July 3, 2014

The National Security Agency in 2002

During the past year, a number of slides from a 2002 NSA presentation titled "National Security Agency: Overview Briefing" were disclosed as part of the Snowden-leaks.

This presentation as a whole would have been a great comprehensive overview of the structure and the mission of NSA at the start of this millennium, but until now only six slides were made public, widely scattered over a period of almost a year and media from 3 continents, almost as to prevent people getting to see the whole picture.

All slides from this presentation can be recognized by their rather overloaded blue background, combining the seals of NSA and CSS, a globe, numerous ones and zeros representing digital communications, and a fancy photoshopped lens flare. In a number of slides, the font type of the classification marking looks different, which could indicate that the presentation was altered and/or re-used several times.

This slide was published by Brasilian media in July 2013. A somewhat distorted version (pdf) was published by Der Spiegel on June 18, 2014. It shows a world map with all the locations where there's a satellite intercept station, which is used for the collection of foreign satellite (FORNSAT) communications.

Nine stations are operated by NSA, including two as part of an SCS unit (see below), and seven stations operated by 2nd Party partners, in this case Great Britain, Australia and New Zealand:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)
  2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, near Seeb (Oman)
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, Waihopai (New Zealand)

All these satellite intercept stations were interconnected, and it was this network that became publicly known as ECHELON. Revelations about this eavesdropping system in the late 1990s led to public and political outrage and subsequent investigations very similar to what happened since the start of the Snowden-leaks.

Until the new millennium, international communications travelled via satellite links, which made ECHELON one of NSA's most important collection systems. But since then, international traffic has shifted almost entirely to fiber-optic cables, making this the agency's current number one source.

We have no slide about NSA's cable tapping capabilities in 2002, but from other sources we know that there were at least three programs operational outside the US:
- RAMPART-M for access to undersea cables
- RAMPART-T for land-based cables, in cooperation with CIA
- RAMPART-A for cable access in cooperation with 3rd Party partner agencies

This slide was published by the Italian paper L'Espresso on December 6, 2013. It once again shows a world map, this time with the names of over 80 cities where there's a joint NSA-CIA Special Collection Service (SCS) unit. These units operate covertly from inside a US embassy or consulate to get access to targets that are difficult to reach otherwise. The names of cities in countries that are hostile to the US are redacted by the paper.

There are also four "Survey Sites" and seven "Future Survey Sites", but at present it is not clear what that means. Finally, there are two Technical Support sites: PSA in Bangkok, Thailand, and RESC (Regional Exploitation Support Center?) at the US Air Force base in Croughton, UK. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.

This slide was published by Der Spiegel on June 18, 2014. It shows a world map with the locations where there's a Cryptologic Support Group (CSG). These CSGs are part of the signals intelligence and cryptologic branches of the five US Armed Services (Army, Navy, Air Force, Marines, Coast Guard), which together form the Central Security Service (CSS) - the tactical part of NSA.

Cryptologic Support Groups provide advice and assistance on SIGINT reporting and dissemination and are located at all major US military command headquarters, both inside and outside the United States. The locations of Cryptologic Support Groups in 2002 were:
- STRATCOM: United States Strategic Command, Omaha
- TRANSCOM: United States Transportation Command, Belleville
- USSPACECOM: United States Space Command, Colorado Springs
- JSOC: Joint Special Operations Command, Spring Lake
- State Department, Washington
- NMJIC: National Military Joint Intelligence Center, Washington
- CIA: Central Intelligence Agency, Langley
- ONI: Office of Naval Intelligence, Suitland
- San Francisco
- FORSCOM: United States Army Forces Command, Fort Bragg
- JFCOM: United States Joint Forces Command, Norfolk
- SOCOM: United States Special Operations Command, MacDill AFB
- CENTCOM: United States Central Command, MacDill AFB
- Key West (Naval Air Station)
- SOUTHCOM: United States Southern Command, Doral
- EUCOM: European Command, Molesworth
- NAVEUR: United States Naval Forces Europe, London
- USAREUR: United States Army Europe. Wiesbaden
- USAFE: United States Air Forces in Europe, Ramstein
- EUCOM: European Command, Stuttgart
- USFK: United States Forces Korea, Seoul
- Japan
- Hawaii (United States Pacific Command)

This large number of CSG locations is one of the things that reflects the importance of NSA's military mission, which is almost completely ignored in the Snowden-reportings (the slide was published rather unnoticed as part of a batch of 53 NSA-documents)

This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It shows what NSA saw as current threats in 2002, with an overlay that seems to have been added later and which lists a range of communication techniques. Greenwald says this slide shows that NSA also counts these technologies, including the Internet, as threats to the US, proving that the US government sees this global network and other types of communications technology as threats that undermine American power.*

This interpretation is rather far-fetched because in that case, pagers and fax machines would also be a threat to the US. It's obvious the list shows the means by which individuals and organisations that threaten the US can communicate - which of course is important to know for a signals intelligence agency like NSA.

The actual threats listed in the slide are:
- Hackers
- Insiders
- Traditional Foreign Intelligence
- Foreign [...]
- Terrorists
- Criminal elements
- Developing nations

This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It says that NSA has alliances with over 80 major global corporations supporting both missions (i.e. Signals Intelligence and Information Assurance) and presents the names of a number of big American telecommuncations and internet companies, along with pictures of some old-fashioned communication devices.

Greenwald's book says that in the original presentation, this slide follows some unpublished ones that are about "Defense (Protect U.S. Telecommunications and Computer Systems Against Exploitation)" and "Offense (Intercept and Exploit Foreign Signals)".*

This slide was also published in Greenwald's book on May 13, 2014. It shows the three main categories of "customers" of NSA, which are government and military organizations that can request and receive intelligence reports. Besides other major US intelligence agencies, we see that NSA works for civilian policy makers as well as for military commanders, from the Joint Chiefs of Staff (JCS) and the Commanders-in-Chief (CINCs) down to tactical commanders.

Greenwald uses this slide to point to the Departments of Agriculture, Justice, Treasury and Commerce, the mentioning of which he sees as proof for an economic motive of NSA's spying operations.* Although almost all countries (try to) spy in order to get information that can be usefull for their national economic interests, Greenwald is doing as if this kind of intelligence is somehow off limits, and thereby discrediting NSA.

> See also: NSA's global interception network in 2012

Links and Sources
- National Security Agency: Transition 2001 (pdf)
- Declassified interview with NSA Director Michael Hayden (pdf) (2000)


Bill Robinson said...

Re survey sites/future survey sites: Surveys are short-term collection efforts to determine the volume and types of signals can be intercepted at the site. If the site turns out to be productive, a permanent collection site may subsequently be established.

P/K said...

Thank you - that's very clarifying!

Rob said...

Nice job !

The CSG at Key West probably supports the Joint Interagency Task Force South (JIATF-S). That's the only unit I see at Key West that may need a CSG as there is no big command there.

The CSG at San Francisco seems to be linked to counter-drugs operations : https://www.linkedin.com/pub/gerard-voellinger/1b/463/757
There is a US Coast Guard station at San Francisco.

Anonymous said...

In the 1950's and 1960‘s knowledge of “embassy duty“ was so widespread within the U.S. Army Security Agency that Army Security Agency recruiters mentioned the possibility of civilian clothes embassy duty to promising young men to induce them to enlist in the Army Security Agency for four years instead of being drafted into the combat arms for two years.

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties