Operational security is a systematic process that identifies critical information and determines how adversaries could exploit vulnerabilities to gain an advantage. It is designed to prevent inadvertent disclosure of sensitive or classified information that could compromise missions or personnel. Operational security subsets include information technology (IT) security, which focuses on securing digital assets and networks from unauthorized access, and information security, which ensures that sensitive data remains confidential and protected from cyber threats. Operational security has traditionally protected operational plans, troop movements, and technological capabilities from adversarial exploitation. In the digital era, it should extend further to include routine personnel and administrative information.
Operational security is drilled at every stage of military training. From annual training to security and classification briefs, service members learn that protecting information is crucial to preserve the integrity and safety of operations. This might mean limiting information family members post about a service member’s deployments and activity abroad. In the field, operational security might call for destroying documents or other items that could expose planned or pending operations.
Yet the Marine Corps does not follow recommended operational-security practices in the context of information and IT security. Its habit of publishing detailed administrative information and personnel data presents significant risks, especially when paired with out-of-date IT systems and lackluster cybersecurity controls. Further, in no other nation does a force make so much information publicly available about military personnel, policy, and procedures as the Marine Corps does. This practice should be reviewed. Choosing to accept risk to disseminate information requires a full understanding of the possible effects on the force. Maintaining an open and uncontrolled information posture increases the likelihood that an adversary will illicitly access unclassified administrative systems and access data that will degrade force readiness.
Unsophisticated Practices
Until November 2024, the Marine Corps posted on a publicly accessible website a consolidated list exposing the identity, rank, precedence, and service component of every Marine officer. Marine Corps administrative systems often use a template username that combines the user’s first, middle, and last names and lacks multi-factor authentication. This exposes most Marine Corps public-facing systems to brute-force penetration. Such poor security practices fail to protect the service’s administrative systems and the troves of sensitive data held there. If a Marine exhibited comparable lapses, he or she would be reprimanded. The Marine Corps should reconsider its information-security practices for many routine unclassified communications to the force.
Organizations sometimes decide the need to communicate quickly and effectively is greater than the need to protect information. Marine Corps policy, administration, and strategy pronouncements are often communicated openly via press releases, administrative publications, or unit social media. For example, Force Design 2030 and its annual updates are unclassified and uncontrolled documents; so is the Tentative Manual for Expeditionary Advanced Base Operations. Marine Corps warfighting manuals and publications are the same, as are all Marine Corps promotion, selection, and other major administrative and personnel announcements. These updates are published as MarAdmins, and they show any researcher an electronic history of the Marine Corps dating back to 2000. The Marine Corps has decided it is more valuable to ensure these written products are accessible to every Marine than it is dangerous to put them in the hands of competitors.
The risk is that this data, when aggregated, paints a clear picture of the Marine Corps’ operational posture and personnel status. It reveals the identities of military personnel filling critical roles; selectees for competitive top-level schools; and high-performing intelligence personnel. Artificial intelligence-powered data analysis makes the risks even greater by lowering the difficulty of harvesting this aggregated institutional information for operational insights.
Given the data the Marine Corps makes public about its personnel and the substandard security on its core administrative systems, even a relatively unsophisticated actor could disrupt operations and steal sensitive information.
Standard Procedure, Devastating Breach
A hypothetical example shows how mundane publications could lead to devastating information breaches. Before the Marine Corps controlled distribution of the officer precedence list in November, this document was published on a public-facing website. The list shared the name and rank order of every Marine Corps officer. Anyone on the internet could download the document and compile the names of all 29,418 officers. With that information, and knowing that the username template for Marine online systems is [first initial][middle initial][last name], a researcher could compile every MOL username for every officer.
This system is uniquely vulnerable because of its overly stringent password requirements and its obvious lack of multi-factor authentication. The system requires that user passwords must be at least 12 characters and must include special characters, uppercase characters, lowercase characters, and numeric characters—and they must be changed every 60 days. Because of these requirements, users likely turn to physical-pattern passwords such as “zaq1wsx2ZAQ!WSX@” that follow a specific and memorable pattern across the keyboard. A user could use a tool such as John the Ripper to identify the patterns that best fit each case. The researcher could then test how many attempts it took to lock an account and prepare to try one fewer than that number of passwords per each username. At that point, it would become a simple matter of automating the brute-force testing of the system. The system’s resilience might depend on a factor as banal as the number of officers who use a common physical-pattern password because they are fed up with remembering yet another complex sequence.
Once the researcher got access to those accounts, they could seek information about the rest of the Marine Corps. This is where the value of the attack could start to build. If the researcher were especially lucky, one of the first accounts accessed would be someone in an administrative role as an adjutant or administrative specialist. That individual’s elevated privileges would allow the researcher to automate and collect enterprise-level data, including every Marine’s social security number, address, or family information. This breach could be devastating.
Risk Reduction
The Cybersecurity and Infrastructure Security Agency (CISA) recommends several best practices for password security to mitigate cyber threats. In its guidance document “Choosing and Protecting Passwords,” CISA recommends organizations implement policies that discourage the frequent forced rotation of passwords, as this can lead to users choosing weak or repetitive patterns. CISA also emphasizes the importance of multifactor authentication to add an additional layer of security. Strong multifactor authentication prevents unauthorized access even if passwords are compromised. Military systems infrequently adhere to these best practices. They ought to do so as a matter not only of information security, but of operational security.
The Marine Corps watches, studies, and analyzes potential adversaries’ weaknesses. It should expect those who see the Marine Corps as a threat will do the same. Adversaries are no longer isolated terrorist cells—they are sophisticated, state-sponsored cyber actors. The Marine Corps must do more to protect Marines’ information and its own systems. Simple proactive measures can reduce the risk. Following CISA-recommended cybersecurity practices would be a start. The Marine Corps and other services also should reconsider the risks of continuing to openly publish critical information.
