort to coordinate weapons systems protection at a central level, which should ultimately result in a coordinated level of protection for similar weapons system technologies and programs. U.S. weapons technology is now a high priority intelligence collection target for both friendly and potentially hostile countries, given its performance in the Gulf War.
Systems Security Engineering or SSE, a recent Air Force innovation, is a program designed to plan for the security needs of a weapons program from Phase 0, Concept Exploration and Definition, through Phase IV, Operation and Support. Like OPSEC, SSE calls on traditional security disciplines for support and outlines the security needed during each phase of the RDT&E life cycle in a practical and pragmatic approach. The difference in the two programs is that SSE forces the "security engineer" into planning security protection for the entire life cycle of the program and incorporating security countermeasures into formal plans. SSE has become a formal part of many defense contracts.
Other than defense contractors, there has not been a substantial transition of OPSEC processes or systems security engineering into U.S. industry. Traditional security practices and programs are still predominant in most businesses. Application of the OPSEC approach could help businesses isolate their critical proprietary information, identify security weak points, and assist in the development of protective countermeasures. Given the state of the U.S. economy and the strength of the international competition, it's only a matter of time before OPSEC becomes a viable concept in protecting valuable information and competitive advantages.