Why we really need to know who your adversaries are…
One of the discouraging things we see is the tendency for people to implement a solution before they understand the problem. We see this in every facet of professional life, from programmers leaping to code before requirements are understood, to risk management, where we frequently see organizations leaping to implement solutions that are often not related to the problem that needs to be solved. If you are lucky it doesn’t matter. If you are not lucky – you are, after all, in theory trying to reduce a risk – either money is lost or people end up injured or dead. Our job is to keep this from happening.
One area that seems to cause confusion in the OPSEC process in the world of commerce is our desire – insistence – on identifying adversaries early in the process. In general, clients want to leap to putting in countermeasures, often well before they have any clue as to what they need to protect. While some countermeasures can be put in more or less by rote (shred every piece of paper that didn’t come wrapped around food), people often seem to forget that we are not just trying to protect something, we are trying to protect it from someone. Since different “someones” have different objectives, random protection, although giving a feeling of accomplishment, doesn’t take us where we really want to go.
Identifying the adversary is done in two phases. The first is identifying types of adversaries. Thus, for example, we may identify the factoid that we don’t want our computers stolen by random thieves. In general, these types of adversaries should have been taken care of in the initial planning for physical security, access control, and disaster planning. And, in fact, if you are prepared to deal with a fire or an earthquake or a hurricane or a flood, you are equally prepared to deal with most acts of God or godlessness. However, in protecting critical information, which could make or break your company, or which could put people’s lives at risk, these measures do not suffice. In this case, we really need to identify who might try to attack us, and what means they might use. Frankly, if there is no adversary, no special countermeasures need to be put in place. If there are adversaries who will stay within the law, depending on what will, in retrospect, appear to be our ignorance, stupidity, and carelessness, then we need to figure out how not to be ignorant, stupid, and careless. If we have adversaries who are willing and able to bend the rules, we need to take more stringent care. But the measures we need to take depend not only on the seriousness of the adversary, but on what that particular adversary may want from us.
Thus, as an example, if we have adversaries who are likely to look through our trash, we can protect ourselves simply by avoiding trash that would be useful. If our adversaries are willing to hire dishonest cleaning people, we need to either be screening the cleaning people, or making sure that papers relating to issues that this particular adversary would consider to be of value are not left around. If we have adversaries who are likely to call us and ask probing questions, we can tell our people what they can and cannot discuss on the phone. In all of these cases, however, what we need to protect, and the countermeasures we need to take, are dependent on the particular adversary.
But can’t we say that we want to protect against some class of adversaries? Not really. There are three reasons for this.
First, it in essence assumes that our adversaries are neither intelligent nor willing to do their homework. In fact, adversaries tend to be as smart as we are, and are quite willing to do all the necessary preparation.
Second, it is not cost effective, as we are spending some often-significant percentage of our scarce time and money on things that won’t happen, and leaving untouched things that might well happen. Thus, to take a real example not related to information, it makes no particular sense to cut out free employee flu shots to finance reworking the mailroom to protect from anthrax.
Third, it can give us a false sense that we have done something fruitful, deluding us into thinking we have all the bases covered, which will prevent us from actually doing what needs to be done.
The bottom line is that when we look at OPSEC – and in fact when we look at a wide range of other risks – we generally are going to want to figure out not only what needs to be protected, but also from whom, and these two issues are very much inter-related.
What if you don’t know who your adversaries are, or what their capabilities are, or what, historically, they have been willing to do to further their aims? Well, that’s why we gather intelligence. If you don’t know the answer to these questions, you need to find out before you can make any meaningful attempt at protecting your information. And remember, if you have a group that gathers competitive intelligence, so, in all probability, do your competitors, which means that you are their adversary and they are yours. And remember also that there is no reason to think that their competitive intelligence group is any less competent than is yours.