Good security isn’t just about individual behavior. Good security includes everything we’ve talked about: decision making, recruitment, and overall structure.
As we discussed, it is crucial that a firewall exist between those carrying out underground activities and those doing aboveground work. Internal firewalls should also be in place between compartmentalized portions of an underground organization.
Information should only cross these firewalls under very narrow and circumscribed conditions. Groups need clearly stated internal policies about when and what information can cross, when contact can be made, how that information may be communicated, and so on. Generally speaking, it should be tightly controlled and very intentional; the vast majority of the time an underground group should maintain “radio silence” as far as discussion of activities outside the group are concerned.
There are three main reasons that information might pass through a firewall. The first is to gather information and reports from auxiliaries outside the immediate organization. The second is to send information such as proclamations or communiqués to the media or press office. The third is for internal communication within an underground resistance network. In all cases, identifying information should be stripped away from the communication. The time, place, and nature of the communication should be done according to a group’s internal security policy. The people who bridge the gap between the aboveground and the underground group are also taking a definite risk, and should be aware of that.
The firewall also applies to other types of nonpolitical crime. Underground activists should avoid breaking other laws if only for reasons of self-preservation. This includes traffic laws. Breaking laws means risking the attention of police, adding an unnecessary risk for those working underground. Tre Arrow knows this, since while a fugitive he was arrested and imprisoned after being caught shoplifting bolt cutters. People who are underground must keep a low profile and at least look like regular, law-abiding citizens. Further, people who want to commit crimes for the sake of committing crimes are often not a good match for the underground. They may want to commit actions just for the rush, rather than for strategic or political reasons. And they often lack solidarity for others involved in such actions. (During the Green Scare many people were imprisoned because of informer Jacob Ferguson, a long-time petty criminal.)
In researching this book, we’ve encountered many examples of the inappropriate application of security culture; that is, some groups are applying draconian security culture measures where they are not appropriate or failing to apply security culture rules when they are appropriate. This confusion needs clearing up, because at best it can cause people to be hampered by unnecessary limitations, and, at worst, cause people to needlessly face charges or prison time.
It is important to understand what constitutes “security” and what does not. While I was writing this section, people contacted me with the complaint that some people in their aboveground groups wanted to institute excessive “security culture” measures. For example, a person in one group wanted to stop sending out minutes of the meetings to people who didn’t attend meetings anymore. But this sort of thing doesn’t increase security. They were still sending minutes out by email to those who attended meetings, and nothing sent by email can be considered secure. The effect was to unnecessarily exclude people, in basic contradiction of the aboveground need to maximize inclusiveness, outreach, and communication. And besides, an aboveground group should not be carrying out illegal activities that carry any serious risk of reprisal in the first place.
In contrast, some groups simply don’t follow security culture measures when they should. One activist friend told me of a time in her youth when fellow militants built a barricade on a major street at 8:00 am one Monday as a gesture of solidarity for labor strikes going on elsewhere in the state. Then they set it on fire. This was not guerilla-style “hit and run”; groups of sign-waving protesters were marching across the street. When the police arrived, a number of people were arrested and faced serious charges.
Now, as much as we all may love flaming barricades, the subsequent legal troubles for arrestees far outweighed the benefits of the action. In some ways this is an issue of tactics and strategy, which we’ll return to in the final part of this book. But it’s also an organizational issue. Militant groups often carry out attacks that cause minor damage but don’t shake the system itself. This happens often when a group is made up entirely of combatants, with the mentality common to combatants. They want to fight. They want to confront the cops, they want to confront those in power. They want to cause damage, to agitate, to shake things up. Not only are they unafraid of conflict, they seek it out. They’re often young, and long-term strategy isn’t on their minds.
These characteristics can be wonderful and admirable, and resistance movements cannot succeed without combatants who take to the front lines. But resistance movements also can’t succeed without cadres. Cadres, as the backbone of an organization, are tasked with strategic and training concerns. They want to maximize a group’s capacity and long-term success. It’s their job to think strategically, to think long-term, to ensure combatants don’t do reckless things that harm the organization.
There’s no firm dividing line between combatants and cadres, and people aren’t born into either role; they can move or change over time. But groups without a good proportion in each role are going to falter. You can’t have an army that consists only of officers, and you can’t have an army that consists only of foot soldiers.
New groups or those with high turnover often lack cadres. You can’t read a how- to book and become a cadre (although cadres do study resistance intensively). Cadres need years or decades of experience, a solid political and organizational grounding, and mentorship or other training from existing cadres. If your group lacks cadres, you should either train them yourself, or borrow or recruit them from other groups.
The way to avoid paranoia and an improperly applied security culture is to understand that different protective measures and security precautions are appropriate for different activities. If I were a knight on a medieval battlefield, I might wear a suit of armor; that would be an appropriate protective measure for that activity. On the other hand, if I were going to the swimming pool, I would wear a bathing suit; that would be appropriate protection there. Obviously it would be foolish to wear only swimming trunks to a castle siege. But it would be similarly foolish to wear a suit of armor to the swimming pool. It might make you feel more protected, but it would make swimming very difficult, if not fatal.
Underground groups protect themselves by keeping their location, identities, and activities secret. But aboveground groups lack clandestine mobility. If persecuted by the police or others, they use strength in numbers and a network of supporters to defend themselves. They use their communication and social networks to mobilize. An aboveground group that imposes needlessly restrictive “security” limitations isn’t genuinely increasing its security at all. On the contrary, it’s decreasing its security by alienating members and allies and by cutting itself off from its network of supporters.
The onus for keeping a low profile is on individual people and their chosen and trusted groups. Some people may join regular aboveground groups and push excessive security measures not suited for their group’s activities. (This is a bit like signing up for the synchronized swimming team and then showing up for practice and complaining that people don’t wear full-body chain mail.) If you need to keep a low profile, if you personally need a higher level of security restriction, then you shouldn’t be part of such a group in the first place.
When people do try to use higher security measures with aboveground groups, they often do it inconsistently. A good friend of mine, Brent, used to work in an aboveground conservation group affiliated with a larger liberal foundation. Shortly after joining the group, he was added to their email listserv. At first Brent was very confused by the discussion, because he didn’t recognize any of the people who were posting. Another person explained that the members were using false “code names” to protect themselves. When Brent inadvertently used someone’s real name on the listserv, there was a flare-up. Brent then explained why he thought the code names were silly and alienating, and four people sent out angry emails attacking him—two sent from their work email addresses, and one using a school address, thus making their real names obvious. Can I convert my biodiesel van to run on irony instead?
If you want to use a higher level of security in an aboveground group that may be fine, but you can’t just use some restrictions and ignore others. Security is only as strong as the weakest link. Trying to mix and match security measures is like wearing the top half of a suit of armor with a speedo; it’s needlessly cumbersome, it offers no real protection, and it looks damned silly.
This is not to say that aboveground groups never do illegal actions (though organizing higher-risk illegal actions over an email listserv would be stupid no matter the group). Nor does it mean that aboveground groups have to let just anyone join up and start planning. But it is important to recognize that the purpose of security culture isn’t to make people “safe” (since working against those in power never is), it’s to make people more effective. People can’t be very effective if they’re in jail or caught up in the courts. But they also can’t be effective aboveground if they shackle themselves with pointless “security” measures.
As M. R. D. Foot noted about resistance in occupied Europe: “in an excellent phrase of one of [British intelligence’s] SOE’s men in Stamboul, ‘Caution axiomatic, but over-caution results in nothing done.’ Those who bothered incessantly about security survived, but few of them had much beyond survival to their credit. To strike and then to survive was the real test.”5
There’s no question that the firewall is crucial. Many successful resistance movements, including the French Resistance, used it. Other resistance movements did not, much to their detriment. But there are fuzzy zones. It’s great to say that groups should avoid excessive security. But some aboveground groups do exist in an awkward middle ground; maybe they want to push the legal limit with their tactics. This makes basic security culture all the more important. Information about illegal actions needs to be limited to those directly involved. And those in power will often prosecute trivial crimes in order to attack people they couldn’t get otherwise. (How many mob bosses were convicted for tax evasion or mail fraud?)
In other cases, people may be working aboveground but hope to go underground. Those people should consider keeping a low profile, especially as far as electronic means are concerned. Data mining and profiling can allow those in power to identify people who have radical sympathies or interests. Keeping a low profile means not leaving a “paper trail” (or, in the case of online records, a digital trail) which would make someone seem suspicious or of interest.
Security is often organized at four different levels: individual, relational, operational, and organizational.
At the individual level, members of a resistance group are responsible for following good security practices. This includes the general precepts of security culture discussed above. Individual security is a group’s first line of defense. Underground resisters generally stay inconspicuous. All resisters need training for specific dangerous situations, like arrest.
Relational security refers to the way in which members of a group relate to each other and people outside the group. Relational security measures maximize the benefits of collaboration and minimize the risk (especially by limiting the effects of someone else’s individual security breach, which for some will mean hiding if a close ally is arrested). Good security culture, again, is important here. So are maintaining firewalls, either within or around an organization, and using secure communication.
Operational security measures are used during specific operations, missions, or tasks. These might include good reconnaissance and rehearsals before an operation, lookouts and tight communications during an operation, training in escape and evasion, and preplanned escape routes or safehouses for after an operation.
Organizational security measures are the highest level of security. A group’s organizational security measures are reflected in its general organization structure, record keeping, recruitment practices, and so on. At an organizational level, a group (or its leadership) is responsible for determining the standards and group norms for security practices at all levels. Organizational security includes enforcement, perhaps carried out by security cadres within the organization. Such units are also responsible for identifying and suppressing collaborators or informers in the organization, and for counterintelligence measures like disinformation.
These measures apply not just to members of the group, but also to ex-members. When people leave a group, they must know what is expected of them. The essential rules of security culture apply even after a person has left a group. Members of resistance movements do not discuss illegal or underground activities except with the people in their group. If they leave the group, then they simply may not discuss group activities with anyone. Members of a disbanded underground group must refrain from chatting about past actions. People are either in an underground group or they are not. There is no middle ground. Discussing the “good old days” with former comrades has sent many people to prison during the Green Scare.
Resistance movements organize themselves into groups based on their political means, and they organize those groups into networks that make them as effective as possible. Those groups make decisions well, they know how to recruit new members, and they can maintain their own security. That’s no small task, but the next is bigger. The point of organizing is to fight, and fight to win. And to do that, they need real strategy.