
COMMS and LOGISTICS
SECURE COMPUTER NETWORKS
OPS DOMAINS, SECURITY ASSURANCE LEVELS, CRITERIA FOR HARDWARE SELECTION AND INFRASTRUCTURE

[Cover diagram, not to scale: CONFIDENTIAL tier: space (MANET & ISR) and ionosphere (MANET & SATCOM); RESTRICTED tier: HF NVIS IP data link and ops center; RESTRICTED and SECRET: basement (LMR voice & IP data) and SCIF.]

MAY 2023

INTRODUCTION

Any successfully organized force needs reliable and secure methods of communication, intelligence collection, intelligence processing, and strict OPSEC. Today, computers and radio technologies are riddled with privacy and security vulnerabilities that are exploited by state and non-state actors. Thus, team leaders, along with every member of your group, need to understand and operate with extreme discipline with regard to OPSEC. In addition, groups need to adapt the communications technologies and computers they have to mitigate known and unknown (zero-day) vulnerabilities with a certain degree of assurance. This post focuses on certain levels of security assurance standards (the resistance of an operating domain to state and non-state actors' COMINT, ELINT, & HUMINT) for communications networks and computers. In other words, we need to make sure the technologies and techniques we use for operations are hardened against attacks and do not inadvertently leak sensitive operational information. We hope this post sparks lots of ideas with regard to this very important topic.
OPERATIONAL DOMAINS
Operational domains are domains that include
information (all media types: CDs, flash storage, pictures,
documents, etc.), communications (OSI layer 2 and 3
networks, radios, COMSEC [crypto, frequencies]),
computers (their operating systems, software [OSI layer
4-7], & configuration), any other electronic technologies,
and persons. Domains pertain to the sensitivity of the
operation. Each domain you may have requires a specific
amount of security. The security measures that are
instated should coincide with the sensitivity of the
particular operation. Not all operations require the same
amount of attention with regard to security. However,
having a standardized criterion and ruleset (classification
levels) that dictates when and which technologies and
procedures are used to handle sensitive information is
critically important to maintaining OPSEC. Implementing
the information in this post takes a considerable amount
of planning, research, and discipline. Be prepared to work
and learn a lot more about the technologies you use.
NOTE: Domains can and should be referenced by their assurance level
(classification).


ASSURANCE LEVELS

FOR OFFICIAL USE ONLY (FOUO)

DOMAIN/USAGE: Professional work, official education (college, schooling), and personal communications.

RESTRICTIONS: Avoid unnecessary social media communications, disable radios when not in use, use open source applications (particularly password managers) when possible, consider disabling biometrics, and use longer alphanumeric passwords.

IMPLEMENTATION: Ideally meant for daily-use tasks. Does not necessarily need to thwart corporate-level surveillance. Generally, FOUO is convenience driven, with a focus on deterring IP region tracking, browser JS tracking, man-in-the-middle attacks, and password brute-force/dictionary attacks, i.e. standard “cyber-conscious” ideals. Proprietary software is acceptable; however, open-source alternatives with a strong emphasis on privacy are preferred. Utilize automatic lockout and reboot if available. Tag FOUO devices with green tape or markings if desirable.

EXAMPLES:
• iPhone (iOS, latest) with Signal, ProtonMail, Bitwarden, LinkedIn, Brave Browser, Mullvad VPN or IVPN
• Unsecure analog or digital skywave and groundwave radio is acceptable, though more secure alternatives should always be considered
• Windows 10/11 Home and Pro, Librewolf, Mullvad VPN, Bitwarden, Thunderbird email client

NOTE: It is acceptable to adopt stronger security measures from higher classified assurance levels, such as from CONF to FOUO. However, be sure to maintain a defined line between the assurance levels by file system, hardware, and network compartmentalization.


CONFIDENTIAL LOW ASSURANCE (CONF-LA)

DOMAIN/USAGE: Personal, group, or company-level project/product development and communications.

RESTRICTIONS: Avoid social media and services with remote server hosting (servers you do not control); cellular radio usage is strongly discouraged; use open source applications (particularly password managers) and operating systems; only use longer alphanumeric passwords; no Bluetooth (BT); use persistent airplane mode to try to deactivate cellular and BT modems.

IMPLEMENTATION: Most usage should be found in a CONF-LA domain. FOUO can be accessible to CONF-rated devices and systems. Strong emphasis on self-hosted, peer-to-peer communications, filesharing, and offline media. Generally, all CONF-rated infrastructure should work without a connection to the Internet, but it should be able to utilize the Internet if available or desirable. Encrypted containers and multi-factor decryption and authentication are recommended. Full disk encryption with LUKS or VeraCrypt is strongly advised. Proprietary software is allowed for development, i.e. SOLIDWORKS, Altium Designer, Microsoft Office LTSC, VS Code, ARM Keil.

EXAMPLES:
• Android devices with a “degoogled” operating system
• RC-40/DES-OFB/AES-256 encrypted radio: DMR, P25, AREDN, BGAN, VSAT, Winlink with Paranoia text crypto
• Windows 10 LTSC (with disabled telemetry), Linux Mint
• Librewolf browser, VPS hosted email server and VPN, KeePass, Session messenger, BeeBEEP LAN messenger, ZeroTier LAN bridge, Syncthing filesharing, self-hosted Mumble VOIP and RustDesk remote desktop software, aggressive firewalls on hosts and infrastructure.


CONFIDENTIAL HIGH ASSURANCE (CONF-HA)

DOMAIN/USAGE: Personal, group, or company-level project/product development and communications, future CONF infrastructure development, and low-risk pre-shared key (PSK) generation.

RESTRICTIONS: Inherit all restrictions from CONF-LA while adding: disconnect from any internet connectivity medium (ethernet, fiber, wireless) when not in use; use a partially compartmentalized work structure, filesystem, and devices between CONF-LA and other CONF-HA devices; remove wireless capabilities from hardware where feasible (excluding highly integrated devices); avoid Windows OS when possible. Embedded cellular capability is strongly discouraged.

IMPLEMENTATION: Similar implementation to CONF-LA. However, CONF-HA should have a stronger emphasis on using self-hosted/administered computer systems and communication infrastructure. All CONF-HA rated infrastructure should work without a connection to the internet, but it should be able to utilize the internet if available or desirable. CONF-HA infrastructure should adhere to EMCON TTPs. RF emitters should be easily disconnected and/or powered off by an admin.

EXAMPLES:
• Currently supported Google Pixels with GrapheneOS
• AES-256 encrypted waveforms: P25 (IP & voice); BGAN, VSAT, HF 2G ALE for PACTOR-III or PACTOR-IV (IP data)
• Linux Mint, Debian, Arch, OpenBSD, FreeBSD
• Librewolf browser, remote self-hosted VPN service, KeePassXC (KeePassDX for Android)
• WireGuard full tunnel between clients, BeeBEEP LAN messenger, ZeroTier LAN bridge, Syncthing filesharing, self-hosted Mumble VOIP and RustDesk.


RESTRICTED (RESTR)

DOMAIN/USAGE: Medium to highly sensitive group or company level development, communications, operations, and surveillance; pre-shared key (PSK) generation; infrastructure organization.

RESTRICTIONS: RESTR domains do not and will never connect to any other devices which touch external networks (air-gap); this includes any lower classification level. RESTR computer systems have all wireless capabilities removed. Thus, hardware selection is significantly more strict, as many integrated devices today do not have the capability of being RESTR. RESTR is ideally a “data diode,” where data is only ever ingested. RESTR devices/workstations should only ever be accessed in RESTR-certified environments, free from any non-RESTR cameras, microphones, devices, and any technology that could capture RESTR classified information. The only wireless capability in this network is highly vetted standalone systems that utilize OSI Layer 2 (data link) cryptography with at least AES-256 PSK encryption.

IMPLEMENTATION: Computers and networking HW have no embedded wireless radios. Use wired networking media (ethernet, fiber, voice-powered telephone) as much as possible. Designated RF emitters shall operate as little as possible. PSKs shall be rotated at least every two weeks. Flash media used for data ingestion should be zeroized before being disconnected from RESTR. RESTR allows for nearly unrestricted application usage, including proprietary development software. All development and mission data should be stored in encrypted containers secured with a Cryptographic Ignition Key (CIK, hardware).

EXAMPLES:
• AES-256 encrypted radio: P25, HF 2G ALE with PACTOR IV
• Windows 10 LTSC w/ VeraCrypt boot, Linux Mint w/ LUKS
• KeePassXC, BeeBEEP LAN messenger, ZeroTier LAN bridge, Syncthing filesharing, self-hosted Mumble VOIP and RustDesk (P2P mode) remote desktop software.
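One way to keep the two-week PSK rotation rule above auditable, as an added example that is not from the original post: a small POSIX shell helper that reads a key inventory and lists every key that has reached the rotation interval. The inventory layout (key id, install time in UNIX epoch seconds, link name, one line per link), the sample entries and the function names are all assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Audits a PSK inventory
# against the "rotate at least every two weeks" rule.
# Inventory format (assumed for this example), one key per line:
#   <key_id> <installed_epoch_seconds> <link_name>
# Lines starting with '#' and blank lines are ignored.

ROTATION_DAYS=14   # "at least every two weeks"

# Print "key_id link age_days" for each key whose age in whole days has
# reached max_days (default ROTATION_DAYS), evaluated at the epoch time $2.
# Taking "now" as a parameter keeps the check deterministic and testable;
# a live run passes $(date +%s).
due_keys() {
    inventory=$1
    now=$2
    max_days=${3:-$ROTATION_DAYS}
    awk -v now="$now" -v max="$max_days" '
        /^[[:space:]]*#/ || NF < 3 { next }      # skip comments and blank lines
        $2 !~ /^[0-9]+$/ { print "bad line " NR > "/dev/stderr"; next }
        {
            age = int((now - $2) / 86400)
            if (age >= max) print $1, $3, age
        }
    ' "$inventory"
}

# Number of keys due for rotation.
due_count() {
    due_keys "$@" | wc -l | tr -d ' \t'
}

# Writes a constructed sample inventory to $1 (illustrative data only).
write_sample_inventory() {
    cat > "$1" <<'EOF'
# key_id        installed(epoch)  link
psk-hf-01       1699740800        HF-ALE
psk-p25-01      1698790400        P25
psk-p25-02      1698272000        P25-backup
EOF
}

# Stand-alone use: ./psk_audit.sh inventory.txt  (reports against the clock)
if [ "${0##*/}" = "psk_audit.sh" ]; then
    if [ "$(due_count "$1" "$(date +%s)")" -eq 0 ]; then
        echo "all PSKs within ${ROTATION_DAYS} days"
    else
        echo "PSKs due for rotation (key link age_days):"
        due_keys "$1" "$(date +%s)"
        exit 1
    fi
fi
```

The inventory itself contains only key identifiers and install dates, never key material, so it can live on the admin workstation; the non-zero exit status lets the audit run from a periodic job on the air-gapped network and flag overdue links on the console.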


SECRET (SCRT)

DOMAIN/USAGE: High risk: development for projects, operations, and intelligence products.

RESTRICTIONS: All work should be done in an electromagnetically hardened environment with adequate RF shielding, sound insulation, physical isolation, and anti-tamper protection (SCIF). Only physical-medium 802.3/IP connectivity (coaxial, ethernet) between local computers (if any). The existence of SCRT classified systems, facilities, and TTPs is never to be disclosed to any persons outside of SCRT cleared personnel. Data ingestion storage media is to be destroyed after use by zeroization, microwave, crushing, and fire.

IMPLEMENTATION: SCRT domains are “no chance” domains. Thus, every measure must be taken to hide, deter, scatter, and destroy SCRT classified systems and information in the event of unauthorized access. All data must be able to be destroyed within three minutes. Leave ALL foreign electronics FAR away from the facility. Use noisemakers or ultrasonic jammers to prevent microphone usage. Verify all ventilation is blocked with pillows, towels, and blankets, and attempt to prevent noise from leaving the facility by using blankets to block gaps in door jambs and windows (if any). Use indoor or whisper voices if possible. Attempt to build a properly grounded Faraday cage around the wall perimeter of the room with copper mesh. Fully analog/no-electronics operation is highly encouraged if a Faraday enclosure is not possible or feasible. All protocols MUST be followed AT ALL TIMES to ensure security assurance.

EXAMPLES:
• Paper and pen, typewriter
• Very obsolete computer systems (80s tech) such as Commodore 64/128, IBM PC, Apple Macintosh II
• Room with no windows, lots of towels and blankets everywhere
• Low-tech microwave and sledgehammer.


FURTHER IMPLEMENTATION

Creating, maintaining, and proliferating electronics and software that need to combat certain information technology, intelligence collection, and electronic warfare threats is no easy task. Plan out everything. Take your time to research tools, procedures, and techniques. Start small and slowly build up your infrastructure at a lower classification level. Then, when the need arises for a more serious security posture, build out a higher assurance level network. It is very important to think critically and ahead when developing your network. You MUST get into the mind of the enemy. Think about all the ways they can attack you, your networks, and any other cleared personnel.

Serious focus needs to be applied to data ingress and egress from air-gapped CONF-HA and especially RESTR networks. A computer that is never updated, never connected to any networked device, and strictly dedicated to zeroing media is suitable for use whenever media is going to be connected to a lower classified domain or unclassified computer system. This is designed to mitigate egress from a higher classified domain.

NOTE: This zeroing technique needs more development.
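The dedicated zeroing station described above, and the RESTR rule that ingestion media is zeroized before it is disconnected, as an added example that is not from the original post: a POSIX shell routine for an offline machine that overwrites a piece of removable media with zeros in place and then independently verifies, by reading the whole target back, that no non-zero byte survives before the media may be carried to a lower domain. It assumes a Linux/BSD userland with dd, head, tr and wc (and blockdev(8) for real block devices); the device names in the comments and the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): sanitization routine for a
# dedicated, never-networked zeroing station. Overwrites a removable block
# device (or a disk image file) with zeros IN PLACE, then verifies the result
# by reading the whole target back. Only media that passes verification
# should leave the higher-classified domain.
# Assumptions: POSIX sh plus dd, head -c, tr, wc (GNU/BSD/BusyBox), and
# blockdev(8) for real block devices. Device names are illustrative.

# Size in bytes of a block device or regular file.
media_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' \t'
    fi
}

# Refuse to touch a device that is currently mounted (Linux /proc/mounts).
is_mounted() {
    [ -r /proc/mounts ] && grep -qs "^$1 " /proc/mounts
}

# Count of bytes that are not 0x00; a sanitized target reports 0.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' \t'
}

# Overwrite the whole target with zeros. Exactly media_size bytes of zeros
# are piped into dd with conv=notrunc, so a regular file is rewritten in
# place rather than truncated (truncation would free the old blocks without
# overwriting them) and a block device is covered end to end.
zeroize() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "zeroize: $target does not exist" >&2; return 2
    fi
    if is_mounted "$target"; then
        echo "zeroize: $target is mounted; unmount first" >&2; return 2
    fi
    size=$(media_size "$target")
    head -c "$size" /dev/zero | dd of="$target" bs=4096 conv=notrunc 2>/dev/null || return 1
    sync
}

# Independent check after the write: every byte read back must be zero.
verify_zeroized() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Stand-alone use on the zeroing station:
#   ./zeroize.sh /dev/sdX     (illustrative device name)
if [ "${0##*/}" = "zeroize.sh" ]; then
    if zeroize "$1" && verify_zeroized "$1"; then
        echo "$1: zeroized and verified, $(media_size "$1") bytes"
    else
        echo "$1: NOT sanitized, do not release" >&2
        exit 1
    fi
fi
```

The read-back verification is the part worth keeping whatever overwrite tool is used: it proves the host saw zeros, which is the most a host-side routine can prove. Flash media with wear levelling may hold stale copies of old data in blocks the host can no longer address, which is one reason the post's note that the technique needs more development is justified; for SCRT the post pairs zeroization with physical destruction rather than relying on overwrite alone.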


REMARKS

The information in this post should be the bare minimum for implementing security assurance domains. You, as a leader in your group, need to take charge in establishing a baseline understanding of OPSEC with strong consideration towards unknown/hypothetical attack vectors of state and non-state actors. The electronics you bring with you can and will be used against you to leverage a tactical/strategic advantage. This means you and your group need to be responsible in upkeeping and adhering to procedure, and constantly looking for ways to bring more of your own infrastructure under your absolute control by exploring alternative technologies. Every member needs to be conscious of the very real threat of the adversary’s SIGINT and electronic attack capabilities.

Development of RESTR and higher classified networks should be secretive and should not be discussed with non-cleared personnel. When working around RESTR devices, make sure that other unclassified or lower-classified systems cannot see RESTR hardware and screens. This can easily be done by taping over cameras with electrical tape. Unclassified and lower classified devices with embedded microphones should be removed from RESTR operating areas, especially indoors. Consider removing all embedded cameras and microphones on any air-gapped domain hardware.
