DORADUS LABS
Cybersecurity and Intelligence Analysis
Know Your Status
The Cardinal Rule of Tradecraft, and Why Information From a Compromised Source Is Itself Compromised
A follow-up to The Six Second Threat: Why the Question Is Never About the Time
The first article in this series ended on a quiet but important point borrowed from the human intelligence profession. A cardinal rule of HUMINT is that an officer must always know their status, meaning whether they are themselves under surveillance, because information drawn from a compromised contact is itself compromised. That single sentence carries more weight than it first appears, and it deserves an article of its own, because it is the hinge on which trustworthy intelligence turns. If you do not know whether you are being watched, you cannot know whether anything you learn is real, and you cannot know whether anyone who trusts you is safe.
The discipline built around this rule is among the most demanding in the profession, and the consequences of getting it wrong are not abstract. David Rolph, the former CIA officer who ran the Cold War agent Adolf Tolkachev, described confirming surveillance status as the single most critical thing a case officer does before meeting a source, and his rule was unambiguous: if the status is that you are covered, you abort. This article examines what that rule means, how professionals satisfy it, what happens when it fails, how the digital age has made it harder, and what it teaches any organization that needs to trust its own information.
As with the earlier articles, this is awareness content assembled from public sources. The aim is to translate a hard-won intelligence principle into something useful for defenders.
1. The Rule and Its Logic
The rule rests on a chain of dependence. An intelligence officer meets a source to obtain information. If the officer is under hostile surveillance during that meeting, three things happen at once, and each is worse than the last. First, the source is exposed, because the watchers now know who the officer is talking to. Second, the information is exposed, because the adversary learns what was sought and what was passed. Third, and most insidious, the channel itself is now suspect, because once an adversary controls or observes a connection, everything that flows through it afterward must be treated as potentially fabricated. The Soufan Center has described this as a cascading effect: information obtained from a compromised relationship is itself compromised, with consequences that spread if the compromise goes undetected.
This is why a professional speaks of getting to a meeting clean. Clean does not mean careful. It means confirmed. It means the officer has actively established, through deliberate technique, that no hostile surveillance is present, rather than simply hoping that is the case. The distinction matters because a compromised channel does not merely leak. It can be turned. An adversary who controls a connection can feed it false information, double a source against their handler, and use the trusted pipe to deliver deception that looks exactly like genuine intelligence. The poison is not only that you might lose the secret. It is that you might be fed a lie and act on it with full confidence. A channel you cannot trust is worse than no channel at all, because it produces conclusions that feel earned and are in fact manufactured.
2. How Professionals Confirm Status
Knowing your status is a learned skill, not an instinct, and the profession has built a precise vocabulary and method around it. The foundation is surveillance detection, the practice of determining whether you are being watched without revealing that you are checking.
The TEDD Framework
United States government training uses the acronym TEDD, which stands for time, environment, distance, and demeanor. The logic is that a single sighting of a stranger means nothing, but a person seen repeatedly across time, in different environments, and over distance, or a person who displays poor surveillance demeanor, can reasonably be assumed to be conducting surveillance. Demeanor is the most telling element and the hardest for a watcher to control, because good surveillance demeanor runs counter to human nature and requires extensive training. The lurker who has no natural reason to be where they are, who mirrors your pace, or who reacts to your movements is exhibiting the demeanor that betrays the role.
The Surveillance Detection Route
The signature tool is the surveillance detection route, or SDR. An SDR is a carefully designed path that appears entirely natural to any observer while quietly forcing surveillance to expose itself. It uses turns at natural corners that create reasons to look back, stops that allow a reflective surface to be checked without turning the head, changes of pace, and channels, which are constrained points such as bridges, tunnels, or transit platforms that funnel any follower into view. The route always tends toward the eventual destination while crossing and enveloping the direct path, so that the officer arrives on time, clean, and without ever alerting the watchers that a check was underway.
A deeper secret of the craft, described by analysts at Stratfor and others, is that surveillance can be manipulated into revealing itself. A mobile target is far harder to follow than a stationary one, and a well built route places the burden on the watchers, forcing them to react to sudden movements and choose between losing the target or showing their hand. The same principle explains why professional surveillance is conducted by teams rather than individuals. A former MI6 officer has described a typical covert team as roughly fourteen operators supported by several camera equipped vehicles, a van with high resolution optics, and motorbikes, precisely so that no single face has to stay with the target long enough to be caught by TEDD. The countermeasure and the threat are two sides of the same knowledge.
It is worth noting the professional caution that detection should rest on correlation rather than feeling alone. A trained observer treats a single coincidence as a coincidence, looks for the repetition that TEDD describes, and confirms a hostile presence through geometry and pattern before acting on it. The instinct that something is wrong is the prompt to start checking, not the conclusion.
3. The Cautionary Tale: When the Channel Was Lost
The most sobering modern illustration of the cardinal rule is not a foot surveillance failure but a digital one, and it shows how completely a single compromised channel can cascade. Beginning around 2009 and continuing through 2013, the United States intelligence community suffered what reporting has called one of its worst failures in decades, centered on an internet based system the CIA used to communicate covertly with sources abroad.
According to reporting by Zach Dorfman and Jenna McLaughlin for Yahoo News, and by Foreign Policy and others, the system had been designed for a relatively permissive war zone environment and was then migrated into countries with sophisticated counterintelligence services, where it was never built to survive. In Iran, a mole reportedly exposed an initial site, and from there investigators were able to use ordinary internet search techniques to discover the interconnected family of websites that the covert system relied on. Iran is reported to have shared its methodology with China. The result was catastrophic. New York Times reporting described a large number of CIA sources in China going dark between 2010 and 2012, and later accounts indicated that more than two dozen sources died in China and that dozens more were identified in Iran. A subsequent Reuters investigation, examined in technical detail by the Citizen Lab, traced one captured asset's communications to a covert site and concluded that the flawed system contributed to his capture and years of imprisonment.
The mechanism of the cascade is the part most relevant to defenders. When the FBI and NSA later ran a penetration test against the architecture, examining it the way an adversary would, they reportedly discovered that the interim system connected back, by design, to the main covert communications platform, and that the barrier meant to separate the two had a gap wide enough to expose the whole. One compromised node did not stay contained. It became a thread that unraveled a network built over years. A warning had existed: a contractor named John Reidy had raised the alarm about exactly this class of failure as early as 2008, through a whistleblower process that met resistance while the compromise spread.
It would be a mistake to read this only as failure, because the professional response is part of the lesson and reflects the seriousness with which the institution treats the rule. In 2013, hundreds of CIA officers worked without pause to dismantle and reconfigure the compromised system and to move endangered sources to safety, a triage effort that one official described as all that mattered at the time. The agency then undertook a deep institutional reckoning with the underlying problem, which leads directly to the next point. The rule had been violated because status had been lost without anyone knowing it, and the organization rebuilt its doctrine around making sure that could not happen again.
4. Knowing Your Status in the Digital Age
The reason status is harder to confirm today than in Tolkachev's era is that the watchers no longer need to be in the street. They can be passive, automated, and permanent. The intelligence community calls this ubiquitous technical surveillance, and it refers to the web of closed circuit cameras, mobile phones, payment systems, application data, wireless networks, and license plate readers that together produce a continuous record of where people are and what they do. Artificial intelligence ties these streams together, scanning for a specific face or device across an entire city in real time, finding the patterns and anomalies that a human could never sift by hand.
The institutional response shows how seriously this is taken. As reported by the Washington Post, the CIA created the role of chief of tradecraft and a working group devoted to ubiquitous technical surveillance, recognizing that the threat was no longer just cameras but every technology that generates data, and that the data it generates lives permanently. A 2025 inspector general review and a 2026 assessment described the danger to operations and to sources in the starkest terms, with officials across the FBI and CIA characterizing it as existential, and a defense technologist summarizing the core problem in three words: data persists forever. The old discipline of running a route to flush out a tail still matters, but it is no longer sufficient, because the most dangerous surveillance leaves no one to spot. The check now has to extend to the digital exhaust a person sheds without noticing, and that exhaust does not fade.
5. The Cyber Translation
Every element of the cardinal rule maps directly onto modern cybersecurity, which is why this principle belongs in a defender's vocabulary and not only an officer's. The intelligence world arrived, through hard experience, at the same conclusions that now define sound security architecture.
- Know your status becomes continuous monitoring and threat hunting. You cannot defend a network whose compromise state you do not know. The modern posture of assuming breach is simply the institutional version of an officer confirming whether they are clean before acting, rather than assuming the best.
- A compromised contact compromises the information becomes the integrity problem. Logs, alerts, and data drawn from a system the adversary may control cannot be trusted, because that system can be made to lie. Decisions of consequence must be confirmed through a separate, trusted channel, the digital equivalent of refusing to rely on a single suspect line of communication.
- The barrier with a gap in it becomes the segmentation lesson. The interim system that connected back to the main platform through a flawed separation is the same failure as a flat network that lets an attacker move laterally from one foothold to everything. Segmentation, least privilege, and containment exist to ensure that one compromised node stays one compromised node.
- The surveillance detection route becomes deception technology. Canaries, honeytokens, and decoy systems are designed to make an intruder reveal their presence the moment they touch something they should not, forcing the watcher to tip their hand exactly as a route forces a tail into view.
- If you are covered, abort becomes the discipline to stop. If you suspect a channel or system is compromised, you do not push sensitive operations through it and hope. You assume the adversary is watching, you contain, and you verify before you proceed.
- Ubiquitous technical surveillance becomes operational security and digital footprint management. The data an organization and its people shed in public, through profiles, metadata, and exposed services, is the reconnaissance that makes an attack precise. Minimizing it is the corporate form of maintaining good demeanor.
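The integrity point above (logs drawn from a system the adversary may control can be made to lie, so consequential decisions need a separate trusted channel) can be made concrete. The following is an added example written for this article, not Doradus Labs code or any product's implementation. It keeps an audit log as a hash chain, where each record commits to the one before it, and copies the chain head to an "anchor" assumed to live on a separate host the log server cannot write to. The events, the hostnames and the anchor store are constructed for illustration. The demo shows the three things a compromised logging host can try: edit a record, delete a record, or rewrite the whole chain consistently. The first two break the chain internally; the third passes every internal check and is caught only by the out-of-band anchor, which is the whole reason the anchor exists.

```python
"""Hash-chained audit log verified against an out-of-band anchor.

Added example (not Doradus Labs code).  Each record stores the hash of the
previous record, so altering, deleting or reordering any entry invalidates
every hash after it.  The chain head is copied to a separate trusted store
(the "anchor"); a log host can rewrite its own file but not the anchor.
"""
from __future__ import annotations

import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed convention for the hash the chain starts from


def record_hash(prev_hash: str, entry: dict) -> str:
    """Hash of (previous hash || canonical JSON of the entry)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain: list, entry: dict) -> str:
    """Append an entry and return the new chain head (to be anchored off-host)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = record_hash(prev, entry)
    chain.append({"entry": entry, "prev": prev, "hash": digest})
    return digest


def verify(chain: list, anchor: str | None = None):
    """Recompute every link; return (ok, index_of_first_bad_record).

    With anchor=None only internal consistency is checked.  With an anchor,
    the recomputed head must also equal the value held outside the log host;
    a chain that is internally consistent but ends elsewhere was truncated
    or rewritten wholesale, which is the case internal checks cannot see.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or record_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


def demo() -> dict:
    """Build a short log, anchor its head, then try three tampering moves."""
    # Constructed sample events, not real telemetry.
    events = [
        {"ts": "2025-01-10T08:00:01Z", "user": "alice", "action": "login", "src": "10.0.1.5"},
        {"ts": "2025-01-10T08:02:17Z", "user": "alice", "action": "read", "obj": "payroll.xlsx"},
        {"ts": "2025-01-10T08:03:40Z", "user": "alice", "action": "logout"},
    ]
    chain: list = []
    anchor = GENESIS
    for e in events:
        anchor = append(chain, e)  # the last head is what we copy off-host

    results = {"clean": verify(chain, anchor)}

    # 1. Edit a record in place to hide what was read: hash no longer matches.
    edited = copy.deepcopy(chain)
    edited[1]["entry"]["obj"] = "cafeteria_menu.txt"
    results["edited"] = verify(edited, anchor)

    # 2. Delete the incriminating record: the next record's prev no longer links.
    deleted = copy.deepcopy(chain)
    del deleted[1]
    results["deleted"] = verify(deleted, anchor)

    # 3. Rewrite the whole chain consistently (adversary recomputes all hashes).
    #    Internal verification passes; only the anchor reveals the substitution.
    forged_events = copy.deepcopy(events)
    forged_events[1]["obj"] = "cafeteria_menu.txt"
    rewritten: list = []
    for e in forged_events:
        append(rewritten, e)
    results["rewritten_internal"] = verify(rewritten)
    results["rewritten_anchored"] = verify(rewritten, anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} ok={outcome[0]} first_bad={outcome[1]}")
```

The design choice worth noting is that the anchor does the work the chain alone cannot: a hash chain on a single host only detects tampering by someone who cannot recompute hashes, and an adversary with host control can. Publishing the head somewhere the log host has no write access to (a separate collector, a signed timestamp, a write-once store) is the digital form of the separate, trusted channel the bullet describes.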
6. Practical Guidance for Defenders
The rule converts into a short list of habits that apply to any high consequence environment, from a casino floor to a water utility to a corporate network.
For Individuals
- Build a baseline and watch for correlation. Know the normal pattern of your environment so that the repetition TEDD describes stands out. Treat the first coincidence as a prompt to pay attention, not as proof.
- Verify out of band. When a request or a piece of information carries real consequence, confirm it through an independent channel rather than trusting the one it arrived on.
- Manage your digital exhaust. Assume that what you post, where you check in, and what your devices broadcast becomes part of a permanent record that someone may one day correlate.
For Organizations
- Assume breach and hunt. Operate as though an adversary may already be present. Continuous monitoring and active threat hunting are how an organization knows its status rather than guessing it.
- Segment and contain. Design networks so that a single compromise cannot cascade. The blast radius of one bad node should be small and known in advance.
- Protect data integrity. Treat the trustworthiness of logs and telemetry as a first order concern, since an adversary who can alter what you see can steer what you do.
- Deploy deception. Use canaries and decoys so that intrusion announces itself early, turning the attacker's own movement into your detection.
- Rehearse the abort and the triage. Have a plan to disconnect, contain, and verify when compromise is suspected, and practice it. The CIA's 2013 response worked as well as it did because people acted decisively under pressure.
- Reduce your attack surface in public. Conduct open source reconnaissance against yourself, see what an adversary would find, and shrink it.
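The guidance above on building a baseline and watching for correlation, on hunting rather than guessing, and on deploying deception can be turned into detection logic. The following is an added example written for this article, not Doradus Labs code or any vendor's rule set, and it goes slightly beyond the text by applying the TEDD idea to a constructed set of authentication log lines. A source address is flagged only when it recurs across several time windows (time), several network segments (environment) and several distinct hosts (distance), so a single coincidence stays a coincidence. A decoy account stands in for the deception element: any touch of it is alerted on its own, because nothing legitimate has a reason to be there. The log format, the IP addresses, the segment names and the honeytoken account name are all constructed assumptions.

```python
"""Correlation before conclusion: a TEDD-style detector over auth logs.

Added example (not Doradus Labs code).  One sighting is a coincidence;
repetition across time, environment and distance is the signal.  A decoy
account supplies the 'demeanor' signal: there is no natural reason to be
there, so a single touch is enough.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<window>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z"
    r" src=(?P<src>\S+) dst=(?P<dst>\S+) seg=(?P<seg>\S+)"
    r" user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed decoy account; a real deployment would plant several.
HONEYTOKEN_USERS = {"svc_legacy_backup"}

# Constructed sample log (TEST-NET source addresses, private destinations).
SAMPLE_LOG = """\
2025-03-02T01:12:05Z src=203.0.113.7 dst=10.0.1.20 seg=dmz user=admin result=FAIL
2025-03-02T01:15:41Z src=198.51.100.4 dst=10.0.1.20 seg=dmz user=jsmith result=FAIL
2025-03-02T01:16:02Z src=198.51.100.4 dst=10.0.1.20 seg=dmz user=jsmith result=OK
2025-03-02T01:40:11Z src=198.51.100.9 dst=10.0.1.21 seg=dmz user=root result=FAIL
2025-03-02T01:40:12Z src=198.51.100.9 dst=10.0.1.21 seg=dmz user=root result=FAIL
2025-03-02T01:40:13Z src=198.51.100.9 dst=10.0.1.21 seg=dmz user=root result=FAIL
2025-03-02T02:03:55Z src=203.0.113.7 dst=10.0.2.5 seg=corp user=admin result=FAIL
2025-03-02T03:27:19Z src=203.0.113.7 dst=10.0.2.9 seg=corp user=backup result=FAIL
2025-03-02T04:08:33Z src=203.0.113.7 dst=10.0.3.3 seg=ot user=operator result=FAIL
2025-03-02T04:30:00Z src=192.0.2.77 dst=10.0.2.40 seg=corp user=svc_legacy_backup result=OK
"""


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict; 'window' is the hourly bucket."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tedd_correlate(records, min_windows=3, min_segments=2, min_hosts=3):
    """Flag sources whose failed logins recur across time, environment and distance.

    A burst of failures on one host in one window is deliberately NOT flagged
    here; that is a rate-based detection, a different rule.  This rule answers
    the TEDD question: is the same face showing up again and again, in
    different places, over a spread of targets?
    """
    seen = defaultdict(lambda: {"windows": set(), "segs": set(), "hosts": set()})
    for r in records:
        if r["result"] != "FAIL":
            continue
        s = seen[r["src"]]
        s["windows"].add(r["window"])
        s["segs"].add(r["seg"])
        s["hosts"].add(r["dst"])
    alerts = []
    for src, s in sorted(seen.items()):
        if (len(s["windows"]) >= min_windows
                and len(s["segs"]) >= min_segments
                and len(s["hosts"]) >= min_hosts):
            alerts.append({"kind": "tedd_correlation", "src": src,
                           "windows": len(s["windows"]),
                           "segments": sorted(s["segs"]),
                           "hosts": len(s["hosts"])})
    return alerts


def honeytoken_hits(records, tokens=HONEYTOKEN_USERS):
    """Any use of a decoy account, successful or not, is an alert by itself."""
    return [{"kind": "honeytoken", "src": r["src"], "user": r["user"], "dst": r["dst"]}
            for r in records if r["user"] in tokens]


def analyze(lines):
    """Run both detections; honeytoken hits first since they need no correlation."""
    records = [r for r in map(parse_line, lines) if r]
    return honeytoken_hits(records) + tedd_correlate(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the detector raises two alerts: the honeytoken touch by 192.0.2.77, and the source 203.0.113.7 that reappears in four hourly windows across the dmz, corp and ot segments against four hosts. The single failure from 198.51.100.4 (a user who then logs in successfully) and the three-second burst from 198.51.100.9 against one host are not flagged by this rule, which is the point: the first is the coincidence the article says to treat as a prompt, and the second belongs to a different, rate-based check.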
7. The Professional's Perspective
The cardinal rule endures because the people who live by it understand that the stakes are measured in lives, and the discipline it demands is a mark of professionalism rather than paranoia. The same institutions that suffered the communications compromise responded by confronting the problem directly, creating new tradecraft leadership, standing up dedicated working groups, and rebuilding doctrine for a world in which data is permanent and surveillance is automated. That willingness to learn from a hard failure and to rearchitect around it is precisely what a serious security culture looks like, and it is the reason the American intelligence community remains formidable against adversaries who would prefer it stand still.
For defenders, the lesson closes the loop that this series has traced from the start. A stranger's question gathers a fact. A conversation with a purpose draws out more. And underneath both sits the deeper discipline of never trusting what you learn until you know whether the channel that delivered it is clean. Doradus Labs works at the meeting point of physical, human, and digital security because that is where the cardinal rule actually applies today. Knowing your status is not a single check at the door. It is a continuous posture, and it is the precondition for trusting anything you think you know.
Sources and Further Reading
The following publicly available sources informed this analysis. Inclusion does not imply endorsement of any source. Several accounts of the covert communications compromise rely on investigative reporting sourced to current and former officials and should be read as such.
- Surveillance Spy Skills: Top Tips from the CIA, MI6 and More (Rolph, SDRs, team composition). SPYSCAPE. <https://spyscape.com/article/surveillance-spy-skills-top-tips-from-the-cia-mi6-and-more>
- Detecting Hostile Surveillance (TEDD framework). TorchStone Global. <https://www.torchstoneglobal.com/detecting-hostile-surveillance/>
- Watching for Watchers: The Warning Signs of Terrorist Behavior (TEDD, demeanor). Police1. <https://www.police1.com/police-products/radios/surveillance/articles/watching-for-watchers-the-warning-signs-of-terrorist-behavior-rjMqS51cOdfdoKX9/>
- Surveillance Detection Route (SDR) (route design and channels). TRDCRFT. <https://trdcrft.com/surveillance-detection-route-sdr/>
- The Secrets of Countersurveillance (forcing surveillance to tip its hand). Stratfor, via Telluric. <https://telluric.us/the-secrets-of-countersurveillance/>
- Traditional Espionage Challenged by Ubiquity of Emerging Technologies (knowing your status, cascading compromise). The Soufan Center. <https://thesoufancenter.org/intelbrief-2021-december-6/>
- Botched CIA Communications System Helped Blow Cover of Chinese Agents. Foreign Policy. <https://foreignpolicy.com/2018/08/15/botched-cia-communications-system-helped-blow-cover-chinese-agents-intelligence/>
- The CIA's Communications Suffered a Catastrophic Compromise. It Started in Iran. (Dorfman and McLaughlin). Yahoo News. <https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html>
- CIA Operations in Iran, China Compromised for Years (FBI and NSA penetration test, segmentation gap). The Hill. <https://thehill.com/opinion/technology/416215-cia-operations-in-iran-china-compromised-for-years-because-of-hubris-and-a/>
- US Spy Catastrophe: CIA Betrayed Informants With Shoddy Covert Comms Websites. The Register. <https://www.theregister.com/2022/09/29/us_spy_catastrophe_reported_in/>
- Statement on the Fatal Flaws Found in a Defunct CIA Covert Communications System. The Citizen Lab. <https://citizenlab.ca/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/>
- A Band of Innovators Reimagines the Spy Game for a World With No Cover (chief of tradecraft, UTS working group). The Washington Post. <https://www.washingtonpost.com/opinions/interactive/2025/cia-ai-technology-spies/>
- The Danger of Digital Footprints: How Ubiquitous Technical Surveillance Threatens the US Military (data persists forever). The Washington Times. <https://www.washingtontimes.com/news/2026/may/27/danger-digital-footprints-ubiquitous-technical-surveillance-threatens/>
- Countering Ubiquitous Technical Surveillance (MS-ISAC report). Multi-State Information Sharing and Analysis Center. <https://mcsheriffs.com/images/Resources/MS-ISAC_Countering-Ubiquitous-Technical-Surveillance-Report_20251105.pdf>
- Ubiquitous Tech Surveillance: CIA Techniques to Protect Phones and Electronics (AI pattern matching). SPYSCAPE. <https://spyscape.com/article/spy-school-heres-how-cia-officers-protect-cell-phones-electronics>
Doradus Labs | Intelligent infrastructure, secured.