What is OPSEC and why do you need it?

OPSEC is an important part of secure communications

Keeping your communications secure is one of the most difficult challenges. No matter if you’re talking about business secrets, communicating with your lawyer, or exchanging private information, it’s incredibly important to keep confidential information confidential.

Encryption is touted as the ultimate solution to all our privacy problems—keeping all unwanted spies at bay with powerful, uncheatable math. But you also need good Operations Security (OPSEC), to holistically protect your communications, and yourself, from falling into the wrong hands.

Encryption is necessary for private communications

With publicly audited and professionally implemented encryption techniques, you no longer have to trust companies or courts with protecting your personal information—it’s in your hands alone.

OPSEC ensures security

Sadly, encryption is not a magical switch you can simply flip to protect yourself.

Having good OPSEC means thinking about who you’re trying to protect your information from, who you communicate with, and what capabilities your adversaries might have. If you’re trying to protect yourself from organized crime or nation states, for example, you need a very different OPSEC than if you’re protecting yourself from a stalker.

It’s important to assess how your security setup can be compromised, and weigh whether risks are worth taking or avoiding.

A password manager allows complex and secure passwords, but good OPSEC requires that you don’t sit underneath a security camera when using one.

The process of OPSEC, as described by the U.S. military, includes five steps. ExpressVPN has applied the five security steps to the communications we all have, probably every day: digital chat.

Identify OPSEC threats

1. Identification of critical information

What is it you are trying to hide? In the context of a digital conversation, it’s largely the content and metadata that will expose you. Content is the conversation itself, while metadata describes the information relating to this information. Metadata includes who you talk to, when, the duration, and the frequency of the conversations.

It’s easy to hide the contents of a message, but hiding metadata remains difficult. Apps like Signal promise to keep no metadata, but to be sure, you might have to run your own OTR server (not a trivial feat, and encumbered with unique risks of its own).

Analyse OPSEC threats

2. Analysis of threats

This includes who you’re trying to hide information from. If you’re only hiding information from your stalker or neighbor, assessed risk and vulnerabilities are very different than if you’re up against a powerful nation state. Think about threats by imagining who you definitely don’t want to be in possession of your details. Perhaps it’s a work rival or a corrupt government official.

OPSEC vulnerabilites

3. Analysis of vulnerabilities

Step three is by far the hardest part of OPSEC awareness, as your vulnerabilities are potentially endless. You have to be able to trust your device, operating system, apps, and any programs you’ve installed. Backdoors could allow intelligence agencies access to your data and sloppy programming could leak information without your knowledge.

Vulnerabilities might also exist along the communication chain, or with your chat partner. This is tough to assess as you may not know what systems are running between you and them.

Your chat partner might not have the same incentives to keep information private. Perhaps they’re in a country where authorities are less repressive. Or maybe they just don’t care as much about privacy as you do.

It’s important to include the OPSEC of the people you’re communicating with in your own OPSEC model, even if it’s hard and includes uncertainty. There are many ways to mitigate vulnerabilities, you could, for example, distance yourself from your partner by only revealing strictly necessary information about yourself.

Unfortunately, the most challenging and troublesome weaknesses often lie outside of what is possible through technology. Attackers could personally threaten you to give up passwords, or subtly coerce you, perhaps with the prospect of jail time.

OPSEC risk assessment

4. Assessment of risk

Your list of vulnerabilities is likely to be very long. But not all threats are equally relevant. In fact, some might not be relevant at all.

In this step, combine step 2 with step 3 to ascertain threats and assess how they could exploit your vulnerabilities.

A threat might include a sophisticated hacker, or somebody sharing your home. Each need to be addressed differently. For example, a password written on a piece of paper has a very low risk of being discovered by a hacker, but there’s a high risk it could be found by a snooping roommate.

Strike unnecessary threats off your list then mark the rest as high, medium, or low risk.

Appropriate OPSEC measures

5. Application of appropriate OPSEC measures

In the last step, plan your actions. Address the highest threats first, then work towards the lower risks. Some will be unavoidable, but they can be minimized.

OPSEC is a significant step towards secure communications

Use Encryption and OPSEC together for better security. Tailor your response to suit the situation at hand. OPSEC measures might focus on employing stronger encryption but could also focus on avoiding technology altogether.

Leaving your phone at home and using public transport to visit a post box a few dozen kilometers away might, depending on your OPSEC analysis, be a better strategy than sending documents via PGP encrypted email through the Tor network.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.