The communications equipment in Trump's Situation Room photo

Last Sunday, October 27, the White House released a photo showing president Trump and his national security team in the Situation Room of the White House.

The photo caused some discussion because people suggested that it might be staged, but here the focus will mainly be on the communications equipment.

President Trump and his national security team in the White House Situation Room, October 26, 2019
(White House photo by Shealah Craighead - click to enlarge)

The people in this photo are (from left to right): National Security Advisor Robert O’Brien, Vice-President Mike Pence, President Donald Trump, Secretary of Defense Mark Esper, Chairman of the Joint Chiefs of Staff US Army General Mark A. Milley, and Brig. Gen. Marcus Evans, Deputy Director for Special Operations on the Joint Staff.

According to the press secretary, they were monitoring developments as US Special Operations forces closed in on the compound of ISIS leader Abu Bakr al-Baghdadi in Syria. Baghdadi eventually killed himself (and three of his children) by detonating a suicide vest. Some 14 hours after the raid, Trump announced Baghdadi's death.



Telephone equipment

In the photo released by the White House we also see several different telephone sets: left of president Trump, at his right hand, is a Cisco IP phone (either the 8841, 8851 or 8861), which is part of the internal White House telephone network and can be used for all non-secure calls.

On the back of this phone is a black metal box, which is a modification by Advanced Programs, Inc. (API) in order to meet Telephone Security Group (TSG) standards, including measures to prevent the handset and the speakerphone from picking up and transmitting audio when the phone is on-hook.

> See also: Trump's "beautiful" Oval Office phones and what was changed on them

A close-up of the telephones in the White House Situation Room
(White House photo - click to enlarge)

A similar Cisco IP phone can be recognized at the left side of Trump, in front of the Chairman of the Joint Chiefs of Staff. This telephone doesn't have the additional box on the back, but does have a bright yellow faceplate, which is the color code for the highest classification level: Top Secret/SCI.

Therefore, this telephone is for secure calls, through the dedicated Executive Voice over Secure IP-network, which connects the US president with all major decision makers. The phone itself has no encryption capability, as it's connected to a central network encryptor, probably from General Dynamics' TACLANE familiy.

> See also: A new secure phone for outside the White House

The secure telephone is almost hidden behind an older Cisco 7975G IP phone. This phone seems to have the standard silver faceplate, but there's a red label on the handset, which often indicates a secure line. Maybe it was installed especially for this operation as in the White House these old Cisco phones should have been replaced by newer ones from the 8800-series

Computer equipment

Besides the telephones, there are also some computers in the Situation Room: a tablet computer and three black laptops, one of which has two yellow labels, showing that the device may be used for classified information up to the level of Top Secret/SCI.

In the middle of the table there's a mess of network cables, many of them color-coded according to the classification level of the network they may connect to: red for Secret and yellow for Top Secret/SCI networks. Given that the meeting was about a military operation, they probably used:

- SIPRNet for military information at the Secret level
- JWICS for Top Secret/SCI military intelligence.

> See also: US military and intelligence computer networks

Both networks also have Voice-over-IP and video streaming capabilities. The audio and video in the conference room can be controlled by the small AMX touchscreen right in front of the president.

Close-up of the AMX audio and video control panel on the conference table
(still from a White House video - click to enlarge)

Was the photo staged?

Immediately after its release there were speculations about whether the photo was staged. On twitter, former White House photographer Pete Souza initially wrote: "The raid, as reported, took place at 3:30 PM Washington time. The photo, as shown in the camera IPTC data, was taken at “17:05:24”."

The latest press reports however say the attack in Syria took place after midnight local time in Syria, which corresponds to 6:00 PM in Washington. President Trump had been out golfing and arrived back at the White House at 4:18 PM, well in time to be in the Situation Room around 5:00 PM - which would mean the photo was taken before the two-hour operation started.

The photo of Trump's Situation Room reminds of the one showing president Obama and his national security team following the operation in which Osama bin Laden was killed on May 1, 2011, a scene that is generally assumed to look more realistic:

President Obama and his national security team following the
mission against Osama bin Laden, May 1, 2011.
(White House Photo by Pete Souza - click to enlarge)

In the Obama photo most officials aren't wearing suit jackets and no one is looking at the camera. Everyone was focused on the dramatic events on the video screen of the room (which is one of the smaller meeting rooms, next to the main conference room seen in the Trump photo).

By contrast, Trump and his ministers are fully dressed up with the president himself right in the center. Everyone looks, or is supposed to look right into the camera, which means the photographer stood right in front of the main video screen as can be seen in an earlier photo of the room taken from another angle:

President Trump meets with Republican and Democratic leaders, January 2, 2019.
(White House Photo by Shealah Craighead - click to enlarge)

So it seems that just before the operation against Abu Bakr al-Baghdadi started, president Trump took the opportunity to have pictures taken showing him and his national security team in the way he likes it - which is opposite to Obama's much more informal style.



Links & sources
- Der Spiegel: The Hunt for the World's Most-Wanted Terrorist
- The Independent: Anomalies in Trump situation room photo spark online conspiracy theories it was staged
- Business Insider: Trump’s al-Baghdadi raid Situation Room photo has one big difference from Obama’s Osama bin Laden picture ⁠— and it tells you everything about their styles
- CNN: Photos highlight stark differences in Trump and Obama approaches

From 9-Eyes to 14-Eyes: the Afghanistan SIGINT Coalition (AFSC)

(Updated: January 30, 2024)

It was a mystery for over five years: the 9-Eyes intelligence cooperation, which was first revealed by The Guardian in November 2013. It was only an extensive new piece on the website The Intercept from last May that made clear that the 9-Eyes is actually the Afghanistan SIGINT Coalition (AFSC).

The main purpose of the AFSC was to collect GSM metadata using DRT interception devices and feeding them into the NSA's huge data analysis platform for Afghanistan operations called the Real Time Regional Gateway (RT-RG).

The AFSC started in 2009 with nine members but eventually grew to the same 14 countries that already cooperated in another intelligence exchange group called SIGINT Seniors Europe (SSEUR). The AFSC existed at least until the end of 2014.

Slide from an NSA presentation about the Afghanistan SIGINT Coalition (June 2009)
Published by The Intercept in May 2019
(click to enlarge)

Intelligence sharing coalitions

The existence of the 9-Eyes group was first revealed by the British newspaper The Guardian on November 2, 2013:

"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

This revelation caused some embarrassment, as especially France and The Netherlands had clearly expressed their anger about the NSA's alleged eavesdropping operations against their citizens (see below), but now it turned out they were also engaged in some close alliances with the Americans.



Other 9-Eyes: CFBLNet

The Guardian's revelation started speculation about the differences between these groups and their specific purposes. From open sources, a range of similar "Eyes" for sharing military and intelligence information were identified on this weblog in November 2013 in a posting titled Five Eyes, 9-Eyes and many more.

It turned out that the term 9-Eyes was already used since 2008 for exchanging classified information among the Five Eyes and nine NATO members of the Combined Federated Battle Laboratories Network (CFBLNet). This is a multilateral network for research, development and testing on C4ISR systems.

However, the members of the CFBLNet 9-Eyes were not fully identical with those in the Guardian article, so it seemed not likely that this was the mysterious 9-Eyes group mentioned in the Snowden documents.

The 9-Eyes of the CFBLNet listed in a NATO standardization document from 2010
(click to enlarge)

 


14-Eyes: SSEUR

In December 2013, Swedish television published a range of NSA-documents from the Snowden files which revealed that the 14-Eyes were also known as the SIGINT Seniors Europe (SSEUR) and consisted of the Five Eyes plus nine European partners: Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden:

(click to enlarge)

From various other sources it became clear that the SIGINT Seniors Europe is a group in which the heads of the participating military or signals intelligence agencies coordinate the exchange of military intelligence according to the needs of each member.

The SSEUR group was established in 1982 for more efficiently monitoring the Soviet Union* and a database system called SIGDASYS was set up so the participating agencies could exchange as much military SIGINT and other information as possible.* In the early 2000s, a sub-group for counter-terrorism was formed under the name SIGINT Seniors Europe Counter Terrorism coalition (SISECT).



Afghanistan

Meanwhile, the function of the 9-Eyes remained unclear: the Dutch interior minister Ronald Plasterk refused to say anything about it, but there were rumours that it was for exchanging military signals intelligence related to operations in Afghanistan.

That could explain why no other documents about the 9-Eyes had been published, because apparently Glenn Greenwald had an agreement with Snowden not to disclose information that could endanger American troops in Afghanistan.

Nonetheless, information about NSA's involvement in Afghanistan did came out: in June 2014 for example, the German magazine Der Spiegel released an NSA paper from January 2013, which lists all the members of the Afghanistan SIGINT Coalition (AFSC). Its membership appeared identical with the SIGINT Seniors Europe or 14-Eyes.

NSA presentation slide showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 2014.

From 9-Eyes to 14-Eyes

But as was revealed in The Intercept's article from last May, the Afghanistan SIGINT Coalition not always had 14 members: the group started in 2009 with just nine members and was therefore called 9-Eyes. Besides the Five Eyes it included Denmark, France, the Netherlands and Norway.

In 2010, Sweden and Germany joined the Afghanistan SIGINT Coalition and by January 2013, Belgium, Italy, and Spain had also become members of the group. By then, the AFSC had exactly the same membership as the SIGINT Seniors Europe or 14-Eyes.

It is not known whether the number of "Eyes" increased with each new AFSC member, but it's clear that an "Eyes" designation is not always a unique designator and there can be multiple groups with the same number of Eyes at the same time. To avoid confusion, such multilateral partnerships can best be called by their actual names.

 


The Real Time Regional Gateway

The Afghanistan SIGINT Coalition was created because the NSA needed additional linguistic capabilities as well as data from regions in Afghanistan where they had little or no coverage themselves.

Therefore they turned to trusted coalition partners and provided them with wireless interception equipment known as DRT-boxes, which were first identified as such on this weblog in November 2013.

After Dutch, Danish, Norwegian, German and Spanish troops each got one, two or three DRT devices, they started feeding intercepted GSM metadata into a huge distribution and analysis system called Real Time Regional Gateway (RT-RG) as of Summer 2008.

This RT-RG system was first publicly mentioned in a Defense News article from October 2010 and in the book Top Secret America from 2011 it was described as follows:

"RTRG allows users to see all signal intelligence that collectors are working on in real time. This includes ground collectors, Air Force RC-135 Rivet Joint and Liberty planes, SIGINT-equipped drones, and SIGINT satellites operated by the NRO. RTRG has provided a tenfold increase in the speed with which intercepts are povided to operators on the ground."

This is already a pretty accurate description, except that it doesn't mention the participation of coalition partners, which governments always handle as something extremely sensitive.

Slide from an NSA presentation showing all the collection systems that fed the RT-RG platform
(click to enlarge)

RT-RG started as a project called RT-10, which was first deployed in Baghdad in 2007. An internal NSA newsletter says that in order to provide a comprehensive real-time view of the telephone and internet communications in Baghdad (with roughly 4 to 5 million residents), the RT-10 system had to be able to ingest each day:

- 100 million telephone metadata records
- 1 million pieces of telephone content
- 100 million internet metadata records

The success of the RT-RG system lay in the fact that these massive amounts of data were stored locally: in 2009, a large RT-RG data center was built at Area 82 of Bagram Airport north of Kabul. It was right next to the Afghanistan Regional Operations Cryptologic Center (A-ROCC), where analysts from the 9-Eyes countries worked side-by-side.

Previously, war-fighters in the field had to retrieve their intelligence from central databases at NSA headquarters. This costed time and bandwith, but it also meant that only data related to known targets was sent back and stored. But with storing the full-take collection in a regional repository, all data could be subjected to analytic algorithms in order to find new targets for the so-called Find, Fix, Finish operations.

In 2011, the Afghanistan RT-RG had a database of 27 terabytes, which could only store approximately one month of regional data (90% of the user queries were within a one-week timeframe though). A planned move to NSA's new cloud architecture would increase the storage space to up to 125 TB and would allow larger-scale analytics to be conducted.

Architecture of the Real Time Regional Gateway (RT-RG) in 2012
(source: NSA presentation - click to enlarge)

BOUNDLESSINFORMANT

How many GSM metadata the countries from the Afghanistan SIGINT Coalition collected can be seen in charts from the NSA's data visualization tool BOUNDLESSINFORMANT. The available charts show that the following numbers were acquired through the DRTBOX system during a one month period between December 10, 2012 and January 8, 2013:

- France: 62 million metadata records
- Spain: 60 million metadata records
- Italy: 45 million metadata records
- Sweden: 33 million metadata records
- Norway: 33 million metadata records
- Denmark: 22 million metadata records

(The chart for the Netherlands shows the CERF CALL method through which cellphone metadata from Somalia were collected. DRTBOX is not mentioned, maybe because Dutch troops had left Afghanistan already by August 2010)

These numbers are very small compared to what NSA and American military units collected. They also, once again, show that "mass surveillance" of entire populations would require the collection of billions of metadata records rather than the millions that showed up in these particular charts (60 million would roughly be the number of metadata generated by 20.000 handsets).

In the second half of 2013, these charts were published in various major European newspapers saying that they proved that NSA monitored millions of phone calls in those countries. Soon it turned out this interpretation was completely wrong, something which co-author Glenn Greenwald only admitted in The Intercept's article from last May.

> See also: Dutch government tried to hide the truth about metadata collection

BOUNDLESSINFORMANT chart showing metadata collected by French intelligence,
including 62 million records through the DRTBOX system
(click to enlarge)

3rd Party partners

Interesting is that Polish troops in Afghanistan also got one DRT interception device and there's also a BOUNDLESSINFORMANT chart showing that in one month time they collected some 71 million cellphone metadata. But despite this effort, Poland did not become a member of the Afghanistan SIGINT Coalition.

Poland was also not a member of the SIGINT Seniors Europe, so it seems the AFSC was only meant for countries that were already part of the SSEUR. The slide at the top of this blog post shows that, together with several other NATO countries, Poland is listed in red as a "National SIGINT Partner".

Except for Slovenia, these National SIGINT Partners appear to be identical with the so-called 3rd Party partners, which are the (signals) intelligence agencies of over 30 countries with which NSA has a formal relationship. They are one level below the 2nd Party partners, or Five Eyes, who have a fully integrated signals intelligence cooperation.

> See also: NSA's Foreign Partnerships

Quid pro quo

The operations in Afghanistan show how many different levels of cooperation there can be: there were 3rd Party partners who did nothing more or less than ordinary NATO members. Among them, information is only shared up to the classification level SECRET.

Then there was Poland which collected and shared telephone metadata, but did not participate in the CENTER ICE platform through which the countries of the SIGINT Seniors Europe communicated and exchanged threat information at the level TOP SECRET/SI.

The closest cooperation for 3rd Party partners was in the AFSC, where they fed telephone metadata directly into the NSA's RT-RG system. Because cooperation between intelligence agencies is always based upon the principle of quid pro quo, these partners also got things in return, equal to their input.

For the members of the AFSC these returns included real-time data access, unique linguistic resources and joint counter insurgency operations - things that could have been crucial for the success of their operations or the safety of their troops, but which the Five Eyes did not make available to the (initially broader group of the) SIGINT Seniors Europe.

Epilogue

The latest document in which the Afghanistan SIGINT Coalition was mentioned is an NSA paper from April 2013. One month later there was an AFSC conference in Denmark at which would be discussed what to do after the ISAF mission would be disbanded in December 2014. It's not known whether there was any kind of continuation.

The Real-Time Regional Gateway proved to be so successful that already in 2012, NSA deployed the system at 11 locations around the world, including at its regional center in Texas to combat Mexican drug trafficking, as well as on board of the nuclear submarine USS Georgia, which collected mobile phone metadata around the Horn of Africa.

Update:

Since 2022, the NSA admits the existence of the AFSC/14-Eyes on its website, which says:

"One of the most successful sets of international partnerships for signals intelligence is the coalition that NSA developed to support U.S. and allied troops in Iraq and Afghanistan. The combined efforts of as many as 14 nations provided signals intelligence support that saved U.S. and allied lives by helping to identify and neutralize extremist threats across the breadth of both battlefields. The senior U.S. commander in Iraq credited signals intelligence with being a prime reason for the significant progress made by U.S. troops in the 2008 surge, directly enabling the removal of almost 4,000 insurgents from the battlefield."

Links
- Bug Brother: La NSA n’avait (donc) pas espionné la France (June 2019)
- The Intercept: Mission creep: How the NSA’s game-changing targeting system built for Iraq and Afghanistan ended up on the Mexican border (May 2019)
- Swissint.ch: Die Nachrichtendienste und ihre geheimen Klubs: Ein Einblick in die unbekannte Seite der Antiterrrorkooperation in Europa (Oct. 2018)
- The Intercept: The powerful global spy alliance you never knew existed (March 2018)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (Oct. 2015)

A document about the UKUSA partnership with unknown classification compartments

(Updated: September 13, 2019)

A highly sensitive document about the intelligence sharing relationship between the United States and the United Kingdom reveals the existence of three classification compartments that were previously unknown.

The assessment was declassified in September 2018 after a FOIA request by Privacy International and Yale Law School's Media Freedom & Information Access Clinic (MFIA). The document has no date, but must be from somewhere before the NSA's internal reorganization in the year 2000.

First page of the assessment of the UKUSA relationship
(click to enlarge)

Classification markings

The classification marking at the top of the document reads:

TOP SECRET VRK11 TK AG DC MC
N O F O R N

This rather long and complex marking consists of three separate parts. First there's the actual classification level:

- TOP SECRET
This is the highest level of classified information, which would cause "exceptionally grave damage" to US national security if it were disclosed unauthorized.

Then there are several Sensitive Compartmented Information (SCI) control systems and compartments which further restrict the access to particularly sensitive information:

- VRK11
VRK stands for Very Restricted Knowledge and was a sub-control system to limit access to uniquely sensitive COMINT activities and programs. It contained compartments or categories which had an identifier of one to three alpha numeric characters, so in this case the document contains information from VRK compartment 11.
Shortly before 2004, VRK was succeeded by a new system called Exceptionally Controlled Information (ECI).

- TK
TK stands for TALENT KEYHOLE, which is a combined control system for products of overhead collection systems, such as spy satellites and reconnaissance aircraft.

- AG
Unknown.

- DC
Unknown.

- MC
Unknown. (Update: On Twitter, Bill Robinson said that MC is the abbreviation for MERCURY, a series of satellites for COMINT, SIGINT and ELINT collection, which were operated from Menwith Hill in the UK)

Finally, there's a dissemination marking which adds additional restrictions:

- NOFORN
This stands for No Foreign Nationals and is applied to any information that may not be released to any non-US citizen.

The classification of the document is remarkable and interesting in various ways. Not only because it contains VRK11 and TK information - this applies to some other declassified documents - but because it has three additional markings (AG, MC and DC), which seem to show up here for the first time.

These markings clearly look like abbreviations of code words, but that's also a bit strange because in an overall classification line, code words should be written in full. And if we assume that these markings stand for additional control systems or compartments, it's remarkable to see three that were not known before.

> See also: The US Classification System

Benefits for the US

Although the term UKUSA is often used for the 5-Eyes partnership between the US, the UK, Canada, Australia and New Zealand, this documents uses the term in its original sense, being the relationship between the signals intelligence agencies of the United States (NSA) and the United Kingdom (GCHQ).

As this is a highly sensitive issue, the document is almost entirely redacted: 11 out of 14 pages are witheld in full, while of the remaining 3 pages also large portions have been redacted. The remaining portions are still interesting however, also because they confirm things we learned from the Snowden-revelations.

The text starts with saying that the UKUSA relationship is of "inestimable value to NSA and cannot be abandoned". But there are some weaknesses and understanding them would make NSA better able to "make some hard decisions about the future of the relationship." These weaknesses are of course redacted, but the main benefits for NSA are still readable:

- A "unique collection from GCHQ conventional sites, freeing US resources". This seems to be about data collection from undersee fiber-optic cables, which NSA also uses and therefore hasn't to invest in its own accesses to these kinds of data streams.

> More: INCENSER, or how NSA and GCHQ are tapping internet cables

- NSA can also use something from the UK "where the US has none", but what exactly this is, is redacted. However, another declassified document says: "The UK has sites at strategic locations for collection that otherwise would be unavailable to the US." Some GCHQ accesses even exist "solely to satisfy NSA tasking".

> More: The NSA's global interception network

- The "compatibility and interoperability of US & UK SIGINT systems" which makes it faster and easier to exchange content data, metadata and end products.

> More: Data sharing systems used within the Five Eyes partnership

- A "strong analytic workforce, with a capability for independent interpretation of events" which saves US resources by division of efforts.

- An "especially competent cryptanalytic workforce". Another declassified document adds: "GCHQ is NSA's only peer in the field of cryptomathematics and virtually all major advances within the field of cryptography have occurred as a result of our mutual sharing."

- The "pooling of resources on key technical projects during austere fiscal periods" - again financial reasons, showing how much NSA is apparently bothered with money issues despite their annual budget of over 10 billion US dollar in 2013.

- And finally, as the perhaps most important benefit the document says that the UK has "a record of supporting the US as an ally in confronting world problems".

According to another unredacted part of the document, NSA worried about the large numbers of integrees that NSA and GHCQ exchanged, who took on more and more tasks and responsibilities. GCHQ for example wished to place an integree in G2/SA (a unit in the former NSA division responsible for non-communist countries), but this was rejected "as it would give GCHQ insight into certain sensitive operations we do not share."

Another unredacted part makes clear that the Americans were also concerned about the increasing number of electronic communications interfaces between NSA and GCHQ, which had been established "based on a myriad of decisions at various levels within NSA". The question was asked: "Should there be a common NSA position on the number and kind of electronic interfaces between NSA and GCHQ? Should the number be driven by NSA design or by GCHQ needs?"

The UKUSA partnership

The same FOIA request by Privacy International and MFIA also resulted in the declassification of a larger batch of documents related to the US-UK relationship, including ones that date back to the early 1950s and recall the origins of this unique intelligence partnership.

It began with the UKUSA Agreement, which was signed on March 5, 1946 by Col. Patrick Marr-Johnson, British Army General Staff, for and in behalf of the London Signal Intelligence Board (LSIB), and by Lt. Gen. Hoyt S. Vandenberg, GSC, Senior Member, for and in behalf of the State-Army-Navy Communications Board (STANCIB).

Canada had hoped to be a third signatory of the UKUSA Agreement but that didn't happen. Eventually a separate CANUSA agreement between Canada and the United States was "presumably signed in 1949" after the British LSIB saw no objection.*

After a first tripartite conference was held with the Australian Defence Signals Branch (DSB) in September 1953, Appendix J (about the "collaboration with commonwealth countries other than the U.K.") and Annexure J1 of the UKUSA Agreement were revised and these were signed by New Zealand in January 1956 and by Australia in May 1956.

The relationship between these five partner agencies continued to be governed by the original UKUSA agreement from 1946, supplemented by a range of appendices and an array of Memoranda of Understanding (MoU) and Divisions of Effort (DoE). However, NSA was apparently not able to locate, let alone produce, most of these additional documents.

The various kinds of data and intelligence that NSA and GCHQ exchange under the UKUSA partnership are listed in yet another declassified document:

Exchange of intelligence between NSA and GCHQ
(click to enlarge)

In November 1993, the NSA's Deputy Director of Operations (DDO) initiated a review of the UKUSA Exchange Agreement "to include a list of what is not currently exchanged with the British, what we should not exchange in the future, and new things that should be exchanged in the future".

Finally, a document from the Snowden trove says that in the same year, the original bilateral relationships between the US and the individual Second Party countries were turned into a "group (5-EYES) partnership" which in 1998 got a coordinating body called the Joint Executive for SIGINT Operability (JESI).

> See also: NSA's Foreign Partnerships

Links
- Lawfare: Newly Disclosed NSA Documents Shed Further Light on Five Eyes Alliance (March 2019)
- Privacy International: Privacy International v. NSA et al. (US 5EY FOIA)
- NSA FOIA: UKUSA Agreement Release

The NSA's regional Cryptologic Centers

(Updated: March 27, 2026)

For many years, the US National Security Agency (NSA) was identified with its almost iconic dark-glass cube-shaped headquarters building at Fort Meade in Maryland.

Only when Edward Snowden stepped forward in 2013, the public learned that there's also a large NSA facility in Hawaii - which is actually one of four regional centers spread across the United States.

- History of the NSA's Cryptologic Centers

- Cryptologic Centers inside the US: Hawaii - Georgia - Texas - Colorado

- Cryptologic Centers outside the US: Europe - Afghanistan

Update: two other NSA offices are located in Alaska and Utah

History of the NSA's Cryptologic Centers

The history of the NSA's regional operation centers is described in the 60th Anniversary Book of the agency from 2012:

"In the 1970s and 1980s, NSA leadership grew concerned over the centralization of functions at Fort Meade. Partially prompted by the need to find adequate space for its personnel and equipment, the Agency began to look at moving some assets away from the Fort Meade area.

In this light, in 1980 a Remote Operating Facility (ROF) at Kunia was established on the Hawaiian island of Oahu. Although living costs were high there, Kunia had the advantage of proximity to the Commander in Chief, Pacific (CINCPAC).

In the late 1980s, the cryptologic leadership began developing the Regional Security Operations Center (RSOC) concept. Proven computer and communications technology allowed NSA to delegate SIGINT authority to these regional centers, thus avoiding an overconcentration in the Washington area.

Under the RSOC doctrine, each center would be "hosted" by one of the military services so that all services could be represented.

In 1995 the centers opened and NSA began to transfer missions to them. The Kunia facility was given a new status as an RSOC.

Over the next decade, the RSOCs evolved from limited operations centers into mini "regional NSAs" in Georgia, Texas, Hawaii and Colorado with the following mission benefits:

• Consolidation of cryptologic operations
• Dispersion of facilities from the Washington, D.C. area
• Capability of serving as alternate communications centers
• Representation of all military services.

The concept of "regional NSAs" was reinforced when NSA suffered a massive computer outage early in 2000, and the RSOCs, as components that could operate independently, picked up the essential missions until NSA was back in full operation. Today all four centers, now known as Cryptologic Centers, are operational, expanding, and provide redundancy in the event of an emergency."

Challenge coin showing the locations of the four regional
Cryptologic Centers as well as the NSA facility in Alaska
Not shown on the coin is the agency's facility in Utah
(year unknown - click to enlarge)

Cryptologic Centers inside the US

Officially acknowledged and listed on the NSA's official website are the four Cryptologic Centers which are located inside the United States. Especially those in Hawaii, Texas and Georgia are fairly large facilities with a few thousand employees each and consisting of both operations and data centers.

The Cryptologic Centers in Hawaii, Texas and Georgia each cover a geographically defined part of the earth, while the Cryptologic Center in Colorado is responsible for air and space based collection systems.

NSA/CSS Hawaii (NSA-H)

- Established in 1980 as a Remote Operating Facility (ROF), which was turned into the Kunia Regional Security Operations Center (KRSOC) in 1995 and became a Cryptologic Center in 2005 (or 2011).

- Initially located in the Kunia Tunnel complex in Honolulu, Hawaii. Currently located in the Joseph J. Rochefort building, a $ 358 million and 250,000 square-foot complex near Wahiawa in Honolulu that was opened in January 2012.

- NSA/CSS Hawaii collaborates "with other agencies, private industry, and foreign governments across the Indo-Pacific region to deliver critical cybersecurity and signals intelligence and directly influence and execute US national policy. NSA-H combines geographic and functional expertise to accomplish this mission, while also investing in the long-term development of cyber threat knowledge."

- Hosted by the US Navy.

- Number of employees: 3054 (345 civilians, 2582 military, 127 others) in 2008; 4018 (557 civilians, 3240 military, 180 others) in 2012.

- Area of responsibility: the Pacific Rim and Far East, Southeast and Southwest Asia.

- Supports the Indo-Pacific Command of the US Armed Forces.

- Cloud system: -

- SIGAD: USJ-750

- See also: Wikipedia - Cryptome - Cryptome - CBS News

The Joseph J. Rochefort Building of NSA/CSS Hawaii in Honolulu, Hawaii (2019)
(still from CBS News - click to enlarge)

NSA/CSS Georgia (NSA-G)

- Established in 1995 as the Fort Gordon Regional Security Operations Center (GRSOC) and turned into a Cryptologic Center in 2005.

- Located at Fort Gordon (since 2022: Fort Eisenhower) in Augusta, Georgia, currently in the John Whitelaw building (codenamed Sweet Tea), a $ 286 million and 604,000 square foot complex that was opened in March 2012.

- NSA/CSS Georgia conducts "time-sensitive operations for tactical, operational, and national-level indications and warning requirements which support global and regional security objectives. NSA-G also employs capabilities and expertise required to harden and defend national security systems. It specializes in working closely with military customers to understand their operations, their requirements, and their culture to ensure that signals intelligence is tailored and responsive to the needs of the warfighter."

- NSA-G also includes the alternate National Security Operations Center (NSOC, project DECKPIN) which serves as a back-up for the NSOC at NSA headquarters.

- Hosted by the US Army.

- Number of employees: 2930 (410 civilians, 2173 military, 347 others) in 2009; 4319 (732 civilians, 2997 military, 590 others) in 2012.

- Area of responsibility: Europe, North Africa, the Middle East, the Near East and the Persian Gulf.

- Supports the European Command and the Central Command of the US Armed Forces

- Cloud system: -

- SIGADs: USN-18 and USJ-800

- See also: Wikipedia - Cryptome - SIDtoday - NSA OIG

The John Whitelaw Building of NSA/CSS Georgia at Fort Gordon (2012)
(photo: NSA - click to enlarge)

NSA/CSS Texas (NSA-T)

- Established in 1995 as the Medina Regional Security Operations Center (MRSOC) and turned into a Cryptologic Center in 2007.

- Initially located on the Medina Annex of Lackland Air Force Base near San Antonio, Texas. In 2005, the NSA acquired a former Sony chip fabrication plant in the Northwest Side of San Antonio for $ 30.5 million and invested as much as $ 300 million to transform the 470,000 square feet complex into the current Texas Cryptologic Center (TCC, codenamed BACONRIDGE). This facility consists of a workspace building and a datacenter with 3 rooms belonging to NSA/CSS Texas and 3 rooms belonging to corporate NSA.

- NSA/CSS Texas conducts "foreign signals intelligence activities to inform policymakers and defeat adversaries, performs cybersecurity operations to prevent and eradicate threats to National Security Systems, and develops new and innovative capabilities to support both missions. NSA-T oversees the Texas Security Operations Center (TSOC) and other NSA 24/7 functions, and thereby serves as a nerve center for NSA management of global, time-sensitive activities, including the ever-present duty of information assurance."

- Hosted by the US Air Force.

- Number of employees: 2136 (302 civilians, 1689 military, 145 others) in 2008; 3405 (839 civilians, 2318 military, 248 others) in 2012. In 2022 probably some 3000 employees were part of the Cybersecurity Directorate (CSD).

- Area of responsibility: Middle and South America, the Caribbean and the Atlantic littoral of Africa.

- Supports the Southern Command and the Central Command of the US Armed Forces.

- Cloud system: gmALAMO (2012)

- SIGADs: USN-26 and USJ-783

- See also: Wikipedia - Cryptome - Cryptome

NSA's Cryptologic Center in San Antonio, Texas (2013)
(photo: William Luther - click to enlarge)

NSA/CSS Colorado (NSA-C)

- Established in 2003 as the Denver Security Operations Center (DSOC) and turned into the Colorado Cryptologic Center (CCC) in 2005.

- Initially located in temporary buildings at the Aerospace Data Facility (ADF-C) at Buckley Air Force Base in Aurora, near Denver, Colorado. In 2012, a new $ 141 million building was planned to provide space for 850 NSA employees .

- In November 2023, NSA started building a Joint Cryptologic Center (JCC) at NSA Colorado, which will house office space for the NSA-C Service Cryptologic Elements and the new Rocky Mountain Learning Center.

- NSA/CSS Colorado works "alongside the National Reconnaissance Office (NRO) and the National Geospatial-Intelligence Agency-Denver to produce integrated intelligence to defense, intelligence, and civil agencies supporting the US government and its allies. NSA-C is the overhead Technical Signals Intelligence (TechSIGINT) collection and processing enterprise center, the global overhead SIGINT mission management hub, a cryptologic discovery leader, and the Electronic Intelligence (ELINT) analysis and tradecraft development focal point for the NSA/CSS enterprise."

- Co-located with the joint NSA-NRO Overhead Collection Management Center (OCMC) which manages spy planes and spy satellites.

- Number of employees: 1324 (237 civilians, 938 military, 115 others) in 2008.

- Cloud system: gmDEN (2012)

- SIGAD: USJ-751

- See also: Wikipedia - SIDtoday - SIDtoday

The Aerospace Data Facility at Buckley Air Force Base in Aurora, Colorado
(image: Google Earth - click to enlarge)

Additional functions of the Cryptologic Centers

Shore support

According to a document from the Snowden cache, the Cryptologic Centers in Hawaii, Texas and Georgia also have a Fleet Information Operation Centre (FIOC), each of which include a Maritime Cryptologic Integration Centre (MCIC).

These MCICs are responsible for so-called cryptologic shore support: providing technical SIGINT information to cryptologic teams embarked in mobile sea, air and land units. A fourth MCIC is based at RAF Digby in Lincolnshire in the United Kingdom.


Cyber defense

The Cryptologic Centers not only process and analyze collected data, but also include a regional NSA/CSS Threat Operations Center (NTOC). These combine the NSA's Signals Intelligence (SIGINT) and Information Assurance (IA) missions in order to detect cyber threats against vital computer networks of the US Defense Department.

It was at the NTOC of the Cryptologic Center in Hawaii that Snowden had his last and only analytical job as an infrastructure analyst tracking Chinese hackers.


Hacking operations

As described in several editions of the internal newsletter SIDtoday, the NSA's hacking division TAO started to conduct Computer Network Exploitation (CNE) operations also from the cryptologic centers, first in 2004 in Hawaii, followed in 2006 by Texas and Georgia. In 2008, NSA/CSS Texas had some 60 TAO operators, a number that was planned to rise to 270 in 2015.

The TAO hacking unit at the NSA/CSS Texas Cryptologic Center
(source: NSA Texas presentation - click to enlarge)

Other NSA offices inside the US

Besides the four Cryptologic Centers, the NSA has two additional offices in the United States: one in the state of Alaska and one in the state of Utah.

NSA Alaska (NSA-A)

- Established in 2020 as successor of the Alaska Mission Operations Center (AMOC).

- Located on the Joint Base Elmendorf and Richardson (JBER) outside of Anchorage, Alaska.

- NSA Alaska provides "time-critical combat intelligence to U.S. theater battle commanders, unified and specified commands, national and Department of Defense leadership, as well as operating and sustaining sensitive communications and computer systems in support of national intelligence missions." NSA-A also has a 24/7 watch floor, the Alaska Security Operations Center (ASOC).

- Area of responsibility: ?

- Number of employees: ?

- Cloud systems: ?

- SIGAD: ?

NSA Alaska with the former Elephant Cage antenna (1996-2016)
(photo: US Air Force - click to enlarge)

NSA Utah (NSA-U)

- It's likely that NSA-U is the successor of the Utah Regional Operations Center (UROC / F7U / USJ-755) which was already active in 2010. NSA-U apparently also incorporated the mission of the Utah Regional Language Center (URLC), which the NSA had opened at a Utah National Guard facility in Draper in 2006.

- NSA Utah is most likely also related to the Utah Data Center (UDC) near Bluffdale, which was completed in May 2014 at a cost of $ 1.5 billion.

- In 2022, the joint Inspectors General conducted an inspection of NSA Utah and identified several areas for improvement.

- Number of employees: at least 200 military and civilians.

- Cloud systems: gmCAVE, gmPEACH (2012)

- SIGAD: ?

The 1.5 million square feet Utah Data Center near Bluffdale, Utah
(photo: AP/Rick Bowmer - click to enlarge)

Cryptologic Centers outside the US

Not officially acknowledged are the Cryptologic Centers which are located outside the United States. From the Snowden revelations we know the existance of the following two centers, which are much smaller than those inside the US and also process and disseminate data and information from the NSA's Second and Third Party partners.

European Cryptologic Center (ECC)

- Established in April 2004 as the European Security Center (ESC) and turned into the European Security Operations Center (ESOC) in July 2006. In May 2011 it became a Cryptologic Center and got its own NTOC.

- Initially located at the Dagger Complex of the US Army outside Griesheim, near Darmstadt in Germany. In 2016, the ECC moved to the newly built $ 91 million Consolidated Intelligence Center (CIC) at the Lucius D. Clay Barracks near Wiesbaden in Germany, where there's also a new $ 30.4 million Information Processing Center (IPC).

- Hosted by the US Army Intelligence and Security Command (INSCOM).

- Number of employees: some 240 military and civilians (in 2011).

- In 2006, the ECC's national mission focused on select Counterterrorism targets, select Sub-Saharan Africa and Middle East and North African (MENA) targets, SIGINT Development and Geospatial Analysis missions. Its theater missions included Force Protection, Global War on Terrorism support, Pan Sahel, and targets in West Africa.

- Supports the European Command and the Africa Command of the US Armed Forces.

- SIGADs: USM-44 (ESC) and USJ-753 (ESOC)

- See also: Die Spurensuche - Wikipedia - Electrospaces.net

The former European Cryptologic Center (ECC) near Griesheim in Germany (2014)
(Photo: AP - click to enlarge)

The Consolidated Intelligence Center (CIC) under construction
at the Lucius D. Clay Barracks near Wiesbaden
(Image: Google Earth - click to enlarge)

The Consolidated Intelligence Center (CIC) in March 2025
(Image: Google Earth - click to enlarge)

Afghanistan Regional Operations Cryptologic Center (A-ROCC)

- Established in October 2009 and fully operational in the Winter of 2010. The center was closed somewhere before July 1, 2021, when the US left Bagram Airfield.

- The A-ROCC was located in 17,000 square-foot office spaces at Area 82 of Bagram Airfield north of Kabul in Afghanistan.

- Number of employees: over 250, 120 of whom were linguists (in 2009), including personnel from all countries participating in the Afghanistan SIGINT Coalition (AFSC).

- Supported US and Coalition forces throughout Afghanistan.

- See also: SIDtoday - The Intercept

The buildings of the A-ROCC at Area 82 of Bagram Airfield near Kabul (2010)
(source: GCHQ presentation - click to enlarge)

In crisis regions there may be other, smaller Regional Operations Cryptologic Centers (ROCCs) as before the large A-ROCC was established, there was a ROCC in place since 2005 which mainly supported the Regional Command-East of ISAF.

Another Cryptologic Center outside the US may have evolved from the Misawa Security Operations Center, which is located on Misawa Air Base in Misawa, Japan. There it could serve as a signals intelligence hub for the NSA's partners in the Pacific Rim region, similar to the European Cryptologic Center for its European partners.