July 8, 2014

NSA still uses the UMBRA compartment for highly sensitive intercepts

(Updated: July 17, 2014)

Three days ago, on July 5, 2014, The Washington Post published some of the most important stories from the Snowden-leaks so far. It revealed that Snowden did had access to the content of data collected under FISA and FAA authority - a fact that had been kept secret until now. I'll come back on that main story later.

Here we will take a look at a remarkable detail from two slides that were also disclosed in the Post's article. The classification marking of these slides contains the codeword UMBRA, which was generally considered to be abolished in 1999, but now seems to be still in use. After going through several options, my conclusion is that UMBRA is most likely the codename of a so-called unpublished SCI control system.





"Target Package" prepared by the National Security Agency
prior to the capture of Abu Hamza in January 2011
(click to enlarge)


These slides are from a 2011 powerpoint presentation which details the plan to capture al-Qaeda facilitator Muhammad Tahir Shahzad and which pinpoints his location and his activities based upon intercepts from his various e-mail accounts. He was captured in Abbottabad the day after this presentation was finalized.


In the 2012 NRO Review and Redaction Guide (pdf) the existance of the UMBRA codeword is approved for public release, just like its paragraph portion marking TSC (for Top Secret Codeword). But as this manual also lists many revoked codewords, it is not conclusive about wether UMBRA is still used. One thing that is interesting though, is that the TSC portion marking would fit some of the redacted spaces in the newly disclosed slide:


Some possible options for the portion markings



Top Secret Codeword

UMBRA was one of three codewords that were used to protect sensitive intercepts of Communication Intelligence (COMINT). These codewords represented three levels of sensitivity:
- UMBRA for the most sensitive material (Category III)
- SPOKE for less sensitive material (Category II)
- MORAY for the least sensitive material (Category I)

These kind of codewords were used since the end of the 1950s World War II and together they were commonly called "Top Secret Codeword" (TSC), which was often seen as a level "above Top Secret", although it was actually more like a "vertical" division of the Top Secret-level. The codewords UMBRA, SPOKE and MORAY can be seen on many highly secret documents, a number of which have been declassified, like for example this statement from 1980 for a court case about NSA's information about UFOs:


(click for the full document as pdf-file)


According to instructions like these, the use of the codewords UMBRA, SPOKE and MORAY was terminated as of May 1999. From then on, the kind of information they were used for, had now to be protected by the general COMINT control system, or by specific compartments thereof for more sensitive information.
Update:
Since World War II, the NSA and her predecessors used codewords for protecting highly sensitive COMINT information and they were generally replaced by a new one every one or more years. The Top Secret codeword TRINE was compromised when the North Koreans captured the NSA spy ship USS Pueblo in 1968. TRINE was then replaced by UMBRA.


SPOKE

Very interesting is that not only UMBRA, but also the codeword SPOKE seems to be still in use. One document from the Snowden-leaks, which was published by Der Spiegel on December 20, 2013, is marked SECRET STRAP1 SPOKE. STRAP is the codeword that GCHQ uses to protect sensitive information, with STRAP1 denoting the least sensitive category:


Given the rather old-fashioned logo-type of the letters SD, it's not quite clear whether the document, or at least the header might predate 1999, although the content is clearly from more recent years. Der Spiegel said that it's an "analysis of the communication paths between Belgium and Africa prepared in January 2009".


Possible options

NSA using codewords that were generally considered abolished, reminds of a similar case in which the NOCON marking appeared in a document from the Snowden-trove. The general use of that marking was terminated in 1995, but NSA kept using it as an internal marking. As such it isn't listed in the official Classification Manuals, which are declassified regularly.

Now it seems that the same could have happened to the codewords UMBRA, SPOKE and maybe also to MORAY, but there's a difference: NOCON is a dissemination marking, a category which is less strictly controlled than a compartment, like UMBRA.

As the classification line of the newly disclosed slides seems not fully correct (there has to be a single, instead of a double slash between ORCON and REL USA, FVEY), which makes that there are a few options for what UMBRA could actually represent.



One option is that the double slash between COMINT and UMBRA is correct. In that case UMBRA wouldn't be a Sensitive Compartmented Information (SCI) label for intelligence information - which it actually looks like most - but a codeword from another category, like for example a Special Access Program (SAP) or Foreign Government Information (FGI) (Marc Ambinder favors this option).

Another option is that there should have been just a single slash between both terms. That would mean UMBRA is a normal SCI control system, in this case one that is apparently kept secret, as it was never mentioned anywhere since 1999.

The latter option seems very well possible, because the most recent Intelligence Community Classification Manual (pdf) acknowledges the existance of "registered but unpublished SCI control systems" which "must remain unpublished due to sensitivity and restrictive access controls".

It seems less likely that UMBRA is the undisclosed compartment of the COMINT (SI) control system, which is listed in the most recent Intelligence Community Classification Manuals, because in that case the marking would have read TOP SECRET//COMINT-UMBRA//etc.

Questions

Given this sensitivity, one wonders why in the orange classification bars of the slides UMBRA hasn't been blacked out. The overall classification line in the first slide and also most of the portion markings were fully redacted, although the latter can hardly contain something that is more sensitive than the UMBRA abbreviation.

Another question is whether Edward Snowden had authorized access to the UMBRA compartment, or that he was able to just grab these slides otherwise. The Washington Post suggests that he did had access to the Exceptionally Controlled Information (ECI) compartment RAGTIME, which is similar to UMBRA, but for content collected under FISA authority (UMBRA is probably for content collected under EO 12333).


Conclusion

For those who are somehow familiar with the US classification system, it must be quite surprising to see a codeword that has been considered dead for 15 years popping up from the Snowden-leaks. The most likely explanation is that after UMBRA (and SPOKE too) was publicly abolished in 1999, NSA kept using it in secret as a compartment for very sensitive communication intercepts, but now as an unpublished SCI control system - letting outsiders think that UMBRA was something from the past!



Links and Sources
- Lux ex Umbra: UMBRA history
- TheWeek.com: The return of an intelligence code word with a storied history
- A work of art from the series "Secret Codewords of the NSA": UMBRA
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.

3 comments:

Anonymous said...

Could these docs be forgeries? The KGB playbook was big on planting forged "secret" US documents, and then "discovering" them with great fanfare. History repeats itself.
Thoughts?

P/K said...

Yes in theory they could be forgeries, but I think only KGB or a Chinese agency would be able to do this. But with the huge number of documents, many of wich are very detailed, and most of them look genuine, it would take so much time and effort to forge them, that it would have been easier for say KGB to "assist" Snowden stealing the real stuff, than to counterfeit this all by themselves. By which I don't want to say that Snowden was a puppet of the Russians or the Chinese, there are many conspiracy theories about that too.

public key infrastructure said...

It is really amazing! So many new things that I even didn't hear about them. Difficult to follow for a not professional, a private individual. The world goes on progressing by innovating and inventing.