Lieutenant Colonel Richard Millikan
Since the dawn of warfare, warfighters have realized the need to protect information from their adversaries’ collection efforts. While not always referred to as Operations Security (OPSEC), the concept of protecting friendly information has remained the same for centuries. Yet after ten years of ongoing combat operations, the Department of Defense (DOD) continues to struggle with the importance of applying OPSEC to operations. Per DOD Directive 5205.02,” as an operations activity, OPSEC will be considered during the entire life-cycle of military operations or activities.” Hence, it is imperative that commanders ensure planners understand and integrate OPSEC throughout the planning process.
For decades, the US military has viewed OPSEC as a simple program that required little more than an annual briefing and some posters to be successful. OPSEC was the commander’s program normally assigned to junior officers as an additional duty and managed within the ship or halls and walls of a unit. This mindset has seen a marked transformation since the attacks of 9/11. OPSEC programs have improved dramatically across all services. Beyond the ship/unit, OPSEC has spread to Family Readiness Group meetings, unit websites and unit weblogs. However, the one place OPSEC has remained dormant is integrating OPSEC into the planning process and into operations beyond the halls and walls of the unit.
Commanders, OPSEC-trained personnel, and planners must work together to operationalize OPSEC; that is, OPSEC must be properly integrated into a plan from start to finish. It must also be enforced by leaders at all levels during each phase of the operation. When this occurs, OPSEC becomes more than an additional duty, it becomes a force multiplier. The key to operationalizing OPSEC is the commander’s endorsement and leadership enforcement at all levels.
To make OPSEC a force multiplier, the planner and commander must coordinate with the unit OPSEC Officer or OPSEC Program Manager (OPM). The planner must address concerns about the operation where vulnerabilities to disclosing critical information exceed the level of risk set by the commander. Once vulnerabilities are identified, corrective actions and training can be implemented. Implementation of OPSEC measures that minimize disclosures to the adversary sets OPSEC in motion. Minimizing the adversary’s ability to identify friendly forces’ intentions and reducing his ability to collect critical information cannot be understated.
With constant command-wide enforcement of OPSEC measures, troops develop habits (shredding or burning all papers, not referring to future activities in unsecure emails or phone calls, etc.) that limit the adversary’s ability to collect information. When the adversary cannot collect friendly operational information easily, the probability for successful mission accomplishment increases.
A plan without OPSEC puts lives at risk. Understanding the definition of OPSEC and properly applying OPSEC in operations is imperative to the mission’s success. Per DOD Directive (DODD) 5205.02 dated 6 March 2006, the definition of Operations Security is:
A process of identifying critical information and analyzing friendly actions attendant to military operations and other activities including:
− Identify those actions that can be observed by adversary intelligence systems.
− Determining indicators, that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries.
− Selecting and executing measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.
Reviewing the definition, commanders and planners must learn to think like the adversary. For example, when developing the plan for an activity or operation, the planner must ask, “If I were the adversary, what I would need to know to make this operation fail? If they see my troops doing X and know my pre-mission routine is Y, can they determine we’re going to do Z?” Finally, the planner should ask, “Okay, what methods will the adversary use to collect information about my intentions?” By looking at their plan through the eyes of the adversary, as well as from the friendly point of view, planners are more likely to integrate OPSEC throughout the entire plan.
Unclassified information critical to the success of an operation must be denied from the adversary’s collection methods. The adversary must also be denied information allowing him to determine friendly forces operational indicators such as unit morale, equipment readiness, discipline and other unit dynamics that effect friendly forces’ ability to conduct daily operations. These aspects of protecting unclassified, critical information are often missed during the planning process.
To gain our unclassified critical information, adversaries use various collection methods. Planners must request information from the Intelligence officer regarding the adversary’s ability and capabilities to collect friendly information. For example, if the adversary is experienced at collecting Human Intelligence (HUMINT), such as eliciting information from the troops, a strong command emphasis must be placed on continuous training covering the vulnerabilities associated with talking to locals. Should the adversary have capable Signals Intelligence (SIGINT), a constant command emphasis must be placed on the vulnerabilities of discussing unclassified, yet sensitive operational details on cell phones and non-secure landlines. Further emphasis and awareness must be put on encrypting appropriate .mil or .gov emails. Open Source Intelligence (OSINT) is another common source of collecting information. Adversaries are proficient in reading and analyzing personal posts/blogs on Social Network Sites (SNS), such as Facebook and MySpace. Commanders must enforce a “blog policy” to minimize the risk of operational indicators disclosed in an open forum. Once the planner has an understanding of the adversary’s collection capabilities, the planner must recognize friendly-forces vulnerabilities. For help in understanding vulnerabilities, the planner should coordinate with OPSEC-trained personnel.
The Critical Information List (CIL) must be developed during the early stages of planning. The CIL is an unclassified list of items identified by the commander as critical to the success of the operation or mission and is, usually no more than ten items. It is unclassified, for official use only (FOUO), so that all members of the unit have access to it. A sample CIL might read as follows:
By order of the commander, the following information will not be discussed publicly, over open, non-secure phone lines, cell phones, unencrypted emails, weblogs, social network sites (SNS) and to anyone without a need-to-know:
− Unit strength, shortages, casualties and morale
− Equipment/weapons readiness status or supply/fuel/ammunition status
− Date/time of unit movements
− Unit tactics, techniques, procedures (TTP) and standard operating procedures (SOP)
− Details of combat operations, flight operations, convoy operations, WIAs and KIAs
− Arrival/departure of VIPs or units/ships in our area of operations
By adding the CIL to the OPSEC tab of the plan, the commander is using his/her authority to say, “Specific details pertaining to the items listed in this CIL contain important bits of information that must be protected during this operation”.
During peacetime or war, each command should have a CIL in effect at all times. However, when it comes to planning major operations, each plan must have its own CIL. Many items on the CIL for a particular operation may be identical to a unit’s standing CIL.
For example, a unit in Hawaii receives classified orders to deploy to S. Korea. This unit will be issued additional cold-weather equipment and uniforms for the deployment. Note that the location and duration of the deployment is classified, but issuing cold weather gear is not a classified activity. This amplifies the need for OPSEC, a CIL and the need to keep disclosures of cold weather gear and equipment out of the public-information domain. Commanders must also weigh the risk of possible disclosures along the supply chain outside his chain of command. The commander informs his staff and leadership chain to implement OPSEC measures to contain information regarding the additional cold-weather gear. On the day units begin receiving the gear, an order is given that no personal cold-weather gear is to leave post. Further, no one is to talk about the new gear to non-unit members, post information about the gear on Internet blogs or personal social network sites (SNS).
With the commander’s weight behind the CIL and leadership enforcement down to the lowest level of the unit, the chances of disclosures are minimized. Planners must remind leaders to keep OPSEC awareness at a high level before, during, and after an operation. Complacency and inconvenience are dangerous enemies of OPSEC measures.
Like integrating and operationalizing OPSEC measures, termination should also be addressed in the plan. For example, if the element of surprise is an initial objective of an operation, after the operation begins the resources implemented to keep the operation a surprise can be diverted elsewhere or to another phase of the plan. It makes no sense to divert resources to protect critical information that no longer needs protecting. A planner trained in OPSEC can identify those situations and inject decision points into the planning matrix.
Finding OPSEC-trained planners is not easy, yet there is a simple solution for the commander. OPSEC, being a commander’s program, sending a senior NCO or officer from the Operations section is advisable. The US Army’s 1st IO Command offers an OPSEC Planners Course specifically geared towards the Army. Currently, the DOD does not offer a “Joint OPSEC Planners Course”; however, the Joint Information Operations Warfare Center’s (JIOWC) OPSEC Support Division is developing such a course (expected by FY13). The Interagency OPSEC Support Staff (IOSS) also manages several OPSEC courses. A good course for planners to attend is the Operations Security Analysis & Program Management course (OPSE-2500). Note that the OPSE-2500 course is not a “planning” course. The OPSE-2500 covers the OPSEC process and fundamentals of OPSEC. After completing this course, planners possess the knowledge needed to operationalize OPSEC as a force multiplier. The Army’s course is three days long and OPSE-2500 is four days long. The IOSS’ course is five day’s long. Commanders should identify planners to attend one of these courses, especially prior to deployment.
Operationalizing and integrating OPSEC into operations cannot be accomplished by the person assigned the additional duty of OPSEC officer. Planners need to invest time to understand the five-step OPSEC process. This can be accomplished through one of the aforementioned courses or various resources such as the IOSS (www.ioss.gov) for free materials and training aids.
The world seems more dangerous than at any time since the Cold War. Tensions and combat operations throughout the Middle East, Islamic terrorists in Africa, and the uncertainty of a new ruler in North Korea serve notice of trouble on the horizon. The need for OPSEC will never go away as long as there is an entity somewhere in the world whose views oppose those of the United States and her allies.
OPSEC is a commander’s program but it is not limited to the halls and walls of an organization. Yet, during crisis situations or sustained combat operations, commanders deserve OPSEC-trained planners capable of viewing their plans through the eyes of the adversary, as well as from the friendly point of view. The concept of applying OPSEC as a force multiplier may seem extreme, but it isn’t. OPSEC can save lives and help win battles when integrated into an operation from the beginning of the planning process, endorsed by the commander and enforced by leaders command-wide and the troops are trained to minimize critical information disclosures.
About the Author –
LTC Millikan currently serves as the Operations Officer at the Joint Staff’s JIOWC/OPSEC Support Division. He has served as a JTF OPSEC Officer, a COCOM OPSEC Program Manager (OPM) and deployed to Iraq and Afghanistan in Information Operations and OPSEC positions. He is also a certified Adjunct Instructor for the National Security Agency (NSA) in OPSEC curriculum. He has completed several OPSEC course sponsored by the IOSS and a graduate of the Joint Information Operations Planners Course (JIOPC). He holds a Master’s of Science in Management.
 A capability that, when added to and employed by a combat force, significantly increases the combat potential of that force and thus enhances the probability of successful mission accomplishment. The Dictionary of Military and Associated Terms, US Department of Defense, 2005
 The CIL should be accessible to US Government civilians and contractors, as well as military personnel assigned to the unit or organization.
 Major operations include those operations which are not normally considered routine. These include preparation for deployment or movement from home station during a crisis or national emergency or a major combat offensive, for example.
 Army personnel completing the OPSE-2500 course receive a Project Development Skill Identifier (PDSI) of H1B. Commanders and planners should seek these qualified NCOs and officers for OPSEC assistance when needed.