One of the hardest parts of operational security when dealing with more powerful opponents than yourself is ensuring that you can have multiple levels of protection. In some circumstances, you do not even want your opponents to know that there is communication occurring. This will cover methods for how to create mechanisms for hiding, even in plain sight. The value in such training is not just for knowing how to do so yourself, but to understand how your opposition may do the same.
Before you go much further, you should be aware of the basics of operational security. For foundational reading, I suggest looking through the primer from the U.S. Navy. Additionally, you should look at the grugq’s blog, especially for counter-state-entities.
The first thing you have to determine is exactly how to examine what level of information security is needed. For the rest of this article, it will be assumed that you are dealing with state-level opposition. If nothing else, it sets a high-end to base from which to operate. You need to figure that out on your own, however.
Once you have done that, you need to determine what your covers will be. If you are doing anything with such a determined adversary, you need to have a “normal” experience. This means that someone should have friends who are not part of the targeted group. In doing so, you create a method that allows you to look for abnormalities. This mean you can look for people tailing you, and set up methods for contacting anyone you need to even while under observation.
The fine line that needs to be trodden provides a way to look for observation, as described above. Routine allows you to observe, look for new people on a path you know well, strange activity by people whose patterns you understand better than they themselves know, or
An integrated OPSEC is not just an act, it is a lifestyle. It has to be done so that even someone watching every move has no indication of what is being done. At its pinnacle, someone can be confronted with an event that demonstrates threat without showing any outward indication.
The first step in doing so is learning how to lie. There are many books that illustrate how to do so in simple ways, such as Covert Persuasion. As you get better, reading how people can look for lies can also be invaluable, to understand how you will be evaluated. Both Liespotting: Proven Techniques to Detect Deception as well as What Every BODY Is Saying: An Ex-FBI Agent’s Guide to Speed-Reading People provide good primers.
Beyond those, however, there are some simple suggestions. The movie Ocean’s Eleven has a nice quick introduction.
One of the things that clip hints at, but never directly says, is that you should avoid saying unnecessary details. Those are places where stories can be tripped up. For instance, you tell a story about growing up and your high school, but you cannot tell the truth of it due to the exposure of who you really are. It gives information that allows people to piece together who you really are. However, are you going to remember your fantasy school’s mascot? Their school colors? Are those details even important?
Usually, people like to give details because it makes them seem friendly. That is something you have to quash. Never give away what is not requested, but learn to do so in a way that does not appear unfriendly. People will remember if you refuse to talk about anything personal, but they may not notice if you talk about how you liked or disliked school and shrug about it with a laugh. That is the difference between being memorably obstinate and forgettably average.
Once you have a good grip on how to lie, you need to learn when to lie. Someone who is attempting to subvert via any method, including information gathering, does not want to utilize that skill. They want to look normal in all ways. They have a life that in no way intersects with this hidden passion. Many friends but none too close. Work that is enough to bring necessary income in, and preferably provide cover for “anomalous” activities.
Routine is powerful, but dangerous. It allows you to know people…the clerks at storefronts, employees walking the same path to and from work, even the homeless who frequent the area. Changes in this do not require panic, but they should draw attention. Evaluate the changes, and how they should be adjudicated in your plans for the day.
If you were planning on making contact with other conspirators, such flags should cause a delay in the action. That is why whenever any plan is made to do so, there should be fallback plans that can be acted upon that would not raise any eyebrows. Knowing other destinations near the point of contact is critical in order to do so. This is even true if you are planning on making contact over digital methods.
There is an old meme, jokingly stating that there is no fear behind multiple layers of protection. There is some truth to this, however. If you are reaching out to someone you are working with clandestinely, it should never be through a method that has any ties to you. This means using a device that is used only for that purpose, from a physical location that you cannot be tied to, using multiple VPNs, proxies, and tor. Any identities used here should have no connection either, which means you don’t create user IDs based on your favorite book. Simple sources for such things can be to go to a local library and grab a random book off the shelf and find a character name, or an author, or a publisher.
When working on these clandestine efforts, one of the things to keep in mind is that secrecy is important for all players involved. This has been historically true, given the difficulty in proving loyalties. From Greenpeace to Sabu, parties have come in with false allegiances or turned. The less that “compatriots” know of each other, the less that can be betrayed.
This means that communication should be done with as little face-to-face information as possible. Using dead drops to pass messages remain useful, especially for non-digital forms. If the recipient of a message is not important (for instance, trying to get sensitive information to someone who may disseminate it regardless of the content), then there exists digital dead drop systems that can be used. In order to facilitate the use of these, however, you need to know all of the information of your life as described above. You cannot utilize a dead drop if you do not know what to look for as a threat.
The ability to compact data increases the ability to conceal it. In previous decades, microfiche was often used to pass information. Now, MicroSD can hold up to 64gb of data in only 165 mm³. Short of strip searching everyone, however, you cannot prevent information sneaking out. This is why security policy will often disable USB ports (warning: PDF) and memory card slots to ensure that these tools cannot be used for exfiltration.
It also allows for the information to be hidden in multiple locations. This goes from the traditional hollow book all the way to compartments hidden in furniture. With the sizes described, all that is needed is a small space. Each of those could be used for a dead drop in conjunction with any public space, such as a library or coffee-house.
In order to do all these things, it requires dedication. As others have said, utilizing OPSEC correctly doesn’t require practice until you can do it right. It instead requires practicing it until you cannot do it incorrectly. On the other side, detecting behavior that raises questions is as easy as looking for slips in those behaviors. Most people do not have the training necessary to live OPSEC, and thusly will make mistakes.