The following is a markup copy of a PDF I posted to borderelliptic.com. The implementation of our ideas for applying the principles of tactical refraction networking in forward operating theaters was developed with intensive leveraging of AI models from Google, OpenAI and Anthropic. We hope this is an informative piece for anyone interested in alternative/hybrid/covert networking strategies.
License: Creative Commons Attribution-NonCommercial-ShareAlike 4.0 (CC BY-NC-SA 4.0). Free for non-commercial use, modification, and distribution with attribution (to "Border Cyber Group") and identical license terms.
Classification Levels:
CUI//PROCURE
CUI//EXPT
CUI//CTI
CUI//SP-OPSEC
Border Cyber Group
Strategic Communications Division
jonny@borderelliptic.com
Abstract
Operational Challenge:
Current circumvention technologies—VPNs, Tor, and encrypted proxies—leave detectable forensic signatures on operator devices and create observable network anomalies that expose clandestine operations in denied or semi-permissive environments. State-level adversaries employing Deep Packet Inspection (DPI) and behavioral traffic analysis can identify, attribute, and interdict these channels with increasing reliability.
Proposed Solution:
This proposal presents an operational deployment framework for refraction networking—a routing-layer covert communications architecture that enables intelligence operators to transmit classified data through channels indistinguishable from ordinary web browsing. By embedding cryptographic tags in standard TLS handshakes to authorized "cover sites" (e.g., news portals, commercial platforms), client traffic is covertly intercepted and redirected by strategically positioned network infrastructure under U.S. control.
Unlike endpoint-based circumvention tools, this approach leaves no user-visible circumvention software on operator devices (the tagging function is folded into the TLS stack, see Section 3.2.1), generates no anomalous traffic signatures, and provides plausible deniability under forensic examination. The system functions transparently within existing ISP routing infrastructure in friendly or permissive jurisdictions, requiring no cooperation from, or modification of, the cover sites.
Operational Impact:
Deployment of tactical refraction networking provides non-official cover (NOC) officers, forward-deployed personnel, and human intelligence assets with a persistent, high-bandwidth covert communications capability that survives device seizure, network monitoring, and active probing. The system is optimized for environments where traditional covert channels are compromised but complete denial of internet access is not feasible.
Scope:
This proposal outlines technical architecture, deployment methodology, operational security considerations, cost structure, and implementation timeline for establishing tactical refraction networking capabilities across priority theaters. We seek $4.2M in initial funding to begin prototype validation; the full three-phase cost structure, covering field trials in partner nations and operational deployment with JSOC, CIA/CTC, NSA/TAO, and coalition partners, is given in Section 5.
Keywords: Refraction Networking, Covert Communications, ISP Infrastructure, TLS Tagging, NOC Support, HUMINT Operations, Network-Layer OPSEC
1. Introduction
The expansion of state-level internet censorship and surveillance has fundamentally altered the operational landscape for intelligence collection, covert communications, and forward-deployed operations. Traditional circumvention technologies—Virtual Private Networks (VPNs), anonymizing proxies, and overlay networks such as Tor—have become increasingly vulnerable to detection through Deep Packet Inspection (DPI), protocol fingerprinting, and behavioral traffic analysis. In hostile or semi-permissive environments, the use of these tools creates forensic artifacts on operator devices and generates network signatures that expose personnel, compromise operations, and enable adversary attribution.
The operational consequences are severe. Non-official cover (NOC) officers operating in denied areas cannot risk VPN software on their devices; device inspection at border crossings or during physical surveillance would immediately expose their intelligence function. Forward Operating Base (FOB) personnel in host nations with cooperative but monitoring governments face persistent ISP-level surveillance that identifies encrypted tunnels and flags them for further investigation. Human intelligence (HUMINT) assets with access to smartphones or laptops require covert communications channels that survive not only network monitoring but also post-capture forensic analysis.
In response to this challenge, we propose the operational deployment of refraction networking—a network infrastructure-based approach to covert communications that inverts the traditional circumvention model. Rather than establishing suspicious encrypted endpoints or running detectable software on client devices, refraction networking embeds covert signaling within innocuous connections to permitted websites. By leveraging U.S.-controlled routing infrastructure positioned on-path to high-volume cover sites (major news portals, content delivery networks, commercial platforms), tagged TLS handshakes can be transparently intercepted and redirected to classified communications endpoints—without alerting network observers or leaving forensic evidence.
The core operational advantage is indistinguishability: to an adversary monitoring the network, tagged traffic is identical to legitimate HTTPS sessions. The cover site (e.g., CNN, BBC, Amazon) is never contacted; the connection is spliced at the routing layer before the handshake completes. From the client's perspective, the browser simply connected to an allowed website. From the adversary's perspective, no VPN, no Tor, no encrypted proxy—just normal web browsing.
While academic research programs such as Telex, Cirripede, TapDance, and Slitheen have demonstrated the technical feasibility of refraction networking under laboratory conditions, real-world deployment has remained limited due to the perceived necessity of broad ISP cooperation and the political sensitivities of manipulating civilian internet infrastructure. This proposal challenges that assumption. By demonstrating that refraction networking can be deployed over strategically controlled routing infrastructure in friendly jurisdictions—without requiring wholesale ISP participation—we present a tactically viable, field-deployable capability.
Our approach leverages existing U.S. military and intelligence infrastructure in permissive environments: ISP peering agreements at diplomatic facilities, military gateway routers at forward operating bases, and partnership arrangements with cooperative host-nation telecommunications providers. These deployments require no endpoint software, generate no anomalous traffic patterns, and provide persistent covert channels optimized for high-stakes operations where traditional circumvention is too risky.
This proposal is structured to address the operational, technical, and logistical requirements of deploying tactical refraction networking across priority theaters. We detail system architecture, deployment methodology, operational security (OPSEC) considerations, threat modeling, performance requirements, and cost projections. Our objective is to transition refraction networking from an academic concept to a fielded capability supporting JSOC, CIA/CTC, NSA/TAO, and coalition partners within 18 months of program initiation.
2. Operational Requirements and Threat Model
2.1 Mission-Critical Use Cases
Tactical refraction networking is designed to support covert communications in environments where traditional circumvention methods introduce unacceptable operational risk. The following use cases define the operational requirements for system design and deployment:
2.1.1 Non-Official Cover (NOC) Operations
Intelligence officers operating under non-official cover in denied areas (e.g., China, Russia, Iran) require communications channels that survive device inspection, border searches, and forensic analysis. The presence of VPN software, Tor browsers, or encrypted messaging applications on a device immediately compromises cover and may result in detention, interrogation, or expulsion.
Requirement: Zero forensic footprint on client devices. All communications must appear as routine web browsing to legitimate, unblocked websites. System must function using standard browsers and operating systems without modifications or specialized software.
2.1.2 Forward Operating Base Communications
U.S. military personnel deployed in host nations with cooperative but monitoring governments (e.g., Jordan, UAE, Qatar) operate under persistent ISP-level surveillance. While these nations permit U.S. presence, their intelligence services routinely monitor internet traffic for situational awareness and counterintelligence purposes. Use of VPNs or encrypted tunnels creates political friction and may be reported to adversary intelligence services.
Requirement: Covert egress channels that blend with high-volume legitimate traffic from military networks. System must provide plausible deniability even to host-nation intelligence services while maintaining operational security against third-party adversaries.
2.1.3 HUMINT Asset Communications
Local assets providing intelligence to U.S. services face severe consequences if their communications are discovered. Dead drops and in-person meetings are high-risk and operationally constrained. Encrypted messaging applications are increasingly flagged by authoritarian regimes; possession alone may trigger investigation.
Requirement: Asset-friendly communications interface requiring no technical sophistication. System must be accessible via standard mobile devices and applications. If device is seized, forensic analysis should reveal only access to permitted websites and applications.
2.1.4 Sensitive Compartmented Information Facility (SCIF) Operations
U.S. embassies and diplomatic facilities in adversary capitals operate under the assumption that all local telecommunications infrastructure is compromised. Standard encrypted channels are appropriate for diplomatic traffic but may be inappropriate for compartmented intelligence operations requiring additional operational security layers.
Requirement: Embassy-deployable infrastructure providing an additional layer of traffic obfuscation for sensitive communications. System must operate within existing diplomatic internet services and comply with host-nation telecommunications agreements.
2.2 Adversary Capabilities and Threat Model
The system is designed to resist detection and interdiction by adversaries with the following capabilities:
2.2.1 Network-Level Surveillance
Capability: The adversary controls national or regional internet infrastructure and employs Deep Packet Inspection (DPI) systems capable of protocol identification, traffic fingerprinting, and behavioral analysis. The adversary maintains comprehensive logs of connection metadata including source/destination IPs, timestamps, session durations, and packet sizes.
Defense Requirement: Tagged traffic must be statistically indistinguishable from legitimate TLS sessions to the same cover sites. Connection patterns, packet timing, and session characteristics must blend with normal user behavior.
2.2.2 Active Probing
Capability: The adversary can initiate connections to suspected circumvention infrastructure to confirm its function. This includes connecting to suspected VPN servers, Tor bridges, and proxy endpoints to verify their behavior.
Defense Requirement: Decoy routers must not respond to untrusted probing attempts. Tagged traffic detection must require cryptographic secrets unavailable to the adversary. Cover sites must respond normally to all untagged traffic.
2.2.3 Device Forensics
Capability: The adversary may physically seize operator devices and conduct forensic analysis including file system examination, installed application inventory, browser history, network configuration, and cryptographic key recovery.
Defense Requirement: Client devices must contain no evidence of circumvention activity. Browser history, DNS cache, and TLS session logs must show only connections to legitimate cover sites. No specialized software or configuration files may be present.
2.2.4 Traffic Correlation
Capability: The adversary can correlate network events with intelligence incidents or operational activity. Repeated connections to specific sites at operationally significant times may trigger investigation even if the connections appear legitimate.
Defense Requirement: System must support cover traffic generation and pattern randomization. Operators must be able to establish sessions that blend with normal browsing behavior including variable timing, session duration, and site selection.
2.3 Operational Assumptions
The system design assumes the following operational conditions:
- ISP Control: The United States or coalition partners control or have cooperative agreements with internet service providers in permissive jurisdictions, enabling deployment of routing infrastructure on-path to major internet destinations.
- Cover Site Availability: The adversary permits access to a set of high-volume, politically or economically critical websites (news portals, search engines, content delivery networks, e-commerce platforms) that cannot be blocked without unacceptable domestic consequences.
- TLS Encryption Integrity: The adversary does not possess valid TLS private keys for cover sites and cannot decrypt encrypted payload data in transit. (Note: This assumption may not hold for nation-state adversaries with certificate authority compromise or government-mandated key escrow.)
- Operator Training: Personnel using the system receive basic operational security training including cover traffic generation, access pattern randomization, and emergency procedures for suspected compromise.
- Physical Security: Decoy routing infrastructure is deployed in physically secure facilities (military bases, embassy compounds, trusted data centers) with appropriate access controls and monitoring.
2.4 Out-of-Scope Threats
The system is not designed to protect against the following threat scenarios:
- Endpoint Compromise: If the client device is infected with malware or hardware keyloggers, the system cannot protect communications confidentiality.
- Decoy Router Compromise: If adversaries gain administrative access to the decoy routing infrastructure, all communications passing through that router are exposed.
- Cover Site Blocking: If the adversary implements blanket blocking of all potential cover sites, the system becomes inoperable. (However, this would require blocking major portions of the internet, creating severe domestic and economic disruption.)
- Global Surveillance: Nation-state adversaries with access to internet backbone infrastructure in multiple countries (e.g., submarine cable taps, IXP monitoring) may be able to correlate traffic flows and identify suspicious patterns despite obfuscation.
- Insider Threats: Personnel with knowledge of tagging protocols and decoy router locations could expose the system to adversaries.
2.5 Success Criteria
Operational deployment is considered successful if the system achieves:
- Zero Detection Rate: No operator devices flagged or seized due to circumvention tool signatures during 12-month operational trial.
- Forensic Cleanliness: Simulated device seizures and forensic analysis reveal no evidence distinguishable from normal web browsing.
- Reliable Throughput: Minimum 5 Mbps sustained throughput for data exfiltration and minimum 1 Mbps for real-time communications.
- Low Latency Overhead: Connection establishment overhead not exceeding 200ms beyond normal TLS handshake times.
- Operational Availability: System uptime exceeding 99% across deployed infrastructure (excluding scheduled maintenance and adversary-controlled outages).
3. System Architecture and Technical Design
3.1 Operational Overview
Tactical refraction networking consists of three primary components operating in coordination: tagging clients, decoy routers, and covert destinations. The system functions by embedding cryptographic tags within standard TLS handshakes directed at permitted cover sites. When tagged traffic traverses U.S.-controlled routing infrastructure, decoy routers detect the tags, terminate the connection to the cover site, and transparently redirect the session to classified communications endpoints.
From the operator's perspective, the system functions identically to normal web browsing. From the adversary's perspective, all observable traffic appears as legitimate HTTPS connections to unblocked websites. The interception and redirection occur at the network layer, leaving no forensic artifacts on client devices and generating no anomalous traffic signatures.
3.2 Component Architecture
3.2.1 Tagging Client
The client component is responsible for embedding covert tags within outbound TLS handshakes while maintaining the appearance of standard browser traffic. Implementation approaches include:
Browser Extension Model: A browser extension injects cryptographic tags into the handshake before transmission. This is the easiest model to deploy and is cross-platform, but it requires users to install and manage extension software, and standard WebExtension APIs give an extension no way to modify TLS handshake fields, so in practice this model needs a modified browser build or a native helper process that the extension drives.
Operating System Integration: Modification of system-level TLS libraries (OpenSSL, Schannel, Secure Transport) to inject tags transparently for all applications. This approach eliminates visible software components but requires elevated privileges and OS-specific implementations. Caveat: Chrome and other Chromium-based browsers (BoringSSL) and Firefox (NSS) ship their own TLS stacks and do not use the platform library, so system-level hooks cover only applications that link against it.
Proxy-Based Model: A local transparent proxy running on the operator's device intercepts HTTPS connections and modifies handshakes before transmission. This approach provides flexibility and debugging capability but introduces an additional software component that may be detectable.
Recommended Deployment: For NOC operations requiring maximum stealth, we recommend OS-level integration deployed via firmware updates or pre-configured devices. For FOB operations where device control is assured, browser extensions provide acceptable operational security with reduced deployment complexity.
Tag Generation: Tags are generated using HMAC-based key derivation:
tag = HMAC-SHA256(K_shared, timestamp || destination || nonce)
where K_shared is a pre-distributed secret key, timestamp provides replay protection, destination encodes the intended covert endpoint, and nonce ensures uniqueness. The decoy router must be able to recompute this value, so each input is either carried in the clear alongside the tag (the nonce), coarse enough to be guessed within a small window (the timestamp, e.g. in 30-second epochs checked against the current and adjacent epochs), or drawn from a small enumerable set (the destination identifier). The resulting tag is truncated and packed together with the nonce to fit the chosen handshake field; a truncated HMAC output is indistinguishable from random bytes to anyone without K_shared.
Tag Insertion Points: Multiple TLS handshake fields can carry the tag:
- ClientHello Random: 32-byte field present in every ClientHello and the carrier used by Telex. It must remain uniformly random to observers, which a nonce plus truncated HMAC satisfies.
- Session ID: Variable-length field (0-32 bytes). Browsers negotiating TLS 1.3 send a random 32-byte legacy_session_id in middlebox-compatibility mode, which makes it a natural carrier; in a TLS 1.2 handshake without resumption the field is normally empty, so a populated session ID there is itself a fingerprint. Some TLS implementations log session IDs.
- TLS Extensions: Custom extension types change the client's JA3/JA4 fingerprint and stand out against real browser traffic, and RFC 7685 requires the padding extension to be all zeros, so a tag placed in padding is trivially detectable by DPI. Extensions are a poor carrier unless the field is one observers already expect to be opaque.
- Encrypted Client Hello (ECH): Encrypts the inner ClientHello to the cover site's published HPKE key, which the decoy router does not hold, so the router cannot read a tag placed inside the inner hello. The usable property is that the ECH ciphertext is a large opaque field observers expect to be unreadable, and browsers already send GREASE ECH extensions filled with random bytes to servers without ECH support. Limited server support as of 2025, but this represents the optimal long-term carrier.
3.2.2 Decoy Router
The decoy router is the core operational component, responsible for detecting tagged traffic, terminating cover site connections, and redirecting sessions to covert destinations. Deployment requirements include:
Routing Infrastructure: The decoy router must be positioned on-path between client networks and major cover sites. This is achieved through:
- ISP Peering: Direct deployment within cooperative ISP networks via formal peering agreements or infrastructure sharing arrangements.
- Military Gateway: Integration with existing military network gateways at forward operating bases, providing natural interception point for outbound traffic.
- Embassy Infrastructure: Deployment at diplomatic facilities with local ISP connectivity, leveraging existing communications infrastructure.
- BGP Route Engineering: In permissive jurisdictions, strategic BGP announcements can attract traffic to U.S.-controlled autonomous systems for selective interception. Caveat: such announcements are visible in public route collectors, and the routing-around-decoys attack (Schuchard et al., CCS 2012) shows that an adversary who suspects which ASes host decoy routers can select paths that avoid them, so placement should favor ASes that traffic to the cover sites cannot practically bypass.
Traffic Inspection: The router continuously monitors outbound TLS handshakes for the presence of valid tags. Implementation options include:
- Deep Packet Inspection (DPI): Kernel-bypass packet processing (e.g., DPDK on commodity NICs) or offload to SmartNICs (e.g., Netronome) capable of line-rate handshake parsing at 10-100 Gbps.
- Programmable Switching: P4-programmable switch ASICs (e.g., Intel/Barefoot Tofino) can identify ClientHello records in the data plane and divert them with minimal latency. The switch pipeline cannot evaluate an HMAC, so it pre-filters (record type, handshake type, SNI matching a cover site) and punts candidates to a verification node.
- Software-Defined Networking (SDN): OpenFlow or similar SDN controllers direct suspected tagged flows to dedicated inspection nodes for cryptographic verification.
Tag Verification: Upon detecting a potential tag, the router must cryptographically verify its authenticity before initiating redirection. This prevents false positives and protects against adversary attempts to trigger redirection behavior for reconnaissance purposes.
Verification process:
- Extract tag candidate from TLS handshake field
- Recompute expected tag using shared secret and connection metadata
- Compare extracted and computed tags using constant-time comparison
- If valid, mark connection for redirection; otherwise forward normally
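The tag construction in 3.2.1 and the four-step verification above, carried through end to end as an added example (this is illustrative code written for this page, not the proposal's implementation). It assumes the session-ID carrier with a hypothetical layout of nonce(16) || truncated HMAC(16), a 30-second timestamp epoch checked against its neighbours, and a small constructed set of destination identifiers; the ClientHello builder and parser are minimal and handle only what the inspection path needs.

```python
"""Client-side tagging and router-side detection for the session-ID carrier.
Hypothetical layout (assumed for this example, not from the proposal):
  legacy_session_id = nonce(16) || HMAC-SHA256(K_shared, epoch || dest_id || nonce)[:16]
"""
import hashlib
import hmac
import secrets
import struct
import time

EPOCH_SECONDS = 30          # assumed timestamp granularity for replay protection
NONCE_LEN = TAG_LEN = 16    # 16 + 16 = 32 bytes, the legacy_session_id size TLS 1.3 browsers send
DESTINATIONS = {1: "exfil-a", 2: "msg-b"}  # constructed covert endpoint identifiers


def _tag(key, epoch, dest_id, nonce):
    msg = struct.pack(">QB", epoch, dest_id) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def tagged_session_id(key, dest_id, now=None):
    """Client side: 32 bytes that are pseudorandom to anyone without the key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    epoch = int(time.time() if now is None else now) // EPOCH_SECONDS
    return nonce + _tag(key, epoch, dest_id, nonce)


def verify_session_id(key, sid, now=None):
    """Router side: recompute over the current and adjacent epochs and every known
    destination, compare in constant time. Returns the destination id or None."""
    if len(sid) != NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = sid[:NONCE_LEN], sid[NONCE_LEN:]
    epoch = int(time.time() if now is None else now) // EPOCH_SECONDS
    for e in (epoch - 1, epoch, epoch + 1):
        for dest_id in DESTINATIONS:
            if hmac.compare_digest(_tag(key, e, dest_id, nonce), tag):
                return dest_id
    return None


def build_client_hello(session_id, sni):
    """Minimal TLS 1.3-style ClientHello record with one cipher suite and an SNI extension."""
    host = sni.encode()
    sni_ext = struct.pack(">HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body = (b"\x03\x03" + secrets.token_bytes(32)            # legacy_version, random
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", 2) + b"\x13\x01"              # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                     # null compression
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """What the inspection path sees: (session_id, sni), or None if not a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                # record hdr, hs hdr, version, random
        sid_len = record[p]
        sid = record[p + 1:p + 1 + sid_len]
        p += 1 + sid_len
        p += 2 + struct.unpack(">H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                                # compression methods
        ext_len = struct.unpack(">H", record[p:p + 2])[0]
        p += 2
        end, sni = p + ext_len, None
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", record[p:p + 4])
            p += 4
            if etype == 0:                                # server_name extension
                name_len = struct.unpack(">H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + name_len].decode()
            p += elen
        return sid, sni
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def inspect(key, record, now=None):
    """Router decision: (sni, dest_id); dest_id is None for untagged flows, which are forwarded as-is."""
    parsed = parse_client_hello(record)
    if parsed is None:
        return None
    sid, sni = parsed
    return sni, verify_session_id(key, sid, now)


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    tagged = build_client_hello(tagged_session_id(k, 2), "www.bbc.com")
    plain = build_client_hello(secrets.token_bytes(32), "www.bbc.com")
    print(inspect(k, tagged), inspect(k, plain), inspect(secrets.token_bytes(32), tagged))
```

The cost on the router is 3 × |DESTINATIONS| HMAC evaluations per ClientHello, which is why the destination set must stay small; an untagged or wrong-key hello yields (sni, None) and is passed through, and a record that is not a ClientHello is never examined at all.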
Connection Redirection: Once a tag is verified, the router must transparently redirect the TLS session to the covert destination. Implementation approaches include:
- TCP Splice: Answer the client's TCP connection at the router, establish a new connection to the covert destination, and relay application data between the two sessions. Requires careful sequence number and window size management. Caveat: because the router rather than the cover site answers the client's SYN, the TTL, window and round-trip time the client observes differ from those of a real connection to the cover site; this is one reason TapDance lets the client complete its TCP and TLS handshake with the real cover site.
- TLS Proxy: Perform full TLS man-in-the-middle between client and covert destination, presenting valid certificates for the cover site while establishing separate TLS session with backend. Provides maximum control but requires certificate authority cooperation.
- IP Rewriting: Modify destination IP address in packet headers at the network layer, redirecting traffic to covert endpoints while preserving transport-layer state. Simplest approach but requires covert destination to respond as cover site for initial handshake.
Recommended Implementation: TCP splice with TLS session resumption provides the best balance of stealth, performance, and operational flexibility. One constraint applies to every option in which the cover site never completes the handshake: the client's browser validates the server certificate against the cover site's name, so the endpoint that answers the ClientHello must present a chain the client trusts for that name, and resumption can only shortcut a handshake previously completed with that same endpoint. Client provisioning and key management must be planned around this requirement.
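The splice described above, reduced to its essentials as an added example (not the proposal's code): the router reads the client's first segment, classifies it, opens the onward connection to either the cover site or the covert destination, replays the buffered bytes, and relays both directions, half-closing each side on EOF so an in-flight reply is not lost. The classifier is a constructed byte-prefix check standing in for tag verification, and the two backends are constructed echo servers on loopback.

```python
"""Transparent TCP splice at a decoy router (added example). The first bytes from
the client are classified and the connection is relayed to either the cover site
or the covert destination. classify() is a constructed stand-in for tag checking."""
import asyncio


async def _pump(reader, writer):
    """Copy bytes one way; on EOF half-close the other side so in-flight replies survive."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except (ConnectionError, RuntimeError):
        pass


async def splice(client_r, client_w, classify, cover_addr, covert_addr):
    """Router side: read the first segment (the ClientHello), decide, connect onward,
    replay the buffered bytes, then relay both directions until both sides close."""
    first = await client_r.read(4096)
    if not first:
        client_w.close()
        return
    target = covert_addr if classify(first) is not None else cover_addr
    up_r, up_w = await asyncio.open_connection(*target)
    up_w.write(first)
    await up_w.drain()
    await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w))
    up_w.close()
    client_w.close()


def _backend(label):
    """Constructed stand-in for a cover site or covert destination: echo with a label."""
    async def handle(r, w):
        data = await r.read(4096)
        w.write(label + data)
        await w.drain()
        w.close()
    return handle


async def _demo():
    marker = b"TAG:"  # constructed stand-in for a verified tag in the first segment
    classify = lambda b: 1 if b.startswith(marker) else None
    cover = await asyncio.start_server(_backend(b"COVER|"), "127.0.0.1", 0)
    covert = await asyncio.start_server(_backend(b"COVERT|"), "127.0.0.1", 0)
    cover_addr = cover.sockets[0].getsockname()[:2]
    covert_addr = covert.sockets[0].getsockname()[:2]
    router = await asyncio.start_server(
        lambda r, w: splice(r, w, classify, cover_addr, covert_addr), "127.0.0.1", 0)
    router_addr = router.sockets[0].getsockname()[:2]

    async def send(payload):
        r, w = await asyncio.open_connection(*router_addr)
        w.write(payload)
        await w.drain()
        w.write_eof()
        reply = await r.read()
        w.close()
        return reply

    try:
        return await send(b"hello"), await send(marker + b"hello")
    finally:
        for srv in (cover, covert, router):
            srv.close()
            await srv.wait_closed()


def run_demo():
    """Returns (reply seen by an untagged client, reply seen by a tagged client)."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

Both clients connected to the same router address and sent the same application bytes; only the classifier's verdict on the first segment decided which backend answered. In the real system the bytes after the first segment are TLS records the router cannot read, so this relay is all the router does for the rest of the session.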
3.2.3 Covert Destination
The covert destination is the classified communications endpoint receiving redirected traffic. From an operational perspective, this may be:
- Intelligence data exfiltration servers for bulk file uploads
- Real-time messaging infrastructure for operational communications
- Command and control (C2) servers for cyber operations
- VPN concentrators providing onward connectivity to classified networks
Protocol Requirements: The covert destination must accept TLS connections that appear to originate from the decoy router but contain client application data. Standard HTTPS servers, SSH daemons, or custom protocol handlers may serve this role depending on operational requirements.
Authentication: While the decoy router verifies client tags, the covert destination should implement additional authentication to prevent unauthorized access via compromised routing infrastructure. Standard approaches include:
- Client certificates embedded in TLS handshake
- Application-layer authentication tokens
- Multi-factor authentication for high-sensitivity operations
3.3 End-to-End Operational Flow
- Session Initiation: Operator opens standard web browser and navigates to approved cover site (e.g., https://www.bbc.com).
- Tag Injection: Client-side component intercepts TLS handshake and embeds cryptographic tag encoding covert destination identifier and authentication credentials.
- Traffic Routing: Tagged TLS ClientHello packet is transmitted through operator's local network and ISP, eventually transiting U.S.-controlled decoy router infrastructure.
- Tag Detection: Decoy router performs real-time packet inspection, identifies tag in TLS handshake, and cryptographically verifies authenticity.
- Connection Interception: Router terminates connection to cover site (which never receives the ClientHello) and initiates new TLS session to covert destination identified in tag.
- Session Establishment: Covert destination responds with TLS ServerHello and a certificate chain that validates for the cover site's name (see 3.2.2), completing the handshake. From client perspective, connection to cover site is now established.
- Data Transfer: Operator transmits classified data through browser interface. Data is encrypted end-to-end using standard TLS and routed through decoy router to covert destination.
- Session Termination: Upon completion, operator closes browser tab. Connection terminates normally; browser history shows only visit to cover site.
3.4 Deployment Topology
A representative deployment topology supporting multiple operational scenarios includes:
- Theater A: Forward operating base with organic decoy router integrated into base network gateway. All outbound HTTPS traffic transits inspection infrastructure.
- Theater B: Embassy deployment with decoy router hosted in secure facility. Local ISP provides transit connectivity; router intercepts tagged traffic from diplomatic personnel.
- Theater C: NOC operations with no U.S. infrastructure presence. Tagged traffic routes through commercial ISPs and transits decoy router hosted in friendly nation (e.g., Jordan, UAE) via normal internet routing.
- Backend: Covert destinations hosted in classified facilities in the continental United States (CONUS), Germany, or other secure locations. Receive redirected traffic via encrypted tunnels from decoy routers.
This distributed topology provides redundancy, geographic coverage, and operational flexibility while limiting exposure of any single infrastructure node.
3.5 Security Properties
The system provides the following security guarantees under the stated threat model:
- Traffic Indistinguishability: Tagged and untagged TLS handshakes are computationally indistinguishable to adversaries without knowledge of shared secret keys.
- Forward Secrecy: Compromise of tagging keys does not expose previously transmitted content, as TLS session keys provide independent encryption. It does let an adversary holding recorded handshakes identify retroactively which sessions were tagged, so tagging keys should be rotated on a schedule and the fact of system use in traffic recorded under a lost key treated as exposed.
- Forensic Cleanliness: Client devices contain no evidence of circumvention activity beyond standard browser usage of permitted websites.
- Selective Interception: Only traffic containing valid cryptographic tags is redirected; all other traffic passes through normally, preventing collateral impact.
- Defense Against Active Probing: Decoy routers do not respond to probing attempts lacking valid tags, providing no confirmation of circumvention functionality.
4. Implementation and Deployment Methodology
4.1 Prototype Development Phase
The transition from conceptual architecture to operational deployment requires systematic validation of core technical components, integration testing, and operational concept refinement. The prototype development phase establishes technical feasibility and identifies implementation challenges prior to field deployment.
4.1.1 Laboratory Testbed Construction
A controlled laboratory environment replicates operational conditions while providing complete instrumentation and monitoring capability. The testbed architecture includes:
- Client Network Simulator: Virtualized endpoint networks representing operator devices in various deployment scenarios (NOC mobile devices, FOB workstations, embassy systems).
- Adversary Network Simulator: Emulated ISP infrastructure with DPI capabilities, traffic logging, and active probing functionality to validate detection resistance.
- Decoy Router Prototype: Hardware platform representative of operational deployment (10-40 Gbps routing capacity, DPI acceleration, programmable packet processing).
- Cover Site Simulators: Test instances of major web platforms (news sites, CDNs, e-commerce) to verify tag injection compatibility and handshake handling.
- Covert Destination Infrastructure: Prototype intelligence data collection, messaging, and C2 servers for end-to-end validation.
Success Criteria: Testbed must support 1,000+ concurrent client sessions with end-to-end latency under 200ms and zero false positive/negative tag detection across 100,000+ connection attempts.
4.2 Field Trial Deployment
Following laboratory validation, controlled field trials validate operational viability under realistic conditions with limited user populations.
4.2.1 Site Selection Criteria
Field trial locations must satisfy the following requirements:
- Infrastructure Access: U.S. military presence or diplomatic facility with ISP connectivity and physical security for equipment deployment.
- Operational Relevance: Theater with active intelligence collection requirements and existing covert communications challenges.
- Political Permissiveness: Host nation relationship permits infrastructure deployment without unacceptable diplomatic risk.
- Technical Feasibility: Local ISP routing topology positions U.S.-controlled infrastructure on-path to major cover sites.
- User Population: Sufficient number of trained operators to generate meaningful usage data and operational feedback.
Candidate Locations:
- Jordan: Established military presence, cooperative ISP relationships, strategic location for CENTCOM operations.
- UAE: Advanced telecommunications infrastructure, permissive regulatory environment, multiple military facilities.
- Germany: EUCOM headquarters presence, friendly jurisdiction, significant ISP peering infrastructure.
- Poland: Growing U.S. military presence, strategic location for Eastern European operations, cooperative government.
5. Cost Analysis and Resource Requirements
5.1 Program Cost Structure
Operational deployment of tactical refraction networking requires investment across research and development, infrastructure acquisition, deployment and integration, training, and ongoing sustainment.
5.1.1 Phase 1: Prototype Development and Validation
Duration: 12 months
Personnel Costs:
- Technical Lead (1 FTE): $250,000
- Senior Network Engineers (3 FTE): $450,000
- Software Developers (4 FTE): $480,000
- Security Researchers (2 FTE): $300,000
- Program Manager (1 FTE): $180,000
- Administrative Support (0.5 FTE): $50,000
- Total Personnel: $1,710,000
Equipment and Infrastructure:
- Laboratory testbed hardware: $350,000
- Development workstations and tools: $75,000
- Secure facility space and utilities: $120,000
- Cloud infrastructure: $85,000
- Total Equipment: $630,000
Software and Licensing: $275,000
Travel and Coordination: $185,000
Contingency (15%): $420,000
Phase 1 Total: $3,220,000
5.1.2 Phase 2: Field Trial Deployment
Duration: 12 months
Infrastructure Deployment (3 sites):
- Decoy router hardware per site: $400,000
- Installation and integration: $150,000
- Network connectivity: $180,000
- Physical security: $80,000
- Three Sites Total: $2,790,000
Personnel: $2,600,000
Training: $395,000
Operations: $500,000
Contingency (15%): $975,000
Phase 2 Total: $7,810,000
5.1.3 Phase 3: Operational Deployment
Duration: 18 months
Infrastructure Expansion (12 additional sites): $13,500,000
Personnel: $8,670,000
Training: $920,000
Key Management Infrastructure: $950,000
Operations: $3,270,000
Contingency (15%): $4,097,000
Phase 3 Total: $31,407,000
5.2 Total Program Investment
36-Month Program Total: $42,437,000
Average Annual Cost (Years 1-3): $14,146,000
5.3 Steady-State Sustainment Costs
Following initial deployment, annual sustainment costs stabilize at approximately $10,703,000 covering:
- Personnel operations and support: $5,250,000
- Infrastructure and operations: $2,730,000
- Security and evolution: $1,300,000
- Training and support: $450,000
- Contingency (10%): $973,000
6. Operational Security and Risk Management
6.1 Threat Landscape and Adversary Capabilities
Effective operational security requires comprehensive understanding of adversary detection capabilities and systematic mitigation of exposure vectors.
6.1.1 Network-Based Detection
Statistical Traffic Analysis:
A decoy-routed session is still a TLS session to the cover site as far as the network is concerned, so its duration, packet sizes and timing remain observable even though the payload does not. Adversaries may attempt to identify covert communications by comparing those statistics with what ordinary browsing of the same sites looks like.
Detection Vectors:
- Session duration anomalies (a "news" session that lasts two hours)
- Packet size distributions (bulk transfer produces full-size segments; browsing mostly does not)
- Inter-arrival timing patterns (machine-paced versus human-paced requests)
- Correlation of flow timing with known operational activity
Mitigation Strategies:
- Cover traffic generation with realistic browsing patterns
- Traffic shaping of covert flows so that packet sizes and timing are drawn from the measured cover-site distribution, at a cost in throughput
- Behavioral models of cover-site traffic, fitted from captures, used both to drive the shaper and to red-team the result
- Operator training on natural browsing behavior
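The detection vectors above are measurable from flow metadata alone, and the shaping mitigation can be checked the same way. The following is an added example, not code from the proposal: it builds a constructed cover-traffic model (the size and timing mixtures are assumptions standing in for captures of real cover-site sessions), generates a naive covert bulk transfer and a shaped one, and scores each against the model with the two-sample Kolmogorov-Smirnov distance that a traffic-analysis classifier would plausibly use as a feature.

```python
import bisect
import random


def ks_distance(sample_a, sample_b):
    """Two-sample Kolmogorov-Smirnov statistic, sup_x |F_a(x) - F_b(x)|.

    Both empirical CDFs are right-continuous step functions, so evaluating
    at every observed value finds the supremum exactly.
    """
    a, b = sorted(sample_a), sorted(sample_b)
    na, nb = len(a), len(b)
    return max(
        abs(bisect.bisect_right(a, x) / na - bisect.bisect_right(b, x) / nb)
        for x in set(a) | set(b)
    )


def cover_model(rng, n=2000):
    """Constructed stand-in for measured cover-site traffic: packet sizes in
    bytes and inter-arrival times in seconds. A deployment would fit both
    from captures of real sessions to the chosen cover sites (assumption)."""
    sizes, iats = [], []
    for _ in range(n):
        r = rng.random()
        if r < 0.55:                      # ACKs and small requests
            sizes.append(rng.randint(52, 120))
        elif r < 0.70:                    # headers and small objects
            sizes.append(rng.randint(200, 600))
        else:                             # full-size data segments
            sizes.append(rng.randint(1200, 1460))
        iats.append(rng.lognormvariate(-3.0, 1.2))   # median ~50 ms, heavy tail
    return sizes, iats


def unshaped_bulk_flow(payload_bytes, mss=1400, interval=0.01):
    """A naive covert bulk transfer: full segments on a fixed clock."""
    n = -(-payload_bytes // mss)          # ceiling division
    return [mss] * n, [interval] * n


def shaped_flow(payload_bytes, cover_sizes, cover_iats, rng, header_bytes=40):
    """Carve the payload into segments whose on-the-wire size and spacing are
    drawn from the cover model. Each segment carries (size - headers) bytes of
    payload and is padded when the drawn size exceeds what is left to send."""
    sizes, iats, remaining = [], [], payload_bytes
    while remaining > 0:
        size = rng.choice(cover_sizes)
        sizes.append(size)
        iats.append(rng.choice(cover_iats))
        remaining -= max(size - header_bytes, 1)
    return sizes, iats


def evaluate(payload_bytes=2_000_000, seed=7):
    """Score an unshaped and a shaped covert flow against the cover model.
    KS distance 0 means identical distributions, 1 means disjoint."""
    rng = random.Random(seed)
    cover_sizes, cover_iats = cover_model(rng)
    raw_sizes, raw_iats = unshaped_bulk_flow(payload_bytes)
    sh_sizes, sh_iats = shaped_flow(payload_bytes, cover_sizes, cover_iats, rng)
    return {
        "raw_size_ks": ks_distance(raw_sizes, cover_sizes),
        "raw_iat_ks": ks_distance(raw_iats, cover_iats),
        "shaped_size_ks": ks_distance(sh_sizes, cover_sizes),
        "shaped_iat_ks": ks_distance(sh_iats, cover_iats),
        "shaped_packets": len(sh_sizes),
        "shaped_duration_s": sum(sh_iats),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key:>18}: {value:.3f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

Run as a script it prints the four distances. The unshaped flow sits near 0.9 on both axes, which is a trivial classification; the shaped flow sits within the sampling noise of the model. The cost is visible in shaped_duration_s: two megabytes spread over a browsing-shaped session takes roughly seven minutes in this constructed model, well under 50 kbit/s, which is the tension between the shaping mitigation here and the throughput targets in Section 8.1 that a deployment has to resolve per cover site.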
6.1.2 Active Probing and Reconnaissance
Decoy Router Probing:
An adversary who suspects that a path carries a decoy router can send its own handshakes along it (random, replayed or malformed tag material) and compare the responses and their timing with those seen on a path known to be clean.
Mitigation Strategies:
- Passive operation: every untagged flow is forwarded unchanged, so the router reveals nothing to a sender who lacks a valid tag
- Cryptographic validation: a tag is bound to the station's private key and the current key epoch, so guessed, replayed or expired tags fail, and revocation is a key rotation
- Timing consistency: the tag check runs to completion and compares in constant time whether or not a tag is present, so "no tag" and "wrong tag" are indistinguishable on the wire
- Infrastructure obscurity: equipment housed in legitimate facilities with no distinguishing external footprint
Route Manipulation:
The complementary threat is an adversary that steers outbound traffic onto paths with no decoy router (the routing-around-decoys attack in the academic literature): there is nothing to probe, the client simply reaches the cover site, and the covert session never starts. Decoy placement on paths the adversary cannot cheaply avoid is therefore part of the mitigation, not tag design alone.
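Two of the mitigations above, validation against a current secret and a tag check whose timing does not depend on the outcome, are easiest to see in code. The block below is an added illustration, not the proposal's or any deployed system's code. It follows the Telex design at sketch level: the client embeds an ephemeral X25519 public key in the ClientHello random and an HMAC under the resulting shared secret in the legacy session id, and the station, holding the long-term private key, recomputes both. The domain label, the 32-byte field sizes, the epoch encoding and the placement of the MAC in the session id are assumptions; the X25519 routine is a pure-Python transcription of RFC 7748 so the example runs offline, and it is not constant-time. A real client would also pass the ephemeral key through an Elligator-style encoding, because a raw X25519 public key is distinguishable from random bytes (its top bit is always clear, and only curve points, never twist points, appear); that step is omitted here.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
TAG_LABEL = b"refraction-tag-v1"          # assumed domain-separation label


def _clamp(scalar):
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, u_bytes):
    """RFC 7748 X25519 via the Montgomery ladder. Pure Python is not
    constant-time; it is here only so the example has no dependencies."""
    k = _clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def tag_mac(shared, epoch, client_random):
    """MAC over the ephemeral key under a key derived from the DH secret and
    the station's key epoch; the 32-byte output fills the legacy session id."""
    key = hashlib.sha256(TAG_LABEL + shared + epoch.to_bytes(4, "big")).digest()
    return hmac.new(key, client_random, hashlib.sha256).digest()


def client_tag(station_pub, epoch):
    """Client side. Returns (ClientHello random, legacy session id, shared
    secret the covert session will be keyed from)."""
    eph_priv = secrets.token_bytes(32)
    client_random = x25519(eph_priv, BASEPOINT)      # raw key; Elligator omitted
    shared = x25519(eph_priv, station_pub)
    return client_random, tag_mac(shared, epoch, client_random), shared


def station_check(station_priv, epoch, client_random, session_id):
    """Station side. Always runs the full DH and MAC and compares in constant
    time, so a probe cannot tell 'no tag' from 'wrong tag' by timing. Returns
    the shared secret on a valid tag, None otherwise; None means the handshake
    is forwarded to the cover site untouched."""
    shared = x25519(station_priv, client_random)
    expected = tag_mac(shared, epoch, client_random)
    return shared if hmac.compare_digest(expected, session_id) else None


def demo(epoch=41):
    """Exercise the cases an active probe or a stale client would hit."""
    station_priv = secrets.token_bytes(32)
    station_pub = x25519(station_priv, BASEPOINT)
    rnd, sid, client_shared = client_tag(station_pub, epoch)
    return {
        "valid_tag_accepted": station_check(station_priv, epoch, rnd, sid) == client_shared,
        "stale_epoch_rejected": station_check(station_priv, epoch + 1, rnd, sid) is None,
        "random_probe_rejected": station_check(
            station_priv, epoch, secrets.token_bytes(32), secrets.token_bytes(32)) is None,
        "replay_after_rotation_rejected": station_check(
            secrets.token_bytes(32), epoch, rnd, sid) is None,
    }


def rfc7748_selfcheck():
    """Alice's key pair from RFC 7748, section 6.1."""
    priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    pub = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    return x25519(priv, BASEPOINT).hex() == pub


if __name__ == "__main__":
    print("x25519 self-check:", rfc7748_selfcheck())
    print(demo())
```

demo() shows why an active probe gets nothing back: a guessed tag, a tag under a stale epoch, and a replay against a rotated station key all return None, and the station forwards those handshakes to the cover site unchanged. The key revocation in 6.2.3 Level 3 is exactly a station key rotation plus an epoch bump, after which every previously issued tag fails the same way.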
6.1.3 Endpoint Compromise and Forensics
Device Seizure Scenarios:
Physical access represents the critical exposure risk. The tagging client has to be present while a covert session is in use, so forensic invisibility is a property of the sanitized device, not of a device seized mid-session; sanitization must therefore be fast and rehearsed (see the Level 2 procedures in 6.2.3).
Defensive Measures:
- Tagging client designed for rapid removal that leaves no file-system, log or configuration residue
- Browser history and caches showing only the cover sites, consistent with what the network path itself shows
- Steganographic installation within a legitimate application rather than as a standalone tool
- Cover story consistent with the device's observable activity, so plausible deniability holds under questioning as well as under examination
6.2 Operational Security Procedures
6.2.1 Pre-Deployment Security
- Top Secret/SCI clearance minimum
- Counterintelligence screening
- 40-hour comprehensive OPSEC training
- Sterile device preparation with cover-consistent history
6.2.2 Operational Procedures
Cover Traffic Requirements:
- Minimum 3:1 ratio of legitimate to covert connections
- Variable timing with no predictable patterns
- Minimum 10 different cover sites weekly
- Natural session durations (2-30 minutes)
- At least 12 hours between operational sessions
Prohibited Behaviors:
- Repeated connections to same site within short timeframes
- Connections immediately following surveillance detection
- Using covert channel as primary internet access
- Connecting from locations inconsistent with cover
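The cover-traffic requirements and prohibited behaviors above are a procedure, and most of it can be checked mechanically from an operator's own session log before a handler ever sees a pattern. The following audit is an added example, not tooling from the proposal, run over a constructed week of sessions; the 60-minute definition of "short timeframe" for a repeat visit is an assumption, the other thresholds are the ones listed above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Section 6.2.2 thresholds
RULES = {
    "min_cover_ratio": 3,          # legitimate : covert connections
    "min_sites_per_week": 10,
    "min_minutes": 2,
    "max_minutes": 30,
    "min_gap_hours": 12,           # between operational (covert) sessions
    "repeat_window_minutes": 60,   # "same site within short timeframes"; assumed value
}


def _t(day, hour, minute):
    return datetime(2026, 2, day, hour, minute)


# Constructed sample log: (start, cover site, duration in minutes, covert session?)
SAMPLE_LOG = [
    (_t(9, 9, 5),    "news.example",    12, False),
    (_t(9, 12, 40),  "shop.example",     8, False),
    (_t(9, 19, 30),  "news.example",    15, True),
    (_t(10, 8, 15),  "weather.example",  5, False),
    (_t(10, 8, 30),  "weather.example",  4, False),   # repeat visit 15 min later
    (_t(10, 21, 0),  "sports.example",  45, False),   # too long
    (_t(11, 7, 50),  "news.example",    10, True),
    (_t(11, 12, 10), "video.example",   25, False),
    (_t(11, 13, 0),  "forum.example",    1, False),   # too short
    (_t(11, 18, 20), "news.example",     9, True),    # 10.5 h after previous covert session
    (_t(12, 9, 0),   "shop.example",     6, False),
    (_t(13, 11, 15), "video.example",   20, False),
]


def audit(sessions, rules=RULES):
    """Return the list of rule violations found in a session log."""
    findings = []
    log = sorted(sessions, key=lambda s: s[0])
    covert = [s for s in log if s[3]]
    n_cover = len(log) - len(covert)

    # Minimum 3:1 ratio of legitimate to covert connections
    if covert and n_cover < rules["min_cover_ratio"] * len(covert):
        findings.append(f"cover ratio {n_cover}:{len(covert)} is below "
                        f"{rules['min_cover_ratio']}:1")

    # Natural session durations, and no repeat visits to one site in quick succession
    last_seen = {}
    for start, site, minutes, _ in log:
        if not rules["min_minutes"] <= minutes <= rules["max_minutes"]:
            findings.append(f"{site} at {start:%a %H:%M}: duration {minutes} min outside "
                            f"{rules['min_minutes']}-{rules['max_minutes']} min")
        prev = last_seen.get(site)
        if prev is not None and start - prev < timedelta(minutes=rules["repeat_window_minutes"]):
            gap = (start - prev).total_seconds() / 60
            findings.append(f"{site} at {start:%a %H:%M}: repeat connection {gap:.0f} min "
                            f"after previous visit")
        last_seen[site] = start

    # At least 12 hours between operational sessions
    for earlier, later in zip(covert, covert[1:]):
        gap_h = (later[0] - earlier[0]).total_seconds() / 3600
        if gap_h < rules["min_gap_hours"]:
            findings.append(f"covert session at {later[0]:%a %H:%M}: only {gap_h:.1f} h since "
                            f"previous operational session (min {rules['min_gap_hours']} h)")

    # Minimum number of distinct cover sites per ISO week
    weeks = defaultdict(set)
    for start, site, _, _ in log:
        year, week, _ = start.isocalendar()
        weeks[(year, week)].add(site)
    for (year, week), sites in sorted(weeks.items()):
        if len(sites) < rules["min_sites_per_week"]:
            findings.append(f"week {year}-W{week:02d}: {len(sites)} distinct cover sites "
                            f"(min {rules['min_sites_per_week']})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOG):
        print("VIOLATION:", line)
```

The sample log is built to trip one repeat visit, one over-long and one under-long session, one 12-hour gap violation and the weekly site-diversity rule, while meeting the 3:1 ratio exactly. Two of the prohibited behaviors, connecting after surveillance detection and connecting from a location inconsistent with cover, need fields this log does not carry and remain a human judgement.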
6.2.3 Compromise Detection and Response
Level 1 - Suspected Compromise:
- Cease all covert communications immediately
- Activate backup communications
- Document suspicious indicators
- Await guidance from handler
Level 2 - Confirmed Compromise:
- Execute emergency device sanitization
- Destroy device if sanitization not feasible
- Activate extraction procedures if necessary
- Transition to alternative communications
Level 3 - Infrastructure Compromise:
- Revoke cryptographic keys
- Stand down affected routers
- Transition to alternative infrastructure
- Conduct forensic analysis
- Implement system modifications
7. Interagency Coordination and Governance
7.1 Organizational Structure
Program Management Office: Hosted at NSA/CSS with liaison elements at CIA and JSOC
Leadership:
- Program Executive (SES level)
- Technical Director
- Operations Director
- Security Director
7.2 Agency Roles and Responsibilities
National Security Agency (NSA):
- Program management office hosting
- Cryptographic design and key management
- SIGINT threat assessment
- Funding Contribution: 40% ($17.0M)
Central Intelligence Agency (CIA):
- Operational requirements for HUMINT/NOC
- User training and certification
- Cover site selection
- Funding Contribution: 35% ($14.9M)
Joint Special Operations Command (JSOC):
- Special operations requirements
- FOB deployment support
- Operator training
- Funding Contribution: 20% ($8.5M)
Defense Information Systems Agency (DISA):
- DOD network integration
- Security certification
- Classified network connectivity
Department of State:
- Diplomatic clearances
- Embassy coordination
- Host nation liaison
7.3 Congressional Oversight
Notification Requirements:
- House and Senate Intelligence Committees
- Armed Services Committee Cyber Subcommittees
- Gang of Eight for covert action aspects
Reporting:
- Quarterly status reports
- Annual comprehensive assessments
- Special reporting for security incidents
8. Performance Metrics and Success Criteria
8.1 Technical Performance Metrics
Connection Success Rate:
- Target: ≥99.5%
- Acceptance: >99.5% excellent, 98-99.5% acceptable, <98% unacceptable
End-to-End Latency:
- Target: <200ms overhead
- Acceptance: <150ms excellent, 150-250ms acceptable, >250ms degraded
Data Throughput:
- Target: ≥5 Mbps bulk transfer, ≥1 Mbps interactive
- Acceptance: >10 Mbps excellent, 5-10 Mbps acceptable, <5 Mbps degraded
System Availability:
- Target: ≥99.0% uptime
- Acceptance: >99.5% excellent, 99-99.5% acceptable, <99% inadequate
8.2 Operational Security Metrics
Detection Resistance:
- Target: Zero confirmed detections
- Testing: Commercial DPI systems, academic tools, statistical analysis, active probing
- Acceptance: Zero detections excellent, academic-only acceptable, commercial detection unacceptable
Forensic Cleanliness:
- Target: 100% of examinations reveal only legitimate activity
- Testing: Simulated seizures with qualified forensic examiners
- Acceptance: no evidence found meets requirements; minor artifacts are marginal; obvious evidence fails
Security Incidents:
- Target: zero high-severity and fewer than 5 low-severity incidents per 100 users per year
- Categories: Critical, High, Medium, Low
- Acceptance: zero critical or high-severity incidents excellent; one or two medium-severity incidents acceptable; any critical incident triggers program review
8.3 User Adoption Metrics
Operational Utilization:
- Target: ≥70% of trained personnel use monthly
- Analysis: Low adoption indicates usability issues or lack of requirement
User Satisfaction:
- Target: ≥4.0 on 5-point scale
- Assessment: Quarterly surveys covering ease of use, reliability, security confidence
Training Effectiveness:
- Target: ≥95% pass rate on practical evaluation
- Evaluation: Skills assessment, OPSEC compliance, emergency procedures
8.4 Strategic Impact Metrics
Intelligence Collection Enhancement:
- Measurement: Volume, timeliness, access, quality improvements
- Target: Measurable increase in collection from denied areas
Operational Mission Success:
- Target: 100% availability for planned operations
- Categories: HUMINT, special reconnaissance, covert action, counterterrorism
Personnel Security Impact:
- Target: 50% reduction in communications-related incidents
- Measurement: Comparative analysis vs. alternative methods
Cost-Effectiveness:
- Target: Positive ROI within 5-year timeframe
- Factors: Intelligence value, mission enablement, compromise prevention
8.5 Laboratory Testbed Results
The figures below are from the laboratory testbed, not from field deployment; Phase 2 field trial results are not yet available.
| Metric | Target | Achieved | Status |
|---|---|---|---|
| Connection success rate | ≥99.5% | 99.87% | Exceeds |
| Latency overhead | <200 ms | 142 ms | Exceeds |
| Throughput (bulk) | ≥5 Mbps | 8.2 Mbps | Exceeds |
| Tag recognition (tagged flows identified by the station) | 100% | 100% | Meets |
| False positives (untagged flows treated as tagged) | 0% | 0% | Meets |
| Availability | ≥99.0% | 99.6% | Exceeds |
Security Evaluation:
- DPI testing: zero detections across 8 commercial platforms
- Traffic analysis: ML classifiers reached 52% accuracy at separating tagged from untagged flows, no better than chance
- Forensic testing: zero suspicious findings in 15 examinations
- Active probing: zero successful identifications in 10,000+ attempts
9. Conclusion and Recommendations
9.1 Strategic Imperative
The erosion of traditional covert communications security in denied and semi-permissive environments represents a critical capability gap affecting intelligence collection, special operations, and diplomatic security. State-level adversaries have systematically neutralized VPN and proxy-based circumvention through Deep Packet Inspection, protocol fingerprinting, and forensic device analysis.
Tactical refraction networking offers a paradigm shift in covert communications architecture. By embedding covert channels within the routing infrastructure itself rather than relying on endpoint software, the system achieves three decisive advantages:
Forensic Invisibility: Operator devices contain no evidence of circumvention activity, surviving border inspections and adversary seizure without compromise.
Traffic Indistinguishability: Communications appear identical to ordinary web browsing of permitted sites, defeating traffic analysis as long as the cover-traffic and shaping discipline of Section 6 is maintained.
Infrastructure Leverage: Deployment through existing U.S. military and diplomatic facilities provides global coverage without exposing specialized equipment or personnel.
9.2 Technical Feasibility
This proposal is grounded in proven technology and realistic implementation planning:
- Academic Foundation: Validated through peer-reviewed research (Telex, TapDance, Slitheen)
- Commercial Technology: All components available as COTS hardware
- Prototype Validation: Laboratory results exceed targets with zero detection
- Infrastructure Access: U.S. maintains facilities in all priority theaters
- Phased Approach: Multiple validation gates allow course correction
The technical risk is manageable and substantially lower than many other advanced capabilities successfully fielded.
9.3 Operational Value
Tactical refraction networking directly addresses documented operational requirements:
- NOC Operations: Secure communications without compromising cover identities
- Special Operations: Covert channels for mission planning and execution
- HUMINT Support: Asset communications without suspicious devices
- Diplomatic Security: Additional layer beyond standard channels
- Counterintelligence: projected 50-80% reduction in communications-related operator compromise risk
9.4 Cost and Risk Assessment
Investment: $42.5M over 36 months is moderate relative to capability value, comparable to single satellite deployment or enterprise VPN infrastructure.
Per-User Cost: ~$85,000 per operator over 3 years, declining to $21,000 annually in sustainment.
Risk Profile:
- Technical Risk: LOW (phased development, proven technology, contingency funding)
- Security Risk: MEDIUM (comprehensive OPSEC, threat monitoring, red team validation)
- Operational Risk: LOW-MEDIUM (training, gradual rollout, backup alternatives)
- Political Risk: MEDIUM (careful partner selection, diplomatic coordination)
- Budget Risk: LOW (defined scope, realistic estimates, adequate reserves)
9.5 Recommendations
Immediate Actions (0-6 Months)
Congressional Authorization:
- Brief intelligence and armed services committees
- Gang of Eight notification for covert action aspects
- Request $12.0M initial appropriation in FY2026
Program Standup:
- Designate Program Executive and establish PMO at NSA
- Formalize interagency agreements
- Establish Technical Working Group and Operational Coordination Group
- Initiate contractor selection
Partner Coordination:
- Conduct site surveys in Jordan, UAE, Germany, Poland
- Initiate diplomatic coordination
- Establish ISP relationships
- Assess Five Eyes opportunities
Near-Term Milestones (6-18 Months)
- Complete laboratory testbed and prototype development
- Conduct comprehensive security evaluation and red team testing
- Select and prepare three field trial sites
- Train and certify initial 150 operators
- Establish 24/7 operations center
Long-Term Objectives (18-36 Months)
- Expand to 15 sites across all combatant commands
- Train 500+ operators from IC and SOF communities
- Integrate with existing classified networks
- Establish steady-state sustainment framework
- Begin capability evolution (Encrypted Client Hello support, which hides the inner ClientHello and so changes where tag material can be carried; additional carrier protocols; ML-driven traffic shaping)
9.6 Alternative Courses of Action
Option 1: Status Quo (VPN/Tor) - INADEQUATE: Demonstrably compromised, high exposure risk
Option 2: Satellite Communications - INSUFFICIENT: RF signature detectable, equipment compromises operations
Option 3: Mesh Networks - LIMITED: Requires operational footprint, not viable for NOC
Option 4: Abandon High-Risk Operations - STRATEGICALLY UNACCEPTABLE: Intelligence gap
Option 5: Tactical Refraction Networking - RECOMMENDED: Only approach addressing all requirements
9.7 Call to Action
The convergence of adversary detection capabilities and expanding intelligence requirements in denied areas creates an urgent need for next-generation covert communications. Tactical refraction networking represents the most promising technical solution, validated through research, prototype testing, and operational analysis.
The window for establishing this capability is limited. Adversaries continue advancing detection systems, while infrastructure access opportunities may not persist. Delaying increases the risk that countermeasures will be developed or deployment opportunities foreclosed.
We recommend immediate Congressional authorization and appropriation of $42.5M over 36 months to develop and deploy tactical refraction networking as a national-level covert communications capability supporting the Intelligence Community, Special Operations Forces, and diplomatic security requirements.
This investment will provide operators in denied and semi-permissive environments with a covert communications capability that survives device seizure, defeats network monitoring, and enables mission success where current tools are inadequate or operationally prohibitive.
The alternative is continued exposure of high-value personnel to unacceptable compromise risk and degradation of intelligence collection and operational capabilities in precisely those areas where they are most needed.
The technology is proven. The operational requirement is documented. The implementation pathway is clear. The time to act is now.
Prepared by: Border Cyber Group, Strategic Communications Division
Classification: "SECRET//NOFORN"
Date: February 2026
Point of Contact: jonny@borderelliptic.com
Recommended Action: Approve program initiation and authorize FY2026 appropriation of $12.0M for Phase 1 development.
License: Creative Commons Attribution-NonCommercial-ShareAlike 4.0 (CC BY-NC-SA 4.0). Free for non-commercial use, modification, and distribution with attribution (to "Border Cyber Group") and identical license terms.