December 4, 2021

About Intellipedia and other intelligence wikis from the Snowden trove



For years, the NSA and other US intelligence agencies have had their own internal versions of the collaboration tools that most of us use day-to-day. Documents from some of these tools have been published as part of the Snowden revelations, which allows a closer look.

It turns out that besides the US Intelligence Community's Intellipedia, which was already publicly known, the Snowden trove also contains entries from the NSA's WikiInfo and the British GCWiki, systems that were hitherto unknown.





Intellipedia

The oldest and best known internal collaboration tool used by the US Intelligence Community is Intellipedia, which is similar to the public Wikipedia and uses the same software called MediaWiki.

Intellipedia started as a pilot project at the CIA in 2005 and was formally announced in April 2006. Later it was brought under the Intelligence Community Enterprise Services (ICES) of the Office of the Director of National Intelligence (ODNI).

A big difference from the public Wikipedia is that Intellipedia has three different versions, according to the main classification levels (with the number of users by the end of 2012):
- Unclassified, on the DNI-U network, with some 75.000 users

- Secret, on the SIPRNet network, with some 147.000 users, mostly from the Defense Department and the State Department

- Top Secret/SCI, on the JWICS network, with some 188.000 users, mostly from the intelligence agencies


Each of these Intellipedia versions can be used by both civilian and military employees with appropriate clearances from the 17 agencies of the US Intelligence Community as well as from the US military and other federal government departments.

An example of the address format of a Top Secret/SCI Intellipedia page is: http://intellipedia.intelink.ic.gov/wiki/Anna_Politkovskaya


An article from the Unclassified version of Intellipedia
This one from the CIA's AIN network


Intellipedia entries from the Snowden revelations

Probably a bit surprising is that among the numerous Snowden documents there are only five Intellipedia entries. A close look shows that they were published in two forms:

1. Three of the Intellipedia entries are in pdf-format or a pdf-image (or a combination thereof) and in full color, in this case much yellow, which is the color code for information classified as Top Secret/Sensitive Compartmented Information (TS/SCI).

These three entries are this one about Anna Politkovskaya, this one about Air-Gapped Network Threats and this one about BIOS threats.


Intellipedia entry about Anna Politkovskaya

Snowden's username redacted on Intellipedia? (source)


2. Two Intellipedia entries from the Snowden cache don't have color, images and formatting and seem to be a scan or a photo of a printed document, like this entry titled "Manhunting Timeline 2008", which was released by The Intercept in July 2015.

The other entry was published last October by the American journalist Spencer Ackerman and is titled "Targeted Killing: Policy, Legal and Ethical Controversy". This document not only has a form very similar to that of the "Manhunting Timeline 2008" but is also about the same topic.



Intellipedia entry titled Manhunting Timeline 2008



Intelink

Intellipedia is part of the Intelink network, which was set up in 1994 and also has three versions: for Unclassified, Secret and Top Secret/SCI information. Besides Intellipedia, Intelink also provides a range of other collaboration tools for members of the US Intelligence Community (IC), like:
- Intelink Search
- Inteldocs (shared files)
- IntelShare (the IC's SharePoint)
- Intelink Blogs
- eChirp (IC version of Twitter)
- Jabber (instant messaging)

A more official version of Intellipedia, called Living Intelligence, was created for collaboratively writing official intelligence reports, but this failed because each agency stuck to its own process for writing such reports or "products for their customers".

More successful is A-Space (or Analytic Space), which is also a common collaborative workspace for analysts of the US Intelligence Community, but unlike the Intelink tools, A-Space can also be used for information classified as GAMMA or HCS. A-Space went live on the JWICS network in 2008 and is managed by the DIA. In July 2013, A-Space was widened to i-Space (Integrated Space) so access is no longer restricted to analysts.


Intelink homepage with icons of the various collaboration tools (source)


All the Intelink collaboration tools on the JWICS network are marked NOFORN, which means their content may not be shared with foreign nationals. Therefore, NSA employees apparently prefer their own tools on NSANet which do allow sharing with the other agencies of the Five Eyes partnership.



WikiInfo

The name of one such NSA tool was already found in a very interesting report from 2016 about how the US Intelligence Community uses internal collaboration tools: WikiInfo. This very unimaginative name refers to the NSA's internal wiki, parts of which were published during the Snowden leaks.

WikiInfo runs on NSANet, the network that connects all the Five Eyes signals intelligence agencies, and has a maximum classification level of TOP SECRET//SI-GAMMA/TALENT KEYHOLE//ORCON/PROPIN/RELIDO/REL TO USA, FVEY.

This really long marking says that information on NSANet may include highly sensitive communication intercepts (GAMMA) and intelligence from spy planes and satellites (TALENT KEYHOLE), including material that is closely controlled by the originator (ORCON) or contains proprietary information (PROPIN).

For even more sensitive information that should not be shared with the Five Eyes partners there's a separate platform called WikiInfo-NF (No Foreign nationals).


WikiInfo entries from the Snowden revelations

The Snowden trove provided only about 10 WikiInfo entries, which is not much, but still twice the number of Intellipedia pages. Most of them just contain the text of the article, like this one about QUANTUM shooters, but this one shows the full WikiInfo interface, apparently made with a full page screen capture tool:


The WikiInfo interface with an entry about SIGINT targeting scenarios
Note that "Edward snowden" doesn't seem to match the redacted username


WikiInfo is only one of the NSA's own series of internal collaboration tools. Others are Tapioca, JournalNSA, SpySpace, Giggleloop, RoundTable and Pidgin. Tapioca was described as the "impressive NSA system for social networking and collaboration" and combines multiple functionalities. In 2016, Tapioca also got a version on Intelink, making it available for other US intelligence users.



GCWiki

Most wiki entries that have been published during the Snowden revelations, some 23, are actually not from an American system, but from the internal wiki that is used by the NSA's British counterpart GCHQ. This platform is called GCWiki and has a maximum classification level of TOP SECRET STRAP1 COMINT.


An example of the address format for GCWiki pages is: https://wiki.gchq/index.php/TWO_FACE


GCWiki entries from the Snowden revelations

Among the GCWiki entries published as part of the Snowden revelations there are no examples of what the GCWiki interface looks like. All entries are like this article about the PHANTOM PARROT program, which was published by The Intercept in September 2017:


GCWiki entry about the PHANTOM PARROT program

Snowden's username on GCWiki (source)


Besides GCHQ, the other Five Eyes signals intelligence agencies, the Canadian CSEC (now CSE), the Australian DSD (now ASD) and GCSB from New Zealand, also have their own internal wikis, but no entries from these platforms have been published.



What's in the Snowden cache?

Regarding the content of these intelligence wikis, probably most of it is about people, places and events that are of interest for intelligence analysts. But as we can see from the pages that have been published since June 2013, these internal wikis are also used to share more technical information about collection programs and hacking tools.

It's not clear whether Snowden picked out those topics or journalists did so, or in other words: whether or not Snowden also downloaded the complete content of Intellipedia, WikiInfo and GCWiki, like he did with the NSA's internal newsletter SIDtoday. If so, that would have amassed a huge number of files, as in January 2014, the Top Secret/SCI version of Intellipedia alone contained some 113.000 pages.



A final thing to consider is how the Intelligence Community's internal collaboration tools relate to Snowden's exfiltration efforts. As we have seen here, the NSA and the US Intelligence Community both have a whole series of tools, ranging from instant messengers to file sharing systems and almost anything in between.

In his 2016 book Permanent Record, Snowden writes about what he calls "readboards", a kind of digital bulletin boards where each NSA site posted news and updates (p. 220). This sounds a bit like the "shared bookmarking" function which is available on Intelink, according to this diagram:


Collaborative tools used by the US Intelligence Community in 2016


Snowden said that he started hoarding documents from all these readboards and then shared this personal collection with his colleagues, as a justification, or "the perfect cover", for collecting material from more and more sources.

This system, which Snowden called Heartbeat, also pulled in the full documents so NSA Hawaii would still have access to them in case they would be disconnected from NSA headquarters. And, according to Permanent Record: "Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat" (p. 221-222).

Heartbeat isn't mentioned in the diagram above, which makes sense because if the system existed as Snowden described it, it was probably only used at NSA Hawaii and not throughout the NSA as a whole - and most likely completely abolished after he left the agency.



Links and sources
- The Atlantic: The Government’s Secret Wiki for Intelligence (2017)
- Wired: The Wikipedia for Spies—And Where It Goes From Here (2017)
- Center for Strategic and International Studies: New Tools for Collaboration. The Experience of the U.S. Intelligence Community (2016)

November 3, 2021

Edward Snowden and the targeted drone killing campaign



Two weeks ago, on October 22, a new document from the Snowden files was published for the first time in over two years. It's an entry from Intellipedia about the American drone killing campaign that was released by journalist and writer Spencer Ackerman.

While the content of the document is hardly significant, its form is remarkably similar to an Intellipedia entry that was published in 2015, which leads us to Snowden's interest in the drone killings and The Drone Papers that Daniel Hale leaked to The Intercept.





Ackerman's publication

Except for five new partial documents published in Barton Gellman's book Dark Mirror in May 2020, the last release of files from the Snowden trove was in May 2019, when The Intercept and the Norwegian broadcaster NRK published a range of documents about NSA's Real Time Regional Gateway (RT-RG) collection system. Two months earlier, the publisher of The Intercept had already decided to shut down the Snowden archive.


The new document comes from the cache of Snowden documents that is kept by the American documentary filmmaker Laura Poitras, who now lives in Berlin. According to Ackerman, Poitras was preparing for her exhibition Parallel Construction that marked the 20th anniversary of 9/11, when she "came across the Intellipedia entry and realized no one had ever published it" and then gave him a copy of it.

Ackerman published the document on Substack, an online platform for journalistic articles and newsletters, where he has an account called Forever Wars to "chronicle, investigate and interrogate the continuities, departures and permutations of the War on Terror". There he discusses the Intellipedia entry in an article titled "On U.S. Intelligence’s Wiki, Anxiety About Legal Challenges To Drone Strikes".


The Intellipedia entry (full document) published by Spencer Ackerman


The Intellipedia entry provides a summary of policies and opinions about the issue of targeted (drone) killings, mostly based upon public news reports and therefore almost all the content is unclassified. What Ackerman thinks is newsworthy is "the document's occasionally alarmist depiction of legal and political challenges to the strikes" and that it shows a "paranoid" feeling among US intelligence analysts.

Apparently this is only based on the following sections in the Intellipedia entry, which actually hardly support Ackerman's interpretation:

- "Those opposing targeted killing are increasing their organization and activities. If timing is more than coincidental, activists may coordinate their opposition efforts."

- "The effort may indicate a concerted effort by human rights organizations, activist international lawyers and opposition forces to undermine the use of remotely piloted vehicles, targeted killing, preemption and other direct action as elements of United States policy."

Ackerman also argues that the way the Intellipedia entry places "legal and political challenges to drone strikes on a continuum with warfare is of a piece with how U.S. intelligence can also view journalism on a continuum with espionage" - which refers to the prosecution of Julian Assange, who by his supporters is seen as an innocent journalist, while he actually engaged in acts of espionage and conspiracy against the United States.



A similar Intellipedia entry

More interesting than the content is the form of the newly disclosed document, because it turns out that it's very similar to another Intellipedia entry which is titled "Manhunting Timeline 2008" and was published by The Intercept in July 2015, along with a report about Israeli assassination operations:


Intellipedia entry (full document) published by The Intercept in 2015


This earlier Intellipedia entry is less blurry and has some additional details compared to the one published by Ackerman. First, it has all the navigation menus, including the one that's usually in the upper right corner of the browser window and includes the user name, something The Intercept forgot to redact in this case:



Another interesting detail is a message that appeared on top of the article to notify Intellipedia users that they should expect maintenance of the Intelink Instant Messenger (IIM) service on January 3, 2013.

This indicates that this document was viewed, stored and/or downloaded shortly before that date - a period when Snowden was a SharePoint systems administrator in the Office of Information Sharing at the NSA's regional Cryptologic Center in Hawaii.



Some details of the Intellipedia entry titled Manhunting Timeline 2008


Even more interesting are the markings at the very top and bottom of each page, which appear when an article is printed or saved through the "Printable version" option in the wiki interface: at the bottom of each page there's the URL (redacted, but remarkably long) and the page number, while at the top of the page there's the date and the title of the article, in this case "Manhunting Timeline 2008 - Intellipedia".

The date on this document is "6/2/2015" or June 2, 2015, which is more than two years after Snowden left the NSA, but just a month before The Intercept published it. Because one of the URLs has not been completely redacted, we see that when the file was printed, it was not on an internal US government network, but on a local computer drive:




This indicates that Snowden provided the entry in a digital form and that The Intercept read and printed it using a locally installed Wiki engine. For publication the print was scanned to turn it into a digital file again, which now included the printing marks. Was this to make the Intellipedia entry look like other drone documents provided by Daniel Hale?


On the Intellipedia entry published by Ackerman we see a similar page title ("Targeted Killing: Policy, Legal and Ethical Controversy - Intellipedia") but no date and also no URL and page number, but maybe that's because the bottom parts of the pages have been cut off ("some excisions for caution that do not affect the document’s narrative" according to Ackerman):




Therefore, it's not clear when this document was printed, but given the fact that it's also a sub-topic of Intellipedia's main article about Manhunting, we can assume that Snowden provided it in digital form, just like the Manhunting Timeline 2008. So was the new document also printed to look like the earlier ones, or was it just a safer way to hand it over to Ackerman?

Documents in a printed form are immediately reminiscent of the series of classified documents that were leaked by other sources than Edward Snowden. Most, but not all of them were eventually traced back to former NSA and NGA contractor Daniel Hale, who was arrested in May 2019. It turned out that in 2014 he printed a range of classified documents which were subsequently published by The Intercept.




Snowden and the drone killings

Daniel Hale's aim was to provide information about the drone strikes in order to end these lethal operations and it seems that Snowden was interested in this issue too, besides his main goal of fighting mass surveillance by the US government.

Already in October 2013, The Washington Post reported about a file which was "part of a collection of records in the Snowden trove that make clear that the drone campaign — often depicted as the CIA's exclusive domain — relies heavily on the NSA's ability to vacuum up enormous quantities of e-mail, phone calls and other fragments of signals intelligence, or SIGINT."

This sounds like Snowden had made a folder with various documents about drone killings, similar to the folders he had created about other topics that had his special interest, like operations of the NSA divisions TAO (hacking) and SSO (cable tapping). Journalist Barton Gellman confirms that the encrypted archive with some 50.000 documents he and Laura Poitras received in May 2013 was "neatly organized in folders".


Revelations about targeted drone killings

Despite this apparently special collection of records, there have been only very few revelations about the NSA's involvement in targeted drone killings:

- The first one was on October 16, 2013, by The Washington Post, titled Documents reveal NSA’s extensive involvement in targeted killing program, but this piece only refers to documents instead of publishing them.

- On February 10, 2014, The Intercept came with an article called The NSA’s Secret Role in the U.S. Assassination Program, which is based on accounts by "a former drone operator for the military's Joint Special Operations Command (JSOC) who also worked with the NSA" (Daniel Hale?) with some additional snippets from the Snowden trove.

- On July 15, 2015, The Intercept published the Intellipedia entry with the Manhunt Timeline 2008 as part of a report titled Israeli Special Forces Assassinated Senior Syrian Official.

That's not much, although Snowden's selection of drone-related documents may also have included files about NSA programs in support of the drone killings, like systems for tracing potential targets by geolocating their mobile phones, or the role of Menwith Hill Station in the United Kingdom, for example.


The drone killings as a trigger for Snowden?

According to Glenn Greenwald's book No Place to Hide from May 2014, Snowden was already confronted with drone operations during his job at the NSA's Pacific Technical Center (PTC) at Yokota Air Base, near Tokyo in Japan, where he worked as a systems administrator from August 2009 to September 2010:

"The stuff I saw really began to disturb me", Snowden said, and: "I could watch drones in real time as they surveilled the people they might kill. You could watch entire villages and see what everyone was doing. I watched NSA tracking people's Internet activities as they typed. I became aware of just how invasive US surveillance capabilities had become" (p. 43).

According to Greenwald, Snowden then began to feel an increasingly urgent obligation to leak what he was seeing, which makes it remarkable that this experience isn't mentioned in his own book, Permanent Record, which was published in September 2019.

In this book, Snowden only presents the press reports about the drone killing of Anwar al-Aulaqi as an example of how the US government itself is also leaking classified information when it serves its own interest (p. 237-238).

And instead of the drone campaign, Permanent Record comes up with two other "atomic moments" which Snowden experienced while he was in Japan: learning about the domestic mass surveillance of the Chinese government and the STELLARWIND report about President Bush's warrantless wiretapping program.


Later, however, Snowden said that he discovered the STELLARWIND report only much later, somewhere in 2012, when he was working at the NSA in Hawaii. Snowden actually changed the narrative about what the decisive moment for his actions was several times (another one was the Clapper testimony), but if there is indeed a separate folder with drone killing documents, that would confirm a special interest in this topic.



Daniel Hale's leaks

Daniel Hale had an experience similar to Snowden's in Japan, but only in March 2012, a few days after he arrived in Afghanistan to work as an intelligence analyst at Bagram Airfield. There he witnessed how a group of men were killed by a drone strike, just because one of them carried a targeted cell phone. Since then he had increasing moral objections against these operations.

In April 2013, Hale attended a presentation of Jeremy Scahill's book Dirty Wars: The World Is a Battlefield about the drone killings program under President Obama. As of June they contacted each other by phone and by e-mail and in September Scahill asked Hale to set up a Jabber account for encrypted chat conversations.

On October 16, 2013, The Washington Post published its piece about how documents provided by Snowden revealed the NSA's involvement in the targeted killing program. This article may have provided additional inspiration to Hale, because in December 2013 he accepted a new job at the National Geospatial-Intelligence Agency (NGA).

Although he felt uneasy, Hale said he took the job because "the money I could make was by far more than I had ever made before" - but maybe it was also an opportunity to get access to classified military information again, similar to Snowden who took his job at Booz Allen to get access to additional documents.

Between February and August 2014, Hale printed 23 mostly classified documents, 17 of which he provided to Jeremy Scahill, who then worked for Greenwald's new online news outlet The Intercept. Somewhere in the same period Greenwald traveled to Moscow and informed Snowden about a new source with important information about the drone program, which was shown in Laura Poitras' film Citizenfour from October 2014:



Glenn Greenwald informing Edward Snowden about The Intercept's new source
(still from the documentary film Citizenfour)


In the Summer of 2014, The Intercept had already published two of Hale's documents about NCTC watchlisting, but it took until April 17, 2015 for The Intercept and Der Spiegel to publish a Top Secret diagram about the drone operations and on October 15, 2015, The Intercept finally released four classified documents along with eight articles as "The Drone Papers".



Conclusion

For Snowden, who called it "the most important national security story of the year", The Drone Papers must have been a triumph because finally someone had followed in his footsteps and leaked details about the drone program which he was apparently also concerned about for years.

However, it was also a bitter defeat, because just three days after Daniel Hale had printed out his last document, the FBI had already tracked him down and raided his home (he was arrested in May 2019 and eventually sentenced to 45 months in prison). Is this why there's nothing about Hale, nor about the NSA's involvement in drone killing operations in Snowden's book Permanent Record?

Another question is why Laura Poitras thought Spencer Ackerman should publish a rather uninteresting Intellipedia entry. Was there really nothing more interesting about this topic among the Snowden files? Or was it a signal that, unlike The Intercept, she is still willing to publish things from the Snowden archive?



Links and sources
- Forever Wars: On U.S. Intelligence’s Wiki, Anxiety About Legal Challenges To Drone Strikes (2021)
- CNN: A 'second Snowden' leaks to the Intercept about 'drone wars' (2015)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (2015)
- The Washington Post: Documents reveal NSA’s extensive involvement in targeted killing program (2013)

May 18, 2021

What the NSA provides to its foreign partners, and vice versa

(Updated: November 3, 2021)

The cooperation between (signals) intelligence agencies of different countries is strictly quid pro quo, which means what you get is equivalent to what you give. This is perfectly illustrated by a small series of documents from the Snowden trove, which summarize what the NSA provides to its foreign partners, along with what they provide to the NSA.

Three of these documents are about the NSA's Second Party partners (better known as the Five Eyes): Canada, Australia and New Zealand, and six about Third Party partners: Germany, Israel, Norway, Saudi Arabia, Sweden and Turkey. Another NSA document provides some characteristics of these relationships.





The documents about the various NSA partners are information papers prepared by the Country Desk Officer (CDO) for the particular country at the NSA's Foreign Affairs Directorate (FAD). All but one date from April 2013, which is just a month before Snowden left the agency. It's not known whether there are also papers about other NSA partners among the Snowden files.

The information papers describe the relationship between the NSA and the foreign partner in a standardized way: they all start with an introduction, mention some "Key Issues", followed by "What NSA Provides to Partner" and "What Partner Provides to NSA". The papers end with "Success Stories" and "Problems/Challenges with the Partner".

For readability, the portion markings with the classification level for each paragraph have been removed and some abbreviations are written in full.



Second Party partners

The Second Party partners of the NSA are the signals intelligence agencies of the United Kingdom, Canada, Australia and New Zealand. These five countries are also known as the Five Eyes. Their SIGINT systems are highly integrated and the partners are not supposed to spy on each other.


Canada

Information paper: NSA Intelligence Relationship with Canada's CSEC, April 3, 2013

(Published by CBC on December 9, 2013)


What NSA provides to the Partner:

SIGINT: NSA and CSEC cooperate in targeting approximately 20 high-priority countries [two lines redacted]. NSA shares technological developments, cryptologic capabilities, software and resources for state-of-the-art collection, processing and analytic efforts, and IA capabilities. The intelligence exchange with CSEC covers worldwide national and transnational targets. No Consolidated Cryptologic Program (CCP) money is allocated to CSEC, but NSA at times pays R&D and technology costs on shared projects with CSEC.

[two paragraphs redacted]


What the Partner provides to NSA:

CSEC offers resources for advanced collection, processing and analysis, and has opened covert sites at the request of NSA. CSEC shares with NSA their unique geographic access to areas unavailable to the U.S. [redacted], and provides cryptologic products, cryptanalysis, technology, and software. CSEC has increased its investment in R&D projects of mutual interest. [several lines redacted].

[at least two paragraphs redacted]





Australia

Information paper: NSA Intelligence Relationship with Australia, April 2013

(Published by The Intercept and ABC on August 18, 2017)


What NSA provides to the Partner:

NSA provides cryptologic products/services to the Government of Australia through DSD, on virtually all subjects, particularly those related to the Pacific Rim. NSA shares technology, cryptanalytic capabilities, and resources for state-of-the-art collection, processing and analytic efforts. NSA will continue to work closely with Australia to meet its commitments as the U.S. reallocates efforts toward Asia and the Pacific.


What the Partner provides to NSA:

NSA and DSD have agreed to specific divisions of effort, with the Australians solely responsible for reporting on multiple targets in the Pacific area, including Indonesia, Malaysia, and Singapore, based on their unique language capabilities and geographic accesses. In addition, DSD has primary reporting responsibility [redacted] regardless of geographic region. DSD provides access to commercial and foreign/domestic satellites from sites in Geraldton and Darwin, High Frequency (HF) collection and Direction Finding (DF) from three sites; and, manning of the operations floor at Joint Defense Facility at Pine Gap (RAINFALL), a site which plays a significant role in supporting both intelligence activities and military operations. In addition, DSD provides NSA with access to terrorism-related communications collected inside Australia.





New Zealand

Information paper: NSA Intelligence Relationship with New Zealand, April 2013

(Published by NZ Herald on March 11, 2015)


What NSA provides to the Partner:

NSA provides raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.


What the Partner provides to NSA:

GCSB provides collection on China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antarctica; as well as, French police and nuclear testing activities in New Caledonia [two lines redacted].




Third Party partners

The Third Party partners of the NSA are the signals intelligence agencies of some 33 countries. Cooperation is based on formal, bilateral agreements, but the actual scope of the relationship varies from country to country and from time to time. Unlike the Second Party partners, Third Party partners do spy on each other.


Germany

Information paper: NSA Intelligence Relationship with Germany, January 17, 2013

(Published by Der Spiegel on June 18, 2014)


What NSA provides to the Partner:

NSA has provided a significant amount of hardware and software at BND expense, as well as associated analytic expertise to help the BND independently maintain its FORNSAT [Foreign Satellite collection] capability. NSA also exchanges intelligence reporting on both military and non-military targets.


What the Partner provides to NSA:

NSA is provided access to FORNSAT communications supporting counter-narcotics (CN), counter-terrorism (CT), [redacted], and Weapons of Mass Destruction (WMD) missions and is an important source of information on drug trafficking and force protection in Afghanistan. The BND provides Igbo language support by translating NSA collection of a high-value, time-sensitive [redacted] target. NSA is seeking the proper approvals to accept BND language support in [one line redacted]. In addition to the day-to-day collection, the Germans have offered NSA unique accesses in high interest target areas.





Israel

Information paper: NSA Intelligence Relationship with Israel, April 19, 2013

(Published by The Intercept on August 4, 2014)


What NSA provides to the Partner:

The Israeli side enjoys the benefits of expanded geographic access to world-class NSA cryptanalytic and SIGINT engineering expertise, and also gains controlled access to advanced U.S. technology and equipment via accommodation buys and foreign military sales.


What the Partner provides to NSA:

Benefits to the U.S. include expanded geographic access to high priority SIGINT targets, access to world-class Israeli cryptanalytic and SIGINT engineering expertise, and access to a large pool of highly qualified analysts.





Norway

Information paper: NSA Intelligence Relationship with Norway, April 17, 2013

(Published by Dagbladet on December 17, 2013)


What NSA provides to the Partner:

- Daily TS//SI-level counter-terrorism (CT) reports shared multilaterally;
- Frequent exchanges of technical data and analytic expertise on CT targets, [one line redacted] and other threats to Norway's national security;
- Daily force protection support in Afghanistan and technical expertise to support target development of Afghan insurgent targets;
- Regular reporting on counter-proliferation (CP) topics [redacted]
- Ad-hoc reporting and analytic expertise on [redacted]
- Exchanges of reporting, tech data and analytic expertise on [redacted]
- Tech data and expertise on cryptanalytic topics of mutual interest; and
- FORNSAT communications metadata


What the Partner provides to NSA:

- SIGINT analysis as well as geolocational and communications metadata specific to Afghan targets of mutual interest (this analysis also supports Norwegian Special Operations Forces (when deployed);
- All-source analysis specific to Afghan targets of mutual interest. The analysis is based on operations conducted jointly between Norway and local and/or coalition authorities;
- Potential to leverage NIS [Norwegian Intelligence Service] FORNSAT capabilities to augment NSA collection against high priority CP SIGINT targets;
- Potential to leverage NIS unique access to SIGINT on high priority CT targets; [redacted]
- SIGINT reports on Russian civil targets of mutual targets, particularly Russian energy policy;
- FORNSAT communications metadata; and
- [one line redacted]





Saudi Arabia

Information paper: NSA Intelligence Relationship with Saudi Arabia, April 8, 2013

(Published by The Intercept on July 25, 2014)


What NSA provides to the Partner:

NSA/CSS provides technical advice on SIGINT topics such as data exploitation and target development to TAD [Technical Affairs Directorate of the Ministry of Interior] as well as a sensitive source collection capability.

NSA/CSS provides a sensitive decryption service to the Ministry of Interior against terrorist targets of mutual interest.


What the Partner provides to NSA:

NSA leverages MOD RRD [Ministry of Defense Radio Reconnaissance Department] access to remote geography in the Arabian Gulf but provides no finished SIGINT reporting to NSA/CSS, however; they have provided unencrypted collection against the IRGC QODS Maritime Force targets of mutual interest from their collection system [redacted].

TAD provides sensitive access to unique collection containing AQAP terrorist targets of mutual interest.





Sweden

Information paper: NSA Intelligence Relationship with Sweden, April 18, 2013

(Published by SVT Nyheter on December 5, 2013)


What NSA provides to the Partner:

- Technical support, collection, processing equipment and training
- NSA accepts selectors from FRA and tasks them to approved NSA collection sites
- [one line redacted]
- [one line redacted]
- Accommodation purchases of equipment
- Membership in multinational forums


What the Partner provides to NSA:

- Unique intelligence on Russia, the Baltic, Middle East, and counter-terrorism (CT)
- Outstanding and unique input of ELINT signals
- Access for special collection initiatives
- Collaboration on cryptanalytic issues





Turkey

Information paper: NSA Intelligence Relationship with Turkey, April 15, 2013

(Published by Der Spiegel on August 31, 2014)


What NSA provides to the Partner:

- NSA provides equipment, technology, training, and U.S. SIGINT requirements and reporting to the Turkish partner to better assist NSA in fulfilling U.S. intelligence requirements.

- In terms of equipment and technology NSA provides both collection and cryptographic equipment. A Cryptographic Modernization program is under way with both partners [MIT and SIB] to upgrade encryption on all shared and some non-shared communications links. A High Frequency Direction Finding (HFDF) collection site is [two lines redacted] NSA also provides decryption of DHKP/C internet traffic the Turks collect.

- U.S. SIGINT requirements and reporting cover military and paramilitary targets in [redacted] and the KGK [Kurdistan Workers' Party]. This reporting is a mixture of near-real time and product "Tear Line" reports and analysis.

- NSA provides daily interaction and actionable intelligence on foreign fighter Sunni extremists, against both Turkish and non-Turkish individuals. NSA provides regional Tactical [redacted] reporting in two hour increments.


What the Partner provides to NSA:

- The partner provides near real time reporting on military air, naval, ground, and paramilitary targets in Russia, [redacted] Georgia, Ukraine, and on KGK targets, as well as daily summary reporting of Black Sea and CIS Naval and Air activity and [redacted]

[one paragraph redacted]

- NSA enjoys joint operational access to the HFDF site in [redacted] which, in turn, functions as a node on NSA's world-wide CROSSHAIR HFDF geolocation service. The U.S. and 2nd Parties receive approximately 400,000 fixes yearly utilizing Lines-of-Bearing from the [redacted] site while the Turks receive approximately 5000 fixes yearly from its regional usage of CROSSHAIR, an 80 to 1 ratio in FVEY's favor.

- NSA receives Turkish transcripts of KGK voice collection. Cooperation on the KGK target by the U.S. Intelligence Community in Ankara has increased across the board since the May 2007 DNI Memorandum encouraged all to do so.


Section from the information paper about the NSA's relationship with Turkey




Some characteristics

In line with the quid pro quo principle, we see that for each of these foreign partners, what the NSA provides to the partner roughly equals what the partner provides to the NSA, at least judging by the length of the sections in the information papers. The actual content of what each party provides is often very different, as was described in an internal interview from 2009 about the nature of the NSA's Third Party relationships:

"Generally speaking, our Third Party partners want access to our technology, as well as our regional/global reach. In exchange for providing unique accesses, regional analytical expertise, foreign language capabilities and/or I&W [Indications & Warning] support, we provide them with technical solutions (e.g., hardware, software) and/or access to related technology." The partners usually "know their regional hoods better than we do and they exponentially add to our foreign language capability."

When the information papers speak about providing data about "targets of mutual interest", the interview explains: "We must keep in mind that our partners are attempting to satisfy their own national intelligence requirements; with the exception of the assistance we provide during crises, we can only move our SIGINT relationships forward, when U.S. requirements intersect with theirs." This also depends on how long and deep such a relationship is:

"Many of our relationships have, indeed, spanned several decades, allowing us to establish higher degrees of trust with and reliance on one another. This, in turn, has led to greater levels of cooperation, where, for instance, NSA might be willing to share advanced techniques with a proven and reliable partner, in return for that partner's willingness to do something politically risky. Trust requires years to build up but can be lost in a very short period of time."

And finally, the interview also explains: "For a variety of reasons, our intelligence relationships are rarely disrupted by foreign political perturbations, international or domestic. First, we are helping our partner address critical intelligence shortfalls, just as they are assisting us. Second, in many of our foreign partners' capitals, few senior officials outside of their defense-intelligence apparatuses are witting to an SIGINT connection to the U.S./NSA."




April 7, 2021

The communications systems at the US Central Command headquarters

(Updated: April 11, 2021)

Previously, this weblog provided a close look at the phones used by US president Biden. This time we turn to another end of the line and look at the communications equipment which is used at the headquarters of the US Central Command in Tampa, Florida.

A recent 60 Minutes television report provides an unprecedented look inside the Central Command's operations center, where we see the general military communications equipment, followed by some more special devices used by the commander, who also has access to the virtual Desktop Environment for the US intelligence agencies.


Large operations center in the Central Command headquarters, January 2021
(still from 60 Minutes)



The 60 Minutes television report shows never-before-seen video footage of the Iranian ballistic missile attack of January 7, 2020, on the Al Asad Airbase in Iraq, where 2000 US troops were stationed. The attack was a retaliation for the American drone strike of January 3, which killed the Iranian general Qasem Soleimani, commander of the Quds Force.

The report also includes an interview with general Frank McKenzie, combatant commander of the US Central Command, who leads the US armed forces in the Middle East. McKenzie followed the Iranian missile attack on the Al Asad Airbase at his headquarters, from where he had ordered the killing of general Soleimani six days earlier.





The Central Command headquarters

The United States Central Command (USCENTCOM) was established in 1983 and is one of the eleven unified combatant commands of the US Armed Forces. Its Area of Responsibility (AOR) includes the Middle East, Egypt, Central Asia and parts of South Asia.

CENTCOM's main headquarters is not in its area of operations, but at MacDill Air Force Base in Tampa, Florida, where a new 282,200-square-foot headquarters building was completed in 2012.

The new building includes specialized mission critical spaces like the Command Joint Operations Center, Joint Planning Cell and Operational Planning Element, Network Operations Center and the Command Secure Communications Operations Center.


The headquarters of the US Central Command at MacDill Air Force Base
(photo: Burns & McDonnell)


The new headquarters building includes more than 109,000 square feet of Sensitive Compartmented Information Facility (SCIF) and space constructed according to sound transmission class (STC) 45 and 50 to support secured operations.

Relevant antiterrorism standards, including progressive collapse mitigation by means of tie forces, were also incorporated in the new headquarters. All concrete contains ground granulated blast furnace slag and fly ash for LEED compliance.

On the website of the construction company there's an earlier photo of the interior of the building showing standard workstations equipped with two computer screens, an Avocent SwitchView KVM switch, a smartcard reader, the ubiquitous HP keyboard, a mouse and two telephone sets: a Nortel Meridian 3903 and a Cisco 7975 IP Phone, one for secure and one for non-secure calls:


Interior of the Central Command headquarters at MacDill Air Force Base
(photo: Burns & McDonnell)


Military communications equipment

The communications equipment that is currently used at the Central Command headquarters can be seen in the 60 Minutes television report, which shows shots from inside a large and a small operations room.

In the large operations room we see big video screens along the walls and several rows of workstations, each with two sets of communications equipment, one set for access to classified telephone and computer networks and another set for unclassified networks.

According to the color codes of the US classification system the telephones and the smartcard readers have the green label for Unclassified systems and the red label for Secret systems.


Large operations center in the Central Command headquarters, January 2021
(still from 60 Minutes)


Computer systems

Some of the computer screens show a bright red lock screen with the text "This information system is accredited to process - SECRET - For authorized purposes only", which means that they are part of SIPRNet, the main classified secure network of the US military for tactical and operational information. The military's unclassified non-secure computer network is known as NIPRNet.

Authorized users of NIPRNet are identified through the Common Access Card, which is the standard identification for active US defense personnel. Access to SIPRNet requires the SIPRNet token, which is also a smartcard, but without visible identification information.


Coalition networks

Besides NIPRNet and SIPRNet, the Central Command also has separate computer networks for collaboration with foreign partners. For the members of bilateral and multinational coalitions, the United States provides a network architecture called Combined Enterprise Regional Information eXchange System (CENTRIXS), which operates at the classification level Secret/Releasable to [country identifier].

The first CENTRIXS networks were established as of late 2001 by the US Central Command in order to support coalition operations under Operation Enduring Freedom (OEF). This resulted in CENTRIXS-ISAF for operations in Afghanistan and CENTRIXS-GCTF for the Global Counter Terrorism Forces. Meanwhile, both systems have been integrated in the CENTCOM Partner Network (CPN).



The various networks in CENTCOM's area of responsibility


A CENTRIXS network consists of servers and thin clients and provides users with at least the following computer applications, giving them the same basic capabilities as users of classified US systems:
- Microsoft Office
- Command and Control Personal Computer (C2PC)
- Integrated Imagery and Intelligence (I3)

These applications allow access to the releasable Near-Real Time (NRT) order of battle from the MIDB database (to be replaced by MARS) and imagery databases and to display the data on a map background. They can also access various browser-based products, send e-mails with attachments and conduct collaboration sessions.

For US military users, these applications are part of the Global Command and Control System (GCCS), which encompasses a suite of over 200 client-server tools and applications for fusing data from multiple sensors and intelligence sources to produce a graphical representation of the battlespace.


Interface of the Command and Control Personal Computer (C2PC) application


Telephone systems

In the large operations center at CENTCOM's headquarters there is also a range of Cisco IP phones, some being the older 7975, others the current 8841. The Cisco 8841 IP phones look like the ones that are commercially available, but are actually modified versions from the small telecommunications security company CIS Secure Computing Inc.

These modified phones are approved for use in SCIF and SAPF environments and offer additional on-hook security features which can be engaged for the 'hold' and 'mute' functions while in a call. Speakerphone functionality isn't disabled, but is protected with the on-hook security of the positive disconnect electronics.

Several workstations even have a third telephone set: a Cisco IP Phone 8845, which has a video camera on top for video calls. According to their display background, these phones appear to be for the video conferencing service of the Desktop Environment (DTE, see below) which runs on the Top Secret/SCI intelligence sharing network JWICS.


Operations center in the Central Command headquarters, January 2021
(still from 60 Minutes)



The commander's communications equipment

The 60 Minutes television report followed general McKenzie into a small room off his main operations center in the Central Command headquarters. There we see equipment similar to that in the large room, like computers connected to SIPRNet, in this case for senior staff officers, like the:
- Director of Operations (J3)
- Commander's Action Group (CAG)
- Command Senior Enlisted Leader (CSEL)
- Staff Judge Advocate (SJA)


General McKenzie entering a small operations room, January 2021
(still from 60 Minutes)


In this small room, commander McKenzie has additional communications equipment that seems not to be available to the personnel in the large operations center. When he is being interviewed at his place at the table (see the television still below), we see from left to right:

- A Cisco DX 70 video screen with video camera, probably for the Secure Video Teleconferencing System (SVTS) which is part of the Crisis Management System (CMS) and allows top-level video meetings.

- A Cisco IP Phone 8841 with a distinctive yellow bezel for the highly secure Executive Voice over Secure IP-network which is also part of the Crisis Management System (CMS) and connects the President, the National Security Council, Cabinet members, the Joint Chiefs of Staff, various intelligence agency watch centers, headquarters, and Continuity of Operations (COOP) sites.

- A Touchscreen Executive Phone (TXP) with two additional 50-button Touchscreen Line Expansion units (TLE), manufactured by the small telecommunications security company Telecore, Inc., which also made the Integrated Services Telephone (IST-2) that was on the Oval Office desk of presidents Bush and Obama. These devices are specifically designed for the Defense Red Switch Network (DRSN), which offers full command and control and conferencing capabilities for military commanders up to the level of Top Secret/SCI.

- A Cisco IP Phone 8865 with video camera and a Key Expansion Module. The phone has labels for Top Secret (orange) and Top Secret/SCI (yellow) and appears to be for the video conferencing service of the Desktop Environment (DTE, see below) which runs on JWICS, the main network for intelligence sharing within the US military and the US intelligence community.

- A Cisco IP Phone 8851 with a Key Expansion Module and a label for the classification level Secret (red), which means it runs on SIPRNet and is therefore Voice over Secure IP (VoSIP).


General McKenzie's communications equipment in the small operations room
(still from 60 Minutes)


According to the 60 Minutes report, it was in this small room that, during the missile attack on the Al Asad Airbase, commander McKenzie "could talk directly to the only two people above him in the chain of command" - the Secretary of Defense and the President. To illustrate this, the speed dial buttons on the commander's Touchscreen Executive Phone were shown.

Normally such buttons are blurred out, but here we can clearly see that McKenzie has direct lines to the White House, the Secretary of Defense (SecDef), his house (SecDef Home) and his communications center (SecDef Cables), as well as to the National Military Command Center (NMCC) and the Chairman of the Joint Chiefs of Staff (CJCS XO), among others:


The speed dial buttons on general McKenzie's Touchscreen Executive Phone
(still from 60 Minutes)



The commander's computers

The same telephones as in the small room appear at McKenzie's place in the large operations room, but here he also has two computer screens connected to a Vertiv Cybex Secure MultiViewer KVM switch which allows access to networks of different classification levels on a single screen.

Apparently the commander was logged in on one of the classified computer networks, as we can see the desktop background with several application icons - quite remarkable because usually during photo ops or television recordings only unclassified images should be visible.

At the top of the desktop background is a yellow bar which means it's JWICS, the intelligence sharing network for the US military and the US Intelligence Community at the classification level Top Secret/SCI. Unlike NIPRNet and SIPRNet, access to JWICS doesn't require a smartcard, but a software certificate: military users have to identify themselves with a DoD PKI certificate, others need an IC PKI certificate.


General McKenzie's workstation in the large operations center
(still from 60 Minutes)



The IC Desktop Environment

The desktop background on the commander's computer is deep blue and has the term "DESKTOP ENVIRONMENT (DTE)" with an image of the earth covered by a stylized network. In the bottom left corner we see the seals of the Defense Intelligence Agency (DIA) and the National Geospatial-Intelligence Agency (NGA) and some text.

This "Intelligence Community Desktop Environment" (IC DTE) was conceived in 2012 as a single, identical platform for the US Intelligence Community. As such it's the heart of a huge modernization project called Intelligence Community IT Enterprise (IC ITE), under which data will be stored and processed at the Commercial Cloud Services (C2S) managed by the CIA and the IC GovCloud managed by the NSA.

The implementation of the DTE was managed by the Joint Program Management Office (JPMO) led by DIA and NGA, while the software system was built by BAE Systems under a $300 million contract for five years. This was to result in the Next Generation Desktop Environment (NGDE), which is meant to bring virtual desktops at different classification levels to one physical computer.


Multiple computers for networks at different classification levels, ca. 2008.


With the Desktop Environment (DTE) analysts at DIA, NGA and other US intelligence agencies can go anywhere within these organizations, sit down at any Top Secret workstation, log in, authenticate, and get access to their e-mail, home directories, shared files, etc., which were previously stored on thick client computers at each workstation.

Besides a virtual desktop, the DTE also comes with a common suite of desktop applications (developed via the Ozone Widget Framework) and access to common services, including Unified Communications as a Service. Among the first applications were standard e-mail, collaboration tools and video conferencing capabilities. The NSA is responsible for an Apps Mall that incorporates apps stores of the various agencies.


The common collaboration tool for the DTE provides a single interface for secure voicemail integration with e-mail, peer-to-peer file sharing, a screen capture tool and Outlook calendar integration. When additional users transition into the common operating environment, this tool could serve as a single interface for community-wide collaboration. In 2014, there were already some 4,000 DTE users at DIA and NGA.




However, in 2018, John Sherman, chief information officer of the Intelligence Community, said they had come to the realization that it no longer made sense to deliver a standard capability to every agency and user given the differing architectures, security requirements and mission needs.

In order to reach the outcomes for which the DTE was initially created, the Collaboration Reference Architecture (CRA) was created. Agencies can now build applications which fit their own needs as long as they comply with the standards set by the CRA in order to ensure compatibility throughout the different systems.


Finally, the DTE is also a step towards an environment where security and tagging of data will be done at the data level, as opposed to the network level. Traditionally, access to information was based on which network you were on: DIA data were only accessible on the DIA's network, etc.

The idea is that there will be a common Intelligence Community network for which the Identification, Authentication and Authorization (IAA) project of the IC ITE provides access to data and information based on the different credentials of each individual user, so on who you are, what role you have and what accesses are available to you.
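The contrast between network-level and data-level access described above can be made concrete with a small sketch. This is an added example, not part of the original article and not the IC ITE's own design: the tag schema, the attribute names, the compartment "SCI-X", the country identifier "XXP" and all users and records are hypothetical and constructed.

```python
from dataclasses import dataclass

# Classification levels named on this page, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class DataTag:
    """Marking carried by the data object itself (hypothetical schema)."""
    level: str
    compartments: frozenset = frozenset()          # e.g. {"SCI-X"}
    releasable_to: frozenset = frozenset({"USA"})  # country identifiers
    roles: frozenset = frozenset()                 # empty set = any role


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    accesses: frozenset
    country: str
    role: str
    network: str


@dataclass(frozen=True)
class Record:
    title: str
    owner_network: str
    tag: DataTag


def network_level_decision(user, record):
    """Traditional model: access follows from being on the owner's network."""
    return user.network == record.owner_network


def data_level_decision(user, record):
    """Evaluate the user's attributes against the record's own tag.

    Returns (allowed, reasons); every failed check is reported so a denial
    can be audited. Unknown markings are denied (fail closed).
    """
    tag = record.tag
    if tag.level not in LEVELS or user.clearance not in LEVELS:
        return False, ["unknown classification level"]
    reasons = []
    if LEVELS[user.clearance] < LEVELS[tag.level]:
        reasons.append(f"clearance {user.clearance} below {tag.level}")
    missing = tag.compartments - user.accesses
    if missing:
        reasons.append("missing accesses: " + ", ".join(sorted(missing)))
    if user.country not in tag.releasable_to:
        reasons.append(f"not releasable to {user.country}")
    if tag.roles and user.role not in tag.roles:
        reasons.append(f"role {user.role} not permitted")
    return not reasons, reasons


# Constructed sample data; "XXP" is a placeholder partner country identifier.
SCI = frozenset({"SCI-X"})
dia_report = Record("constructed DIA report", "DIA",
                    DataTag("TOP SECRET", SCI, frozenset({"USA"}),
                            frozenset({"analyst"})))
coalition_summary = Record("constructed coalition summary", "CPN",
                           DataTag("SECRET", frozenset(),
                                   frozenset({"USA", "XXP"})))

nga_analyst = User("nga_analyst", "TOP SECRET", SCI, "USA", "analyst", "NGA")
dia_clerk = User("dia_clerk", "SECRET", frozenset(), "USA", "admin", "DIA")
partner = User("partner_officer", "SECRET", frozenset(), "XXP", "liaison", "CPN")

if __name__ == "__main__":
    for user in (nga_analyst, dia_clerk, partner):
        for record in (dia_report, coalition_summary):
            print(user.name, "->", record.title,
                  "| network:", network_level_decision(user, record),
                  "| data:", data_level_decision(user, record))
```

The two models disagree in both directions: the cleared analyst on another agency's network is blocked only by the network rule, while the under-cleared user on the owner's network is admitted only by it.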



Links and sources

- Yahoo! News: 'Conspiracy is hard': Inside the Trump administration's secret plan to kill Qassem Soleimani (2021)
- American News: Biden Allows “60 Minutes” to Release Military Imagery Secrets that Saved US Lives (2021)
- DIA: Striking a balance between compatibility and flexibility in the intelligence community (2018)
- Joint Publication: Joint and National Intelligence Support to Military Operations (2017)
- CSIS: New Tools for Collaboration, The Experience of the U.S. Intelligence Community (2016)
- Raytheon: When Secure KVM Isn’t Enough (2015)
- Defense Systems: How cloud is changing the spy game (2014)
- Deep Dive Intelligence: Interview: Mike Mestrovich – Full Transcript (2012)
- Burns & McDonnell: Joint Intelligence Center, Central Command (2009)
- AFCEA Signal: Desktop System Streamlines Analysis Work (2004)
- MITRE Corporation: Intelligence Community Public Key Infrastructure (IC PKI) (2002)