The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players, but numerous athletes from other sports whose drug test results were seized by government investigators in 2004. Yet the entire story might never have existed had good OPSEC practices been in place.
OPSEC – an acronym for Operations Security – is one of the cornerstones of counterintelligence strategy. The Department of Defense definition of OPSEC (.pdf) is “a process of identifying critical information and analyzing friendly actions . . . and other activities to (1) identify actions that can be observed by adversary intelligence systems, (2) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries, and (3) selecting and executing measures that eliminate or reduce… the vulnerabilities of friendly actions to adversary exploitation.” But OPSEC does not just apply to military organizations. It should be a foundational principle for all security architecture.
To understand what OPSEC has to do with A-Rod and information security, it is necessary to understand why federal prosecutors subpoenaed Major League Baseball’s (MLB) drug tests in the first instance. In 2003, as a result of an agreement between MLB and the players’ union, all MLB players were tested for steroid use in an effort to determine the scope of the problem in baseball. According to the agreement between the league and the players’ union, the test results were to remain confidential and would be destroyed following their completion. The results were positive for steroid use in 104 of 1200 players tested.
At the same time, federal investigators were looking into an entity called Bay Area Laboratory Co-operative (BALCO), which by then was suspected of providing steroids to a number of Olympic, NFL, and MLB athletes (including Barry Bonds). Approximately one week after the MLB steroid tests had been completed and the results reported, federal prosecutors served a subpoena for the results relating to 10 named MLB players. While the baseball players’ union (the MLBPA) moved to quash the subpoena, it could not destroy the test results after having received the subpoena. Then, in 2004, the government’s BALCO investigation team obtained a warrant to search the premises of drug testing firms Comprehensive Drug Testing (CDT) and Quest Diagnostics, which had performed the 2003 MLB tests. Among the items seized in that 2004 search was a data file containing not only the results of all 1200 MLB players’ tests, but also those of numerous other people unrelated to baseball. Since then, the labs and the players’ union have been engaged in legal efforts to prevent the government from using the information in the data file to obtain additional warrants and to issue subpoenas based on those results. That is the issue currently before the Ninth Circuit. However, in February 2009 information that A-Rod was one of the 104 previously unnamed players was leaked to the press from an unnamed source, and reported in Sports Illustrated.
While the process that led to the A-Rod revelation has received extensive press coverage, there has been surprisingly little focus on the week between the players’ union’s receipt of the 2003 test results and the subpoena. In its official statement (.pdf), the players’ union explained that the destruction process was underway when the subpoena was served but had not been completed, and so had to be suspended in light of the subpoena. But could destruction of the test result data and samples really have taken five days? Could it have required more than five hours?
It is easy to miss the lessons of this story. After all, most of us sympathize with government officials seeking to root out use of performance-enhancing drugs in professional sports. And the "victims" here — baseball players caught cheating — are not entirely sympathetic. But what if, instead of steroid testing data disclosed to the government pursuant to a subpoena, this case involved hackers stealing personal medical information that, like the steroid testing data, was retained for longer than necessary? In both scenarios, effective OPSEC could have avoided the disclosure of this information altogether. Using the steroid example, for instance, it is difficult to see why the players’ union did not recognize that the test results were, to borrow from the OPSEC definition, “critical information” that could “be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries,” especially in light of the then-ongoing investigation into BALCO and the widespread public suspicion that a number of MLB players were using steroids. Identifying sensitive information and disposing of it when no longer necessary is an OPSEC principle that appears to have failed here.
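The retention principle above is easy to state and easy to get wrong in practice, so here is an added example (not from the original article or the parties it describes) of how a system can enforce it: each record carries the moment its purpose was served, a policy says how long it may live after that, and a legal hold suspends destruction only for the subjects the hold actually names. The script then runs the same expired dataset twice, once with a hold scoped to ten named subjects and once with a blanket "we received a subpoena, stop everything" hold, to show how much data each approach leaves lying around. All record identifiers, counts and dates are constructed for illustration; the 1200/104/10 figures simply mirror the numbers quoted in the article.

```python
"""Retention enforcement with a scoped legal hold.

Added example, not code from the original article.  Every record, subject
identifier and date below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class TestResult:
    record_id: str
    subject_id: str          # pseudonymous player identifier (constructed)
    positive: bool
    completed_at: datetime   # when the result was reported, i.e. purpose served
    destroyed: bool = False


@dataclass
class RetentionPolicy:
    # How long a record may live after its purpose is complete.  Zero means
    # "destroy on completion", which is what the league/union agreement required.
    keep_after_completion: timedelta = timedelta(0)


@dataclass
class LegalHold:
    # Subjects explicitly named by a subpoena.  blanket=True models the failure
    # mode: a subpoena for a few subjects halting destruction of every record.
    subjects: frozenset = field(default_factory=frozenset)
    blanket: bool = False

    def covers(self, rec: TestResult) -> bool:
        return self.blanket or rec.subject_id in self.subjects


def apply_retention(records, policy, holds, now):
    """Destroy every record past its retention window that no hold covers.

    Returns (destroyed_ids, held_ids).  Destruction here flips a flag and blanks
    the sensitive payload; a real system would also wipe samples and copies.
    """
    destroyed, held = [], []
    for rec in records:
        if rec.destroyed:
            continue
        due = rec.completed_at + policy.keep_after_completion
        if now < due:
            continue                      # still within its retention window
        if any(h.covers(rec) for h in holds):
            held.append(rec.record_id)    # preserved only because a hold names it
            continue
        rec.destroyed = True
        rec.positive = False              # blank the sensitive payload
        destroyed.append(rec.record_id)
    return destroyed, held


def build_sample(n=1200, positives=104):
    """Constructed dataset: n results completed the same day, first `positives` positive."""
    completed = datetime(2003, 11, 13)     # illustrative date, not taken from the article
    return [TestResult(f"R{i:04d}", f"P{i:04d}", i < positives, completed) for i in range(n)]


def scoped_vs_blanket(n=1200, positives=104, named=10):
    """Run the same expired dataset under a scoped hold and under a blanket hold."""
    policy = RetentionPolicy()             # destroy on completion
    now = datetime(2003, 11, 20)           # a week after completion, nothing yet destroyed
    scoped = LegalHold(subjects=frozenset(f"P{i:04d}" for i in range(named)))
    blanket = LegalHold(blanket=True)
    d1, h1 = apply_retention(build_sample(n, positives), policy, [scoped], now)
    d2, h2 = apply_retention(build_sample(n, positives), policy, [blanket], now)
    return {"scoped": (len(d1), len(h1)), "blanket": (len(d2), len(h2))}


if __name__ == "__main__":
    for mode, (gone, kept) in scoped_vs_blanket().items():
        print(f"{mode:8s} hold: {gone:4d} records destroyed, {kept:4d} retained")
```

With the scoped hold only the ten named subjects' records survive; with the blanket hold all 1200 remain, which is the situation that later let a single seized file expose everyone. The other half of the lesson is the `keep_after_completion` of zero: if `apply_retention` had run the moment the results were reported, there would have been nothing left to hold a week later.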
Today, many corporations and other organizations are focused on e-discovery and classical business intelligence problems. To borrow terms from the intelligence cycle, these are primarily "collection" and "analysis" challenges. They involve managing information and data in support of efforts like business analytics, or to improve a company’s ability to meet its compliance and discovery obligations. The MLBPA’s citation of the subpoena as justification for retaining testing information probably resonates with anyone handling similar responsibilities in a corporation.
But the complementary discipline of counterintelligence, including sound OPSEC practices, is not yet receiving enough attention. We measure the utility of data today in minutes and seconds where once we thought in days and weeks. Our OPSEC practices and tools should reflect that fact. And while OPSEC can be enhanced with the right expertise and technology, it is an enterprise-wide responsibility. It must become a mindset — not an action item assigned to a single person or team. Emerging regulatory efforts at the state and federal level will have important implications for the structure and limits of future OPSEC efforts, but that is no reason to delay the adoption of sound OPSEC measures now.
- ESPN.com articles covering the A-Rod story and referred to in this piece can be found here, here, here, and here.
- The Department of Defense definition of OPSEC is contained in DoD Directive 5205.02, accessed from the Federation of American Scientists website here.
- The Internet Engineering Task Force’s (IETF) discussion of OPSEC can be found here.
- Additional information concerning BALCO, CDT, and Quest Diagnostics (respectively) can be found here, here, and here.
- Publicly accessible copies of papers submitted to the U.S. Court of Appeals for the Ninth Circuit in the case discussed herein can be found on that Court’s website here.
- The original Sports Illustrated article that broke the A-Rod story is located here.
- The MLBPA official statement regarding the disclosure of drug testing results can be found here.