April 24, 2015

Some equipment that connects NSA with its foreign partners

(Updated: June 29, 2019)

A close look at a unique photo of NSA computer equipment revealed the names of five countries: Tunisia, the Netherlands, Belgium, Germany and Italy. The devices are routers, but it's not certain what exactly they are used for. The circumstances indicate that they enable the exchange of data for military operations in which these NSA partner countries participate.

Presentation about Strategic Analytics at the
NSA's European Cryptologic Center (ECC)

On June 14, 2014, the German magazine Der Spiegel published 53 documents pertaining to the NSA's operations in Germany and its cooperation with German agencies. Many of them got little attention, and so they often contain interesting things which have not yet been reported.

One of these documents is an undated presentation about Strategic Analytics used at the NSA's European Cryptologic Center (ECC), which is located near the city of Darmstadt in Germany. This presentation contains some unique photos of what seems to be NSA equipment.

Cisco routers

One of the photos shows a 19-inch rack for computer equipment modules, which contains 13 common Cisco 2811 routers. In the photo we see the front panels of the routers, with each one having a black power cable and a red network cable, which connects to a computer in order to manage the router. The cables for the actual data are on the rear side, where the device has four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet ports, and a slot for an Enhanced Network Module (ENM).

Slide from the presentation about Strategic Analytics
at the NSA's European Cryptologic Center (ECC)

Classification labels

Twelve routers have an orange and a yellow label, only the bottom one has a red label. These labels indicate the (highest) classification level of the data that are handled by the equipment. The red label is for Secret, the orange one for Top Secret and the yellow one for Sensitive Compartmented Information (SCI), which means the information is in a "control system" with extra protective measures.

All but one of the routers may therefore transfer data up to the level of Top Secret/SCI. This sounds quite impressive, but actually almost everything NSA does is classified at this level, more specifically as Top Secret//Comint (or SI for Special Intelligence) - the marking that can be seen on almost all Snowden documents.

Sometimes, the photos in the presentation are related to what the slide is about, but here that seems not to be the case. The slide is about MapReduce analytics, with MapReduce being a particular method to filter, sort and generate data from very large databases. This is completely different from what routers do, which is transferring data from one computer network to another.

Photo of the equipment rack with 13 Cisco routers

The white labels

Most interesting in this photo is the text on the white labels, which unfortunately is very difficult to read. But after I brought these photos to attention, a Twitter user noticed that these labels contained new codewords and names of countries. Eventually the following words could be read, with in gray those that are uncertain:










[Transcription of the white labels (image); legible entry: ITALY]

Most of the routers are labeled BAYBRIDGE, either accompanied by another codeword or by the name of a country: Tunisia, Belgium and probably Italy. The Netherlands and Germany are mentioned on routers which appear to be related to other systems, which for the Netherlands is codenamed PARTSTREAMER. Germany is related to some kind of EXPANSION.

All these codewords are seen here for the first time, so it's not known what they stand for and the variations make it even more difficult to guess what these routers are actually used for. Maybe some future disclosures of NSA documents can provide an explanation.

On August 15, 2018, The Intercept published a batch of internal SIDtoday newsletters, including one from April 12, 2006 which reveals that BAYBRIDGE is a circuit for the exchange of metadata and analytic information from and to the NSA's foreign partner agencies.

Close-up of the white labels for the routers labeled

Third Party partners

One thing that these five countries have in common is the fact that they are 3rd Party partners of NSA. This means there's a close cooperation based upon a formal agreement between NSA and the agency responsible for signals intelligence in a given country.

Belgium, the Netherlands, Germany and Italy are long-time trusted allies of the US, but Tunisia only grew closer to the US after 9/11. For example, it supported the war on terrorism and conducted joint training exercises with the US, and US Navy ships regularly visited the ports of Bizerte, Sfax, Sousse and Tunis.

Initially, Tunisia then fell under the responsibility of the US European Command (EUCOM), but came under the newly created US Africa Command (AFRICOM) in 2008. There are even plans to move the AFRICOM headquarters from Stuttgart, Germany to Tunisia, after this small North African country moved away from its close relationship with France in recent years.

We probably can come even closer to what the purpose of these routers is, by looking at where they are used. As we have seen, the photo isn't related to what's in the slide, but as the presentation as a whole is about certain efforts at the NSA's European Cryptologic Center (ECC), we can assume the routers were photographed there.

The European Cryptologic Center

The ECC is one of several Cryptologic Centers of the NSA. These were established in the mid-1990s to decentralize SIGINT operations and make their systems more redundant. Initially they were called Regional SIGINT Operations Center (RSOC).

Four of these centers are in the United States and named after the state they are in: Georgia (in Augusta), Texas (in San Antonio), Hawaii (in Honolulu) and Colorado (in Denver). There are two known centers outside the US: the European Cryptologic Center (ECC, in Griesheim, Germany) and the Afghanistan Remote Operations Cryptologic Center (AROCC, in Bagram, Afghanistan).

The NSA's European Cryptologic Center (ECC) at the Dagger
Complex in Griesheim near Darmstadt, Germany
(Photo: AP, July 2014)

The European Cryptologic Center (ECC) is located within the US Army's Dagger Complex outside the small town of Griesheim, near the city of Darmstadt in Germany. In 2011, it had some 240 personnel, consisting of military and civilian members of the military services, NSA civilians and contractors.

On behalf of NSA, the center is operated by the US Army Intelligence and Security Command (INSCOM) and as such is part of the NSA's military branch, the Central Security Service (CSS), more specifically of NSA/CSS Europe and Africa (NCEUR/AF).

The ECC conducts the processing, analysis and reporting of signals intelligence in support of both the European Command and the Africa Command - which perfectly fits the countries we saw on the white labels. The ECC is primarily focussed on Counter-Terrorism and supporting military operations in Africa and the Middle East.

In March 2016, it was announced that a new Joint Intelligence Analysis Centre will be established at RAF Croughton, a US Air Force base near Milton Keynes, which already processes about a third of US military communications in Europe. The new centre will be the US headquarters for European and African military communications, employing up to 1250 staff analysing intelligence from more than 50 countries. It is due to be completed in 2017.

Military operations

According to NSA historian Matthew Aid, NSA's European center already supported American troops operating in Bosnia and Kosovo in the late 1990s. There were direct communication links not only with US military units, but also with all the SIGINT agencies and units of the partner nations operating in the Balkans, like Germany, France, Italy, the Netherlands, and others.

In a similar way the routers we see in the photo from the presentation could then be used for the exchange or transfer of data related to specific military and counter-terrorism operations, each involving different countries. For now, this seems the most likely option, as it could also explain the variations of the codewords.

This seems to be different from SIGDASYS, which is a database system where NSA and some partner agencies can put in and pull out military intelligence information on a more regular basis. Also, SIGDASYS is part of the SIGINT Seniors Europe (SSEUR or 14 Eyes) group, which doesn't include Tunisia.

Links and sources
- Matthew Aid: The European Cryptologic Center at Darmstadt, Germany (2013)
- Presentation about the US Army Intelligence and Security Command (INSCOM) (pdf, 2013)
- NIST: Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy (pdf, 2005)


Anonymous said...

"MALFRACK" looks like it could also be "HALFBACK".

Unknown said...

I really like your blog. I really appreciate the good quality content you are posting here for free. May I ask which blog platform you are using?
