Indicators are everywhere in the information environment. For example, you can purchase your own ads-b receiver for less than $200.
By Jared Freeman
Leaders in the US military must balance the need for multi-domain information sharing while ensuring we continue to disrupt enemy decision making by controlling what information our enemies receive. This is a difficult process. Achieving this balance will only be possible through active involvement of commanders across all levels of war and leaders within their formations across each domain. Throughout this article, the reader should keep one theme in mind: The US military continues to become more dependent on technology without concurrently educating all of its users on their vulnerabilities or providing awareness of what indicators each new piece of equipment presents to the information environment.
Operations Security (OPSEC) focuses on controlling the dissemination of critical information. One part of OPSEC ensures friendly forces are communicating the appropriate amount of information to achieve their military goals while another part, countermeasure development, the core capability of effective OPSEC, is needed to prevent adversaries from learning of operational plans. This countermeasure development will need to evolve rapidly over the next one to three years to ensure our military can continue protecting its critical information.
What is OPSEC and where does it fit in the multi-domain conversation?
OPSEC focuses on protecting critical information — its success relies heavily on the involvement of commander and unit leaders to identify what information must be protected to allow friendly forces to achieve and maintain tactical advantage. This tactical advantage relies on denying the adversary access to important pieces of information thereby influencing the enemy’s decision calculus. This is achieved through the OPSEC process: identification of critical information, threat analysis, vulnerability analysis, risk assessment, and countermeasure development.
Two important concepts discussed in Over the Horizon’s most read article of 2017, Multi-Domain Strategic Thinking, include how military action can be used as a communications tool and the importance of orienting multi-domain thinking around the human domain. OPSEC permeates all domains with a focus on how different types of information will be received, and ultimately acted on, within the human domain by adversarial leaders.
Effective OPSEC implementation acts as a force multiplier by controlling what information adversary leaders have available. Creating decision ambiguity that causes enemy commanders to spend significant resources building alternate, useless plans can save hundreds or thousands of lives and millions of dollars. This ambiguity created by effectively managing what indicators are made available to the enemy about our operations will be impossible to achieve without OPSEC experts who understand how information permeates through all domains.
While OPSEC aims to control or limit information dissemination, it is also important to remember that “OPSEC practices must balance the responsibility to account to the American public with the need to protect critical information”. Not only is there a moral imperative to account to the American public, there is also a functional imperative to not restrict our information flow between friendly units, both within the classified and the unclassified information realms. As Douglas Creviston effectively points out in his article discussing secrecy vs. innovation, stifling information flow can lead to disastrous results within formations. Ensuring that countermeasure development does not inadvertently inhibit the flow of friendly information requires significant work on the part of OPSEC practitioners. This calls into question the current state of OPSEC across the services.
Currently, OPSEC program management is an over-burdensome, extra security responsibility tasked to a junior officer or mid-level NCO as an additional duty. Current DoD-level directives and service-level instructions heavily rely on administrative actions disguised as measures of performance for effective countermeasure implementation, mainly through the inadvertent disclosure of FOUO information by sending unencrypted emails. This disproportional focus on administrative actions is a real problem that threatens OPSEC’s utility. To effectively tackle this problem, we must first ensure we understand why OPSEC was created, identify themes that still hold true in the current multi-domain environment, explore how technology will affect multi-domain OPSEC, and leverage those themes to protect our critical information in the future.
The Creation of OPSEC
The genesis of the United States OPSEC program came from mistakes we made during the Vietnam War. In 1965, two different missions, code-named ROLLING THUNDER and ARC LIGHT, began against Viet Cong (VC) and North Vietnamese Army (NVA) targets. Throughout the first year, it became obvious these missions were not effective. The US government established a team of experts and launched an investigation, code-named PURPLE DRAGON. The investigation uncovered some key findings, mainly that we did not understand how indicators from our required processes projected into the information environment. These indicators, through publicly available information, served as advanced warning for the timing and tempo of those missions. This gave ample time to warn potential targets, allowing them to make defensive preparations and move key equipment out of the stated target area with enough time to ensure its protection or removal. In addition to the tactical-level findings associated with ROLLING THUNDER and ARC LIGHT, the PURPLE DRAGON team was successful enough at identifying indicators and producing countermeasures for future missions that the DoD officially stood up an OPSEC program in all US military commands before the end of the Vietnam War.
There are two important takeaways from the Vietnam War example: 1) the information the VC used to drive effective evasion from air bombing and reconnaissance was not classified and 2) the US military’s lack of threat replication resulted in unwitting continued disclosure of critical information indicators. These takeaways are important to consider as we examine how technology will affect the role of the OPSEC practitioner.
What Now? Technology’s Effects
The vital role of the OPSEC practitioner will continue to increase in importance as technological advancements demand a constant review of new equipment and how each advancement presents its own indicators of our operational activities within the information environment. Ultimately, understanding how enemy decision makers use indicators within the information environment to inform their strategic decisions is vital to effective countermeasure development.
As Louis Cook discussed in his article, IO Effectiveness, it is worth remembering that tactical actions have strategic effects in the multi-domain and information environments. Technological advancements have placed handheld information dissemination devices into the hands of almost every member of the military, enabling everyone throughout the chain of command to intentionally or unintentionally disclose an operating location, aspects of personnel and equipment we possess, and how we plan to use them to the entire world. These disclosures can come in the form of a Twitter update, an unintentional disclosure through the use of a Strava enabled fitness device, or a poorly positioned selfie with key indicators in the background of the picture.
Photo Source: army.mil
This is a real dilemma our military members face when pressed for time and an operational requirement to transmit information.
While advancements in technology have made OPSEC more important, they have also made indicator awareness much more difficult. The signatures produced in the information environment continue to increase in availability to the general public, and the amount of detail available on many activities is enough to warrant countermeasure developments.
For example, tools such as FlightAware can watch individual airports for flights and are searchable by flight number, tail number or individual city. Subscriptions include flight data, complete with aircraft ownership data. Other similar tools, such as FlightRadar 24, use ADS-B technology to track flights in progress and can passively monitor any aircraft in their repository once the user sets up simple recurring search protocols, either from their website or their smartphone-based app.
While both of these examples focus primarily on commercially available air-domain indicators within the information environment, it is safe to say land- and maritime-indicator examples through commercially available information are available to anyone with the correct skills to identify the right indicators who chooses to seek it out. Commanders and operators within their respective formations must know what indicators are available regarding their activities, and they must know how that potential knowledge, in the wrong hands, can affect their ability to carry out their military objectives. Without that knowledge, countermeasure development would not be possible, and thus successful OPSEC would not be possible.
As Julie Janson described in her introduction to the human domain series: “There is no way to accurately predict the projection of technology, and a dependence on any traditional or technological domain shows a complete lack of appreciation for human ingenuity. Adversaries will persist in exploring asymmetric ways to employ basic and advanced technologies to exploit friendly vulnerabilities.”
As our problem sets get more challenging and we shift our military preparation efforts toward near peer adversaries, we must take into account their overwhelming investment in developing a military force focused on continuing to find asymmetric advantages through technological innovation. These asymmetric advantages are gained by finding new ways to use military power to affect the human domain. This knowledge should drive our assumptions about adversary ability to derive and access data from all commercially available options and should drive our actions designed to produce countermeasures associated with our reliance on increasingly complicated technology. Below are recommended starting points for consideration and further critical discussion:
- Provide each service an adequate amount of resources to conduct vulnerability analysis of commercially available information-sharing platforms that US military members routinely use
- Develop multi-domain monitoring programs to adequately address and correct mistakes in the information environment during exercises and steady-state operations
- Create a DoD-level specialized team of experts representing multiple domains with the goal of developing countermeasures to our most prevalent indicators, both within the physical and information environments
In the meantime, OPSEC leaders across the services should focus their efforts on removing administrative requirements within their instructions that distract from filling the direct need of the OPSEC program, countermeasure development for our most prevalent indicators. This will place significant responsibility on OPSEC leaders to revisit why these requirements were initially created and to characterize the risks associated with their removal. Correctly doing so will allow commanders at all levels to make informed decisions about where their unit should focus their efforts to ensure they are protecting their critical information. Knowing that countermeasure development will continue to grow in complexity as technology continues to provide more tools to more people, we must focus on developing OPSEC practitioners that are up to the task.
Jared Freeman graduated from the USAF Academy with a Bachelor’s Degree in Behavioral Sciences, is a Distinguished Graduate of the United States Army JFK Special Warfare Center Psychological Operations Qualification Course, and is a member of the Air Force Information Operations Community. He is currently serving as the Information Operations Branch Chief at Headquarters Air Force Special Operations Command at Hurlburt Field, Florida.
The views expressed are those of the author and do not necessarily reflect the official policy of position of the Department of Defense or the US Government.