Lesson Overview
Every lesson so far has been about preventing a compromise: keeping the message secret, the pattern hidden, the location unknown, the equipment and material safe. But prevention is never perfect, and sooner or later something fails: a radio is captured, a codebook is lost, an intrusion is detected, a careless disclosure is realised, or simply the suspicion arises that the enemy knows something they should not. What the operator and the force do then, in the minutes and hours after a compromise, matters as much as all the prevention, because a compromise handled well is contained and recovered from, while the same compromise hidden or ignored goes on doing damage indefinitely. This lesson is about that response: recognising a compromise, reporting it at once, containing the damage, recovering secure communications, and learning so it does not happen again.
The governing idea is stark and worth stating plainly: a reported compromise is recoverable; a hidden one is fatal. When a compromise is known, the force can act: change the compromised callsigns, frequencies, and codes, warn those affected, and restore security on new arrangements, so that the captured material or detected intrusion becomes worthless before the enemy can fully exploit it. When a compromise is hidden, out of embarrassment, fear of blame, or a hope that it will not matter, none of that can happen: the enemy goes on reading, imitating, or locating the net with material the force does not know is compromised, and the damage runs on unchecked. So the single most important thing about a security failure is not that it happened (failures happen) but that it is brought into the open at once so it can be dealt with. The response, more than the failure, decides the outcome.
This is the knowledge layer. It teaches you how to recognise a compromise, the duty and manner of reporting it, how the damage is contained and secure communications recovered, and how the failure is learned from, so that you understand how a force survives a security failure. The actual recovery drills, the changing of indicators, the re-establishment of a secure net, are practised in person under qualified supervision and certified there. Read this to know how compromise is handled; the recovery drills are built in the doing.
By the end you will be able to recognise the signs of a compromise, report a compromise at once and correctly, explain how the damage is contained by changing what was compromised, describe the recovery of secure communications, and explain how a security failure is learned from without blame.
Key Terms
- Compromise: the loss of security of communications, equipment, material, or information to an adversary, by capture, loss, theft, disclosure, or intrusion.
- Suspected compromise: a situation where a compromise may have occurred but is not certain, treated with the same seriousness as a confirmed one until cleared.
- Indicators: the changeable elements that secure a net (callsigns, frequencies, codes, passwords, keys), which are changed to recover from a compromise.
- Containment: limiting the damage of a compromise, chiefly by changing the compromised indicators before the enemy can exploit them.
- Recovery: the re-establishment of secure communications on new, uncompromised arrangements after a compromise is contained.
- Reporting: the immediate, honest notification of a compromise so that it can be contained and recovered from; the pivot on which the whole response turns.
- No-blame reporting: the climate in which a person who reports a compromise is supported for doing the right thing rather than punished into silence (from TRG 320).
- Assume compromise: the prudent default of treating doubtful material or arrangements as compromised, because acting as if secure when you are not is the dangerous error.
- After-action review: the honest examination of how a compromise happened and how to prevent its recurrence, the learning that closes the loop.
- Damage assessment: the working-out of what exactly was compromised and what it could reveal, which guides what must be changed and warned.
Recognising a compromise
The response to a compromise can only begin when the compromise is recognised, and recognition is not always obvious, so the operator must know the signs. The clearest are the plain losses: a radio captured or missing, a signals instruction or codebook lost, key material unaccounted for. These are unmistakable compromises and are treated as such at once. Less obvious are the signs from the net itself: an intrusion detected by the authentication failures of Lesson 03 (a station that cannot authenticate, traffic that does not fit), which suggests the enemy is on or imitating the net; and the subtler signal that the enemy seems to know something they should not, an operation anticipated, a position found, a routine exploited, which can indicate that the net's security has failed somewhere even when no specific loss is known.
A crucial discipline in recognition is to take the suspected compromise as seriously as the confirmed one. Often it is not certain whether a compromise has occurred: a radio is missing but might be merely mislaid, an intrusion is suspected but not proven, the enemy's knowledge might be coincidence. The temptation is to wait for certainty before acting, hoping the compromise is not real. This is the dangerous error, because waiting for certainty means the enemy exploits a real compromise during the delay. The prudent default is to assume compromise: treat doubtful material and arrangements as compromised and act accordingly. The cost of treating a false alarm as real is some unnecessary changing of indicators; the cost of treating a real compromise as a false alarm is the continued, unchecked exploitation of the net. The operator who assumes compromise when in genuine doubt errs on the side that is recoverable.
Part of recognising a compromise is the damage assessment: working out what exactly was compromised and what it could reveal, because that guides everything after. A captured radio compromises the frequencies and settings it held and any key material in it; a lost callsign list compromises the callsigns; a detected intrusion compromises whatever the intruder could have learned. Knowing what was compromised tells the force what must be changed and who must be warned, which is the substance of containment. The operator who recognises a compromise, takes the doubtful case seriously, and assesses what was lost has done the first and enabling part of the response.
Reporting: the pivot of the whole response
Everything in the response to a compromise turns on one act: the immediate, honest report, because nothing can be contained or recovered until those who can act know that a compromise has occurred. The operator who discovers or suspects a compromise reports it at once, to the chain of command and to those who need to act, because the damage can only be limited while there is still time to change the compromised arrangements before the enemy exploits them, and every hour of delay is an hour the enemy may be exploiting the compromise. Reporting is not a step in the response; it is the pivot the whole response turns on, and a compromise unreported is a compromise unhandled.
This is exactly where the human factor most often fails, and the failure is the one the physical-security lesson named: the temptation to hide the compromise out of embarrassment, fear of blame, or hope that it will not matter. A captured radio or a careless disclosure is a real failure, and concealing it can feel safer for the individual than confessing it. But concealment is catastrophic for the net, because the hidden compromise cannot be contained, and the enemy goes on exploiting it precisely because no one with the power to change the compromised material knows it is compromised. The hidden compromise is the worst outcome in all of communications security, worse than the original failure, because it converts a recoverable problem into an open wound. So the force builds, exactly as the safety course taught, a no-blame reporting climate in which the member who reports a compromise promptly is supported for doing the right thing, because the prompt report is what saves the net, and punishing it into silence would cost far more than the compromise. The operator's duty is unambiguous: report at once, honestly, whatever the embarrassment, because the report is the only thing that makes recovery possible.
REPORTING: THE PIVOT THE WHOLE RESPONSE TURNS ON
COMPROMISE (or suspicion)
        |
        v
REPORT AT ONCE, honestly, to those who can act
        |   (every hour of delay = an hour the enemy may exploit it)
        v
CONTAINMENT and RECOVERY become possible
THE HUMAN TRAP: hiding it out of embarrassment / fear of blame.
The HIDDEN compromise is the WORST outcome of all, worse than the
failure itself: it can't be contained, so the enemy exploits it freely.
-> NO-BLAME climate: the prompt reporter is SUPPORTED, not punished.
Containment: change what was compromised
Once a compromise is reported, the damage is contained, and containment in communications security has a simple, central mechanism: change what was compromised. The elements that secure a net, the callsigns, the frequencies, the codes, the passwords, are deliberately changeable indicators precisely so that, when one is compromised, it can be replaced with a fresh one the enemy does not have, instantly rendering the compromised version worthless. A captured callsign list is contained by changing the callsigns; a compromised frequency by changing the frequency; a compromised code or key by replacing it; a compromised password by changing it. The enemy holds the old indicators, but the net has moved to new ones, and the compromise, contained, has bought the enemy nothing going forward.
The damage assessment guides the containment: what was compromised determines what must be changed, and the change is made completely and at once, because a partial or delayed change leaves a gap the enemy can still exploit. Where key material is compromised, it is replaced thoroughly; where a callsign list is taken, the whole allocation is changed, not just the one station; where an intrusion may have revealed the frequency plan, the plan is changed. And those affected are warned, so that every station moves to the new arrangements together and none is left using the compromised ones, which would both fail to escape the enemy and create the confusion of a split net. Containment is, in essence, the rapid, complete replacement of the compromised indicators across everyone who uses them, racing the enemy's exploitation, and winning that race is what limits the damage of a compromise to the brief window before the change.
This is also why the changeability was built in, and why the physical-security lesson guarded the indicators so closely: the whole design assumes that indicators may be compromised and must then be changed, which works only if there are fresh ones ready to change to and a means to promulgate the change that the compromise itself has not exposed. New indicators passed in the old code or over the old frequency are handed to the enemy along with the change, so the switch is promulgated by a channel or material the enemy does not hold. A force that has planned for compromise, with reserve indicators and a way to switch, contains a compromise quickly; one that has not is left exposed while it improvises new arrangements under pressure. Containment is therefore prepared for in advance, as part of the signals planning, so that when a compromise comes, the change is ready to make.
Recovery and learning
With the compromise contained, the net recovers: secure communications are re-established on the new, uncompromised arrangements, and normal operation resumes on a footing the enemy cannot exploit. Recovery confirms that the net is whole again on the fresh indicators, that all stations have made the change, and that the compromised material is fully out of use, so that the force is once more communicating securely. A compromise survived this way, recognised, reported, contained, and recovered from, leaves the net secure again, often with little lasting damage, which is the whole aim of the response and the proof that prevention's inevitable failures need not be disasters.
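The damage assessment, containment and recovery confirmation described above can be written down as a small model so the rules are explicit: a suspected loss is assessed exactly like a confirmed one, a compromised indicator is swapped as a whole allocation from a prepared reserve (never one station's entry), every station is warned, a station still acknowledging the old edition is flagged rather than accepted, and the net counts as recovered only when every station has acknowledged the new edition. This is an added worked example in Python, not a procedure or code from the lesson or the Royal Kaharagian Army; the net, the stations, the indicator editions, the reserve allocations and the table of what each kind of loss exposes are all constructed for the illustration.

```python
"""Damage assessment -> containment -> recovery check for a radio net.

Added worked example; not from the original lesson. The net, stations,
indicator editions, reserve allocations and the EXPOSES table below are
constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed damage-assessment table: kind of loss -> indicators it exposes.
# A captured radio holds the frequency plan and any loaded key; a lost signals
# instruction carries callsigns and frequencies; an intruder on the net may
# have heard everything in use. Suspected is not distinguished from confirmed.
EXPOSES = {
    "radio": {"frequencies", "keys"},
    "signals_instruction": {"callsigns", "frequencies"},
    "codebook": {"codes"},
    "intrusion": {"callsigns", "frequencies", "codes"},
}


@dataclass
class Report:
    kind: str           # a key of EXPOSES
    confirmed: bool     # False means suspected; handled exactly the same


@dataclass
class Allocation:
    edition: str                # label the stations acknowledge by
    values: dict[str, str]      # e.g. station -> callsign, "primary" -> kHz


@dataclass
class Net:
    stations: list[str]
    current: dict[str, Allocation]
    reserves: dict[str, list[Allocation]]
    burned: set[tuple[str, str]] = field(default_factory=set)  # (indicator, edition)
    acked: dict[str, set[str]] = field(default_factory=dict)   # indicator -> stations

    def assess(self, reports: list[Report]) -> set[str]:
        """Damage assessment: everything the reported losses could expose.
        Assume compromise: Report.confirmed is deliberately ignored."""
        return set().union(*(EXPOSES[r.kind] for r in reports)) if reports else set()

    def contain(self, compromised: set[str]) -> list[str]:
        """Swap each compromised indicator completely from reserve, burning
        the old edition. Returns the stations to warn (all of them: a net
        split between editions is itself a failure). Raises before changing
        anything if a reserve is missing: containment is prepared in advance."""
        missing = [i for i in sorted(compromised) if not self.reserves.get(i)]
        if missing:
            raise RuntimeError(f"no reserve prepared for {missing}; cannot contain")
        for ind in sorted(compromised):
            self.burned.add((ind, self.current[ind].edition))
            self.current[ind] = self.reserves[ind].pop(0)
            self.acked[ind] = set()
        return list(self.stations) if compromised else []

    def acknowledge(self, station: str, ind: str, edition: str) -> bool:
        """A station reports the edition it is now using. A burned edition is
        flagged (False), not accepted; only the current edition counts."""
        if (ind, edition) in self.burned or edition != self.current[ind].edition:
            return False
        self.acked.setdefault(ind, set()).add(station)
        return True

    def recovered(self, ind: str) -> bool:
        """Whole on this indicator only when every station has acknowledged."""
        return self.acked.get(ind, set()) == set(self.stations)


def example_net() -> Net:
    """Constructed three-station net with one reserve edition per indicator."""
    return Net(
        stations=["0", "1", "2"],
        current={
            "callsigns": Allocation("CS-1", {"0": "K3B", "1": "M7Q", "2": "P2X"}),
            "frequencies": Allocation("FP-1", {"primary": "4925", "alternate": "6733"}),
            "codes": Allocation("CB-1", {"edition": "4"}),
        },
        reserves={
            "callsigns": [Allocation("CS-2", {"0": "R8D", "1": "T1F", "2": "W5N"})],
            "frequencies": [Allocation("FP-2", {"primary": "5311", "alternate": "7140"})],
            "codes": [Allocation("CB-2", {"edition": "5"})],
        },
    )


def run_exercise() -> dict:
    """The lesson's exercise: a lost signals instruction (confirmed) plus a
    suspected intrusion, worked through assess -> contain -> recover."""
    net = example_net()
    reports = [Report("signals_instruction", True), Report("intrusion", False)]
    compromised = net.assess(reports)
    warned = net.contain(compromised)
    net.acknowledge("0", "callsigns", "CS-2")
    net.acknowledge("1", "callsigns", "CS-2")
    late = net.acknowledge("2", "callsigns", "CS-1")   # still on the burned edition
    whole_early = net.recovered("callsigns")           # not whole: station 2 lagging
    net.acknowledge("2", "callsigns", "CS-2")
    for ind in ("frequencies", "codes"):
        for s in net.stations:
            net.acknowledge(s, ind, net.current[ind].edition)
    return {"compromised": compromised, "warned": warned, "late_accepted": late,
            "whole_early": whole_early, "burned": net.burned,
            "recovered": all(net.recovered(i) for i in compromised)}


if __name__ == "__main__":
    print(run_exercise())
```

Two points the model makes visible that the prose only states: assess() returns the same set whether the intrusion is marked confirmed or suspected, and contain() refuses to act at all when a reserve is missing, which is the failure of a force that did not plan for compromise (try a "radio" report against this net, which has no reserve key, and it raises before touching anything).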
The final step closes the loop: learning. After the immediate response, the force conducts an honest after-action review of how the compromise happened and how to prevent its recurrence, exactly as the safety course taught of incidents and near misses. How was the radio captured, the material lost, the intrusion enabled, the disclosure made? What in the procedures, the discipline, or the circumstances allowed it, and what change would prevent the next one? This learning, captured honestly and without blame, is what turns a compromise from a pure loss into a source of improvement, hardening the force against the next attempt. As with safety, the near miss, the compromise that was caught and contained before it did real harm, is a free lesson, a warning of a weakness found before it cost more, and the force that learns from it grows more secure.
The whole response, then, is a sequence: recognise, report, contain, recover, learn. It rests on the willingness to bring a failure into the open, the changeability of the indicators that lets the compromised be replaced, the preparation that has fresh arrangements ready, and the honesty that learns from what happened. A force that has this sequence drilled treats a compromise not as a catastrophe but as a contingency it can handle, which is the resilient mindset the whole speciality cultivates: prevention as good as it can be, and a sound, practised response for when prevention, as it sometimes must, fails.
THE RESPONSE TO A COMPROMISE (recognise -> report -> contain -> recover -> learn)
RECOGNISE   plain loss, detected intrusion, or enemy knows too much;
            take the SUSPECTED case as seriously as the confirmed
            (ASSUME COMPROMISE in genuine doubt); assess what was lost
REPORT      at once, honestly, to those who can act (the PIVOT)
CONTAIN     CHANGE what was compromised, completely and at once:
            callsigns, frequencies, codes, passwords; warn all affected
            (works because indicators are CHANGEABLE and reserves are ready)
RECOVER     re-establish secure comms on the new arrangements; confirm
            the net is whole and the compromised material is out of use
LEARN       honest, no-blame after-action: how did it happen, how to
            prevent the next; the contained compromise is a free lesson
A REPORTED compromise is recoverable; a HIDDEN one is fatal.
In Practice: A Compromise Contained
A signals NCO of the Royal Kaharagian Army faces a real compromise on an exercise: a member returns to report, shamefaced, that he has lost a signals instruction carrying the net's callsigns and frequencies, and separately the assessors have injected signs that the adversary may be on the net. A weak NCO, or a weak climate, would see the member hide the loss and would wait for certainty about the intrusion, and the net would be exploited through both. The College's NCO runs the response this lesson teaches.
He has built the no-blame climate, so the member reports the loss at once despite his embarrassment, which is the pivot everything depends on, and the NCO treats the suspected intrusion with the same seriousness as the confirmed loss, assuming compromise rather than waiting for proof, because waiting would let a real compromise run. He makes a quick damage assessment: the lost instruction compromises the callsigns and frequencies, and the suspected intrusion compromises whatever the intruder could hear. Then he contains it by changing what was compromised, completely and at once: the whole callsign allocation and the frequency plan are switched to the reserve arrangements prepared in advance, and every station is warned to move together, so the enemy is left holding indicators that are now worthless and the net moves on out of reach. Because the change was prepared and ready, the containment is fast.
The net recovers on the new arrangements, whole and secure again, the compromised material out of use, and the brief window before the change is all the enemy ever got. Afterward the NCO holds an honest, no-blame after-action review: how was the instruction lost, what would prevent it, what allowed the suspected intrusion, and the lessons are captured to harden the net against the next attempt. The compromise, which a hidden loss and a wait-for-certainty hesitation would have turned into a disaster, is instead contained and recovered from with little lasting harm, because it was recognised, reported at once, contained by changing the indicators, recovered from on prepared arrangements, and learned from. That is surviving a security failure, and it is why the response matters as much as the prevention.
Check Your Understanding
- Explain the principle that "a reported compromise is recoverable; a hidden one is fatal," and why the response to a compromise matters as much as the prevention. What are the signs of a compromise, and why must a suspected compromise be taken as seriously as a confirmed one (the "assume compromise" default)?
- Explain why reporting is the pivot the whole response turns on, the human temptation to hide a compromise, why concealment is worse than the failure itself, and the role of the no-blame climate.
- Describe how a compromise is contained by changing the compromised indicators (callsigns, frequencies, codes, passwords), why the change must be complete and at once and those affected warned, and why containment must be prepared for in advance. Then explain recovery and the learning that closes the response.
Reflection (write a short paragraph): This lesson, like the safety course, insists that the worst response to a failure is to hide it, and that a force must build a climate where reporting a compromise is supported rather than punished. Why is it so hard, in the moment, to report a security failure you caused, and what would make it easier, both in yourself and in how your unit treats such reports? Then think about the design that makes recovery possible, that callsigns, frequencies, and codes are deliberately changeable: how does building things to be replaceable, in advance, change a compromise from a catastrophe into a contingency you can handle?
Summary
- Prevention is never perfect; compromises happen (a captured radio, a lost codebook, a detected intrusion, a careless disclosure, or the sense the enemy knows too much), and the response matters as much as the prevention. The governing principle: a reported compromise is recoverable; a hidden one is fatal.
- Recognise a compromise from plain losses, detected intrusions, or the enemy knowing what they should not, and take a suspected compromise as seriously as a confirmed one, assuming compromise in genuine doubt because waiting for certainty lets a real one run. A damage assessment of what was compromised guides the response.
- Reporting is the pivot the whole response turns on: immediate and honest, because nothing can be contained until those who can act know. The human trap is hiding the compromise out of embarrassment; the hidden compromise is the worst outcome of all, so a no-blame climate supports the prompt reporter.
- Containment is to change what was compromised: the callsigns, frequencies, codes, and passwords are deliberately changeable indicators, replaced completely and at once, with all affected warned, so the enemy is left holding worthless old indicators. It works only if reserves and a means to switch that the enemy does not hold are prepared in advance.
- Recovery re-establishes secure communications on the new arrangements, and learning (an honest, no-blame after-action review of how it happened and how to prevent recurrence) closes the loop, turning the compromise into a source of improvement. The whole sequence: recognise, report, contain, recover, learn.
- This is the knowledge layer; the recovery drills, the changing of indicators and re-establishment of a secure net, are practised in person under qualified supervision and certified there. This lesson completes the comsec response begun in the physical security of Lesson 08, applies the authentication and intrusion recognition of Lesson 03 and the no-blame reporting of TRG 320, and supports the operational security of Lesson 10.
Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia