December 21, 2021

From the Hotline to the first video call between presidents Biden and Putin

(Updated: January 8, 2022)

Among the most special telecommunication links are those between the presidents of the United States and Russia. The first and most famous one is the Hotline from 1963, but contrary to popular belief it never had red telephone sets, because it started as a teletype link that evolved into a secure e-mail system.

Only in 1990, a separate secure telephone line was established between the Kremlin and the White House, which was integrated into a digital computer network in 2008. This also enables video calls, a capability that was first used by US president Biden and Russian president Putin only two weeks ago, on December 7, 2021.


US president Biden talking to Russian president Putin from
the White House Situation Room, December 7, 2021.
(photo: White House - click to enlarge)


The Biden-Putin video call

The Russian news agency TASS reported that "the video conference was organized via a secure video conference line, designed for communication between world leaders, and used for the first time today" - a memorable moment, but hardly any other news outlet mentioned it.

Maybe that's because the American and the Russian president had already participated in several multilateral video conferences, like for example the G20 summit in Riyadh in November 2020, and therefore this first bilateral video call seemed not that special anymore.

US president Joe Biden attended the virtual meeting from the large conference room in the White House Situation Room, which is in the basement of the West Wing of the White House. Also present were national security adviser Jake Sullivan, secretary of State Antony Blinken and Eric Green, a senior advisor on Russia.


Russian president Putin talking to US president Biden at
his Bocharov Ruchei residence, December 7, 2021.
(photo: Kremlin via EPA - click to enlarge)


Russian president Vladimir Putin conducted the video call from a conference room in Bocharov Ruchei, which is the summer residence of the Russian president in the Black Sea resort of Sochi. In the photos and video released by the Kremlin no aides or other officials were visible.

An interesting little detail is that the security camera in the corner of the room seems to be covered in black plastic, likely to prevent the ordinary security personnel from watching and/or listening to the video call with president Biden:



Another detail is that president Putin seems to have a white button in front of him, probably similar to the call button in the White House which the American president can use to summon assistance. Under Trump this became known as the "Diet Coke Button".

Close-up of the phone and button in front of president Putin
(photo: Mikhail Metzel, Sputnik, Kremlin Pool Photo via AP)



Start and duration of the video call

A brief snippet broadcast by Russia state television shows that the two leaders offered friendly greetings to each other: "I welcome you, Mr. President," Putin said, but US president Biden seemed to fumble with his microphone, awkwardly waving to his Russian counterpart during the silence.

After a few seconds, Biden leaned forward and pressed a button on the control panel of the video teleconference (VTC) system. This apparently turned his microphone on: "There you go" he said, suddenly audible, chuckling and waving to Putin.


The AMX control panel of the videoconferencing
system in the White House Situation Room


After president Biden expressed his hope for an in-person meeting with the Russian leader in the future, further talks proceeded in private. Biden and Putin spoke to each other for just over two hours, according to the White House from 10:07 a.m. to 12:08 p.m. Eastern Time, or 18:08 to 20:10 Moscow Time.

Putin's foreign affairs adviser Yuri Ushakov described the presidents' video conference as "candid and businesslike," adding that they also exchanged occasional jokes. Biden's national security adviser said the meeting was "useful", the discussion "direct and straightforward" and "There was no finger wagging."

After the video call with Putin, president Biden had a telephone (conference?) call with France's president Emmanuel Macron, German chancellor Angela Merkel, the British prime minister Boris Johnson and Italian prime minister Mario Draghi to brief them about the conversation with the Russian president.

Update:
On December 30, 2021, US president Biden and Russian president Putin had their second conversation within a month. This time it was a 50-minute telephone call, which was requested by Putin and was about the ongoing crisis around Ukraine.

President Biden speaks on the phone to president Putin
from his home near Wilmington, Delaware on December 30, 2021
(photo: AFP/Getty Images - click to enlarge)



US-Russian communication links

It should be noted that neither the video call, nor the telephone conversations between the presidents of Russia and the United States are conducted through the famous Hotline between Washington and Moscow. This Hotline, which is officially called the Direct Communications Link (DCL), was established to prevent nuclear war and is formally based upon a memorandum between the United States and the Soviet Union from June 20, 1963.

In popular culture the Washington-Moscow Hotline is often called the Red Phone, and therefore many people think it has red telephone sets, but this is false: the Hotline was never a phone line. It was set up as a teletype connection, which in 1988 was upgraded to inlcude facsimile (fax) units. Since 2008 the Hotline is a highly secure computer link over which messages are exchanged by e-mail.



The Washington-Moscow Hotline terminal room at the Pentagon in 2013
(photo: www.army.mil - click to enlarge)


The American president did use a red telephone though, although not for foreign, but for domestic communications. Quick and easy contact between the president and military commanders is of course just as important as contact with the Kremlin, and this was achieved through a secure military telephone network, called the Defense Red Switch Network (DRSN).



The Direct Voice Link (1990)

While president Reagan used to write letters to his Soviet counterparts, his successor George H.W. Bush had his first phone call with general secretary Mikhail Gorbachev already on January 23, 1989, three days after his inauguration. This established the practice of direct calls to the Soviet leadership, which were to prove very productive.*

Therefore, the United States and the Soviet Union signed an agreement on June 2, 1990 to set up a "Direct, Secure Telephone Link between Washington and Moscow". This agreement was updated by the memorandum of understanding between the United States and the Russian Federation from October 15, 1999.

The official name of this telepone line is Direct Voice Link (DVL) and it connects the White House with the office of the Russian president, initially via the same satellite link as the Hotline. But while the Hotline is designated for top level crisis communications, the Direct Voice Link can be used for routine matters and the calls are usually scheduled in advance, so interpreters can be present.*


President Obama using his telephone for secure calls in the Oval
Office to talk to Russian president Putin, March 1, 2014.
(White House photo by Pete Souza - click to enlarge)


A Russian integration proposal

From the declassified Presidential Review Directive/NSC 51 by president Clinton's national security advisor Anthony Lake from February 28, 1995, we learn that:
"The Russian government has recently tabled a proposal to upgrade existing government-to-government communications links between Washington and Moscow by installing a secure digital network with voice, data and teleconferencing capabilities. Significantly, the Russian proposal would integrate the existing Direct Communications Link, the secure Direct Voice Link, and the Nuclear Risk Reduction Center communications network in a manner that would permit intergovernmental communications between the U.S. and Russian presidents as well as other government officials; it would also provide the capability to convene conference communications involving Washington, Moscow and "third parties," e.g., other capitals of the Newly Independent States."

In reaction to this proposal, the senior director for Defense Policy of the US National Security Council set up an interagency working group, to "reexamine the purpose, function and overall architecture of direct communications networks between Washington and Moscow."

I haven't found the conclusions of this working group, but given the fact that the different communication systems continued to exist, indicates that at the time the US did not agree to the Russian proposal.



The Direct Secure Communications System (2008)

Eventually, the Russians partly got what they wanted, because on October 30, 2008, an agreement was signed on the establishment of a "direct secure communications system between the United States of America and the Russian Federation".

This agreement supersedes and terminates the earlier agreements and memoranda of understanding about both the Hotline (from 1963, 1971, 1984 and 1988) and the Direct Voice Link (from 1990 and 1999).

The new system consists of "networked equipment and communications circuits and [is] intended for secure emergency and non-emergency communications between the highest leadership of the two countries." To make the system suitably reliable, the "communications circuits shall follow geographically diverse paths" and both countries agreed to equally share the cost of leasing communication circuits that run outside their territory.




According to the agreement it was up to the Defense Information Systems Agency (DISA) on the American side and the Federal Protective Service (FSO) on the Russian side to "determine the configuration and technical parameters of the communications circuits, as well as the specific types of encryption devices and equipment to be used."

It was also agreed that "the secure communications system shall be reequipped and updated every five years" while it may also be used to transfer classified information, but only up to the level Secret, as the agreement only mentions the classification markings Secret (Russian: Совершенно секретно) and Confidential (Секретно).


Since the new system became operational, probably in the course of 2009, there's one secure network between Washington and Moscow which is used for the e-mail capability of the old Hotline as well as for the direct telephone line between both presidents.

Since 2013 the network is also used for "a direct secure voice communications line between the U.S. Cybersecurity Coordinator and the Russian Deputy Secretary of the Security Council, should there be a need to directly manage a crisis situation arising from an ICT security incident."

And likewise the video call between Biden and Putin must also have been conducted through the Direct Secure Communications System, although it's not clear why it took so long before this capability was first used.


The Head-of-State Network

The new secure communications network between Washington and Moscow has probably been integrated in the Head-of-State (HoS) network which the president of the United States uses to communicate with foreign leaders.

According to the 2009 budget of the White House Communications Agency (WHCA), which is part of DISA, this Head-of-State network was upgraded to an IP network and expanded with "new suites and additional network capacity", a project that was finally completed in the fiscal year 2013.

There's very little information about the Head-of-State network, but we can assume that it includes at least the countries that previously had a bilateral top-level hotline with the White House: Russia, the United Kingdom, Germany, India and probably China. Other allied countries are likely also included.




A small room within the White House Situation Room where the president
"can make a head-of-state phonecall from the Situation Room itself"
(screenshot from a White House video)



Head-of-State phone calls

Presidential phone calls to other heads of state are usually prepared by the senior duty officer (SDO) of the White House Situation Room who negotiates date and time with the designated contact in the foreign capital and arranges an interpreter from the Language Service of the State Department.* Subject-matter experts from the National Security Council (NSC) may also listen in to the call.

These phone calls are not recorded, but duty officers in the Situation Room take verbatim notes which are put together in a Memorandum of Conversation (MemCon). An example is this one of the famous last phone call between presidents George H.W. Bush and Mikhail Gorbachev on December 25, 1991. These MemCons are stored on TNet, the internal computer network for the NSC staff.


When the Situation Room has no dedicated link to a particular foreign leader, then the call would be set up through the so-called Signal switchboard, which is staffed by military personnel from the White House Communications Agency.*

The Signal switchboard is also used for all other secure phone calls and thus we see that the IST2-telephone used by presidents George W. Bush and Barack Obama had separate buttons not only for the Situation Room, but also for the Head-of-State conference calls, the Signal switchboard and its operator for secure calls:




Securing the networks

For obvious reasons there's no information about how the Head-of-State network and the Secure Communications System between the US and Russia are secured. For its own classified IP networks, the US military uses advanced network encryptors, like the TACLANE series made by General Dynamics. These devices are certified by the NSA as Type 1 product that use classified Suite A algorithms to encrypt communications data up to the highest classification level (Top Secret/SCI).

For such an encryption system, however, both parties have to use the same equipment, or at least the same algorithms and that's a problem when it comes to bilateral communications: one country will of course never provide it's best encryption systems to another country. One solution is to use less secret methods, like the Advanced Encryption Standard (AES), which is considered one of the best publicly available encryption algorithms.

Responsible not only for securing the Direct Voice Link (DVL), but also for Obama's BlackBerry, was Richard "Dickie" George, who served as technical director of the NSA's Information Assurance Directorate (IAD) from 2003 until his retirement in 2011.


One-time pad

When head-of-state communications should be as secure as possible, then they could use a one-time pad (OTP), which is unbreakable if implemented correctly. Instead of an algorithm, the OTP method uses a completely random key that is as long as the message that has to be encrypted.

In this way both the original Hotline and the communication links of the Nuclear Risk Reduction Center (NRRC) were secured: "The information security devices shall consist of microprocessors that will combine the digital message output with buffered random data read from standard 5 1/4 inch floppy disks" which each party provided to the other through its embassy.


Russian equipment?

In August 2018, several Russian state media came with a somewhat confusing story saying that "a sophisticated scrambler developed by Concern Avtomatika was tested by US specialists and recommended for use in the direct telephone link connecting Washington with Moscow."

Avtomatika and its predecessors have been manufacturing cryptographic equipment for secure top-level telecommunications already since 1930. In 2014 Avtomatika became part of the state-owned defense conglomerate Rostec.



Links and sources

- ABC News: Biden confronts Putin over Ukraine in high-stakes meeting (Dec. 8, 2021)
- TASS: Putin-Biden video conference over (Dec. 7, 2021)
- The New York Times: The White House relies on a secret system for calls with world leaders. (Dec. 7, 2021)
- Bloomberg: Outdated White House Situation Room Getting Needed Overhaul (Oct. 21, 2021)
- Syracuse.com: I listened to dozens of presidential phone calls. Here’s why it’s done (Sept. 25, 2019)
- National Security Archive: The Last Superpower Summits (Jan. 23, 2017)
- CNN Business: 'I made Obama's BlackBerry' (May 22, 2014)
- Michael K. Bohn: Nerve Center. Inside the White House Situation Room, Brassey's Inc, 2003, p. 67-101.

December 4, 2021

About Intellipedia and other intelligence wikis from the Snowden trove



For years, the NSA and other US intelligence agencies have their own internal versions of the collaboration tools that most of us are using day-to-day. Documents from some of these tools have been published as part of the Snowden revelations, which allows a closer look.

It turns out that besides the US Intelligence Community's Intellipedia, which was already publicly known, the Snowden trove also contains entries from the NSA's WikiInfo and the British GCWiki, systems that were hitherto unknown.





Intellipedia

The oldest and best known internal collaboration tool used by the US Intelligence Community is Intellipedia, which is similar to the public Wikipedia and uses the same software called MediaWiki.

Intellipedia started as a pilot project at the CIA in 2005 and was formally announced in April 2006. Later it was brought under the Intelligence Community Enterprise Services (ICES) of the Office of the Director of National Intelligence (ODNI).

A big difference with the public Wikipedia is that Intellipedia has three different versions, according to the main classification levels (with the number of users by the end of 2012):
- Unclassified, on the DNI-U network, with some 75.000 users

- Secret, on the SIPRNet network, with some 147.000 users, mostly from the Defense Department and the State Department

- Top Secret/SCI, on the JWICS network, with some 188.000 users, mostly from the intelligence agencies


Each of these Intellipedia versions can be used by both civilian and military employees with appropriate clearances from the 17 agencies of the US Intelligence Community as well as from the US military and other federal government departments.

An example of the address format of a TopSecret/SCI Intellipedia page is: http://intellipedia.intelink.ic.gov/wiki/Anna_Politkovskaya


An article from the Unclassified version of Intellipedia
This one from the CIA's AIN network
(Click to enlarge)


Intellipedia entries from the Snowden revelations

Probably a bit surprising is that among the numerous Snowden documents there are only five Intellipedia entries. A close look shows that they were published in two forms:

1. Three of the Intellipedia entries are in pdf-format or a pdf-image (or a combination thereof) and in full color, in this case much yellow, which is the color code for information classified as Top Secret/Sensitive Compartmented Information (TS/SCI).

These three entries are this one about Anna Politkovskaya, this one about Air-Gapped Network Threats and this one about BIOS threats.


Intellipedia entry about Anna Politkovskaya

Snowden's username redacted on Intellipedia? (source)


2. Two Intellipedia entries from the Snowden cache don't have color, images and formatting and seem to be a scan or a photo of a printed document, like this entry titled "Manhunting Timeline 2008", which was released by The Intercept in July 2015.

The other entry was published last October by the American journalist Spencer Ackerman and is titled "Targeted Killing: Policy, Legal and Ethical Controversy". This document not only has a very similar form as the "Manhunting Timeline 2008" but is also about the same topic.



Intellipedia entry titled Manhunting Timeline 2008



Intelink

Intellipedia is part of the Intelink network, which was set up in 1994 and also has three versions: for Unclassified, Secret and Top Secret/SCI information. Besides Intellipedia, Intelink also provides a range of other collaboration tools for members of the US Intelligence Community (IC), like:
- Intelink Search
- Inteldocs (shared files)
- IntelShare (the IC's SharePoint)
- Intelink Blogs
- eChirp (IC version of Twitter)
- Jabber (instant messaging)

A more official version of Intellipedia, called Living Intelligence, was created for collaboratively writing official intelligence reports, but this failed because each agency stuck to its own process for writing such reports or "products for their customers".

More succesful is A-Space (or Analytic Space), which is also a common collaborative workspace for analysts of the US Intelligence Community, but unlike the Intelink tools, A-Space can also be used for information classified as GAMMA or HCS. A-Space went live on the JWICS network in 2008 and is managed by the DIA. In July 2013, A-Space was widened to i-Space (Integrated Space) so access is no longer restricted to analysts.


Intelink homepage with icons of the various collaboration tools (source)


Under the huge modernization project called Intelligence Community IT Enterprise (IC ITE or "Eye Sight") the NSA will provide an Apps Mall with collaboration tools that can be used as part of the Desktop Environment (DTE) for all intelligence users.

All the Intelink collaboration tools on the JWICS network are marked NOFORN, which means their content may not be shared with foreign nationals. Therefore, NSA employees apparently prefer their own tools on NSANet which do allow sharing with the other agencies of the Five Eyes partnership.



WikiInfo

The name of one such NSA tool was already found in a very interesting report from 2016 about how the US Intelligence Community uses internal collaboration tools: WikiInfo. This very unimaginative name refers to the NSA's internal wiki, parts of which were published during the Snowden leaks.

WikiInfo runs on NSANet, the network that connects all the Five Eyes signals intelligence agencies, and has a maximum classification level of TOP SECRET//SI-GAMMA/TALENT KEYHOLE//ORCON/PROPIN/RELIDO/REL TO USA, FVEY.

This really long marking says that information on NSANet may include highly sensitive communication intercepts (GAMMA) and intelligence from spy planes and satellites (TALENT KEYHOLE), including material that is closely controlled by the originator (ORCON) or contains proprietary information (PROPIN).

For even more sensitive information that should not be shared with the Five Eyes partners there's a separate platform called WikiInfo-NF (No Foreign nationals).


WikiInfo entries from the Snowden revelations

The Snowden trove provided only about 10 WikiInfo entries, which is not much, but still twice the number of Intellipedia pages. Most of them just contain the text of the article, like this one about QUANTUM shooters, but this one shows the full WikiInfo interface, apparently made with a full page screen capture tool:


The WikiInfo interface with an entry about SIGINT targeting scenarios
Note that "Edward snowden" doesn't seem to match the redacted username


WikiInfo is only one of the NSA's own series of internal collaboration tools. Others are Tapioca, JournalNSA, SpySpace, Giggleloop, RoundTable and Pidgin. Tapioca was described as the "impressive NSA system for social networking and collaboration" and combines multiple functionalities. In 2016, Tapioca also got a version on Intelink, making it available for other US intelligence users.



GCWiki

Most wiki entries that have been published during the Snowden revelations, some 23, are actually not from an American system, but from the internal wiki that is used by the NSA's British counterpart GCHQ. This platform is called GCWiki and has a maximum classification level of TOP SECRET STRAP1 COMINT.


An example of the address format for GCWiki pages is: https://wiki.gchq/index.php/TWO_FACE


GCWiki entries from the Snowden revelations

Among the GCWiki entries published as part of the Snowden revelations there are no examples of how the GCWiki interface looks like. All entries are like this article about the PHANTOM PARROT program, which was published by The Intercept in September 2017:


GCWiki entry about the PHANTOM PARROT program

Snowden's username on GCWiki (source)


Besides GCHQ, the other Five Eyes signals intelligence agencies, the Canadien CSEC (now CSE), the Australian DSD (now ASD) and GCSB from New Zealand, also have their own internal wikis, but from these platforms no entries have been published.



What's in the Snowden cache?

Regarding the content of these intelligence wikis, probably most of it is about people, places and events that are of interest for intelligence analysts. But as we can see from the pages that have been published since June 2013, these internal wikis are also used to share more technical information about collection programs and hacking tools.

It's not clear whether Snowden picked out those topics or journalists did so, or in other words: whether or not Snowden also downloaded the complete content of Intellipedia, WikiInfo and GCWiki, like he did with the NSA's internal newsletter SIDtoday. If so, that would have amassed a huge number of files, as in January 2014, the Top Secret/SCI version of Intellipedia alone contained some 113.000 pages.



A final thing to consider is how the Intelligence Community's internal collaboration tools relate to Snowden's exfiltration efforts. As we have seen here, the NSA and the US Intelligence Community both have a whole series of tools, ranging from instant messengers to file sharing systems and almost anything in between.

In his 2016 book Permanent Record, Snowden writes about what he calls "readboards", a kind of digital bulletin boards where each NSA site posted news and updates (p. 220). This sounds a bit like the "shared bookmarking" function which is available on Intelink, according to this diagram:


Collaborative tools used by the US Intelligence Community in 2016
(click to enlarge - source)


Snowden said that he started hoarding documents from all these readboards and then shared this personal collection with his colleagues, as a justification, or "the perfect cover", for collecting material from more and more sources.

This system, which Snowden called Heartbeat, also pulled in the full documents so NSA Hawaii would still have access to them in case they would be disconnected from NSA headquarters. And, according to Permanent Record: "Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat" (p. 221-222).

Heartbeat isn't mentioned in the diagram above, which makes sense because if the system existed like Snowden described it was probably only used at NSA Hawaii and not throughout the NSA as a whole - and most likely completely abolished after he left the agency.



Links and sources
- The Atlantic: The Government’s Secret Wiki for Intelligence (2017)
- Wired: The Wikipedia for Spies—And Where It Goes From Here (2017)
- Center for Strategic and International Studies: New Tools for Collaboration. The Experience of the U.S. Intelligence Community (2016)

November 3, 2021

Edward Snowden and the targeted drone killing campaign



Two weeks ago, on October 22, a new document from the Snowden files was published for the first time in over two years. It's an entry from Intellipedia about the American drone killing campaign that was released by journalist and writer Spencer Ackerman.

While the content of the document is hardly significant, it's form is remarkably similar to an Intellipedia entry that was published in 2015, which leads us to Snowden's interest in the drone killings and The Drone Papers that Daniel Hale leaked to The Intercept.





Ackerman's publication

Except for five new partial documents published in Barton Gellman's book Dark Mirror in May 2020, the last release of files from the Snowden trove was in May 2019, when The Intercept and the Norwegian broadcaster NRK published a range of documents about NSA's Real Time Regional Gateway (RT-RG) collection system. Two months earlier, the publisher of The Intercept had already decided to shut down the Snowden archive.


The new document comes from the cache of Snowden documents that is kept by the American documentary filmmaker Laura Poitras, who now lives in Berlin. According to Ackerman, Poitras was preparing for her exhibition Parallel Construction that marked the 20th anniversary of 9/11, when she "came across the Intellipedia entry and realized no one had ever published it" and then gave him a copy of it.

Ackerman published the document on Substack, an online platform for journalistic articles and newsletters, where he has an account called Forever Wars to "chronicle, investigate and interrogate the continuities, departures and permutations of the War on Terror". There he discusses the Intellipedia entry in an article titled "On U.S. Intelligence’s Wiki, Anxiety About Legal Challenges To Drone Strikes".


The Intellipedia entry (full document) published by Spencer Ackerman


The Intellipedia entry provides a summary of policies and opinions about the issue of targeted (drone) killings, mostly based upon public news reports and therefore almost all the content is unclassified. What Ackerman thinks is newsworthy is "the document's occasionally alarmist depiction of legal and political challenges to the strikes" and that it shows a "paranoid" feeling among US intelligence analysts.

Apparently this is only based on the following sections in the Intellipedia entry, which actually hardly support Ackerman's interpretation:

- "Those opposing targeted killing are increasing their organization and activities. If timing is more than coincidental, activists may coordinate their opposition efforts."

- "The effort may indicate a concerted effort by human rights organizations, activist international lawyers and opposition forces to undermine the use of remotely piloted vehicles, targeted killing, preemption and other direct action as elements of Uniited States policy."

Ackerman also argues that the way the Intellipedia entry places "legal and political challenges to drone strikes on a continuum with warfare is of a piece with how U.S. intelligence can also view journalism on a continuum with espionage" - which refers to the prosecution of Julian Assange, who by his supporters is seen as an innocent journalist, while he actually engaged in acts of espionage and conspiracy against the United States.



A similar Intellipedia entry

More interesting than the content, is the form of the newly disclosed document, because it turns out that it's very similar to another Intellipedia entry which is titled "Manhunting Timeline 2008" and was published by The Intercept in July 2015, along with a report about Israeli assassination operations:


Intellipedia entry (full document) published by The Intercept in 2015


This earlier Intellipedia entry is less blurry and has some additional details compared to the one published by Ackerman. First, it has all the navigation menus, including the one that's usually in the upper right corner of the browser window and includes the user name, something The Intercept forgot to redact in this case:



Another interesting detail is a message that appeared on top of the article to announce Intellipedia users that they should expect maintenance of the Intelink Instant Messenger (IIM) service on January 3, 2013.

This indicates that this document was viewed, stored and/or downloaded shortly before that date - a period when Snowden was a SharePoint systems administrator in the Office of Information Sharing at the NSA's regional Cryptologic Center in Hawaii.



Some details of the Intellipedia entry titled Manhunting Timeline 2008
(click to enlarge)


Even more interesting are the markings at the very top and bottom of each page, which appear when an article is printed or saved through the "Printable version" option in the wiki interface: at the bottom of each page there's the URL (redacted, but remarkably long) and the page number, while at the top of the page there's the date and the title of the article, in this case "Manhunting Timeline 2008 - Intellipedia".

The date on this document is "6/2/2015" or June 2, 2015, which is more than two years after Snowden left the NSA, but just a month before The Intercept published it. Because one of the URLs has not been completely redacted, we see that when the file was printed, it was not on an internal US government network, but on a local computer drive:




This indicates that Snowden provided the entry in a digital form and that The Intercept read and printed it using a locally installed Wiki engine. For publication the print was scanned to turn it into a digital file again, which now included the printing marks. Was this to make the Intellipedia entry look like other drone documents provided by Daniel Hale?


On the Intellipedia entry published by Ackerman we see a similar page title ("Targeted Killing: Policy, Legal and Ethical Controversy - Intellipedia") but no date and also no URL and page number, but maybe that's because the bottom parts of the pages have been cut off ("some excisions for caution that do not affect the document’s narrative" according to Ackerman):




Therefore, it's not clear when this document was printed, but given the fact that it's also a sub-topic of Intellipedia's main article about Manhunting, we can assume that Snowden provided it in digital form, just like the Manhunting Timeline 2008. So was the new document also printed to look like the earlier ones, or was it just a safer way to hand it over to Ackerman?

Documents in a printed form immediately remind of the series of classified documents that were leaked by other sources than Edward Snowden. Most, but not all of them were eventually traced back to former NSA and NGA contractor Daniel Hale, who was arrested in May 2019. It turned out that in 2014 he printed a range of classified documents which were subsequently published by The Intercept.




Snowden and the drone killings

Daniel Hale's aim was to provide information about the drone strikes in order to end these lethal operations and it seems that Snowden was interested in this issue too, besides his main goal of fighting mass surveillance by the US government.

Already in October 2013, The Washington Post reported about a file which was "part of a collection of records in the Snowden trove that make clear that the drone campaign — often depicted as the CIA's exclusive domain — relies heavily on the NSA's ability to vacuum up enormous quantities of e-mail, phone calls and other fragments of signals intelligence, or SIGINT."

This sounds like Snowden had made a folder with various documents about drone killings, similar to the folders he had created about other topics that had his special interest, like operations of the NSA divisions TAO (hacking) and SSO (cable tapping). Journalist Barton Gellman confirms that the encrypted archive with some 50.000 documents he and Laura Poitras received in May 2013 was "neatly organized in folders".*


Revelations about targeted drone killings

Despite this apparently special collection of records, there have been only very few revelations about the NSA's involvement in targeted drone killings:

- The first one was on October 16, 2013, by The Washington Post, titled Documents reveal NSA’s extensive involvement in targeted killing program, but this piece only refers to documents instead of publishing them.

- On February 10, 2014, The Intercept came with an article called The NSA’s Secret Role in the U.S. Assassination Program, which is based on accounts by "a former drone operator for the military's Joint Special Operations Command (JSOC) who also worked with the NSA" (Daniel Hale?) with some additional snippets from the Snowden trove.

- On July 15, 2015, The Intercept published the Intellipedia entry with the Manhunt Timeline 2008 as part of a report titled Israeli Special Forces Assassinated Senior Syrian Official.

That's not much, although Snowden's selection of drone-related documents may also have included files about NSA programs in support of the drone killings, like systems for tracing potential targets by geolocating their mobile phones, or the role of Menwith Hill Station in the United Kingdom, for example.


The drone killings as a trigger for Snowden?

According to Glenn Greenwald's book No Place to Hide from May 2014, Snowden was already confronted with drone operations during his job at the NSA's Pacific Technical Center (PTC) at Yokota Air Base, near Tokyo in Japan, where he worked as a systems administrator from August 2009 to September 2010:

"The stuff I saw really began to disturb me", Snowden said, and: "I could watch drones in real time as they surveilled the people they might kill. You could watch entire villages and see what everyone was doing. I watched NSA tracking people's Internet activities as they typed. I became aware of just how invasive US surveillance capabilities had become" (p. 43).

According to Greenwald, Snowden then began to feel an increasingly urgent obligation to leak what he was seeing, which makes it remarkable that this experience isn't mentioned in his own book, Permanent Record, which was published in September 2019.

In this book, Snowden only presents the press reports about the drone killing of Anwar al-Aulaqi as an example of how the US government itself is also leaking classified information when it serves its own interest (p. 237-238).

And instead of the drone campaign, Permanent Record comes up with two other "atomic moments" which Snowden experienced while he was in Japan: learning about the domestic mass surveillance of the Chinese government and the STELLARWIND report about president Bush' warrantless wiretapping program.


Later, however, Snowden said that he discovered the STELLARWIND report only much later, somewhere in 2012, when he was working at the NSA in Hawaii. It was actually several times that Snowden changed the narrative about what the decisive moment for his actions was (another one was the Clapper testimony), but when there's indeed a separate folder with drone killing documents that would confirm a special interest in this topic.



Daniel Hale's leaks

Daniel Hale had a similar experience as Snowden in Japan, but only in March 2012, a few days after he arrived in Afghanistan to work as a intelligence analyst at Bagram Airfield. There he witnessed how a group of men were killed by a drone strike, just because one of them carried a targeted cell phone. Since then he had increasing moral objections against these operations.

In April 2013, Hale attended a presentation of Jeremy Scahill's book Dirty Wars: The World Is a Battlefield about the drone killings program under president Obama. As of June they contacted eachother by phone and by e-mail and in September Scahill asked Hale to set up a Jabber account for encrypted chat conversations.

On October 16, 2013, The Washington Post published its piece about how documents provided by Snowden revealed the NSA's involvement in the targeted killing program. This article may have provided additional inspiration to Hale, because in December 2013 he accepted a new job at the National Geospatial-Intelligence Agency (NGA).

Although he felt uneasy, Hale said he took the job because "the money I could make was by far more than I had ever made before" - but maybe it was also an opportunity to get access to classified military information again, similar to Snowden who took his job at Booz Allen to get access to additional documents.

Between February and August 2014, Hale printed 23 mostly classified documents, 17 of which he provided to Jeremy Scahill, who then worked for Greenwald's new online news outlet The Intercept. Somewhere in the same period Greenwald traveled to Moscow and informed Snowden about a new source with important information about the drone program, which was shown in Laura Poitras' film Citizenfour from October 2014:



Glenn Greenwald informing Edward Snowden about The Intercept's new source
(still from the documentary film Citizenfour)


In the Summer of 2014, The Intercept had already published two of Hale's documents about NCTC watchlisting, but it took until April 17, 2015 for The Intercept and Der Spiegel to publish a Top Secret diagram about the drone operations and on October 15, 2015, The Intercept finally released four classified documents along with eight articles as "The Drone Papers".



Conclusion

For Snowden, who called it "the most important national security story of the year", The Drone Papers must have been a triumph because finally someone had followed in his footsteps and leaked details about the drone program which he was apparently also concerned about for years.

However, it was also a bitter defeat, because just three days after Daniel Hale had printed out his last document, the FBI had already tracked him down and raided his home (he was arrested in May 2019 and eventually sentenced to 45 months in prison). Is this why there's nothing about Hale, nor about the NSA's involvement in drone killing operations in Snowden's book Permanent Record?

Another question is why Laura Poitras thought Spencer Ackerman should publish a rather uninteresting Intellipedia entry. Was there really nothing more interesting about this topic among the Snowden files? Or was it a signal that, unlike The Intercept, she is still willing to publish things from the Snowden archive?



Links and sources
- Forever Wars: On U.S. Intelligence’s Wiki, Anxiety About Legal Challenges To Drone Strikes (2021)
- CNN: A 'second Snowden' leaks to the Intercept about 'drone wars' (2015)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (2015)
- The Washington Post: Documents reveal NSA’s extensive involvement in targeted killing program (2013)

May 18, 2021

What the NSA provides to its foreign partners, and vice versa

(Updated: November 3, 2021)

The cooperation between (signals) intelligence agencies of different countries is strictly quid pro quo, which means what you get is equivalent to what you give. This is perfectly illustrated by a small series of documents from the Snowden trove, which summarize what the NSA provides to its foreign partners, along what they provide to the NSA.

Three of these documents are about the NSA's Second Party partners (better known as the Five Eyes): Canada, Australia and New Zealand, and six about Third Party partners: Germany, Israel, Norway, Saudi Arabia, Sweden and Turkey. Another NSA document provides some characteristics of these relationships.





The documents about the various NSA partners are information papers prepared by the Country Desk Officer (CDO) for the particular country at the NSA's Foreign Affairs Directorate (FAD). All but one date from April 2013, which is just a month before Snowden left the agency. It's not known whether there are also papers about other NSA partners among the Snowden files.

The information papers describe the relationship between the NSA and the foreign partner in a standardized way: they all start with an introduction, mention some "Key Issues", followed by "What NSA Provides to Partner" and "What Partner Provides to NSA". The papers end with "Success Stories" and "Problems/Challenges with the Partner".

For readability, the portion markings with the classification level for each paragraph have been removed and some abbreviations are written in full.



Second Party partners

The Second Party partners of the NSA are the signals intelligence agencies of the United Kingdom, Canada, Australia and New Zealand. These five countries are also known as the Five Eyes. Their SIGINT systems are highly integrated and the partners are not supposed to spy on each other.


Canada

Information paper: NSA Intelligence Relationship with Canada's CSEC, April 3, 2013

(Published by CBC on December 9, 2013)


What NSA provides to the Partner:

SIGINT: NSA and CSEC cooperate in targeting approximately 20 high-priority countries [two lines redacted]. NSA shares technological developments, cryptologic capabilities, software and resources for state-of-the-art collection, processing and analytic effots, and IA capabilities. The intelligence exchange with CSEC covers worldwide national and transnational targets. No Consolidated Cryptologic Program (CCP) money is allocated to CSEC, but NSA at times pays R&D and technology costs on shared projects with CSEC.

[two paragraphs redacted]


What the Partner provides to NSA:

CSEC offers resources for advanced collection, processing and analyss, and has opened covert sites at the request of NSA. CSEC shares with NSA their unique geographic access to areas unavailable to the U.S. [redacted], and provides cryptologic products, cryptanalysis, technology, and software. CSEC has increased its investment in R&D projects of mutual interest. [several lines redacted].

[at least two paragraphs redacted]





Australia

Information paper: NSA Intelligence Relationship with Australia, April 2013

(Published by The Intercept and ABC on August 18, 2017)


What NSA provides to the Partner:

NSA provides cryptologic products/services to the Government of Australia through DSD, on virtually all subjects, particularly those related to the Pacific Rim. NSA shares technology, cryptanalytic capabilities, and resources for state-of-the-art collection, processing and analytic efforts. NSA will continue to work closely with Australia to meet its commitments as the U.S reallocates efforts toward Asia and the Pacific.


What the Partner provides to NSA:

NSA and DSD have agreed to specific divisions of effort, with the Australians solely responsible for reporting on multiple targets in the Pacific area, including Indonesia, Malaysia, and Singapore, based on their unique language capabilities and geographic accesses. In addition, DSD has primary reporting responsibility [redacted] regardless of geographic region. DSD provides access to commercial and foreign/domestic satellites from sites in Geraldton and Darwin, High Frequency (HF) collection and Direction Finding (DF) from three sites; and, manning of the operations floor at Joint Defense Facility at Pine Gap (RAINFALL), a site which plays a significant role in supporting both intelligence activities and military operations. In addition, DSD provides NSA with access to terrorism-related communications collected inside Australia.





New Zealand

Information paper: NSA Intelligence Relationship with New Zealand, April 2013

(Published by NZ Herald on March 11, 2015)


What NSA provides to the Partner:

NSA provides raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.


What the Partner provides to NSA:

GCSB provides collection on China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antarctica; as well as, French police and nuclear testing activities in New Caledonia [two lines redacted].




Third Party partners

The Third Party partners of the NSA are the signals intelligence agencies of some 33 countries. Cooperation is based on formal, bilateral agreements, but the actual scope of the relationship varies from country to country and from time to time. Unlike the Second Party partners, Third Party partners do spy on each other.


Germany

Information paper: NSA Intelligence Relationship with Germany, January 17, 2013

(Published by Der Spiegel on June 18, 2014)


What NSA provides to the Partner:

NSA has provided a significant amount of hardware and software at BND expense, as well as associated analytic expertise to help the BND independently maintain its FORNSAT [Foreign Satellite collection] capability. NSA also exchanges intelligence reporting on both military and non-military targets.


What the Partner provides to NSA:

NSA is provided access to FORNSAT communications supporting counter-narcotics (CN), counter-terrorism (CT), [redacted], and Weapons of Mass Destruction (WMD) missions and is an important source of information on drug trafficking and force protection in Afghanistan. The BND provides Igbo language support by translating NSA collection of a high-value, time-sensitive [redacted] target. NSA is seeking the proper approvals to accept BND language support in [one line redacted]. In addition to the day-to-day collection, the Germans have offered NSA unique accesses in high interest target areas.





Israel

Information paper: NSA Intelligence Relationship with Israel, April 19, 2013

(Published by The Intercept on August 4, 2014)


What NSA provides to the Partner:

The Israeli side enjoys the benefits of expanded geographic access to world-class NSA cryptanalytic and SIGINT engineering expertise, and also gains controlled access to advanced U.S. technology and equipment via accomodation buys and foreign military sales.


What the Partner provides to NSA:

Benefits to the U.S. include expanded geographic access to high priority SIGINT targets, access to world-class Israeli cryptanalytic and SIGINT engineering expertise, and access to a large pool of highly qualified analysts.





Norway

Information paper: NSA Intelligence Relationship with Norway, April 17, 2013

(Published by Dagbladet on December 17, 2013)


What NSA provides to the Partner:

- Daily TS//SI-level counter-terrorism (CT) reports shared multilaterally;
- Frequent exchanges of technical data and analytic expertise on CT targets, [one line redacted] and other threats to Norway's national security;
- Daily force protection support in Afghanistan and technical expertise to support target development of Afghan insurgent targets;
- Regular reporting on counter-proliferation (CP) topics [redacted]
- Ad-hoc reporting and analytic expertise on [redacted]
- Exchanges of reporting, tech data and analytic expertise on [redacted]
- Tech data and expertise on cryptanalytic topics of mutual interest; and
- FORNSAT communications metadata


What the Partner provides to NSA:

- SIGINT analysis as well as geolocational and communications metadata specific to Afghan targets of mutual interest (this analysis also supports Norwegian Special Operations Forces (when deployed);
- All-source analysis specific to Afghan targets of mutual interest. The analysis is based on operations conducted jointly between Norway and local and/or coalition authorities;
- Potential to leverage NIS [Norwegian Intelligence Service] FORNSAT capabilities to augment NSA collection against high priority CP SIGINT targets;
- Potential to leverage NIS unique access to SIGINT on high priority CT targets; [redacted]
- SIGINT reports on Russian civil targets of mutual targets, particularly Russian energy policy;
- FORNSAT communications metadata; and
- [one line redacted]





Saudi Arabia

Information paper: NSA Intelligence Relationship with Saudi Arabia, April 8, 2013

(Published by The Intercept on July 25, 2014)


What NSA provides to the Partner:

NSA/CSS provides technical advice on SIGINT topics such as data exploitation and target development to TAD [Technical Affairs Directorate of the Ministry of Interior] as well as a sensitive source collection capability.

NSA/CSS provides a sensitive decryption service to the Ministry of Interior against terrorist targets of mutual interest.


What the Partner provides to NSA:

NSA leverages MOD RRD [Ministry of Defense Radio Reconnaissance Department] access to remote geography in the Arabian Gulf but provides no finished SIGINT reporting to NSA/CSS, however; they have provided unencrypted collection against the IRGC QODS Maritime Force targets of mutual interest from their collection system [redacted].

TAD provides sensitive access to unique collection containing AQAP terrorist targets of mutual interest.





Sweden

Information paper: NSA Intelligence Relationship with Sweden, April 18, 2013

(Published by SVT Nyheter on December 5, 2013)


What NSA provides to the Partner:

- Technical support, collection, processing equipment and training
- NSA accepts selectors from FRA and tasks them to approved NSA collection sites
- [one line redacted]
- [one line redacted]
- Accomodation purchases of equipment
- Membership in multinational forums


What the Partner provides to NSA:

- Unique intelligence on Russia, the Baltic, Middle East, and counter-terrorism (CT)
- Outstanding and unique input of ELINT signals
- Access for special collection initiatives
- Collaboration on cryptanalytic issues





Turkey

Information paper: NSA Intelligence Relationship with Turkey, April 15, 2013

(Published by Der Spiegel on August 31, 2014)


What NSA provides to the Partner:

- NSA provides equipment, technology, training, and U.S. SIGINT requirements and reporting to the Turkish partner to better assist NSA in fulfilling U.S. intelligence requirements.

- In terms of equipment and technology NSA provides both collection and cryptographic equipment. A Cryptographic Modernization program is under way with both partners [MIT and SIB] to upgrade encryption on all shared and some non-shared communications links. A High Frequency Direction Finding (HFDF) collection site is [two line redacted] NSA also provides decryption of DHKP/C internet traffic the Turks collect.

- U.S. SIGINT requirements and reporting cover military and paramilitary targets in [redacted] and the KGK [Kurdistan Workers' Party]. This reporting is a mixture of near-real time and product "Tear Line" reports and analysis.

- NSA provides daily interaction and actionable intelligence on foreign fighter Sunni extremists, against both Turkish and non-Turkish individuals. NSA provides regional Tactical [redacted] reporting in two hour increments.


What the Partner provides to NSA:

- The partner provides near real time reporting on military air, naval, ground, and paramilitary targets in Russia, [redacted] Georgia, Ukraine, and on KGK targets, as well as daily summary reporting of Black Sea and CIS Naval and Air activity and [redacted]

[one paragraph redacted]

- NSA enjoys joint operational access to the HFDF site in [redacted] which, in turn, functions as a node on NSA's world-wide CROSSHAIR HFDF geolocation service. The U.S. and 2nd Parties receive approximately 400,000 fixes yearly utilizing Lines-of-Bearing from the [redacted] site while the Turks receive approximately 5000 fixes yearly from its regional usage of CROSSHAIR, an 80 to 1 ratio in FVEY's favor.

- NSA receives Turkish transcripts of KGK voice collection. Cooperation on the KGK target by the U.S. Intelligence Community in Ankara has increased across the board since the May 2007 DNI Memorandum encouraged all to do so.


Section from the information paper about the NSA's relationship with Turkey




Some characteristics

According to the quid pro quo-principle, we see that for each of these foreign partners, the things that NSA provides to the partner roughly equal what the partner provides to the NSA - at least according to the length of the sections in the information papers. The actual content of what each party provides is often very different, as was described in an internal interview from 2009 about the nature of the NSA's Third Party relationships:

"Generally speaking, our Third Party partners want access to our technology, as well as our regional/global reach. In exchange for providing unique accesses, regional analytical expertise, foreign language capabilities and/or I&W [Indications & Warning] support, we provide them with technical solutions (e.g., hardware, software) and/or access to related technology." The partners usually "know their regional hoods better than we do and they exponentially add to our foreign language capability."

When the information papers speak about providing data about "targets of mutual interest", the interview explains: "We must keep in mind that our partners are attempting to satisfy their own national intelligence requirements; with the exception of the assistance we provide during crises, we can only move our SIGINT relationships forward, when U.S. requirements intersect with theirs." This also depends on how long and deep such a relationship is:

"Many of our relationships have, indeed, spanned several decades, allowing us to establish higher degrees of trust with and reliance on one another. This, in turn, has led to greater levels of cooperation, where, for instance, NSA might be willing to share advanced techniques with a proven and reliable partner, in return for that partner's willingness to do something politically risky. Trust requires years to build up but can be lost in a very short period of time."

And finally, the interview also explains: "For a variety of reasons, our intelligence relationships are rarely disrupted by foreign political pertubations, international or domestic. First, we are helping our partner address critical intelligence shortfalls, just as they are assisting us. Second, in many of our foreign partners' capitals, few senior officials outside of their defense-intelligence apparatuses are witting to an SIGINT connection to the U.S./NSA."