OPSEC for NGOs

     The recent (and ongoing) abduction incident in Niger is an interesting case study. In summary, two trucks loaded with armed men arrived at a CARE guest house in Dakoro. The gunmen forced their way past the guard, abducted five aid workers and a driver, and escaped toward Mali. During the preliminary investigation, officials learned the kidnappers were looking for an Italian; who was supposed to be staying at the guest house. The fortunate Italian, who was unaware of the threat, had spent the night elsewhere. When the frustrated kidnappers couldn't find him, they seized staff members of the Niger-based NGO Befen and the Chadian health group Alerte-Sante instead. (Our hopes for a speedy and successful resolution go out to the abducted, their friends, families, and colleagues.)

     This certainly did not appear to be an opportunistic crime. The kidnappers knew about the guest house and that an Italian male was staying there. They had to get their information from somewhere, which prompts this brief discussion of Operations Security.

     Operations Security (or OPSEC as the military and intelligence communities like to call it) is the process of identifying, controlling, and protecting information that could be used by someone that wants to cause harm or loss to your organization and its operations. The classic operations security process consists of five steps:

Identification of Critical Information – The first step is determining what information is critical. This is any information that someone planning harm against your organization could benefit from. Some examples of critical information include:

• Guest house locations
• Meeting schedules
• Office floor plans
• Travel itineraries

Analysis of Threats – Quite simply, who might want to cause your organization harm or loss and why? While the focus is usually on external threats, don’t forget about insiders who may be working with external actors for personal or political reasons. (Insider threats are an uncomfortable subject to discuss, and are worthy of a dedicated, future blog post.)

Analysis of Vulnerabilities – Once you’ve identified types of critical information and those who might benefit from it, the next step is to determine how this information might be compromised. Here are a few "lessons learned" examples of how critical information has been unintentionally disclosed:

• Food aid distribution plans discussed in a public place
• Photos of an office showing security measures posted on a Facebook page
• A travel itinerary placed on an office bulletin board that could be seen from an outside window
• A list of staff names and residence addresses left on a desk after working hours

Assessment of Risk – Next, think about how likely is it that someone may acquire and take advantage of critical information? And if they do, what are the potential impacts? The severity of the risk should help you decide what actions to take; and how quickly.

Application of Appropriate Operations Security Countermeasures – The final step is implementing countermeasures that prevent or reduce the chances of critical information being compromised. Refer back to the vulnerabilities you have identified and apply fixes through policies, procedures, and education efforts. For the examples above, countermeasures could include:

• Being careful when talking about critical information in public places
• Avoiding posting critical information on the Internet
• Keeping travel itineraries known only to a few people
• Locking up critical information at the end of the day

     Like many other security processes, operations security is not a onetime event. Threats, vulnerabilities, and risk should be assessed regularly (always rely on context and common sense to determine how much to be concerned and how best to respond). Additionally, ensure that all staff are aware of why operations security is important. In high risk environments, consider extending this awareness to staff members’ families.

     During World War II, posters like the one above appeared across the United States with the catchy slogan, "Loose Lips Sink Ships" (otherwise, unguarded talk about critical information might find its way to enemy submarines; with significant consequences). In a nutshell, that’s what OPSEC is all about. And in some cases, the process can be just as important to humanitarian organizations as it is to governments.

Blowout Kits for NGOs

We are all products of our own experience. As a former Emergency Medical Technician and member of a federal Disaster Medical Assistance Team, I often find myself spending extra time and effort considering medical-related threats. Injury and illness are common on-the-job hazards for humanitarian workers and the more risks you can mitigate, the better.

An area I’ve always been interested in is treating trauma; when the body receives a serious injury from an accident or act of violence. One of the leading causes of death in conflict zones and developing world vehicle accidents is bleeding. If a major artery is compromised, a person can potentially die in a few short minutes if external bleeding is not promptly stopped.

While basic first aid classes teach bleeding control, unfortunately most do not discuss commercial supplies specifically designed to stop blood loss. One of the few positive byproducts of the wars in Iraq and Afghanistan has been advances in military battlefield medicine; especially in regard to bleeding control. Revised protocols and new products have successfully reduced the number of fatalities from bleeding wounds.

Of particular interest to the humanitarian community are blowout kits; supplies purposely designed to treat bleeding, either for performing first aid on yourself or someone else. These kits are widely used by military forces and private security providers. Their effectiveness also makes them worthy of consideration by humanitarian organizations; either inside vehicles or carried by staff in conflict zones; the kits' small size and light weight mean they can readily fit in a pocket, purse, pack, or bag.

I’ve hesitated recommending commercial versions of blowout kits to NGOs in conflict zones because they look too military-like (the pouches come in camouflage or tactical colors). Additionally, the kits often contain other supplies that require advanced training (like inserting an airway adjunct or performing a needle chest decompression).

Recently, I was pleased to see that one of my favorite austere medical supply sources, Chinook Medical, is now offering a much more neutral looking, civilian-oriented blowout kit. It only contains bleeding control supplies, no airway adjunct and decompression needle are included, and is reasonably priced at $31.49 USD. You can check out the details here.

I really like the contents of these kits and am starting to recommend them to organizations for field use. (It's worth noting that the packages of the individual supplies have instructions, but there's no overall guidance on when to use what; for example under what circumstances should you use the QuikClot sponge instead the compressed gauze. I'd suggest some basic first aid training to go with the kits as well as attaching a simple reference card written by someone with an appropriate level of medical training on what to use for treating various types of bleeding.)

These types of kits should be widely adopted by the humanitarian community. They're cheap, easy to use, and could save a life.