Chapter 1

Physical-Security Challenges

Physical security is defined as that part of security concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard against espionage, sabotage, damage, and theft. As such, all military operations face new and complex physical-security challenges across the full spectrum of operations. Challenges relative to physical security include the control of populations, information dominance, multinational and interagency connectivity, antiterrorism, and the use of physical-security assets as a versatile force multiplier.


1-1. Reductions in manpower and funding are critical challenges to physical security. Manpower for supporting physical-security activities is reduced through deployments and cutbacks. The rapid evolution of physical-security-equipment technology also lends to physical-security challenges, which are exponentially multiplied by the introduction of the information age.

1-2. Physical-security challenges must be understood, and measures must be taken to minimize them to enhance force protection. Leaders must create order when coming upon a situation; and when they depart, some semblance of that order must remain. They must be aware of the human-dimension factors and ensure that their soldiers do not become complacent. It was human error rather than modern technology that took lives in the bombings of the African embassy. Warning was given, but not heeded. Complacency became a physical-security challenge.

Automated Information Systems

1-3. Success on past battlefields has resulted not so much from technological advances, but from innovative ways of considering and combining available and new technologies as they apply to war fighting. Some of these technologies dealt with disseminating and processing information. For example, the telegraph, the telephone, the radio, and now the computer have redefined the fire-support paradigm.

1-4. As the armed forces move into the technological age, a greater need for physical-security measures is required. The risks associated with automated information systems (AISs) are widespread because computers are used for everything. Army Regulation (AR) 380-19 outlines the requirements that commanders and managers need for processing unclassified and classified information and for securing media, software, hardware, and different systems.

1-5. The threat to AISs and information systems security (ISS) involves deliberate, overt, and covert acts. This includes the physical threat to tangible property, such as the theft or destruction of computer hardware. Also included is the threat of electronic, electromagnetic-pulse, radio-frequency (RF), or computer-based attacks on the information or communications components that control or make up critical Army command and control (C 2 ) infrastructures. In most cases, the threat's target is the information itself rather than the system that transmits it. The threat comes from a range of sources, including the following:

  • Unauthorized users (such as hackers) are the main source of today's attacks, primarily against computer-based systems. The threat they pose to AIS networks and mainframe computers is growing.
  • Insiders are those individuals with legitimate access to an AIS. They pose the most difficult threat to defend against. Whether recruited or self-motivated, the AIS insider has access to systems normally protected by ISS against an attack.
  • Terrorists once had to operate in the immediate vicinity of a target to gain access to or collect intelligence on that target. The proximity to the target risked exposure and detection. Today, a terrorist can accomplish most target selection, intelligence collection, and preoperational planning by gaining access through a computer network. He can increase his probability of success by using computer systems to reduce his "time on target." Terrorist access to an AIS also increases the threat of critical-data destruction or manipulation. Although his presence would be virtual, the potential for damage to Army C 2 systems could be equal to or greater than that achieved by physical intrusion, especially when used as a force multiplier in conjunction with a traditional terrorist attack. Therefore, while traditional preventive measures are still needed to protect unwanted access to information, the information age has added additional concerns for the commander and new opportunities for those with hostile intent.
  • Non-state- and state-sponsored groups provide additional challenges. In many cases, it is difficult to confirm state sponsorship of threat activity against an AIS, no matter how apparent the affiliation might seem. Activists of all persuasions are increasingly taking advantage of information-age technology. Neither AISs nor ISS are immune from an adversary's interest in exploiting US military information systems or disrupting communication infrastructures. The availability of low-cost technology and the proliferation of an AIS increase the risk to the Army by potential adversaries.
  • Foreign-intelligence services (FIS), both civil and military, are continually active and are another source of contention concerning information systems. In peacetime, they are increasingly targeted against US commercial and scientific interests, rather than military information. With little effort, this peacetime intrusiveness could easily be refocused on AISs and ISS using a wide range of information operations tactics.
  • Political and religious groups are other potential adversaries to AISs and ISS. The world's political climate is diverse and complicated. It embraces traditional mainstream political values, as well as radical religious fundamentalism and political extremism. When political or religious viewpoints also incorporate anti-US sentiment, US information infrastructures (including AISs) are increasingly at risk of penetration or exploitation by these potential adversaries.

1-6. When considering an AIS, physical security is more than just safeguarding the equipment. It includes the following elements:

  • Software is marked for each system and secured when not in use.
  • Initial logon is password-protected (at a minimum).
  • Passwords are a minimum of eight characters, using a mixture of letters and numerals.
  • Access to an AIS is allowed only to authorized and cleared personnel (per AR 380-19).

1-7. Classified material is entered and transmitted only on approved devices with the following considerations:

  • Approved classified devices are operated in a secured environment.
  • Classified devices are secured in appropriate containers when not in use.
  • Secure telephone unit-III (STU-III) keys are secured in an appropriate safe when not in use (as outlined in AR 380-19).

1-8. Additional information regarding AISs can be found in ARs 380-5 and 380-19. Required training of personnel working with an AIS is located in AR 380-19.


1-9. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities. The threat is identified using the factors of mission, enemy, terrain, troops, time available, and civilian considerations (METT-TC). The threat defines the physical-security challenges. Implementing physical-security measures supports OPSEC. Providing soundproof rooms for conducting briefings is a simple but invaluable measure.

1-10. Another issue to consider when evaluating physical-security challenges is what actions to take in case of political implications interfering with physical-security measures. In the devastating event at Khobar Towers, a warning was given but not everyone received it. It took too long to evacuate the building after the warning was issued because a cohesive plan was not in place.

1-11. Commanders can minimize the challenges to physical security through proactive measures. They should periodically change the physical-security posture of their area of responsibility to throw off perpetrators.

Join the mailing list