September 22, 2019

From 9-Eyes to 14-Eyes: the Afghanistan SIGINT Coalition (AFSC)



It was a mystery for over five years: the 9-Eyes intelligence cooperation, which was first revealed by The Guardian in November 2013. It was only an extensive new piece on the website The Intercept from last May that made clear that the 9-Eyes is actually the Afghanistan SIGINT Coalition (AFSC).

The main purpose of the AFSC was to collect GSM metadata using DRT interception devices and feed it into the NSA's huge data analysis platform for Afghanistan operations, called the Real Time Regional Gateway (RT-RG).

The AFSC started in 2009 with nine members but eventually grew to the same 14 countries that already cooperated in another intelligence exchange group called SIGINT Seniors Europe (SSEUR). The AFSC existed at least until the end of 2014.



Slide from an NSA presentation about the Afghanistan SIGINT Coalition (June 2009)
Published by The Intercept in May 2019


Intelligence sharing coalitions

The existence of the 9-Eyes group was first revealed by the British newspaper The Guardian on November 2, 2013:
"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

This revelation caused some embarrassment, as especially France and The Netherlands had clearly expressed their anger about the NSA's alleged eavesdropping operations against their citizens (see below), but now it turned out they were also engaged in some close alliances with the Americans.



Other 9-Eyes: CFBLNet

The Guardian's revelation started speculation about the differences between these groups and their specific purposes. From open sources, a range of similar "Eyes" for sharing military and intelligence information were identified on this weblog in November 2013 in a posting titled Five Eyes, 9-Eyes and many more.

It turned out that the term 9-Eyes had already been in use since 2008 for exchanging classified information among the Five Eyes and nine NATO members of the Combined Federated Battle Laboratories Network (CFBLNet). This is a multilateral network for research, development and testing on C4ISR systems.

However, the members of the CFBLNet 9-Eyes were not fully identical with those in the Guardian article, so it seemed not likely that this was the mysterious 9-Eyes group mentioned in the Snowden documents.


The 9-Eyes of the CFBLNet listed in a NATO standardization document from 2010


14-Eyes: SSEUR

In December 2013, Swedish television published a range of NSA-documents from the Snowden files which revealed that the 14-Eyes were also known as the SIGINT Seniors Europe (SSEUR) and consisted of the Five Eyes plus nine European partners: Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden:



From various other sources it became clear that the SIGINT Seniors Europe is a group in which the heads of the participating military or signals intelligence agencies coordinate the exchange of military intelligence according to the needs of each member.

The SSEUR group was established in 1982 to monitor the Soviet Union more efficiently, and a database system called SIGDASYS was set up so the participating agencies could exchange as much military SIGINT and other information as possible. In the early 2000s, a sub-group for counter-terrorism was formed under the name SIGINT Seniors Europe Counter Terrorism coalition (SISECT).



Afghanistan

Meanwhile, the function of the 9-Eyes remained unclear: the Dutch interior minister Ronald Plasterk refused to say anything about it, but there were rumours that it was for exchanging military signals intelligence related to operations in Afghanistan.

That could explain why no other documents about the 9-Eyes had been published, because apparently Glenn Greenwald had an agreement with Snowden not to disclose information that could endanger American troops in Afghanistan.

Nonetheless, information about NSA's involvement in Afghanistan did come out: in June 2014, for example, the German magazine Der Spiegel released an NSA paper from January 2013, which lists all the members of the Afghanistan SIGINT Coalition (AFSC). Its membership appeared identical with the SIGINT Seniors Europe or 14-Eyes.



NSA presentation slide showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 2014.



From 9-Eyes to 14-Eyes

But as was revealed in The Intercept's article from last May, the Afghanistan SIGINT Coalition did not always have 14 members: the group started in 2009 with just nine members and was therefore called 9-Eyes. Besides the Five Eyes it included Denmark, France, the Netherlands and Norway.

In 2010, Sweden and Germany joined the Afghanistan SIGINT Coalition and by January 2013, Belgium, Italy, and Spain had also become members of the group. By then, the AFSC had exactly the same membership as the SIGINT Seniors Europe or 14-Eyes.

It is not known whether the number of "Eyes" increased with each new AFSC member, but it's clear that an "Eyes" designation is not always a unique designator and there can be multiple groups with the same number of Eyes at the same time. To avoid confusion, such multilateral partnerships can best be called by their actual names.


 


The Real Time Regional Gateway

The Afghanistan SIGINT Coalition was created because the NSA needed additional linguistic capabilities as well as data from regions in Afghanistan where they had little or no coverage themselves.

Therefore they turned to trusted coalition partners and provided them with wireless interception equipment known as DRT-boxes, which were first identified as such on this weblog in November 2013.

After Dutch, Danish, Norwegian, German and Spanish troops each got one, two or three DRT devices, they started feeding intercepted GSM metadata into a huge distribution and analysis system called Real Time Regional Gateway (RT-RG) as of Summer 2008.

This RT-RG system was first publicly mentioned in a Defense News article from October 2010 and in the book Top Secret America from 2011 it was described as follows:
"RTRG allows users to see all signal intelligence that collectors are working on in real time. This includes ground collectors, Air Force RC-135 Rivet Joint and Liberty planes, SIGINT-equipped drones, and SIGINT satellites operated by the NRO. RTRG has provided a tenfold increase in the speed with which intercepts are provided to operators on the ground."

This is already a pretty accurate description, except that it doesn't mention the participation of coalition partners, which governments always handle as something extremely sensitive.



Slide from an NSA presentation showing all the collection systems that fed the RT-RG platform


RT-RG started as a project called RT-10, which was first deployed in Baghdad in 2007. An internal NSA newsletter says that in order to provide a comprehensive real-time view of the telephone and internet communications in Baghdad (with roughly 4 to 5 million residents), the RT-10 system had to be able to ingest each day:
- 100 million telephone metadata records
- 1 million pieces of telephone content
- 100 million internet metadata records

The success of the RT-RG system lay in the fact that these massive amounts of data were stored locally: in 2009, a large RT-RG data center was built at Area 82 of Bagram Airport north of Kabul. It was right next to the Afghanistan Regional Operations Cryptologic Center (A-ROCC), where analysts from the 9-Eyes countries worked side-by-side.

Previously, war-fighters in the field had to retrieve their intelligence from central databases at NSA headquarters. This cost time and bandwidth, but it also meant that only data related to known targets was sent back and stored. By storing the full-take collection in a regional repository, however, all data could be subjected to analytic algorithms in order to find new targets for the so-called Find, Fix, Finish operations.

In 2011, the Afghanistan RT-RG had a database of 27 terabytes, which could only store approximately one month of regional data (90% of the user queries were within a one-week timeframe though). A planned move to NSA's new cloud architecture would increase the storage space to up to 125 TB and would allow larger-scale analytics to be conducted.



Architecture of the Real Time Regional Gateway (RT-RG) in 2012
(source: NSA presentation)



BOUNDLESSINFORMANT

How much GSM metadata the countries of the Afghanistan SIGINT Coalition collected can be seen in charts from the NSA's data visualization tool BOUNDLESSINFORMANT. The available charts show that the following numbers were acquired through the DRTBOX system during a one-month period between December 10, 2012 and January 8, 2013:
- France: 62 million metadata records
- Spain: 60 million metadata records
- Italy: 45 million metadata records
- Sweden: 33 million metadata records
- Norway: 33 million metadata records
- Denmark: 22 million metadata records

(The chart for the Netherlands shows the CERF CALL method through which cellphone metadata from Somalia were collected. DRTBOX is not mentioned, maybe because Dutch troops had already left Afghanistan by August 2010.)

These numbers are very small compared to what NSA and American military units collected. They also, once again, show that "mass surveillance" of entire populations would require the collection of billions of metadata records rather than the millions that showed up in these particular charts (60 million would roughly be the number of metadata records generated by 20,000 handsets).

In the second half of 2013, these charts were published in various major European newspapers saying that they proved that NSA monitored millions of phone calls in those countries. Soon it turned out this interpretation was completely wrong, something which co-author Glenn Greenwald only admitted in The Intercept's article from last May.



BOUNDLESSINFORMANT chart showing metadata collected by French intelligence,
including 62 million records through the DRTBOX system



3rd Party partners

Interestingly, Polish troops in Afghanistan also got one DRT interception device, and there is a BOUNDLESSINFORMANT chart showing that in one month's time they collected some 71 million cellphone metadata records. But despite this effort, Poland did not become a member of the Afghanistan SIGINT Coalition.

Poland was also not a member of the SIGINT Seniors Europe, so it seems the AFSC was only meant for countries that were already part of the SSEUR. The slide at the top of this blog post shows that, together with several other NATO countries, Poland is listed in red as a "National SIGINT Partner".

Except for Slovenia, these National SIGINT Partners appear to be identical with the so-called 3rd Party partners, which are the (signals) intelligence agencies of over 30 countries with which NSA has a formal relationship. They are one level below the 2nd Party partners, or Five Eyes, who have a fully integrated signals intelligence cooperation.



Quid pro quo

The operations in Afghanistan show how many different levels of cooperation there can be: there were 3rd Party partners who did nothing more or less than ordinary NATO members. Among them, information is only shared up to the classification level SECRET.

Then there was Poland which collected and shared telephone metadata, but did not participate in the CENTER ICE platform through which the countries of the SIGINT Seniors Europe communicated and exchanged threat information at the level TOP SECRET/SI.

The closest cooperation for 3rd Party partners was in the AFSC, where they fed telephone metadata directly into the NSA's RT-RG system. Because cooperation between intelligence agencies is always based upon the principle of quid pro quo, these partners also got things in return, equal to their input.

For the members of the AFSC these returns included real-time data access, unique linguistic resources and joint counter insurgency operations - things that could have been crucial for the success of their operations or the safety of their troops, but which the Five Eyes did not make available to the (initially broader group of the) SIGINT Seniors Europe.




Epilogue

The latest document in which the Afghanistan SIGINT Coalition was mentioned is an NSA paper from April 2013. One month later there was an AFSC conference in Denmark, at which the members were to discuss what to do after the ISAF mission was disbanded in December 2014. It's not known whether there was any kind of continuation.

The Real-Time Regional Gateway proved to be so successful that already in 2012, NSA deployed the system at 11 locations around the world, including at its regional center in Texas to combat Mexican drug trafficking, as well as on board the nuclear submarine USS Georgia, which collected mobile phone metadata around the Horn of Africa.



Links
- Bug Brother: La NSA n’avait (donc) pas espionné la France (June 2019)
- The Intercept: Mission creep: How the NSA’s game-changing targeting system built for Iraq and Afghanistan ended up on the Mexican border (May 2019)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (Oct. 2015)

