Sean Penn, El Chapo, and a Tale of Operational Security
For the third time, the wily Mexican drug kingpin Joaquín Guzmán Loera has been apprehended by government authorities. The story bears all the hallmarks of any good cybersecurity thriller: evasion, deception, espionage, hamartia.
Investigators began tracking the infamous narcotics tycoon, also known as El Chapo (or “Shorty”), after his daring escape from a maximum-security federal prison last year. His accomplices had burrowed for a mile to a spot underneath his cell’s shower, allowing him to flee underground on a rail-guided motorcycle. The drug trafficker had made another legendary escape more than a decade prior, carted out of a holding facility while hiding inside a laundry basket. (Yes, a laundry basket.)
Following the latest improbable breakout, law enforcement agents appear to have monitored the cartel boss’ communications with Mexican actress and El Chapo sympathizer Kate del Castillo. The Mexican news outlet Milenio recently published the contents of intercepted BlackBerry Messenger chats between the two here. (Take a gander at a translated version on CNN.) Aside from the obviously piquant thrill that accompanies peeking into the private lives of the celebrity pair, one must wonder: How did this breach bring about El Chapo’s third and most recent downfall?
Del Castillo isn’t the only star implicated in the fugitive’s arrest either. After the actor-activist Sean Penn’s riveting, if fawning, Rolling Stone feature hit newsstands, people speculated that his operational security procedures might be to blame for the cocaine chief’s re-capture. Cybersecurity experts questioned Penn’s protocols, calling some of his magazine descriptions “incomprehensible…gibberish,” as Kashmir Hill at Fusion reported. (Penn self-identified in his story’s first paragraph as “the single most technologically illiterate man left standing,” so there’s that.) In the end, Penn declared that his “article has failed”; but more importantly, did his attempts at operational security fail, too?
For those with the time, I recommend sifting through theories and analyses contained in the comments section of this post by the computer security blogger Bruce Schneier. In any case, it’s unlikely that all of the hunt’s details will fully surface. If the reports are to be believed, then Penn and del Castillo’s visit to the drug lord’s mountain hideout provided necessary intel to pinpoint the suspect’s location. That incident didn’t immediately lead to his arrest; however, a few months later, after an initially unsuccessful raid, Mexican marines finally nabbed him.
All this goes to show just how utterly important it is for people in precarious situations to practice excellence in operational security. (El Chapo’s case is exceptional, of course.) After all, Mexico’s most wanted man’s own son reportedly leaked his location earlier through a careless photo upload.
The best tactics are easier spoken than obeyed: Don’t reveal information. Compartmentalize. Avoid letting the details of your personal life bleed into your professional one. Opsec, as the pros call it, too often is a losing game. It only takes one slip-up—one tragic flaw—to give oneself up.