OPSEC for NGOs

     The recent (and ongoing) abduction incident in Niger is an interesting case study. In summary, two trucks loaded with armed men arrived at a CARE guest house in Dakoro. The gunmen forced their way past the guard, abducted five aid workers and a driver, and escaped toward Mali. During the preliminary investigation, officials learned the kidnappers were looking for an Italian; who was supposed to be staying at the guest house. The fortunate Italian, who was unaware of the threat, had spent the night elsewhere. When the frustrated kidnappers couldn't find him, they seized staff members of the Niger-based NGO Befen and the Chadian health group Alerte-Sante instead. (Our hopes for a speedy and successful resolution go out to the abducted, their friends, families, and colleagues.)

     This certainly did not appear to be an opportunistic crime. The kidnappers knew about the guest house and that an Italian male was staying there. They had to get their information from somewhere, which prompts this brief discussion of Operations Security.

     Operations Security (or OPSEC as the military and intelligence communities like to call it) is the process of identifying, controlling, and protecting information that could be used by someone that wants to cause harm or loss to your organization and its operations. The classic operations security process consists of five steps:

Identification of Critical Information – The first step is determining what information is critical. This is any information that someone planning harm against your organization could benefit from. Some examples of critical information include:

• Guest house locations
• Meeting schedules
• Office floor plans
• Travel itineraries

Analysis of Threats – Quite simply, who might want to cause your organization harm or loss and why? While the focus is usually on external threats, don’t forget about insiders who may be working with external actors for personal or political reasons. (Insider threats are an uncomfortable subject to discuss, and are worthy of a dedicated, future blog post.)

Analysis of Vulnerabilities – Once you’ve identified types of critical information and those who might benefit from it, the next step is to determine how this information might be compromised. Here are a few "lessons learned" examples of how critical information has been unintentionally disclosed:

• Food aid distribution plans discussed in a public place
• Photos of an office showing security measures posted on a Facebook page
• A travel itinerary placed on an office bulletin board that could be seen from an outside window
• A list of staff names and residence addresses left on a desk after working hours

Assessment of Risk – Next, think about how likely is it that someone may acquire and take advantage of critical information? And if they do, what are the potential impacts? The severity of the risk should help you decide what actions to take; and how quickly.

Application of Appropriate Operations Security Countermeasures – The final step is implementing countermeasures that prevent or reduce the chances of critical information being compromised. Refer back to the vulnerabilities you have identified and apply fixes through policies, procedures, and education efforts. For the examples above, countermeasures could include:

• Being careful when talking about critical information in public places
• Avoiding posting critical information on the Internet
• Keeping travel itineraries known only to a few people
• Locking up critical information at the end of the day

     Like many other security processes, operations security is not a onetime event. Threats, vulnerabilities, and risk should be assessed regularly (always rely on context and common sense to determine how much to be concerned and how best to respond). Additionally, ensure that all staff are aware of why operations security is important. In high risk environments, consider extending this awareness to staff members’ families.

     During World War II, posters like the one above appeared across the United States with the catchy slogan, "Loose Lips Sink Ships" (otherwise, unguarded talk about critical information might find its way to enemy submarines; with significant consequences). In a nutshell, that’s what OPSEC is all about. And in some cases, the process can be just as important to humanitarian organizations as it is to governments.