March 2, 2023

The National Security Operations Center (NSOC): 50 years in photos

(Updated: March 9, 2023)

On February 21, the NSA's National Security Operations Center (NSOC) celebrated its 50-year anniversary. For this occasion, I will take a close look at a range of unique historic photos from inside this "Nerve Center of NSA".





NSA watch centers

At the US National Security Agency (NSA) there are two major watch centers operating on a 24 hours a day, 7 days a week basis:

- The National Security Operations Center (NSOC), established in 1973 for monitoring unfolding events and crises around the world, coordinating time-sensitive actions and providing actionable intelligence to military and civilian decision-makers.

- The NSA/CSS Threat Operations Center (NTOC), established in 2004 for real-time situational awareness of cyber threats against US computer systems and coordinating both defensive and offensive Computer Network Operations (CNO).




The history of NSOC

The various international crises in the 1960s, like the tensions in the Middle East, the Soviet invasion of Czechoslovakia, and the capture of the USS Pueblo, prompted NSA leadership to create separate offices for these geographic regions. The same events, however, demonstrated the need for immediate input from multiple offices to get a full understanding of what was happening around the globe.

Therefore, the National Sigint Watch Center (NSWC) was created in December 1968. But already during its set-up a major crisis evolved, when in April 1969 North Korea shot down a US Navy EC-121 SIGINT reconnaissance aircraft. Assistant Director for Production (ADP) John E. Morrison, Jr. was frustrated when he had to speed between various watch centers attempting to piece together a complete picture for military and policy leaders.


Major General John E. Morrison, Jr.
(photo via NCM)

The creation of NSOC

After the EC-121 incident Morrison proposed, and eventually established, a single dedicated watch center to coordinate a rapid response of the NSA to incidents and crises. The new center began limited operations in December 1972 and was formally inaugurated on February 21, 1973, as the National Sigint Operations Center (NSOC).

NSOC (pronounced as "N-sock") was housed at the third floor of the east corridor in the OPS-1 building at the NSA's headquarters compound. OPS-1 is the large flat, three-story building which was built in 1957 as the NSA's very first building at Fort Meade, Maryland:





NSOC in the 1970s

How the National Sigint Operations Center initially looked can be seen in some great photos from the archive of the NSA's National Cryptologic Museum (NCM), which provide a unique look behind once tightly closed doors:


Entrance to the National Sigint Operations Center (NSOC), 1970s
(photo: National Cryptologic Museum)


Behind this door were the NSOC rooms, including its main watch floor, which consisted of a large open space with numerous desks. Despite the fact that almost all desks have a computer terminal, there is still a lot of paper present:


A view of the NSOC watch floor from its early days in the 1970s
(photo: NSA - click to enlarge)


It's not yet clear what kind of computer terminals we see on the desks, but one suggestion is that they might have been from Wang Laboratories. Terminals like these allowed NSOC officers access to (informal) teletype links with listening posts, query, update and maintain various databases and review time-sensitive reports. There was also a computer system called SOLIS (Sigint On-Line Information System) for rapid retrieval of SIGINT reports and requirements from the last 14 months.

The telephones right next to the computer terminal are Call Directors: the upper one in black with a keypad and 6 push buttons, the lower one is an older version in white with a rotary dial and 18 push buttons. The Call Director was manufactured by Western Electric from 1958 to the early 1980s and was the most advanced phone from its (largely electromechanical) 1A2 Key Telephone System. Here, one may have been used for secure and another one for non-secure calls.

The desk in the front of the photo even has a third telephone set of the common type from those days but without a rotary dial. Such a phone was usually used for a hotline or a dedicated alerting network, like the secure National Operational Intelligence Watch Officer's Network (NOIWON), which connects NSOC with other military and intelligence watch centers.


Adjacent to the large NSOC watch floor were separate rooms and spaces for specific purposes, like a conference room, a teletype printer room, some kind of map room, a control room and an office for the Senior Operations Officer:


The teletype printer room of NSOC in the 1970s
(photo: NCM - click to enlarge)


Some kind of map room of NSOC in the 1970s
(photo: NCM - click to enlarge)


More photos of NSOC can be found in the photo database of the NCM.


The organization of NSOC

The internal organization and the atmosphere of NSOC are described in a 2003 internal newsletter which was published as part of the Snowden revelations. At that time, NSOC consisted of 36 desks, with desk officers representing particular elements of the NSA, like collection and analysis units, field sites and Second Party partners. These officers, both military and civilian, work in eight-hour shifts in five rotating teams.

The most important position is the Senior Operations Officer (SOO) who acts as the NSA Director after-hours. To stay abreast of recent reporting and dissemination issues, the SOO relies on the Reporting Cell, which consists of the Reporting Officer (RO) and the Senior Reporting Officer (SRO), who "work intimately with other desks to ensure that authorized customers receive needed intelligence legally, securely, reliably, accountably, and on time."

The Surveillance and Collection Officer (SCO) focuses primarily on operational and technical matters related to the over-all SIGINT system. Other positions are or were the Operations Support Officer (OSO), the Systems Officer (SYO), the Communications Watch Officer (CWO) and the Information Service Officers (ISO).


SRO desk sign on the ceiling of the NSOC watch floor



NSOC in the 1980s

In January 1981, NSOC played a critical role during the Iran hostage crisis when president Jimmy Carter spoke directly with the SOO asking questions about NSA's collection capabilities and Iranian air traffic control tower procedures. Carter insisted that the line with NSOC be kept open so he could follow the progress of events in real time. Even as he was riding to the Capitol, the link with NSOC was reestablished in his car and an aide maintained contact at the Capitol throughout Carter's inauguration ceremony.

In the late 1980s the NSOC watch floor looked much more orderly, with the large watch floor being divided into the ubiquitous office cubicles, each with a MINX workstation with a handset attached to it as this system allowed video calls already (see below):


The NSOC watch floor, August 1988
(photo: NSA - click to enlarge)


Besides the large watch floor, there appears to be a watch floor in a narrower sense as well, as can be seen in the following photo which was on display in the National Cryptologic Museum and is available at Wikimedia Commons:


The small NSOC watch floor in the early 1980s
(photo: National Cryptologic Museum - click to enlarge)


According to the description provided by the National Cryptologic Museum, this photo shows the "NSOC watch floor circa 1975". The computer, however, can be identified as an IBM 5150, which was launched in 1981. This means the photo cannot be from the 1970s, but must have been taken in the early 1980s. Still from the 1970s, however, are the two Call Director telephone sets on the left side of the desk.

Wikimedia Commons has another photo of the small NSOC watch floor, which the National Cryptologic Museum said is from around 1985, but is actually from the late 1980s:


The small NSOC watch floor in the late 1980s
(photo: National Cryptologic Museum - click to enlarge)


Here we see a wall covered with large and small monitors and computer screens for various kinds of (real-time) information systems, which are marked on the photo that was on display in the NCM.

Compared to the previous picture of the small watch floor, we see that the old Call Directors had been replaced by black and white multiline office phones from ITT which still worked via the 1A2 Key Telephone sytem.

Job openings indicate that COASTLINE is some kind of messaging system, while MINX stands for Multimedia Information Network Exchange, which was the first workstation that combined a camera and speakerphone with a high-resolution-color video graphics display screen. This system had been introduced in 1985 by Datapoint Corporation with a pricetag of almost 9.000 US Dollar for a single workstation.


Close-up of a MINX video terminal from another photo
(photo: National Cryptologic Museum - click to enlarge)



NSOC in the 1990s

Over the years, NSOC was able to assume a wide range of functions in NSA's daily operations and had become the focal point for crisis response at the agency. However, since operation Desert Shield in the early 1990s, the practice of convening special cells tailored to particular crises became standard.

The National Sigint Operations Center was renamed into National Security Operations Center (NSOC as well) in 1996, when it became responsible for the information security side of the NSA as well. Since then, NSOC included specialists who monitored critical networks for indications of hostile threats and intrusions, a function that was taken over by the newly created NTOC in 2004.

From 1997 we have the first video footage of the NSOC watch floor, when it was filmed for the Discovery Channel documentary "Inside the NSA":





A still from this documentary allows a closer look at the telephone and computer equipment used at that time:




On the right we see a SPARCstation, a very popular type of desktop computer that was introducted by Sun Microsystems in 1989.

The telephone set on the left is a beige office phone manufactured by Comdial as part of its ExecuTech electronic key telephone system. The NSA uses these devices on the National Secure Telephone System (NSTS), which is a stand-alone network for secure calls up to the level Top Secret/SCI. NSTS phones are also known as "gray phones" despite the fact that the actual instruments have a different color (non-secure phones are called "black")

Next to the Comdial phone sits a white AT&T 1100 secure telephone from the STU-III family, which can be used for encrypted phone calls to anyone who is not connected to the NSTS, but also for regular unclassified conversations over the public switched telephone network (PSTN).


Close-up of a Comdial ExecuTech phone elsewhere at NSA
(click to enlarge)


After NSA Director Michael Hayden had seen the 1998 Hollywood movie Enemy of the State, in which the NSA was depicted as a rogue agency trying to kill people, he launched a PR-campaign which resulted in the History Channel documentary "America's Most Secret Agency" which was aired in the year 2000 and for which filmmakers had once again been allowed access to the NSOC watch floor:





The alerting function of NSOC was described by James Bamford in his bestseller book Body of Secrets from 2002:
"Of special significance is the capability to instantly display CRITIC messages on screen. Critical Intelligence reports are of the highest importance, and the CRITIC system is designed to get them to the president in ten minutes or less from the time of an event. When Saddam Hussein pushed into Kuwait in 1990, for example, the first alert came in the form of a CRITIC. The issuance of a CRITIC is instantly noted in the National SIGINT File by a flashing message in the top left corner of the screen." (p. 516)

"If a listening post suddenly picks up an indication of a far-off assassination, or a sudden attack by Russia on a neighboring republic, a CRITIC message containing that information will be flashed immediately to the NSOC. Shortly after the USS Cole was attacked by terrorists in the port of Aden in October 2000, a CRITIC was zapped to the NSOC. Within minutes of the early morning message, a call was placed to the director, Michael Hayden." (p. 501)

This CRITICOMM system had become operational in 1961 and consisted of a worldwide network of relay centers which automatically put through the messages to the NSA. Encryption was initially performed by KW-26 machines.



NSOC in the 21st century

The first photo from NSOC in the 21st century can be found on Wikimedia Commons again and shows a visit by NSA Director Hayden somewhere in 2001:


NSA director Michael Hayden visits NSOC, 2001
(photo: National Cryptologic Museum - click to enlarge)


With the many screens on the wall, the photo apparently shows the small watch floor with modernized equipment. A whole range of digital clocks show the time in the many regions of the world where the NSA was interested in: Bosnia, Iraq/Saudi Arabia, Mogadishu, Moscow, Afghanistan, Pakistan/India, Tajikistan/Kyrgyzstan, Jakarta and Seoul.

On the left we see a glimpse of two phones: the upper one being the Comdial ExecuTech for the NSTS network, the lower one appears to be a black Motorola Sectel 1500 which is also from the STU-III secure telephone family.


The 9/11 attacks

During the attacks of September 11, 2001, the NSA headquarters complex at Fort Meade was evacuated. All nonessential personnel was sent home immediately, while the remaining mission-essential personnel was moved out of the tall black-glass cubes of OPS-2A and OPS-2B into the less-vulnerable three-story OPS-1 building.

"At the direction of Richard Berardino, the chief of NSOC, his thirty analysts and reporting officers began rapidly compiling whatever information they could brief Hayden and the agency's senior officials about what had just transpired. Other NSOC staffers began systematically going back over the past several days' worth of SIGINT reporting to see if anything had been missed that might have given any warning of the terrorist attacks. They found nothing." *

After the NSA was fully up and running again, NSOC "was converted into a war room. Superfast CRITIC messages began going out to field stations around the world every time a new piece of the puzzle was discovered, such as the names of the hijackers obtained from the passenger manifest lists." *


An alternate NSOC in Georgia

In July 2006, high temperatures and problems with Baltimore Gas and Electric power generation caused server and communications failures around the NSA's headquarters complex. This resulted in a critical limitation in NSOC's ability to dispatch CRITIC messages to the US Intelligence Community.

This prompted the first ever activation of the alternate NSOC (codenamed DECKPIN) at the NSA's regional cryptologic center in Georgia, which had been created to take over critical NSOC functions, should the Fort Meade facility lose its ability to operate. After two days, NSOC at NSA headquarters was able to resume its activities again.


A modernized watch floor

Somewhere before 2012, the large NSOC watch floor in the old OPS-1 building was modernized and give a more futuristic look with a long wall filled with video screens and some spaceship-like elements, as can be seen in a photo that was released on the occasion of the NSA's 60th anniversary:


The NSOC watch floor in 2012
(photo: NSA - click to enlarge)


Another angle of this new watch floor was shown in the CBS 60 Minutes report "Inside the NSA" from 2014:


The NSOC watch floor in 2014
(still from CBS 60 Minutes - click to enlarge)


A close look shows that the beige Comdial ExecuTech phones for the secure NSTS network had been replaced by white Nortel M3904 executive office phones:


A Nortel M3904 phone from the NSTS network




Moving to the Morrison Center

By the end of last year and after almost 50 years, NSOC left its rooms in the old OPS-1 building and moved to a brand new office building on the NSA's East Campus. This new building is called the Morrison Center, named in honor of John E. Morrison, Jr., who proposed and established NSOC back in 1973.

Besides NSOC, the seven-story Morrison Center includes a multipurpose conference center, a modern fitness center, a 24/7 open-concept cafeteria, gender-neutral single-user restrooms, modernized sit/stand desks, and larger windows. The building was designed with a strong emphasis on accessibility, so it's the first NSA facility with touchless door activators.


The new Morrison Center at the NSA's East Campus
(photo: NSA.gov - click to enlarge)


In the Morrison Center, NSOC now has a very spacious watch floor that looks even more futuristic than the previous one in the OPS-1 building, as we can see in two photos which the NSA released in October last year:


The current NSOC watch floor in the new Morrison Center
(photo: NSA - click to enlarge)


The SOO-pit at the NSOC watch floor in the Morrison Center
(photo: NSA - click to enlarge)


The new NSOC watch floor has huge video screens along the wall and each workstation is equipped with multiple computer screens and a KVM-switch to switch between physically separated computer networks at different classification levels.

Each workstation also has at least two Cisco IP phones from the current 8800 series, one for the secure NSTS network and another one for a (classified) telephone network depending on the desk officer's mission needs.





Links and Sources
- NSA.gov: NSA's National Security Operations Center celebrates 50 years of 24/7 operations in service to the Nation (Feb. 21, 2023)
- NSA.gov: NSA opens an innovative workplace for critical missions focused on the future (Nov. 17, 2022)
- WashingtonTimes.com: NSA’s new ‘nerve center’ ready to scan the world for threats to America (Oct. 25, 2022)
- NSA.gov: NSA 60th Anniversary Book (2012)
- James Bamford: Body of Secrets: Anatomy of the Ultra-Secret National Security Agency, Anchor, 2002, p. 501-502.
- Cryptologic Spectrum: The National SIGINT Operations Center, Summer 1979, Vol. 9, No. 3.

January 5, 2023

About the legality of the NSA's testing and SIGINT Development projects

(Updated: January 11, 2023)

On November 1, 2022, Bloomberg published a remarkable story about an NSA analyst who in 2013 developed and tested a new collection method that resulted in the unauthorized collection of American telephone data.

Here I will provide some additional details about what that method could have been about and will also look whether these so-called SIGINT Development (SIGDEV) projects are actually legal under American law.





A controversial project

The Bloomberg report is based upon internal NSA documents requested by FOIA-expert Jason Leopold, who had to wait six years before their release. The set of documents contains the report by the NSA's Inspector General from 2016 and more than 330 pages of appendices, which include a lot of internal e-mails about the case. However, most parts of the documents have been redacted.

From what is readable it becomes clear that in March 2013 two whistleblowers, one of them a (female) global network analyst, discovered that another analyst in the NSA's Signals Intelligence Directorate (SID) was working on an unnamed project that apparently violated internal regulations and possibly the law.

The whistleblowers informed internal compliance officials, but during a meeting of seniors officials it was concluded that the project of the other analyst was acceptable because as "technical development or protocol development" it was covered by the internal regulation about Signals Intelligence Development (USSID SD4000, see below).

The global network analyst, however, wasn't satisfied and contacted the NSA's Inspector General (IG) on May 7, 2013, which was exactly one month before the first story based upon the Snowden-documents came out. The female analyst, in the IG report referred to as "the Source", accused her colleague of running a project which targeted a large volume of US persons phone numbers without proper authorization and without the necessary foreign intelligence purpose.


NSA headquarters with the OPS-1 building, where large parts
of the Signals Intelligence Directorate (SID) are located


A more senior NSA official told the IG that the accused analyst claimed that "the foreign intelligence purpose behind his project is to make the collection system healthier, the analytic process richer and the system more efficient". According to a subject matter expert, the analyst probably "saw his project as an easy way to accomplish his targeting and collection" and he decided to "work on his project until someone told him he should stop".

His division chief, however, claimed that he told the analyst to stop his activities because he intentionally targeted US persons. Another chief told the IG that personnel in that particular branch "do not receive guidance from upper management on how to perform their mission because no one understands it" and in one of the e-mails it's said that this case is "extremely complex and would take an encyclopedia to explain fully".


Inspector General George Ellard eventually spent 3 years investigating the case and completed his report on February 12, 2016. It substantiated all of the allegations that the source had brought forward: the project had "resulted in, or were at least reasonably likely to result in, the unauthorized collection of communications to or from USPs or persons in the United States, or both."

The IG also found that even if the analyst had been truly unaware that he had tasked and collected US person's data, he "acted with reckless disregard of the regulations, policies, and procedures that govern the use of the SIGINT system". Finally, the IG addressed a lack of oversight, as senior officials didn't fully understand what was happening under their responsibility.


According to the Bloomberg report it's unknown if the analyst was ever held accountable. However, according to a list of his annual training courses in the IG report, the analyst took his first course in November 2010 and his last one in May 2014, which may indicate that he started his job at the NSA somewhere in 2010 and left in 2014.



Filtering telephone communications

Besides the case as described above, the Inspector General's report and the appendices released by the NSA contain some additional details that are worth mentioning.

Appendix A.3 contains a list of definitions, almost all of which have been redacted. There's one entry, however, that could provide a clue to the analyst's controversial project: under the letter L there's the name of a particular NSA collection software.

Checking my extensive list of NSA Nicknames and Codewords shows that there's only one known collection program starting with L that fits the redacted space in the definitions list: LOPERS.


(text in red added by the author)


LOPERS is NSA's main system to process telephone data that are collected from the core networks of telephone companies. This fits with the fact that the analyst's project resulted in collecting (American) telephone numbers. More information about LOPERS is found in an earlier internal dictionary from the Snowden trove:




According to this description, "LOPERS decodes the telephone numbers present in the call signaling and forwards the numbers to KEYCARD for normalization and validation. Calls including targeted selectors are captured and saved to an output directory". This means LOPERS filters out phone numbers and subsequently the content of phone calls to and from the phone numbers which are on the NSA's target list.

Given that LOPERS was apparently involved in the case of the unauthorized collection, we can imagine that the analyst could have been trying to improve the algorithms of its filter system. Another indication for this is that the table of abbreviations of the IG report contains the following entry: "% is a wildcard for an undefined character length".

So when the analyst developed a highly complex way for filtering telephone data, that bears the risk of pulling in the wrong data, in this case phone numbers of US persons.


The second word that has been redacted in the dictionary entry for LOPERS is more difficult to unmask as the system has multiple functions and purposes. The most likely options, like 'telephone', 'DNR phone' or 'main PSTN', don't fit the redacted space. What fits best is 'IP telephony', but that would only refer to one part of LOPERS' functionality:


(text in red added by the author)


The term 'IP telephony' could make sense though when the analyst's project was actually about finding or improving ways to intercept IP telephony, which requires different methods than those used for tradtional Public Switched Telephone Networks (PSTN). As early as 2004, the NSA was afraid of the complications by Voice-over-IP (VoIP) providers offering Pick-Your-Own-Number services.

With the increase of VoIP telephony, the telecommunication networks moved beyond PSTN and so did the NSA's collection efforts: in January 2011, AT&T began to provide "Carrier Grade Corporate VoIP" under the FAIRVIEW program, which encompasses AT&T's cooperation in collecting foreign intelligence inside the US.


This "new capability rests on a large and complex system which collects, processes, authorizes, and selects calls using both SIP and H.323 VOIP protocol technology from 26 separate IP backbone router nodes [...] A large component of this eligible traffic is to/from high interest areas such as Pakistan".

In dataflow diagrams like the one below from 2012, we see that LOPERS was one of the components of this new VoIP collection under the FAIRVIEW program:


Dataflow diagram for VoIP collection under FISA authority in cooperation with AT&T
(source - click to enlarge)


These details about FAIRVIEW show that the NSA began to use LOPERS for collecting VoIP telephony as well. The analyst's controversial project, however, was conducted under authority of Executive Order 12333, which means outside, instead of inside the United States like under FAIRVIEW.



Other examples of SIGINT Development

The project the NSA's Inspector General investigated from 2013 to 2016 was so-called Signals Intelligence (SIGINT) Development (SIGDEV), which is the term for activities to develop, improve and refine new collection methods.

The Snowden revelations included a range of documents about SIGDEV projects, which was sometimes confusing because it wasn't always clear whether such projects actually moved beyond their experimental status or not. We also learned that the signals intelligence agencies of the Five Eyes organize a large annual SIGDEV Conference (SDC) to share their most promising discovery efforts.


An early example of a controversial SIGDEV project from the Snowden trove is a presentation from the NSA's Canadian counterpart CSEC which describes a "Tradecraft Development" project aimed at identifying IP networks. The presentation was published by the Canadian television channel CBC in January 2014.

Some people assessed that this was a proof-of-concept using an existing database of user IDs found on wifi networks, but the reporter who revealed this presentation insisted that the project used real-world data collected from the wifi system of a Canadian airport. In that case, the experiment would have been illegal, as CSEC isn't allowed to operate domestically.

Probably the biggest known testing program from the NSA is BASECOAT, which provided access to the core network of a cell phone provider in the Bahamas, an island country with some 350,000 inhabitants. BASECOAT was part of the SOMALGET program which collected and processed the content of all the phone calls from a particular network.

In the Bahamas, this capability was used as a "test bed for system deployments, capabilities, and improvements", most likely to improve its operation in Afghanistan, where SOMALGET was also deployed. Together with programs that collected telephone metadata from three other countries, SOMALGET was part of the umbrella program MYSTIC.


The various components of the MYSTIC program;
"country X" later turned out to be Afghanistan
(image: The Intercept - click to enlarge)



The legal framework for SIGINT Development

One of the most striking and controversial aspects of these SIGINT Development projects is that they are conducted on real-world data from actual collection systems, instead of on dummy data sets or data that have already been lawfully collected earlier on. So is this legal under American law?

In Executive Order 12333 from December 4, 1981, which is the basic legal authority for American foreign intelligence collection, the NSA is given the responsibility to "Conduct of research and development to meet the needs of the United States for signals intelligence and communications security".

This was further detailed in United States Signals Intelligence Directive (USSID) SD4000, Signals Intelligence Development, from April 6, 2011, which was superseded by SID Implementing Directive, Annex F Governance of the Signals Intelligence Mission, from February 25, 2013.

These internal policy documents haven't been published, but from the Inspector General's report from 2016 we learn that USSID SD4000 said that SIGDEV activities:
- are governed by the NSA's SIGDEV Strategy and Governance (SSG) division
- have to comply with other regulations, like EO 12333 and USSID SP0018
- must allow auditing of queries

USSID SP0018 is about legal compliance and has an Annex D about the testing of "electronic equipment that has the capability to intercept communications". Such testing includes "development, calibration, and evaluation of such equipment".

The wording of this regulation seems from the time that signals intelligence was about intercepting wireless communications, but it can easily be applied to SIGDEV activities for cable tapping purposes.

According to USSID SP0018 Annex D, such testing (and development etc.) is allowed under the condition that to the maximum extent practical, the following signals should be used:
1. Laboratory-generated signals;
2. Communications transmitted between terminals located outside the US, not used by any known US person;
3. Official government communications with the consent of that agency;
4. Public broadcast signals;
5. Other communications in which there is no reasonable expectation of privacy.

Where it is not practical to test equipment according to the aforementioned provisions, testing is also allowed using signals that may contain US person communications, but only under the following conditions:
1. The proposed test is coordinated with the NSA's General Counsel;
2. The test is limited in scope and duration;
3. No particular person is targeted without consent;
4. The test does not exceed 90 days.

When the testing results in the collection of communications of US persons, these communications shall be:
a. Retained and used only for the purpose of determining the capability of the electronic equipment;
b. Disclosed only to persons conducting or evaluating the test, and
c. Destroyed before or immediately upon completion of the testing.

Annex D of USSID SP0018 concludes with saying that "The technical parameters of a communications, such as frequency, modulation, and time of activity of acquired electronic signals, may be retained and used for test reporting or collection-avoidance purposes. Such parameters may be disseminated to other DoD intelligence components and other entities authorized to conduct electronic surveillance."



Conclusion

Given the rules laid out in Annex D of USSID SP0018 it can be perfectly legal for the NSA to conduct SIGINT Development activities on real-world data if, under the aforementioned conditions, there are no alternatives that allow an equally adequate testing of new systems and methods.

If the controversial SIGDEV project which the NSA's Inspector General investigated from 2013 to 2016 was indeed about improving filtering and selection methods, that would explain why the analyst used it on a live collection system: only then it could become clear whether the new method was able to sort foreign data from those related to US persons.

The Inspector General, however, concluded that the analyst failed to comply with the regulations for SIGDEV projects, especially because USSID SD4000 requires that such projects have to comply with EO 12333 and USSID SP0018, which prohibit the intentional targeting of US persons, except when its approved by the FISA Court, the Attorney General or the Director of NSA.

As the analyst hadn't obtained such approval and it appeared that his method resulted in the intentional targeting and subsequent collection of US person telephone communications, he had violated all applicable regulations.




Links and Sources
- Schneier on Security: NSA Over-surveillance (Nov. 11, 2022)
- Bloomberg: NSA Watchdog Concluded One Analyst’s Surveillance Project Went Too Far (Nov. 1, 2022 - without paywall)

October 26, 2022

A new secure red telephone for German chancellor Scholz

(Updated: February 4, 2023)

In December last year, Olaf Scholz succeeded Angela Merkel as chancellor of Germany. Since about half a year ago, he has a remarkably large red telephone at his desk, which appears to be the SINA Communicator H. This is a brand new device to conduct secure phone calls at different classification levels and part of the widely-used SINA architecture.


German chancellor Scholz with his new red telephone for secure calls
(photo: Jesco Denzel - click to enlarge)



The chancellor's office

When the German government moved back to Berlin in 1999, a new Federal Chancellery was being built that was opened in May 2001 by chancellor Gerhard Schröder. Built in a postmodern style, it is said to be one of the world's largest government headquarters, with nine floors in the central part and over 300 offices in the wings.

On the 4th floor of the main building there's a room shielded against eavesdropping for meetings of the crisis staff (Krisenstab) and the weekly meeting of the heads of the secret services with the head of the chancellery (there's no bunker underneath the building).


The small situation room in the federal Chancellary (source)
with at least three Alcatel 4039 office telephones


Next to the secure conference room is a small situation room (Lage und Krisenzentrum) where information from all over the world is collected 24/7, a selection of which is put in a folder titled Nachrichtenlage which the chancellor finds on his desk every morning, similar to the President's Daily Brief for the American president.

The chancellor's office is on the 7th floor and is very spacious, with a seating area, a conference table and a large, almost 4 meter long black desk. Chancellor Merkel didn't like this desk and used it only for phone calls to foreign leaders. For her daily work she preferred the small conference table at the opposite end of the room.




Video impression of the chancellor's office (December 2021)


The chancellor's telephones

When Olaf Scholz took over the office from Angela Merkel in December 2021, he found two Alcatel 4039 telephone sets on his desk, one of them with an extension module providing 14 additional direct line buttons. The Alcatel 4039 is a high-end IP office phone with a tiny alphabetic keyboard as a distinctive feature.

Alcatel was the telecommunications branch of the French conglomerate Compagnie Générale d’Électricité (CGE), which in 1986 was merged with the telephone equipment part of ITT Corp. from the United States. This made Alcatel NV the world's second-largest telecommunications company. In Germany, Standard Elektrik Lorenz (SEL) had become an Alcatel subsidiary as well, with 20 percent of Germany's telephone equipment market in the early 1990s, second only to Siemens AG. In 2006, Alcatel merged with the American manufacturer Lucent Technologies to become Alcatel-Lucent, which was acquired in 2016 by the Finnish company Nokia and merged into their Nokia Networks division.

Note that in the video we see that one of the phones has a red label and the other one a blue label. This likely indicates which phone is for classified conversations and which one for unclassified calls, according to the color codes of the German classification system:
- Blue: up to Confidential (VS Vertraulich)
- Red: Secret (Geheim) and Top Secret (Streng Geheim)

Ultimately by February 2022, the Alcatel 4039 with the blue label had been replaced by a stylish new IP phone, probably the IP232, made by Innovaphone. This is interesting, because Innovaphone is just a small manufacturer, but as a German company its products may be considered less risky than those of foreign manufacturers.


The IP232 made by Innovaphone (click to enlarge)



The new red telephone

The first time the new red telephone on chancellor Scholz's desk was seen was during an interview with T-Online that was published on May 15, 2022. The phone got broader attention by a photo posted on Scholz's Instagram account on September 13, 2022, during or after a 90-minute phone call with Russian president Putin.

This was picked up by the German tabloid paper BILD, which in a video report (see below) suggested that Scholz had used his new red telephone ("back from the days of the Cold War") to make the phone call with Putin. However, on its website, BILD stated that for conversations with for example the Kremlin, Scholz uses another secure line.

The latter is most likely because for a secure phone line, both parties have to use the same encryption system, and in this case it's not very likely that the Germans would provide Putin with their newest secure voice encryption technology. In the United States, a "red phone" is also used for internal command and control communications and, despite widespread popular belief, not on the famous Hotline between Washington and Moscow.






secunet Security Networks AG

BILD had also identified Scholz's new red telephone as the so-called SINA Communicator H. This device is manufactured by the German cybersecurity company secunet Security Networks AG, which is headquartered in Essen and was founded in 1997 as an offspring of the venerable testing association TÜV.

In 2004, secunet became a partner in the IT Security Partnership (Sicherheitspartnerschaft) with the federal Interior Ministry, which by then also included Rohde & Schwarz, Deutsche Telekom, Siemens, IBM Deutschland and Infineon.

Until recently, German government and military departments used voice encryption systems for ISDN, which was very popular in Germany. But German telecommunication providers are phasing out their ISDN service one by one, replacing it by Voice over IP (VoIP) via DSL. This made it urgent for the government to replace their existing voice encryption systems.


The SINA Communicator

Hence, secunet developed the SINA Communicator, for which it already had years of experience when it came to the hardware. For the necessary software for encrypted voice and video communications, secunet acquired the German company Stashcat GmbH, which in 2016 launched the Stashcat secure smartphone messenger that is used by some 50.000 German soldiers, as well as by schools, companies and local governments.

The name "SINA Communicator H" signifies that the device is part of the Secure Inter-Network Architecture (SINA) product family for securing digital data and communications (see below), in this case up to the classification level Secret. The latter is indicated by the letter H, as the last letter of the SINA product designations indicates their maximum classification level:
- S: up to VS-Nur für den Dienstgebrauch (Restricted)
- E: up to VS-Vertraulich (Confidential)
- H: up to Geheim (Secret)

As such, the SINA Communicator H was certified by the Federal Office for Information Security BSI in July 2021. Certification for organizations of the European Union and NATO has been requested.




The SINA Communicator is a fairly large and heavy device (weight ca. 5,5 kg) and despite the bulky look of its backside it won an iF Design Award earlier this year. Unlike common telephones, the SINA Communicator only has four buttons (for mute, up, down, and headset); all other functions are accessible through the 10,1" LCD touchscreen.

It seems that currently, the device can only be used for secure phone calls. A secure messenger, video telephony and the integration of thin client functionality will be part of future upgrades. Other options such as web clients, fax support, file and document transfer and multi-party messaging can also be added.

A special feature of the SINA Communicator is the Multi Level Data Separation, which means that users can communicate at different classification levels by selecting one of the approved levels via the touchscreen display. This will make it possible to use the same device to communicate with foreign partners as well.




The SINA Communicator supports up to three different networks, depending on the need of the user, which enable them to communicate at various German classification levels, or at (classified) networks of European and NATO partners, up to the level Secret.

For access to a particular network at a particular classification level, users get a hardware token in the form of a small key for each network they are authorized to. The key for each network has to be plugged into the phone to provide two-factor authentication:




The SINA Communicator can be used on dedicated government networks or directly on the public internet and is also compatible with the modernized command and control systems (Harmonisierung der Führungsinformationssysteme or HaFIS) of the German armed forces.

The Communicator uses standard VoIP protocols, including the Session Initiation Protocol (SIP) for common commercial systems and the Secure Communications Interoperability Protocol (SCIP) for secure communications with NATO partners.

Encryption is conducted with a "type A cryptographic suite" and key management through a Public Key Infrastructure (PKI) or the Internet Key Exchange version 2 (IKEv2), which can be upgraded to provide resistance against attacks by future quantum computers (PQC).


Update:

In October 2022, minister of state in the foreign office Tobias Lindner tweeted a high-resolution photo of the SINA Communicator in red, like the one on chancellor Scholz' desk (see below).

The photo shows that in the upper right corner the phone is marked with the abbreviation R-VSK, which stands for Ressortübergreifende Verschlusssachen-Kommunikation or in English: Interagency Classified Communication. This version is for use at federal government ministries and is currently being rolled out.

Next, foreign partners will be included (International, I-VSK) as well as companies where there's a need for secure communications with government agencies (Firmen, F-VSK). There are also plans to offer the system to German state governments (Länderbehörden).

To ensure its availability, the SINA Communicator is manufactured both by secunet and Rohde & Schwarz, the latter providing experience with secure communications for vehicles. The new phone system is also made redundant so it continues to function when there's a electricity blackout.



The SINA Communicator comes standard in black; the version in red seems to be for German government users to communicate up to the classification level Secret. It's not clear why this is signified with an almost completely red device, instead of with a less-eyecatching marking.

In the US, for example, the phones for calls at the highest level simply have a bright yellow bezel surrounding the display, but for the Oval Office apparently even that was standing out too much, so there the phone for secure calls looks almost identical to the one for regular phone calls, similar to the two Alcatel 4039 phones that had been on Scholz's desk.


Introduction of the SINA Commnicator H in red
(source - click to enlarge)


The SINA architecture

The SINA Communicator is the latest addition to the Sichere Inter-Netzwerk Architektur or Secure Inter-Network Architecture (SINA) to protect classified information and communications. Following a tender by the BSI, secunet started developing the SINA architecture in 1999.

SINA enables the secure processing, storage, transmission and documentation of classified information and consists of a range of terminals and network encryption devices, including:

- SINA L2 Box: Encryption at OSI layer 2 with data throughput of up to 100 GBit/s.

- SINA L3 Box: IPSec encryption at OSI layer 3 with data throughput of up to 5 GBit/s.

- SINA Workstation: Providing secure access to both classified and unclassified networks.

- SINA Workflow: Dedicated document management system for classified information




SINA encryption

At the lower classification levels, message encryption was initially conducted via the classified cryptographic algorithm CHIASMUS, but this has been replaced with the publicly available AES block cipher. The SINA products also use the Elliptic-curve Diffie-Hellman (EC-DH) for key exchange and the Elliptic-curve German Digital Signature Algorithm (EC-GDSA).

At the higher classification levels, SINA products used the classified cryptographic algorithm LIBELLE, which was stored on the PLUTO crypto processor made by Infineon. This chip was integrated in a Hardware Security Module (HSM) called PEPP1, which was manufactured by Rohde & Schwarz. LIBELLE was gradually replaced by a new classified encryption algorithm.


Usage of SINA products

In Germany, SINA products are installed at goverment departments, military facilities, companies working with classified information and critical infrastructures. Also secured by SINA encryption devices are the wide-area networks for Secret information of the German foreign intelligence service BND, as well as the global secure network connecting German embassies via the internet.

Data that are intercepted under Germany's lawful interception authorities are also secured by SINA network encryptors when they are transferred from the telecommunications provider to the appropriate government agency.

SINA devices are also certified by the responsible authorities of NATO and the European Union and used by public institutions and commercial enterprises in other countries as well. Meanwhile, some 170,000 SINA products have been installed in over 30 countries.

In the Netherlands, for example, the cybersecurity company Fox-IT equips SINA boxes with its RedFox encryption module, which comes in a commercial version and one with classified algorithms for government users.



Links and Sources
- Tagesspiegel: Sicher über Geheimes reden (2022)
- secunet: SINA Communicator H factsheet
- BSI: SINA Broschüre (2016)
- BILD: Wenn beim Kanzler das rote Telefon klingelt (2022)
- Der Spiegel: Im Kanzleramt (2005)
- Verwaltungsvorschriften: Hinweise zur Handhabung von Verschlusssachen

Some older articles on this weblog that are of current interest: