Think Like the Wolf

April 1, 2006
August Vernon discusses how, by using OPSEC, fire departments can learn to look at potential terrorist targets through the eyes of attackers.

Is your fire department involved in hazardous materials or weapons of mass destruction (WMD) responses, criminal investigations, counterterrorism planning, terrorism responses or planning for special events? Is this information sensitive and, if so, how do you keep it away from terrorists and other criminals? How does Operations Security (OPSEC) apply to public-safety agencies?

For fire departments, other public-safety agencies and special operations teams that are involved in planning and training for special events and terrorist incidents, it is critical that OPSEC be used in planning and training efforts. OPSEC is a five-step risk-management process used by military and security professionals to protect sensitive information that adversaries could use to their advantage and your disadvantage. OPSEC does not replace other security measures; it supplements them. As our society becomes more complex and gives rise to many intricate problems, first responders must gain additional knowledge and understanding to protect themselves, their families and the public we are sworn to protect.

Here are examples of why you and your department need to look at implementing an OPSEC program. Is your department involved in:

•Public-safety training and field exercises? (Exercises help us improve, but they also reveal our weaknesses.)
•Emergency management or infrastructure planning and protection?
•WMD and hazmat planning and training?
•Planning for and managing VIP visits, such as those of the President?
•Planning for and managing special events?
•Criminal investigations?
•The Clandestine Drug Lab Task Force?
•A local terrorism task force?
•A local arson task force?
•A special operations team?
•A local tactical medical support team?

Terrorists and organized criminals can take weeks and even months to select their targets and plan their operations. To be successful, they need specific information about personnel, response plans, capabilities and infrastructures. Public-safety managers must look at their organization through the eyes of a potential adversary or "bad guy" and ask themselves, "If I were a terrorist or criminal, could I use this information to harm the agency or disrupt its mission?"

The information that is often used against public safety agencies is not classified; rather, it is information that is openly available to anyone who knows where to look and what to ask. We in public safety don’t always realize how much we are giving away by our predictable behavior, casual conversations and Internet information.

According to an Al Qaeda training manual for Jihad that was recovered in Afghanistan, "Using public sources openly and without resorting to illegal means, it is possible to gather at least 80% of the information about the enemy." According to U.S. Department of Defense (DOD) sources, "For Official Use Only" and other sensitive but unclassified information – such as concepts of operations, operation plans and standard operating procedures – continues to appear on public DOD websites.

In 2002, reviewers found more than 1,500 such discrepancies in government websites. Open-source information is the source of the bulk of adversaries’ intelligence. Internet websites are just one example, along with news reports, telephone directories, travel orders, job announcements, budget documents and newsletters. Bits of information from open sources can be pieced together to form a more complete picture.

An adversary can be anyone who is collecting information about you and your organization and intends to use this information to defeat your operations or plan an attack against you and your resources. This can include terrorists, extremists, organized criminals, drug traffickers and computer hackers. It appears that criminals and terrorists are more determined, violent and heavily armed than ever before, and crisis situations such as terrorist events, organized crimes, active shooters, barricaded subjects and hostage-takings are occurring with alarming frequency.

Vulnerabilities

There are several areas where public-safety agencies are vulnerable to information gathering. Since this is an "open-source" article, just a few examples will be given. It is important that each public safety agency examines its operations and identifies vulnerabilities that could impact operations:

•Unsecured e-mail accounts
•Use of home e-mail for official business
•No trash management plans to stop "dumpster diving"
•No shredding of sensitive documents
•Information posted in agency procedures and guidelines
•Units with no radio encryption
•Use of cell phones for sensitive calls
•Extensive amounts of photos of public safety equipment and people available
•Leaving mission briefs and sensitive documents in your car
•Web cams (there are more of these out there than you think)
•Websites
•Chat groups
•Discussing information with friends and family
•Releasing unscreened information to the media

We all know what OPSEC is, even if we do not realize we are using it. You shred old paperwork and bills and do not give out your credit card numbers to strangers. You do not tell people your Social Security number or home telephone number. In our personal lives, we protect information we consider "sensitive" by considering whether each request is legitimate. This same type of "sensitive information" protection must be applied to our professional lives.

How does OPSEC help you and what does it do for your agency? The effective use of an "OPSEC for Public Safety" program will help ensure that law enforcement, public safety and special operations teams will be able to conduct day-to-day activities, criminal investigations and special operations missions with:

•No injuries or loss of life to personnel
•Protection of personnel’s families
•Safe and secure arrest of "bad guys"
•Safe and secure collection of "bad-guy" evidence
•"Bad-guy" convictions in court
•Protection of vital information
•Protection of infrastructure
•Ensuring the safety and security of a planned special event
•Ensuring that a public information officer (PIO) will release the proper information

The five steps of the OPSEC process for ensuring operational security are the following:

1. Identify critical information a terrorist or criminal may want. This may not be traditional "classified" information, but rather a piece of the puzzle or "indicator" that can reveal your agency’s plans. Do the same unmarked vans covered with radio antennas stage behind the local fire station the day before a clandestine drug lab raid? Does your website show photos of and list the names of members of your local hazmat team or bomb squad? Critical information can include capabilities, strengths, weaknesses, technology and tactics.

2. Conduct a threat analysis to determine what information potential attackers seek and whether they have the intent and capability to harm us. There are two elements of a threat: you must have an adversary with the intent to do you harm and with the technical capability to do you harm. If you believe you are dealing with a threat, it is important to contact your local law enforcement agency to assist in a threat analysis.

3. Perform a vulnerability analysis to determine how an individual or group might disrupt operations or security by using the information. Vulnerabilities are opportunities for adversaries to exploit your critical information, such as publishing sensitive information on public websites or talking about sensitive matters on cell phones that are easily monitored. Often, "indicators" can also point to vulnerabilities. Did your agency suddenly put security or a fence around a location where there was no fence before? These can be indicators that "something is up" at that location and cause an adversary to take a closer look at what is going on.

4. Assess risks and determine the probability that the "bad guys" will obtain critical information and how that could impact your operations. Once again, this is a process that law enforcement can assist you with.

5. Implement countermeasures to minimize an attacker’s ability to discover your weaknesses and strike at your vulnerabilities. If you identify a vulnerability, it is important to consider countermeasures. These can include holding face-to-face meetings with key personnel when planning a special event or mission; minimizing changes in work habits and staffing; not holding special meetings or planning sessions in areas where they will draw attention; limiting the number of people with access to sensitive information; and using encrypted radios. When conducting this process, it is important to review the time available, resources and costs. Not every risk can be addressed or even needs to be addressed.

OPSEC is a fluid process that can be constantly updated and reviewed based on current threats and missions. This five-step process can be used during mission planning or can be implemented real-time at the command post during a critical incident.

Review these two scenarios and identify how these situations could occur in your jurisdiction, what issues could arise and how OPSEC could be maintained:

1. Local law enforcement will raid four active and possibly booby-trapped clandestine drug labs across your jurisdiction at the exact same time over the next two days. The labs are run by a local organized criminal element. This event will involve local and state law enforcement agencies, tactical teams, bomb squads in an operational role, and fire, hazmat and EMS in a support role. The plan is extensive and will require several resources from local public-safety agencies. In this event, do hazmat, fire and EMS need to know all the specifics of the event or just that certain assets will need to be available on certain days? How much pre-planning information should be given to the public-safety agencies so they can prepare for these raids? Should only one fire representative be the liaison or should each agency be provided the information?

2. Your local terrorism task force has spent the past several months compiling an extensive and detailed risk and threat assessment. The assessment lists the top 10 possible highest-threat targets in your jurisdiction and the vulnerabilities of each. Since the assessment was completed with the assistance of a large federal grant, there is much interest from local media and elected officials in what happened to the money. Both the media and the elected officials have been approaching members of the task force, asking for information and stating that it is important that the public know how the grant funding is being used. How much information should be released?

Planning and Training

The U.S. Department of Homeland Security offers a three-day "OPSEC for Public Safety and Counterterrorism" training course. Any sworn member of a U.S. law enforcement, fire-EMS or emergency management agency may register. There is no registration fee and the course is on the Office of Domestic Preparedness (ODP) approved course list.

Identical courses are delivered at the Interagency OPSEC Support Staff (IOSS) Training Center in Greenbelt, MD, and the Federal Law Enforcement Training Center (FLETC) in Glynco, GA. To register for the DHS Greenbelt, MD, course, go to www.ioss.gov and click on Homeland Security. To register for the DHS/FLETC course at Glynco, GA, go to www.fletc.gov, click on Training Programs, then Counterterrorism Division and then CTD Training. If you are a local or state agency, you must register through FLETC state and local programs. From the FLETC website, click on Training Programs, then State and Local Programs.

One-day OPSEC training programs are available for field delivery to the DHS-designated Urban Area Security Initiative (UASI) cities. For more information, contact the DHS Office of Security, Training and Operations Security Division at 202-205-0484. Additional information can be found in the textbook Special Operations for Terrorism and Hazmat Crimes by Chris Hawley, Greg Noll and Mike Hildebrand, available at http://www.redhatpub.com/sops.htm.

Conclusion

Every public-safety agency should conduct research into the subject of protecting "critical information" and have a plan in place to address any vulnerability that may arise. The more our public-safety agencies prepare, the better prepared they are to respond to and effectively manage any type of situation that may arise.

August Vernon is the assistant coordinator of the Forsyth County, NC, Office of Emergency Management. He recently returned from a year in Iraq as a security contractor. Vernon is also an adjunct instructor for the U.S. Department of Homeland Security’s OPSEC for Public Safety program. He has been involved in emergency management since 2000 and a member of the fire service since 1990. Vernon served in the U.S. Army as an NBC (Nuclear, Biological and Chemical) Operations Specialist. He teaches incident management, hazmat operations and terrorism/WMD and can be reached for questions or comments at [email protected].
