
Leader's Guide to Protecting Cyber and Operational Security

posted Feb 26, 2018, 7:32 PM by James Caroland   [ updated Mar 2, 2018, 10:08 AM ]
By Major Michael Senft, U.S. Army

Cyberspace is a contested domain of warfighting and information technology. Capable and intelligent adversaries, namely state and non-state actors, seek to asymmetrically disrupt U.S. advantages in communications by targeting the weakest link in our technical and human defenses [1,2]. A single weak security practice can result in the widespread compromise of a network or information system, endangering not only the lives of U.S. military and civilian personnel, but also business viability [3,4]. The purpose of this guide is to provide leaders with a concise outline of significant Cybersecurity and Operational Security (OPSEC) concerns with recommendations to protect network-dependent warfighting and other essential functions including mission command, fires, intelligence, and sustainment. Cybersecurity and OPSEC are processes that should be incorporated into all phases of operations to protect people and equipment and to ensure mission success [3]. This guide will cover three topics: Cybersecurity concerns, OPSEC concerns, and recommendations. Let's address the foundational cybersecurity concerns first.

Cybersecurity Concerns:

Rob Joyce, the former Chief of the National Security Agency's Tailored Access Operations and current White House Cybersecurity Coordinator, succinctly captured this concern by stating, "If you really want to protect your network, you really have to know your network" [5,6]. Knowing the network is essential to defending your key cyber terrain. Leaders must consider that:

  • Every device that emits a signal or has a processor is a potential vulnerability [4]
  • There are three primary attack vectors within your formations [3,4,5,7]:
      • Email – Spear phishing emails can fool even experienced security professionals [6,8,9]
      • Removable media – Adversaries use removable media to gain access to systems [9]
      • Websites – Adversaries compromise trusted websites to precisely target specific user groups [6,10]

The second concern is the threat posed by privilege escalation and lateral movement. Leaders must identify, monitor, and protect high-value assets within their organizations by considering the following [11]:
  • Mission-critical data, systems and networks [12]
  • Network and system configuration, security, and monitoring systems [13]
  • Users with elevated privileges (e.g., network and system administrators, users with removable media writing or cross-domain data transfer rights, etc.) [14]

OPSEC Concerns:

The first thing leaders should understand is that large enterprise networks, including the Non-classified Internet Protocol Router Network (NIPRNET), are not secure. Sensitive but Unclassified (SBU) information should be encrypted prior to transmission via email, as communications can be targeted for interception and exploitation at any time [16]. Likewise, SBU data stored on mobile computing devices (data-at-rest) should be encrypted to prevent compromise in the event of loss or theft of these devices [9]. SBU data includes, but is not limited to:
  • Network Configuration Files, Network Architecture Diagrams, and Network Vulnerability Reports [15]
  • Password and System Credential Files [15]
  • Personally Identifiable Information (PII) [15]
  • Very Important Person (VIP) Travel [15]
  • Locations, movements and mission planning of essential elements [15]
Second, leaders must understand and mitigate operational vulnerabilities created by cell phones [4,16,17]:
  • Cell phones are prime targets for enemy Signals Intelligence (SIGINT) and Electronic Intelligence (ELINT) even when used in a disciplined manner [4]
  • Compromised smart phone applications can provide adversaries with geo-location and other valuable intelligence [16]
  • Loss or theft of cell phones and other mobile devices can provide an avenue of attack for adversaries to gain access to enterprise networks or provide access to sensitive information
Third, leaders must understand and mitigate operational vulnerabilities created by insider threats [18]:
  • Malicious insiders abuse their authorized access to information and information systems to execute theft, espionage, fraud and sabotage [18]
  • Unintentional insider threats may unknowingly aid adversaries to gain access to systems or exfiltrate data [18]
Finally, leaders should gain increased understanding of and seek to mitigate the vulnerabilities introduced by the use of social media, social engineering, and PII:
  • Adversaries use social media to gather intelligence and target Service Members, their families and others [4,16,17,19]
  • Social engineering is a highly effective and low-cost attack vector used by threat actors to bypass the most effective defenses to compromise systems and gain access to sensitive information [20]
  • Awareness and training are the most effective countermeasures [20]
  • Adversaries target PII to exploit financial and other personal interests of Service Members, their families and others [4]

Recommendations:

To counter the dual concerns of cybersecurity and OPSEC, leaders should foremost train their people, but also implement and enforce best practices. For cybersecurity concerns, the following recommendations will strengthen your ability to know your network and defend against the insider threat:

Protect Credentials
  • Implement the Principle of Least Privilege to limit account rights to the minimum required by the user [5,6,7]
  • Log and monitor privileged user activity and the use of administrative tools [6,7,12]
  • Enforce password management, since default, weak, or stolen passwords enable adversaries to gain access to and elevate privileges [12,21]
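The "log and monitor privileged user activity" recommendation above is only useful if someone actually reviews the records. The following script is an added example, not code from the guide or its author: it reads constructed sudo-style log lines, flags privileged commands run by accounts that are not on an approved administrator list, and records every use of an administrative tool regardless of who ran it. The log layout, the approved-administrator set, and the administrative-tool list are assumptions and placeholders to be replaced with local authorization data.

```python
"""Privileged-activity review over constructed sudo-style log lines.

Added example, not code from the guide or its author. Assumptions: lines use
the common sudo syslog layout shown in SAMPLE_LOG; APPROVED_ADMINS and
ADMIN_TOOLS are placeholders to be replaced with local authorization data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (not from any real system).
SAMPLE_LOG = """\
Mar  1 08:05:11 srv01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar  1 08:07:42 srv01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m contractor
Mar  1 08:09:03 srv01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Mar  1 23:41:19 srv02 sudo:   carol : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -w /tmp/cap.pcap
Mar  1 23:42:50 srv02 sudo:   carol : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cp /etc/shadow /tmp/shadow.bak
"""

# Placeholder authorization data: who may hold elevated privileges, and which
# commands count as administrative tools whose use should always be recorded.
APPROVED_ADMINS = {"alice", "bob"}
ADMIN_TOOLS = {"useradd", "usermod", "userdel", "passwd", "visudo", "iptables", "tcpdump"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    command: str
    reason: str


def parse_line(line):
    """Return the fields of one sudo log line, or None if it is not one."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def review_privileged_activity(log_text, approved_admins=APPROVED_ADMINS,
                               admin_tools=ADMIN_TOOLS):
    """Flag privileged commands run by accounts outside the approved set and
    every use of an administrative tool, whoever ran it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Executable name without its path: "/usr/sbin/useradd -m x" -> "useradd"
        tool = rec["cmd"].split()[0].rsplit("/", 1)[-1]
        if rec["user"] not in approved_admins:
            findings.append(Finding(rec["ts"], rec["host"], rec["user"], rec["cmd"],
                                    "privileged command by account outside the approved administrator list"))
        if tool in admin_tools:
            findings.append(Finding(rec["ts"], rec["host"], rec["user"], rec["cmd"],
                                    f"administrative tool used: {tool}"))
    return findings


def findings_by_user(findings):
    """Count findings per account so reviewers can see whom to follow up with."""
    return Counter(f.user for f in findings)


if __name__ == "__main__":
    results = review_privileged_activity(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason} ({f.command})")
    print(dict(findings_by_user(results)))
```

On the constructed sample, the two administrators' routine commands pass, the `useradd` by an approved administrator is recorded as tool use, and the non-approved account `carol` produces three findings. Matching on the executable name rather than the full command line keeps the rule simple, but it also means a renamed binary would not match; the approved-administrator check does not have that weakness, which is why both are applied.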

Defend Against the Insider Threat
  • Know your Service Members and employees
  • Know the behavioral indicators of malicious threat activity [18]
  • Employ security technology, including multifactor authentication, to detect and prevent insider attacks [12,18]

Even the most secure network can be compromised, thus it is essential to harden the network and introduce resiliency [4].
  • Disable unnecessary services. Unnecessary services provide potential avenues of attack for adversaries [6,7,21]
  • Disable use of insecure protocols (FTP, SNMPv1, Telnet, etc.). Insecure protocols transmit user names and passwords in the clear.
  • Identify systems that are not patched on a continuous basis and apply other risk mitigations, such as traffic filtering and network segmentation, to reduce their attack surface. Program of Record systems are an example, as they typically receive software updates and patches on a quarterly basis [21]
  • Prevent unauthorized devices from connecting to the network [6,14]. Unauthorized devices provide an avenue of attack for adversaries to gain access to systems or exfiltrate data [6,14]
  • Restrict physical access to network devices and infrastructure to the greatest extent possible [23]. Physical access enables a skilled adversary to quickly bypass technical security measures to gain full control of systems [23]
  • Develop Continuity of Operations Plans to operate despite degraded or disrupted communications [1,11]. Ensure communications Primary, Alternate, Contingency, and Emergency (PACE) plans enable mission command even in the event unclassified and/or one or more classified networks are compromised or disrupted [4,11]
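Two items in the hardening list above, disabling insecure protocols and preventing unauthorized devices, can be checked from the network's own connection records. The following script is an added example, not code from the guide or its author: it audits constructed connection records for traffic to the cleartext protocols the guide names (FTP, Telnet, SNMPv1) and for source devices that are missing from an authorized-device inventory. The record layout, the inventory, and the port-to-protocol map are assumptions and placeholders to be adapted to local data sources.

```python
"""Network hardening audit over constructed connection records.

Added example, not code from the guide or its author. Assumptions: records are
CSV lines in the layout shown in SAMPLE_RECORDS; AUTHORIZED_DEVICES is a
placeholder inventory; INSECURE_PORTS maps the cleartext protocols the guide
names (FTP, Telnet, SNMPv1) to their standard ports.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (not from any real network).
SAMPLE_RECORDS = """\
timestamp,src_mac,src_ip,dst_ip,dst_port,proto
2018-02-26T10:00:01,00:11:22:33:44:55,10.0.0.5,10.0.0.10,22,tcp
2018-02-26T10:00:05,00:11:22:33:44:55,10.0.0.5,10.0.0.20,23,tcp
2018-02-26T10:01:10,00:11:22:33:44:66,10.0.0.6,10.0.0.30,21,tcp
2018-02-26T10:02:00,de:ad:be:ef:00:01,10.0.0.99,10.0.0.10,443,tcp
2018-02-26T10:02:30,00:11:22:33:44:66,10.0.0.6,10.0.0.40,161,udp
"""

# Placeholder inventory of devices that are authorized to be on the network.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:55": "ws-alice",
    "00:11:22:33:44:66": "ws-bob",
}

# Cleartext protocols from the guide's list. Port 161 is shared by all SNMP
# versions, so a hit there means "verify SNMPv3 is in use", not "v1 confirmed".
INSECURE_PORTS = {
    (21, "tcp"): "FTP (credentials sent in the clear)",
    (23, "tcp"): "Telnet (credentials sent in the clear)",
    (161, "udp"): "SNMP (confirm SNMPv3; v1/v2c send community strings in the clear)",
}


@dataclass
class Finding:
    timestamp: str
    category: str
    detail: str
    record: dict


def audit_connections(records_csv, authorized=AUTHORIZED_DEVICES,
                      insecure_ports=INSECURE_PORTS):
    """Return one Finding per insecure-protocol use and per unknown device."""
    findings = []
    for row in csv.DictReader(io.StringIO(records_csv)):
        key = (int(row["dst_port"]), row["proto"].lower())
        if key in insecure_ports:
            findings.append(Finding(
                row["timestamp"], "insecure_protocol",
                f"{row['src_ip']} -> {row['dst_ip']}:{key[0]} {insecure_ports[key]}", row))
        if row["src_mac"].lower() not in authorized:
            findings.append(Finding(
                row["timestamp"], "unauthorized_device",
                f"unknown device {row['src_mac']} at {row['src_ip']}", row))
    return findings


def summarize(findings):
    """Count findings per category for a quick leader-level summary."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = audit_connections(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.timestamp} [{f.category}] {f.detail}")
    print(dict(summarize(results)))
```

On the constructed sample, the SSH and HTTPS connections from inventoried devices pass, the Telnet, FTP and SNMP connections are reported as insecure-protocol findings, and the one source address absent from the inventory is reported as an unauthorized device. Port-based matching is a first-pass check: a service on a non-standard port is not caught, and the SNMP hit is deliberately worded as something to verify rather than a confirmed SNMPv1 exposure.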
As outlined in this guide, a single weak security practice can result in the widespread compromise of a network or information system. Protecting network-dependent warfighting and other essential functions requires incorporating cybersecurity and OPSEC into all phases of operations. Like good OPSEC, effective cybersecurity requires the development and promotion of an organizational culture that is cyber risk and adversary threat aware, and that emphasizes and enforces standards and practices that minimize vulnerabilities to Department of Defense and corporate networks, systems, and information [3].

About the Author

Major Michael Senft is a Functional Area 26A Information Network Engineering Officer and has multiple deployments in support of Joint and Special Operations units. He holds a Master's Degree in Computer Science from the Naval Postgraduate School and a Master's Degree in Engineering Management from Washington State University.

End Notes

1. U.S. Department of the Army. (2014). The Army Operating Concept: Win in a Complex World. TRADOC Pamphlet 525-3-1. Retrieved from

2. U.S. Army Asymmetric Warfare Group. (2016). Russian New Generation Warfare Handbook. Retrieved from (CAC Login Required).

3. U.S. Army Chief Information Office/G-6. (2015). Leaders Information Assurance/Cybersecurity Handbook. Retrieved from

4. R. Leonhard. (2016). The Defense of Battle Position Duffer – Cyber Enabled Maneuver in Multi-Domain Battle. Retrieved from (CAC Login Required).

5. R. Joyce. (2016). Disrupting Nation State Hackers. USENIX 2016 Presentation. Retrieved from

6. Center for Internet Security. (2016). Critical Security Controls for Effective Cyber Defense. Retrieved from

7. National Security Agency. (2015). NSA Methodology for Adversary Obstruction. Retrieved from

8. FireEye. (2016). Spear-Phishing Attacks: Why They are Successful and How to Stop Them. Retrieved from

9. Defense Security Service. (n.d.). Common Cyber Threats: Indicators and Countermeasures. Retrieved from

10. FireEye. (2015). Zero-Day Danger. Retrieved from

11. BG P. Frost and M. Hutchison. (2015). Top 10 Questions for Commanders to Ask About Cybersecurity. Retrieved from

12. Verizon. (2016). 2016 Data Breach Investigations Report. Retrieved from

13. P. Stone and A. Chapman. (2015). WSUSpect – Compromising the Windows Enterprise via Windows Update. Retrieved from

14. U.S. Department of the Navy. (2014). Commander's Cyber Security and Information Assurance Handbook. COMNAVCYBERFORINST 5239.2A. Retrieved from

15. National Security Agency. (2016). JCMA Findings and Trends – 2016 Information Assurance Symposium. Retrieved from

16. CrowdStrike. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved from

17. U.S. Computer Emergency Readiness Team. (2011). Cyber Threats to Mobile Phones. Retrieved from

18. National Cybersecurity and Communications Integration Center. (2014). Combating the Insider Threat. Retrieved from

19. Wired. (2017). Meet Mia Ash, the Fake Woman Iranian Hackers Used to Lure Victims. Retrieved from

20. U.S. Department of State Overseas Security Advisory Council. (2015). Social Engineering: Threats and Best Practices. Retrieved from

21. U.S. Army Cyber Center of Excellence. (2016). Cyberspace Operations Bulletin 16-13. Retrieved from (CAC Login Required).

22. U.S. Army Communications-Electronics Command (CECOM) Software Engineering Center. (2014). Software Engineering Center Productions and Services Catalog. Retrieved from

23. D. Ollam. (2008). Ten Things Everyone Should Know About Lockpicking & Physical Security. Retrieved from

Image credits (in order of appearance): Pixabay, Moody Air Force Base, U.S. Department of Defense