How US defense secretary Hegseth circumvents the official DoD communications equipment

Last week it was reported that US defense secretary Pete Hegseth has a private computer with a direct link to the public internet in his office, in order to use the messaging app Signal.

US defense secretary Pete Hegseth in his office in the Pentagon, January 30, 2025
(Still from a video message on X, formerly Twitter)

Hegseth's government equipment

Like his predecessors, Trump's defense secretary Pete Hegseth has access to a range of secure and non-secure telephone and computer networks. The equipment is installed at a table behind his back, when sitting at his big writing desk in the Pentagon.

In the photo above we can see that equipment in a set-up that has basically been unchanged since Chuck Hagel, who was Obama's secretary of Defense from 2013 to 2015. In the photo of Pete Hegseth we see from left to right:

- On top of a wooden stand sits a Cisco IP Phone 8851 with a 14-key expansion module. This phone is part of the Crisis Management System (CMS), which connects the President, the National Security Council, Cabinet members, the Joint Chiefs of Staff, intelligence agency watch centers, and others. Its bright yellow bezel indicates that it can be used for conversations up to Top Secret/Sensitive Compartmented Information (TS/SCI).

- Below the CMS phone on the wooden stand is (hardly visible) an Integrated Services Telephone-2 (IST-2), which can be used for both secure and non-secure phone calls. This phone belongs to the Defense Red Switch Network (DRSN), also known as the Multilevel Secure Voice service, which connects the White House, all military command centers, intelligence agencies, government departments and NATO allies.

- Right in front of the IST-2 is another Cisco IP Phone 8851 with a 14-key expansion module, but this time with a green bezel, which indicates that it's for unclassified phone calls. This phone is part of the internal telephone network of the Pentagon and replaced an Avaya Lucent 6424 executive phone.

A better view of these phones is provided by the following photo from 2021:

Former secretary of defense Lloyd Austin in his Pentagon office in 2021,
with a Cisco IP phone with yellow bezel for the CMS and
an IST-2 phone with many red buttons for the DRSN.
(DoD photo - click to enlarge)

- Besides the telephones there are two computer screens, both with a bright green wallpaper, which again indicates that they are connected to an unclassified network, most likely NIPRNet. In the photo of Lloyd Austin's office we see that there's also a KVM switch which is used to switch securely to the SIPRNet (Secret) and JWICS (Top Secret/SCI) networks, using the same keyboard, video and mouse set.

- Finally, at the right side of the table there are two Cisco Webex DX80 videoteleconferencing screens. The one at the right has a yellow label, which indicates that it's approved for Top Secret/SCI and most likely belongs to the Secure Video Teleconferencing System (SVTS), which is part of the aforementioned Crisis Management System (CMS). The other screen might then be for videoconferences at a lower classification level.

> See also: US military and intelligence computer networks

Hegseth's personal computer

Despite the wide range of options for communicating via the proper and secure government channels, secretary Hegseth insisted on using Signal. Apparently it wasn't allowed or possible to install this app on one of the government computers, nor on a smartphone that is approved for classified conversations.

> See: The equipment that Trump's national security team should have used

Therefore, Hegseth initially went to the back area of his office where he could access Wi-Fi to use Signal, according to AP News. It's not clear whether he used a private laptop or his personal smartphone, both of which would have been strictly forbidden to use in secure areas like this.

Somewhat later, Hegseth requested an internet connection to his desk where he could use a computer of his own. This line connects directly to the public internet and bypassed the Pentagon's security protocols. This new computer must be the one that can be seen in the photo below, as it wasn't there on February 21 and has no labels that indicate its classification level:

US defense secretary with a new desktop computer on his desk, March 20, 2025
(DoD photo, see also this video message on X)

Some other employees at the Pentagon also use direct lines to the public internet, for example when they don't want to be recognized by an IP address assigned to the Pentagon. That's risky because such a line is less well monitored than NIPRNet, which allows limited access to the outside internet.

At his new desktop computer, Hegseth had Signal installed, which means he effectively 'cloned' the Signal app that is on his personal smartphone. He also had interest in the installation of a program to send conventional text messages from this personal computer, according to some press sources.

The move was intended to circumvent a lack of cellphone service in much of the Pentagon and enable easier communication with the White House and other Trump officials who are using the Signal app.



SecDef Cables

It is remarkable to what great lengths Hegseth went to use the Signal app, because as defense secretary he has his own communications center which is specialized in keeping him in contact with anyone. This center is commonly called SecDef Cables and is part of Secretary of Defense Communications (SDC) unit.

SecDef Cables is an operational information management and command and control support center, which is staffed by 26 service members and 4 civilians. They provide "comprehensive voice, video, and data capabilities to the secretary and his immediate staff, regardless of their location, across multiple platforms and classifications."

SecDef Cables also serves as a liaison to the White House Situation Room, the State Department, Department of Defense agencies, and foreign counterparts.

Promotion video for job opportunities at SecDef Cables

Links and sources
- AP News: Hegseth had an unsecured internet line set up in his office to connect to Signal, AP sources say (April 24, 2025)
- The Washington Post: Hegseth had Signal messaging app installed on an office computer (April 24, 2025)

The equipment that Trump's national security team should have used

(Updated: April 29, 2025)

Recently, the editor in chief of The Atlantic found himself in a group chat on Signal, in which president Trump's national security team discussed a military operation in Yemen. This immediately became SignalGate.

Here I present the secure government equipment and networks that Trump's team should have used instead of an app on their (personal) smartphones. It will also become clear why the Trump team prefers using Signal.

From left to right: Marco Rubio, Michael Waltz and Pete Hegseth in a White House conference room,
with some screenshots of messages that were exchanged in the Signal group chat.
(White House photo, January 28, 2025 - click to enlarge)

The Houthi PC small group

On March 11, 2025, president Trump's national security adviser Michael Waltz started a group chat on the open-source encrypted messaging app Signal to discuss airstrikes on Houthi rebels in Yemen, which took place on March 15.

The chatgroup was named "Houthi PC small group", with PC apparently referring to Principals Committee, a term typically used for a gathering of senior national-security officials. This group had a total of 19 participants:

- Michael Waltz, National Security Adviser
- Brian McCormack, Chief of Staff for the National Security Council
- Alex Wong, Principal Deputy National Security Adviser
- Susie Wiles, White House Chief of Staff
- Stephen Miller, White House Deputy Chief of Staff for Policy
- JD Vance, Vice-President of the United States
- Marco Rubio, Secretary of State
- Mike Needham, Special Adviser for the Department of State
- Pete Hegseth, Secretary of Defense
- Scott Bessent, Secretary of the Treasury
- Dan Katz, Chief of Staff for the Secretary of the Treasury
- Tulsi Gabbard, Director of National Intelligence
- Joe Kent, Acting Chief of Staff for the Director of National Intelligence
- John Ratcliffe, Director of the CIA
- Walker Barrett, Staff member of the House Armed Services Committee Republicans
- Steve Witkoff, Special Envoy to the Middle East
- Jacob, function unknown
- Jeffrey Goldberg, Editor in Chief of The Atlantic

This list shows that the members of the "Houthi PC small group" were from many different government departments and agencies and that some lower-ranking officials participated as well.

This is probably one of the reasons why they used Signal: given the variety of positions, they would probably not have access to the same equipment and/or networks to have a properly secured conversation.

The major US government departments and intelligence agencies have their own computer networks, usually one for unclassified and one or two for classified information:

Overview of major Homeland Security computer networks
From a briefing for Congress, July 2004

Secure computer networks

The networks of the Department of Defense (DoD) are the most widely used and therefore most suitable for interagency communications. There are separate DoD networks for different classification levels:

NIPRNet (Non-secure Internet Protocol Router Network)
- For information that is Sensitive But Unclassified (SBU)
- Circa 4,000,000 users

SIPRNet (Secret Internet Protocol Router Network)
- For information classified Secret (S)
- Circa 500,000 users

JWICS (Joint Worldwide Intelligence Communications System)
- For information classified Top Secret/SCI (TS/SCI)
- Circa 200,000 users

These classified networks are not connected to the internet and additionally secured with TACLANE network encryptors. These networks offer email (in the Signal group chat mentioned as "high side inboxes"), messaging and other collaboration tools, but they can also be used for VoIP phone calls and secure video teleconferencing.

> See also: US military and intelligence computer networks

Operations center in the US Central Command headquarters, with computers and
VoIP phones for Unclassified (green) and Secret (red) communications.
(still from 60 Minutes, January 2021 - click to enlarge)

Secure telephone networks

The DoD also operates a secure telephone network for classified conversations, called the Defense Red Switch Network (DRSN), also known as the Multilevel Secure Voice service. The DRSN connects the White House, all military command centers, intelligence agencies, government departments and NATO allies.

The DRSN has some special features and uses custom made telephone sets (currently the IST-2 made by Telecore), which can be used for both secure and non-secure phone calls. These phones also have the distinctive four red buttons for Multilevel Precedence and Preemption (MLPP).

During the attacks of September 11, 2001, the DRSN didn't function as intended and therefore a new Crisis Management System (CMS) was established. This includes a dedicated Voice over IP network that connects the President, the National Security Council, Cabinet members, the Joint Chiefs of Staff, intelligence agency watch centers, and others.

The CMS uses high-end Cisco IP phones with a bright yellow bezel. This color indicates that it can be used for conversations up to Top Secret/Sensitive Compartmented Information (TS/SCI), which is the classification category for the most sensitive, intelligence related information.

Former secretary of defense Lloyd Austin in his Pentagon office in 2021,
with a Cisco IP phone with yellow bezel for the CMS and
an IST-2 phone with many red buttons for the DRSN.
(DoD photo - click to enlarge)

Most senior members of the "Houthi PC small group" have a phone for the CMS in their office, but their deputies, advisers and staff members usually have not. So when they have to be involved in a secure phone call, that often means they have to be in the same room as their principal and listen to the conversation via the speakerphone.

It's noteworthy that not included in the Signal chat group were Michael E. Kurilla, commander of the US Central Command, and local commanders who led the military operation in Yemen. They were likely in contact with defense secretary Hegseth via the proper military channels, which would be SIPRnet or the DRSN.

> See also: The communications systems at the US Central Command headquarters

Securing mobile phones

All the equipment for secure communications discussed so far are fixed/landline devices that sit on someone's desk. That's fine when working in office, but nowadays people are used to do almost everything on their smartphone.

Securing mobile communications has long been a challenge. In the first place because outside, conversations can easily be overheard. For a long time, encryption devices were large and heavy, until in 2002 the Sectéra Secure Wireless Phone was introduced, which enabled encrypted phone calls and SMS/text messages over public networks.

> See also: How Obama's BlackBerry got secured

> See also: Obama using a secure GSM phone

Around 2010, cell phones of the GSM generation were rapidly replaced by smartphones, which became so complex that it's very difficult, if not impossible to prevent the device from being compromised by malware and/or backdoors.

Under its Commercial Solutions for Classified (CSfC) program, the NSA tried to solve this problem by securing commercially available devices with multiple layers of protection and encryption. This resulted in the DoD Enterprise Mobility program, which encompasses three different classification levels:

DMUC (Unclassified)
- For Samsung and Apple smartphones and tablets
- Circa 140,000 users

DMCC-S (Secret)
- For Samsung smartphones and tablets
- Circa 8000 users

DMCC-TS (Top Secret)
- For Samsung smartphones
- Circa 500 users

Overview of the DoD Enterprise Mobility program, 2022
(click here for the full document)

The CellCrypt app

The Secret version (DMCC-S) became operational in 2015 and offers secure phone calls via the CellCrypt app, access to SIPRNet email via the Outlook Web Application (OWA) and some other pre-approved apps on a Samsung smartphone or a Samsung tablet.

The website of the manufacturer provides additional details about the encryption methods used by CellCrypt app and also says that it can also be used for secure instant messaging, including group messaging and sharing photos, videos, voice notes, and files of any kind.

The DMCC-S solution has further restrictions, because in case the phone not only handles data-in-transit (DIT), but also stores classified information (data-at-rest, or DAR) it may only be used in physically protected environments.

On social media some people claimed that a conversation like in the Signal group chat should only take place in a Sensitive Compartmented Information Facility (SCIF). However, a SCIF is only mandatory for information classified Top Secret/SCI, while military information is usually classified Secret.


At the White House

The White House provides its employees with Apple iPhones, but without access to the iOS App Store and with all text messaging capabilities disabled - under president Biden, only a few staffers in the press office had the ability to text on a limited basis.

Especially Signal's option for "disappearing messages" (which was turned on in the "Houthi PC small group") isn't compliant with the Presidential Records Act (PRA), which requires that all communications by and among White House staff members have to be archived.

The phones issued to White House officials are managed by the Presidential Information Technology Community (PITC), which is an umbrella organization established in 2015 to provide IT systems to the President, Vice President, the National Security Council, the Secret Service, the White House Communications Agency, and others.



Trump's shift to Signal

As we have seen, there are various highly secure communication channels that Trump's national security team could have used. Those who were working in their office had access to secure computer networks and a secure phone, those who were traveling (like Gabbard and Witkoff) had the option of using a DMCC-S smartphone.

However, it already was the transition team that prepared Trump's take-over of the presidency in January 2025, which deliberately refused to use government facilities and IT systems. This was in part to avoid the mandatory record-keeping that comes with using official resources (it's not clear why they prefer Signal, because Whatsapp has disappearing messages as well).

Instead, Trump's staffers and incoming government officials communicated via their personal devices, often using the Signal app, and this continued after Donald J. Trump had been inaugurated as the 47th president of the United States.

Last February, political appointees at the DoD ordered that Signal had to be installed on government phones for newly installed senior military officials: "they all use Signal and need it to communicate with the White House" - even though in the same month, the NSA had warned against vulnerabilities in using Signal.

NSA bulletin about Signal vulnerabilities, February 2025
(click here for the full document)

During a House Intelligence Committee hearing a few days ago, Trump's CIA director John Ratcliffe said that Signal is also widely used by officials and staff at his agency's headquarters: "One of the first things that happened when I was confirmed as CIA director was Signal was loaded onto my computer at the CIA as it is for most CIA officers."

National Security Council spokesperson Brian Hughes said that Signal is allowed on government devices and that some agencies automatically install it on employees’ phones. "It's one of a host of approved methods for unclassified material with the understanding that a user must preserve the record" according to Hughes.

Updates:

On April 1, 2025, The Washington Post reported that Michael Waltz and other members of the National Security Council (NSC) also used Gmail for work-related communications. One of Waltz's senior aides, for example, used Gmail for "highly technical conversations with colleagues at other government agencies involving sensitive military positions and weapons systems."

On April 2, 2025, Politico revealed that the team of national security adviser Mike Waltz had set up at least 20 group chats on Signal to coordinate official work on issues including Ukraine, China, Gaza, Middle East policy, Africa and Europe.

On April 6, 2025, The Guardian reported that an internal investigation by the White House made clear how Jeffrey Goldberg was accidentally added to the Signal group chat: in October 2024, Goldberg had emailed the Trump campaign and his email was forwarded to Trump's former spokesman Brian Hughes. The latter copied and pasted the content of the email, including the signature block with Goldberg's phone number, into a text message that he sent to Michael Waltz. Waltz' iPhone then semi-automatically stored Goldberg's number under the contact card for Hughes, who had now become the spokesman for the National Security Council. So when Waltz set up the "Houthi PC small group" on Signal, he actually wanted to add Hughes, but this resulted in the number of Goldberg being added.

On April 20, 2025, the New York Times reported that Hegseth also shared similar details about the Yemen operation in another Signal group that included his wife Jennifer, his brother Phil, and his personal lawyer Tim Parlatore. Jennifer Hegseth has no relevant role in the Defense Department, while Phil Hegseth serves in the Pentagon as a Department of Homeland Security appointee. Parlatore, a military defense attorney, recently rejoined the Navy with an assignment to improve military justice issues.

Links and sources
- The Guardian: Exclusive: how the Atlantic’s Jeffrey Goldberg got added to the White House Signal group chat (April 6, 2025)
- Politico: Waltz’s team set up at least 20 Signal group chats for crises across the world (April 2, 2025)
- Bruce Schneier: The Signal Chat Leak and the NSA (March 31, 2025)
- The Independent: Previous administrations were wary of the messaging app Signal. Trumpworld has embraced it (March 27, 2025)
- The Atlantic: Here Are the Attack Plans That Trump’s Advisers Shared on Signal (March 26, 2025)
- The Atlantic: The Trump Administration Accidentally Texted Me Its War Plans (March 24, 2025)
- TWZ: C-17’s ‘Silver Bullet’ Airstream Trailer Pod Used By Secretary Of Defense Hegseth On First Overseas Trip (February 12, 2025)
- DoD Inspector General: Audit of Cybersecurity of DoD Classified Mobile Devices (December 13, 2024)

See also some comments on Hacker News

Interesting topics from the NSA's 2009 Presidential Transition Book

(Updated: April 8, 2025)

In the period between the election and the inauguration, a new US president prepares to take over the administration and gets briefed by numerous officials and agencies, including the National Security Agency (NSA).

Here I will present some interesting topics from the extensive 2009 Presidential Transition Book (pdf), which the NSA had prepared for Barack Obama after he had been elected president on November 4, 2008.

Context

The NSA's briefing book was published in May 2017 by the National Security Archive as part of its Cyber Vault. That collection contains 42 declassified documents about cyber issues and also includes a 42-page Transition 2001 briefing (pdf) which the NSA had prepared for incoming president George W. Bush.

The 2009 Presidential Transition Book (pdf) for Obama was declassified on April 13, 2016 and has no less than 289 pages from a binder. It combines various documents and briefing materials from 2006 to 2008, some of them quite highly classified and therefore still heavily redacted.

Despite the redacted portions, the book provides a good and detailed introduction to the NSA and its activities, but with its 289 pages it sometimes goes well beyond what the president and his staff had to know, like for example the highly detailed acquisition and procurement plans of the agency. (p. 154ff)

Mission

While on its public website it was said that the NSA had just two core missions, Information Assurance and Signals Intelligence, the Presidential Transition Book add a third one:

- Signals Intelligence (SIGINT), including codebreaking,

and

- Information Assurance (IA), including codemaking,

which together enable

- Computer Network Attack (CNA), which includes offensive operations against adversaries' information systems, but this had to be done in collaboration the JFCC-NW, which eventually merged into the US Cyber Command.

> See also: NSA's Strategic Mission List

Communications monitoring

Another topic that seems not necessary for the president to know is about a hardly known NSA unit called the Joint COMSEC Monitoring Activity (JCMA), which was part of the NSA's former Information Assurance (IA) directorate.

The JCMA consists of a Headquarters Operations Centers at Fort Meade and six Regional COMSEC Monitoring Centers, located at Menwith Hill Station (MHS) in the UK, NSA/CSS Europe in Stuttgart in Germany, an undisclosed location, NSA/CSS Hawaii at Camp Smith in Hawaii, and NSA/CSS Georgia at Fort Gordon in Georgia. (p. 36)

These JCMA units monitor the unclassified communications of American military and government entities to determine if critical information has been disclosed or if other vulnerabilities exist that adversaries could exploit. (p. 36)

According to the Transition Book the "Attorney General-approved procedures (and Federal law) permit monitoring with consent, and NSA/CSS ensures that personnel are notified of the possibility of monitoring and that all required consents have been obtained before such monitoring can begin." (p. 49)

Label on an Integrated Services Telephone (IST) which can be
used for both classified and unclassified phone calls
(click to enlarge)

Declassifications

The 2009 Presidential Transition Book, which was declassified in April 2016, also reveals some details that can be compared to information from the Snowden documents:

For example, the Transition Book reveals the involvement of foreign partners in the NSA's RT-RG processing and analysis system:

"The Real Time Regional Gateway (RT-RG) [...] is bringing the full Signals Intelligence analysis, processing and exploitation power of NSA/CSS to deployed U.S. and governement agencies and military forces along with our 2nd and 3rd party partners in Theater through special agreements. RT-RG provides Signals Intelligence analysts near real-time access to [redacted]." (p. 19)

As part of the Snowden revelations this aspect was reported only three years later, in May 2019, by the online outlet The Intercept.

> See also: From 9-Eyes to 14-Eyes: the Afghanistan SIGINT Coalition (AFSC)

The Transition Book also mentions the multilateral group formed by the NSA's partners in the Pacific Region called SIGINT Seniors Pacific (SSPAC):

"In addition to bilateral partnerships, NSA/CSS continues to support a limited number of multilateral relationships such as SIGINT Seniors Europe (SSEUR) and SIGINT Seniors Pacific (SSPAC)." (p. 47)

The name of this group had already been revealed a year before, in March 2015, when The New Zealand Herald released a document from the Snowden trove (although a paper from 2012 had already mentioned a "Pacific version of the Five Eyes ‘plus’ grouping").

> See also: NSA's Foreign Partnerships

Cyber defense

Several parts of the 2009 Presidential Transition Book are about "Defending Vital Networks", which at that time already was a high priority issue.

The NSA saw a central role for itself, because "Insights and information gained from the Signals Intelligence mission, combined with the expertise and capabilities offered by the Information Assurance mission, make NSA/CSS a key player in defending vital networks against the threats of the Internet age." (p. 30)

Accordingly, the NSA was one of over 20 federal departments involved in the Comprehensive National Cybersecurity Initiative (CNCI), or simply the "Cyber Initiative", which was established by president George W. Bush in January 2008 and was continued by president Obama.

The CNCI "seeks to address current cybersecurity threats and anticipate future threats and technologies in order to prevent, deter, and protect the U.S. Federal government (.gov) domain against cyber intrusions. The strategy includes establishing shared situational awareness across the federal government." (p. 32)

The exact way in which the NSA contributes to the CNCI is redacted, but some of its unclassified contributions are:

- "Threat analysis provides a comprehensive understanding of the intentions, capabilities, and activities of the adversary."

- "Activity analysis allows for the discovery of unknown, significant intrusion activity, in-depth analysis of known intrusion sets, and trend analysis."

- "Network analysis and cyber target development efforts monitor, characterize, and report on foreign digital networks, organizations and personas in cyberspace." (p. 32-35)

An intriguing issue is that in other NSA documents the notorious Utah Data Center is called an "Intelligence Community Comprehensive National Cybersecurity Initiative Data Center", but the Transition Book doesn't contain a single unclassified reference to what the purpose of such a CNCI data center would be (neither do the Snowden documents).

However, the Transition Book does emphasize that "All of our responsibilities under the CNCI are within our existing authorities and missions, i.e., SIGINT, Information Assurance, enabling network warfare under JFCC-NW, and providing technical assistance to other federal agencies. The vast majority of our work under the CNCI is work we are already doing under our Transformation 3.0." (p. 100)

The NSA/CSS Threat Operations Center (NTOC), ca. 2006
(photo: NSA - click to enlarge)

Transformation 3.0

The 2009 Presidential Transition Book seems to be the first document that provides an elaboration of "Transformation 3.0" or T3.0. This appears to be a strategic technology plan meant to "distribute our processing capabilities throughout the global enterprise and to unify our missions."

This had to be done by "creating a cooperative and concerted real-time exploit-attack-defend capability [redacted]. T3.0 connects analysts, missions partners, clients, sensors, systems, and information on a global scale through a robust, secure, and distributed network." (p. 60)

(Upon request of The Black Vault, an Intellipedia page about Transformation 3.0 was declassified in 2018, but again most parts have been redacted)

Transformation 3.0 comes after two earlier Transformations of the NSA, which apparently took place in the 1990s and the early 2000s:

"T1.0 - Modernization
Following the cold war, T1.0 improved corporate business processes, shaped the workforce, modernized technlogy, and updated operations - better positioning the Agency to grapple with varied threats and emerging technology."

"T2.0 - Collaboration
Following 9/11/2001, T2.0 began to move NSA/CSS from a paradigm of "need to know" to "need to share", both within NSA and with our clients and partners. T2.0 began to merge the Signals Intelligence and Information Assurance missions together as one, providing on-site support and tailored services - which enabled NSA/CSS to fashing new relationships for the new world order, redrawing distinctions between national and tactical, producer and consumer, collector and operator."

T3.0 - [redacted]
Today, NSA/CSS is focused on the [redacted]. The intention is to create cooperative, interoperable, real-time Exploitation/Defense/attack-enabling (E/D/enA) capabilities [redacted]" (p. 123)

Transformation 3.0 was comprised of three parts: "(1) Mission Modernization, (2) Infrastructure Modernization (comprising significant improvement in Power, Space and Cooling (PS&C) and Information Technology (IT) Modernization efforts, both described earlier) and (3) Workforce Modernization." (p. 125)

T3.0 is briefly mentioned in some documents from the Snowden trove as well, for example this one that says that the initiative started in 2006, which means it came shortly after Transformation 2.0 which had just been launched in 2003. See about T2.0 also this newsletter. At GCHQ there was a counterpart program called SIGINT Modernisation.

Another document leaked by Snowden says that the objective of T3.0 was nothing less than "Global Network Dominance" and that a crucial piece for that was the Remote Operations Center (ROC), which manages and operates the NSA's rapidly growing array of hacking operations.

The 2009 Presidential Transition Book also includes a copy of an internal powerpoint presentation about the Transformation 3.0 plan, which is almost completely redacted. (p. 79ff)

This briefing slide from the Transition Book repeats that an important part of T3.0 was to "create cooperative, interoperable, real-time Exploitation, Defense and attack-enabling capabilities" which reminds us of the NSA's TURBULENCE program. This program was first reported on in 2007 and was the successor of the TRAILBLAZER project.

Update:
An internal NSA newsletter from October 2006 confirms that TURBULENCE is the actual implementation of the Transformation 3.0 initiative. Something similar can be read on page 293 of the National Defense Authorization Act (pdf) for the fiscal year 2008, which added that TURBULENCE was structured as a "series of loosely connected projects, not one of which met the threshold for designation as a major systems acquisition. This decision, while permitting the NSA to avoid external acquisition oversight, exacerbated the Agency’s weaknesses in systems engineering and systems integration."

TURBULENCE (abbreviated as TU) was/is an umbrella program with at least seven components, including TURMOIL for passive collection from fiber-optic cables and TUTELAGE, which detects and blocks cyberattacks directed against the computer networks of the US Defense Department.

Even more interesting is TURBINE, which uses identifiers from TURMOIL and TUTELAGE to initiate a semi-automated process in which an implant from the NSA's Computer Network Exploitation system QUANTUM is installed on a target's computer system.

With these three components, TURBULENCE integrates all three capabilities of Transformation 3.0: TURMOIL for exploitation, TUTELAGE for defense and TURBINE for attack-enabling.

Slide about the TURBULENCE program from the Snowden files
(click to enlarge)

Research program

Another interesting chapter in the 2009 Presidential Transition Book is about the efforts of the NSA's Research Directorate (RD):

"Since 2003, the NSA Research Program has been structured around four important mission thrusts which drive our advanced research efforts.

"Owning the Net.
This denotes our goal to dominate the global computing and communications network. Research will develop tools and techniques to access, at will, any networked device for offensive or defensive purposes."

"Coping with Information Overload.
We must turn the massive amount of information on the global network into a strategic asset, rather than an obstacle. Under this thrust, Research will develop capabilities to present the most valuable information, organized to make sense to analysts so that thy can perform their tasks in a more efficient and effective manner."

"Ubiquitous, Secure Collaboration.
The focus here is to provide the techniques and technology to allow diverse users - within the government and with our industrial and international partners - to work collaboratively and securely across multiple domains and different environments."

"Penetrate Hard Targets.
Penetrating hard targets provides the technological solutions to enable new access, collection and exploitation methodologies against the nation's toughest intelligence targets. The research Directorate provides foundational and advanced mathematics that contribute innovative solutions to all of the above mission thrusts." (p. 69)

The NSA's Research and Engineering (R&E) Building at Fort Meade
(click to enlarge)

NSA workforce

The exact number of people working at US intelligence agencies was always classified, but surprisingly, the 2009 Presidential Transition Book provides some very detailed figures.

It says that, probably in 2008, NSA/CSS employed 36,371 people worldwide, with 52% of them civilians (18,849) and 48% military and civilians from the armed services (17,522).

68.8% of the NSA's civilian workforce had a bachelor's degree or higher, 40.7% were women, 17.7% members of a minority and 3.8% were persons with disabilities. The average age of the civilian workforce was 43.6 years. (p. 58-59)

A separate chapter titled "NSA/CSS Footprint" provides detailed information charts about the NSA's four regional Cryptologic Centers, including the names of their commanders, partial organizational charts and numbers about their workforce, with actual numbers for 2008 and projected numbers for 2012 and 2015. Below are the actual numbers for 2008: (p. 185ff)

- NSA/CSS Georgia (codename SWEET TEA):
2930 employees: 368 civilians, 42 service civilians, 2173 military, 347 other (foreign or IC partner, contractor)

- NSA/CSS Hawaii:
3054 employees: 224 civilians, 121 service civilians, 2582 military, 127 others

- NSA/CSS Texas (codename BACONRIDGE):
2136 employees: 246 civilians, 56 service civilians, 1689 military, 145 other.

- NSA/CSS Colorado:
1324 employees: 233 civilians, 4 service civilians, 976 military, 115 contractors.

> See also The NSA's regional Cryptologic Centers

Finally, the 2009 Presidential Transition Book ends with the biographies of over 30(!) top officials of the NSA, all of which have been fully redacted, except for those of the director (Keith B. Alexander), the deputy director (John C. Inglis) and the chief of staff (Deborah A. Bonanni). (p. 243ff)

Treaties on the exchange and protection of classified information

(Updated: February 6, 2025)

According to parliamentary records from The Netherlands, almost all western countries have signed, or plan to sign treaties on the exchange and protection of classified information. While many of them are public now, they replace secret agreements which date back to the 1960s.

Sources

For The Netherlands these treaties can easily be found via a new open source viewer called OpenTK, which builds upon an API provided by the staff of the Second Chamber (Tweede Kamer) of the Dutch parliament.

The most recent one is the "Treaty between the Kingdom of the Netherlands and the Kingdom of Sweden on the exchange and mutual security of classified information" that was signed in Stockholm on January 18, 2024. In November it was sent to the Second Chamber of parliament for silent ratification.

For the United States, some similar agreements can be found on the website of the Office of Treaty Affairs of the State Department. One example is the "Agreement Concerning Security Measures for the Protection of Classified Information" between the US and the Slovak Republic from May 13, 2022.


Purpose

The purpose of these treaties is to ensure that when classified information is exchanged, it gets the same level of protection in the country of the recipient. Thus they provide a safeguard for cooperation between government agencies (including law enforcement, intelligence and security services as well as the armed forces), but also between governments and corporations, for example when the government of one country grants a classified contract to a company in the other country.

The actual cooperation, whether a long-term partnership, temporary project or military procurement, is regulated by a multitude of treaties, agreements and contracts, which are often classified or at least confidential. For example, the collaboration between the NSA and other signals intelligence agencies is governed by secret bilateral Memorandums of Understanding (MoU), with details that can vary from country to country and from time to time.

> See also: What the NSA provides to its foreign partners, and vice versa

Origin

A Dutch parliamentary document shows that bilateral treaties on handling classified information apparently go back to the 1960s: an agreement on this topic was concluded with the United States on August 18, 1960, which was supplemented on April 6, 1981. However, at the request of the US, they were kept secret and were therefore not submitted to the Dutch parliament for ratification.

In 2017, the US agreed to declassify these earlier agreements, partly because The Netherlands no longer saw a compelling reason for keeping them secret. They were replaced by a new, public treaty that was signed on June 22, 2018. The aforementioned treaty with Sweden from January 18, 2024 also replaced a previous agreement that was signed on October 29, 1984.


Contents

All these treaties, both from The Netherlands and from the United States, contain more or less similar provisions, including:

- Classified information has to get a level of protection which is at least equal to the protection in the originating country.
- Each party designates an agency that acts as its "National Security Authority" (NSA) which is responsible for the implementation of the treaty.
- A comparison of the national classification levels, which in almost all western countries follow the British/American system of Restricted, Confidential, Secret and Top Secret.
- Access to classified information has to be limited to people with a need-to-know and a proper security clearance.
- Classified information shall not be released to a third party without explicit prior authorization by the originating country. This is the so-called "third party rule".
- Requirements for the transmission of classified information, whether in hard copy or electronic form.
- Classified information shall be stored in properly secured facilities, only accessible by authorized personnel.
- Verification of the security measures implemented by the other party and informing the other party about security standards.
- Inform the originating party about any loss or compromise of its classified information.
- How to conduct in case of classified contracts.

All these provisions are in rather general terms, further details can be agreed upon by the respective National Security Authorities.

> See also: The US Classification System

Bilateral treaties

According to parliamentary records from the past 15 years, The Netherlands has made preparations for treaties on handling classified information with at least the 22 countries listed below. When the treaty has already been signed, its date has been added:

- Albania
- Australia
- Belgium (November 5, 2019)
- Brazil (October 9, 2023)
- Bulgaria
- Cyprus
- Czech Republic
- Estonia
- Finland (February 22, 2022)
- Latvia
- Luxembourg
- Malta
- Norway (November 7, 2023)
- Ukraine (February 5, 2024)
- Poland (February 10, 2023)
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain (November 23, 2021)
- Sweden (January 18, 2024)
- United States (June 22, 2018)

This list contains most of the member states of the European Union and NATO, except for Brazil which is of course a member of neither, but does have a considerable defence industry. In 2022, for example, the Dutch Armed Forces ordered new military transport aircraft from the Brazilian manufacturer Embraer.

Interestingly, the United Kingdom, Germany, Denmark, France, Italy, Greece, Turkey and Israel are not included in the list, despite the fact that they are important countries when it comes to military and intelligence cooperation. Given the long and close relationship with most of these countries, it seems not likely that negotiations have not yet started, so maybe the treaties with these particular countries are still classified.


International organizations

Besides the bilateral treaties between states, there are also ones between states and international and supranational organizations.

On August 19, 2002, for example, the countries that participate in the European Space Agency (ESA) signed an agreement with the ESA for the protection and the exchange of classified information. Undoubtedly there will be a similar agreement with NATO and one is also being prepared for the OCCAR, a European organization for collaborative armament programs.

The European Union has decided to sign "Agreements on security procedures for exchanging and protecting classified information" with 17 non-member states, ranging from Russia and the United States to Iceland and Liechtenstein(!). There's even such an agreement between the EU and the ESA, which was signed on May 22, 2024.

These international organizations have their own versions of the usual classification levels:
- ESA: ESA Confidential, ESA Secret, ESA Top Secret.
- NATO: NATO Restricted, NATO Confidential, NATO Secret, COSMIC Top Secret.
- OCCAR: OCCAR Restricted, OCCAR Confidential, OCCAR Secret.
- EU: EU Restricted, EU Confidential, EU Secret, EU Top Secret.

> See also: NSA's Foreign Partnerships

Membership of various military and intelligence groups
(click to enlarge)

Update:
On January 21, 2025, president Trump granted interim Top Secret/SCI security clearances for up to six months to incoming White House officials who have not completed the required vetting process. This could lead to the situation that foreign intelligence partners, on which the US relies for much of its intelligence work, will curtail what they share with the US, out of fear that their sources and methods may be put in danger.