30 March 2018

Do You Even OPSEC, Bro?

By John PWN Jones

John PWN Jones is a former surface warfare officer, a lateral transfer to the CW community, and is fine with you proving him wrong. He’ll email you on the “high side” if you make enough stink, and used a pseudonym because not today, ISIS. The opinions here are his own, and do not represent the views of the Department of Defense. Remember when we didn’t do our adversary’s targeting for them? Remember when we didn’t openly acknowledge our personnel’s associations with intelligence agencies? Remember when we didn’t freely put targets on the back of the military? Pepperidge Farms remembers.

Despite signs decrying the effects of loose lips hanging fleet-wide alongside ubiquitous PURPLE DRAGON posters, we expose our intelligence community (IC) professionals to unnecessary risk several times each year through a careless mix of poor operations security (OPSEC), administrative oversight, and/or intentional laziness.

Finish reading this, and then open up your browser and Google “cryptologic warfare officer.” The first link will outline the typical scope of work for a CWO: perhaps working at NSA, operating/managing national systems, or conducting computer network operations (a term no longer used in joint doctrine, a sign that we really are not contemplating what we put out in the open). With a few short keystrokes, you will probably develop an intuitive appreciation for the sensitive nature of cryptologic warfare and of the greater information warfare (IW) community’s line of work—contrary to clichéd notions of Cheetos-stained keyboards and crinkled Mountain Dew cans. Intelligence officers and their intelligence specialist enlisted counterparts are exposed to the same threat—perhaps even more so—given that their job descriptions contain the word “intelligence.” Understanding that the IW community is effectively a uniformed arm of the IC, what if I told you that we compile a list of people with tip-top security clearances and then offer them up to anyone with an internet connection?

As it turns out, the process of releasing promotion and lateral transfer results via record message traffic gives our adversaries an itemized (and alphabetical!) roster of those who regularly carry the most sensitive accesses in government.

But it’s not just the promotion rolls.

We proselytize to ourselves via magazines like InfoDomain, which habitually aggravate the problem by posting high-resolution photos of cryptologic technician sailors, showing their faces, awards, and coworkers while pointing out their duty stations and responsibilities. The oddly named Information Warfare Self Synchronization Facebook page has linked to at least one article centered around, containing screenshots of, and linking to a leaked TOP SECRET NIOC course brief. Complementing the IW Self Sync page is Station Hypo—a page that laudably aims to preserve a 75-plus-year heritage that existed in the shadows for much of its life. Despite its lofty intentions, Station Hypo frequently posts graduation pictures of new accession officers. Congratulations, you’re burned before you arrive at your first duty station!

You’re being irrational. No one else thinks like this.

Special Operations Command (SOCOM) recognized and addressed this vulnerability years ago with their identity management program. Why aren’t we doing the same?

Okay, so they have a name, a photo, and maybe can figure out accesses through open-source intelligence (OSINT) and a ribbon rack—what does it matter?

If we are to buy into the notices posted above the urinals clamoring about keeping America’s secrets safe, then these concerns are of utmost importance:

1) IC personnel on international travel (for personal or professional reasons) are at higher risk of detention and questioning by host-nation customs or of approach by a hostile intelligence service. Unless the traveler has appropriate training (e.g., SERE—survival, evasion, resistance, escape), professional interrogators can draw out valuable information or use the traveler for propaganda purposes.

2) Social media provides an easy avenue to target personnel via the internet. Sites like Facebook present a goldmine of targeting material and can aid in network construction (mapping who works with whom) and follow-on target refinement. “Hook-up” sites like Tinder and Grindr provide a physical access vector for blackmail and/or emotional exploitation . . . and yes, that person is way out of your league.

3) Sailors who desire follow-on work in agencies that require even a modicum of anonymity (e.g., CIA, DIA) are burned before they can apply. Publishing the names of intelligence community professionals does them a disservice and effectively discards a significant monetary investment in their high-demand skillsets while at the same time shrinking the applicant pool.

4) Despite years of repetitive mandatory online training, we continually shoot ourselves in the foot. Highlighting IC personnel consistently puts our networks at risk by presenting advanced persistent threats (APTs, read: nation-state hacking organizations) with a ready-made spear-phishing and social-engineering hit list.

But John, aren’t you helping our enemies by showing them how to exploit us?

If you think there are not five guys in the “America Target Office” in Country Orange huddled over a database with all of our names and faces, I have got some oceanfront property in Arizona I would like to sell you.

This is all hypothetical, right?

Ask the people targeted in ISIS’s “Top 100.” With a little ingenuity and legwork, a hastily assembled crew of hackers compiled an in-depth target deck from open-source intelligence alone. So what do you think nation-state actors/APTs are capable of?

Now you’re just being negative.

I’m just being honest. To add fuel to the fire, if you are reading this, you were most likely affected by the Office of Personnel Management data breach, in which nearly ALL of our SF-86s were lost, likely to an APT. With that knowledge in nefarious hands, the access vectors to get to (and through) you have multiplied. This is now a GENERATIONAL problem.

But doesn’t Congress require notification in open sessions? It is already a matter of public record, right?

10 USC § 624 directs that officers selected for promotion be placed on a promotion list by competitive category, in order of seniority, but that is merely direction to the services on how to create and maintain promotion lists; it says nothing about broadcasting them. Furthermore, House of Representatives Rule VII, Section 4 allows the clerk to determine the scope of release, preventing disclosure if availability would be detrimental to the nation.

Okay, so the sky is falling, now what?

The first steps are simple:

1) Stop enumerating the IW community through public release of promotion and lateral transfer board results. Release results over SIPR, P4 message traffic, or at least through a CAC-protected portal.

2) Severely restrict posting on, increase scrutiny of, and/or remove organizationally owned, IC-related social media pages and websites. Move communication to SIPR where possible, and scale back public affairs efforts that are not justifiable necessities.

3) Take an honest look at what we as a service are putting out across the board, regardless of designator. Is it really in our best interest to parade our personnel in public?

Protecting our sailors is paramount.

Let’s do better.