Are We Our Own Worst Enemy? Safeguarding Information Operations Stephen W. Magnan The reality is that the vulnerabil to visually acquire satellites with ity oftheDepartmentof the naked eye and even lists six Defense(cid:151)and ofthe nation(cid:151)to Internet Uniform Resource LOcator offensive information warfare addresses where one pan find pro attack is largely a self-created grams and information on the problem. Program byprogram, location of the (cid:147)spies in the skies.(cid:148) economicsectorbyeconomicsec He refers to several Internet sites in tor, we have basedcritical his article that offer the capabilities functions on inadequatelypro to track the locations, routes, and tected telecomputingservices. In times certain satellites will pass the aggregate, we have createda over specific locations. Mostarticles abouttheUS target-rich environment, and US industry hassoldglobally much information ofthegeneric technology thatcan India(cid:146)s NuclearTests superhighway have be used to strike these targets. concentratedonthe need In May 1998, India conducted a for better physical (cid:151) Report ofthe Defense Science series of underground nuclear tests Board Task Force on Information that, according to the~press, the security, while at the Warfare-Defense (IW-D), Clinton Administratioi~i learned same time identifying November 1996 about when India publicly many ofits cyber-related announced the tests. This prompted vulnerabilities. Most articles about the US informa widespread speculation about how tion superhighway have multibillion-dollar US surveillance 9, concentrated on the need for bet and reconnaissance assets could ter physical security, while at the have missed the critical clues that same time identifying many of its revealed the impending tests. India cyber-related vulnerabilities. Few readily admitted that it knew how address what possibly is the most to deceive the United States. It ref vulnerable element(cid:151)the human erenced information the United operators(cid:151)and the inability of States had shown it in the past and those operators from the policy also downloaded tools freely avail level down to practice good opera able from the Internet. In an tions security (OPSEC). Associated Press article of 15 May 1998, Indian nuclear researcher G. In a 4June 1998 Guardian Online Balachandran stated, (cid:147)It(cid:146)s not a fail article by Duncan Campbell, enti ure of the CIA. It(cid:146)s a matter of their tled (cid:147)Hiding from the Spies in the intelligence being good, our decep Skies,(cid:148) he states, (cid:147)The Internet has tion being better.(cid:148) made tracking and evading spy sat ellites child(cid:146)s play.... Data and An action that further assisted the programs downloaded from the Net Indians in their deception cam enable anyone to track the satel paign was the (cid:147)sharing(cid:148) of lites and work out when the spies intelligence and overhead imagery Stephen W. Magnan is in the sky are overhead.(cid:148) Campbell by the United States. In an effort to a captain in the US Air Force. also provides instructions on how thwart a nuclear test in December 97 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2000 2. REPORT TYPE 00-00-2000 to 00-00-2000 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Safeguarding Information Operations 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Center for the Study of Intelligence,Central Intelligence REPORT NUMBER Agency,Washington,DC,20505 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES Studies in Intelligence. Volume 44, No. 3, Summer 2000, No.9 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE Same as 7 unclassified unclassified unclassified Report (SAR) Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 Information Operations (cid:147) The commissionthatwas formed to evaluate why the inteffigence 1995 andJanuary 1996, the United sealedenvelope containing the community failed to States had shared this information name ofa computersystem and predict the Indian with the Indians to convey the mes told herto use any abilities or sage that (cid:147)We know what you are nuclear tests concluded resources thatshe had toget into doing and do not approve.(cid:148) Dem that the IC needs a good thatsystem. Withoutmissing a onstrating the US capability to track overhaul. beat, she loggedon to an easily India(cid:146)s actions, and the fact that the accessible military computer United States was tracking their (cid:145)9 directory tofind outwhere the actions, directly informed the Indi computersystem was. Once she ans that they needed to develop a foundthesystem in the directory, superb OPSEC and deception she couldsee whatoperatingsys campaign. under a new and improved man tem it ran and the name ofthe agement and supervisory staff, who officerin chargeofthatmachine. The commission thatwas formed to will tell or show the analysts how Next, she called the baseandput evaluate why the intelligence com to do a better job with the avail herknowledge ofmilitary termi munity (IC) failed to predict the able resources. nology to work tofindout who Indian nuclear tests concluded that the commanding officerwasat the IC needs a good overhaul. It OPSEC requires the same elements theSCIF~ asecretcompartmental directed little attention, however, to as the imagery analysts do: ized informationfacility. (cid:147)Oh, India(cid:146)s successful deception effort improved education and training yes, MajorHastings.(cid:148) Casually, or to development of an informa and increased billet authorizations. she told theperson she was talk tion operation (JO) perception OPSEC requires as much senior- ing to thatshe couldn(cid:146)t think of management campaign. Instead, it level support as do the other ele MajorHastings(cid:146)s secretary(cid:146)s recommended reviews of policies, ments. Furthermore, all elements of name. (cid:147)Oh, (cid:147)came the reply. (cid:147)You changes in leadership and manage 10 can no longer be common-sense meanSpecialistBuchanan.(cid:148) With ment philosophies, and based(cid:151)they are not integrally that, she calledthe data center organizational structures. The com linked to each other. and, switchingfrom nonchalant mission(cid:146)s recommendations to authoritative, said, (cid:147)This is Spe address, in a generic manner, the cialistBuchanan calling on symptoms of the problems, not the Beatingthe System behaIfofMajorHastings. He~ causes: been trying to access his account - Katie Hafner andJohn Markoff, in on this system and hasn(cid:146)t been The organization needs to be their book Cypeipunk: Outlawsand able toget through, andhe(cid:146)d like scrubbed, andJam talking about Hackers on the ComputerFrontier, to know why.(cid:148) When thedata theICorganization, notnecessar give an instructive example of how centeroperatorbalkedand ily the CIA, to improve the clarity easy it can be to access a com started recitingfrom theproce ofthestructure, tofix responsibil puter system: dures manual, hertemperflared ities, to resource thestaffwith andhervoice dropped inpitch. appropriate tools, and to inform While in Washington, Susangot (cid:147)Okay, look, I(cid:146)m notgoing to theorganization oncethatreview the chance to demonstrate her screw around here. What isyour has takenplace. (cid:147)social engineeringskills.(cid:147)As name, rank, andserial num Susan latertoldthestoly, a team ber?(cid:148) Within 20 minutes, she had No mention was made of improv of. colonels andgeneralsfrom whatshe laterclaimedwas classi ing education or training, increasing threeservice branchessatata fieddata on thescreen ofthe manpower, or dedicating more long conference table with a com computeron the table. A colonel assets to those who need it mOst(cid:151) puterterminal, a modem, anda rosefrom hisseat, said, (cid:147)That will the workers. Therefore, the imag telephone. When Susan entered be enough, thankyou very ery analysts will continue-to work the room, they handedhera much, (cid:147) andpulled theplug. 98 InformationOperations (cid:147) DoD has to realize that the human element, not the computer, remains This story may or may not be based of information warfare. OPSEC is the true cornerstone of on a true incident, but similar such not a dead program! It is also not a incidents occur on a daily basis information warfare. function of the IC but of the Opera around the world. In 1997, theJCS 9, tions (J-3) Community. mandated the conduct of the first- ever No-Notice Interagency Exer cise (NIEX) based on an JO Presidential Commission scenario as part of the ELIGIBLE Approaches to the Problem RECEIVER exercise series. Several The President(cid:146)s Commission on other Unified Command command The DoD has more than 2.1 mil Critical Infrastructure Protection ers have also ordered that similar lion computers, more than 10,000 (PCCIP), established in 1997 to JO-based exercises be conducted Local Area Networks (LANs), and evaluate the vulnerable compo within the confines of their more than 100 long-distance net nents of US critical infrastructures, command. works. More than 95 percent ofthis published its findings in an unclas system is commercial, commercial sified report titled Critical These 10-based scenarios are based, or leased from commercial Foundations: ProtectingAmerica(cid:146)s designed to test the Blue Team(cid:146)s sources (phone lines, computer Infrastructures. It identified eight ability to overcome an unknown hardware and software, and ser critical components: t~lecomrnuni adversary who will be attacking vice contracts). cations, transportatior( banking/ from an unknown location and time finance, electrical power, oil and against a large variety ofpotential The DoD is taking some actions to gas production and storage, water targets. The goals of these exercises prevent similar exploitation of the supply, emergency services, and are to prepare the United States for US critical infrastructures, but, once government services. The report any type of JO attack, to get US per again, these actions are mostly detailed how reliant the United sonnel (cid:147)thinking outside the box,(cid:148) cyber- and computer-related. Is the States is on those systems and how and to test the US ability to thwart popularity of JO-related exercises vulnerable the systems are to dis such an attack. Thus far, the Red merely a result of the (cid:147)newest fad,(cid:148) ruption or destruction. The report Teams for these 10-related exer available funding, or survival tech does not identify the exact location cises have achieved unprecedented niques? By repeating Red Team of critical nodes, but it emphasizes victories over the Blue Teams. victories from one Unified Com the vulnerabilities associated with mand or agency to another without the identified infrastructures. It fur ELIGIBLE RECEIVER 97-1, as well trying to fix the problem(s) creates ther implies that schematics, which as several other 10-based exer a (cid:147)self-licking ice cream cone(cid:148) for outline the specific locations and cises, disclosed several human the JO community, that is, an breakdowns of these critical nodes, vulnerabilities in the cyber world, ensured mission and fund site for are available either for free or for a including the ease with which Red the foreseeable future. small fee. The entire PCCIP report, Team personnel (cid:147)socially engi as well as subsequent updates, is neered(cid:148) Department of Defense One major obstacle some DoD available on the World Wide Web. (DoD) personnel and the vast agencies have overcome, however, amount ofvaluable information the is the propensity to create a (cid:147)loop The publication ofthe PCCIP report Red Team was able to collect from hole(cid:148) so the Blue Team always is a two-edged sword. It offers a the Internet on a daily basis. When wins. This fact alone demonstrates wake-up call to the United States participants were asked who was some have taken a paradigm shift about many of the possible threats addressing the recommendations and a step in the right direction. it faces on a daily basis and actions and conclusions from after-action But one more paradigm shift is that need to be taken~to avoid such reports for past 10-based exercises, required. DoD has to realize that threats. On the other hand, it offers the answer was always, (cid:147)That(cid:146)s a the human element, not the com an excellent targeting res3urce good question.(cid:148) puter, remains the true cornerstone launching pad: if someone with 99 Information Operations TheWebalreadycontains sensitive information about US military aggressive intent, either for war about the theft until it is too late. personnel, units, planning or terrorist purposes, were Consequently, OPSEC is becoming capabilities, and to read, study, and analyze this more of a priority in the private document, a great deal would be functions, which can be sector. learned about a potential US Achil accessed anonymously les(cid:146) heel. The experience of Ellery Systems, from anywhere in the Inc., provides a good vulnerability world. The PC~IP consolidated all the case study. Ellery Systems was a information, statistics, and even vul 9~ leading information systems/soft nerabilities for anyone who wants ware products/engineering services to read about them. The best company based in Boulder, Colo counter-argument would be: if a rado. Leading corporations, bullet has your name on it, it is The tendency to fall into the pub government agencies, and universi going to get you...but you do not lish-or-perish mode is not the ties worldwide used its software stick your head out of the foxhole exclusive preserve of the academic and services to provide practical to see if you can read the names community. It appears to be just as information systems solutions for on the incoming bullets! The same relevant to the DoD, contractor, scientific, educational, medical, holds true with the PCCIP. Even and other DoD-related industries. manufacturing, aerospace, defense, though this information is unclassi With this in mind, the United States and financial applications. In a case fied and available in open-source needs to rethink and readdress spanning 1989-1995, Ellery lost documentation, one need not what constitutes publication and everything with a few keystrokes. search far(cid:151)the PCCIP has pack what truly needs to be proliferated aged it all in one neat, organized, on the World Wide Web. The Web Ellery(cid:146)s principal customer was the and searchable document. already contains sensitive informa National Aeronautics and Space tion about US military personnel, Administration (NASA), for which units, capabilities, and functions, Ellery was develoj3ing a system to Overpublication which can be accessed anony transfer Astrophysics Data Systems mously from anywhere in the over the Internet. At the time, it Numerous articles, studies, and world. From the PCC1P toJoint was the largest data system ever to think-pieces have been published Doctrine, the United States itself is be deployed across the Internet, detailing the need to protect the peeling back its layers of protec and Ellery owned rights and source infrastructure from (cid:145)attack.(cid:148) By tion of the US critical code for the program that allowed devoting considerable attention to infrastructures. the compression of data and its these vulnerabilities, US authorities transmission. have inadvertently revealed their overreliance on the information OPSEC in the Corporate World: Ellery devoted years of research, superhighway and the tremendous Ellery Systems some ofwhich was financed by the impact any degradation would DoD, and millions of dollars to have. The rush to publish such With the arrival of the information develop a communications soft articles, along with the publication age, the civilian sector has become ware program. Ellery was also of the PCCIP, are a boon to poten vulnerable in new ways to eco contributing advanced software tial US adversaries who are nomic and corporate espionage. technology and applications, runt beginning to realize the signifi The computer allows more data to ime licenses, systems engineering, cance and ease of executing an be (cid:147)stolen,(cid:148) and the digitization of quality assurance and manage Information Warfare (1W) cam data also allows this data to be in ment, and operations support to paign. Both China and Russia offer more than one place at the same the National Information Infrastruc schools whose sole concentration time. Individuals can steal informa ture Testbed (NuT), an industry-led of study is 1W. tion, and the victim will not know consortium formed to help 100 InformationOperations Most companies who are victims ofthis sort of theft never tell anyone stimulate business and enhance ignorar~ce and naivetØ in the whole because theydo notwant American competitiveness by turn matter, said Ellery almost paid for ing the vision of a national to lose customers. Wang(cid:146)s~ plane ticket. information highway into reality. .9, NIIT provided a nationwide, high- Injani~ary 1994, Wang flew to performance testbed environment China and moved around trying to his~ for implementing a series of real- sell wares to the highest bid world applications. The members trust, admiration, and friendship of der. H~ signed a $55Q,000 business wanted to evaluate both the every the other employees. He fit right in. deal with Beijing Madhinery Import day and technical issues associated and E~port, a company run by the with the maintenance and opera During this time, a Chinese busi Ministr~T of Defense. tion of a national information ness official showed up at Ellery interested in its technological On 31 january 1994, Wang returned infrastructure. advances. The Chinese official to Ellei~y and gave notice he was Ellery shared membership in NuT explained he wanted to improve going to leave the company within China(cid:146)s ability to teach its children two weeks. On 1 February 1994, with some well-known and well- in foster homes, daycare centers, Wang ~1ectronically transferred 122 established institutions, including and schools. Ellery Systems person compl~ter files from Ellery Systems AT&T; the College of Oceanic and nel were attracted by the charitable to Unidata in Denver: These files Atmospheric Sciences; Oregon State contaiAed nature of the inquiry, and they 2.5 megabytes of Ellery(cid:146)s University; Department of Energy/ sourc4coded were excited to meet a foreigner files. Ellery did not Sandia National Laboratories; Digi who spoke their jargon. They told discov~r the missing files until 10 tal Equipment Corporation; the and showed the Chinese official Februa~ry. At that time, the firm(cid:146)s EUV Center for Astrophysics; Uni anything he wanted. president immediately contacted versity of California-Berkeley; the FB~ and Colorado(cid:146)s Attorney Essential Communications; Hewlett- In the summer of 1993, Wang Gener~d to investigate the (cid:147)theft.(cid:148) Packard; Institute for the Study of obtained a printout of the Elleiy After e1xplaining to the president the Earth, Oceans, and Space, Uni source Data/Code. He approached that virtually no laws pertained to versity ofNew Hampshire; Network Cui, who still worked for Unidata, the case, both the FBI and the Systems Corporation; Novell, Inc.; and proposed that they start up a state(cid:146)s Attorney General worked to Ohio State University; Smithsonian new computer company together, help Ellery successfully prosecute Astrophysical Observatory; Sprint; DC Nology. To help them get off to this ca~e. Realizing the precedent Sun Micro Systems; and Syn Optics a good start, Wang explained the this case was setting and that they (cid:128)~ntering Communications. technological advances Ellery had were new legal territory, made and was developing. they ppshed hard on the case to help all the other small businesses Chinese Connections In late 1993, Wang contacted Fu that might also be victimized. Xiangqun, a trade official in China, In the spring of 1989, Andrew and explained the opportunity Wang andJing Cui legally entered available for them at Ellery(cid:146)s Enter the FBI the United States from China to expense. Fu Xiangqun found a FB~ work for a corporation known as party interested in the opportunity As officials began their investi gation! Unidata, in Denver, Colorado. In and contacted Wang immediately. they briefed Ellery(cid:146)s December 1990, Ellery Systems Wang approached the company(cid:146)s presid~nt on the facts as they dis hired Wang. For the next year and president, and he explained that his cover~d them, including how this a half, Wang worked long hours mother was sick in China and that (cid:147)attacI~(cid:148) fit the profile of ChInese and performed in a superior man he would like to visit her. The pres intelligence operations. They then ner. Most important, he gained the ident, who later admitted to his infori4ed him of Wang(cid:146)s travels 101 Information Operations In the armed services, initial OPSEC training at mostunits is lumpedinto around China and the contents of consultants such as Ira Winkler for the first month or so the letter Wang wrote to the Chair hire, Corporations, both large and afterthe individuals have man ofBeijing Machinery, in which small, hire Winkler and his staff to he described advanced computing arrived on station, ifthe infiltrate their organization and steal technology. In this letter, Wang training is offered at all. whatever they can to test the cor stated: (cid:147)The common practices of poration(cid:146)s security procedures and the Americans should be used to ~9 practices. Many of his success sto defeat them in their own competi ries are documented in his book CoiporateEspionage, and he also tion.(cid:148) The president elected to speaks of several others when giv pursue the case in court and break on 15 April 1994, a US judge, cit ing presentations. Today, the aspect precedent with other companies ing national security concerns, of (cid:147)Red Teaming a corporation(cid:148) that had not, until this point, even blocked the $550,000 business deal which is most widely written about tried to prove their products had between Wang and Beijing Machin is computer hacking. Many articles been (cid:147)electronically(cid:148) stolen. ery. He also ruled that Wang had to have been written about the differ remain under house arrest until the ent corporations and small Most companies that are victims of trial, On 6 December 1995, how businesses that make a hefty profit this sort Of theft never tell anyone ever, the criminal charges against by hiring Out their hacking services because they do not want to lose Wang and Cui were dropped due to test organizations. Winkler, how customers. Yet at that time, 25 per to insufficient evidence. ever, stresses that the hacking part cent of the US GNP came from of his probes is only one small information technology companies, element. an industry in which Ellery was APainfulLesson rapidly growing. Ellery(cid:146)s key mistake was to trust OPSEC The FBI arrested Wang on 24 Feb completely all new employees it mary 1994 and searched Unidata. hired. Since this case, the enact In the armed services, initial OPSEC They had no problem finding ment of the Economic Espionage training at most units is lumped Ellery(cid:146)s files on the Unidata com Act of 1996 has helped protect US into the first month or so after the puter, and, on 5 April 1994, both trade secrets. Ellery downsized, individuals have arrived on station, Wang and Cui were indicted on declared bankruptcy, and eventu if the training is offered at all. It is charges ofwire and computer ally evolved into a new either conducted during a long, fraud. The FBI had nothing else to organization(cid:151)Global Commerce drawn-out mass briefing process charge them with at the time. The Systems, Inc(cid:151)with Ellery(cid:146)s former that only occurs once a quarter or wire-fraud charges were based on a president in charge. He openly dis once a year, depending on how law enacted in the early 1900s cusses the lessons that he and his many people rotate in and out of fellow owners learned from this the unit, or it is contained in a which dealt with criminal acts over incident, and he continues to work binder the individual has to read on telegraph and telephone lines. closely with the OPSEC community his own. The second alternative is Because the Internet was experi and the National Counterintelli more prevalent, because it is easier encing problems and re-routed gence Center. to circulate a binder than conduct a Wang(cid:146)s transmission of the Data/ briefing. Given the current atti Code signal through three other tudes toward OPSEC, most people states, the FBI and State Attorney Testing Security just sign documentation that they General(cid:146)s office saw this as their received initial or periodic required best chance to prosecute. Lawyers The computer security threat has OPSEC training. In this fashion, for both Wang and Cui entered gained the most attention of late they have satisfied the OPSEC rep innocent pleas. with Red Teams as well as security resentative(cid:146)s requirement to pass 102 InformationOperations A successful OPSEC program parallels a successful inteffigence the next Inspector General inspec its owr~~. Many people have tried organization in that one tion. This approach, unfortunately, unsucc~essfully to eradicate the leaves much to be desired in the never hears about the e-mail from the Web. training department, and it is success stories, only the reflected on a daily basis by poor failures. As the Federal Government contin OPSEC practices. ues to publish articles and direct 9, unprec(cid:146)edented attention to cyber threats~while The level ofinterest personnel have seemingly ignoring in the OPSEC program is directly traditional human-related vulnera bilitiesJ proportional to the attitude of not National Security Decision Direc it is setting itself up for a only the OPSEC representative, but tive on OPSEC 298 (NSDD 298) to: potential future catastrophe. Even thoug~ also the content and style of his our official wOrld becomes ~nd training program. Furthermore, the .provideorfacilitate OPSEC more more information-based e~tch chain of command has to support training, andactasa consul with passing day, it catinot enthusiastically and openly both tancy to ExecutiveDepartments and sh~ould not leave traditiOnal andAgencies required to have progra~s the training program and the con such as OF~SEC to each formal OPSECprograms. The tinued practice of sound OPSEC individual(cid:146)s common~sense. The lOSS offers expertise in d~fferent ~f measures. A motivated and dedi disciplinesandskills through its threiantf~rmiantdiiovniduals stealing criti cated OPSEC representative, diverse membership which cur cal via computers together with public support from rently consists ofrepresentatives remains real. On a daily basis, how ~ersonnel the chain of command, can orga from theDoE, CIA, NSA, GSA, ever, in DoD and in the nize a dynamic and interactive FBI, andDoD. rest of the IC freely, and, more than training program that will entertain likely, inadvertently, give more and educate. lOSS celebrated its 10-year anniver information away via the computer sary in 1998, yet word of its (e-mail and web pages), phone, Several different organizations, both existence and services has still not fax, g~rbage, or any other number civilian and DoD associated, offer a spread to the community as of methods. required. vast amount of information to assist any unit(cid:146)s OPSEC representative. The value ofthis information, freely in~ocently These organizations offer free train Continuing Importance and published, distrib ing programs, both hardcopy and uted, and discarded remains under~stimated computer-based training, and daily, A successful OPSEC program paral and (cid:224)ddres~ed pri marily~ monthly, quarterly, or annual news lels a successful intelligence by OPSEC and OPSEC letters, conference reports, and organization in that one never related professionals~ To help off th~se other OPSEC-related educational hears about the success stories, set human-related material. Getting the word out to only the failures: Kudos should go vulnei~abilities, senior-level support those who need it most and the de to several commands within DoD and fi~nding need to be made avail that have begun filtering the infor institutionalizing of the OPSEC able t? help move OPSEC into the mation they post. Unfortunately, community as a whole seem to be once something is inadvertently role of~ everyday applicability. This among the problems facing the posted it should be considered fundir~g and support should go DoD today. compromised. The Scott O(cid:146)Grady toward the training, education, and rescue e-mail is a perfect example practices of the other elements of The Interagency OPSEC Support of how, once something is exposed JO, pa~rticularly OPSEC, besides just Staff (lOSS) is charged by the to the Internet, it takes on a life of those dealing with the cyber-threat. 103