We’ve reached the third step in the OPSEC process: Analyze the Vulnerabilities. In other words, asking the question, “How could my adversary get my information?” We’ve mentioned thinking like the wolf before, and here’s where that comes into play. Your job in this step is to be the enemy, to look at your information infrastructure, so to speak, and find the holes.
This can be a bit of a gut check, because it’s when your idea of OPSEC meets your reality of OPSEC. You might believe that your group runs a tight ship, for instance. This step might force you to face some things about your group dynamics or the members’ personalities. It might put you in a position where you need to admit that you have vulnerabilities. You might even need to admit that you are the problem.
WHAT ARE YOU LOOKING FOR?
You’ve already decided what information is critical, and you’ve already outlined who wants it. So it’s fairly logical that now you would look at how your adversary could get it. But what does that even mean?
You’ll do what’s called a “vulnerability analysis,” which is a fancy way of saying that you take a very close look at your processes, your policies, and even your personal or group mission. For the purposes of this article, policies are anything from HOW you protect information to your mindset about it, your group agreements on the subject if any exist and/or have been formalized, etc.
INDICATORS, VULNERABILITIES, AND ANALYSIS
Before we go any further, you’ll want to understand these terms and how they fit into the bigger picture.
Indicators: These are actions or snippets of info that can be used to deduce other actions and information; using indicators, someone can ‘leapfrog’ or connect the dots to determine a piece of your actual critical info. An extremely basic example would be if I want to know what you drive, I don’t need to hack the DMV. I can simply find your home address (a very easy thing to do in this day and age), and find out what make and model car is most often outside your home, or enters/exits at times that would be appropriate for a resident (such as leaving in the morning and returning in the late afternoon, etc.). I can often do the same if I have your employer.
Vulnerability: The ‘hole’ in your security that allows me to find the indicators such as what’s listed above is a vulnerability. You might think that a certain adversary you’ve identified is four states away, and can’t watch your house so that’s a dead end. That’s fine; have you ever posted on a car troubleshooting forum? Ever commented on a Facebook Marketplace post for a vehicle? All of that is trackable. I can deduce the car you drive from the Amazon wish list you have. You put some parts on it and didn’t pay attention to the fact that the privacy on the list is public.
That’s just bottom rung, basic electronic stuff; there is plenty more on the physical side, and we aren’t even getting into the human terrain — which is arguably the easiest of all to leverage with the right training and awareness. That’s where the third term comes in.
Vulnerability Analysis: We just mentioned this above. It’s the process where we look at our situation and our own heads to find the places that are open to attack.
THWARTING THE INVADERS
One thing my siblings and I used to hear as kids is the admonition not to leave the curtains open so people can “see what we have.” The point, of course, was that would-be home invaders would be more apt to target you if they saw something in your window that they deemed worth stealing. That idea carries over to activism/resistance as well (yes, activism and resistance are two different things, but that’s a topic for another day).
Someone who is active in the supply underground or black market, for instance, doesn’t live in a dark cave, with pale skin that never sees the light of day because he’s “hiding from the enemy.” He might be your kid’s Little League coach. He could be a pastor or other clergy. Maybe she is a stay at home mom, or retired grandmother, or even a small business owner. Someone active in “the cause” could be anyone. What they are not, however, is openly acting even on the fringes of the cause whose underground they are involved with. In other words, if you’re the guy who is providing magazines to states where they are banned, your face should never be seen at a gun rally. If you’re funneling money to a cause, don’t get caught on one of their “training videos” posted online (in fact, if you’re even remotely serious, you shouldn’t be training with people who make videos of it to begin with).
We’re Only Trying to Save Western Civilization. No Big Deal.
Get all the latest from AP every morning at 0700.
Doing a vulnerability analysis — and the next chapter, in which we talk about deciding risk — is not a comfortable activity. It isn’t something that you finish with a proud flourish, secure in the knowledge that you found no holes in your information armor and can go back to “important things” like crawling around in the woods. You will always find a hole. It doesn’t matter how long you’ve done this, or how good you are. There is always improvement to be done, always things you can shore up or think about, always a person you can look back and think, “I shouldn’t have talked to that person/told him X/given that away.” And it only takes one remark, one comment on social media, one photo, one slip, to cause untold drama and even life-threatening problems later. In other words, this activity should be done often, with a ongoing evaluation occurring in terms of lifestyle.
If you’re a group member, you need to be looking at not just your personal environment, but how you interact with group members, how you talk to people outside your group, etc. Infiltrators will get in with one group member, and then leverage that relationship into more information and more relationships. They’ll often act as though they already know something, using basic fishing tactics, and their mark will think they are talking to someone who’s already “in the know.” We’ve already talked about the need to shut up if it’s not your information, and that article is worth another look.
If you’re at the public events, if you’re ‘out front,’ if you’re the guy who’s always posting on social media about your many exploits while dressed like Rambo Rallygoer the Mighty, then you are known. At some point, the government determines you are a political dissident and/or threat of varying degree, and then they start allocating resources to tracking you, paying more attention to your comings and goings, or following you around the internet. Keep in mind that they can do a great deal of stuff to you in terms of tracking and surveillance without a warrant, simply by not calling it an “investigation.” The Fourth Amendment exceptions available to government agencies are staggering — and that assumes they even stay within those corrupt and lax boundaries.
If you choose to take up the mantle of someone working behind the scenes, then you need to be the guy (or female) that no one pays attention to. The person who can move in public spaces without drawing attention, and doesn’t need to broadcast his or her skill set. You need to be able to work without recognition, to be underestimated and even unknown. In fact, that last sentence is the exact reason why so few choose that work, and so many choose the life of public attention.
QUESTIONS TO ASK YOURSELF
During your vulnerability assessment, you should be asking yourself all kinds of questions. Here is a very basic, partial list. Use it to springboard into your own items and just open up thinking patterns. If you use this list as an all-inclusive checklist, you missed the entire point.
Keep in mind that you may go through some of these and think, “yeah that item doesn’t point to critical information for me.” That’s fine, but stay open; does it lead to other vulnerabilities? Think like the adversary; where would you look if you wanted to get information? Look at everything from physical to electronic, personal to family to group. You’re basically standing outside the house, looking for a set of open curtains or an open window.
- Do you carry a smartphone everywhere you go? Does your family?
- Are you or your family posting on social media every time you leave the house?
- Is your wifi wide open? Is your house or vehicle?
- Do you get interviewed often by the media or do pics of you show up in the media fairly often?
- Are the photos you are posting giving away information? Can the elements of the photo tell a viewer something you don’t want exposed (such as taking a pic of your dog and not realizing that he’s standing in front of the shipping container you have packed full of food and supplies)?
- Does your home/property have a security plan if you need to evacuate for any reason, even temporarily? What happens to any information or physical items you need protected then?
- Is anyone in your group a bigmouth? What about people who are motivated by attention or need to feel important? What about people who want so badly to be part of something that they’ll give away information in an effort to make the group sound awesome and recruit more people? What about spouses; are any of them not on board with their significant other taking part?
- How many ‘background search’ sites is your information on? How much about you on the internet is still valid information about your location, family members, etc.? You can remove yourself from much of the internet, or at least control some of what’s out there. We’ll talk about how in a later article.
- What facets of your personality can be leveraged against you? Do you have secrets? Vices? Temper problem? Do you need to be loved/needed/accepted? What embarrasses you? What scares you?
If you’ve done this process correctly, you probably have amassed a bit of a list of vulnerabilities. That’s good; in fact, the more you find the more you can fix. you can’t fix the problem you’re unwilling to admit exists.
Next we will look at prioritizing the problems, and preparing to get them fixed