May 18, 2021

What the NSA provides to its foreign partners, and vice versa

The cooperation between (signals) intelligence agencies of different countries is strictly quid pro quo, which means what you get is equivalent to what you give. This is perfectly illustrated by a small series of documents from the Snowden trove, which summarize what the NSA provides to its foreign partners, along what they provide to the NSA.

Two of these documents are about the NSA's Second Party partners (better known as the Five Eyes): Canada and New Zealand, and six about Third Party partners: Germany, Israel, Norway, Saudi Arabia, Sweden and Turkey. Another NSA document provides some characteristics of these relationships.

The documents about the various NSA partners are information papers prepared by the Country Desk Officer (CDO) for the particular country at the NSA's Foreign Affairs Directorate (FAD). All but one date from April 2013, which is just a month before Snowden left the agency. It's not known whether there are also papers about other NSA partners among the Snowden files.

The information papers describe the relationship between the NSA and the foreign partner in a standardized way: they all start with an introduction, mention some "Key Issues", followed by "What NSA Provides to Partner" and "What Partner Provides to NSA". The papers end with "Success Stories" and "Problems/Challenges with the Partner".

For readability, the portion markings with the classification level for each paragraph have been removed and some abbreviations are written in full.

Second Party partners

The Second Party partners of the NSA are the signals intelligence agencies of the United Kingdom, Canada, Australia and New Zealand. These five countries are also known as the Five Eyes. Their SIGINT systems are highly integrated and the partners are not supposed to spy on each other.


Information paper: NSA Intelligence Relationship with Canada's CSEC, April 3, 2013

(Published by CBC on December 9, 2013)

What NSA provides to the Partner:

SIGINT: NSA and CSEC cooperate in targeting approximately 20 high-priority countries [two lines redacted]. NSA shares technological developments, cryptologic capabilities, software and resources for state-of-the-art collection, processing and analytic effots, and IA capabilities. The intelligence exchange with CSEC covers worldwide national and transnational targets. No Consolidated Cryptologic Program (CCP) money is allocated to CSEC, but NSA at times pays R&D and technology costs on shared projects with CSEC.

[two paragraphs redacted]

What the Partner provides to NSA:

CSEC offers resources for advanced collection, processing and analyss, and has opened covert sites at the request of NSA. CSEC shares with NSA their unique geographic access to areas unavailable to the U.S. [redacted], and provides cryptologic products, cryptanalysis, technology, and software. CSEC has increased its investment in R&D projects of mutual interest. [several lines redacted].

[at least two paragraphs redacted]

New Zealand

Information paper: NSA Intelligence Relationship with New Zealand, April 2013

(Published by NZ Herald on March 11, 2015)

What NSA provides to the Partner:

NSA provides raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.

What the Partner provides to NSA:

GCSB provides collection on China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antarctica; as well as, French police and nuclear testing activities in New Caledonia [two lines redacted].

Third Party partners

The Third Party partners of the NSA are the signals intelligence agencies of some 33 countries. Cooperation is based on formal, bilateral agreements, but the actual scope of the relationship varies from country to country and from time to time. Unlike the Second Party partners, Third Party partners do spy on each other.


Information paper: NSA Intelligence Relationship with Germany, January 17, 2013

(Published by Der Spiegel on June 18, 2014)

What NSA provides to the Partner:

NSA has provided a significant amount of hardware and software at BND expense, as well as associated analytic expertise to help the BND independently maintain its FORNSAT [Foreign Satellite collection] capability. NSA also exchanges intelligence reporting on both military and non-military targets.

What the Partner provides to NSA:

NSA is provided access to FORNSAT communications supporting counter-narcotics (CN), counter-terrorism (CT), [redacted], and Weapons of Mass Destruction (WMD) missions and is an important source of information on drug trafficking and force protection in Afghanistan. The BND provides Igbo language support by translating NSA collection of a high-value, time-sensitive [redacted] target. NSA is seeking the proper approvals to accept BND language support in [one line redacted]. In addition to the day-to-day collection, the Germans have offered NSA unique accesses in high interest target areas.


Information paper: NSA Intelligence Relationship with Israel, April 19, 2013

(Published by The Intercept on August 4, 2014)

What NSA provides to the Partner:

The Israeli side enjoys the benefits of expanded geographic access to world-class NSA cryptanalytic and SIGINT engineering expertise, and also gains controlled access to advanced U.S. technology and equipment via accomodation buys and foreign military sales.

What the Partner provides to NSA:

Benefits to the U.S. include expanded geographic access to high priority SIGINT targets, access to world-class Israeli cryptanalytic and SIGINT engineering expertise, and access to a large pool of highly qualified analysts.


Information paper: NSA Intelligence Relationship with Norway, April 17, 2013

(Published by Dagbladet on December 17, 2013)

What NSA provides to the Partner:

- Daily TS//SI-level counter-terrorism (CT) reports shared multilaterally;
- Frequent exchanges of technical data and analytic expertise on CT targets, [one line redacted] and other threats to Norway's national security;
- Daily force protection support in Afghanistan and technical expertise to support target development of Afghan insurgent targets;
- Regular reporting on counter-proliferation (CP) topics [redacted]
- Ad-hoc reporting and analytic expertise on [redacted]
- Exchanges of reporting, tech data and analytic expertise on [redacted]
- Tech data and expertise on cryptanalytic topics of mutual interest; and
- FORNSAT communications metadata

What the Partner provides to NSA:

- SIGINT analysis as well as geolocational and communications metadata specific to Afghan targets of mutual interest (this analysis also supports Norwegian Special Operations Forces (when deployed);
- All-source analysis specific to Afghan targets of mutual interest. The analysis is based on operations conducted jointly between Norway and local and/or coalition authorities;
- Potential to leverage NIS [Norwegian Intelligence Service] FORNSAT capabilities to augment NSA collection against high priority CP SIGINT targets;
- Potential to leverage NIS unique access to SIGINT on high priority CT targets; [redacted]
- SIGINT reports on Russian civil targets of mutual targets, particularly Russian energy policy;
- FORNSAT communications metadata; and
- [one line redacted]

Saudi Arabia

Information paper: NSA Intelligence Relationship with Saudi Arabia, April 8, 2013

(Published by The Intercept on July 25, 2014)

What NSA provides to the Partner:

NSA/CSS provides technical advice on SIGINT topics such as data exploitation and target development to TAD [Technical Affairs Directorate of the Ministry of Interior] as well as a sensitive source collection capability.

NSA/CSS provides a sensitive decryption service to the Ministry of Interior against terrorist targets of mutual interest.

What the Partner provides to NSA:

NSA leverages MOD RRD [Ministry of Defense Radio Reconnaissance Department] access to remote geography in the Arabian Gulf but provides no finished SIGINT reporting to NSA/CSS, however; they have provided unencrypted collection against the IRGC QODS Maritime Force targets of mutual interest from their collection system [redacted].

TAD provides sensitive access to unique collection containing AQAP terrorist targets of mutual interest.


Information paper: NSA Intelligence Relationship with Sweden, April 18, 2013

(Published by SVT Nyheter on December 5, 2013)

What NSA provides to the Partner:

- Technical support, collection, processing equipment and training
- NSA accepts selectors from FRA and tasks them to approved NSA collection sites
- [one line redacted]
- [one line redacted]
- Accomodation purchases of equipment
- Membership in multinational forums

What the Partner provides to NSA:

- Unique intelligence on Russia, the Baltic, Middle East, and counter-terrorism (CT)
- Outstanding and unique input of ELINT signals
- Access for special collection initiatives
- Collaboration on cryptanalytic issues


Information paper: NSA Intelligence Relationship with Turkey, April 15, 2013

(Published by Der Spiegel on August 31, 2014)

What NSA provides to the Partner:

- NSA provides equipment, technology, training, and U.S. SIGINT requirements and reporting to the Turkish partner to better assist NSA in fulfilling U.S. intelligence requirements.

- In terms of equipment and technology NSA provides both collection and cryptographic equipment. A Cryptographic Modernization program is under way with both partners [MIT and SIB] to upgrade encryption on all shared and some non-shared communications links. A High Frequency Direction Finding (HFDF) collection site is [two line redacted] NSA also provides decryption of DHKP/C internet traffic the Turks collect.

- U.S. SIGINT requirements and reporting cover military and paramilitary targets in [redacted] and the KGK [Kurdistan Workers' Party]. This reporting is a mixture of near-real time and product "Tear Line" reports and analysis.

- NSA provides daily interaction and actionable intelligence on foreign fighter Sunni extremists, against both Turkish and non-Turkish individuals. NSA provides regional Tactical [redacted] reporting in two hour increments.

What the Partner provides to NSA:

- The partner provides near real time reporting on military air, naval, ground, and paramilitary targets in Russia, [redacted] Georgia, Ukraine, and on KGK targets, as well as daily summary reporting of Black Sea and CIS Naval and Air activity and [redacted]

[one paragraph redacted]

- NSA enjoys joint operational access to the HFDF site in [redacted] which, in turn, functions as a node on NSA's world-wide CROSSHAIR HFDF geolocation service. The U.S. and 2nd Parties receive approximately 400,000 fixes yearly utilizing Lines-of-Bearing from the [redacted] site while the Turks receive approximately 5000 fixes yearly from its regional usage of CROSSHAIR, an 80 to 1 ratio in FVEY's favor.

- NSA receives Turkish transcripts of KGK voice collection. Cooperation on the KGK target by the U.S. Intelligence Community in Ankara has increased across the board since the May 2007 DNI Memorandum encouraged all to do so.

Section from the information paper about the NSA's relationship with Turkey

Some characteristics

According to the quid pro quo-principle, we see that for each of these foreign partners, the things that NSA provides to the partner roughly equal what the partner provides to the NSA - at least according to the length of the sections in the information papers. The actual content of what each party provides is often very different, as was described in an internal interview from 2009 about the nature of the NSA's Third Party relationships:

"Generally speaking, our Third Party partners want access to our technology, as well as our regional/global reach. In exchange for providing unique accesses, regional analytical expertise, foreign language capabilities and/or I&W [Indications & Warning] support, we provide them with technical solutions (e.g., hardware, software) and/or access to related technology." The partners usually "know their regional hoods better than we do and they exponentially add to our foreign language capability."

When the information papers speak about providing data about "targets of mutual interest", the interview explains: "We must keep in mind that our partners are attempting to satisfy their own national intelligence requirements; with the exception of the assistance we provide during crises, we can only move our SIGINT relationships forward, when U.S. requirements intersect with theirs." This also depends on how long and deep such a relationship is:

"Many of our relationships have, indeed, spanned several decades, allowing us to establish higher degrees of trust with and reliance on one another. This, in turn, has led to greater levels of cooperation, where, for instance, NSA might be willing to share advanced techniques with a proven and reliable partner, in return for that partner's willingness to do something politically risky. Trust requires years to build up but can be lost in a very short period of time."

And finally, the interview also explains: "For a variety of reasons, our intelligence relationships are rarely disrupted by foreign political pertubations, international or domestic. First, we are helping our partner address critical intelligence shortfalls, just as they are assisting us. Second, in many of our foreign partners' capitals, few senior officials outside of their defense-intelligence apparatuses are witting to an SIGINT connection to the U.S./NSA."

April 7, 2021

The communications systems at the US Central Command headquarters

(Updated: April 11, 2021)

Previously, this weblog provided a close look at the phones used by US president Biden. This time we turn to another end of the line and look at the communications equipment which is used at the headquarters of the US Central Command in Tampa, Florida.

A recent 60 Minutes television report provides an unprecedented look inside the Central Command's operations center, where we see the general military communications equipment, followed by some more special devices used by the commander, who also has access to the virtual Desktop Environment for the US intelligence agencies.

Large operations center in the Central Command headquarters, January 2021
(still from 60 Minutes - click to enlarge)

The 60 Minutes television report shows never-before-seen video footage of the Iranian ballistic missile attack from January 7, 2020 on the Al Asad Airbase in Iraq, where 2000 US troops were stationed. The attack was a retaliation for the American drone strike from January 3, which killed the Iranian general Qasem Soleimani, commander of the Quds Force.

The report also includes an interview with general Frank McKenzie, combatant commander of the US Central Command, who leads the US armed forces in the Middle East. McKenzie followed the Iranian missile attack on the Al Asad Airbas at his headquarters, from where he had ordered the killing of general Soleimani six days earlier.

The Central Command headquarters

The United States Central Command (USCENTCOM) was established in 1983 and is one of the eleven unified combatant commands of the US Armed Forces. Its Area of Responsibility (AOR) includes the Middle East, Egypt, Central Asia and parts of South Asia.

CENTCOM's main headquarters is not in its area of operations, but at MacDill Air Force Base in Tampa, Florida, where a new 282,200-square-foot headquarters building was completed in 2012.

The new building includes specialized mission critical spaces like the Command Joint Operations Center, Joint Planning Cell and Operational Planning Element, Network Operations Center and the Command Secure Communications Operations Center.

The headquarters of the US Central Command at MacDill Air Force Base
(photo: Burns & McDonnell - click to enlarge)

The new headquarters building includes more than 109,000 square feet of Sensitive Compartmented Information Facility (SCIF) and space constructed according to sound transmission class (STC) 45 and 50 to support secured operations.

Relevant antiterrorism standards, including progressive collapse mitigation by means of tie forces, were also incorporated in the new headquarters. All concrete contains ground granulated blast furnace slag and fly ash for LEED compliance.

On the website of the construction company there's an earlier photo of the interior of the building showing standard workstations equipped with two computer screens, an Avocent SwitchView KVM switch, a smartcard reader, the ubiquitous HP keyboard, a mouse and two telephone sets: a Nortel Meridian 3903 and a Cisco 7975 IP Phone, one for secure and one for non-secure calls:

Interior of the Central Command headquarters at MacDill Air Force Base
(photo: Burns & McDonnell - click to enlarge)

Military communications equipment

The communications equipment that is currently used at the Central Command headquarters can be seen in the 60 Minutes television report, which shows shots from inside a large and a small operations room.

In the large operations room we see big video screens along the walls and several rows of workstations, each with two sets of communications equipment, one set for access to classified telephone and computer networks and another set for unclassified networks.

According to the color codes of the US classification system the telephones and the smartcard readers have the green label for Unclassified systems and the red label for Secret systems.

Large operations center in the Central Command headquarters, January 2021
(still from 60 Minutes - click to enlarge)

Computer systems

Some of the computer screens show a bright red lock screen with the text "This information system is accredited to process - SECRET - For authorized purposes only", which means that they are part of SIPRNet, the main classified secure network of the US military for tactical and operational information. The military's unclassified non-secure computer network is known as NIPRNet.

Identifying authorized users for NIPRNet is done through the Common Access Card, which is the standard identification for active US defense personnel. Access to SIPRNET requires the SIPRNet token, which is also a smartcard, but without visible identification information.

Coalition networks

Besides NIPRNet and SIPRNet, the Central Command also has separate computer networks for collaboration with foreign partners. For the members of bilateral and multinational coalitions, the United States provides a network architecture called Combined Enterprise Regional Information eXchange System (CENTRIXS), which operates at the classification level Secret/Releasable to [country identifier].

The first CENTRIXS networks were established as of late 2001 by the US Central Command in order to support coalition operations under Operation Enduring Freedom (OEF). This resulted in CENTRIXS-ISAF for operations in Afghanistan and CENTRIXS-GCTF for the Global Counter Terrorism Forces. Meanwhile, both systems have been integrated in the CENTCOM Partner Network (CPN).

The various networks in CENTCOM's area of responsibility
(source - click to enlarge)

A CENTRIXS network consists of servers and thin clients and provides users with at least the following computer applications, giving them the same basic capabilities as users of classified US systems:
- Microsoft Office
- Command and Control Personal Computer (C2PC)
- Integrated Imagery and Intelligence (I3)

These applications allow access to the releasable Near-Real Time (NRT) order of battle from the MIDB database (to be replaced by MARS) and imagery databases and to display the data on a map background. They can also access various browser-based products, send e-mails with attachments and conduct collaboration sessions.

For US military users, these applications are part of the Global Command and Control System (GCCS), which encompasses a suite of over 200 client-server tools and applications for fusing data from multiple sensors and intelligence sources to produce a graphical representation of the battlespace.

Interface of the Command and Control Personal Computer (C2PC) application
(source - click to enlarge)

Telephone systems

In the large operations center at CENTCOM's headquarters there are also a range of Cisco IP phones, some being the older 7975, others the current 8841. The Cisco 8841 IP phones look like the ones that are commercially available, but are actually modified versions from the small telecommunications security company CIS Secure Computing Inc.

These modified phones are approved for use in SCIF and SAPF environments and offer additional on-hook security features which can be engaged for the 'hold' and 'mute' functions while in a call. Speakerphone functionality isn't disabled, but is protected with the on-hook security of the positive disconnect electronics.

Several workstations even have a third telephone set: a Cisco IP Phone 8845, which has a video camera on top for video calls. According to their display background, these phones appear to be for the video conferencing service of the Desktop Environment (DTE, see below) which runs on the Top Secret/SCI intelligence sharing network JWICS.

Operations center in the Central Command headquarters, January 2021
(still from 60 Minutes - click to enlarge)

The commander's communications equipment

The 60 Minutes television report followed general McKenzie into a small room off his main operations center in the Central Command headquarters. There we see similar equipment as in the large room, like computers connected to SIPRNet, in this case for senior staff officers, like the:
- Director of Operations (J3)
- Commander's Action Group (CAG)
- Command Senior Enlisted Leader (CSEL)
- Staff Judge Advocate (SJA)

General McKenzie entering a small operations room, January 2021
(still from 60 Minutes - click to enlarge)

In this small room, commander McKenzie has additional communications equipment that seems not available for the personnel in the large operations center. When he is being interviewed at his place at the table (see the televison still below), we see from left to right:

- A Cisco DX 70 video screen with video camera, probably for the Secure Video Teleconferencing System (SVTS) which is part of the Crisis Management System (CMS) and allows top-level video meetings.

- A Cisco IP Phone 8841 with a distinctive yellow bezel for the highly secure Executive Voice over Secure IP-network which is also part of the Crisis Management System (CMS) and connects the President, the National Security Council, Cabinet members, the Joint Chiefs of Staff, various intelligence agency watch centers, headquarters, and Continuity of Operations (COOP) sites.

- A Touchscreen Executive Phone (TXP) with two additional 50-button Touchscreen Line Expansion units (TLE), manufactured by the small telecommunications security company Telecore, Inc., which also made the Integrated Services Telephone (IST-2) that was on the Oval Office desk of presidents Bush and Obama. These devices are specifically designed for the Defense Red Switch Network (DRSN), which offers full command and control and conferencing capabilities for military commanders up to the level of Top Secret/SCI.

- A Cisco IP Phone 8865 with video camera and a Key Expansion Module. The phone has labels for Top Secret (orange) and Top Secret/SCI (yellow) and appears to be for the video conferencing service of the Desktop Environment (DTE, see below) which runs on JWICS, the main network for intelligence sharing within the US military and the US intelligence community.

- A Cisco IP Phone 8851 with a Key Expansion Module and a label for the classification level Secret (red), which means it runs on SIPRNet and is therefore Voice over Secure IP (VoSIP).

General McKenzie's communications equipment in the small operations room
(still from 60 Minutes - click to enlarge)

According to the 60 Minutes report, it was in this small room where during the missile attack on the Al Asad Airbase, commander McKenzie "could talk directly to the only two people above him in the chain of command" - the Secretary of Defense and the President. To illustrate this, the speed dial buttons on the commander's Touchscreen Executive Phone were shown.

Normally such buttons are blurred out, but here we can clearly see that McKenzie has direct lines to the White House, the Secretary of Defense (SecDef), his house (SecDef Home) and his communications center (SecDef Cables), as well as to the National Military Command Center (NMCC) and the Chairman of the Joint Chiefs of Staff (CJCS XO), among others:

The speed dial buttons on general McKenzie's Touchscreen Executive Phone
(still from 60 Minutes - click to enlarge)

The commander's computers

The same telephones as in the small room appear on McKenzie's place in the large operations room, but here he also has two computer screens connected to a Vertiv Cybex Secure MultiViewer KVM switch which allows access to networks of different classifications levels on a single screen.

Apparently the commander was logged in on one of the classified computer networks, as we can see the desktop background with several application icons - quite remarkable because usually during photo ops or television recordings only unclassified images should be visible.

At the top of the desktop background is a yellow bar which means it's JWICS, the intelligence sharing network for the US military and the US Intelligence Community at the classification level Top Secret/SCI. Unlike NIPRNet and SIPRNet, access to JWICS doesn't require a smartcard, but a software certificate: military users have to identify themselves with a DoD PKI certificate, others need an IC PKI certificate.

General McKenzie's workstation in the large operations center
(still from 60 Minutes - click to enlarge)

The IC Desktop Environment

The desktop background on the commander's computer is deep blue and has the term "DESKTOP ENVIRONMENT (DTE)" with an image of the earth covered by a stylized network. In the bottom left corner we see the seals of the Defense Intelligence Agency (DIA) and the National Geospatial-Intelligence Agency (NGA) and some text.

This "Intelligence Community Desktop Environment" (IC DTE) was conceived in 2012 as a single, identical platform for the US Intelligence Community. As such it's the heart of a huge modernization project called Intelligence Community IT Enterprise (IC ITE), under which data will be stored and processed at the Commercial Cloud Services (C2S) managed by the CIA and the IC GovCloud managed by the NSA.

The implementation of the DTE was managed by the Joint Program Management Office (JPMO) led by DIA and NGA, while the software system was built by BAE Systems under a $300 million contract for five years. This had to result in the Next Generation Desktop Environment (NGDE), which has to bring virtual desktops at different classification levels to one physical computer.

Multiple computers for networks at different classification levels, ca. 2008.
(source - click to enlarge)

With the Desktop Environment (DTE) analysts at DIA, NGA and other US intelligence agencies can go anywhere within these organizations, sit down at any Top Secret workstation, log in, authenticate, and get access to their e-mail, home directories, shared files, etc., which were previously stored on thick client computers at each workstation.

Besides a virtual desktop, the DTE also comes with a common suite of desktop applications and access to common services, including Unified Communications as a Service. Among the first applications were standard e-mail, collaboration tools and video conferencing capabilities. The NSA is responsible for an Apps Mall that incorporates apps stores of the various agencies.

The common collaboration tool for the DTE provides a single interface for secure voicemail integration with e-mail, peer-to-peer file sharing, a screen capture tool and Outlook calendar integration. When additional users transition into the common operating environment, this tool could serve as a single interface for community-wide collaboration. In 2014, there were already some 4.000 DTE users at DIA and NGA.

However, in 2018, John Sherman, chief information officer of the Intelligence Community, said they had come to the realization that it no longer made sense to deliver a standard capability to every agency and user given the differing architectures, security requirements and mission needs.

In order to reach the outcomes for which the DTE was initially created, the Collaboration Reference Architecture (CRA) was created. Agencies can now build applications which fit their own needs as long as they comply with the standards set by the CRA in order to ensure compatibility throughout the different systems.

Finally, the DTE is also a step towards an environment where security and tagging of data will be done at the data level, as opposed to the network level. Traditionally, access to information was based on which network you were on: DIA data were only accessible on the DIA's network, etc.

The idea is that there will be a common Intelligence Community network for which the Identification, Authentication and Authorization (IAA) project of the IC ITE provides access to data and information based on the different credentials of each individual user, so on who you are, what role you have and what accesses are available to you.

Links and sources

- Yahoo! News: 'Conspiracy is hard': Inside the Trump administration's secret plan to kill Qassem Soleimani (2021)
- American News: Biden Allows “60 Minutes” to Release Military Imagery Secrets that Saved US Lives (2021)
- DIA: Striking a balance between compatibility and flexibility in the intelligence community (2018)
- Joint Publication: Joint and National Intelligence Support to Military Operations (2017)
- CSIS: New Tools for Collaboration, The Experience of the U.S. Intelligence Community (2016)
- Raytheon: When Secure KVM Isn’t Enough (2015)
- Defense Systems: How cloud is changing the spy game (2014)
- Deep Dive Intelligence: Interview: Mike Mestrovich – Full Transcript (2012)
- Burns & McDonnell: Joint Intelligence Center, Central Command (2009)
- AFCEA Signal: Desktop System Streamlines Analysis Work (2004)
- MITRE Corporation: Intelligence Community Public Key Infrastructure (IC PKI) (2002)

March 3, 2021

The telephone contacts of president George W. Bush

Always wanted to know who are on the contact list of the President of the United States? In the George W. Bush Presidential Library one can see the telephone from the president's desk in the Oval Office with a clear view of all the speed dial buttons from the final years of the Bush presidency.

Here I will tell a bit more about this special telephone set, followed by a list and a short discussion of all the contacts behind the over 40 speed dial buttons. Finally, the phone used by president Bush is compared with the one from the first years of Barack Obama.

The IST-2 phone at the president's desk in the George W. Bush Presidential Library
(photo: Ron Plante - click to enlarge)

The George W. Bush Presidential Library

Like all US presidents since Herbert Hoover, president George W. Bush also established a presidential library which holds the papers, records, collections and other historical materials from his presidency. Several presidents have been buried on the grounds of their library, which will also happen after the death of George Bush and his wife Laura.

The George W. Bush Presidential Library and Museum was opened in April 2013 and is located on the campus of the Southern Methodist University (SMU) near Dallas, Texas. Like other presidential libraries, it includes an exact replica of the Oval Office in the White House. This allows visitors a close look at the paintings and the furniture and they may also sit behind a reproduction of the Resolute desk for a photograph.

Some visitors of the replicated Oval Office took a photo of the telephone on former president Bush' desk, probably not only because it's a quite impressive device, but also because it has all the names of the president's contacts on its many speed dial buttons.

A visitor tries the phone in the replica of the Oval Office
in the George W. Bush Presidential Library
(photo: instagram/t.ryanmartinez - click to enlarge)

The IST-2 telephone

What most visitors of the Bush Presidential Center won't know is that the phone is an Integrated Services Telephone version 2 (IST-2), which is a so-called "red phone". Unlike the popular image, such a red phone isn't used for the Hotline between Washington and Moscow, but for secure communications with military command centers through the Defense Red Switch Network (DRSN).

For this network there are large telephone consoles which can be used for both secure and non-secure calls. However, the encryption of classified calls isn't done by the phone, but by a separate network encryptor. The IST-2 was designed by defense contractor Raytheon and subsequently manufactured by Telecore Inc., a small company from Richardson, Texas, that took over the production of these telecommunication devices somewhere around 2003.

As part of a military telephone network, the IST-2 also has the distinctive 4 red buttons for the four levels of a system called Multilevel Precedence and Preemption (MLPP). This allows to make phone calls that get precedence over ones with a lower priority, with "Flash Override" to allow the President, the Secretary of Defense and the Joint Chiefs of Staff to preempt any other traffic in the network.

The speed dial buttons on Bush' Oval Office telephone

The IST-2 telephone on president Bush' desk in the Oval Office had 50 line buttons, with labels for the following contacts, grouped according to the colors of the labels:

• BOLTEN - Joshua B. Bolten, White House Chief of Staff from 2006 to 2009.
• FIELDING - Fred F. Fielding, White House Counsel from 2007 to 2009.
• GILLESPIE - Ed Gillespie, Counselor to the President from 2007 to 2009.
• HADLEY - Stephen J. Hadley, National Security Advisor from 2005 to 2009.
• GOTTESMAN - Blake L. Gottesman, Deputy Chief of Staff from 2008 to 2009.
• JACKSON - Barry S. Jackson, Senior Advisor to the President from 2007 to 2009.
• JEFFREY - James F. Jeffrey, Assistant to the President and Deputy National Security Advisor from 2007 to 2009.
• KAPLAN - Joel Kaplan, Deputy Chief of Staff from 2006 to 2009.
• LUTE - Douglas E. Lute, Assistant to the President and Deputy National Security Advisor for Iraq and Afghanistan from 2007 to 2013.
• MEYER - Daniel P. Meyer, Assistant to the President for Legislative Affairs from 2007 to 2009.
• PERINO - Dana M. Perino, White House Press Secretary, 2007 to 2009.
• THIESSEN - Marc A. Thiessen, Director of Speechwritng from 2008 to 2009.
• TUBB - Richard J. Tubb, Physician to the President from 2002 to 2009.
• WAINSTEIN - Kenneth L. Wainstein, Homeland Security Advisor from 2008 to 2009.
• YANES - Raul F. Yanes, Assistant to the President and Staff Secretary from 2006 to 2009.

• VICE PRESIDENT - Dick Cheney, Vice President of the United States from 2001 to 2009.
• Secretary Of STATE - Condoleezza Rice, Secretary of State from 2005 to 2009.
• Secretary Of DEFENSE - Robert M. Gates, Secretary of Defense from 2006 to 2011.
• DNI - Mike McConnell, Director of National Intelligence from 2007 to 2009.
• Director CIA - Michael V. Hayden, Director of the CIA from 2006 to 2009.

• VP HOME - The house of Vice President Cheney, the Naval Observatory in Washington.
• BOLTEN HOME - The house of Chief of Staff Joshua Bolten.
• HADLEY HOME - The house of National Security Advisor Stephen Hadley.
• RICE HOME - The house of Secretary of State Condoleezza Rice.
• GILLESPIE HOME - The house of Counselor Ed Gillespie.

• Situation Room - The Situation Room in the basement of the West Wing.
• HOS Conference - Head of State Conference call.
• SIGNAL OPERATOR - Operator at the Signal Switchboard for non-secure calls.
• Secure OPERATOR - Operator at the Signal Switchboard for secure calls.
• White House OPERATOR - Operator at the White House switchboard for unclassified calls.

• MRS BUSH - Laura Bush, wife of the president.
• 41 - George H. W. Bush, 41st president of the United States and father of the president.
• JWB - Jenna W. Bush, daughter of the president.
• BPB - Barbara P. Bush, daughter of the president.
• CRAWFORD - The Prairie Chapel Ranch of president Bush near Crawford, Texas.
• Secretary EVANS - Donald L. Evans, Secretary of Commerce from 2001-2005.

• ROBERT - ?
• JARED - Jared Weinstein, special assistant and personal aide from 2006 to 2009.
• SAM - ?
• KAREN - (Karen Hughes?)
• ASHLEY - (Ashley Kavanaugh?)
• USHERS - Stephen W. Rochon, Chief Usher of the White House from 2007 to 2011.

• LINE 1 - Outgoing or incoming phone line
• LINE 2 - Outgoing or incoming phone line
• LINE 3 - Outgoing or incoming phone line

President Bush' primary contacts

The names on these speed dial buttons give us some insights into the people president Bush was in contact with. In the first place, represented by the first two rows of buttons, this were West Wing staff members, like the Chief of Staff, his deputies, seniors advisors and assistants. In the third row we see the press secretary and the president's speechwriter as well as the Physician to the President.

The buttons of the fourth row show that president Bush had direct lines only to the Secretary of State and the Secretary of Defense. The same group includes buttons for the Director of National Intelligence (DNI) and the director of the Central Intelligence Agency (CIA), despite the fact that in 2005, the newly created DNI replaced the director of the CIA as a Cabinet member.

George W. Bush using the IST-2 telephone for calling the
British prime minister Gordon Brown, October 7, 2008
(White House photo by Eric Draper - click to enlarge)

The next five speed dial buttons show which people president Bush could call directly even when they were at home: Vice President Cheney, Chief of Staff Bolten, National Security Advisor Hadley, Secretary of State Condoleezza Rice and Counselor Ed Gillespie.

After these first five rows, there's one row in which the buttons are blank - apparently there were no more people who president Bush needed to call directly (unlike Obama, who used all 50 buttons - see below).

The lower half of the speed dial buttons were used for mixed sets of contacts:

Five buttons positioned in an L-shape connected the President to the various communication centers of the White House: first the famous Situation Room in the basement of the West Wing, which is not only a conference room, but also includes a watch center that is operational 24/7.

Another button was labeled "HOS Conference" which means it was used to conduct phone calls to foreign Heads Of State (HOS). These are conference calls because translators, advisers and staffers from the National Security Council (NSC) listen in to translate and take notes of the content of such conversations.

Aides listening in to a phone call by president Obama, March 29, 2009.
(White House photo by Pete Souza - click to enlarge)

The next three speed dial buttons are for switchboard operators, who can connect the President to anyone who cannot be reached through one of the direct line buttons on the Oval Office phone:
First there's the so-called Signal switchboard operated by military personnel of the White House Communications Agency (WHCA). The phone buttons show that this switchboard has an operator for non-secure calls and one for secure communications.

A third button is for the operator of the White House Switchboard, which manages the internal telephone system of the White House which is used for internal and external unclassified phone calls.

Another group of buttons is for family members of president Bush: his wife Laura, his father ("41"), and his daughters Jenna and Barbara, as well as Bush' ranch in Crawford, Texas. Interesting is the button for Donald L. Evans who seems to be included here not because of his job as Secretary of Commerce from 2001-2005, but because of his longtime friendship with Bush.

This brings us to the final group of buttons, with labels that only mention first names, probably of Bush' more personal advisors. One of them was Jared Weinstein, his special assistant and personal aide, but it's less clear who the other four (Robert, Sam, Karen, Ashley) were. When readers of this blog post think they can identify them, please leave a comment.

A final speed dial button is for the ushers of the White House, led by the Chief Usher, who is the general manager of the building and oversees the butlers, maids, housekeepers, chefs, cooks, doormen, and many others.

The IST-2 telephone under Obama

In January 2009, the office of President of the United States was taken over by Barack Obama. On his desk in the Oval Office he found an IST-2 telephone like the one used by his predecessor, but now of course with labels for all the new staff members, cabinet secretaries and other people who Obama liked to call.

The IST-2 telephone on Obama's desk, March 29, 2009
(White House photo by Pete Souza)

Another difference with the IST-2 used by president Bush was that the speed dial buttons on Obama's phone had a different color scheme: while under Bush there was a different color for each type of contacts, under Obama the buttons were only yellow or green. The arrangement, however, was roughly the same, as can be recognized by the three line buttons, which were pink under Bush and white under Obama.

Comparing the other buttons indicate that the colors on Obama's IST-2 represent the classification level: green for Unclassified and yellow for Top Secret/SCI. This is confirmed by the three buttons above the white line buttons: Signal Operator: green; Secure Operator: yellow; White House Operator: green. It shows that most of the president's contacts could be reached via a secure line, likely not much different than under Bush.

The IST-2 phone on Obama's desk, March 24, 2009 - photo rotated for comparison
(photo: Brooks Kraft LLC/Corbis via Getty Images - click to enlarge)

Although it was certainly useful to have just one telephone for both secure and non-secure calls, the IST-2 was probably found a bit too military looking for Obama. Maybe the speed dial buttons also attracted a bit too much attention, so a custom cover plate was made in order to prevent visitors from seeing who the president's primary phone contacts were:

Obama's IST-2 telephone with cover plate, August 31, 2010.
(photo: J. Scott Applewhite/AP - click to enlarge)

In the Spring of 2011, the IST-2 on Obama's desk was eventually replaced by two more common, commercially available phone sets: a black Avaya/Lucent 8520T that had been part of the internal White House telephone network already since 1996, and a Cisco 7975G Unified IP Phone for the new Executive Voice over Secure IP-network which is used for Top Secret phone calls.

Links and sources
- Weblog: About The White House Communications Agency from 1965 to 1974... and Beyond
- Jerry Proc: Hotline Telephones - Making Sense of the Colours and their Use (2018)
- Cryptome: Obama Phones (2012)

January 26, 2021

The phones in president Biden's Oval Office

(Updated: February 21, 2021)

On January 20, Joseph R. Biden Jr. was inaugurated as the 46th president of the United States. As such he has access to the presidential communications system, including secure and non-secure telephone lines.

Here, I will discuss a small and unnoticed change in the telephones on the desk of the new president, as well as what happened to the call device that became known as Trump's "Diet Coke Button".

President Joe Biden in the Oval Office, January 20, 2021.
(click to enlarge)

The telephones on Biden's desk

Already on his first day as president, Biden went to the Oval Office of the White House to sign a range of executive orders.

By then, this famous room had already been redecorated with new paintings, busts and photographs, while Trump's beige rug had been replaced by the deep blue one from Bill Clinton's Oval Office. The flags of the five branches of the US Armed Forces have also been removed.

A close look at the photos shows that there was also a small change in the telephone equipment. On Biden's presidential desk there are now two identical phone sets, which can be identified as the high-end Cisco IP 8851 Phone:

Both phones are not the standard commercially available model, however, as they have been modified by a small communications security company called Advanced Programs, Inc. (API). This can be recognized by the dark gray metal box at the back side of the phone's color display and an additional red button on the front panel of the phone:

The purpose of these modifications is to provide on-hook security for the handset and the speakerphone and probably also for TEMPEST protection - to make sure that the phone cannot, either accidentally or deliberately, pick up and transmit audio when the handset is on-hook.

Comparing the two phones on Biden's desk with the ones used by president Trump, we see that under Trump only one of the Cisco 8851 IP phones had the aforementioned modifications. The other phone was the standard model:

Former president Donald Trump in the Oval Office, December 3, 2020.
(photo: Doug Mills/The New York Times - click to enlarge)

Unclassified phone calls

The modified Cisco 8851 IP phone was placed on the president's desk by the end of 2016, replacing an old Avaya/Lucent 8520T of the internal White House telephone network which is used for all kinds of unclassified phone calls.

This telephone connects to the regular White House switchboard in the basement of the Eisenhower Executive Office Building, where operators can set up calls to whoever the president wants to speak with.

Classified phone calls

The standard, unmodified Cisco 8851 IP phone on Trump's desk was for the highly secure Executive Voice over Secure IP-network which is part of the Crisis Management System (CMS) and connects the President, the National Security Council, Cabinet members, the Joint Chiefs of Staff, various intelligence agency headquarters and watch centers, as well as Continuity of Operations (COOP) sites.

This telephone replaced an old Cisco 7975 IP phone in September 2017 and connects to the so-called Signal switchboard of the White House Communications Agency (WHCA). The WHCA is a joint military unit that provides the president with secure and non-secure communications in Washington as well as during presidential travels. The Signal board also connects to the White House Situation Room.

Despite being used for classified conversations, the Cisco 8851 IP phone for secure calls wasn't equipped with the additional security features like the non-secure telephone - probably because secure calls travel over a separate, encrypted network, which mitigates the risk that adversaries can abuse the phone's microphones for eavesdropping.

But now, under president Biden, the phone for secure calls also has the modifications for on-hook security. Maybe this was considered safer, or maybe it's just to make both phone sets look the same, so outsiders cannot see whether the president is making a classified or an unclassified phone call based upon which telephone he is using.

Usually, the phones for the secure top-level telephone network can be recognized by a bright yellow faceplate, as can be seen at the modified Cisco IP phone that is used when the president is outside the White House, for example.

Yellow is the color code for the highest classification category: Top Secret/SCI, but in the Oval Office this would probably stand out too much, so here this phone just has the presidential seal in the bottom left corner of the black display section:

Close-up of the presidential seal on a Cisco 8851 IP phone

Update #1:

Around the first of February 2021, there was another small change in the phone on Biden's desk in the Oval Office: as can be seen in the picture below, the Cisco IP phone on the left, probably the one for unclassified conversations, now has an Key Expansion Module attached to it, which provides 14 additional programmable direct line buttons.

President Biden's desk in the Oval Office. One of the Cisco 8851 IP phones
having an additional Key Expansion Module, February 2, 2021
(photo: AFP via Getty Images - click to enlarge)

Under Obama, the old Cisco 7975 IP Phone for secure calls had a similar expansion module, but under president Trump that module was removed. Apparently he saw no need for having the extra direct line buttons, probably because he could always make calls via the White House switchboard operator, but it also symbolized that there was only a very small group of people he was in contact with.

Update #2:

On February 18, 2021, the White House released a photo in which we see president Biden in the office of his secretary, just outside the Oval Office. On the desk in front of him are the same modified Cisco 8851 IP phone sets as on his own desk, although here, both have an additional Key Expansion Module.

In the Oval Office, the phones have brown network cables to blend in with the furniture, but in the secretary's office the cables are color-coded: green for the Unclassified network and yellow for the Top Secret/SCI telephone network:

President Biden watches the landing of NASA's Perseverance vehicle on Mars
(White House photo, February 18, 2021 - click to enlarge)

The president's call button

While the small change in phones wasn't noticed, there was quite some media attention for something that appeared missing on the desk of president Biden: the wooden box with the presidential seal and a red push-button, which became known as Trump's "Diet Coke Button".

The removal of this box was just temporarily though, because meanwhile it has been placed back on the president's desk, as can be seen in this photo from January 25:

President Joe Biden at his desk in the Oval Office, January 25, 2021
(click to enlarge)

Trump's "Diet Coke Button"

There are a lot of stories about how president Trump used the button. Former White House communications aide Cliff Sims, for example, wrote in his 2019 book Team of Vipers that Trump would prank visitors by hitting the button and suggesting it was related to the country’s nuclear weapons arsenal.

"Out of nowhere, he'd suddenly press the button," Sims wrote. "Not sure what to do, guests would look at one another with raised eyebrows" he added. "Moments later, a steward would enter the room carrying a glass filled with Diet Coke on a silver platter, and Trump would burst out laughing."

On Twitter, Times Radio political commentator Newton Dunn recalled a similar situation: "When Tim Shipman and I interviewed Donald Trump in 2019, we became fascinated by what the little red button did. Eventually Trump pressed it, and a butler swiftly brought in a Diet Coke on a silver platter."

Trump's glass of Diet Coke in front of the Cisco 8851 IP phone for secure calls
(photo: Jonathan Ernst/Reuters - click to enlarge)

Earlier usage of the call button

The box with the call button is in the Oval Office already since the presidency of Bill Clinton and it's not only on the president's desk, but also on a side table in the seating area and in the small presidential dining room nearby the Oval Office.

The button has nothing to do with nuclear command and control, but can be used by the president to summon assistance. According to earlier sources, it was meant to alert the Secret Service, while others say that pushing the button makes an aide come in for whatever the president may need.

In his autobiography Finding My Virginity from 2017, billionaire Richard Branson recalled what president Obama once said during a lunch in the Oval Office: "As we stood up to leave I noticed the red buttons on his desk. Obama saw me looking at them," Branson wrote. "He said, 'They used to be there for emergencies, but now I use them for ordering tea for my guests.' "

President George W. Bush in the small dining room near the Oval Office
On the table is the wooden box with the call button
(click to enlarge)

Links & sources

- Homepage of the White House Communications Agency
- Politico: Trump hid his calls with Putin. Now, Biden has access to them. (2021)
- Secrecy News: Biden Issues National Security Directive 1 (2021)
- Phone calls with Trump: more risky venture than diplomatic boon (2019)
- Richard Branson Reveals the Real Purpose for Barack Obama's Oval Office Red Button (2017)
- The Week: Who answers the White House phone, anyway? (2010)
- The New York Times: Whitehouse; A Switchboard That is Justly Fabled (1983)