There are several lists of OPSEC rules and commandments our there on the internet. Some of them are quite good but I wanted to write my own set of Ten OPSEC Principles.
These OPSEC principles here are designed to avoid compromise (i.e. “getting caught”), and minimize the damage when you inevitably do. The consequence of compromise varies based on your operational activities. To drug dealers or other members of criminal networks compromise means prosecution and jail time. For spies and intelligence operatives, or military special operations types, compromise means some combination of blowing an operation, being arrested or declared persona non grata, getting killed, or getting an informant arrested or killed.
1: Superior technology is not a substitute for superior tradecraft. No matter how good your technology is, it will fail if used carelessly.
2. Never underestimate your opposition. Assumption usually equals underestimation. If there is a doubt about your opposition’s ability to utilize a certain tactic, technique, or procedure, he probably can. On the other hand, assumptions that go too far in this direction can grossly limit the group’s ability to operate. The penalty for overestimation is a reduction in efficiency. The penalty for underestimation is compromise. Conduct meaningful threat models and build your mitigations accordingly.
3: Don’t be interesting. Being interesting draws attention and scrutiny. The guy driving the Maserati uptown might blend right in. The guy parking the Maserati in the trailer park looks interesting.
4: The weakest link in any security system is the human element. Humans are inherently lazy. We look for shortcuts. We get drunk and brag. We make technical mistakes. We are vulnerable to flattery, praise, denigration, and trickery. We like routine and are easily taken off-guard. And we have an uncanny capacity for self-preservation. The humans in your organization will likely betray you – inadvertently or purposefully – before the technology will, especially if you fail to follow Principle 10.
5: The complexity of a system is directly proportional to its likelihood of compromise. Put more simply, complexity is the enemy of security. This is for several reasons. First, complexity lends itself rather handily to mistakes. Sometimes a single mistake is all that is necessary for the adversary to prevail. Complexity also lends itself to shortcuts (see Principle 4) and other human fallibility. Humans want to please and to appear competent. If a system is too complex, the majority of us will “fake the funk” to keep face. I’d rather have a 80% practical solution that will survive the test of time, than attempt to enforce a 90% solution that people will lie about (again, see Principle 4). Take a sober assessment of your personnel capabilities and tailor to the lowest common denominator.
6. Skills and tools are subject to degradation. He who fails to adapt, fails. All skills are perishable and technological advances routinely change the way the game is played. Maintain awareness of your operational field/scientific trends/software updates etc. Even if you don’t, keep your “toolkit” up-to-date in the event you need to shift tools, techniques, or procedures. Additionally, remember that your ability to use a skill is only as good as your ability to teach your comrade the how to use it with you.
7: The size of an operational group is directly proportional to its likelihood of compromise. The larger your cell/enterprise/network/organization, the greater its risk of compromise. Each additional member the group takes on creates a statistically higher probability that some member of the group will be compromised. He or she can then be compelled (through legal or extralegal means) to reveal both operational details and additional members of the group (refer to Principles 4 and 10).
8: Convenience and security are inversely proportional. Over time the desire for convenience will systematically destroy security.
9: Plan for failure. Behave as if failure through compromise is inevitable. What is your plan in the event of compromise? Do you have an exit route? Do you have a data destruction plan? It may not be perfect (it won’t be), but its better than being caught flat-footed. Is your operation perfect? Yes? You’re delusional.
10: Compartment, compartment, compartment. This cannot be overstated, and is perhaps one of the most important-but-overlooked OPSEC principles. If you are facing a serious, well-funded adversary it is very likely that you will be compromised eventually. You can minimize both the risk of compromise and the impact a compromise has by minimizing the number of individuals who know the full scope of operations. When compromise does occur, compartmentation is critical to limiting the damage. Compartmentation is a one of the most basic OPSEC principles, but it can mean many things, including:
- Insulating members of the group from each other,
- compartmenting participants’ interaction (contamination) during operational activity and non-operational activity,
- insulating any single operation from other operations within the same operational portfolio,
- separating operational and personal phones, computers, etc.
This list of OPSEC principles was made possible through some seriously productive back and forth with friend who is much smarter than me in these matters, but who wishes to remain nameless. For operational security reasons. Naturally.