October 12, 2013

From BULLRUN to NOCON and LACONIC


On September 5, The Guardian, The New York Times and ProPublica jointly revealed that NSA has a top secret program to break encryption systems used on the internet. This is done, for example, by inserting vulnerabilities into commercial encryption and IT systems. The program is codenamed BULLRUN, which, according to NSA documents, is not a regular sensitive information compartment but a "secure COI".

COI or CoI stands for Community of Interest, a more common computer security feature by which network assets and/or users are segregated by technological means. This is done through a logical or physical grouping of network devices or users with access to information that should not be available to the general user population of the network. According to the 2011 Classification Manual (pdf), information residing on secure COIs may not be taken out of the COI or moved to other databases without appropriate approval.


[Image legend: ECI = Exceptionally Controlled Information; PTD = Penetrating Target Defences; IIB = Initial Infrastructure Build ?]


According to a GCHQ briefing sheet about BULLRUN, there are at least two other COIs: ENDUE and NOCON, both for sensitive materials. These Community of Interest codenames were revealed here for the first time. For classification purposes they are treated as dissemination markings: they appear at the very end of a classification line, separated from other markings (like NOFORN and ORCON) by a single forward slash. For example: TOP SECRET//SI//NOFORN/BULLRUN


Surprise

As the COI codenames BULLRUN, ENDUE and NOCON are used within a Top Secret environment for highly sensitive NSA operations, it was quite a surprise to find the NOCON marking on another document too: an appendix (pdf) of a very secret NSA document. This appendix is about Public Key crypto systems and has no date, but seems to be from the 1980s. It was declassified by the NSA in March 2007 upon request of the Cryptome website:




The document was marked TOP SECRET UMBRA LACONIC NOCON. This old style classification marking (without slashes between the categories and terms) means that the document has the overall classification level TOP SECRET and was protected by putting it in the UMBRA compartment, which was designated for the most sensitive communications intercept material. The LACONIC and NOCON markings will be explained below.
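To make the two banner layouts concrete, here is an added example (not from the original post or any of the documents it cites) that parses both styles described above: the modern slash-delimited form from the GCHQ briefing sheet and the old space-separated form on the declassified appendix. It assumes the three-section level//SCI//dissemination layout of the example line, treats only the markings named in this post as known, and reports whether a banner excludes contractors.

```python
from dataclasses import dataclass, field

# Markings named in the post (assumed here to be the whole universe for this example).
LEVELS = ("TOP SECRET", "SECRET", "CONFIDENTIAL", "UNCLASSIFIED")
COI_LABELS = {"BULLRUN", "ENDUE", "NOCON"}          # secure COIs, appended after a single "/"
NO_CONTRACTOR = {"NOCON", "NOCONTRACT"}            # contractors and consultants denied access
OLD_HANDLING = {"LACONIC", "NOCONTRACT", "NOCON"}  # old-style handling control markings

@dataclass
class Banner:
    level: str
    compartments: list = field(default_factory=list)   # e.g. SI, or old-style UMBRA
    dissemination: list = field(default_factory=list)  # e.g. NOFORN, ORCON, LACONIC
    coi: list = field(default_factory=list)            # e.g. BULLRUN
    old_style: bool = False

    def contractors_allowed(self) -> bool:
        """False when NOCON/NOCONTRACT appears anywhere in the banner."""
        return not (NO_CONTRACTOR & set(self.dissemination + self.coi))

def _split_level(text: str):
    """Peel the overall classification level off the front of a banner."""
    for lvl in LEVELS:  # "TOP SECRET" is tried before "SECRET" on purpose
        if text == lvl or text.startswith(lvl + " "):
            return lvl, text[len(lvl):].strip()
    raise ValueError(f"unknown classification level in {text!r}")

def parse_banner(line: str) -> Banner:
    line = " ".join(line.split()).upper()
    if "//" in line:                       # modern style: LEVEL//SCI//DISSEM/COI
        parts = line.split("//")
        level, rest = _split_level(parts[0])
        if rest:
            raise ValueError(f"unexpected text after level: {rest!r}")
        banner = Banner(level=level)
        if len(parts) > 1:
            banner.compartments = [p for p in parts[1].split("/") if p]
        if len(parts) > 2:
            for mark in filter(None, parts[2].split("/")):
                # COI labels sit at the very end, after the other dissemination markings
                (banner.coi if mark in COI_LABELS else banner.dissemination).append(mark)
        return banner
    # old style: TOP SECRET UMBRA LACONIC NOCON, space separated, no slashes
    level, rest = _split_level(line)
    banner = Banner(level=level, old_style=True)
    for term in rest.split():
        (banner.dissemination if term in OLD_HANDLING else banner.compartments).append(term)
    return banner
```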


LACONIC

The function of LACONIC is clarified in the NSA's internal Cryptolog (pdf) magazine, 2nd issue from 1988, which says that LACONIC is not a clearance or a classification, but a handling control marking. It's described as a restrictive distribution indicator for certain techniques - what kind of techniques is blacked out. Access to documents marked with LACONIC does not require a special clearance, but the reader must have a need to know certain details about those undisclosed things.


An indication about what kind of techniques are blacked out can be found in the Cryptolog (pdf) issue of January/February 1986. There it's said that "LACONIC access" is required for attending the CRYSCO-86 conference about computer technology and cryptanalysis, so it seems likely that LACONIC is about sensitive computer codebreaking techniques.

This comes close to the BULLRUN program and therefore it's not unthinkable that LACONIC was one of its forerunners, although according to the New York Times, the direct predecessor of BULLRUN was a program codenamed MANASSAS.

The LACONIC marking was retired as of October 2006 and apparently replaced by a new compartment within the control system for Exceptionally Controlled Information (ECI).


NOCONTRACT

In addition to restricting access to people with a need-to-know, the 1988 Cryptolog explanation says that LACONIC was also designed to deny access to contractors and consultants. Therefore, LACONIC always had to be accompanied by the NOCONTRACT marking. Apparently this marking could also be shortened to NOCON, as can be seen in the aforementioned document about public key crypto systems.

The Director of Central Intelligence Directive (DCID) 1/7 from April 12, 1995 ruled that as from that date, the NOCONTRACT marking should not be used anymore. This was because it had "clearly outlived [its] usefulness". Officials could now release intelligence bearing the NOCONTRACT marking to appropriately cleared and access-approved contractors. It's no surprise that this came at a time when US intelligence agencies started their large-scale outsourcing to private contractors.

However, it seems strange that Directive 1/7 eliminated the NOCONTRACT marking in 1995, but at the same time we still see NOCON as a COI in recent BULLRUN documents. A possible explanation could be that NSA still wanted to keep some sensitive materials out of the hands of contractors, and therefore continued to use the NOCON marking internally.

This could also explain the fact that NOCON, like the BULLRUN and ENDUE COI markings, is not listed in the extensive classification marking manuals for the intelligence community. The 2010 BULLRUN Classification Guide confirms that "the BULLRUN data label (for use in databases) and marking (for use in hard- or soft copy documents) are for NSA/CSS internal use only".


Conclusion

At least since the 1980s, NSA used the LACONIC marking to protect sensitive information, which was probably related to computer codebreaking techniques. Whether LACONIC was for internal NSA use only is not entirely clear, but as LACONIC material was not meant for contractors and consultants, it had to be accompanied by the NOCONTRACT marking which was used throughout the intelligence community.

After the general use of NOCONTRACT or NOCON was prohibited in 1995, NSA seems to have continued it as an internal marking. The probably more recent markings ENDUE and BULLRUN are similar: all are used for highly sensitive information that is protected by putting it in separated and secured parts (COIs) of NSA's internal computer networks.



5 comments:

Dirk Rijmenants said...

It seems to go more and more in the direction of total non-privacy. Will this end in everyone going back to the 70's era of symmetric keys, one-time pad encryption and secure devices? One thing is certain: virtually every computer is fair game, and today's tablets and smart phones are just as bad.

It's time that someone throws secure dedicated stand-alone devices on the market that use the insecure computer only as a transportation means for its securely encrypted data. In fact, it's not that hard to develop such dedicated devices.

Unfortunately, privacy seems to be the least of people's worries.

Dirk Rijmenants said...

Oh, and maybe I should start a firm in suitcases and hand cuffs. Since we can no longer rely on public key encryption on PC's, there should be a fortune to earn with couriers and suitcases ;-)

P/K said...

Yes, I think people should be made more aware of digital security; it should be taught at schools, and would be great for practicing in math classes. For the sake of convenience we probably rely too much on less secure systems, but I guess that it will always be some kind of balance between the costs, the convenience and the security.

But it should also be noted that intelligence agencies like NSA are not interested in the (content of) communications by ordinary people. They are targeting people and organizations which endanger national interests.

Ordinary people have more to fear from organized crime, hacking bank accounts and identity theft.

Anonymous said...

P/K: with respect, your position is deeply naive.

The problem is that there is no such thing as an "ordinary person". It's a nonsense proposition to anyone who would pause to think of it.

There are many problems with bulk data collection, but the worst is scope creep.

Maybe now they're only targeting terrorists (the evidence from Brazil suggests that isn't true, but let's pretend). But they've collected a huge amount of data. How about they start to target other things, like tax fraud?

And remember that, according to one analysis, the average US citizen commits three felonies every day without knowing it.

Scope creep is a serious issue. In Australia, where I live, telecommunications interception was originally limited to serious crimes, those being ones which carried a seven year or greater sentence (i.e. murder, kidnap). As of 2012, telecommunications interception is now being used to identify and prosecute rubbish dumpers. So the scope has crept from serious criminal misbehavior to people who might leave a pile of rubbish on an empty lot.

There's scope creep in action.

We already have evidence of major scope creep (the targeting of Brazil's Petrobras - hardly likely to be on the basis of terrorism). We also know that the NSA also targets drug trafficking, which is not terrorism, and DEA agents are encouraged to recreate the evidence to cover the surveillance activity.

So if you think scope creep isn't happening, open your eyes. There's evidence it already is.

P/K said...

Thank you for your comment. I agree that scope creep, as you described it, is dangerous. But that's not the fault of agencies like NSA, but rather of policymakers and politicians. Lawmakers and courts should set the boundaries here. Unfortunately, politicians nowadays are very willing to promise more and more safety and security and hence lower the criteria for electronic surveillance etc.

I think eavesdropping and other kinds of electronic surveillance are not bad in se; they can be useful, sometimes even the only means to get rid of dangerous enemies and really bad criminals. But these means should be limited, controlled and proportionate.

The idea that NSA should only target terrorists has been framed by Snowden and Greenwald. Intelligence agencies (directed by policy makers) have always been interested in a wide range of information about foreign countries, including economic issues, as things like energy resources, trade barriers, etc are often of national interest. Tracking terrorists is a relatively new issue and it's the question whether this should use up so much of the American intelligence resources.
