OPSEC Needs to Be Part of University Curriculum
Researchers, it needs to be part of your research methods.
As I approach the end of the PhD process, I have been reflecting on what I have accomplished, where I have failed and what I would change or like to change about my field. There is one thing that has stood out to me: in our field of research, academic institutions have failed me and my peers in providing us with the methods and knowledge to safely conduct our research. This is something that I want to work towards changing, as I now consider what to do post dissertation.
When I started my doctoral adventure, I was interested in the nexus of how ISIS used technology to recruit people to their cause and how they used or didn’t use religion to inspire people to acts of violence. Like any academic, I was keen to jump into the topic and I therefore did what any young scholar with more will than wits does: I created a fake account and started going into ISIS ecosystems on Twitter, Facebook and subsequently on Telegram. As my studies went on, the focus of my doctoral research shifted, my methods of research shifted, and the threats I faced in doing research in violent extremist and terroristic milieus changed. Throughout, operational security (OPSEC) was never part of the curriculum or the methodologies that were taught; it was never mentioned in the books or articles I read by academics, nor was OPSEC part of the conversation I had with the majority of my peers and/or professors before or during my research.
Now this is not unique to my university; rather, it is a gap in programs that have students doing research on terrorism, violent extremism, foreign interference, disinformation, security studies, etc. As part of the graduate studies process, we go through broad ethics and methodological training related to our fields of research. We are taught how to apply for ethics, how to gather data, how to analyze it and interpret it. Yet not once was I ever taught about the risks I was exposing myself to, nor how to evaluate the environment and topic of research for potential threats to myself, family and peers. To that end, there is an important need to implement institutional changes about the safety of academics researching topics that involve dangerous actors.
As time has gone on, I have had to learn about OPSEC and how to safely do research on my own. I have done this by reading and by being a member of the OSINT community, and I have been privileged to have exceptional professional experiences that offered me learning opportunities about OPSEC. I am privileged to have the technical know-how and to have received training on how to protect myself, yet this is not the norm for my peers in the field who do not have the same technical know-how I have or the same learning opportunities I have been afforded. So what can be done about it?
1) Institutional Barriers
There is a lack of awareness in academic institutions about the need to protect researchers when they are doing research about topics related to threat actors. There is an advocacy role here for both students and professors to work together in raising awareness about this need, as well as finding ways to include OPSEC as part of a methods course, either by inviting subject matter experts to come in and speak to your students about the topic, or teaching it yourself. OPSEC for researchers is something I would love to see taught at university, or at a minimum have professors in this space make OPSEC part of their curriculum.
2) Secrecy and Mysticism Around Operational Security
Subject matter experts rarely disclose publicly what their OPSEC procedures and methods are, and there are valid reasons for this: in particular, disclosing your OPSEC tactics, techniques and procedures can make you vulnerable to threat actors, as they will know what they need to circumvent. I have not publicly shared about my own OPSEC practices as I know threat actors read my work and my posts and I want to limit any vulnerabilities I may have. However, I think subject matter experts can do more to teach the methods behind OPSEC. Subject matter experts also need to improve how they communicate about OPSEC to a non-technical audience, or where to find resources on this topic for those who are not in the OSINT community.
Now all hope is not lost, as there are amazing people and organizations who already do so much publicly available work on this topic, but they are not widely known in the academic community. Here are a few of the many amazing people I follow and read on a weekly basis (this is not exhaustive and represents more my personal preferences): OSINT Curious, OSINT Techniques, Bellingcat, Nixintel, Dutch OSINT Guy, Sector035, Trace Labs, Lorand Bodo, Sinwindie, etc.
3) Personal Effort
As with any field or topic, there is a need to take measures into your own hands. Ultimately no one can care for your OPSEC except yourself. Your safety and security need to be tailored to your own situation, structured around the work you intend to do now, and adapted to the work you will do in the future. There is a method that needs to be learned and understood, and that can be taught. How that is adapted and implemented is up to you as an individual. This means there is a certain amount of effort you need to make, habits to break, and new habits to learn. However, the barrier to entry for developing and implementing your OPSEC has lowered with time and there are several free tools, guides, and methods that are available to the majority of researchers.
What are My Considerations?
What do I tell my friends and colleagues who come and ask me about how to be safe when doing research online, and what tools I use and need? I never have an off-the-shelf answer, as it always depends on a) what is your research question, b) what is your subject of research, c) where is this research taking place. Researchers therefore need to learn to develop a threat model tailored to their research questions and objectives, and know how to adapt their OPSEC in light of this.
When I started my doctoral research my considerations were different than today: I was not a known researcher nor very active on social media. To answer my research question I was scraping data to collect social media data on Twitter and Facebook via their APIs, therefore limiting harm to my operational security. The threat actors, members and supporters of ISIS, were, for the most part, in theater abroad. I was not very worried about these actors coming to my house, nor was I actively publishing my research on social media. Since the research was being done online, and not in person, my safety considerations were to work from a virtual machine, connected to a Tor box, and to use a VPN in the VM.
Today my considerations are different. I am no longer an unknown researcher, I have a modest following, I am published and have a presence on social media. The threat actors I am focusing on have changed and are mostly present domestically. These actors search out and read any research and articles published about them. They actively seek to dox and harass researchers and their families (I know of friends who have gone through this). As a husband and father I do not only have to think of my own safety, but also that of my partner, my children, my parents and my siblings. To that end, I have deleted most of my personal socials, I do not interact with my family online and rarely post about them.
Your considerations will be different than mine based on where you live, your topic of research (non-state vs state actor, domestic or foreign, etc.), your gender, race, identity group, age, religious practices, etc. As part of my effort to be a public scholar, I will work on developing basic OPSEC guides for researchers. I will begin to share some basic tips and guides for the academic community. I will be happy to share my knowledge with any researcher (feel free to reach out) or help any professor seeking to include this as part of their curriculum, in order to make our field safer, especially for new and young scholars.