A few years ago, I attended the National Operational Security Conference. In one of the lectures I attended, the speaker played a clip from an old episode of Saturday Night Live that aired during the Persian Gulf War. You can read the transcript of that sketch here, and anyone who uses Netflix can view it online (Saturday Night Live: The 1990's, Season 16: Ep. 12 (Kevin Bacon)). It's a good illustration of the challenges faced by anyone whose job is to disseminate information to the public while protecting information that could be potentially damaging.
The military term for protecting critical information from exploitation by an enemy is Operational or Operations Security, or "OPSEC". The military goes to great lengths to train personnel of all stripes to protect information that could be useful to adversaries, and a legion of Public Affairs Officers are specially trained to provide relevant information to the public without divulging secrets that could jeopardize personnel or operations. In the corporate world, this is accomplished by strategic communications specialists. Although the military stakes are often higher, companies take the control of information very seriously. Improper disclosure of sensitive data about a corporation or other organization could encourage corporate espionage, or damage the public's perception of that organization. The same is true of the military, with the added risk of endangering the lives of personnel and the effectiveness of missions vital to national security.
The military uses the Five Step OPSEC Process as a tool to help protect sensitive information. The process is as follows:
1) Identify critical information
2) Threat analysis
3) Vulnerability analysis
4) Risk assessment
5) Implement OPSEC Measures
The best OPSEC principle I've ever heard is called "The New York Times Rule", or the "Karachi Corollary". When determining whether information should be protected or released, ask yourself: "Would I want this information to be published on the front page of the New York Times? What about on the screen in an Internet cafe in Karachi, Pakistan?" More often than not, the answer is "no".
As with any functional area of security, the best advice is to err on the side of caution. If you think that a piece of information could be useful to an adversary, it probably could be. Organizations with security concerns should do their best to promote a culture of awareness and caution.