News | Feb. 1, 2017

Protecting Critical Information

By Dianne Ryder

Do you practice good operations security? It’s a prevalent theme throughout the Defense Logistics Agency — echoed on posters, screen savers and flyers throughout the agency’s headquarters. 

Stephanie Samergedes, director of DLA Intelligence, said many employees misunderstand what her office does. 

“We are about information protection, whether it’s classified or sensitive,” she said. “People think OPSEC is only important during wartime, but we have to protect indicators over here, too.”

OPSEC indicators are seemingly innocuous actions and open sources of information that adversaries can use to extract critical information and possibly cause harm to national security.

Samergedes said her team, which includes DLA OPSEC program manager Joan Daigle and HQC program manager Matt Baker, attempts to raise employee awareness about OPSEC best practices.

“We try to do a lot of training with security representatives to make sure they understand what’s considered critical information,” Samergedes said. 

But OPSEC is everyone’s business, even if individuals don’t recognize their personal responsibility, she said.

“Everybody practices OPSEC. If you’ve ever planned a surprise party, you’ve had to plan the event, get the cake, make sure the celebrant is unaware of the plan — that’s all OPSEC,” she said.

The DLA Intelligence office is required by a Department of Defense directive to conduct surveys every three years to enhance mission effectiveness. 

“This fiscal year, we’ve asked an outside activity, the Joint OPSEC Support Element, to conduct OPSEC surveys for us,” Daigle said. “It’s helping us focus our program more — that’s the goal.”

“Surveys help identify systemic issues and determine policy changes,” Baker said. “JOSE helps identify vulnerabilities, reinforce strengths and customize training.” JOSE is part of the Joint Chiefs of Staff’s Joint Information Operations Warfare Center.

Lee Oliver, chief of plans and operations for JOSE, defines his organization’s role as “a second set of eyes” to identify vulnerabilities and help agencies define critical information.

“People have to understand that there is a threat; there is an adversary that wants our information,” Oliver said. “What may appear to be mundane pieces of unclassified information all become pieces of a puzzle.”

Oliver said that while each individual “puzzle piece” may seem unimportant, when adversaries collect them, the little pieces come together to form the critical-information big picture.

“You may not think it’s important, but what does the adversary think about?” Oliver said. “Logistics is a major part of everything we do; from the smallest widget to largest end item, there’s information out there that the adversary can use to effectively stop major operations.”

The surveys reproduce the adversary’s capabilities and help determine if DLA’s critical information is being disclosed through normal operations and functions. 

“They’re looking at the things that we do day-to-day,” Daigle said. “Do I throw all my work in the trash can? Do I talk about critical information or privacy information in unencrypted communications?”

The assessments allow JOSE to help DLA refine training and planning and set up countermeasures using an adversarial perspective, Daigle said. 

There are some common practices that employees should be aware of and improve, such as email encryption and use of secure phone lines, especially when employees are discussing mission information, shortages or vulnerabilities.

“Even though it may not be classified, that information is still susceptible to collection,” Daigle said. 

Survey teams have also uncovered “For Official Use Only” documents and other pieces of critical or privacy information in the trash when they should be shredded, Daigle noted.

“And it should be shredded with a cross-cut shredder, not a strip shredder,” she said. “We’re finding several strip shredders — and we shouldn’t even have those anymore.”

If employees don’t have access to a shredder, they should use a burn bag if available at their location — even for unclassified information.

Oliver said JOSE uses DLA as a “shining example,” particularly in regard to the success of its shred program. But he admits, “Everyone has their policies — but not everyone follows them.”

All organizations should have a clearly defined policy on what information should be shredded and what should be recycled. But when in doubt, Oliver said employees should contact their agency’s OPSEC coordinator.

“Understand what your command has identified as critical information and refer to the critical information list,” he said. “It’s an order from the commander or the director [of the organization].”

Encrypting emails is another crucial line of defense in protecting information. When employees attempt to send an encrypted email to a colleague but encounter an error message that the recipient can’t receive encrypted communications, Oliver said the temptation is to send the information unencrypted. 

“You can go to the global directory and pull the recipient’s certificate down,” he said. “Or ask them to send you a digitally-signed email; then you have their certificates.”

Though it may seem inconvenient to digitally sign and encrypt emails, it deters the enemy. “If it’s hard for you, it’s hard for the bad guy,” Oliver said.

“We don’t want to advertise everything we’re doing,” Daigle said. “We want to use secure means to communicate to the workforce.”

This information can include anything from supplies on hand, lack of supplies, details about procuring product, or even system changes, she said. Just as diversionary tactics are used when transporting fuel and weapons on the battlefield, DLA employees should use best practices to thwart technological attacks.

Daigle also emphasized the importance of protecting personally identifiable information, or PII, which includes contact information, credit card numbers, Social Security numbers and personal addresses. 

“Adversaries may be collecting information for years,” she said. “They’re trying to find the weak links.”

Oliver reiterated that most adversaries targeting defense systems do so through open source information, to include social media and dumpster diving. He said they aren’t likely to risk prosecution by trying to obtain classified information.

“We live in an open society now; everything is free information flow and no one thinks that what they have is something an adversary wants,” he said. “Because [in most people’s minds], there isn’t an adversary — but there really is.”

“The more we can protect in our normal operations, the better off we are in the future as well,” Daigle said. 

Oliver, who has worked with OPSEC for more than a decade, said he has noticed a marked improvement in DLA’s OPSEC program.

“[DLA] had a good program to begin with, but it was just getting the point across,” he said. “It just keeps getting better and better.” 

He attributes the improvement to increased leadership involvement.

“To say, ‘Do OPSEC,’ doesn’t mean anything. You have to tell them what it is you want and how you want them to do it,” Oliver said. “They have to understand they are part of a bigger picture.”