Friday, September 13, 2013

Military Encryption Devices

Soldiers operate AN/URC-103/V radios, left, and an RF 7401 remote control console in the Edingen Transceiver Station operations room. Also shown is the KL-42 message encryption device, 03/24/1986
KL-42 description:
US Air Force (USAF) STAFF Sergeant (SSGT) John Lontoc, Ground Radio Journeyman, 35th Communications Squadron (CS), Misawa Air Base (AB), Tohoku Region, Japan (JPN), installs an Advanced Encryption Standard (AES) chip onto an XTS-5000 Motorola hand held radio, 03/12/2004
US Air Force Reserve (USAFR) SENIOR AIRMAN (SRA) Daniel Ratzel (left) and USAFR Technical Sergeant (TSGT) Robert Fisher (right), both assigned to the 910th Communications Flight, observe US Air Force (USAF) AIRMAN First Class (A1C) James Matthews, 31st Communications Squadron, as he performs a diagnostic check on KG-194 trunk encryption equipment. Both SRA Ratzel and TSGT Fisher are deployed at Aviano Air Base (AB), Italy, for their two-week annual tour, 08/13/2002
US Air Force (USAF) STAFF Sergeant (SSGT) Jeffery Hartman (left) teaches USAF AIRMAN First Class (A1C) Travis Hoisington (center) and USAF A1C Edward Perez, Ground Radio Technicians, 52nd Communications Squadron (CS), how to load type 2 digital encryption codes into the Land Mobile Base Station. The Airmen are preparing for the 52nd Fighter Wing (FW) exercise Harley Saber at Spangdahlem Air Base (AB), Germany (DEU), 04/19/2004
During Combined Endeavor 2004, (left to right) Italian Contractor Guseppi Carucci, US Air Force (USAF) STAFF Sergeant (SSGT) Jason Bryant, Italian Warrant Officer 3 (WO3) Sandro Venazangeli and Bulgarian Captain (CPT) Stanislav Stoychev work on encrypted certificates and signature blocks for secure e-mail at Combined Endeavor, Camp Sarafovo, Bulgaria (BGR), 05/16/2004
A close-up view of the airborne launch control system aboard an EC-135 Stratolifter "Looking Glass" aircraft of the 2nd Airborne Command and Control Squadron, 55th Strategic Reconnaissance Wing. The system decodes launch instructions from an encrypted tape and after two missile launch officers turn separate keys, it transmits a launch message to a Minuteman III missile housed in a silo, 03/22/1991
US Navy Cryptologic Technician (Collection) 3rd Class Melissa Shirk, shown loading cryptographic code into an EA-6B Prowler aircraft, is a Cryptologic Analyst on board the US Navy's nuclear powered aircraft carrier USS CARL VINSON (CVN 70) where she collects and analyzes different types of encrypted signals. Commanded by Captain Larry Baucom (not shown), Carl Vinson is currently deployed to the Persian Gulf enforcing the extended "No Fly Zone" over Iraq in support of Operation SOUTHERN WATCH, 09/11/1996

Tuesday, June 25, 2013


June 23, 2013

Is PRISM just a not-so-secret web tool?


Since The Guardian first reported on the PRISM data collection program on June 6, there have been new disclosures of top secret documents almost every day, resulting in some fierce protests against apparently illegal wiretapping by the NSA and GCHQ. However, it remains unclear what PRISM actually is or does, as The Guardian hasn't provided any new details or disclosed more than 5 of the 41 presentation slides about the program.

This makes it hard to determine whether PRISM really is the illegal or at least embarrassing program which most people now think it is, especially because it could even be the hardly secret Planning tool for Resource Integration, Synchronization and Management (PRISM), a web-based tool for managing information requests that is widely used by the US military. Here we will take a closer look at this program and try to determine whether it could be the same as the PRISM revealed by The Guardian.

Planning tool for Resource Integration, Synchronization and Management

The earliest document which mentions the Planning tool for Resource Integration, Synchronization and Management (PRISM) is a paper (pdf) from July 2002, which was prepared by the MITRE Corporation Center for Integrated Intelligence Systems. The document describes the use of web browsers for military operations, the so-called "web-centric warfare", for which intelligence collection management programs were seen as the catalyst. These programs fuse battlefield intelligence information with the national data that they already possess, in order to provide a complete picture to their users.

PRISM was developed by SAIC (formerly Science Applications International Corporation, a company that was also involved in the 2002 TRAILBLAZER program for analyzing network data). The program was originally prototyped and fielded for the US European Command, but is also being used in other military operation areas such as Iraq. Ron Baham was involved in the establishment of PRISM. His LinkedIn profile says that he currently is senior vice president and operations manager at SAIC and that he worked on CMMA PRISM at JDISS from 2000 - 2004, so PRISM might have been developed somewhere between 2000 and early 2002.

On its website, SAIC says that the PRISM application allows theater users, in various functional roles and at different echelons, to synchronize Intelligence, Surveillance and Reconnaissance (ISR) requirements with current military operations and priorities. The application was first developed for use on JWICS, the highly secure intelligence community network, but is now also being used on SIPRNet, the secure internet used by the US military.

Screenshot of the PRISM Input Tool (EEI = Essential Elements of Intelligence)
source: GMTI Utility Analysis for Airborne Assets (pdf)

Other sources clarify that PRISM consists of a web-based interface which connects to PRISM servers, and that it's used by a variety of users, like intelligence collection managers at military headquarters, to request the intelligence information which is needed for operations. These requests are entered in the PRISM interface, which sends them to the PRISM server. From there the request goes to units which collect the raw data. These are processed into intelligence, which then becomes available through the PRISM server.

PRISM is able to manage and prioritize these intelligence collection requirements to ensure that critical intelligence is available to the commander in time during crisis operations. The application integrates these requirements and, with other tools, generates the so-called daily collection deck. PRISM also provides traceability throughout the so-called intelligence cycle, from planning through exploitation to production.

The PRISM application made by SAIC is still widely used. It's mentioned in joint operations manuals from 2012 and in quite a number of job descriptions, like this one from March 2013 for a systems administrator in Doha, Qatar, which says that part of the job is providing on-site and off-site PRISM training and support. US government spending data also show that in 2011 a maintenance contract (worth $1,085,464) for PRISM support services was awarded to SAIC, with options for 2012 and 2013.

Are there two different PRISMs?

So now it looks as if there are two different programs called PRISM: one is a web-based tool for requesting and managing intelligence information from a server that gets input from various intelligence sources. The other is the program which The Guardian says is a top secret electronic surveillance program that collects raw data from the servers of nine major US internet companies.

If the Guardian's claims are true, it's strange that two important intelligence programs apparently have the exact same name. This would certainly not be very likely if "PRISM" were an acronym or a codeword in both cases. But if we assume that one PRISM is an acronym and the other PRISM a codeword, it becomes somewhat more likely.

As we know, the PRISM tool developed by SAIC is an acronym, just as the names of many other military and intelligence software tools are often lengthy acronyms. This leaves the PRISM which was unveiled by The Guardian likely to be a codeword, or, more correctly, a nickname. NSA data collection methods, officially designated by an alphanumerical SIGAD like US-984, can have nicknames which may or may not be classified.

These are different from codenames, which are always classified and often assigned to the intelligence products from the various data collection methods. This can cause some confusion, as "PRISM" perfectly fits in the NSA tradition of using 5-letter codewords for products of sensitive Signals Intelligence programs.

If PRISM had been a classified codename, it should also have been part of the classification line, and the marking should have read TOP SECRET // SI-PRISM // [...] instead of the current TOP SECRET // SI // [...]. This indicates that PRISM isn't a codeword for intelligence from a specific source, but more likely the nickname of a collection method.

This still leaves the question of why in 2007 an apparently new collection program got a nickname which is exactly the same as the already widely used computer application which is going to task this internet data collection method.

A less spectacular PRISM?

Although The Guardian presented PRISM as a method of directly collecting raw data from major internet companies, other sources say that PRISM might well be a much less spectacular internal computer program.

Initially, The Washington Post ran the same story as The Guardian, but revised some of its claims by citing another classified report that describes PRISM as allowing "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations." These words very much resemble the way the PRISM Planning Tool is described.

National security reporter Marc Ambinder describes PRISM as "a kick-ass GUI (Graphical User Interface) that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States" - which also sounds much more like the SAIC application, than like a data dragnet with free access to commercial company servers.

This view was also confirmed by a statement (pdf) of Director of National Intelligence (DNI) James Clapper, which says: "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s [...] collection of foreign intelligence information from electronic communication service providers [...]".

With this statement, Clapper officially confirms the existence of a program called PRISM, and although his description could also fit that of the Planning tool for Resource Integration, Synchronization and Management, he didn't positively identify PRISM as such.

Finally, an anonymous former government official said that The Guardian's reports are "incorrect and appear to be based on a misreading of a leaked Powerpoint document", making journalist Declan McCullagh go one step further by suggesting that PRISM might actually be the same as the web application named Planning Tool for Resource Integration, Synchronization, and Management.

PRISM as an all-source planning tool

Some sources, like a joint operations manual and a number of job descriptions, seem to indicate that the PRISM planning tool is primarily used for geospatial intelligence (GEOINT), which is analysed imagery of the earth as collected by spy planes and satellites.

However, more extensive research has shown that the Planning tool for Resource Integration, Synchronization and Management (PRISM) is not only used for geospatial intelligence, but for fusing intelligence from all sources. Besides GEOINT, sources prove that PRISM is also used for SIGINT (Signals Intelligence), IMINT (Imagery Intelligence) and HUMINT (Human Intelligence), probably through additional modules for each of these sources.

Even the 2006 Geospatial Intelligence Basic Doctrine (pdf) says PRISM is a "web-based application that provides users, at the theater level and below, with the ability to conduct Integrated Collection Management (ICM). Integrates all intelligence discipline assets with all theater requirements."
More specifically, the 2012 Joint and National Intelligence Support to Military Operations manual states that, where applicable, requests for SIGINT support should be entered into approved systems such as PRISM, for approval by a military commander.

In a job description for an Intelligence Training Instructor from 2010 we see a distinction being made between PRISM-IMINT and PRISM-SIGINT, and a LinkedIn profile mentions the IMINT/SIGINT PRISM training in 2006 of someone who was administrator for PRISM, which is described as the system of record USCENTCOM uses for submitting, tracking, and researching theater ISR requirements. In a job description for a SIGINT Collection Management Analyst (by Snowden-employer Booz Allen Hamilton!) experience with PRISM is required too.

A module was also added to PRISM for accessing information from HUMINT (Human Intelligence) sources. Testing of this module was done during the Empire Challenge 2008 exercise. In the daily reports of this exercise we can read, for example, that the Defense Intelligence Agency's HUMINT team loaded "additional data into PRISM HUMINT module for operations on Tuesday morning". From a French report about this exercise we learn that the PRISM HUMINT module was a new application, just like the Humint Online Tasking & Reporting (HOT-R) tool, which runs on SIPRNet.

Are both PRISMs one and the same?

If The Guardian's PRISM really is just a computer system for sending tasking instructions directly to equipment that collects raw data, it is hard to believe that it's different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which has been used for many years to order and manage intelligence from all sources. This would also fit the claims that PRISM is used most in NSA reporting.

If this could be true, and there's only one PRISM program, what about the slides which were disclosed by The Guardian? First of all, as this newspaper is not willing to publish all PRISM-slides, we cannot be sure about what this presentation is really about, but it's possible that it's not about a PRISM which is a nickname of the US-984XN collection method, but about how to gather material from that source by using the PRISM web tool.

More specifically, we can think of a machine-to-machine interface between the PRISM system and dedicated data collection devices at remote locations, like a secure FTP server or an encrypted dropbox at sites of the internet companies. At the PRISM desktop interface this tasking may be done through a separate SIGINT module. As one of the slides says "Complete list and details on PRISM web page: Go PRISMFAA", we can even imagine a module called "PRISM FAA" for requesting intelligence from intercepts of foreign communications under the conditions of the FISA Amendments Act (FAA) from 2008.

By publishing the PRISM slides, The Guardian for the first time revealed evidence about the NSA collecting data from major internet companies. But although this apparently surprised the general public, the practice is hardly new. Spies and later intelligence agencies of all countries have always tried to intercept foreign communications and of course tried to do this with every new way of communication: first letters, later phone calls and nowadays internet-based social media.

Therefore, it can hardly come as a surprise that NSA found ways to intercept those new means of communication too. And whether these interception and collection methods might have nicknames or not, it's very likely that access to their processed output was added to all the other intelligence sources which can be tasked by using the PRISM Planning Tool.

What looks like more of a problem is the fact that in the past, enemies were nation states, which could be targeted by focussing on diplomatic and military communications. Nowadays, with terrorism considered the main enemy, almost every (foreign) citizen could be a potential adversary, which has made intelligence agencies try to search all communications available.

Next time we will discuss more specific details of the Planning tool for Resource Integration, Synchronization and Management (PRISM), as this gives an interesting look at internal intelligence procedures.

Thursday, January 24, 2013


SEOUL, South Korea — North Korea vowed on Thursday to launch more long-range rockets and conduct its third nuclear test, saying that it would build up its capability of striking the United States after the United Nations’s expansion of sanctions against North Korea.

The North’s threat was the boldest challenge its new, untested leader, Kim Jong-un, has posed at his country’s longtime foe, the United States, and its last remaining major ally, China, and rattled governments in Northeast Asia that are undergoing sensitive transitions of power.
In a statement issued through state-run media, the National Defense Commission, the North’s highest governing agency, headed by Mr. Kim, said that “a variety of satellites and long-range rockets which will be launched by the D.P.R.K. one after another and a nuclear test of higher level which will be carried out by it” will be “targeted” at “the U.S., the sworn enemy of the Korean people.”
The statement, which used the acronym for the North’s official name, Democratic People’s Republic of Korea, did not clarify when it would conduct such a test, which would be the first since Mr. Kim came to power after the death of his father, Kim Jong-il, in December 2011.
But citing preparations at the Punggye test site in northeastern North Korea, Army Col. Wi Yong-seob, deputy spokesman of the Defense Ministry of South Korea, said on Thursday, “North Korea can conduct a nuclear test as soon as its leadership makes up its mind.”
North Korea had previously hinted at the possibility of conducting a nuclear test, as its Foreign Ministry did on Wednesday when it issued a scathing statement rejecting a unanimous resolution that the United Nations Security Council adopted on Tuesday. The resolution tightened sanctions and condemned North Korea’s Dec. 12 rocket launching as a violation of earlier resolutions that banned the country from conducting any tests involving ballistic-missile technology.
North Korea has since declared that it would shun any talk on denuclearizing the Korean Peninsula, adding that it would not give up its nuclear weapons until “the denuclearization of the world is realized.”
The North’s statement on Thursday indicated that Mr. Kim, despite recent hints of economic changes and openness in North Korea, was likely to follow the pattern his father established when he ran the country: a cycle of a rocket launching, United Nations condemnation and nuclear testing.
“It’s a major test for Kim Jong-un,” said Koh Yu-hwan, a North Korea specialist at Dongguk University in Seoul. “Unlike the rocket launching in December, which the North has said was conducted because it was his father’s dying wish, a nuclear test will be Kim Jong-un’s decision, one for which he will be held responsible.”
By a “nuclear test of higher level,” North Korea most likely meant that it was seeking the technology of building nuclear warheads small enough to mount on long-range missiles, analysts here said. They said that North Korea could detonate a uranium bomb this time to demonstrate its ability to produce weapons-grade uranium. The North’s two previous nuclear tests, in 2006 and 2009, used some of its limited stockpile of plutonium.
A nuclear test would compel the United States and South Korea to take a tough stance, dispelling hopes that Mr. Kim might use the inaugurations of new government in the countries to open a new path of engagement.
Glyn Davies, Washington’s special envoy on North Korea, warned on Thursday that a nuclear test would be “a mistake and a missed opportunity” for North Korea.
“This is not a moment to increase tensions on the Korean Peninsula,” said Mr. Davies, who was visiting Seoul to coordinate the North Korea policies of President Obama’s second-term administration and the incoming government of President-elect Park Geun-hye in Seoul. From Seoul, Mr. Davies will move on to Beijing and then to Tokyo to continue policy consultations with the new governments there.
President Lee Myung-bak, who will hand over the South Korean presidency to Ms. Park next month, said on Thursday that his “biggest worry” was that North Korea might launch a military provocation in time with the changes of hands in government in Seoul.
On Thursday, the North expressed bitterness at China and Russia’s endorsement of the United Nations resolution, denouncing “those big countries” as “failing to come to their senses.” It said that North Korea’s drive to rebuild its moribund economy and its rocket program, until now billed as a peaceful space project, will now “all orientate toward the purpose of winning in the all-out action for foiling the U.S. and all other hostile forces’ maneuvers.”
“They are making a brigandish assertion that what they launched were satellites but what other country launched was a long-range missile,” the statement said, insisting that North Korea had a sovereign right to test rockets.
Moon Soon-bo, an analyst at the private Sejong Institute, said North Korea’s harsh reaction reflected the pain the isolated regime felt by the new resolution, which expanded the number of ways that countries can interdict and inspect cargo bound for the North.
North Korea said the Unha-3 rocket it launched in December put a scientific satellite into orbit. But Washington said the launching was a cover for testing technology for intercontinental ballistic missiles. After analyzing the debris of the rocket North Korea fired in December to put a satellite into orbit, South Korean officials said North Korea indigenously built crucial components of a missile that can fly more than 6,200 miles.
Analysts speculated on Thursday that North Korea might test launch one of its KN-08 missiles. KN-08, first unveiled during a military parade in the North Korean capital, Pyongyang, in April last year, is the North’s biggest missile deployed yet but has never been flight tested, according to officials in Seoul.