September 22, 2019

From 9-Eyes to 14-Eyes: the Afghanistan SIGINT Coalition (AFSC)



For over five years it was a mystery: the 9-Eyes intelligence cooperation, which was first revealed by The Guardian in November 2013. It was only an extensive new piece on the website The Intercept from last May that made clear that the 9-Eyes is actually the Afghanistan SIGINT Coalition (AFSC).

The main purpose of the AFSC was to collect GSM metadata using DRT interception devices and feed them into the NSA's huge data analysis platform for Afghanistan operations called the Real Time Regional Gateway (RT-RG).

The AFSC started in 2009 with nine members but eventually grew to the same 14 countries that already cooperated in another intelligence exchange group called SIGINT Seniors Europe (SSEUR). The AFSC existed at least until the end of 2014.



Slide from an NSA presentation about the Afghanistan SIGINT Coalition (June 2009)
Published by The Intercept in May 2019


Intelligence sharing coalitions

The existence of the 9-Eyes group was first revealed by the British newspaper The Guardian on November 2, 2013:
"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

This revelation caused some embarrassment, as especially France and The Netherlands had clearly expressed their anger about the NSA's alleged eavesdropping operations against their citizens (see below), but now it turned out they were also engaged in some close alliances with the Americans.



Other 9-Eyes: CFBLNet

The Guardian's revelation started speculation about the differences between these groups and their specific purposes. From open sources, a range of similar "Eyes" for sharing military and intelligence information were identified on this weblog in November 2013 in a posting titled Five Eyes, 9-Eyes and many more.

It turned out that the term 9-Eyes had already been in use since 2008 for exchanging classified information among the Five Eyes and nine NATO members of the Combined Federated Battle Laboratories Network (CFBLNet). This is a multilateral network for research, development and testing on C4ISR systems.

However, the members of the CFBLNet 9-Eyes were not fully identical with those in the Guardian article, so it seemed not likely that this was the mysterious 9-Eyes group mentioned in the Snowden documents.


The 9-Eyes of the CFBLNet listed in a NATO standardization document from 2010
 


14-Eyes: SSEUR

In December 2013, Swedish television published a range of NSA-documents from the Snowden files which revealed that the 14-Eyes were also known as the SIGINT Seniors Europe (SSEUR) and consisted of the Five Eyes plus nine European partners: Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden:



From various other sources it became clear that the SIGINT Seniors Europe is a group in which the heads of the participating military or signals intelligence agencies coordinate the exchange of military intelligence according to the needs of each member.

The SSEUR group was established in 1982 to monitor the Soviet Union more efficiently, and a database system called SIGDASYS was set up so the participating agencies could exchange as much military SIGINT and other information as possible. In the early 2000s, a sub-group for counter-terrorism was formed under the name SIGINT Seniors Europe Counter Terrorism coalition (SISECT).



Afghanistan

Meanwhile, the function of the 9-Eyes remained unclear: the Dutch interior minister Ronald Plasterk refused to say anything about it, but there were rumours that it was for exchanging military signals intelligence related to operations in Afghanistan.

That could explain why no other documents about the 9-Eyes had been published, because apparently Glenn Greenwald had an agreement with Snowden not to disclose information that could endanger American troops in Afghanistan.

Nonetheless, information about NSA's involvement in Afghanistan did come out: in June 2014 for example, the German magazine Der Spiegel released an NSA paper from January 2013, which lists all the members of the Afghanistan SIGINT Coalition (AFSC). Its membership appeared identical with the SIGINT Seniors Europe or 14-Eyes.



NSA presentation slide showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 2014.



From 9-Eyes to 14-Eyes

But as was revealed in The Intercept's article from last May, the Afghanistan SIGINT Coalition did not always have 14 members: the group started in 2009 with just nine members and was therefore called 9-Eyes. Besides the Five Eyes it included Denmark, France, the Netherlands and Norway.

In 2010, Sweden and Germany joined the Afghanistan SIGINT Coalition and by January 2013, Belgium, Italy, and Spain had also become members of the group. By then, the AFSC had exactly the same membership as the SIGINT Seniors Europe or 14-Eyes.

It is not known whether the number of "Eyes" increased with each new AFSC member, but it's clear that an "Eyes" designation is not always a unique designator and there can be multiple groups with the same number of Eyes at the same time. To avoid confusion, such multilateral partnerships can best be called by their actual names.


 


The Real Time Regional Gateway

The Afghanistan SIGINT Coalition was created because the NSA needed additional linguistic capabilities as well as data from regions in Afghanistan where they had little or no coverage themselves.

Therefore they turned to trusted coalition partners and provided them with wireless interception equipment known as DRT-boxes, which were first identified as such on this weblog in November 2013.

After Dutch, Danish, Norwegian, German and Spanish troops each got one, two or three DRT devices, they started feeding intercepted GSM metadata into a huge distribution and analysis system called Real Time Regional Gateway (RT-RG) as of Summer 2008.

This RT-RG system was first publicly mentioned in a Defense News article from October 2010 and in the book Top Secret America from 2011 it was described as follows:
"RTRG allows users to see all signal intelligence that collectors are working on in real time. This includes ground collectors, Air Force RC-135 Rivet Joint and Liberty planes, SIGINT-equipped drones, and SIGINT satellites operated by the NRO. RTRG has provided a tenfold increase in the speed with which intercepts are provided to operators on the ground."

This is already a pretty accurate description, except that it doesn't mention the participation of coalition partners, which governments always handle as something extremely sensitive.



Slide from an NSA presentation showing all the collection systems that fed the RT-RG platform


RT-RG started as a project called RT-10, which was first deployed in Baghdad in 2007. An internal NSA newsletter says that in order to provide a comprehensive real-time view of the telephone and internet communications in Baghdad (with roughly 4 to 5 million residents), the RT-10 system had to be able to ingest each day:
- 100 million telephone metadata records
- 1 million pieces of telephone content
- 100 million internet metadata records

The success of the RT-RG system lay in the fact that these massive amounts of data were stored locally: in 2009, a large RT-RG data center was built at Area 82 of Bagram Airport north of Kabul. It was right next to the Afghanistan Regional Operations Cryptologic Center (A-ROCC), where analysts from the 9-Eyes countries worked side-by-side.

Previously, war-fighters in the field had to retrieve their intelligence from central databases at NSA headquarters. This cost time and bandwidth, but it also meant that only data related to known targets was sent back and stored. By storing the full-take collection in a regional repository, all data could be subjected to analytic algorithms in order to find new targets for the so-called Find, Fix, Finish operations.

In 2011, the Afghanistan RT-RG had a database of 27 terabytes, which could only store approximately one month of regional data (90% of the user queries were within a one-week timeframe though). A planned move to NSA's new cloud architecture would increase the storage space to up to 125 TB and would allow larger-scale analytics to be conducted.



Architecture of the Real Time Regional Gateway (RT-RG) in 2012
(source: NSA presentation)



BOUNDLESSINFORMANT

How much GSM metadata the countries from the Afghanistan SIGINT Coalition collected can be seen in charts from the NSA's data visualization tool BOUNDLESSINFORMANT. The available charts show that the following numbers were acquired through the DRTBOX system during a one-month period between December 10, 2012 and January 8, 2013:
- France: 62 million metadata records
- Spain: 60 million metadata records
- Italy: 45 million metadata records
- Sweden: 33 million metadata records
- Norway: 33 million metadata records
- Denmark: 22 million metadata records

(The chart for the Netherlands shows the CERF CALL method through which cellphone metadata from Somalia were collected. DRTBOX is not mentioned, maybe because Dutch troops had left Afghanistan already by August 2010)

These numbers are very small compared to what NSA and American military units collected. They also, once again, show that "mass surveillance" of entire populations would require the collection of billions of metadata records rather than the millions that showed up in these particular charts (60 million would roughly be the number of metadata records generated by 20,000 handsets).

In the second half of 2013, these charts were published in various major European newspapers saying that they proved that NSA monitored millions of phone calls in those countries. Soon it turned out this interpretation was completely wrong, something which co-author Glenn Greenwald only admitted in The Intercept's article from last May.



BOUNDLESSINFORMANT chart showing metadata collected by French intelligence,
including 62 million records through the DRTBOX system



3rd Party partners

It is interesting that Polish troops in Afghanistan also got one DRT interception device, and there is also a BOUNDLESSINFORMANT chart showing that in one month's time they collected some 71 million cellphone metadata records. But despite this effort, Poland did not become a member of the Afghanistan SIGINT Coalition.

Poland was also not a member of the SIGINT Seniors Europe, so it seems the AFSC was only meant for countries that were already part of the SSEUR. The slide at the top of this blog post shows that, together with several other NATO countries, Poland is listed in red as a "National SIGINT Partner".

Except for Slovenia, these National SIGINT Partners appear to be identical with the so-called 3rd Party partners, which are the (signals) intelligence agencies of over 30 countries with which NSA has a formal relationship. They are one level below the 2nd Party partners, or Five Eyes, who have a fully integrated signals intelligence cooperation.



Quid pro quo

The operations in Afghanistan show how many different levels of cooperation there can be: there were 3rd Party partners who did nothing more or less than ordinary NATO members. Among them, information is only shared up to the classification level SECRET.

Then there was Poland which collected and shared telephone metadata, but did not participate in the CENTER ICE platform through which the countries of the SIGINT Seniors Europe communicated and exchanged threat information at the level TOP SECRET/SI.

The closest cooperation for 3rd Party partners was in the AFSC, where they fed telephone metadata directly into the NSA's RT-RG system. Because cooperation between intelligence agencies is always based upon the principle of quid pro quo, these partners also got things in return, equal to their input.

For the members of the AFSC these returns included real-time data access, unique linguistic resources and joint counter insurgency operations - things that could have been crucial for the success of their operations or the safety of their troops, but which the Five Eyes did not make available to the (initially broader group of the) SIGINT Seniors Europe.




Epilogue

The latest document in which the Afghanistan SIGINT Coalition was mentioned is an NSA paper from April 2013. One month later there was an AFSC conference in Denmark at which it would be discussed what to do after the ISAF mission was disbanded in December 2014. It's not known whether there was any kind of continuation.

The Real-Time Regional Gateway proved to be so successful that already in 2012, NSA deployed the system at 11 locations around the world, including at its regional center in Texas to combat Mexican drug trafficking, as well as on board of the nuclear submarine USS Georgia, which collected mobile phone metadata around the Horn of Africa.



Links
- Bug Brother: La NSA n’avait (donc) pas espionné la France (June 2019)
- The Intercept: Mission creep: How the NSA’s game-changing targeting system built for Iraq and Afghanistan ended up on the Mexican border (May 2019)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (Oct. 2015)


September 12, 2019

A document about the UKUSA partnership with unknown classification compartments

(Updated: September 13, 2019)

A highly sensitive document about the intelligence sharing relationship between the United States and the United Kingdom reveals the existence of three classification compartments that were previously unknown.

The assessment was declassified in September 2018 after a FOIA request by Privacy International and Yale Law School's Media Freedom & Information Access Clinic (MFIA). The document has no date, but must be from sometime before the NSA's internal reorganization in the year 2000.


First page of the assessment of the UKUSA relationship



Classification markings

The classification marking at the top of the document reads:

TOP SECRET VRK11 TK AG DC MC
N O F O R N

This rather long and complex marking consists of three separate parts. First there's the actual classification level:

- TOP SECRET
This is the highest level of classified information, which would cause "exceptionally grave damage" to US national security if it were disclosed without authorization.

Then there are several Sensitive Compartmented Information (SCI) control systems and compartments which further restrict the access to particularly sensitive information:

- VRK11
VRK stands for Very Restricted Knowledge and was a sub-control system to limit access to uniquely sensitive COMINT activities and programs. It contained compartments or categories which had an identifier of one to three alphanumeric characters, so in this case the document contains information from VRK compartment 11.
Shortly before 2004, VRK was succeeded by a new system called Exceptionally Controlled Information (ECI).

- TK
TK stands for TALENT KEYHOLE, which is a combined control system for products of overhead collection systems, such as spy satellites and reconnaissance aircraft.

- AG
Unknown.

- DC
Unknown.

- MC
Unknown. (Update: On Twitter, Bill Robinson said that MC is the abbreviation for MERCURY, a series of satellites for COMINT, SIGINT and ELINT collection, which were operated from Menwith Hill in the UK)

Finally, there's a dissemination marking which adds additional restrictions:

- NOFORN
This stands for No Foreign Nationals and is applied to any information that may not be released to any non-US citizen.

The classification of the document is remarkable and interesting in various ways. Not only because it contains VRK11 and TK information - this applies to some other declassified documents - but because it has three additional markings (AG, MC and DC), which seem to show up here for the first time.

These markings clearly look like abbreviations of code words, but that's also a bit strange because in an overall classification line, code words should be written in full. And if we assume that these markings stand for additional control systems or compartments, it's remarkable to see three that were not known before.






Benefits for the US

Although the term UKUSA is often used for the 5-Eyes partnership between the US, the UK, Canada, Australia and New Zealand, this document uses the term in its original sense, being the relationship between the signals intelligence agencies of the United States (NSA) and the United Kingdom (GCHQ).

As this is a highly sensitive issue, the document is almost entirely redacted: 11 out of 14 pages are withheld in full, while large portions of the remaining 3 pages have also been redacted. The remaining portions are still interesting however, also because they confirm things we learned from the Snowden revelations.

The text starts with saying that the UKUSA relationship is of "inestimable value to NSA and cannot be abandoned". But there are some weaknesses and understanding them would make NSA better able to "make some hard decisions about the future of the relationship." These weaknesses are of course redacted, but the main benefits for NSA are still readable:

- A "unique collection from GCHQ conventional sites, freeing US resources". This seems to be about data collection from undersea fiber-optic cables, which NSA also uses and therefore does not have to invest in its own accesses to these kinds of data streams.


- NSA can also use something from the UK "where the US has none", but what exactly this is, is redacted. However, another declassified document says: "The UK has sites at strategic locations for collection that otherwise would be unavailable to the US." Some GCHQ accesses even exist "solely to satisfy NSA tasking".


- The "compatibility and interoperability of US & UK SIGINT systems" which makes it faster and easier to exchange content data, metadata and end products.


- A "strong analytic workforce, with a capability for independent interpretation of events" which saves US resources by division of efforts.

- An "especially competent cryptanalytic workforce". Another declassified document adds: "GCHQ is NSA's only peer in the field of cryptomathematics and virtually all major advances within the field of cryptography have occurred as a result of our mutual sharing."

- The "pooling of resources on key technical projects during austere fiscal periods" - again financial reasons, showing how much NSA is apparently bothered with money issues despite their annual budget of over 10 billion US dollars in 2013.

- And finally, as the perhaps most important benefit the document says that the UK has "a record of supporting the US as an ally in confronting world problems".


According to another unredacted part of the document, NSA worried about the large numbers of integrees that NSA and GCHQ exchanged, who took on more and more tasks and responsibilities. GCHQ for example wished to place an integree in G2/SA (a unit in the former NSA division responsible for non-communist countries), but this was rejected "as it would give GCHQ insight into certain sensitive operations we do not share."

Another unredacted part makes clear that the Americans were also concerned about the increasing number of electronic communications interfaces between NSA and GCHQ, which had been established "based on a myriad of decisions at various levels within NSA". The question was asked: "Should there be a common NSA position on the number and kind of electronic interfaces between NSA and GCHQ? Should the number be driven by NSA design or by GCHQ needs?"




The UKUSA partnership

The same FOIA request by Privacy International and MFIA also resulted in the declassification of a larger batch of documents related to the US-UK relationship, including ones that date back to the early 1950s and recall the origins of this unique intelligence partnership.

It began with the UKUSA Agreement, which was signed on March 5, 1946 by Col. Patrick Marr-Johnson, British Army General Staff, for and in behalf of the London Signal Intelligence Board (LSIB), and by Lt. Gen. Hoyt S. Vandenberg, GSC, Senior Member, for and in behalf of the State-Army-Navy Communications Board (STANCIB).

Canada had hoped to be a third signatory of the UKUSA Agreement but that didn't happen. Eventually a separate CANUSA agreement between Canada and the United States was "presumably signed in 1949" after the British LSIB saw no objection.

After a first tripartite conference was held with the Australian Defence Signals Branch (DSB) in September 1953, Appendix J (about the "collaboration with commonwealth countries other than the U.K.") and Annexure J1 of the UKUSA Agreement were revised and these were signed by New Zealand in January 1956 and by Australia in May 1956.

The relationship between these five partner agencies continued to be governed by the original UKUSA agreement from 1946, supplemented by a range of appendices and an array of Memoranda of Understanding (MoU) and Divisions of Effort (DoE). However, NSA was apparently not able to locate, let alone produce, most of these additional documents.

The various kinds of data and intelligence that NSA and GCHQ exchange under the UKUSA partnership are listed in yet another declassified document:


Exchange of intelligence between NSA and GCHQ


In November 1993, the NSA's Deputy Director of Operations (DDO) initiated a review of the UKUSA Exchange Agreement "to include a list of what is not currently exchanged with the British, what we should not exchange in the future, and new things that should be exchanged in the future".

Finally, a document from the Snowden trove says that in the same year, the original bilateral relationships between the US and the individual Second Party countries were turned into a "group (5-EYES) partnership" which in 1998 got a coordinating body called the Joint Executive for SIGINT Operability (JESI).




Links
- Lawfare: Newly Disclosed NSA Documents Shed Further Light on Five Eyes Alliance (March 2019)
- Privacy International: Privacy International v. NSA et al. (US 5EY FOIA)


June 29, 2019

The NSA's regional Cryptologic Centers



For many years, the US National Security Agency (NSA) was identified with its almost iconic dark-glass cube-shaped headquarters building at Fort Meade in Maryland.

Only when Edward Snowden stepped forward in 2013 did the public learn that there's also a large NSA facility in Hawaii - which is actually one of four regional centers spread across the United States.

- History of the NSA's Cryptologic Centers

- Cryptologic Centers inside the US: Hawaii - Georgia - Texas - Colorado

- Cryptologic Centers outside the US: Europe - Afghanistan




History of the NSA's Cryptologic Centers

The history of the NSA's regional operation centers is described in the 60th Anniversary Book of the agency from 2012:

"In the 1970s and 1980s, NSA leadership grew concerned over the centralization of functions at Fort Meade. Partially prompted by the need to find adequate space for its personnel and equipment, the Agency began to look at moving some assets away from the Fort Meade area.

In this light, in 1980 a Remote Operating Facility (ROF) at Kunia was established on the Hawaiian island of Oahu. Although living costs were high there, Kunia had the advantage of proximity to the Commander in Chief, Pacific (CINCPAC).

In the late 1980s, the cryptologic leadership began developing the Regional Security Operations Center (RSOC) concept. Proven computer and communications technology allowed NSA to delegate SIGINT authority to these regional centers, thus avoiding an overconcentration in the Washington area.

Under the RSOC doctrine, each center would be "hosted" by one of the military services so that all services could be represented.

In 1995 the centers opened and NSA began to transfer missions to them. The Kunia facility was given a new status as an RSOC.

Over the next decade, the RSOCs evolved from limited operations centers into mini "regional NSAs" in Georgia, Texas, Hawaii and Colorado with the following mission benefits:
• Consolidation of cryptologic operations
• Dispersion of facilities from the Washington, D.C. area
• Capability of serving as alternate communications centers
• Representation of all military services.

The concept of "regional NSAs" was reinforced when NSA suffered a massive computer outage early in 2000, and the RSOCs, as components that could operate independently, picked up the essential missions until NSA was back in full operation. Today all four centers, now known as Cryptologic Centers, are operational, expanding, and provide redundancy in the event of an emergency."



Cryptologic Centers inside the US

Officially acknowledged and listed on the NSA's official website are the four Cryptologic Centers which are located inside the United States. Especially those in Hawaii, Texas and Georgia are fairly large facilities with a few thousand employees each and consisting of both operations and data centers.

The Cryptologic Centers in Hawaii, Texas and Georgia each cover a geographically defined part of the earth, while the Cryptologic Center in Colorado is responsible for air and space based collection systems.


NSA/CSS Hawaii (NSAH)

- Established in 1980 as a Remote Operating Facility (ROF), which was turned into the Kunia Regional Security Operations Center (KRSOC) in 1995 and became a Cryptologic Center in 2005. Initially located in the Kunia Tunnel complex in Honolulu, Hawaii.

- Currently located in the Joseph J. Rochefort building, a $ 358 million and 250,000 square-foot complex near Wahiawa in Honolulu that was opened in January 2012.

- Hosted by the US Navy.

- About 3300 military and civilian employees.

- Area of responsibility: the Pacific Rim and Far East, Southeast and Southwest Asia.

- Supports the Indo-Pacific Command of the US Armed Forces.

- SIGAD: USJ-750

- See also: Wikipedia - Cryptome - Cryptome - CBS News


The Joseph J. Rochefort Building of NSA/CSS Hawaii in Honolulu, Hawaii (2019)
(still from CBS News)



NSA/CSS Georgia (NSAG)

- Established in 1995 as the Ft Gordon Regional Security Operations Center (GRSOC) and turned into a Cryptologic Center in 2005. Initially located at Fort Gordon in Augusta, Georgia.

- Currently located in the John Whitelaw building, a $ 286 million and 604,000 square foot complex that was opened in March 2012.

- Hosted by the US Army

- Some 4000 employees

- Area of responsibility: Europe, North Africa, the Middle East, the Near East and the Persian Gulf.

- Supports the European Command and the Central Command of the US Armed Forces

- NSAG also includes the alternate National Security Operations Center (NSOC, project DECKPIN) which serves as a back-up for the NSOC at NSA headquarters.

- SIGADs: USN-18 and USJ-800

- See also: Wikipedia - Cryptome - SIDtoday


The John Whitelaw Building of NSA/CSS Georgia at Fort Gordon (2012)
(photo: NSA)



NSA/CSS Texas (NSAT)

- Established in 1995 as the Medina Regional Security Operations Center (MRSOC) and turned into a Cryptologic Center in 2005. Initially located on the Medina Annex of Lackland Air Force Base near San Antonio, Texas.

- In 2005, the NSA acquired a former Sony chip fabrication plant in the Northwest Side of San Antonio for $ 30.5 million and invested as much as $ 300 million to transform the 470,000 square feet complex into the current Texas Cryptologic Center (TCC).

- Hosted by the US Air Force.

- Probably some 6000 military and civilian employees.

- Area of responsibility: Middle and South America, the Caribbean and the Atlantic littoral of Africa.

- Supports the Southern Command and the Central Command of the US Armed Forces.

- SIGADs: USN-26 and USJ-783

- See also: Wikipedia - Cryptome - Cryptome


NSA's Cryptologic Center in San Antonio, Texas (2013)
(photo: William Luther)



NSA/CSS Colorado (NSAC)

- Established around 2002 as the Denver Security Operations Center (DSOC) and turned into a Cryptologic Center in 2005.

- Initially located in temporary buildings at the Aerospace Data Facility at Buckley Air Force Base in Aurora, near Denver, Colorado. In 2012, a new $ 141 million building was planned to provide space for 850 NSA employees.

- NSA's primary production center for Weapons and Space (W&S) targets and Technical Signals Intelligence (TechSIGINT).

- Co-located with the joint NSA-NRO Overhead Collection Management Center (OCMC) which manages spy planes and spy satellites.

- SIGAD: USJ-751

- See also: Wikipedia - SIDtoday - SIDtoday


The Aerospace Data Facility at Buckley Air Force Base in Aurora, Colorado


Shore support

According to a document from the Snowden cache, the Cryptologic Centers in Hawaii, Texas and Georgia also have a Fleet Information Operation Centre (FIOC), each of which include a Maritime Cryptologic Integration Centre (MCIC).

These MCICs are responsible for so-called cryptologic shore support: providing technical SIGINT information to cryptologic teams embarked in mobile sea, air and land units. A fourth MCIC is based at RAF Digby in Lincolnshire in the United Kingdom.


Cyber defense

The Cryptologic Centers not only process and analyze collected data, but also include a regional NSA/CSS Threat Operations Center (NTOC). These combine the NSA's Signals Intelligence (SIGINT) and Information Assurance (IA) missions in order to detect cyber threats against vital computer networks of the US Defense Department.

It was at the NTOC of the Cryptologic Center in Hawaii that Snowden had his last and only analytical job as an infrastructure analyst tracking Chinese hackers.


Hacking operations

As described in several editions of the internal newsletter SIDtoday, the NSA's hacking division TAO started to conduct Computer Network Exploitation (CNE) operations also from the cryptologic centers, first in 2004 in Hawaii, followed in 2006 by Texas and Georgia. In 2008, NSA/CSS Texas had some 60 TAO operators, a number that was planned to rise to 270 in 2015.



The TAO hacking unit at the NSA/CSS Texas Cryptologic Center
(source: NSA Texas presentation)



Cryptologic Centers outside the US

Not officially acknowledged are the Cryptologic Centers which are located outside the United States. From the Snowden revelations we know of the existence of the following two centers, which are much smaller than those inside the US and also process and disseminate data and information from the NSA's Second and Third Party partners.


European Cryptologic Center (ECC)

- Established in April 2004 as the European Security Center (ESC) and turned into the European Security Operations Center (ESOC) in July 2006. In May 2011 it became a Cryptologic Center and got its own NTOC.

- Initially located at the Dagger Complex of the US Army outside Griesheim, near Darmstadt in Germany.

- In 2016, the ECC moved to the newly built $ 91 million Consolidated Intelligence Center (CIC) with a $ 30.4 million Information Processing Center (IPC) at the Lucius D. Clay Barracks near Wiesbaden in Germany.

- Hosted by the US Army Intelligence and Security Command (INSCOM).

- Some 240 military and civilian personnel (in 2011).

- Operations focused on counter-terrorism and supporting military operations in the Middle East and North Africa (MENA).

- Supports the European Command and the Africa Command of the US Armed Forces.

- SIGADs: USM-44 (ESC) and USJ-753

- See also: Wikipedia - Electrospaces.net


The European Cryptologic Center (ECC) near Griesheim in Germany (2014)
(Photo: AP)



Afghanistan Regional Operations Cryptologic Center (A-ROCC)

- Established in October 2009 and fully operational in the Winter of 2010.

- Located in 17,000 square-foot office spaces at Area 82 of Bagram Airfield north of Kabul in Afghanistan.

- Over 250 employees, 120 of whom were linguists (in 2009), including personnel from all countries participating in the Afghanistan SIGINT Coalition (AFSC).

- Supports US and Coalition forces throughout Afghanistan.

- See also: SIDtoday - The Intercept


The buildings of the A-ROCC at Area 82 of Bagram Airfield near Kabul (2010)
(source: GCHQ presentation)


There may be other, smaller Regional Operations Cryptologic Centers (ROCCs): before the large A-ROCC was established, a ROCC had been in place since 2005, mainly supporting the Regional Command-East of ISAF.



May 17, 2019

Daniel Hale arrested for being the source of The Drone Papers

(Updated: May 21, 2019)

Since the start of the Snowden revelations in June 2013, there have been more than 25 publications based upon classified documents provided by leakers other than former NSA contractor Edward Snowden.

Now, former intelligence analyst Daniel E. Hale has been identified as the source of six of these non-Snowden leaks. He was arrested on May 9 and charged with providing classified documents to the website The Intercept.

The case is highly remarkable, first because the FBI already found out Hale's identity almost five years ago and did not even arrest him when The Intercept published The Drone Papers in October 2015. Secondly, Hale did just as little to stay out of the picture: he featured in a documentary around the time the FBI raided his home.



Some of the slides and documents which Daniel Hale leaked to The Intercept
The abbreviations in the center slide are explained here



Intelligence career


Daniel Everette Hale was born in 1987, is now 31 years old and living in Nashville, Tennessee. Despite his ideological disagreements with the military, he joined the US Air Force in July 2009 out of desperation because he was homeless. In the Air Force, he became a language analyst and was assigned to work at the National Security Agency (NSA) from December 2011 to May 2013.

From March to August 2012, Hale was deployed as an intelligence analyst in support of a task force of the Joint Special Operations Command (JSOC) at Bagram Airfield in Afghanistan, where he was mainly responsible for identifying and tracking targets for the drone program. He left the Air Force in July 2013.

From December 2013 to August 2014, he worked for the defense contractor Leidos (formerly SAIC), for which he was assigned to the National Geospatial-Intelligence Agency (NGA), which derives intelligence from geographical data and aerial and satellite imagery. There, Daniel Hale worked as a political geography analyst, for which he held a Top Secret/SCI clearance, just like for his previous job.



The 1.8 billion US dollar headquarters building for the ca. 16,000 employees of
the National Geospatial-Intelligence Agency in Fort Belvoir, Virginia
(photo: Marc Barnes/U.S. Army Corps of Engineers)


Contact with Scahill


Already in April 2013, almost two months before the start of the Snowden revelations, Hale used his unclassified work computer at the NSA to search for information on Jeremy Scahill, who then worked for Amy Goodman's news program Democracy Now!. In October 2013, Scahill would join Glenn Greenwald and Laura Poitras to establish the investigative website The Intercept.

On April 29, Hale attended a presentation of Scahill's book "Dirty Wars: The World Is a Battlefield" about the drone killings program under president Obama. The next day, Hale used his Top Secret NSA computer to search for classified information about people and issues about which Scahill wrote, according to the indictment.

Investigators had been able to retrieve Hale's text messages and found one which he sent to a close friend in May 2013, which read: "[Scahill] wants me to tell my story about working with drones at the opening screening of his documentary about the war and the use of drones."

On June 8, Hale was again present at a book presentation, where he was seen and recorded on video (see below) sitting right next to Scahill. In the next months they contacted each other by phone and by e-mail.

Although Hale had already used his classified work computer for searching about related topics, there are no indications that he was already planning to steal and leak classified documents, at least before September 2013, when Scahill asked him to set up a Jabber account for encrypted chat conversations.



Book presentation at Busboys & Poets in Washington, DC on June 8, 2013,
with Jeremy Scahill (center) and Daniel Hale (right)



Printing classified documents


According to the indictment, Daniel Hale used his classified work computer at the National Geospatial-Intelligence Agency (NGA) to print classified documents for the first time on February 28, 2014 and he continued to do so until August 5, 2014.

In total, he printed 36 documents, including four duplicates. Nine documents were related to his work at NGA, but 23 were not. Hale provided at least 17 of these 23 documents to Scahill and/or The Intercept, which published them in whole or in part between July 2014 and December 2016:




A table from the indictment listing the 23 documents that Daniel Hale
printed at the NGA and that were not related to his work.


In an earlier posting on this weblog, I listed 28 revelations at various media platforms, accompanied by one or more leaked documents that were not attributed to Edward Snowden.

Trying to identify their source, I assumed that a then unknown "source nr. 3" was responsible for the documents that were scanned from paper and with a more or less military content:

Source nr. 3 (someone from US military intelligence?)
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue
- FBI & CBP border intelligence gathering

Comparing the dates of these six publications with those in the table from the indictment leads to the following conclusions:

- Daniel Hale provided the documents for the first five revelations I attributed to Source nr. 3: from the "NCTC watchlisting guidance", which was published by The Intercept on July 23, 2014, to the "Cellphone surveillance catalogue" from December 17, 2015.

- The 14 original documents about "FBI & CBP border intelligence gathering", which I assumed could also have been provided by source nr. 3, are actually not among those that Hale printed out. Therefore, those files must have been leaked by someone else, probably an FBI or CBP employee.

- The indictment lists four unclassified documents (O, P, Q and R) and says these were published in December 2016, but so far no one seemed aware of a similar intelligence or national security revelation in that month.


Clapper's blog

Looking for articles that Jeremy Scahill published in December 2016 led me to a short story about James Clapper's blog called Intercept. It's indeed based upon four unclassified documents, which are again scanned from paper: a screenshot of a blog post from May 29, 2013, handwritten letters to and from Clapper and a few comments on that blog post.

This blog post is just a curiosity compared to the other documents, so it seems the only reason that Hale printed this out is that the main comment, posted under the nickname "Wormy", is his own. The comment warns against increasing restrictions on civil liberties, with arguments based upon the US Constitution and the Bill of Rights - it is reminiscent of how Snowden usually argues.



The documents leaked by Daniel Hale and published by The Intercept



Raided by the FBI


On August 8, 2014, right after Daniel Hale's assignment at the NGA had ended, the FBI raided his home. This was just three days after he had printed out his last document at the NGA and some two weeks after The Intercept published its first article based upon his material, which means the FBI identified and found him rather quickly.

At his home, FBI agents found a thumb drive with the TOR software and the TAILS operating system, both used for anonymous internet communications. Also found was the unclassified (and unpublished) document T on his computer and one page of document A, which was classified Secret and published in October 2015, on a thumb drive.

Why Hale brought these files in digital form to his home, after having already printed the documents at his work place at the NGA, is not clear, but it was careless and unnecessarily risky.

It is not known how exactly Hale was traced, but a tweet from his lawyer, Jesselyn Radack, seems to suggest that The Intercept failed at their source protection. That would be their third time, because NSA linguist Reality Winner and former FBI agent Terry Albury had already been arrested due to The Intercept's sloppiness.

But Daniel Hale was bad at operational security (OPSEC) too and did little to stay out of the picture: already in November 2013 he began speaking out publicly against the government's drone program at the "Ground the Drones" summit organized by Code Pink, where he apologized for his own participation in the program.

In January 2014, Hale also spoke at a rally outside the White House against the Guantanamo Bay prison camp. This is again very similar to Snowden, who organized a Crypto Party while he was working for the NSA in Hawaii.

The big difference is that Hale just took a handful of selected documents that he thought were in the public interest, while Snowden (and Manning) acted just like the NSA: "collect before you select."



Featuring in National Bird


And just as Edward Snowden was being recorded on camera for Laura Poitras' film Citizenfour when his leaks came out, Daniel Hale was being interviewed for the drone whistleblower documentary National Bird around the time the FBI raided his home.

In National Bird it's mentioned that Hale was being investigated under the Espionage Act, allegedly because he was seen as a source for information about the drone program. The Intercept had already begun publishing the files he stole at the NGA, but of course Hale did not admit that on camera.

He just pretended that he didn't know the reason for the investigation: it might have had to do with the fact that he had worked for intelligence agencies and that he was politically active, which could have made the government suspicious.

Right after the release of National Bird in February 2016, at least some people must have noticed that Daniel Hale would make a perfect fit for being the source of The Drone Papers, but it seems they all kept quiet.



The full version of the 2016 documentary National Bird with German voice-over



Featuring in Citizenfour


Almost two years before Hale himself could be seen in National Bird, the information he leaked already appeared in Laura Poitras' film Citizenfour, which was released in October 2014. It shows Glenn Greenwald visiting Snowden in Moscow, telling him about a new source and writing the most sensitive details on sheets of paper.

When the camera zoomed in on the notes, it could be seen that the new source provided information about the chain of command for the drone strikes, the fact that their signals are relayed through Ramstein AFB in Germany (which would cause "a huge controversy") and that some 1.2 million people are in one way or another on a government watch list.

When Snowden expressed his concerns about the safety of the source, Greenwald reassured him that they were "very careful in handling the source." Maybe they tried during the time Hale was handing over the documents, but given their prior non-secure contacts and Hale's public appearances, it was already too late for sufficient source protection.



Glenn Greenwald informing Edward Snowden about The Intercept's new source
(still from the documentary film Citizenfour)


Interestingly, just before the scene in the Moscow hotel room, Citizenfour shows Jeremy Scahill talking to Bill Binney, former technical director of the NSA's World Geopolitical and Military Analysis Reporting Group, about how to handle confidential sources.

Binney gives the advice that the best way to talk to such sources is like Bob Woodward and Deep Throat did: meet physically in the basement of a parking garage.

We can assume that Daniel Hale met in a similar way with Scahill to hand over the documents he had printed out at the NGA. It's not clear though whether the conversation with Binney was recorded before or after these meetings, so at least Binney's advice was also meant for any future leakers.


Mission

For the relation between Hale and The Intercept the advice had come too late, and both must have known that, so apparently both were too eager to go along with publishing the files.

For The Intercept, the drone program seems to present the most clear and direct link between the NSA and actual illegal killings - despite the fact that these operations were actually run by the CIA, before Obama tried to transfer them to a military command.

Also, one of the slides leaked by Hale says that drone strikes will only occur when the presence of the target is based upon two forms of intelligence, and that all parties involved (the local Task Force, the Geographic Combatant Command, the US Ambassador, the CIA Station Chief and the government of the host nation) have to concur or no strike occurs.

For Daniel Hale it may have become a moral mission to inform the public about the secret details behind the drone program and maybe this was also his way of making up for his own involvement in the program during his time in Afghanistan.


Trial

Hale will appear before a judge on May 17. Under the Espionage Act of 1917, which doesn't distinguish between providing information to enemies or to the press, he can be sentenced to a maximum of 50 years' imprisonment.

At least he has one of the best (and most expensive) defense attorneys: Abbe Lowell, who recently represented Trump's son-in-law Jared Kushner(!), and who apparently does Hale's case pro bono.



Links and sources

- Intercepted Podcast: The Espionage Axe: Donald Trump and the War Against a Free Press
- Emptywheel: On the Curious Timing of Daniel Everette Hale’s Arrest
- Mint Press News: Another Whistleblower Bites the Dust as The Intercept Adds a Third Notch to Its Burn Belt
- The Washington Post: Former intelligence analyst charged with leaking drone details to news outlet
- Lawfare Blog: German Courts Weigh Legal Responsibility for U.S. Drone Strikes
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations
- The Drone Papers: Acronyms, abbreviations, and initialisms