George F. Jelen
An experienced OPSEC professional was once asked to address a small class of intelligence professionals on the subject of Operations Security. As a way of introducing his subject, he asked the group this question: "All of you are intelligence professionals. I'd like to know how much of the intelligence product that you produce is based on direct sources--a captured document or manual, a photograph, a HUMINT source, a SIGINT intercept--and how much, on the other hand, is the result of careful analysis--assembling many little pieces of information to form a complete picture?" The class discussed this question briefly among themselves before coming up with a collective answer. "Ten and ninety," they replied. "Ten percent is based on direct information and ninety percent is the result of analysis and inference." "Well," said the OPSEC professional, "I'm in the business of protecting the ninety percent."
There are two points to this story. The first is that the 10/90 split was not what the intelligence professionals would have preferred. The reason that only ten percent came from direct sources was that the traditional security disciplines were doing their job in limiting access to those sources. The second point, however, is that in spite of the effectiveness of the traditional security disciplines, the intelligence analysts were not put out of work: there was still plenty of intelligence to produce. The analysts simply had to work harder to get it. By specifically addressing the indirect sources, the ninety percent, the discipline of OPSEC seeks to make that analysis work harder still.
Particularly because it addresses these indirect sources, Operations Security or OPSEC has never been easy to define or even to describe, and one finds many definitions in use among the various departments and agencies of the U.S. Government. Some describe Operations Security as an "umbrella" comprising all defensive disciplines; others, as a program requiring the allocation of resources; still others describe it as the mortar filling in the cracks left by other security disciplines and binding them together; while the relevant national directive defines it as a process. Every one of these characterizations falls short in one way or another. The first is inaccurate; the second and third, misleading; and the fourth, incomplete. None of them succeeds in fully capturing the nature of the activity.
The closest thing to an official definition of Operations Security is contained in National Security Decision Directive (NSDD) 298, dated January 22, 1988. It states:
OPSEC is a systematic and proved process by which the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive Government activities.
This is not a very good definition. First of all, it defines OPSEC as a process. I see it more as a professional discipline that embraces a process. Secondly, it would have us believe that Operations Security is the sole province of the Government (and, by extension, its supporting contractors) and that only "sensitive Government activities" can be protected by it. Clearly, sensitive non-Government activities can also be protected through the application of OPSEC. Nor is OPSEC's protection limited to activities. For example, OPSEC measures could be used to help protect one party's negotiating position from the opposing party. The wording of the definition reflects the era in which it was written (mid to late 80s) and a national security orientation on the part of the original drafters.
Nevertheless, in spite of its shortcomings, the definition contains some important and useful concepts. A key word in the definition is evidence. The word evidence suggests indirect revelation, which was a major lesson from the "ninety percent" story presented above. Other security disciplines aim generally at protecting classified or very sensitive information from direct revelation. However, that same classified or very sensitive information can be revealed indirectly as well, through what the definition calls evidence, which, as the definition states, is "generally unclassified."
This unclassified evidence may be either open source material or "certain detectable activities," called indicators, that "may be pieced together or interpreted to discern critical information." More often than not, these indicators occur in activities involving the movement of people, money or things--in other words, in support areas like personnel, travel, finance, and logistics. From an analysis of actions and data associated with these activities, one can deduce ways in which adversaries might obtain an organization's critical information, even when effective security measures to deny access to all relevant classified and sensitive information are in place. This analysis of actions and data, as well as the protection from indirect revelation, is basic to the practice of Operations Security.
Ultimately, OPSEC protects against inference. It seeks to limit the adversary's ability to infer. Inference has innumerable sources, some of which can be very obscure. S. I. Hayakawa defines inference as "a statement about the unknown made on the basis of the known." With respect to its sources, he goes on to say:
We may infer from the material and cut of a woman's clothes her wealth or social position; we may infer from the character of the ruins the origin of the fire that destroyed the building; we may infer from a man's callused hands the nature of his occupation; we may infer from a senator's vote on an armaments bill his attitude toward Russia; we may infer from structure of the land the path of a prehistoric glacier; we may infer from a halo on an unexposed photographic plate its past proximity to radioactive materials; we may infer from the sound of an engine the condition of its connecting rods.
Inferences can be made from stereotypical patterns or deviations from such patterns--from some particular activity or from the absence of such activity. Because inferences can be drawn even from events that do not take place, OPSEC can be extremely subtle. OPSEC, to be effective, must consider and deal with all possible sources of inference.
The OPSEC Process
According to recently published national doctrine, "OPSEC involves the application of a systematic analytical process to determine how adversaries derive critical information in time to be of value to them." This process is further described as consisting of five phases or steps:
1. identification of critical information--that information the adversary needs to achieve his or her goals;
2. analysis of threat--identification of adversaries, their goals, intentions and capabilities;
3. vulnerability analysis--an examination of the total activity for indicators of critical information that can be exploited by an adversary;
4. risk assessment--an estimate of the potential effects of a vulnerability on an operation and a cost-benefit analysis of possible corrective actions; and
5. application of appropriate countermeasures--cost effective actions which deny or reduce the availability of critical information to an adversary or competitor.
Each of these phases is important to the integrity and efficacy of the overall process. Although each of them has value in and of itself, it is only when all five are employed together that the full synergistic value of the OPSEC process accrues. Identification of critical information provides focus; threat analysis assures realism; vulnerability analysis lends objectivity; risk assessment guarantees rationality; and the application of countermeasures ensures utility and value. Together they represent a logical and balanced approach to contending with risk. The approach, which is applicable to any competitive or adversarial situation, seeks not so much to avoid risk, as this is impossible, but rather to manage it.
OPSEC is especially geared to competitive, i.e. zero-sum, situations. In a competitive situation, a competitor's success comes at the expense of our own. Therefore, our cause is advanced whenever that of our competitor is foiled. And since our adversary's strategy involves trying to thwart our success, we increase our effectiveness whenever we can frustrate our adversary's efforts.
Operations Security, or OPSEC, is not to be confused with Operational Security. Operational Security generally describes a "state of safety" or an entity's capability "to carry out those functions for which it was designed despite the acts of adversaries." Although closely allied with operational effectiveness, which admittedly is a major goal of OPSEC, Operational Security describes a desired end condition and thus relates more to the result of a process than it does to the process or discipline employed to attain the result. Operational Security, then, is usually more associated with ends; Operations Security, or OPSEC, is usually more associated with means.
Why OPSEC is Hard
Very often, people, in their eagerness to sell OPSEC, describe it as nothing more than common sense or as quite easy. If OPSEC is common sense, it certainly is not common. OPSEC only becomes common sense after one has thought of it herself or had it suggested by someone else. Furthermore, it is definitely not easy. OPSEC is hard! There are several fundamental reasons why this is so.
OPSEC is a defensive discipline: it is aimed at thwarting the offensive efforts of someone else. Offensive disciplines, i.e., forms of intelligence gathering, always enjoy an advantage over defensive disciplines like Operations Security. The offense only has to succeed once; the defense has to succeed each and every time. The offense has only to discover a secret in one way by finding one offensive strategy that works; the defense has to defend against all offensive strategies. Furthermore, the offense learns immediately when it succeeds; the defense never knows whether it is succeeding or not. The defense occasionally finds out when it has failed but typically this is many years after the fact.
A second reason that OPSEC is hard is that it tends to be quite subtle. I recall a conversation I once had with a Secret Service agent. The agent had formerly served as a member of the presidential protection detail and was explaining to me how their advance teams work. He related how these teams would be sent to a distant city a few days before the scheduled arrival of the president. He stated that the advance team always carried with it a checklist and that this checklist, although not formally classified, was considered quite sensitive. By way of explanation, he pointed out that the Secret Service agents would not want any would-be assassins to get hold of the list, to see what was on it, and therefore to know what the agents were checking. I told him that I understood that the checklist was sensitive but that he had explained it wrong. Looking slightly offended at my bluntness, he asked what I meant. I said that if I were the would-be assassin, it is not what is on the list that would interest me. What I would want to know is what was not on the list; I would want to know what the agents were not checking. He looked at me rather strangely and said, "Gee, that's right. I never thought of that." He had been viewing the situation from his own point of view. Years of prior experience in intelligence allowed me to see it more readily from the point of view of the would-be assassin.
However, the story does not end there. In spite of the fact that I was able to make this specific observation immediately, it was a full year later before I came to a full understanding of what I had observed. What finally occurred to me, as I was relating this story, was that frequently it is not what is present that is most significant or revealing; rather it may be what is missing. Important inferences can be drawn both from what is present and what is absent. OPSEC can indeed be subtle.
A similar situation has sometimes arisen during the questioning of persons arrested and charged with espionage. Such persons, when apprehended, are interrogated with the objective of assessing damage. In such circumstances, the interrogators are very interested in the questions asked by the accused's former handlers and by what he told them. But occasionally, the questions not asked are even more revealing. When significant information to which the accused had access generated no interest on the part of his handlers, the interrogators might reasonably conclude that there is still another spy who has not yet been caught.
To succeed in OPSEC, one has to think of everything ... in advance. It is exactly what one forgets or fails to consider that can lead to an OPSEC failure or breakdown. Even when planning something as mundane as a surprise birthday party, it is very difficult to anticipate and deal with ahead of time all of the possible ways the secret might be revealed--particularly if the person for whom the party is being planned is a spouse or roommate. Suppose, for example, that when placing the cake order with the bakery, the party planner neglects to caution the bakery, in the event of any question with the order, not to call him or her at home. For, should such a clarification be necessary and the bakery make the call, there is a very reasonable chance that the spouse or roommate might answer the phone, and once the bakery identifies itself and the reason for the call, the secret is blown.
There is yet another reason that OPSEC is difficult. When two or more organizations are involved in a sensitive activity requiring OPSEC protection, it is imperative that the organizations involved closely coordinate their activities--particularly their cover stories--because if they do not, inconsistencies in their respective cover stories could make it obvious that something else is going on. Additionally, inconsistent cover stories can easily confuse the participants as much as they do the adversary.
One way to ensure close coordination is to centralize the activity--to put one person in charge. Unfortunately, OPSEC does not lend itself to this solution. OPSEC efforts are not amenable to being centralized. Operations Security, by its very nature, must be distributed or decentralized. To be effective, OPSEC must be an integral part of the operation itself and all of those involved in the activity or operation must also be involved in its Operations Security. It is no accident that the organizations that have carried out OPSEC most effectively are those that have integrated it into their operations.
In this regard, OPSEC is different from other security disciplines. It is possible, for example, to hire an outside company to install or implement a physical or personnel security program within one's installation or activity. This cannot be done with OPSEC. No one can be hired to perform OPSEC for someone else. All elements involved must practice OPSEC themselves.
Placement of the OPSEC Function
One of the issues confronting organizations establishing OPSEC programs for the first time is where to place the OPSEC function organizationally. Unfortunately, there is no good answer, because there is no right place for the OPSEC function. Anywhere it is situated is likely to end up wrong. About the only general statement that one could make about its placement is that the closer to the top, the better.
Of course, the function does have to be situated somewhere and there are basically three places within an organization that the OPSEC function tends to be located: with operations, with intelligence, or with security. Each has its advantages and its disadvantages.
Locating it with operations, as military organizations normally have done, has the advantage that an operational focus is retained and that the ultimate purpose of OPSEC, i.e., to enhance operational effectiveness, is not lost. And because those involved with planning an operation are the same ones involved with its Operations Security, OPSEC becomes an integral part of the planning.
Placing it with intelligence also has its advantages. Since the methodology of OPSEC is basically that of intelligence analysis, intelligence analysts usually make good OPSEC analysts and most intelligence analysts are to be found in the intelligence organization. Collocating OPSEC with intelligence also locates OPSEC nearest the best source of threat information. Additionally, it couples OPSEC more closely with counterintelligence with which it has a close kinship and with which it must work closely.
Finally, placing it with other security disciplines is helpful because it facilitates the development of a comprehensive security strategy for the organization. It is also helpful at the point in the OPSEC process at which countermeasures must be applied because many of the countermeasures are likely to involve other security disciplines, such as physical or communications security.
The problem is that with any of the three choices, there is no way to accrue the advantages of all three placements, and the absence of the other advantages becomes a disadvantage.
OPSEC in a Changed World
Operations Security has assumed even greater importance in today's changed world. With the collapse of the former Soviet Union, the U.S. has entered a period during which its expenditures for security are being challenged. The changed world situation, and the altered security threat that it has brought with it, have caused many to question the continued need for security protection. An oft heard question is, "Where's the threat?" It is a reasonable question. Most would answer that there is still a threat, but that it is reduced and is directed differently--focused more on economic and technological information than on military secrets. Motivated by a need to reduce expenditures and encouraged by this generally-accepted reduction in threat, resources for security are being cut. As these reductions are made, it becomes increasingly important to apply the remaining resources where they are most needed and where they can do the most good. We must distinguish between what really needs protecting and what does not.
Our decision process needs to weigh the importance of the information, the motivation and the capability of our adversary, the ease with which that adversary could obtain that information, and the risk of leaving the secret unprotected versus the cost of protecting it. All of this is precisely what the familiar five-step OPSEC process does. The more important it is to be selective in the application of our security resources, the more relevant the OPSEC methodology becomes.
A basic premise of the OPSEC discipline is that not all information justifies protection. Currently, far too much money is spent trying to protect information that is either not worth protecting, is already known, or is fundamentally unprotectable. This makes no sense and no organization can afford to continue to do it. The application of the Operations Security discipline and its methodology can be extremely useful in sorting out what most needs protection and in making sensible decisions about where and where not we can best afford to cut resources.
A second basic premise of the OPSEC discipline is that not all vulnerabilities are worth correcting. A vulnerability is significant only as it applies to a particular element of critical information and with respect to a specific adversary. A weakness or vulnerability in the protection afforded to a particular element of information is worth correcting or reducing only if there is some adversary who wants it. Because the objectives of different adversaries are different, what we need to protect from one is likely to be quite different from what we need to protect from another. And, if all of the various ways in which a particular piece of critical information might be revealed to an adversary are ranked as to their ease or likelihood, it may not make much sense to correct the fifth vulnerability on the list if there is nothing that can be done with the second. In addition, sometimes the elimination of one vulnerability introduces another. The OPSEC methodology independently assesses the gain vs. the loss resulting from the elimination of each vulnerability.
The OPSEC process imposes a rigor that can be profitably employed in many security resource decisions, sometimes with dramatic results. For example, when the U.S. was preparing for the arrival of Soviet inspectors as a result of the Strategic Arms Reduction Treaty, teams went around to a number of contractor facilities and Air Force bases looking at what special security arrangements would be required. Applying the OPSEC methodology, the teams were able to reduce the projected expenditures for security by several tens of millions of dollars.
Once having identified the information most in need of protection, it is equally important that such information be protected consistently and completely--that money is not spent on a robust lock for the front door while the back door is left unbolted. Here again, OPSEC can be helpful.
The various traditional security disciplines do an effective job of protecting against direct disclosure. However, our secrets can be revealed indirectly as well as directly, and OPSEC complements these other disciplines by seeking also to protect those same secrets against indirect disclosure. Failure to consider ways in which an adversary might piece together the same secret from bits and pieces of information could mean that we spend a considerable amount of money in security protection and give away the secret anyway. Without Operations Security, the envelope of protection is incomplete.
Operations Security is the security discipline that helps to focus security protection, to rationalize it, and to complete it. OPSEC provides a context within which security resource decisions can be made sensibly. If applied or implemented properly, it should yield a cost savings, either by avoiding unnecessary or ineffective expenditures for security, or by averting larger downstream costs that would result in our adversary or competitor deriving advanced information regarding our intentions or plans. In fact, what many in the OPSEC profession have come to realize is that if OPSEC isn't saving you money, you haven't gotten it right yet! This is more than a slogan. As indicated above, there are real situations in which the application of the OPSEC methodology has yielded millions of dollars in direct cost savings.
During the last four or five years, more and more organizations have come to recognize the value of the OPSEC discipline. As a result, OPSEC is now seeing application in a rapidly widening set of circumstances and activities. Since its initial application to military operations during the Vietnam War, the Secret Service has applied it to personnel protection; the FBI, to law enforcement; the defense community, to weapon system acquisition; the Coast Guard and the Customs Service, to drug interdiction; and the Intelligence Community, to sensitive operations. Although there is very limited experience in applying OPSEC in fields or situations other than these, it should prove relevant and useful in any situation involving at least two participants, each seeking some advantage over the other, as in any form of competition.
Summary
The purpose of OPSEC is to enhance operational effectiveness; it employs the methodology of intelligence analysis; its point of view is that of an adversary or competitor; its focus is on information critical to that adversary and to his purpose; and it is unique in that it does not exclude any useful sources of information, even indirect and inadvertent ones. OPSEC specifically protects against inference and is applicable in any competitive situation.
The value of Operations Security lies in its ability to complement other security disciplines by augmenting and completing the security protection provided by them. It offers an effective means of managing risk and can be useful in security resource decisions by providing both a context for those decisions as well as a reasonable means by which such decisions can be made.
Because it is subtle and abstract, OPSEC is hard to explain and is often misunderstood. Although usually straightforward and logical, it is nevertheless very difficult to master. But because it can yield important and tangible benefits, particularly in today's world of uncertain threat and reduced security resources, mastering OPSEC is worth the effort it takes. Beyond all this, OPSEC can be stimulating, challenging, and often even fun!