March 11, 2015

US military and intelligence computer networks

(Updated: November 18, 2016)

From the Snowden revelations we learned not only about NSA data collection projects, but also about many software tools that are used to analyze and search those data. These programs run on secure computer networks, isolated from the public internet. Here we will provide an overview of these networks that are used by the US military and US intelligence agencies.

Besides computer networks, they also use a number of dedicated telephone networks, but gradually these are transferred from traditional circuit-switched networks to Voice over IP (VoIP). This makes it possible to have only one IP packet-switched network for both computer and phone services. It seems that for example NSA's NSTS phone system is now fully IP-based.



An old NSTS telephone and a KVM-switch which enables switching between physically
separated networks, in this case two Unclassified (green labels), one Secret
(red label) and one Top Secret/SCI (orange and yellow label) network
(National Security Operations Center, 2006 - Click to enlarge)


US national networks

The main US military and intelligence computer networks are (of course) only accessible for authorized personnel from the United States. Special security measures are in place to prevent interception by foreign intelligence agencies. Most of the tools and programs used by NSA run on JWICS and NSANet, but here we only mention them when this is confirmed by documents.


DNI-U (Director National Intelligence-Unclassified)
- Until 2006: Open Source Information System (OSIS)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Access: US intelligence users
- Controlled by: DNI-CIO Intelligence Community Enterprise Services office (ICES)
- Purpose: Providing open source information; consists of a group of secure intranets used by the US Intelligence Community (IC)
- Computer applications: Intelink-U, Intellipedia, EViTAP, etc.



Page of the Unclassified version of Intellipedia
This one from the CIA's AIN network
(Click to enlarge)


NIPRNet (Non-secure Internet Protocol Router Network)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Secured by: Network traffic monitored by the TUTELAGE program and QUANTUM-DNS at the 18 gateways to the public internet *
- Address format: http://subdomains.domain.mil
- E-mail format: john.doe@mail.mil
- Access: US military users, via Common Access Card smart card *
- Number of users: ca. 4,000,000
- Purpose: Combat support applications for the US Department of Defense (DoD), Joint Chiefs of Staff (JCS), Military Departments (MILDEPS), Combatant Commands (COCOM), and senior leadership; composed of the unclassified networks of the DoD; provides protected access to the public internet.
- Computer applications: E-mail, file transfer and web services like the Joint Deployable Intelligence Support System (JDISS)
- Video Teleconferencing (VTC)



Cyber security officers in an operations center room at Barksdale Air Force Base
There are screens connected to NIPRNet (green background/border)
and SIPRNet (red background/border)
(Photo: U.S. Air Force/Tech. Sgt. Cecilio Ricardo - Click to enlarge)
More about this photo on SecurityCritics.org



SIPRNet (Secret Internet Protocol Router Network)
- Classification level: SECRET (color code: red)
- Secured by: TACLANE (KG-175A/D) network encryptors
- Address format: http://subdomains.domain.smil.mil
- E-mail format: john.doe@mail.smil.mil
- Access: users from multiple US intelligence agencies and government departments (and some foreign partners)*, via SIPRNet Token smart card
- Number of users: ca. 500,000 *
- Controlled by: JCS, NSA, DIA and DISA *
- Purpose: Supporting the Global Command and Control System (GCCS), the Defense Message System (DMS), collaborative planning and numerous other classified warfighter applications, and as such DoD's largest interoperable command and control data network.
- Computer applications: Intelink-S, Intellipedia, TREASUREMAP, Joint Deployable Intelligence Support System (JDISS), Defense Knowledge Online, Army Knowledge Online, InfoWorkSpace (IWS), etc.
- Phone service: VoSIP (Voice over Secure IP) as an adjunct to the DRSN for users that do not require the full command and control and conferencing capabilities.
- Secure Video Teleconferencing (VTC)



Computers in the White House Situation Room, with a yellow screensaver,
indicating they are connected to a TOP SECRET/SCI computer network
(Screenshot from a White House video)


JWICS (Joint Worldwide Intelligence Communications System)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE (KG-175A/D) network encryptors *
- Address format: http://subdomains.domain.ic.gov
- E-mail format: john.doe@agency.ic.gov
- Access: users from multiple US intelligence agencies and government departments
- Controlled by: DIA, with management delegated to AFISR
- Purpose: Collaboration and sharing of intelligence data within the US Intelligence Community (IC)
- Computer applications: ICE-mail, Intelink-TS, Intellipedia, GHOSTMACHINE, ROYALNET, TREASUREMAP, ICREACH, Joint Deployable Intelligence Support System (JDISS), etc.
- Phone Service: DoD Intelligence Information System (DoDIIS) VoIP telephone system
- Secure Video Teleconferencing (VTC)



Web-browser with a JWICS address for the ROYALNET tool


These various military and intelligence networks run on a world-wide physical infrastructure that is called the Defense Information Systems Network (DISN), which is maintained by the Defense Information Systems Agency (DISA) and consists of landline, mobile, radio and satellite communication links.

Most of these communication links are not connected to the public internet, but because radio and satellite transmissions can easily be intercepted by foreign countries, the security of these networks is assured by encryption. This encryption can also be used to run higher classified traffic over communication links with a lower classification level through Virtual Private Network (VPN) tunnels.

Classified communications have to be protected by Suite A Cryptography, which contains very strong and classified encryption algorithms. On most networks this is implemented by using Type 1 certified TACLANE (KG-175A/D) in-line network encryptors made by General Dynamics:



(Diagram: General Dynamics)


As long there's the appropriate strong link encryption, only the end points with the computer terminals (where data are processed before they are encrypted) need strict physical and digital security requirements in order to prevent any kind of eavesdropping or interception by foreign adversaries.

Most American military bases are connected to the SIPRNET backbone, but for tactical users in the field, the SIPRNet and JWICS networks can extend to mobile sites through Satellite Communications (SATCOM) links, like for example TROJAN SPIRIT and TROJAN SPIRIT LITE, which consist of a satellite terminal that can be on a pallet, in a shelter, on a trailer or even connected to a transit case.


Other US goverment departments and intelligence agencies also have their own computer networks at different classification levels:

FBI
- LEO (Law Enforcement Online; Unclassified, for law enforcement communications)
- FBINet (Federal Bureau of Investigation Network; Secret)
- SCION (Sensitive Compartmented Information Operational Network; Top Secret/SCI)


DHS
- HSIN (Homeland Security Information Network; Unclassified)
- HSDN (Homeland Secure Data Network; Secret)


State Department
- OpenNet (Unclassified)
- ClassNet (Secret; address format: http://subdomain.state.sgov.gov)
- INRISS (INR Intelligence Support System; Top Secret/SCI)


Department of Energy
- DOENet (DOE Corporate Network; Unclassified)
- ECN/U (Emergency Communications Network/Unclassified)
- ECN/C (Emergency Communications Network/Classified)


CIA
- AIN (Agency InterNet; Unclassified)
- ADN (Agency Data Network?; Top Secret/SCI)


NRO
- GWAN (Government Wide Area Network, also known as NRO Management Information System (NMIS); Top Secret)
- CWAN (Contractor Wide Area Network; Top Secret)


NGA
- NGANet (National Geospational intelligence Agency Network; Top Secret/SCI)


Finally, there's the Capitol Network (CapNet, formerly known as Intelink-P), which provides Congressional intelligence consumers with connectivity to Intelink-TS and CIASource, the latter being the CIA's primary dissemination vehicle for both finished and unfinished intelligence reports.


Overview of major Homeland Security computer networks
From a briefing for Congress, July 2004


US multinational networks

Besides the aforementioned networks that are only accessible for authorized military and intelligence personnel from the United States, there are also computer networks set up by the US for multinational coalitions, and which therefore can also be used by officials from partner countries.

The group of countries that have access to such coalition networks is often denoted by a number of "Eyes" corresponding with the number of countries that participate.


NSANet (National Security Agency Network)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE network encryptors *
- Address format: http://subdomain.domain.nsa
- E-mail format: john.doe@nsa
- Access: US, UK, CAN, AUS, NZL signals intelligence users
- Controlled by: NSA, with management delegated to CSS Texas
- Purpose: Sharing intelligence data among the 5 Eyes partners
- Computer applications: InfoWorkSpace (IWS), SIDToday (newsletter), TREASUREMAP, MAILORDER, MARINA, TURBINE, PRESSUREWAVE, INTERQUAKE, CATAPULT, Cellular Information Service (WCIS), GATC Opportunity Volume Analytic, etc.
- Phone service: NSTS (National Secure Telephone System)



Web-browser with NSANet address for the INTERQUAKE tool, used by NSA's
Special Collection Service (SCS, organizational code: F6) units
(Click for the full presentation)


Besides NSANet as its general purpose intranet, NSA also operates several other computer networks, for example for hacking operations conducted by the TAO-division. We can see some of these networks in the following diagram, which shows how data go (counter-clockwise) from a bot in a victim's computer on the internet, through a network codenamed WAITAUTO to TAONet and from there through a TAONet/NSANet DeMilitarized Zone (DMZ) to data repositories and analysing tools on NSANet:



Diagram showing the data flow for TAO botnet hacking operations
(Source: NSA presentation - Click to enlarge)


PEGASUS
- Until 2010: GRIFFIN (Globally Reaching Interconnected Fully Functional Information Network)
- Classification level: SECRET//REL FVEY
- Access: US, UK, CAN, AUS, NZL military users
- Controlled by: DIA(?)
- Purpose: Information sharing and supporting command and control systems
- Applications: Secure e-mail, chat and VoSIP communications


STONEGHOST (Quad-Link or Q-Lat)
- Classification level: TOP SECRET//SCI
- Access: US, UK, CAN, AUS, NZL(?) military intelligence users
- Controlled by: DIA
- Purpose: Sharing of military intelligence information
- Applications: Intelink-C, etc.


CFBLNet (Combined Federated Battle Laboratories Network)
- Classification level: Unclassified and SECRET
- Access: US, UK, CAN, AUS, NZL, and at least nine European countries Research & Development institutions
- Controlled by: MultiNational Information Sharing (MNIS) Program Management Office
- Purpose: Supporting research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.
- Applications: Communications, analytic tools, and other applications



The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)


For communications among the members of multinational coalitions, the United States provides computer networks called Combined Enterprise Regional Information eXchange System (CENTRIXS). These are secure wide area network (WAN) architectures which are established according to the specific demands of a particular coalition exercise or operation.

CENTRIXS enables the secure sharing of intelligence and operational information at the level of "SECRET REL TO [country/coalition designator]" and also provides selected centralized services, like Active Directory/DNS Roots, VoIP telephony, Windows Server Update Services (WSUS) and Anti-Virus Definitions.

There are more than 40 CENTRIXS networks and communities of interest (COIs) in which the 28 NATO members and some 80 other countries participate. The best-known CENTRIXS networks are:


CENTRIXS Four Eyes (CFE or X-Net)
- Classification level: TOP SECRET//ACGU
- Address format: http://subdomains.domain.xnet.mnf
- Access: US, UK, CAN, AUS military users
- Controlled by: DIA
- Purpose: Operational coordination through sharing and exchange of intelligence products
- Applications: Various services


CENTRIXS-ISAF (CX-I)
- Classification level: TOP SECRET//ISAF
- Access: ca. 50 coalition partners
- Controlled by: ?
- Purpose: Sharing critical battlefield information; US component of the Afghan Mission Network (AMN).
- Computer applications: Web services, instant messaging, Common Operational Picture (COP), etc.
- Voice over IP


CENTRIXS-M (Maritime)
- Classification level: TOP SECRET ?
- Purpose: Supporting multinational information exchange among the ships of coalition partners of the US Navy to provide access to critical, time-sensitive planning and support data necessary to carry out the mission
- Computer applications: E-mail, Chat messaging, Webpages, etc.



Report from the Afghanistan Regional Command Southwest (RC(SW))
with a SIPRNet and a CENTRIXS e-mail address and webpage
(Full document in pdf format - Click to enlarge)


Some other CENTRIXS networks are:

CENTRIXS-GCTF
- Address format: http://subdomains.domain.gctf.cmil.mil
- For the ca. 80 Troop Contributing Nations of the Global Counter-Terrorism Force (GCTF)

CENTRIXS-CMFC
- For the Combined Maritime Forces, Central Command (CMFC)

CENTRIXS-CMFP
- For the Combined Maritime Forces, Pacific (CMFP)

CENTRIXS-J
- For the United States and Japan

CENTRIXS-K
- For the United States and South-Korea



Links and Sources
- KMI Media Group: Everything Over Internet Protocol (2009)
- US National Intelligence: A Consumer's Guide (pdf) (2009)
- Paper about How to Use FASTLANEs to Protect IP Networks (pdf) (2006)

6 comments:

Anonymous said...

PK: Wow! Thanks for this. This is new information for me. It provides information review on how some corporations can use multiple encryption units. Best regards.
Joe Tag

--- end ---

Anonymous said...

Oh those bring back memories! 10 years in the Intel world and I used most of those, minus some of the NSA networks. There are times I miss it, others not so much lol.

Anonymous said...

Where does the secure Bullrun community of interest fit into this?

P/K said...

Such a Community of Interest (CoI) is a segregated part or an enclave on a given network, in this case probably on NSANet or TAONet.

Anonymous said...

I miss looking at secret information. The NSA put a virus into my eyes.

elio dominglos said...

some i.p. that military uses.. http://dangerousip.blogspot.com/