Operational Security (OPSEC) For The Radio Amateur.

It seems so innocuous.

Have you ever spotted an impressive antenna on someone’s house and thought, “wow, now there’s a kickass setup!” Or maybe you have a neighbor who goes for a one hour jog at the same time every day. What about that house up your street that is very nicely kept but no one is ever seen there?

What can we conclude about these people?

When you really think about it, there is quite a bit you can learn about others by observing normal, everyday situations and activities. One does not need to spy or stalk or do anything unethical or illegal to suss out what others are doing and make accurate conclusions about their activities and lifestyle.

This of course is a two-way street. Others can determine a lot about you based solely on your outward behavior. That’s why radio amateurs especially need to be mindful of operational security, or OPSEC.

What is OPSEC?

Operational security is a big deal in the government and the military, and like all things government/military, they make it really complicated. If you google “opsec” you’ll get endless pages of detailed analyses. For the average off grid ham, we can reduce it down to a short definitiont: OPSEC is making sure those who do not need to know your business do not know your business.

In corporate lingo, OPSEC is referred to as competitive intelligence. The principle is basically the same: Glean information about your competitors from readily available sources, then use it against them. Some large companies actually encourage employees to send in tips.

opsec

Public domain image.

The bottom line is that OPSEC is information, and information has value to people who may not wish you well. What do you say about yourself by just living your ordinary life?

Unintended OPSEC violations.

I was on 2-meter simplex a while back and had a nice chat with a guy who in the course of a ten minute QSO revealed that he A) is a software engineer with an advanced degree who works long hours, B) lives alone in a quiet neighborhood, C) owns a lot of high end electronics, D) drives an expensive luxury car. He was about 20 miles from me, so his signal was being heard over a large area.

It was just casual chatter, so what’s the big deal? Hmmm let’s see: He’s a well educated software engineer with a luxury car and a lot of electronic “toys,” so he probably has money. His house is empty most of the time. A simple lookup of his call sign would reveal an address in an affluent town. From there you can figure out what a less than honest person might be inclined to do.

I gleaned all this information from one simple on-air exchange, the kind many hams engage in every day. He probably did not even realize that he was exposing himself to trouble.

Normalcy bias.

Many OPSEC violations originate from a psychological condition called normalcy bias. Normalcy bias is when someone underestimates or may be in complete denial of the possibility of a serious situation. In layman’s terms, it’s an “it can’t happen to me” attitude.

I’m sure you’ve seen videos of disasters taken by people who should have been running in the opposite direction. That’s normalcy bias. Or maybe you don’t think much about oversharing personal details about yourself on the local repeater because, well, what’s the likelihood that some villain will hear you and go through the effort to track down at your address? That’s normalcy bias too.

If you are or have been in the American military, you may have never heard the term “normalcy bias” but you probably know what it is. You’ve been trained and trained and trained to assume nothing and always anticipate the worst. For everyone else, do whatever you must to rid yourselves of normalcy bias. At best, it encourages OPSEC violations. At worst, it will kill you.

Plugging the holes.

Short of forfeiting your radio license and becoming an antisocial recluse there isn’t any way to completely eliminate all OPSEC liabilities. There are some easy things you can do.

Do not reveal specific details about your personal schedule or habits:

YES: “I coach my son’s volleyball team.” NO: “I coach my son’s volleyball team every Monday & Wednesday from 5-7 pm.”

YES: “I’m running an errand”. NO: “I’ll be at the mall for at least a few hours.”

Be mindful of how you respond to queries. Neighbors and others may make comments about things you can’t really hide, such as antennas and solar panels:

YES: “I’m an amateur radio hobbyist. It’s a pastime I really enjoy.” NO: “I have a comprehensive worldwide communications system and off grid power. When SHTF, I’ll be ready while you poor bastards sit in the dark!”

Have some awareness of what others may observe on/around your property:

YES: Before discarding the box from that expensive electronic device, turn it inside out to hide the label. NO: Just leave the box at the curb intact so everyone knows you just got a $3000 TV set.

YES: Make use of concealment such as landscaping, window blinds, fences, etc. NO: Unnecessarily leave the garage door open all weekend as if it were a showroom for your power tools.

Educate your allies.

One of the biggest OPSEC violations may be the people closest to you! Teenagers love to blab, especially on social media. Family and friends may talk, with kind intentions, about your radio and off grid capabilities. Let them know you’re really flattered but you prefer it be kept within a tight circle. Explain when SHTF, there will be more resources for them if the whole world does not know what you have. Play to their selfish side.

OPSEC and the internet/social media.

Wow, entire books could be written about operational security and the internet. It’s going off topic for this blog, so I’ll keep it simple: Do not post anything on the internet that you would not want plastered on a billboard along a major interstate highway! This includes photos.

You may not have noticed my amateur radio call sign does not appear anywhere on this website. I do not reveal my exact QTH, not even the state I live in. When I respond to reader emails or comment on other blogs, it’s always through a VPN. All of this is done on purpose. I don’t worry about my name too much because it’s so common that googling it will lead nosey people into a vast sea of Chris Warrens (I know because I’ve tried it). I also have the added benefit of a androgynous name.

It’s not that I think no one will ever find me, it’s that I’ve deliberately made myself as obscure as possible. The internet is a great resource, but be very circumspect and guarded about what you say. Don’t make it easy to find you.

OPSEC and radio clubs, groups, EMCOMM.

Any time you get involved with an amateur radio club or group, or participate in emergency communications (EMCOMM) activities, you are to to some extent lowering your OPSEC. Your capabilities, or lack of them, will be an open book and you don’t always know who you are dealing with.

If you are involved with EMCOMM, then you’ll be also be dealing with the government at least indirectly. It’s one thing if your radio buddies know what you’ve got. It’s quite another when the government knows! In a December 2018 Off Grid Ham article I related a personal story where my county disaster agency invited me to join their EMCOMM group. The application included a lengthy list of questions asking about my power generation capabilities, off road vehicles, special equipment & tools, technical skills, and other information that I considered very invasive and off-putting. I did not like the idea of being on some local bureaucrat’s list of people with skills and cool stuff, so I declined the invite.

The advice I gave then is still valid: I’m not trying to scare anyone away from what could be a great experience. I simply want radio amateurs to examine very closely what they disclose about themselves versus the benefits of being in the group. Who will have access to your information? Why do they even need to know?

Physical security.

Physical security is what you need when OPSEC fails. This is not the venue to get deep into it, but take a good look at your door locks, exterior lighting, and other security features on your property. Think about physical security when you’re not at home.

I very strongly suggest getting proper, professional self defense firearms training and purchasing a gun (do it in that order). Do not take gun “training” from your uncle Ed who was in the military 30 years ago or your boy/girl friend who likes to go plinking at the range every now and then. I absolutely do carry a gun and believe every eligible adult should too. If you are not willing or able to carry a gun, then make other plans for your safety that go well beyond simply dialing 911 and hoping for the best. “When seconds count, the police are minutes away”.

What we learned today.

  • In simple terms, operational security (OPSEC) is making sure those who do not need to know your business do not know your business.
  • Any ordinary personal trait, habit, or activity has the potential to be an OPSEC violation: What time you leave for work, what kind of car you drive, how you dress, etc.
  • Most OPSEC violations are unintended. It’s almost impossible to be 100% operationally secure.
  • Normalcy bias is a psychological condition that can lead to committing OPSEC violations.
  • Educate those close to you about the importance of OPSEC.
  • Be especially mindful of what you say on line.
  • Involvement in an amateur radio club or EMCOMM group presents unique OPSEC challenges.
  • Make accommodations for your physical security.

11 thoughts on “Operational Security (OPSEC) For The Radio Amateur.

  1. Vollie Miller

    Chris,
    An outstand article. One additional item you may wish to add in the future
    do not discuss or reveal travel plans over the air. You are correct in that
    the military and the MARS programs are taking OPSEC very seriously these
    days.
    73
    DE NA4C

  2. Richard Bender

    Thoughtful, well written, direct & concise article.
    We should remember: just because you’re paranoid doesn’t mean someone isn’t out to get you.
    Thanks Chris!

  3. Douglas

    This goes to keeping criminals away during the good times. If you have a lot of expensive stuff and you are at work, it could be stolen. Kind of like having a laptop sitting in your car in plain site.

    It can happen to you. It happened to me. I have had two laptops stolen, one was recovered. But, it was recovered from the police evidence locker.

    1. Chris Warren Post author

      Hi Douglas. Your experience shows that OPSEC does not always have to be difficult. Leaving any expensive item in plain view -in a car or anywhere- is basically an invite to a thief.

  4. Kilovolt

    A good, but brief description of OPSEC, Chris. And your correct in that it can be a very deep subject to cover. I’ve worked in security in the past, and Government and the Military make it complicated, because of the cost, if they didn’t. Many do share to much information, whether online or by other forms of communication, that is the world we live in. People think that everyone else wants to know what’s going on in their reality. And yes, it can be dangerous. We should concentrate on situational awareness, it’s not paranoia, it’s being aware of your surroundings at all times. Put the NRA, GOA and USCCA stickers on the toolbox not on the vehicle. It’s been proven, that it takes 3 seconds, for someone to cover 21 feet. If your right handed, and that hand has 4 Walmart bags in it, you’ll be saying, it happened so fast I… No matter how you are communicating, take a second, and think, is that TMI? One final bit of advice, “LEFT of the BANG” by Van Horne and Riley.

    4Bs/73

    1. Chris Warren Post author

      Your example of bumper stickers is an excellent example of a common OPSEC violation. The less you say, verbally and otherwise, the less noticed you will be. Thanks for your comments and for supporting OffGrid Ham

  5. randall krippner

    Nice article Chris. I think you touched on all of the important points. Trying to be completely secure these days is impossible, but there are a lot of things you can do to minimize the damage. Alas, often people are their own worst enemies when it comes to things like this. Unfortunately when it comes to the internet a lot of the most potentially damaging information is outside of our control, sitting in government or company databases. But common sense can go a long way to protecting yourself. Don’t put any information out there you absolutely don’t have to. Don’t volunteer information that might make you a target, etc.

    I once had a neighbor who kept his fishing boat parked outside behind his garage all the time. No lights back there and clearly visible from the street. And then wondered why he kept getting targeted by thieves stealing stuff out of his boat and garage. He might as well have just hung up a “Steal Me” sign on the curb. Common sense isn’t so common, I guess.

  6. Greg

    Good article. Same goes for a social media footprint. A great ham shack pic with attached meta data is as good as an address. Don’t let your phone or digital camera hurt you.

Comments are closed.