By Mike Moser
Somewhere in a classified archive, a purple dragon was quietly guarding one of the most important security lessons ever learned by the United States military. It didn’t breathe fire, nor did it hoard gold. It was protecting something far more valuable: the principle that knowing what your adversary can see, before they use it against you, is the difference between mission success and catastrophic failure. And the discipline it gave birth to belongs in every election office in America.
From the Jungles of Vietnam to Your Election Office
In 1966, the U.S. military faced a problem in Vietnam. Despite careful planning and its best efforts at the time, some operations were failing. Enemy combatants seemed to anticipate strikes before they arrived. A classified investigation, codenamed Operation Purple Dragon, was authorized to find out why.
The answer was unsettling. Enemy combatants weren’t breaking U.S. security protocols. Rather, they were harvesting unclassified, overlooked details: flight plan notifications, air traffic advisories, radio patterns, and more. Individually, each piece was harmless. Together, they handed adversaries a more detailed understanding of American operations and planning. Operation Purple Dragon implemented countermeasures, and enemy combatants’ understanding of airstrikes dropped significantly. Thus, operations security, or OPSEC, was born.
OPSEC would become a mandatory practice across all U.S. military commands and was later extended to government agencies with a nexus to national security. The core lesson: it isn’t enough to protect your secrets. You have to understand what an adversary can learn from what you don’t think of as a secret at all.
This is exactly where OPSEC applies to elections, which are highly visible and scrutinized events that malicious actors see as opportunistic targets. CISA’s 2024 Guide to Operations Security for Election Officials defines the discipline as a systematic approach to identifying and protecting sensitive information, data, and capabilities. Without robust safeguards, that information can be inadvertently or deliberately exposed, jeopardizing election workers’ ability to do their jobs, compromising voter PII, and enabling unauthorized access to election infrastructure.
A key principle is aggregation. CISA refers to individual data points as “indicators”: seemingly innocent pieces of information that, when combined, reveal vulnerabilities. A staffing schedule visible in an online photo. A vendor name in a press release. A photo from a ballot storage facility. Alone, each is innocuous. Together, they can hand a threat actor a roadmap.
The OPSEC Process
CISA’s guide provides a repeatable framework that election offices can apply, and should apply continuously, because threat actors are always looking for new opportunities.
- Step 1: Identify Sensitive Information
  - For example, what information or data could be valuable to a malicious actor, either on its own or in aggregate with other information? (e.g., staff schedules, staff directories, equipment storage locations, vendor names, etc.)
- Step 2: Understand Threats
  - Be knowledgeable of the various threat actors, such as foreign adversaries, that may use your information or data.
- Step 3: Identify Vulnerabilities
  - Examine potential risks by considering how malicious actors might use your information or data. For example, a malicious actor may potentially use a staff directory to phish an election worker.
- Step 4: Assess Risk
  - What’s the consequence and impact of risks identified in Step 3? Not every vulnerability carries equal priority. Risks that pose a greater impact should be addressed first.
- Step 5: Implement Safeguards
  - Now that you’ve assessed potential risk, what controls can you put in place to secure sensitive data or information? (e.g., update policies and procedures, train staff, etc.)
Each step intersects with the others, and a weakness in any one can expose the rest. When considering safeguards to mitigate potential risks, it’s important to assess threats holistically across all risk domains: cybersecurity, physical security, information, and operations. Risk often doesn’t stay neatly in its lane and can spill over into other areas. For example, information posted online may motivate someone to take physical action.
Putting OPSEC Into Practice
Building OPSEC awareness doesn’t require a classified program or a sophisticated budget. It starts with culture and a few disciplined habits.
Multi-disciplinary
One of the best first steps is to convene a team with different backgrounds, which may vary across jurisdictions, depending on their size and resources. The point is to gather input to round out a holistic approach. Convene IT, legal, communications, and operations staff together to identify sensitive information and assess vulnerabilities.
Review Your Footprint
Spend a few moments reviewing everything your office publicly communicates, spanning websites, social media, procurement, press releases, training materials, equipment photos, and meeting minutes. Then, ask yourself, “What can someone piece together from this information?” As quick steps, CISA recommends avoiding photos that reveal real-time locations and encouraging staff to review their personal social media privacy settings. Small habits aggregate into large vulnerabilities.
The Exchange’s Operational Security Fast Wins for Election Offices offers five high-impact areas for local offices and small teams to consider. These could be a staff directory, email signatures, a social media post at a conference, or a visible whiteboard, none of which trigger an alarm on their own. However, when they are aggregated, malicious actors can build an attack profile against an organization or individual.
Integrate Across Plans
OPSEC reinforces your Continuity of Operations Plan (COOP), Incident Response Plan (IRP), and Disaster Recovery Plan (DRP). During tabletop exercises, include OPSEC scenarios that explore information patterns in your own preparation. Building this muscle memory before an incident is far more effective than responding in the moment.
Continuous Improvement
Operation Purple Dragon found that OPSEC improvements were often temporary because adversaries adapted and found new information sources. CISA echoes this: OPSEC practices should be reviewed and updated regularly, much like other plans. It’s equally important to ensure that training is a standing agenda item rather than a pre- or post-election event. Threats, technology, vendors, and documentation are continuously changing, and practices should continuously evolve to meet the moment.
The bottom line: operations security was born from a hard-learned lesson. Adversaries don’t always need to break in. Sometimes they just need to pursue a less complex path, one unguarded detail at a time. Election officials can find protection in the same disciplined awareness that has safeguarded national security operations for decades, a practice now adapted for securing the front lines of democracy. For a practical on-ramp, check out the Exchange’s quick-start guide, which offers quick wins that can be implemented this month.
About the Author
Mike Moser is a nationally recognized expert in election security, bringing deep practitioner experience to one of democracy’s most critical challenges. As an Election Security Consultant with the Election Security Exchange (SecuringElections.org), he supports election officials across the country with practical, practitioner-focused guidance on the threats and challenges facing modern election infrastructure. He consults with election stakeholders, government agencies, and educational institutions on cybersecurity, physical security, and the responsible use of emerging technology. Before entering the consulting world, Mike served as Director of Election Security and Technology at the Pennsylvania Department of State and as an IT Cybersecurity Specialist on the Election Security and Resilience team at CISA, where he worked directly with federal, state, and local partners on everything from incident response to tabletop exercises. He holds a B.A. in Political Science from Kutztown University of Pennsylvania and a Certified Information Security Manager (CISM) certification.