1. OPSEC Indicators. OPSEC indicators are those friendly actions and open sources of information that adversary intelligence systems can potentially detect or obtain and then interpret to derive friendly critical information.

2. Basic OPSEC Indicator Characteristics. An indicator's characteristics are those elements of an action or piece of information that make it potentially useful to an adversary. There are five major characteristics.

1. Signature
   (1) A signature is the characteristic of an indicator that makes it identifiable or causes it to stand out. Key signature properties are uniqueness and stability. Uncommon or unique features reduce the ambiguity of an indicator and minimize the number of other indicators that must be observed to confirm a single indicator's significance.

   (2) An indicator's signature stability, implying constant or stereotyped behavior, can allow an adversary to anticipate future actions. Varying the pattern of behavior decreases the signature's stability and thus increases the ambiguity of the adversary's observations.

   (3) Procedural features are an important part of any indicator signature and may provide the greatest value to an adversary. They identify how, when, and where the indicator occurs and what part it plays in the overall scheme of operations and activities.

2. Associations
   (1) Association is the relationship of an indicator to other information or activities. It is an important key to an adversary's interpretation of ongoing activity. Intelligence analysts continuously compare their current observations with what has been seen in the past in an effort to identify possible relationships.

   (2) For example, a distinctive piece of ground-support equipment known to be used for servicing strategic bombers might be observed at a tactical fighter base. An intelligence analyst could conclude that a strategic bomber presence has been or will be established there. The analyst will then look for other indicators associated with bombers to verify that conclusion.

   (3) Another key association deals with continuity of actions, objects, or other indicators that may register as patterns to the observer or analyst. Such continuity may not be the result of planned procedures but may result instead from repetitive practices or sequencing to accomplish a goal.

   (4) If, for example, the intensive generation of aircraft sorties is always preceded by a maintenance standdown to increase aircraft readiness, detecting and observing the standdown may allow the adversary analyst or observer to predict the subsequent launch activity. Moreover, based on past patterns of the length of such standdowns, the analyst may be able to judge the scope of the sortie generation.

   (5) Another type of association that is useful to intelligence analysts is organizational patterns. Military units, for example, are often symmetrically organized. Thus, when some components are detected, others that are not readily apparent can be assumed to exist.

   (6) For example, an intelligence analyst knows that a particular army's infantry battalions are organized with three infantry companies, a headquarters company, and a weapons company. If only the headquarters company and one infantry company are currently being detected, the presence of the other known battalion components will be strongly suspected. Thus, in some situations, a pattern taken as a whole can be treated as a single indicator, simplifying the intelligence problem.

3. Profiles
   (1) Each functional activity generates its own set of more- or-less unique signatures and associations. The sum of these signatures and associations is the activity's profile. An activity's profile is usually unique. Given enough data, intelligence analysts can determine the profile of any activity. Most intelligence organizations seek to identify and record the profiles of their adversary's military activities.

   (2) The profile of an aircraft deployment, for example, may be unique to the aircraft type or mission. This profile, in turn, has several subprofiles for the functional activities needed to deploy the particular mission aircraft (e.g., fuels, avionics, munitions, communications, air traffic control, supply, personnel, and transportation).

   (3) The observation of a unique profile may sometimes be the only key that an intelligence analyst needs to determine what type of operation is occurring, thus minimizing the need to look harder for additional clues. Such unique profiles cut the time needed to make accurate intelligence estimates. As a result, profiles are the analytical tools.

4. Contrasts
   (1) Contrasts are any differences that are observed between an activity's standard profile and its most recent or current actions. Contrasts are the most reliable means of detection because they depend on differences to established profiles. They also are simpler to use because they need only to be recognized, not understood.

   (2) Deviations from normal profiles will normally attract the interest of intelligence analysts. They will want to know why there is a change and attempt to determine if the change means anything significant.

   (3) In the previous example of the distinctive bomber- associated ground support equipment at a fighter base, the intelligence observer might ask the following questions:

   (a) Have bombers been deployed at fighter bases before? At this particular fighter base? At several fighter bases simultaneously?

   (b) If there have been previous bomber deployments, were they routine or did they occur during some period of crisis?

   (c) If previous deployments have been made to this base or other fighter bases, how many bomber aircraft were deployed?

   (d) What actions occurred while the bombers were deployed at the fighter bases?

   (e) What is happening at other fighter and bomber bases? Is this an isolated incident or one of many changes to normal activity patterns?

   (4) Although the detection of a single contrast may not provide intelligence analysts with a total understanding of what is happening, it may result in increased intelligence collection efforts against an activity.

5. Exposure
   (1) Exposure refers to when and for how long an indicator is observed. The duration, repetition, and timing of an indicator's exposure can affect its relative importance and meaning. Limiting the duration and repetition of exposure reduces the amount of detail that can be observed and the associations that can be formed.

   (2) An indicator (object or action) that appears over a long period of time will be assimilated into an overall profile and assigned a meaning. An indicator that appears for a short time and does not appear again may, if it has a high interest value, persist in the adversary intelligence data base or, if there is little or no interest, fade into the background of insignificant anomalies. An indicator that appears repeatedly will be studied carefully as a contrast to normal profiles.

   (3) Because of a short exposure time, the observer or analyst may not detect key characteristics of the indicator the first time it is seen, but he can formulate questions and focus collection assets to provide answers if the indicator is observed again.

   (4) Repetition of the indicator in relationship to an operation, activity, or exercise will add it to the profile even if the purpose of the indicator is not understood by the adversary. Indicators limited to a single isolated exposure are difficult to detect and evaluate.

1. Indicators of General Military Force Capabilities
   (1) The presence of unusual type units for a given location, area, base, etc.

   (2) Friendly reactions to adversary exercises or actual hostile actions.

   (3) Actions, information, or material associating Reserve components with specific commands or units (e.g., mobilization and assignment of Reserve personnel to units).

   (4) Actions, information, or material indicating the levels of unit manning as well as the state of training and experience of personnel assigned.

   (5) Actions, information, or material revealing spare parts availability for equipment or systems.

   (6) Actions, information, or material indicating equipment or system reliability (e.g., visits of technical representatives or special repair teams).

   (7) Movement of aircraft, ships, and ground units in response to friendly sensor detections of hostile units.

   (8) Actions, information, or material revealing tactics, techniques, and procedures employed in different types of training exercises or during equipment or system operational tests and evaluations.

   (9) Stereotyped patterns in performing the organizational mission that reveal the sequence of specific actions or when they are accomplished.

2. Indicators of General C2 Capabilities
   (1) Actions, information, or material providing insight into the volume of orders and reports needed to accomplish tasks.

   (2) Actions, information, or material showing unit subordination for deployment, mission, task, etc.

   (3) Association of particular commanders with patterns of behavior under stress or in varying tactical situations.

   (4) Information revealing problems of coordination between the commander's staff elements.

   (5) In exercises or operations, indications of the period between the occurrence of a need to act or react and the action taking place, of consultations that occur with higher commands, and of the types of actions initiated.

   (6) Unusual actions with no apparent direction reflected in communications.

3. General Indicators from Communications Usage
   (1) Alert and maintenance personnel using handheld radios or testing aircraft or vehicle radios.

   (2) Establishing new communications nets. These might reveal entities that have intrinsic significance for the operation or activity being planned or executed. Without conditioning to desensitize adversaries, the sudden appearance of new communications nets could prompt them to implement additional intelligence collection to discern friendly activity more accurately.

   (3) Suddenly increasing traffic volume or, conversely, instituting radio silence when close to the time of starting an operation, exercise, or test. Without conditioning, unusual surges or periods of silence may catch adversaries' attention and, at a minimum, prompt them to focus their intelligence collection efforts.

   (4) Using static call signs for particular units or functions and unchanged or infrequently changed radio frequencies. This usage also allows adversaries to monitor friendly activity more easily and add to their intelligence data base for building an accurate appreciation of friendly activity.

   (5) Using stereotyped message characteristics that indicate particular types of activity that allow adversaries to monitor friendly activity more easily.

   (6) Requiring check-in and checkout with multiple control stations before, during, and after a mission (usually connected with air operations).

4. Sources of Possible Indicators for Equipment and System Capabilities
   (1) Unencrypted emissions during tests and exercises.

   (2) Public media, particularly technical journals.

   (3) Budget data that provide insight into the objectives and scope of a system R&D effort or the sustainability of a fielded system.

   (4) The equipment or system hardware itself.

   (5) Information on test and exercise schedules that allows adversaries to better plan the use of their intelligence collection assets.

   (6) Deployment of unique units, targets, and sensor systems to support tests associated with particular equipment or systems.

   (7) Unusual or visible security imposed on particular development efforts that highlight their significance.

   (8) Information indicating special manning for tests or assembly of personnel with special skills from manufacturers known to be working on a particular contract.

   (9) Notices to mariners and airmen that might highlight test areas.

   (10) Stereotyped use of location, procedures, and sequences of actions when preparing for and executing test activity for specific types of equipment or systems.

   (11) Use of advertisements indicating that a company has a contract on a classified system or component of a system, possesses technology of military significance, or has applied particular principles of physics and specific technologies to sensors and the guidance components of weapons.

5. Indicators of Preparations for Operations or Activities. Many indicators may reveal data during the preparatory, as compared to the execution, phase of operations or activities. Many deal with logistic activity. Examples include:
   (1) Provisioning of special supplies for participating elements.

   (2) Requisitioning unusual volumes of supply items to be filled by a particular date.

   (3) Increasing pre-positioning of ammunition, fuels, weapon stocks, and other classes of supply.

   (4) Embarking special units, installing special capabilities, and preparing unit equipment with special paint schemes.

   (5) Procuring large or unusual numbers of maps and charts for specific locations.

   (6) Making medical arrangements, mobilizing medical personnel, stockpiling pharmaceuticals and blood, and marshaling medical equipment.

   (7) Focusing friendly intelligence and reconnaissance assets against a particular area of interest.

   (8) Requisitioning or assigning increased number of linguists of a particular language or group of languages from a particular region.

   (9) Initiating and maintaining unusual liaison with foreign nations for support.

   (10) Providing increased or tailored personnel training.

   (11) Holding rehearsals to test concepts of operation.

   (12) Increasing the number of trips and conferences for senior officials and staff members.

   (13) Sending notices to airmen and mariners and making airspace reservations.

   (14) Arranging for tugs and pilots.

   (15) Requiring personnel on leave or liberty to return to their duty locations.

   (16) Having unusual off-limits restrictions.

   (17) Preparing units for combat operations through equipment checks as well as operational standdowns to achieve a required readiness level for equipment and personnel.

   (18) Making billeting and transportation arrangements for particular personnel or units.

   (19) Taking large-scale action to change mail addresses or arrange for mail forwarding.

   (20) Posting such things as supply delivery, personnel arrival, transportation, or ordnance loading schedules in a routine manner where personnel without a need-to-know will have access.

   (21) Storing boxes or equipment labeled with the name of an operation or activity or with a clear unit designation outside a controlled area.

   (22) Employing uncleared personnel to handle materiel used only in particular types of operations or activities.

   (23) Providing unique or highly visible physical security arrangements for loading or guarding special munitions or equipment.

   (24) Requesting unusual or increased meteorological, oceanographic, or ice information for a specific area.

   (25) Setting up a wide-area network (WAN) over commercial lines.

6. Sources of Indicators During the Execution Phase
   (1) Unit and equipment departures from normal bases.

   (2) Adversary radar, sonar, or visual detections of friendly units.

   (3) Friendly unit identifications through COMSEC violation, physical observation of unit symbology, etc.

   (4) Force composition and tracks or routes of advance that can be provided by emissions from units or equipment and systems that provide identifying data.

   (5) Stereotyped procedures; static and standard ways of composing, disposing, and controlling strike or defensive elements against particular threats; and predictable reactions to enemy actions.

   (6) Alert of civilians in areas of operations.

   (7) Trash and garbage dumped by units or from ships at sea that might provide unit identifying data.

   (8) Transportation of spare parts or personnel to deploying or deployed units or via commercial aircraft or ship.

   (9) Changes in oceanography high frequency facsimile transmissions.

   (10) Changes in the activity over WAN.

7. Indicators of Postengagement Residual Capabilities
   (1) Repair and maintenance facilities schedules.

   (2) Urgent calls for maintenance personnel.

   (3) Movement of supporting resources.

   (4) Medical activity.

   (5) Unusual resupply and provisioning of an activity.

   (6) Assignment of new units from other areas.

   (7) Search and rescue activity.

   (8) Personnel orders.

   (9) Discussion of repair and maintenance requirements in unsecure areas.

   (10) Termination or modification of procedures for reporting of unclassified meteorological, oceanographic, or ice information.