November 3, 2021

Edward Snowden and the targeted drone killing campaign

Two weeks ago, on October 22, a new document from the Snowden files was published for the first time in over two years. It's an entry from Intellipedia about the American drone killing campaign that was released by journalist and writer Spencer Ackerman.

While the content of the document is hardly significant, its form is remarkably similar to an Intellipedia entry that was published in 2015, which leads us to Snowden's interest in the drone killings and The Drone Papers that Daniel Hale leaked to The Intercept.

Ackerman's publication

Except for five new partial documents published in Barton Gellman's book Dark Mirror in May 2020, the last release of files from the Snowden trove was in May 2019, when The Intercept and the Norwegian broadcaster NRK published a range of documents about NSA's Real Time Regional Gateway (RT-RG) collection system. Two months earlier, the publisher of The Intercept had already decided to shut down the Snowden archive.

The new document comes from the cache of Snowden documents that is kept by the American documentary filmmaker Laura Poitras, who now lives in Berlin. According to Ackerman, Poitras was preparing for her exhibition Parallel Construction that marked the 20th anniversary of 9/11, when she "came across the Intellipedia entry and realized no one had ever published it" and then gave him a copy of it.

Ackerman published the document on Substack, an online platform for journalistic articles and newsletters, where he has an account called Forever Wars to "chronicle, investigate and interrogate the continuities, departures and permutations of the War on Terror". There he discusses the Intellipedia entry in an article titled "On U.S. Intelligence’s Wiki, Anxiety About Legal Challenges To Drone Strikes".

The Intellipedia entry (full document) published by Spencer Ackerman

The Intellipedia entry provides a summary of policies and opinions about the issue of targeted (drone) killings, mostly based upon public news reports and therefore almost all the content is unclassified. What Ackerman thinks is newsworthy is "the document's occasionally alarmist depiction of legal and political challenges to the strikes" and that it shows a "paranoid" feeling among US intelligence analysts.

Apparently this is only based on the following sections in the Intellipedia entry, which actually hardly support Ackerman's interpretation:

- "Those opposing targeted killing are increasing their organization and activities. If timing is more than coincidental, activists may coordinate their opposition efforts."

- "The effort may indicate a concerted effort by human rights organizations, activist international lawyers and opposition forces to undermine the use of remotely piloted vehicles, targeted killing, preemption and other direct action as elements of United States policy."

Ackerman also argues that the way the Intellipedia entry places "legal and political challenges to drone strikes on a continuum with warfare is of a piece with how U.S. intelligence can also view journalism on a continuum with espionage" - which refers to the prosecution of Julian Assange, who is seen by his supporters as an innocent journalist, while he actually engaged in acts of espionage and conspiracy against the United States.

A similar Intellipedia entry

More interesting than the content is the form of the newly disclosed document, because it turns out that it's very similar to another Intellipedia entry which is titled "Manhunting Timeline 2008" and was published by The Intercept in July 2015, along with a report about Israeli assassination operations:

Intellipedia entry (full document) published by The Intercept in 2015

This earlier Intellipedia entry is less blurry and has some additional details compared to the one published by Ackerman. First, it has all the navigation menus, including the one that's usually in the upper right corner of the browser window and includes the user name, something The Intercept forgot to redact in this case:

Another interesting detail is a message that appeared on top of the article to inform Intellipedia users that they should expect maintenance of the Intelink Instant Messenger (IIM) service on January 3, 2013.

This indicates that this document was viewed, stored and/or downloaded shortly before that date - a period when Snowden was a SharePoint systems administrator in the Office of Information Sharing at the NSA's regional Cryptologic Center in Hawaii.

Some details of the Intellipedia entry titled Manhunting Timeline 2008

Even more interesting are the markings at the very top and bottom of each page, which appear when an article is printed or saved through the "Printable version" option in the wiki interface: at the bottom of each page there's the URL (redacted, but remarkably long) and the page number, while at the top of the page there's the date and the title of the article, in this case "Manhunting Timeline 2008 - Intellipedia".

The date on this document is "6/2/2015" or June 2, 2015, which is more than two years after Snowden left the NSA, but just a month before The Intercept published it. Because one of the URLs has not been completely redacted, we see that when the file was printed, it was not on an internal US government network, but on a local computer drive:

This indicates that Snowden provided the entry in a digital form and that The Intercept read and printed it using a locally installed Wiki engine. For publication the print was scanned to turn it into a digital file again, which now included the printing marks. Was this to make the Intellipedia entry look like other drone documents provided by Daniel Hale?

On the Intellipedia entry published by Ackerman we see a similar page title ("Targeted Killing: Policy, Legal and Ethical Controversy - Intellipedia") but no date and also no URL and page number, but maybe that's because the bottom parts of the pages have been cut off ("some excisions for caution that do not affect the document’s narrative" according to Ackerman):

Therefore, it's not clear when this document was printed, but given the fact that it's also a sub-topic of Intellipedia's main article about Manhunting, we can assume that Snowden provided it in digital form, just like the Manhunting Timeline 2008. So was the new document also printed to look like the earlier ones, or was it just a safer way to hand it over to Ackerman?

Documents in printed form are immediately reminiscent of the series of classified documents that were leaked by sources other than Edward Snowden. Most, but not all of them were eventually traced back to former NSA and NGA contractor Daniel Hale, who was arrested in May 2019. It turned out that in 2014 he printed a range of classified documents which were subsequently published by The Intercept.

Snowden and the drone killings

Daniel Hale's aim was to provide information about the drone strikes in order to end these lethal operations and it seems that Snowden was interested in this issue too, besides his main goal of fighting mass surveillance by the US government.

Already in October 2013, The Washington Post reported about a file which was "part of a collection of records in the Snowden trove that make clear that the drone campaign — often depicted as the CIA's exclusive domain — relies heavily on the NSA's ability to vacuum up enormous quantities of e-mail, phone calls and other fragments of signals intelligence, or SIGINT."

This sounds like Snowden had made a folder with various documents about drone killings, similar to the folders he had created about other topics in which he had a special interest, like operations of the NSA divisions TAO (hacking) and SSO (cable tapping). Journalist Barton Gellman confirms that the encrypted archive with some 50,000 documents he and Laura Poitras received in May 2013 was "neatly organized in folders".

Revelations about targeted drone killings

Despite this apparently special collection of records, there have been only very few revelations about the NSA's involvement in targeted drone killings:

- The first one was on October 16, 2013, by The Washington Post, titled Documents reveal NSA’s extensive involvement in targeted killing program, but this piece only refers to documents instead of publishing them.

- On February 10, 2014, The Intercept came with an article called The NSA’s Secret Role in the U.S. Assassination Program, which is based on accounts by "a former drone operator for the military's Joint Special Operations Command (JSOC) who also worked with the NSA" (Daniel Hale?) with some additional snippets from the Snowden trove.

- On July 15, 2015, The Intercept published the Intellipedia entry with the Manhunting Timeline 2008 as part of a report titled Israeli Special Forces Assassinated Senior Syrian Official.

That's not much, although Snowden's selection of drone-related documents may also have included files about NSA programs in support of the drone killings, like systems for tracing potential targets by geolocating their mobile phones, or the role of Menwith Hill Station in the United Kingdom, for example.

The drone killings as a trigger for Snowden?

According to Glenn Greenwald's book No Place to Hide from May 2014, Snowden was already confronted with drone operations during his job at the NSA's Pacific Technical Center (PTC) at Yokota Air Base, near Tokyo in Japan, where he worked as a systems administrator from August 2009 to September 2010:

"The stuff I saw really began to disturb me", Snowden said, and: "I could watch drones in real time as they surveilled the people they might kill. You could watch entire villages and see what everyone was doing. I watched NSA tracking people's Internet activities as they typed. I became aware of just how invasive US surveillance capabilities had become" (p. 43).

According to Greenwald, Snowden then began to feel an increasingly urgent obligation to leak what he was seeing, which makes it remarkable that this experience isn't mentioned in his own book, Permanent Record, which was published in September 2019.

In this book, Snowden only presents the press reports about the drone killing of Anwar al-Aulaqi as an example of how the US government itself is also leaking classified information when it serves its own interest (p. 237-238).

And instead of the drone campaign, Permanent Record comes up with two other "atomic moments" which Snowden experienced while he was in Japan: learning about the domestic mass surveillance of the Chinese government and the STELLARWIND report about President Bush's warrantless wiretapping program.

Later, however, Snowden said that he discovered the STELLARWIND report only much later, somewhere in 2012, when he was working at the NSA in Hawaii. Snowden actually changed the narrative several times about what the decisive moment for his actions was (another one was the Clapper testimony), but if there is indeed a separate folder with drone killing documents, that would confirm a special interest in this topic.

Daniel Hale's leaks

Daniel Hale had an experience similar to Snowden's in Japan, but only in March 2012, a few days after he arrived in Afghanistan to work as an intelligence analyst at Bagram Airfield. There he witnessed how a group of men were killed by a drone strike, just because one of them carried a targeted cell phone. Since then he had increasing moral objections against these operations.

In April 2013, Hale attended a presentation of Jeremy Scahill's book Dirty Wars: The World Is a Battlefield about the drone killings program under president Obama. As of June they contacted each other by phone and by e-mail and in September Scahill asked Hale to set up a Jabber account for encrypted chat conversations.

On October 16, 2013, The Washington Post published its piece about how documents provided by Snowden revealed the NSA's involvement in the targeted killing program. This article may have provided additional inspiration to Hale, because in December 2013 he accepted a new job at the National Geospatial-Intelligence Agency (NGA).

Although he felt uneasy, Hale said he took the job because "the money I could make was by far more than I had ever made before" - but maybe it was also an opportunity to get access to classified military information again, similar to Snowden who took his job at Booz Allen to get access to additional documents.

Between February and August 2014, Hale printed 23 mostly classified documents, 17 of which he provided to Jeremy Scahill, who then worked for Greenwald's new online news outlet The Intercept. Somewhere in the same period Greenwald traveled to Moscow and informed Snowden about a new source with important information about the drone program, which was shown in Laura Poitras' film Citizenfour from October 2014:

Glenn Greenwald informing Edward Snowden about The Intercept's new source
(still from the documentary film Citizenfour)

In the Summer of 2014, The Intercept had already published two of Hale's documents about NCTC watchlisting, but it took until April 17, 2015 for The Intercept and Der Spiegel to publish a Top Secret diagram about the drone operations and on October 15, 2015, The Intercept finally released four classified documents along with eight articles as "The Drone Papers".


For Snowden, who called it "the most important national security story of the year", The Drone Papers must have been a triumph because finally someone had followed in his footsteps and leaked details about the drone program which he was apparently also concerned about for years.

However, it was also a bitter defeat, because just three days after Daniel Hale had printed out his last document, the FBI had already tracked him down and raided his home (he was arrested in May 2019 and eventually sentenced to 45 months in prison). Is this why there's nothing about Hale, nor about the NSA's involvement in drone killing operations in Snowden's book Permanent Record?

Another question is why Laura Poitras thought Spencer Ackerman should publish a rather uninteresting Intellipedia entry. Was there really nothing more interesting about this topic among the Snowden files? Or was it a signal that, unlike The Intercept, she is still willing to publish things from the Snowden archive?

Links and sources
- Forever Wars: On U.S. Intelligence’s Wiki, Anxiety About Legal Challenges To Drone Strikes (2021)
- CNN: A 'second Snowden' leaks to the Intercept about 'drone wars' (2015)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (2015)
- The Washington Post: Documents reveal NSA’s extensive involvement in targeted killing program (2013)

May 18, 2021

What the NSA provides to its foreign partners, and vice versa

(Updated: November 3, 2021)

The cooperation between (signals) intelligence agencies of different countries is strictly quid pro quo, which means what you get is equivalent to what you give. This is perfectly illustrated by a small series of documents from the Snowden trove, which summarize what the NSA provides to its foreign partners, along with what they provide to the NSA.

Three of these documents are about the NSA's Second Party partners (better known as the Five Eyes): Canada, Australia and New Zealand, and six about Third Party partners: Germany, Israel, Norway, Saudi Arabia, Sweden and Turkey. Another NSA document provides some characteristics of these relationships.

The documents about the various NSA partners are information papers prepared by the Country Desk Officer (CDO) for the particular country at the NSA's Foreign Affairs Directorate (FAD). All but one date from April 2013, which is just a month before Snowden left the agency. It's not known whether there are also papers about other NSA partners among the Snowden files.

The information papers describe the relationship between the NSA and the foreign partner in a standardized way: they all start with an introduction, mention some "Key Issues", followed by "What NSA Provides to Partner" and "What Partner Provides to NSA". The papers end with "Success Stories" and "Problems/Challenges with the Partner".

For readability, the portion markings with the classification level for each paragraph have been removed and some abbreviations are written in full.

Second Party partners

The Second Party partners of the NSA are the signals intelligence agencies of the United Kingdom, Canada, Australia and New Zealand. These five countries are also known as the Five Eyes. Their SIGINT systems are highly integrated and the partners are not supposed to spy on each other.


Information paper: NSA Intelligence Relationship with Canada's CSEC, April 3, 2013

(Published by CBC on December 9, 2013)

What NSA provides to the Partner:

SIGINT: NSA and CSEC cooperate in targeting approximately 20 high-priority countries [two lines redacted]. NSA shares technological developments, cryptologic capabilities, software and resources for state-of-the-art collection, processing and analytic efforts, and IA capabilities. The intelligence exchange with CSEC covers worldwide national and transnational targets. No Consolidated Cryptologic Program (CCP) money is allocated to CSEC, but NSA at times pays R&D and technology costs on shared projects with CSEC.

[two paragraphs redacted]

What the Partner provides to NSA:

CSEC offers resources for advanced collection, processing and analysis, and has opened covert sites at the request of NSA. CSEC shares with NSA their unique geographic access to areas unavailable to the U.S. [redacted], and provides cryptologic products, cryptanalysis, technology, and software. CSEC has increased its investment in R&D projects of mutual interest. [several lines redacted].

[at least two paragraphs redacted]


Information paper: NSA Intelligence Relationship with Australia, April 2013

(Published by The Intercept and ABC on August 18, 2017)

What NSA provides to the Partner:

NSA provides cryptologic products/services to the Government of Australia through DSD, on virtually all subjects, particularly those related to the Pacific Rim. NSA shares technology, cryptanalytic capabilities, and resources for state-of-the-art collection, processing and analytic efforts. NSA will continue to work closely with Australia to meet its commitments as the U.S reallocates efforts toward Asia and the Pacific.

What the Partner provides to NSA:

NSA and DSD have agreed to specific divisions of effort, with the Australians solely responsible for reporting on multiple targets in the Pacific area, including Indonesia, Malaysia, and Singapore, based on their unique language capabilities and geographic accesses. In addition, DSD has primary reporting responsibility [redacted] regardless of geographic region. DSD provides access to commercial and foreign/domestic satellites from sites in Geraldton and Darwin, High Frequency (HF) collection and Direction Finding (DF) from three sites; and, manning of the operations floor at Joint Defense Facility at Pine Gap (RAINFALL), a site which plays a significant role in supporting both intelligence activities and military operations. In addition, DSD provides NSA with access to terrorism-related communications collected inside Australia.

New Zealand

Information paper: NSA Intelligence Relationship with New Zealand, April 2013

(Published by NZ Herald on March 11, 2015)

What NSA provides to the Partner:

NSA provides raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.

What the Partner provides to NSA:

GCSB provides collection on China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antarctica; as well as, French police and nuclear testing activities in New Caledonia [two lines redacted].

Third Party partners

The Third Party partners of the NSA are the signals intelligence agencies of some 33 countries. Cooperation is based on formal, bilateral agreements, but the actual scope of the relationship varies from country to country and from time to time. Unlike the Second Party partners, Third Party partners do spy on each other.


Information paper: NSA Intelligence Relationship with Germany, January 17, 2013

(Published by Der Spiegel on June 18, 2014)

What NSA provides to the Partner:

NSA has provided a significant amount of hardware and software at BND expense, as well as associated analytic expertise to help the BND independently maintain its FORNSAT [Foreign Satellite collection] capability. NSA also exchanges intelligence reporting on both military and non-military targets.

What the Partner provides to NSA:

NSA is provided access to FORNSAT communications supporting counter-narcotics (CN), counter-terrorism (CT), [redacted], and Weapons of Mass Destruction (WMD) missions and is an important source of information on drug trafficking and force protection in Afghanistan. The BND provides Igbo language support by translating NSA collection of a high-value, time-sensitive [redacted] target. NSA is seeking the proper approvals to accept BND language support in [one line redacted]. In addition to the day-to-day collection, the Germans have offered NSA unique accesses in high interest target areas.


Information paper: NSA Intelligence Relationship with Israel, April 19, 2013

(Published by The Intercept on August 4, 2014)

What NSA provides to the Partner:

The Israeli side enjoys the benefits of expanded geographic access to world-class NSA cryptanalytic and SIGINT engineering expertise, and also gains controlled access to advanced U.S. technology and equipment via accommodation buys and foreign military sales.

What the Partner provides to NSA:

Benefits to the U.S. include expanded geographic access to high priority SIGINT targets, access to world-class Israeli cryptanalytic and SIGINT engineering expertise, and access to a large pool of highly qualified analysts.


Information paper: NSA Intelligence Relationship with Norway, April 17, 2013

(Published by Dagbladet on December 17, 2013)

What NSA provides to the Partner:

- Daily TS//SI-level counter-terrorism (CT) reports shared multilaterally;
- Frequent exchanges of technical data and analytic expertise on CT targets, [one line redacted] and other threats to Norway's national security;
- Daily force protection support in Afghanistan and technical expertise to support target development of Afghan insurgent targets;
- Regular reporting on counter-proliferation (CP) topics [redacted]
- Ad-hoc reporting and analytic expertise on [redacted]
- Exchanges of reporting, tech data and analytic expertise on [redacted]
- Tech data and expertise on cryptanalytic topics of mutual interest; and
- FORNSAT communications metadata

What the Partner provides to NSA:

- SIGINT analysis as well as geolocational and communications metadata specific to Afghan targets of mutual interest (this analysis also supports Norwegian Special Operations Forces (when deployed));
- All-source analysis specific to Afghan targets of mutual interest. The analysis is based on operations conducted jointly between Norway and local and/or coalition authorities;
- Potential to leverage NIS [Norwegian Intelligence Service] FORNSAT capabilities to augment NSA collection against high priority CP SIGINT targets;
- Potential to leverage NIS unique access to SIGINT on high priority CT targets; [redacted]
- SIGINT reports on Russian civil targets of mutual targets, particularly Russian energy policy;
- FORNSAT communications metadata; and
- [one line redacted]

Saudi Arabia

Information paper: NSA Intelligence Relationship with Saudi Arabia, April 8, 2013

(Published by The Intercept on July 25, 2014)

What NSA provides to the Partner:

NSA/CSS provides technical advice on SIGINT topics such as data exploitation and target development to TAD [Technical Affairs Directorate of the Ministry of Interior] as well as a sensitive source collection capability.

NSA/CSS provides a sensitive decryption service to the Ministry of Interior against terrorist targets of mutual interest.

What the Partner provides to NSA:

NSA leverages MOD RRD [Ministry of Defense Radio Reconnaissance Department] access to remote geography in the Arabian Gulf but provides no finished SIGINT reporting to NSA/CSS, however; they have provided unencrypted collection against the IRGC QODS Maritime Force targets of mutual interest from their collection system [redacted].

TAD provides sensitive access to unique collection containing AQAP terrorist targets of mutual interest.


Information paper: NSA Intelligence Relationship with Sweden, April 18, 2013

(Published by SVT Nyheter on December 5, 2013)

What NSA provides to the Partner:

- Technical support, collection, processing equipment and training
- NSA accepts selectors from FRA and tasks them to approved NSA collection sites
- [one line redacted]
- [one line redacted]
- Accommodation purchases of equipment
- Membership in multinational forums

What the Partner provides to NSA:

- Unique intelligence on Russia, the Baltic, Middle East, and counter-terrorism (CT)
- Outstanding and unique input of ELINT signals
- Access for special collection initiatives
- Collaboration on cryptanalytic issues


Information paper: NSA Intelligence Relationship with Turkey, April 15, 2013

(Published by Der Spiegel on August 31, 2014)

What NSA provides to the Partner:

- NSA provides equipment, technology, training, and U.S. SIGINT requirements and reporting to the Turkish partner to better assist NSA in fulfilling U.S. intelligence requirements.

- In terms of equipment and technology NSA provides both collection and cryptographic equipment. A Cryptographic Modernization program is under way with both partners [MIT and SIB] to upgrade encryption on all shared and some non-shared communications links. A High Frequency Direction Finding (HFDF) collection site is [two lines redacted] NSA also provides decryption of DHKP/C internet traffic the Turks collect.

- U.S. SIGINT requirements and reporting cover military and paramilitary targets in [redacted] and the KGK [Kurdistan Workers' Party]. This reporting is a mixture of near-real time and product "Tear Line" reports and analysis.

- NSA provides daily interaction and actionable intelligence on foreign fighter Sunni extremists, against both Turkish and non-Turkish individuals. NSA provides regional Tactical [redacted] reporting in two hour increments.

What the Partner provides to NSA:

- The partner provides near real time reporting on military air, naval, ground, and paramilitary targets in Russia, [redacted] Georgia, Ukraine, and on KGK targets, as well as daily summary reporting of Black Sea and CIS Naval and Air activity and [redacted]

[one paragraph redacted]

- NSA enjoys joint operational access to the HFDF site in [redacted] which, in turn, functions as a node on NSA's world-wide CROSSHAIR HFDF geolocation service. The U.S. and 2nd Parties receive approximately 400,000 fixes yearly utilizing Lines-of-Bearing from the [redacted] site while the Turks receive approximately 5000 fixes yearly from its regional usage of CROSSHAIR, an 80 to 1 ratio in FVEY's favor.

- NSA receives Turkish transcripts of KGK voice collection. Cooperation on the KGK target by the U.S. Intelligence Community in Ankara has increased across the board since the May 2007 DNI Memorandum encouraged all to do so.

Section from the information paper about the NSA's relationship with Turkey

Some characteristics

According to the quid pro quo principle, we see that for each of these foreign partners, the things that NSA provides to the partner roughly equal what the partner provides to the NSA - at least according to the length of the sections in the information papers. The actual content of what each party provides is often very different, as was described in an internal interview from 2009 about the nature of the NSA's Third Party relationships:

"Generally speaking, our Third Party partners want access to our technology, as well as our regional/global reach. In exchange for providing unique accesses, regional analytical expertise, foreign language capabilities and/or I&W [Indications & Warning] support, we provide them with technical solutions (e.g., hardware, software) and/or access to related technology." The partners usually "know their regional hoods better than we do and they exponentially add to our foreign language capability."

When the information papers speak about providing data about "targets of mutual interest", the interview explains: "We must keep in mind that our partners are attempting to satisfy their own national intelligence requirements; with the exception of the assistance we provide during crises, we can only move our SIGINT relationships forward, when U.S. requirements intersect with theirs." This also depends on how long and deep such a relationship is:

"Many of our relationships have, indeed, spanned several decades, allowing us to establish higher degrees of trust with and reliance on one another. This, in turn, has led to greater levels of cooperation, where, for instance, NSA might be willing to share advanced techniques with a proven and reliable partner, in return for that partner's willingness to do something politically risky. Trust requires years to build up but can be lost in a very short period of time."

And finally, the interview also explains: "For a variety of reasons, our intelligence relationships are rarely disrupted by foreign political perturbations, international or domestic. First, we are helping our partner address critical intelligence shortfalls, just as they are assisting us. Second, in many of our foreign partners' capitals, few senior officials outside of their defense-intelligence apparatuses are witting to an SIGINT connection to the U.S./NSA."

April 7, 2021

The communications systems at the US Central Command headquarters

(Updated: April 11, 2021)

Previously, this weblog provided a close look at the phones used by US president Biden. This time we turn to another end of the line and look at the communications equipment which is used at the headquarters of the US Central Command in Tampa, Florida.

A recent 60 Minutes television report provides an unprecedented look inside the Central Command's operations center, where we see the general military communications equipment, followed by some more special devices used by the commander, who also has access to the virtual Desktop Environment for the US intelligence agencies.

Large operations center in the Central Command headquarters, January 2021
(still from 60 Minutes)

The 60 Minutes television report shows never-before-seen video footage of the Iranian ballistic missile attack from January 7, 2020 on the Al Asad Airbase in Iraq, where 2000 US troops were stationed. The attack was a retaliation for the American drone strike from January 3, which killed the Iranian general Qasem Soleimani, commander of the Quds Force.

The report also includes an interview with general Frank McKenzie, combatant commander of the US Central Command, who leads the US armed forces in the Middle East. McKenzie followed the Iranian missile attack on the Al Asad Airbase at his headquarters, from where he had ordered the killing of general Soleimani six days earlier.

The Central Command headquarters

The United States Central Command (USCENTCOM) was established in 1983 and is one of the eleven unified combatant commands of the US Armed Forces. Its Area of Responsibility (AOR) includes the Middle East, Egypt, Central Asia and parts of South Asia.

CENTCOM's main headquarters is not in its area of operations, but at MacDill Air Force Base in Tampa, Florida, where a new 282,200-square-foot headquarters building was completed in 2012.

The new building includes specialized mission critical spaces like the Command Joint Operations Center, Joint Planning Cell and Operational Planning Element, Network Operations Center and the Command Secure Communications Operations Center.

The headquarters of the US Central Command at MacDill Air Force Base
(photo: Burns & McDonnell)

The new headquarters building includes more than 109,000 square feet of Sensitive Compartmented Information Facility (SCIF) and space constructed according to sound transmission class (STC) 45 and 50 to support secured operations.

Relevant antiterrorism standards, including progressive collapse mitigation by means of tie forces, were also incorporated in the new headquarters. All concrete contains ground granulated blast furnace slag and fly ash for LEED compliance.

On the website of the construction company there's an earlier photo of the interior of the building showing standard workstations equipped with two computer screens, an Avocent SwitchView KVM switch, a smartcard reader, the ubiquitous HP keyboard, a mouse and two telephone sets: a Nortel Meridian 3903 and a Cisco 7975 IP Phone, one for secure and one for non-secure calls:

Interior of the Central Command headquarters at MacDill Air Force Base
(photo: Burns & McDonnell)

Military communications equipment

The communications equipment that is currently used at the Central Command headquarters can be seen in the 60 Minutes television report, which shows shots from inside a large and a small operations room.

In the large operations room we see big video screens along the walls and several rows of workstations, each with two sets of communications equipment, one set for access to classified telephone and computer networks and another set for unclassified networks.

According to the color codes of the US classification system the telephones and the smartcard readers have the green label for Unclassified systems and the red label for Secret systems.

Large operations center in the Central Command headquarters, January 2021
(still from 60 Minutes)

Computer systems

Some of the computer screens show a bright red lock screen with the text "This information system is accredited to process - SECRET - For authorized purposes only", which means that they are part of SIPRNet, the main classified secure network of the US military for tactical and operational information. The military's unclassified non-secure computer network is known as NIPRNet.

Identifying authorized users for NIPRNet is done through the Common Access Card, which is the standard identification for active US defense personnel. Access to SIPRNet requires the SIPRNet token, which is also a smartcard, but without visible identification information.

Coalition networks

Besides NIPRNet and SIPRNet, the Central Command also has separate computer networks for collaboration with foreign partners. For the members of bilateral and multinational coalitions, the United States provides a network architecture called Combined Enterprise Regional Information eXchange System (CENTRIXS), which operates at the classification level Secret/Releasable to [country identifier].

The first CENTRIXS networks were established as of late 2001 by the US Central Command in order to support coalition operations under Operation Enduring Freedom (OEF). This resulted in CENTRIXS-ISAF for operations in Afghanistan and CENTRIXS-GCTF for the Global Counter Terrorism Forces. Meanwhile, both systems have been integrated in the CENTCOM Partner Network (CPN).

The various networks in CENTCOM's area of responsibility
(source)

A CENTRIXS network consists of servers and thin clients and provides users with at least the following computer applications, giving them the same basic capabilities as users of classified US systems:
- Microsoft Office
- Command and Control Personal Computer (C2PC)
- Integrated Imagery and Intelligence (I3)

These applications allow access to the releasable Near-Real Time (NRT) order of battle from the MIDB database (to be replaced by MARS) and imagery databases and to display the data on a map background. They can also access various browser-based products, send e-mails with attachments and conduct collaboration sessions.

For US military users, these applications are part of the Global Command and Control System (GCCS), which encompasses a suite of over 200 client-server tools and applications for fusing data from multiple sensors and intelligence sources to produce a graphical representation of the battlespace.

Interface of the Command and Control Personal Computer (C2PC) application
(source)

Telephone systems

In the large operations center at CENTCOM's headquarters there is also a range of Cisco IP phones, some being the older 7975, others the current 8841. The Cisco 8841 IP phones look like the ones that are commercially available, but are actually modified versions from the small telecommunications security company CIS Secure Computing Inc.

These modified phones are approved for use in SCIF and SAPF environments and offer additional on-hook security features which can be engaged for the 'hold' and 'mute' functions while in a call. Speakerphone functionality isn't disabled, but is protected with the on-hook security of the positive disconnect electronics.

Several workstations even have a third telephone set: a Cisco IP Phone 8845, which has a video camera on top for video calls. According to their display background, these phones appear to be for the video conferencing service of the Desktop Environment (DTE, see below) which runs on the Top Secret/SCI intelligence sharing network JWICS.

Operations center in the Central Command headquarters, January 2021
(still from 60 Minutes)

The commander's communications equipment

The 60 Minutes television report followed general McKenzie into a small room off his main operations center in the Central Command headquarters. There we see equipment similar to that in the large room, such as computers connected to SIPRNet, in this case for senior staff officers, like the:
- Director of Operations (J3)
- Commander's Action Group (CAG)
- Command Senior Enlisted Leader (CSEL)
- Staff Judge Advocate (SJA)

General McKenzie entering a small operations room, January 2021
(still from 60 Minutes)

In this small room, commander McKenzie has additional communications equipment that does not seem to be available to the personnel in the large operations center. When he is being interviewed at his place at the table (see the television still below), we see from left to right:

- A Cisco DX 70 video screen with video camera, probably for the Secure Video Teleconferencing System (SVTS) which is part of the Crisis Management System (CMS) and allows top-level video meetings.

- A Cisco IP Phone 8841 with a distinctive yellow bezel for the highly secure Executive Voice over Secure IP-network which is also part of the Crisis Management System (CMS) and connects the President, the National Security Council, Cabinet members, the Joint Chiefs of Staff, various intelligence agency watch centers, headquarters, and Continuity of Operations (COOP) sites.

- A Touchscreen Executive Phone (TXP) with two additional 50-button Touchscreen Line Expansion units (TLE), manufactured by the small telecommunications security company Telecore, Inc., which also made the Integrated Services Telephone (IST-2) that was on the Oval Office desk of presidents Bush and Obama. These devices are specifically designed for the Defense Red Switch Network (DRSN), which offers full command and control and conferencing capabilities for military commanders up to the level of Top Secret/SCI.

- A Cisco IP Phone 8865 with video camera and a Key Expansion Module. The phone has labels for Top Secret (orange) and Top Secret/SCI (yellow) and appears to be for the video conferencing service of the Desktop Environment (DTE, see below) which runs on JWICS, the main network for intelligence sharing within the US military and the US intelligence community.

- A Cisco IP Phone 8851 with a Key Expansion Module and a label for the classification level Secret (red), which means it runs on SIPRNet and is therefore Voice over Secure IP (VoSIP).

General McKenzie's communications equipment in the small operations room
(still from 60 Minutes)

According to the 60 Minutes report, it was in this small room where during the missile attack on the Al Asad Airbase, commander McKenzie "could talk directly to the only two people above him in the chain of command" - the Secretary of Defense and the President. To illustrate this, the speed dial buttons on the commander's Touchscreen Executive Phone were shown.

Normally such buttons are blurred out, but here we can clearly see that McKenzie has direct lines to the White House, the Secretary of Defense (SecDef), his house (SecDef Home) and his communications center (SecDef Cables), as well as to the National Military Command Center (NMCC) and the Chairman of the Joint Chiefs of Staff (CJCS XO), among others:

The speed dial buttons on general McKenzie's Touchscreen Executive Phone
(still from 60 Minutes)

The commander's computers

The same telephones as in the small room appear at McKenzie's place in the large operations room, but here he also has two computer screens connected to a Vertiv Cybex Secure MultiViewer KVM switch which allows access to networks of different classification levels on a single screen.

Apparently the commander was logged in on one of the classified computer networks, as we can see the desktop background with several application icons - quite remarkable because usually during photo ops or television recordings only unclassified images should be visible.

At the top of the desktop background is a yellow bar which means it's JWICS, the intelligence sharing network for the US military and the US Intelligence Community at the classification level Top Secret/SCI. Unlike NIPRNet and SIPRNet, access to JWICS doesn't require a smartcard, but a software certificate: military users have to identify themselves with a DoD PKI certificate, others need an IC PKI certificate.

General McKenzie's workstation in the large operations center
(still from 60 Minutes)

The IC Desktop Environment

The desktop background on the commander's computer is deep blue and has the term "DESKTOP ENVIRONMENT (DTE)" with an image of the earth covered by a stylized network. In the bottom left corner we see the seals of the Defense Intelligence Agency (DIA) and the National Geospatial-Intelligence Agency (NGA) and some text.

This "Intelligence Community Desktop Environment" (IC DTE) was conceived in 2012 as a single, identical platform for the US Intelligence Community. As such it's the heart of a huge modernization project called Intelligence Community IT Enterprise (IC ITE), under which data will be stored and processed at the Commercial Cloud Services (C2S) managed by the CIA and the IC GovCloud managed by the NSA.

The implementation of the DTE was managed by the Joint Program Management Office (JPMO) led by DIA and NGA, while the software system was built by BAE Systems under a $300 million contract for five years. This was meant to result in the Next Generation Desktop Environment (NGDE), which is intended to bring virtual desktops at different classification levels to one physical computer.

Multiple computers for networks at different classification levels, ca. 2008.
(source)

With the Desktop Environment (DTE) analysts at DIA, NGA and other US intelligence agencies can go anywhere within these organizations, sit down at any Top Secret workstation, log in, authenticate, and get access to their e-mail, home directories, shared files, etc., which were previously stored on thick client computers at each workstation.

Besides a virtual desktop, the DTE also comes with a common suite of desktop applications and access to common services, including Unified Communications as a Service. Among the first applications were standard e-mail, collaboration tools and video conferencing capabilities. The NSA is responsible for an Apps Mall that incorporates apps stores of the various agencies.

The common collaboration tool for the DTE provides a single interface for secure voicemail integration with e-mail, peer-to-peer file sharing, a screen capture tool and Outlook calendar integration. When additional users transition into the common operating environment, this tool could serve as a single interface for community-wide collaboration. In 2014, there were already some 4,000 DTE users at DIA and NGA.

However, in 2018, John Sherman, chief information officer of the Intelligence Community, said they had come to the realization that it no longer made sense to deliver a standard capability to every agency and user given the differing architectures, security requirements and mission needs.

In order to reach the outcomes for which the DTE was initially created, the Collaboration Reference Architecture (CRA) was created. Agencies can now build applications which fit their own needs as long as they comply with the standards set by the CRA in order to ensure compatibility throughout the different systems.

Finally, the DTE is also a step towards an environment where security and tagging of data will be done at the data level, as opposed to the network level. Traditionally, access to information was based on which network you were on: DIA data were only accessible on the DIA's network, etc.

The idea is that there will be a common Intelligence Community network for which the Identification, Authentication and Authorization (IAA) project of the IC ITE provides access to data and information based on the different credentials of each individual user, so on who you are, what role you have and what accesses are available to you.
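The difference between a network-level and a data-level access decision, as an added example (not code from the IC ITE or IAA project). Every attribute name, tag, compartment label and user below is constructed for illustration; only the classification levels and the idea of releasability to a partner country come from the text above.

```python
from dataclasses import dataclass

# Classification levels named on the page, ordered low to high.
LEVELS = ("UNCLASSIFIED", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class User:
    user_id: str
    agency: str                          # the network the user sits on
    clearance: str
    roles: frozenset = frozenset()
    accesses: frozenset = frozenset()    # compartments the user is read into
    country: str = "USA"


@dataclass(frozen=True)
class Record:
    name: str
    owner_agency: str                    # the network the record lives on
    level: str
    compartments: frozenset = frozenset()
    roles_any: frozenset = frozenset()   # empty set = no role restriction
    releasable_to: frozenset = frozenset({"USA"})


def network_level_decision(user, record):
    """Traditional model: being on the owner's network is the only check."""
    return user.agency == record.owner_agency


def data_level_decision(user, record):
    """Evaluate the record's own tags against the user's attributes.

    Returns (allowed, reasons_for_denial). Unknown tags deny access.
    """
    if user.clearance not in LEVELS or record.level not in LEVELS:
        return (False, ["unknown classification tag"])   # fail closed
    reasons = []
    if LEVELS.index(user.clearance) < LEVELS.index(record.level):
        reasons.append("clearance below " + record.level)
    missing = record.compartments - user.accesses
    if missing:
        reasons.append("missing accesses: " + ", ".join(sorted(missing)))
    if record.roles_any and not (record.roles_any & user.roles):
        reasons.append("no permitted role")
    if user.country not in record.releasable_to:
        reasons.append("not releasable to " + user.country)
    return (not reasons, reasons)


# Constructed sample users and records (hypothetical, not from the page).
ANALYST = frozenset({"analyst"})
DIA_ANALYST = User("dia-analyst", "DIA", "TOP SECRET", ANALYST)
NGA_ANALYST = User("nga-analyst", "NGA", "TOP SECRET", ANALYST,
                   frozenset({"ALPHA"}))
PARTNER = User("partner-officer", "COALITION", "SECRET", ANALYST,
               country="GBR")
REPORT = Record("compartmented report", "DIA", "TOP SECRET",
                frozenset({"ALPHA"}), ANALYST)
SUMMARY = Record("releasable summary", "DIA", "SECRET",
                 releasable_to=frozenset({"USA", "GBR"}))
MISTAGGED = Record("mistagged file", "DIA", "SECRT")

if __name__ == "__main__":
    for user in (DIA_ANALYST, NGA_ANALYST, PARTNER):
        for record in (REPORT, SUMMARY, MISTAGGED):
            allowed, reasons = data_level_decision(user, record)
            print(f"{user.user_id:16} {record.name:21} "
                  f"network={network_level_decision(user, record)!s:5} "
                  f"data={allowed!s:5} {'; '.join(reasons)}")
```

The network model lets the DIA analyst read the compartmented report without the required access and keeps the NGA analyst out despite having it; the data-level check reverses both outcomes.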


March 3, 2021

The telephone contacts of president George W. Bush

Always wanted to know who is on the contact list of the President of the United States? In the George W. Bush Presidential Library one can see the telephone from the president's desk in the Oval Office with a clear view of all the speed dial buttons from the final years of the Bush presidency.

Here I will tell a bit more about this special telephone set, followed by a list and a short discussion of all the contacts behind the over 40 speed dial buttons. Finally, the phone used by president Bush is compared with the one from the first years of Barack Obama.

The IST-2 phone at the president's desk in the George W. Bush Presidential Library
(photo: Ron Plante)

The George W. Bush Presidential Library

Like all US presidents since Herbert Hoover, president George W. Bush also established a presidential library which holds the papers, records, collections and other historical materials from his presidency. Several presidents have been buried on the grounds of their library, which will also happen after the death of George Bush and his wife Laura.

The George W. Bush Presidential Library and Museum was opened in April 2013 and is located on the campus of the Southern Methodist University (SMU) near Dallas, Texas. Like other presidential libraries, it includes an exact replica of the Oval Office in the White House. This allows visitors a close look at the paintings and the furniture and they may also sit behind a reproduction of the Resolute desk for a photograph.

Some visitors of the replicated Oval Office took a photo of the telephone on former president Bush's desk, probably not only because it's a quite impressive device, but also because it has all the names of the president's contacts on its many speed dial buttons.

A visitor tries the phone in the replica of the Oval Office
in the George W. Bush Presidential Library
(photo: instagram/t.ryanmartinez)

The IST-2 telephone

What most visitors of the Bush Presidential Center won't know is that the phone is an Integrated Services Telephone version 2 (IST-2), which is a so-called "red phone". Unlike the popular image, such a red phone isn't used for the Hotline between Washington and Moscow, but for secure communications with military command centers through the Defense Red Switch Network (DRSN).

For this network there are large telephone consoles which can be used for both secure and non-secure calls. However, the encryption of classified calls isn't done by the phone, but by a separate network encryptor. The IST-2 was designed by defense contractor Raytheon and subsequently manufactured by Telecore Inc., a small company from Richardson, Texas, that took over the production of these telecommunication devices somewhere around 2003.

As part of a military telephone network, the IST-2 also has the distinctive four red buttons for the four levels of a system called Multilevel Precedence and Preemption (MLPP). This makes it possible to place phone calls that take precedence over ones with a lower priority, with "Flash Override" allowing the President, the Secretary of Defense and the Joint Chiefs of Staff to preempt any other traffic in the network.
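How precedence and preemption behave when all circuits are busy, as an added example (a constructed model, not code from the DRSN or any vendor). The Routine default level comes from the MLPP standard rather than from this page, and the circuit count, the caller labels and the rule for picking which call is cut off are assumptions.

```python
from enum import IntEnum


class Precedence(IntEnum):
    ROUTINE = 0         # default level without a button (MLPP standard, not on the page)
    PRIORITY = 1
    IMMEDIATE = 2
    FLASH = 3
    FLASH_OVERRIDE = 4  # highest level, reserved for the most senior users


class TrunkGroup:
    """Constructed model: a fixed pool of circuits shared by all callers."""

    def __init__(self, circuits):
        self.circuits = circuits
        self.active = []      # entries are (precedence, connect_order, caller)
        self._order = 0

    def place_call(self, caller, precedence):
        """Try to connect a call.

        Returns (status, preempted_caller): status is "connected" or
        "blocked"; preempted_caller is the caller who was cut off, if any.
        """
        self._order += 1
        entry = (precedence, self._order, caller)
        if len(self.active) < self.circuits:
            self.active.append(entry)
            return ("connected", None)
        if not self.active:                 # a group with zero circuits
            return ("blocked", None)
        # Assumption: the call to cut off is the one with the lowest
        # precedence, and among equals the one connected first.
        victim = min(self.active)
        if victim[0] >= precedence:
            # Equal or higher precedence is never preempted, so a
            # Flash Override call cannot be displaced by anyone.
            return ("blocked", None)
        self.active.remove(victim)
        self.active.append(entry)
        return ("connected", victim[2])

    def hang_up(self, caller):
        """Release the circuit held by caller; return True if one was held."""
        before = len(self.active)
        self.active = [e for e in self.active if e[2] != caller]
        return len(self.active) < before

    def callers(self):
        return sorted(e[2] for e in self.active)


def run_scenario():
    """Two circuits, eight call attempts with constructed caller labels."""
    trunk = TrunkGroup(circuits=2)
    attempts = [
        ("caller A", Precedence.ROUTINE),
        ("caller B", Precedence.IMMEDIATE),
        ("caller C", Precedence.ROUTINE),         # full, nothing lower: blocked
        ("caller D", Precedence.FLASH),           # cuts off A
        ("caller E", Precedence.FLASH_OVERRIDE),  # cuts off B
        ("caller F", Precedence.FLASH),           # equal to D: blocked
        ("caller G", Precedence.FLASH_OVERRIDE),  # cuts off D
        ("caller H", Precedence.FLASH_OVERRIDE),  # only equals left: blocked
    ]
    results = [trunk.place_call(c, p) for c, p in attempts]
    return results, trunk.callers()


if __name__ == "__main__":
    results, remaining = run_scenario()
    for r in results:
        print(r)
    print("still connected:", remaining)
```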

The speed dial buttons on Bush's Oval Office telephone

The IST-2 telephone on president Bush's desk in the Oval Office had 50 line buttons, with labels for the following contacts, grouped according to the colors of the labels:

• BOLTEN - Joshua B. Bolten, White House Chief of Staff from 2006 to 2009.
• FIELDING - Fred F. Fielding, White House Counsel from 2007 to 2009.
• GILLESPIE - Ed Gillespie, Counselor to the President from 2007 to 2009.
• HADLEY - Stephen J. Hadley, National Security Advisor from 2005 to 2009.
• GOTTESMAN - Blake L. Gottesman, Deputy Chief of Staff from 2008 to 2009.
• JACKSON - Barry S. Jackson, Senior Advisor to the President from 2007 to 2009.
• JEFFREY - James F. Jeffrey, Assistant to the President and Deputy National Security Advisor from 2007 to 2009.
• KAPLAN - Joel Kaplan, Deputy Chief of Staff from 2006 to 2009.
• LUTE - Douglas E. Lute, Assistant to the President and Deputy National Security Advisor for Iraq and Afghanistan from 2007 to 2013.
• MEYER - Daniel P. Meyer, Assistant to the President for Legislative Affairs from 2007 to 2009.
• PERINO - Dana M. Perino, White House Press Secretary, 2007 to 2009.
• THIESSEN - Marc A. Thiessen, Director of Speechwriting from 2008 to 2009.
• TUBB - Richard J. Tubb, Physician to the President from 2002 to 2009.
• WAINSTEIN - Kenneth L. Wainstein, Homeland Security Advisor from 2008 to 2009.
• YANES - Raul F. Yanes, Assistant to the President and Staff Secretary from 2006 to 2009.

• VICE PRESIDENT - Dick Cheney, Vice President of the United States from 2001 to 2009.
• Secretary Of STATE - Condoleezza Rice, Secretary of State from 2005 to 2009.
• Secretary Of DEFENSE - Robert M. Gates, Secretary of Defense from 2006 to 2011.
• DNI - Mike McConnell, Director of National Intelligence from 2007 to 2009.
• Director CIA - Michael V. Hayden, Director of the CIA from 2006 to 2009.

• VP HOME - The house of Vice President Cheney, the Naval Observatory in Washington.
• BOLTEN HOME - The house of Chief of Staff Joshua Bolten.
• HADLEY HOME - The house of National Security Advisor Stephen Hadley.
• RICE HOME - The house of Secretary of State Condoleezza Rice.
• GILLESPIE HOME - The house of Counselor Ed Gillespie.

• Situation Room - The Situation Room in the basement of the West Wing.
• HOS Conference - Head of State Conference call.
• SIGNAL OPERATOR - Operator at the Signal Switchboard for non-secure calls.
• Secure OPERATOR - Operator at the Signal Switchboard for secure calls.
• White House OPERATOR - Operator at the White House switchboard for unclassified calls.

• MRS BUSH - Laura Bush, wife of the president.
• 41 - George H. W. Bush, 41st president of the United States and father of the president.
• JWB - Jenna W. Bush, daughter of the president.
• BPB - Barbara P. Bush, daughter of the president.
• CRAWFORD - The Prairie Chapel Ranch of president Bush near Crawford, Texas.
• Secretary EVANS - Donald L. Evans, Secretary of Commerce from 2001 to 2005.

• ROBERT - ?
• JARED - Jared Weinstein, special assistant and personal aide from 2006 to 2009.
• SAM - ?
• KAREN - (Karen Hughes?)
• ASHLEY - (Ashley Kavanaugh?)
• USHERS - Stephen W. Rochon, Chief Usher of the White House from 2007 to 2011.

• LINE 1 - Outgoing or incoming phone line
• LINE 2 - Outgoing or incoming phone line
• LINE 3 - Outgoing or incoming phone line

President Bush's primary contacts

The names on these speed dial buttons give us some insights into the people president Bush was in contact with. In the first place, represented by the first two rows of buttons, these were West Wing staff members, like the Chief of Staff, his deputies, senior advisors and assistants. In the third row we see the press secretary and the president's speechwriter as well as the Physician to the President.

The buttons of the fourth row show that president Bush had direct lines only to the Secretary of State and the Secretary of Defense. The same group includes buttons for the Director of National Intelligence (DNI) and the director of the Central Intelligence Agency (CIA), despite the fact that in 2005, the newly created DNI replaced the director of the CIA as a Cabinet member.

George W. Bush using the IST-2 telephone for calling the
British prime minister Gordon Brown, October 7, 2008
(White House photo by Eric Draper)

The next five speed dial buttons show which people president Bush could call directly even when they were at home: Vice President Cheney, Chief of Staff Bolten, National Security Advisor Hadley, Secretary of State Condoleezza Rice and Counselor Ed Gillespie.

After these first five rows, there's one row in which the buttons are blank - apparently there were no more people who president Bush needed to call directly (unlike Obama, who used all 50 buttons - see below).

The lower half of the speed dial buttons were used for mixed sets of contacts:

Five buttons positioned in an L-shape connected the President to the various communication centers of the White House: first the famous Situation Room in the basement of the West Wing, which is not only a conference room, but also includes a watch center that is operational 24/7.

Another button was labeled "HOS Conference" which means it was used to conduct phone calls to foreign Heads Of State (HOS). These are conference calls because translators, advisers and staffers from the National Security Council (NSC) listen in to translate and take notes of the content of such conversations.

Aides listening in to a phone call by president Obama, March 29, 2009.
(White House photo by Pete Souza)

The next three speed dial buttons are for switchboard operators, who can connect the President to anyone who cannot be reached through one of the direct line buttons on the Oval Office phone:

First there's the so-called Signal switchboard operated by military personnel of the White House Communications Agency (WHCA). The phone buttons show that this switchboard has an operator for non-secure calls and one for secure communications.

A third button is for the operator of the White House Switchboard, which manages the internal telephone system of the White House which is used for internal and external unclassified phone calls.

Another group of buttons is for family members of president Bush: his wife Laura, his father ("41"), and his daughters Jenna and Barbara, as well as Bush's ranch in Crawford, Texas. Interesting is the button for Donald L. Evans who seems to be included here not because of his job as Secretary of Commerce from 2001 to 2005, but because of his longtime friendship with Bush.

This brings us to the final group of buttons, with labels that only mention first names, probably of Bush's more personal advisors. One of them was Jared Weinstein, his special assistant and personal aide, but it's less clear who the other four (Robert, Sam, Karen, Ashley) were. Readers of this blog post who think they can identify them are invited to leave a comment.

A final speed dial button is for the ushers of the White House, led by the Chief Usher, who is the general manager of the building and oversees the butlers, maids, housekeepers, chefs, cooks, doormen, and many others.

The IST-2 telephone under Obama

In January 2009, the office of President of the United States was taken over by Barack Obama. On his desk in the Oval Office he found an IST-2 telephone like the one used by his predecessor, but now of course with labels for all the new staff members, cabinet secretaries and other people who Obama liked to call.

The IST-2 telephone on Obama's desk, March 29, 2009
(White House photo by Pete Souza)

Another difference with the IST-2 used by president Bush was that the speed dial buttons on Obama's phone had a different color scheme: while under Bush there was a different color for each type of contacts, under Obama the buttons were only yellow or green. The arrangement, however, was roughly the same, as can be recognized by the three line buttons, which were pink under Bush and white under Obama.

Comparing the other buttons indicates that the colors on Obama's IST-2 represent the classification level: green for Unclassified and yellow for Top Secret/SCI. This is confirmed by the three buttons above the white line buttons: Signal Operator: green; Secure Operator: yellow; White House Operator: green. It shows that most of the president's contacts could be reached via a secure line, likely not much different than under Bush.

The IST-2 phone on Obama's desk, March 24, 2009 - photo rotated for comparison
(photo: Brooks Kraft LLC/Corbis via Getty Images)

Although it was certainly useful to have just one telephone for both secure and non-secure calls, the IST-2 was probably found a bit too military looking for Obama. Maybe the speed dial buttons also attracted a bit too much attention, so a custom cover plate was made in order to prevent visitors from seeing who the president's primary phone contacts were:

Obama's IST-2 telephone with cover plate, August 31, 2010.
(photo: J. Scott Applewhite/AP)

In the Spring of 2011, the IST-2 on Obama's desk was eventually replaced by two more common, commercially available phone sets: a black Avaya/Lucent 8520T that had been part of the internal White House telephone network already since 1996, and a Cisco 7975G Unified IP Phone for the new Executive Voice over Secure IP-network which is used for Top Secret phone calls.
