The first article in this series posited that, should global war break out, our food supply and agriculture would be domains of war (for example, some day China might challenge the U.S. militarily). The second part introduced the concept of “war games,” in which corporations could examine likely scenarios to gauge whether their defenses were robust enough to ward off potential threats. Because food corporations have been and currently are targeted by adversarial nations, it is important that you and your company start practicing “operational security” or “OPSEC,” the focus of this article.

The label “OPSEC” was first used in the Vietnam War, during “Operation Purple Dragon.” The U.S. Air Force had a problem—no matter where they flew, there always seemed to be a coordinated response of North Vietnamese missiles and anti-aircraft fire. Aircraft were lost and pilots killed. U.S. military personnel were perplexed by their own inability to surprise the enemy until they figured out that flight information was being exposed because they were filing it with international flight authorities. That gave North Vietnam legitimate access to U.S. military flight information. Once the problem was identified, flight-planning practices changed and fewer aircraft were lost.  

Still today, corporations, academia, small businesses, and individuals fall prey to adversaries by unknowingly giving them information. Simply throwing a credit card offer with your name on it in the trash can be labeled poor OPSEC. Most people don’t have the mindset to realize that such a small, seemingly meaningless choice can make them a victim.  
When adversaries pass you by as a potential victim, they likely choose someone else instead. This should not make you feel guilty—your primary responsibility is to protect yourself, your family, your company, and your coworkers. The adversary is responsible for his or her actions, not you. The goal of OPSEC is to protect your information so it can’t be used against you.

The purpose of OPSEC, in military terms, is to identify an operation’s or activity’s vulnerabilities. This is achieved by thoroughly examining each aspect of an operation or activity to identify any OPSEC indicators or vulnerabilities that could reveal critical information. These indicators or vulnerabilities are then compared to what is known about an adversary’s intelligence collection capabilities. A vulnerability exists when the adversary is capable of collecting critical information, correctly analyzing it, and then taking timely action. The adversary can then exploit that vulnerability to obtain an advantage.

Social Media
Social media can be a wonderful way to remained connected to distant friends and family. It can also be dangerous, because what you put on social media remains forever. Adversaries can exploit this information, even turning   seemingly benign posts into psychological weapons.

For example, in a recent Facebook post, an acquaintance posted a picture of her young children on a swing set, commenting on how bold they were. She also commented that, as a child, she had been afraid of swinging. The last comment could be exploited by offering an adversary insight into the mother’s psychology. Was she still timid? Probably, because otherwise she might not have mentioned her fear. Adversarial translation: This individual is easily frightened. Fear tactics would be used when they target her.

Now, suppose this person has access to a computer system or intellectual property the adversary wants to target. Individuals are always the weakest links in any corporation and, therefore, will be the first targets. In particular, decision makers and those who work for and with decision makers in the government, military, and business are highly targeted. Nation states are not the only ones using social media to exploit individuals.

Gangs, criminal organizations, and terrorist groups also use social media to foster membership, communicate among followers and non-followers, and obtain ideological and financial support. This exploitation of social media has serious political, cultural, and societal repercussions that go beyond stolen identities, hacked systems, or loss of productivity, note the authors of Social Media Exploitation by Covert Networks: A Case Study of ISIS. “There are literal life-and-death consequences of the actions of the groups behind these covert networks,” they go on to say.[1]

Here are some ways to prevent social media exploitation:

• Remove yourself completely from social media. Admittedly, this move is one of the most proactive on threat response spectrum. Even so, most decision makers should seriously consider it. Alternatively, become very measured in what you post. Think before you post, and always examine it from an adversary’s perspective. Ask yourself, “Can an adversary exploit this post? If the answer is yes—delete it!  

• Identify and start protecting your critical information. Critical information, also known as your collective “core secrets,” is any information about your company’s personnel, processes, systems, activities, or capabilities or capabilities that could be harmful to your company if discovered by either a competitor or actual adversary (sometimes one and the same).  

• Analyze your threats. It is critical that you have a clear understanding of both your threats and threat actors. These elements are different but closely related. Developing protective measures requires constant adjustment as the threat actors and their capabilities evolve.  

• Identify and analyze your vulnerabilities. Vulnerabilities are the characteristics of your company that could precipitate degradation or failure if they were targeted by a hostile threat. Look at your operations through the lens of the adversary, and then prioritize your true vulnerabilities. Don’t waste time, effort, or money on hypothetical vulnerabilities.

• Assess your risk. OPSEC is dependent on risk assessment, which involves comparing threats to vulnerabilities. If a risk assessment indicates that company vulnerability is high, and there is also a high probability that adversaries pose a threat, then the risk of potential exploitation is high. Rapidly implement additional protective measures. Always plan for the most capable adversary.

• Develop appropriate countermeasures. Countermeasures protect your company’s activities and information. “Ideally, the chosen countermeasures eliminate the adversary threat, the vulnerabilities that can be exploited by the adversary, or the utility of the information.”[2] Design and implement appropriate countermeasures using standard business practices, including a cost/benefit analysis.

• Prioritize OPSEC training for all personnel. Most OPSEC training material is oriented toward the military. However, applying military training materials to your own company can involve simply substituting “Military Operations” with your company name (e.g., “Acme Food Company Operations”). The chart shows some additional equivalency examples:

       
Additionally, practical military-oriented OPSEC resources are available.[3] Training through companies that specialize in OPSEC is also an option, but can be expensive.

Moving Forward         
Any food or agricultural company is capable of identifying its most sensitive information. Think in practical terms: What information do you need to protect?  Who are your company’s adversaries? Nation states are your highest level and most competent of adversaries, and criminal organizations are next. Guard your company’s critical secrets, and you guard your company, your competitive edge, your market share, and your bottom line. Your corporate survival is dependent upon vigilant OPSEC.

Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group (aufsi.auburn.edu/fooddefense). He is a long-time consultant to the U.S. military, federal, and state law enforcement agencies. His blog, Bob Norton’s Food Defense Blog, can be found at aufsi.auburn.edu/fooddefense/blog/. He can be reached at nortora@auburn.edu or by phone at 334.844.7562.

Disclaimer: Dr. Norton and production of this article were supported by the Alabama Agricultural Experiment Stations and the Hatch program of the National Institute of Food and Agriculture (NIFA), U.S. Department of Agriculture (USDA). The article represents the personal opinion of Dr. Norton and does not reflect official policy or statutory related opinion of the federal government, NIFA or USDA.

References
1. aisel.aisnet.org/cgi/viewcontent.cgi?article=4009&context=cais.
2. fas.org/irp/nsa/ioss/threat96/part01.htm.
3. jfsc.ndu.edu/Portals/72/Documents/JC2IOS/Additional_Reading/1C2_JP_3-13-3_OPSEC_Process.pdf.