Section I

OPSEC and information security

OPSEC (Operations Security) is the process that prevents the enemy from deriving useful information from friendly actions and communications. It is not generic secrecy: it is a specific discipline that identifies 'critical indicators', assesses how they can be intercepted, and applies proportionate countermeasures. On the Ukrainian front, OPSEC failure is the documented cause of a substantial number of avoidable losses.

Five steps of the OPSEC process

  1. Identify critical information (location, intent, capabilities, vulnerabilities)
  2. Analyse threats (who wants the information and with what means)
  3. Analyse vulnerabilities (where the information leaks — social, radio, habits)
  4. Assess risk (probability × impact)
  5. Apply countermeasures (encryption, deception, habit control, training)

Critical indicators for international volunteers

  • Phone GPS — disable it and treat the phone as a tracker even when off
  • Photos published with intact EXIF — strip before any publication
  • Faces in published photos — cover or do not publish
  • Proper names, ranks, units in the clear — never on open channels
  • Pattern of life (call-home hours, resupply hours) — vary them
  • Identification of the host unit in civilian conversations
  • Recognisable kit in photos (unit patches, vehicles with numbers, optics)
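
One way to apply the "strip before any publication" step to a JPEG, as an added example that is not part of the original text. It removes the APP1 (Exif/XMP), APP13 (IPTC) and COM segments and reports whether the Exif block carried a GPS pointer. The function names and the sample bytes are assumptions constructed for illustration.

```python
import struct
# Segments removed in this example: APP1 (Exif/XMP), APP13 (IPTC), COM (comment).
DROP = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}

def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 Exif payload's IFD0 holds the GPS IFD pointer (tag 0x8825)."""
    tiff = payload[6:]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if not payload.startswith(b"Exif\x00\x00") or order is None or len(tiff) < 8:
        return False
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    # Each IFD entry is 12 bytes; its first 2 bytes are the tag id.
    tags = (tiff[ifd0 + 2 + 12 * i: ifd0 + 4 + 12 * i] for i in range(count))
    return any(t == struct.pack(order + "H", 0x8825) for t in tags)

def strip_jpeg_metadata(data: bytes):
    """Return (cleaned_bytes, removed) with metadata segments dropped."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(data[:2]), [], 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"truncated or corrupt segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if end < pos + 4 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == 0xDA:                  # SOS: the rest is image data, copy verbatim
            return bytes(out + data[pos:]), removed
        if marker in DROP:
            gps = marker == 0xE1 and exif_has_gps(data[pos + 4:end])
            removed.append(DROP[marker] + ("+GPS" if gps else ""))
        else:
            out += data[pos:end]
        pos = end

def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JPEG-structured bytes (not a viewable image) whose Exif has a GPS pointer.
_TIFF = b"MM\x00\x2a\x00\x00\x00\x08\x00\x01" + struct.pack(">HHII", 0x8825, 4, 1, 26) + bytes(4)
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + _TIFF) + _seg(0xFE, b"constructed comment")
          + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

This covers JPEG metadata segments only. Faces, patches and backgrounds in the pixels, and other file types such as PNG, HEIC or video, are outside what it checks.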

Social media

FOUNDATIONAL RULE

No social media during deployment, in any form. No 'private' stories on closed accounts (they leak). No 'my base' photos. No 'I'm in Poland now' check-ins. No family messages with operational detail. The rule accepts zero exceptions because every exception is the one the enemy finds.

Communicating with home

  • Use encrypted apps (Signal) — no WhatsApp/Telegram for sensitive content
  • Never declare position, unit, future missions
  • Never send photos with a recognisable background
  • Never share patrol in/out timings
  • Treat every message as potentially read by third parties
  • Limit communications to fixed windows, not on demand

Common mistakes

  • Publishing 'home safe' right after a mission (signals the mission ended)
  • Showing unit patches in private photos to family
  • Involuntarily geolocating via posted weather ('raining here')
  • Keeping the phone on in the operational area
  • Trusting encryption as the only protection layer (metadata and direction finding (DF) remain)
  • Underestimating the OSINT dossiers the enemy builds on known volunteers

Lessons learned: Ukraine

Russian services maintain OSINT dossiers on identified international volunteers: real name, country of origin, family at home, historical social profiles, pre-deployment photos. The family at home is the target that is actually accessible. OPSEC protection is not for the volunteer in theatre — it is for the relatives who do not know they are targets. Telling them so is part of the discipline.