July 8, 2014

NSA still uses the UMBRA compartment for highly sensitive intercepts

(Updated: December 7, 2014)

Three days ago, on July 5, 2014, The Washington Post published some of the most important stories from the Snowden-leaks so far. It revealed that Snowden did had access to the content of data collected under FISA and FAA authority - a fact that had been kept secret until now. I'll come back on that main story later.

Here we will take a look at a remarkable detail from two slides that were also disclosed in the Post's article. The classification marking of these slides contains the codeword UMBRA, which was generally considered to be abolished in 1999, but now seems to be still in use. After going through several options, my conclusion is that UMBRA is most likely the codename of a so-called unpublished SCI control system.





"Target Package" prepared by the National Security Agency
prior to the capture of Abu Hamza in January 2011
(click to enlarge)


These slides are from a 2011 powerpoint presentation which details the plan to capture al-Qaeda facilitator Muhammad Tahir Shahzad and which pinpoints his location and his activities based upon intercepts from his various e-mail accounts. He was captured in Abbottabad the day after this presentation was finalized.


In the 2012 NRO Review and Redaction Guide (pdf) the existance of the UMBRA codeword is approved for public release, just like its paragraph portion marking TSC (for Top Secret Codeword). But as this manual also lists many revoked codewords, it is not conclusive about wether UMBRA is still used. One thing that is interesting though, is that the TSC portion marking would fit some of the redacted spaces in the newly disclosed slide:


Some possible options for the portion markings



Top Secret Codeword

UMBRA was one of three codewords that were used to protect sensitive intercepts of Communication Intelligence (COMINT). These codewords represented three levels of sensitivity:
- UMBRA for the most sensitive material (Category III)
- SPOKE for less sensitive material (Category II)
- MORAY for the least sensitive material (Category I)

These kind of codewords were used since the end of the 1950s World War II and together they were commonly called "Top Secret Codeword" (TSC), which was often seen as a level "above Top Secret", although it was actually more like a "vertical" division of the Top Secret-level. The codewords UMBRA, SPOKE and MORAY can be seen on many highly secret documents, a number of which have been declassified, like for example this statement from 1980 for a court case about NSA's information about UFOs:


(click for the full document as pdf-file)


According to instructions like these, the codewords UMBRA, SPOKE and MORAY, as well as the COMINT categories I, II and III were terminated as of October 1999. From then on, the kind of information they were used for, had now to be protected by the general COMINT control system, or by specific compartments thereof for more sensitive information.
Update:
Since World War II, the NSA and her predecessors used codewords for protecting highly sensitive COMINT information and they were generally replaced by a new one every one or more years. The Top Secret codeword TRINE was compromised when the North Koreans captured the NSA spy ship USS Pueblo in 1968. TRINE was then replaced by UMBRA.


SPOKE

Very interesting is that not only UMBRA, but also the codeword SPOKE seems to be still in use. One document from the Snowden-leaks, which was published by Der Spiegel on December 20, 2013, is marked SECRET STRAP1 SPOKE. STRAP is the codeword that GCHQ uses to protect sensitive information, with STRAP1 denoting the least sensitive category:


Given the rather old-fashioned logo-type of the letters SD, it's not quite clear whether the document, or at least the header might predate 1999, although the content is clearly from more recent years. Der Spiegel said that it's an "analysis of the communication paths between Belgium and Africa prepared in January 2009".


Possible options

NSA using codewords that were generally considered abolished, reminds of a similar case in which the NOCON marking appeared in a document from the Snowden-trove. The general use of that marking was terminated in 1995, but NSA kept using it as an internal marking. As such it isn't listed in the official Classification Manuals, which are declassified regularly.

Now it seems that the same could have happened to the codewords UMBRA, SPOKE and maybe also to MORAY, but there's a difference: NOCON is a dissemination marking, a category which is less strictly controlled than a compartment, like UMBRA.

As the classification line of the newly disclosed slides seems not fully correct (there has to be a single, instead of a double slash between ORCON and REL USA, FVEY), which makes that there are a few options for what UMBRA could actually represent.



One option is that the double slash between COMINT and UMBRA is correct. In that case UMBRA wouldn't be a Sensitive Compartmented Information (SCI) label for intelligence information - which it actually looks like most - but a codeword from another category, like for example a Special Access Program (SAP) or Foreign Government Information (FGI) (Marc Ambinder favors this option).

Another option is that there should have been just a single slash between both terms. That would mean UMBRA is a normal SCI control system, in this case one that is apparently kept secret, as it was never mentioned anywhere since 1999.

The latter option seems very well possible, because the most recent Intelligence Community Classification Manual (pdf) acknowledges the existance of "registered but unpublished SCI control systems" which "must remain unpublished due to sensitivity and restrictive access controls".

It seems less likely that UMBRA is the undisclosed compartment of the COMINT (SI) control system, which is listed in the most recent Intelligence Community Classification Manuals, because in that case the marking would have read TOP SECRET//COMINT-UMBRA//etc.

Questions

Given this sensitivity, one wonders why in the orange classification bars of the slides UMBRA hasn't been blacked out. The overall classification line in the first slide and also most of the portion markings were fully redacted, although the latter can hardly contain something that is more sensitive than the UMBRA abbreviation.

Another question is whether Edward Snowden had authorized access to the UMBRA compartment, or that he was able to just grab these slides otherwise. The Washington Post suggests that he did had access to the Exceptionally Controlled Information (ECI) compartment RAGTIME, which is similar to UMBRA, but for content collected under FISA authority (UMBRA is probably for content collected under EO 12333).


Conclusion

For those who are somehow familiar with the US classification system, it must be quite surprising to see a codeword that has been considered dead for 15 years popping up from the Snowden-leaks. The most likely explanation is that after UMBRA (and SPOKE too) was publicly abolished in 1999, NSA kept using it in secret as a compartment for very sensitive communication intercepts, but now as an unpublished SCI control system - letting outsiders think that UMBRA was something from the past!

Update:
On December 4, 2014, the website The Intercept came with a story about NSA mapping access options for mobile phone networks under the AURORAGOLD program. One of the NSA presentations about this program contains a slide which shows an example of an NSA serialized product report. The classification line of this report reads: TOP SECRET  UMBRA  US/UK/CAN/AUS/NZ EYES ONLY:




Links and Sources
- Lux ex Umbra: UMBRA history
- TheWeek.com: The return of an intelligence code word with a storied history
- A work of art from the series "Secret Codewords of the NSA": UMBRA
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.

12 comments:

Anonymous said...

Could these docs be forgeries? The KGB playbook was big on planting forged "secret" US documents, and then "discovering" them with great fanfare. History repeats itself.
Thoughts?

P/K said...

Yes in theory they could be forgeries, but I think only KGB or a Chinese agency would be able to do this. But with the huge number of documents, many of wich are very detailed, and most of them look genuine, it would take so much time and effort to forge them, that it would have been easier for say KGB to "assist" Snowden stealing the real stuff, than to counterfeit this all by themselves. By which I don't want to say that Snowden was a puppet of the Russians or the Chinese, there are many conspiracy theories about that too.

public key infrastructure said...

It is really amazing! So many new things that I even didn't hear about them. Difficult to follow for a not professional, a private individual. The world goes on progressing by innovating and inventing.

mofuniplo said...

Ingenuos todo eso y mas yo se programa monster mind

mofuniplo said...

Manden cazas a paracuaro guanajuato mexico aqui sobre mi casa existe un portal dimensional es como un triangulo de treinta metros en donde yo veo naves y ovnis es en paracuaro guanajuato mexico

mofuniplo said...

Perimetro fue desclasificado voy a subir los codigos a internet saludos

Anonymous said...

What level of access and storage would have the UFO files? There are above Top Secret (very restricted knowledge?) and not stored in the general database? Recent documentaries on Discovery and NG show that in particular cases (credible cases of UFO) there had been serious investigations by the State (unknown department of the military complex)...

P/K said...

As you can see in the example, UFO files were classified as TOP SECRET UMBRA, which means they were protected under the rules governing the UMBRA compartment, which was for the most sensitive material.
The Very Restricted Knowledge (VRK) compartments were established in 1974.

mofuniplo said...

Usa esta por iniciar una invasion a rusia por la frontera de kosovo e iniciar un ataque niclear arquero 83

spokeumbra said...

Not bad as far as speculation goes.

An alternative hypothesis is that just because the classification system changed, the documents with those classifications did not. I would guess that the whatever the new classification is, it will be a marker that is tagged to electronically stored documents, not hardcopy.

The NSA is populated by crazy people who don't know they are crazy. I was in it once and they made me crazy. Or half crazy, depending on you you define it. In any event, they also think they are all-American patriots who can do no wrong because they work for the security of the USA. No matter what. Like Snowden said, it takes a few years before you realize how crazy, and dangerous, the entire black world is. At that point you have a choice: Stay in, or get out. If you stay in, you buy in to the craziness. If you get out, you are sane, but smart enough to keep your mouth shut. One in thousands will stand out and say NO. Like Snowden. That takes courage because at that point you know that life as you knew it will never be the same again. And you know that better than anyone outside can ever imagine.

Anonymous said...

UMBRA/WHCA/OP GRAND EAGLE, TF-157, TF-XXX, SHIN BET, ISA AND SO MANY MORE DEEPLY DARK OPERATIONS ARE STILL GOING ON, ALL INCLUSIVE CONCEALED, HIDDEN, NE, ETC.

AS THE 18+ INTELLIGENCE ALPHABETS AGENCIES AND COMPANIES MANY DARK AND PRIVATE THE War's STILL CONTINUE AND SADLY TO ADMIT WE ARE IN A DEEP DIVE TO DEMISE AND MAJOR CIVIL UNREST, AS THINGS CONTINUE TO FALL APART WITHIN AND WITHOUT OFFICIAL SANCTIONS AND SO MANY WORKING AGAINST EACH OTHER AND THEY DID NOT EVEN KNOW IT, MET TODAY WITH 4 OPERATORS UNKNOWN UNTIL TODAY, KNEW EACH OTHER YET ALL WERE ASSIGNED TO DO THE SAME OP'S AGAINST EACH OTHER ONCE THE MISSION WAS COMPLETE . WE ARE IS SOME REALLY DEEP AND DARK OPERATIONS EVEN THOSE AT THE HIGHEST LEVEL'S FROM NORAD, VANDENBERG AFB, CHINA LAKE, CA, EDWARDS AFB AND MANY MORE ARE UNAWARE OF THE COMING DUAL OPS AGAINST EACH OTHER, AS A PLAY WITH CCP, IRAN AND ?

Anonymous said...

Cold war agenda?

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties