I admit I stole something today. Well, maybe not, I didn't exactly steal it. There is a saying that the greatest form of flattery is plagiarism.  I read a joke today that really made me sit up and notice. It was sent around by the OPSEC Professionals Association and I was sure glad I received the following joke, so I'm reproducing it here:

There was a man who had worked at a factory for twenty years. Every night when he left the plant, he would push a wheelbarrow full of straw past the guard at the gate.

The guard would look through the straw, and find nothing and pass the man through. On the day of his retirement the man came to the guard as usual but without the wheelbarrow.

Having become friends over the years, the guard asked him, "Charlie, I've seen you walk out of here every night for twenty years. I know you've been stealing something. Now that you're retired, tell me what it was. It's driving me crazy."

Charlie simply smiled and replied, "Okay, wheelbarrows!"

Information is such an awesome weapon. In this case the information was always available, the guard saw the man with the wheelbarrow but it never occurred to him to think that the man was stealing wheelbarrows. This is exactly how we were surprised on 9/11/2001 when terrorists crashed airplanes into the World Trade Center, the Pentagon and into a field in Pennsylvania. Just last week we heard of insurgents using $26 software to view videos shot by US UAVs, and many were shocked, SHOCKED, that we hadn't encrypted the video signals. Perhaps, during the design phase, someone thought ”˜we should encrypt the signal’ but it might have made their proposal more expensive, thus a good idea was left behind.

Superior technology is useful when fighting a technologically advanced adversary. Recall during World War II the advances made in mine detection systems, mine sweepers became easy to use, portable and technologically advanced. The Soviets realized they did not have the technology to outwit western mine detectors, so they began putting their mines inside wooden cases, practically negating mine detectors. A recent assassination attempt used an explosive device actually inside the assassin, making exterior searches not quite enough. Lax procedures and the pressure to keep a plane on schedule on Christmas Day 2009 may have enabled 80 grams of PETN explosive, enough to peel off the entire roof of an airliner, to be snuck on board. It was only due to the rapid actions of a fellow passenger as well as lack of talent by the 'alleged' crotch-bomber that the attempt was unsuccessful.  These are examples of superior technology being thwarted by "Aw shucks, why didn't I think of that?"

Electronic Warfare is all about stopping communications, deceiving or preventing information from flowing, in communications, radars or even completely overpowering a system, but it all boils down to information. If I can make your radar look left when I am going right, just for a split second, you will not see the information on your screen. If I can blind you, you don’t know where I am.

Cyberwarfare is all about information. Destroying it, denying its use to someone, damaging it, making it unreliable, copying it, manipulating it or just sitting, watching and waiting and putting the tools in place to do all those things sometime in the future.

What in the heck does all this have to do with operational security? One of the greatest 'hackers' of all time was Kevin Mitnick. Kevin was a good hacker, skilled, experienced and dedicated. But what set Kevin apart from his peers was his preparation for the computer penetration. He used a skill called social engineering, but only after doing extensive research, dumpster diving and putting the picture together. Kevin might call up a company and just ask for a password, he said he was working for computer security and had to work on their system. Sometimes he would discover a password was the person's dog's name. He was so good at this that he wrote a book called "The Art of Deception". This book is not about operational security, but it should be assigned reading for all OPSEC professionals. It should also be required reading for anyone in security. As a matter of fact it should be required reading for anyone with a computer or dealing with information.  In other words, everybody should read this book. 

The bottom line is that no matter what we are doing we should protect our information. It’s a simple concept; it would make a great New Year’s resolution as well, but one that we should keep.