Over the past several years, the Naval Operations Security (OPSEC) Support Team, headquartered at Navy Information Operations Command Norfolk, has been asked what the difference is between cyber security and operations security. It is first and foremost important to know and understand the definitions of OPSEC and cybersecurity.
OPSEC is an operations program first, and security program second. It’s also one of several information-related capabilities within information operations (IO).
OPSEC is really about protecting our unclassified sensitive information, whether in the content we post or send online, what we say in public, or how we project (indicate) our next move.
Regardless of what publication or doctrine you have read, it’s important to understand that OPSEC is a risk-based decision process comprised of five distinct steps:
• Identifying friendly unclassified critical information and indicators (CI&I);
• Analyzing the threat or adversary who has the intent and capability to collect our CI&I;
• Analyzing the vulnerabilities of how our CI&I can be collected;
• Assessing the risk if our CI&I is collected and can be used against us; and
• Applying measures or countermeasure to prevent our CI&I from compromise.
There are also several definitions for cybersecurity, but the ones I found the easiest to understand are:
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access, according to Whatis.com.
In a computing context, the term “security” implies cybersecurity. The National Security Agency’s definition is even broader: “Any actions taken to secure the Nation’s cyber infrastructure.”
The National Security Presidential Directive-54/Homeland Security Presidential Directive-23, "Cybersecurity Policy," of Jan. 8, 2008, describes cybersecurity as:
"Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation."
Because there are so many organizations and lines of effort in cybersecurity, it can often be difficult to determine which organization to turn to for cybersecurity support. From the National Security Agency, to the Defense Information Systems Agency (DISA), the services’ cyber commands, and an organization’s Information System Security Manager, each has a cybersecurity-related function.
The same somewhat holds true for OPSEC. However, the biggest difference is that each service, and other organizations, has a designated OPSEC support element (OSE) or capability:
• Interagency OPSEC Support Staff (IOSS), Fort Meade, Maryland
• Joint OPSEC Support Element (JOSE), San Antonio, Texas
• Special Operations Command OPSEC Support Element (SOCOM OSE), Tampa, Florida
• Army OPSEC Support Element (AOSE), Fort Belvoir, Virginia
• Navy OPSEC Support Team (NOST), Norfolk, Virginia
• Air Force OPSEC Support Element (AFOSE), San Antonio, Texas
• Marine Corps OPSEC Support Team (MOST), Quantico, Virginia
So when the Naval OPSEC Support Team (NOST) receives a request for support or to provide a PowerPoint brief on phishing is that a NOST responsibility or a cybersecurity responsibility? What about a brief on cell phone vulnerabilities or the vulnerabilities associated with social networking sites? Even though the NOST could argue that these are cybersecurity-related requests, the OPSEC team WILL provide answers, recommendations, or direct the request to the proper agency or organization.
OPSEC is a holistic approach to protecting information, and because much of our information is shared or transmitted via a cyber means, there will be overlap in responsibilities as to which organization provides support. Just because an issue or question may be cyber- or cybersecurity-related does not mean there are OPSEC implications as well.
The bottom line up front is that we ALL play a significant role, and are responsible for protecting our networks (cybersecurity) and protecting our unclassified critical information and indicators (OPSEC).
You can contact the Naval OPSEC Support Team at firstname.lastname@example.org or (757) 417-7100. You can also download the “Naval OPSEC” App from Apple and Google App stores.
Navy Information Operations Command Norfolk serves as the Navy's Center of Excellence for Information Operations (IO). NIOC Norfolk advances Information Operations war fighting capabilities for Naval and Joint Forces by providing operationally focused training and planning support; developing doctrine, tactics, techniques, and procedures; advocating requirements in support of future effects-based warfare; and managing functional data for Information Operations.
U.S. Fleet Cyber Command serves as the Navy component command to U.S. Strategic Command and U.S. Cyber Command, and the Navy's Service Cryptologic Component commander under the National Security Agency/Central Security Service. Fleet Cyber Command also reports directly to the Chief of Naval Operations as an echelon II command.
U.S. 10th Fleet is the operational arm of Fleet Cyber Command and executes its mission through a task force structure.
For news from Commander, U.S. Fleet Cyber Command/U.S. 10th Fleet, visit www.navy.mil/local/FCCC10F/.