October 26, 2022

A new secure red telephone for German chancellor Scholz

(Updated: October 30, 2022)

In December last year, Olaf Scholz succeeded Angela Merkel as chancellor of Germany. Since about half a year ago, he has a remarkably large red telephone at his desk, which appears to be the SINA Communicator H. This is a brand new device to conduct secure phone calls at different classification levels and part of the widely-used SINA architecture.


German chancellor Scholz with his new red telephone for secure calls
(photo: Jesco Denzel - click to enlarge)



The chancellor's office

When the German government moved back to Berlin in 1999, a new Federal Chancellery was being built that was opened in May 2001 by chancellor Gerhard Schröder. Built in a postmodern style, it is said to be one of the world's largest government headquarters, with nine floors in the central part and over 300 offices in the wings.

On the 4th floor of the main building there's a room shielded against eavesdropping for meetings of the crisis staff (Krisenstab) and the weekly meeting of the heads of the secret services with the head of the chancellery (there's no bunker underneath the building).


The small situation room in the federal Chancellary (source)
with at least three Alcatel 4039 office telephones


Next to the secure conference room is a small situation room (Lage und Krisenzentrum) where information from all over the world is collected 24/7, a selection of which is put in a folder titled Nachrichtenlage which the chancellor finds on his desk every morning, similar to the President's Daily Brief for the American president.

The chancellor's office is on the 7th floor and is very spacious, with a seating area, a conference table and a large, almost 4 meter long black desk. Chancellor Merkel didn't like this desk and used it only for phone calls to foreign leaders. For her daily work she preferred the small conference table at the opposite end of the room.




Video impression of the chancellor's office (December 2021)


The chancellor's telephones

When Olaf Scholz took over the office from Angela Merkel in December 2021, he found two Alcatel 4039 telephone sets on his desk, one of them with an extension module providing 14 additional direct line buttons. The Alcatel 4039 is a high-end IP office phone with a tiny alphabetic keyboard as a distinctive feature.

Alcatel was the telecommunications branch of the French conglomerate Compagnie Générale d’Électricité (CGE), which in 1986 was merged with the telephone equipment part of ITT Corp. from the United States. This made Alcatel NV the world's second-largest telecommunications company. In Germany, Standard Elektrik Lorenz (SEL) had become an Alcatel subsidiary as well, with 20 percent of Germany's telephone equipment market in the early 1990s, second only to Siemens AG. In 2006, Alcatel merged with the American manufacturer Lucent Technologies to become Alcatel-Lucent, which was acquired in 2016 by the Finnish company Nokia and merged into their Nokia Networks division.

Note that in the video we see that one of the phones has a red label and the other one a blue label. This likely indicates which phone is for classified conversations and which one for unclassified calls, according to the color codes of the German classification system:
- Blue: up to Confidential (VS Vertraulich)
- Red: Secret (Geheim) and Top Secret (Streng Geheim)

Ultimately by February 2022, the Alcatel 4039 with the blue label had been replaced by a stylish new IP phone, probably the IP232, made by Innovaphone. This is interesting, because Innovaphone is just a small manufacturer, but as a German company its products may be considered less risky than those of foreign manufacturers.


The IP232 made by Innovaphone (click to enlarge)



The new red telephone

The first time the new red telephone on chancellor Scholz's desk was seen was during an interview with T-Online that was published on May 15, 2022. The phone got broader attention by a photo posted on Scholz's Instagram account on September 13, 2022, during or after a 90-minute phone call with Russian president Putin.

This was picked up by the German tabloid paper BILD, which in a video report (see below) suggested that Scholz had used his new red telephone ("back from the days of the Cold War") to make the phone call with Putin. However, on its website, BILD stated that for conversations with for example the Kremlin, Scholz uses another secure line.

The latter is most likely because for a secure phone line, both parties have to use the same encryption system, and in this case it's not very likely that the Germans would provide Putin with their newest secure voice encryption technology. In the United States, a "red phone" is also used for internal command and control communications and, despite widespread popular belief, not on the famous Hotline between Washington and Moscow.






secunet Security Networks AG

BILD had also identified Scholz's new red telephone as the so-called SINA Communicator H. This device is manufactured by the German cybersecurity company secunet Security Networks AG, which is headquartered in Essen and was founded in 1997 as an offspring of the venerable testing association TÜV.

In 2004, secunet became a partner in the IT Security Partnership (Sicherheitspartnerschaft) with the federal Interior Ministry, which by then also included Rohde & Schwarz, Deutsche Telekom, Siemens, IBM Deutschland and Infineon.

Until recently, German government and military departments used voice encryption systems for ISDN, which was very popular in Germany. But German telecommunication providers are phasing out their ISDN service one by one, replacing it by Voice over IP (VoIP) via DSL. This made it urgent for the government to replace their existing voice encryption systems.


The SINA Communicator

Hence, secunet developed the SINA Communicator, for which it already had years of experience when it came to the hardware. For the necessary software for encrypted voice and video communications, secunet acquired the German company Stashcat GmbH, which in 2016 launched the Stashcat secure smartphone messenger that is used by some 50.000 German soldiers, as well as by schools, companies and local governments.

The name "SINA Communicator H" signifies that the device is part of the Secure Inter-Network Architecture (SINA) product family for securing digital data and communications (see below), in this case up to the classification level Secret. The latter is indicated by the letter H, as the last letter of the SINA product designations indicates their maximum classification level:
- S: up to VS-Nur für den Dienstgebrauch (Restricted)
- E: up to VS-Vertraulich (Confidential)
- H: up to Geheim (Secret)

As such, the SINA Communicator H was certified by the Federal Office for Information Security BSI in July 2021. Certification for organizations of the European Union and NATO has been requested.




The SINA Communicator is a fairly large and heavy device (weight ca. 5,5 kg) and despite the bulky look of its backside it won an iF Design Award earlier this year. Unlike common telephones, the SINA Communicator only has four buttons (for mute, up, down, and headset); all other functions are accessible through the 10,1" LCD touchscreen.

It seems that currently, the device can only be used for secure phone calls. A secure messenger, video telephony and the integration of thin client functionality will be part of future upgrades. Other options such as web clients, fax support, file and document transfer and multi-party messaging can also be added.

A special feature of the SINA Communicator is the Multi Level Data Separation, which means that users can communicate at different classification levels by selecting one of the approved levels via the touchscreen display. This will make it possible to use the same device to communicate with foreign partners as well.




The SINA Communicator supports up to three different networks, depending on the need of the user, which enable them to communicate at various German classification levels, or at (classified) networks of European and NATO partners, up to the level Secret.

For access to a particular network at a particular classification level, users get a hardware token in the form of a small key for each network they are authorized to. The key for each network has to be plugged into the phone to provide two-factor authentication:




The SINA Communicator can be used on dedicated government networks or directly on the public internet and is also compatible with the modernized command and control systems (Harmonisierung der Führungsinformationssysteme or HaFIS) of the German armed forces.

The Communicator uses standard VoIP protocols, including the Session Initiation Protocol (SIP) for common commercial systems and the Secure Communications Interoperability Protocol (SCIP) for secure communications with NATO partners.

Encryption is conducted with a "type A cryptographic suite" and key management through a Public Key Infrastructure (PKI) or the Internet Key Exchange version 2 (IKEv2), which can be upgraded to provide resistance against attacks by future quantum computers (PQC).


Update:

The SINA Communicator comes standard in black; the version in red seems to be for German government users to communicate up to the classification level Secret. It's not clear why this is signified with an almost completely red device, instead of with a less-eyecatching marking.

In the US, for example, the phones for calls at the highest level simply have a bright yellow bezel surrounding the display, but for the Oval Office apparently even that was standing out too much, so there the phone for secure calls looks almost identical to the one for regular phone calls, similar to the two Alcatel 4039 phones that had been on Scholz's desk.


Introduction of the SINA Commnicator H in red
(source - click to enlarge)


The SINA architecture

The SINA Communicator is the latest addition to the Sichere Inter-Netzwerk Architektur or Secure Inter-Network Architecture (SINA) to protect classified information and communications. Following a tender by the BSI, secunet started developing the SINA architecture in 1999.

SINA enables the secure processing, storage, transmission and documentation of classified information and consists of a range of terminals and network encryption devices, including:

- SINA L2 Box: Encryption at OSI layer 2 with data throughput of up to 100 GBit/s.

- SINA L3 Box: IPSec encryption at OSI layer 3 with data throughput of up to 5 GBit/s.

- SINA Workstation: Providing secure access to both classified and unclassified networks.

- SINA Workflow: Dedicated document management system for classified information




SINA encryption

At the lower classification levels, message encryption was initially conducted via the classified cryptographic algorithm CHIASMUS, but this has been replaced with the publicly available AES block cipher. The SINA products also use the Elliptic-curve Diffie-Hellman (EC-DH) for key exchange and the Elliptic-curve German Digital Signature Algorithm (EC-GDSA).

At the higher classification levels, SINA products used the classified cryptographic algorithm LIBELLE, which was stored on the PLUTO crypto processor made by Infineon. This chip was integrated in a Hardware Security Module (HSM) called PEPP1, which was manufactured by Rohde & Schwarz. LIBELLE was gradually replaced by a new classified encryption algorithm.


Usage of SINA products

In Germany, SINA products are installed at goverment departments, military facilities, companies working with classified information and critical infrastructures. Also secured by SINA encryption devices are the wide-area networks for Secret information of the German foreign intelligence service BND, as well as the global secure network connecting German embassies via the internet.

Data that are intercepted under Germany's lawful interception authorities are also secured by SINA network encryptors when they are transferred from the telecommunications provider to the appropriate government agency.

SINA devices are also certified by the responsible authorities of NATO and the European Union and used by public institutions and commercial enterprises in other countries as well. Meanwhile, some 170,000 SINA products have been installed in over 30 countries.

In the Netherlands, for example, the cybersecurity company Fox-IT equips SINA boxes with its RedFox encryption module, which comes in a commercial version and one with classified algorithms for government users.



Links and Sources
- secunet: SINA Communicator H factsheet
- BSI: SINA Broschüre (2016)
- BILD: Wenn beim Kanzler das rote Telefon klingelt (2022)
- Der Spiegel: Im Kanzleramt (2005)
- Verwaltungsvorschriften: Hinweise zur Handhabung von Verschlusssachen

October 12, 2022

Jareh Dalke arrested for offering NSA documents to the Russians


On September 28, the FBI arrested Jareh S. Dalke, who attempted to sell the Russians some highly classified documents which he exfiltrated within less than a month after he started working at the NSA. Court records provide a lot of interesting details about this case, but also raise a number of questions.



Union Station in Denver, Colorado, where Jareh Dalke provided highly
classified NSA documents to someone he assumed to be a Russian agent



A job at the NSA

At the time of his arrest, Jareh Sebastian Dalke lived in Colorado Springs, Colorado and was 30 years old. He had been a member of the US Army from 2015 to 2018 and obtained a bachelor in Cybersecurity and Information Assurance from Western Governor's University in 2019. According to his resume he also has a master's degree from Norwich University, which includes a focus on cyber policy and technical vulnerability analysis.

On June 6, 2022, Dalke became a civilian employee of the NSA and started as an information systems security designer assigned to an NSA facility in the Washington DC metro area. Not mentioned in the court records is why Dalke took a job more than 1600 miles or 2600 kilometers from where he lived, while the NSA also has a regional Cryptologic Center in Denver, which is just 70 miles or 110 km from his hometown.

It would have made more sense if Dalke only attended a training at the NSA facility near Washington, while his actual job would have been at the regional center in Denver - similar to Edward Snowden, who first attended a two-week training course at NSA headquarters before starting as an infrastructure analyst at the NSA's regional center in Hawaii.


Security clearance

For his new job at the NSA, Dalke's clearance for Secret information from his time at the Army was upgraded to a Top Secret/SCI clearance, which is common for almost everyone working at the NSA. This clearance requires the most rigorous vetting, which includes disclosing financial information like debts and bankruptcies going back seven years.

According to court records, Dalke had filed for bankruptcy in December 2017 when he had some 32,000 USD in student loan debt and 51,000 USD in other non-secured debt, primarily from credit cards. Usually things like these are a red flag, as it makes someone vulnerable to blackmail or willing to sell classified information - which was exactly what happened in this case.


Exploiting a misconfiguration

Once at the NSA, Dalke apparently soon got access to classified information beyond what he was allowed to see. This was due to "a misconfiguration in the system" as he later told his presumed Russian contact. It's asthonising that he found this flaw already within 10 days after he started his job: he printed one of the stolen classified documents already on June 17, 2022. Was this an extreme coincidence or was it orchestrated?

A highly speculative theory could be that the Russians had Dalke recruited early on and urged him to apply for a position at the NSA (which could explain why he took a job that was 1600 miles away). Once Dalke was inside, the Russians gave him the details about the misconfiguration and which information he should look for. In the court records there's nothing that hints at this option, but also not much that contradicts it.


Printing classified documents

Later, Dalke printed at least three additional documents with which he was able to walk out. Exfiltrating printed documents is easier than information in electronic form as the latter can be detected by detection gates. Earlier it had become clear that there were no pocket checks at the NSA and security guards only conducted random checks and used their discretion in order to keep and build the trust of the employees.

It's not clear how Dalke transferred the classified documents to his presumed Russian contact, but he could have known that making a scan or a photo of a printed document still makes it individually traceable.

That was painfully demonstrated by the case of former NSA employee Reality Winner, who printed a document which she provided to the investigative website The Intercept. Due to sloppyness of The Intercept, the document was recognized and traced by the NSA, after which the FBI arrested Winner on June 3, 2017.


The NSA document which Reality Winner leaked to The Intercept in 2017
(click to view the full document)



Contacting the Russians

According to the court records submitted by the FBI, Jareh Dalke abruptly left the NSA because of "a family illness that required him to be away for nine months, a period which the agency was unable to support." He submitted his resignation on June 28 and was debriefed from his TS/SCI clearance on July 1, 2022.

At the end of July, Dalke began communicating with someone he believed to be associated with the Russian government, but who actuallly was an undercover agent of the FBI, a so-called Online Covert Employee (OCE). According to the FBI they exchanged encrypted e-mail messages through a legitimate foreign e-mail provider, likely the Swiss company ProtonMail or a similar secure e-mail provider.

It's not known how Dalke came in contact with the undercover FBI agent, but he could have tried to contact for example the Russian embassy in Washington and was then detected by the FBI which closely monitors such communication channels. If so, the FBI could subsequently contact Dalke under the guise of being a Russian intelligence officer.

(Emptywheel noticed that on the same day that Dalke was arrested, the FBI also arrested Jamie Lee Henry and her wife Anna Gabrielian, who wanted to provide Russia with medical records of senior American military officers)


Dalke's motives

According to court records, Dalke told the undercover FBI agent that he "recently learned that my heritage ties back to your country, which is part of why I have come to you as opposed to others". Although he had already left the NSA, he said that he worked for the US government because he "questioned our role in damage to the world in the past and by mixture of curiosity for secrets and a desire to cause change."

Dalke then told his contact that he had "exfiltrated some information that is of a very high level" which was related to foreign targeting of US systems and information on cyber operations, among other topics.

He added that at the moment he was on a temporary assignment elsewhere that didn't allow him access to such information, but that he planned to return to a position that would give him access to information from both the NSA and another government agency.


Proof of willingness

Dalke offered the information in exchange for a specific kind of cryptocurrency, stating, "there is an opportunity to help balance scales of the world while also tending to my own needs."

On August 5, the undercover FBI agent asked him for some proof, after which Dalke sent him three excerpts, two from Top Secret documents and one from a document classified as Secret. According to NSA records, Dalke had printed these documents on June 17, 22 and 23 and was also the only NSA employee to have printed all of these documents.

On August 10, Dalke also sent his covert contact a full document from another US government agency, as a "show of good faith" and that he was "willing to provide full documents without reservation." This four-page document contained information about a foreign government leader and was classified SECRET//NOFORN.


Request for verification

In two e-mails from August 23 and 24, Dalke requested his covert contact to verify that he was truly a representative of the Russian government. According to court records, Dalke claimed that he had reached out through "multiple published channels to gain a response. This included submission to the SVR TOR site."

The SVR is the Russian foreign intelligence agency, which apparently has a website on the anonymous TOR network as well. Dalke requested a verification by a posting on an official website or through a report in a government-controlled Russian media outlet. It's not clear whether or how this was conducted, but the e-mail communications between Dalke and the undercover FBI agent continued.


The website of the Russian foreign intelligence agency SVR on the public internet


Seeking additional information

On August 26, Dalke claimed that his total debt was already some 237,000 USD and that 93,000 USD was coming due very soon. Accordingly, he requested 85,000 USD in return for all the classified information he had in his possession - a remarkably risky way of solving debts, given the high salaries which Dalke, with his TS/SCI clearance, could have expected when he would take a job in the private sector.

Dalke even told his contact that he would share additional information in the future, once he returned to the Washington DC area. And indeed, on August 11 he had applied to an external vacancy at the NSA again. The NSA's Human Resources Department was unaware of the FBI investigation into Dalke and conducted a telephonic interview with him on August 24, in which he expressed his desire to return to the agency.

This is very similar to Snowden, who took his last job at the NSA to get even more access. But while Snowden was looking for additonal information about NSA collection efforts, Dalke was apparently primarily interested in the money and appeared much less careful in hiding his digital traces.

On August 25, the undercover FBI agent sent a second amount of cryptocurrency to an address that Dalke had provided. A few days later, Dalke deposited a similar amount of the same type of cryptocurrency on an account in his true name at the cryptocurrency exchange Kraken, from which he withdrew the same amount in US dollars (ca. 4,500 USD) and deposited it at his bank account.


Final transfer and arrest

After much back and forth, Dalke and the undercover FBI agent agreed to transfer the full documents in Denver, Colorado. Dalke was told that a secure connection would be available at Union Station, on September 28, 2022, between 11:30 a.m. and 3:30 p.m., during which time he could transmit the classified material.

We don't know how this electronic dead drop worked, but a likely option would be a secure wifi connection. That allows communicating at a certain distance without meeting in person or using the telephone network or the internet.

On September 28, Dalke arrived at Union Station and used his laptop to transfer five documents via the secure connection. Right after that he was arrested by the FBI.


Union Station in Denver, Colorado



Highly classified documents

In Denver, Dalke had sent the undercover FBI agent the following five documents:

1. A letter in which he wrote that he was very happy to provide the information and asked whether there were any desired documents which he was willing to find when he returned to his main office.

2. A ten-page typed document containing additional information related to the threat assessment of the military offensive capabilities of a foreign government (source of excerpt 1 which Dalke had sent his covert contact earlier on).
Classification: TS//SI-G//OC/REL TO USA, CAN, GBR/FISA

3. A fourteen-page typed document containing additional information related to sensitive US defense capabilities, a portion of which relates to a foreign government (source of excerpt 3).
Classification: TS//SI-G//OC/NF

4. A fourteen-page typed document containing additional information regarding plans to update a certain cryptographic program (source of excerpt 2).
Classification: TS//SI-G//OC/NF

5. A fourteen-page typed annex containing additional information related to the plans to update a certain cryptographic program (source of excerpt 2).
Classification: TS//SI-G//OC/NF


The abbreviations in these classification markings stand for:

- TS = Top Secret (release would cause exceptionally grave damage to national security)

- SI = Special Intelligence (intelligence from intercepted foreign communications)

- G = GAMMA (highly sensitive communications intercepts)

- OC = ORCON (the originator of the information controls to whom it is released)

- NF = NOFORN (the information may not be disclosed to foreign nationals)

- REL TO USA, CAN, GBR (Releasable to the US, Canada and the United Kingdom)

- FISA (information derived from FISA collection inside the US)


The GAMMA compartment

It is remarkable that all four documents which Jareh Dalke eventually transferred to his covert contact have the classification marking GAMMA, which is a compartment of the Special Intelligence (SI) control system to provide additional protection for highly sensitive communication intercepts.

Such documents are of course closely guarded and even among the more than thousand documents published during the Snowden revelations, there were none from the GAMMA compartment. The Snowden trove did include 12 entries of the NSA's internal WikiInfo platform which has the maximum classification level TOP SECRET//SI-GAMMA/TALENT KEYHOLE, but these particular entries have no GAMMA information in them.

In 2015, however, Wikileaks had published a number of intelligence reports from the GAMMA compartment about the French president, the German chancellor and the UN secretary general. They were part of a series of documents, provided by a still unknown source, which were even more embarrassing for the US government than most of the Snowden files.




Intelligence report classified TOP SECRET//COMINT-GAMMA,
published by Wikileaks in 2015
(click to enlarge)



Conclusion

Almost ten years after Snowden left the NSA with several hundred thousand files, it's remarkable and surprising that it's apparently still possible that someone gets a job there and just walks out with highly sensitive documents - within less than a month!

However, as the court records leave several key questions unanswered, we don't known whether Jareh Dalke was just "lucky" to find a way to solve his debts, or whether he was part of a more sophisticated Russian spying operation.

As former NSA general counsel Rajesh De explained back in 2016, it is unlikely "you’re going to be able to stop every incident of somebody taking documents if they’re determined to do so. But the real question is how quickly can you detect it, how quickly can you mitigate the harm of any such incident." That at least seems to have gone well in this case.



Links and sources
- Court records: Affidavit (Sept. 27) - Indictment (Oct. 7)
- Schneier on Security: NSA Employee Charged with Espionage (Oct. 4, 2022)
- Clearancejobs: Ex-NSA Employee Arrested by FBI for Attempted Espionage (Sept. 30, 2022)
- Emptywheel: FBI Seems to Be Collecting Offers to Spy for Russia (Sept. 30, 2022)
- The New York Times: Former National Security Agency Employee Charged With Espionage (Sept. 30, 2022)

Some older articles on this weblog that are of current interest: