What SMEs can learn from black ops tactics about secrecy and data security
9 min read
27 March 2017
Warning. Restricted area. Deadly force authorised: This is the black ops sign that greets visitors to Area 51 – the top-secret US military base deep in the Nevada desert made famous by the TV series The X-Files.
Understandably, very little is known about what black ops goes on in Area 51. But what we do know is that it involves the development of aircraft and weapons like the ground-breaking Lockheed SR-71 spy plane, the F-117 Stealth Fighter and the Northrup RQ-180 stealth drone that are products of the US government’s highly classified “black programmes.”
Forget the PR spin of DARPA; these are ultra-hi-tech research projects that won’t find themselves in the pages of Wired magazine until they are already in frontline service.
These black ops programmes are so secret that their existence is hidden from the prying eyes of politicians and buried deep within the US defence budget. Journalists’ best guess is that these programmes account for about ten per cent of the entire US defence budget.
Remarkably in this era of Russian and Chinese cyber attacks, Area 51, to the best of our knowledge, has never been hacked and in the 60 years of operations on the Area 51 test site there has never been a single whistleblower revealing current operations whose credentials can be verified.
“There is the misperception, which is continuously reinforced and perpetuated by politicians and the media, that nothing leaks as badly as Washington and that there are no real secrets,” says Armin Krishnan, the University of Texas at El Paso , in the Journal of Strategic Security.
“Overall it can be said that the US government is not only able to keep secrets, but has a very impressive track record keeping secrets. Some ‘black’ intelligence and weapons development programs were successfully kept from the public for decades.”
With Donald Trump promising to increase defence funding, what can small businesses learn from the techniques used by Area 51 and Britain’s own “black programme” headquarters, GCHQ, about how to keep their own black ops secret?
While the threat of lethal force is certainly not an option for businesses, there are other cautionary lessons for businesses to learn from the less lethal tactics used by black ops programmes.
Sharing fake stories on social media, for instance, to protect their secrets is an obvious and well-known tactic used by many intelligence agencies.
The conspiracy theories that swirl around Area 51, and other covert programmes, make it hard for anyone to write about these stories without sounding like a conspiracy theorist themselves.
The CIA is widely believed to have organised misinformation campaigns during the 1950s and 1960s to disguise the goings on at Area 51 and other air bases.
The CIA itself has admitted that flights by the U2 spy plane “accounted for more than one-half of all UFO reports during the late 1950s and most of the 1960s.”
While it’s not a good idea for an SME to deliberately spread misinformation about themselves – as if they had the time or money (!) – it’s worth remembering that not everyone plays by the same rules. Keeping an eye out for fake news, possibly spread by competitors, is something to be mindful of.
If a news item appears that contains inaccurate, fake or disparaging information about a business, like it or not, the falsely accused business may need to respond before things spiral out of control.
On the next page, find out how black ops tactics fit into remote working and more.
If that is still too extreme then there may be lessons in the physical isolation of AWE in Aldermaston (and, Los Alamos, birth place of the atomic bomb, and in England, of Bletchley Park, which was the precursor of GCHQ).
- Seclusion and isolation make it hard for information to leak about projects you are working on.
It’s great to be a startup based near Silicon Roundabout or Silicon Valley, but if you say something that you shouldn’t over a drink at a party that information will spread as fast as a WhatsApp message.
Perhaps it’s time to set up a base in the foothills of the Welsh Black Mountains, or a small village in rural Montana?
Thinking inside the box
If careless talk can cost lives – as it were – then keeping knowledge about your innovative new product compartmentalised might just work. This is the classic black programme technique of keeping information disintegrated and on a strictly need-to-know basis.
While this has been parodied in many movies, the principle is sound. If you have no knowledge about the project beyond what you are working on (and you may not even know that you are part of a bigger project) then information can’t leak out, or at least it can’t easily be pieced together.
At Area 51, the use of contractors helps to reinforce these compartments – by restricting the information each contractor has access to – and the weight of non-disclosure orders. Having said that, Edward Snowdon was a contractor, so no solution comes without its risks.
More easily applied black ops tactics
Many of us will have witnessed the scene in Rogue One: A Star Wars Story where Cassian Andor and Jyn have to try and guess which filename hides the plans of the Death Star: well, that is a classic black programme technique.
You never use the real name of the project as filenames or even in documents. You just use code words – and never the nickname of your daughter.
However, some of the most effective tactics used by black programmes to prevent being hacked in addition to conventional cyber security measures may be the easiest to copy but the hardest to stick to.
It is rumoured that the USB ports on employees’ computers are super glued up. Too far? Bradley Manning and Edward Snowden were able to just plug in a USB stick and download all the files.
No home work
Another tactic is banning staff from taking work home. Then they can’t leave their laptop – or the latest iPhone prototype – in a bar by mistake. The most effective though is reported to be simply pulling the plug and disconnecting all its computer systems from the interconnected world.
But the weakest link in any company are the employees. Finding a member of staff that can be manipulated for some reason makes an easy target, much simpler than hacking.
“For small and medium businesses – who may have very limited budgets, time and resource – principles and simple tactics can be borrowed from the intelligence services: from restricting who can access files and data with which device and from what location, to disabling USB ports and disconnecting devices entirely from a network,” said Tony Anscombe, senior security evangelist, AVG Business.
“Applied consistently through a company of any size, these tactics can keep your most confidential projects and data confidential.”
If it ain’t broke…
Physical isolation, building silos rather than breaking them down, and even working from home all go against what we are told are the best ways to encourage creativity, but they have helped to keep black ops black.
Tony Anscombe is senior security evangelist from AVG Business