Tuesday, June 25, 2013



 
 
 

June 23, 2013

Is PRISM just a not-so-secret web tool?

 

Since The Guardian first reported on the PRISM data collection program on June 6, there have been new disclosures of top secret documents almost every day, resulting in some fierce protests against apparently illegal wiretapping by the NSA and GCHQ. However, it remains unclear what PRISM actually is or does, as The Guardian didn't provide any new details or disclose more than 5 of the 41 presentation slides about the program.

This makes it hard to determine whether PRISM really is the illegal or at least embarrassing program which most people now think it is, especially because it could even be the hardly secret Planning tool for Resource Integration, Synchronization and Management (PRISM), which is a web-based tool to manage information requests widely used by the US military. Here we will take a closer look at this program and try to determine whether this could be the same as the PRISM revealed by The Guardian.


Planning tool for Resource Integration, Synchronization and Management

The earliest document which mentions the Planning tool for Resource Integration, Synchronization and Management (PRISM) is a paper (pdf) from July 2002, which was prepared by the MITRE Corporation Center for Integrated Intelligence Systems. The document describes the use of web browsers for military operations, the so-called "web-centric warfare", for which intelligence collection management programs were seen as the catalyst. These programs fuse battlefield intelligence information with the national data that they already possess, in order to provide a complete picture to their users.

PRISM was developed by SAIC (formerly Science Applications International Corporation, a company that was also involved in the 2002 TRAILBLAZER program for analyzing network data). The program was originally prototyped and fielded for the US European Command, but is also being used in other military operation areas such as Iraq. Ron Baham was involved in the establishment of PRISM. His LinkedIn profile says that he currently is senior vice president and operations manager at SAIC and that he worked on CMMA PRISM at JDISS from 2000 - 2004, so PRISM might have been developed somewhere between 2000 and early 2002.

On its website, SAIC says that the PRISM application allows theater users, in various functional roles and at different echelons, to synchronize Intelligence, Surveillance and Reconnaissance (ISR) requirements with current military operations and priorities. The application was first developed for use on JWICS, the highly secure intelligence community network, but is now also being used on SIPRNet, the secure internet used by the US military.



Screenshot of the PRISM Input Tool (EEI = Essential Elements of Intelligence)
source: GMTI Utility Analysis for Airborne Assets (pdf)


Other sources clarify that PRISM consists of a web-based interface which connects to PRISM servers, and that it's used by a variety of users, like intelligence collection managers at military headquarters, to request the intelligence information which is needed for operations. These requests are entered in the PRISM interface, which sends them to the PRISM server. From there the request goes to units which collect the raw data. These are processed into intelligence, which then becomes available through the PRISM server.

PRISM is able to manage and prioritize these intelligence collection requirements to ensure critical intelligence is available in time to the commander during crisis operations. The application integrates these requirements and, with other tools, generates the so-called daily collection deck. PRISM also provides traceability throughout the so-called intelligence cycle, from planning through exploitation to production.

The PRISM application made by SAIC is still widely used. It's mentioned in joint operations manuals from 2012 and in quite a number of job descriptions, like this one from March 2013 for a systems administrator in Doha, Qatar, which says that part of the job is providing on-site and off-site PRISM training and support. These US government spending data also show that in 2011 a maintenance contract (worth $1,085,464) for PRISM support services was awarded to SAIC, with options for 2012 and 2013.


Are there two different PRISMs?

So now it looks as if there are two different programs called PRISM: one is a web-based tool for requesting and managing intelligence information from a server that gets input from various intelligence sources. The other is the program which The Guardian says is a top secret electronic surveillance program that collects raw data from the servers of nine major US internet companies.

If The Guardian's claims are true, it's strange that two important intelligence programs apparently have the exact same name. This would certainly not be very likely if "PRISM" were an acronym or a codeword in both cases. But if we assume that one PRISM is an acronym and the other PRISM a codeword, it could be somewhat more likely.

As we know, the name of the PRISM tool developed by SAIC is an acronym, just as the names of many other military and intelligence software tools are often lengthy acronyms. This leaves the PRISM which was unveiled by The Guardian likely to be a codeword, or more precisely, a nickname. NSA data collection methods, officially designated by an alphanumerical SIGAD like US-984, can have nicknames which may or may not be classified.

These are different from codenames, which are always classified and often assigned to the intelligence products from the various data collection methods. This can cause some confusion, as "PRISM" perfectly fits in the NSA tradition of using 5-letter codewords for products of sensitive Signals Intelligence programs.


If PRISM had been a classified codename, it should also have been part of the classification line, and the marking should have read TOP SECRET // SI-PRISM // [...] instead of the current TOP SECRET // SI // [...]. This indicates that PRISM isn't a codeword for intelligence from a specific source, but more likely the nickname of a collection method.

This still leaves the question of why in 2007 an apparently new collection program got a nickname which is exactly the same as the already widely used computer application which is going to task this internet data collection method.


A less spectacular PRISM?

Although The Guardian presented PRISM as a method of directly collecting raw data from major internet companies, other sources say that PRISM might well be a much less spectacular internal computer program.

Initially, The Washington Post came out with the same story as The Guardian, but revised some of its claims by citing another classified report that describes PRISM as allowing "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations." These words very much resemble the way the PRISM Planning Tool is described.

National security reporter Marc Ambinder describes PRISM as "a kick-ass GUI (Graphical User Interface) that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States" - which also sounds much more like the SAIC application, than like a data dragnet with free access to commercial company servers.

This view was also confirmed by a statement (pdf) of Director of National Intelligence (DNI) James Clapper, which says: "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s [...] collection of foreign intelligence information from electronic communication service providers [...]".

With this statement, Clapper officially confirms the existence of a program called PRISM, and although his description could also fit that of the Planning tool for Resource Integration, Synchronization and Management, he didn't positively identify PRISM as such.

Finally, an anonymous former government official told CNet.com that The Guardian's reports are "incorrect and appear to be based on a misreading of a leaked Powerpoint document", making journalist Declan McCullagh go one step further by suggesting that PRISM might actually be the same as the web application named Planning Tool for Resource Integration, Synchronization, and Management.


PRISM as an all-source planning tool

Some sources, like a joint operations manual and a number of job descriptions, seem to indicate that the PRISM planning tool is primarily used for geospatial intelligence (GEOINT), which is analysed imagery of the earth as collected by spy planes and satellites.


However, more extensive research has shown that the Planning tool for Resource Integration, Synchronization and Management (PRISM) is not only used for geospatial intelligence, but for fusing intelligence from all sources. Besides GEOINT, sources prove that PRISM is also used for SIGINT (Signals Intelligence), IMINT (Imagery Intelligence) and HUMINT (Human Intelligence), probably through additional modules for each of these sources.

Even the 2006 Geospatial Intelligence Basic Doctrine (pdf) says PRISM is a "web-based application that provides users, at the theater level and below, with the ability to conduct Integrated Collection Management (ICM). Integrates all intelligence discipline assets with all theater requirements."
More specifically, the 2012 Joint and National Intelligence Support to Military Operations manual states that, where applicable, requests for SIGINT support should be entered into approved systems such as PRISM, for approval by a military commander.

In a job description for an Intelligence Training Instructor from 2010 we see a distinction being made between PRISM-IMINT and PRISM-SIGINT, and a LinkedIn profile mentions the IMINT/SIGINT PRISM training in 2006 of someone who was administrator for PRISM, which is described as the system of record USCENTCOM uses for submitting, tracking, and researching theater ISR requirements. In a job description for a SIGINT Collection Management Analyst (by Snowden-employer Booz Allen Hamilton!) experience with PRISM is required too.

A module was also added to PRISM for accessing information from HUMINT (Human Intelligence) sources. Testing of this module was done during the Empire Challenge 2008 exercise. In the daily reports of this exercise we can read that, for example, the Defense Intelligence Agency's HUMINT team loaded "additional data into PRISM HUMINT module for operations on Tuesday morning". From a French report about this exercise we learn that the PRISM HUMINT module was a new application, just like the Humint Online Tasking & Reporting (HOT-R) tool, which runs on SIPRNet.


Are both PRISMs one and the same?

If The Guardian's PRISM really is just a computer system for sending tasking instructions directly to equipment that collects raw data, it is hard to believe that it's different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which has been used for many years to order and manage intelligence from all sources. This would also fit the claims that PRISM is most used in NSA reporting.

If this is true, and there's only one PRISM program, what about the slides which were disclosed by The Guardian? First of all, as this newspaper is not willing to publish all PRISM slides, we cannot be sure what this presentation is really about, but it's possible that it's not about a PRISM which is a nickname of the US-984XN collection method, but about how to gather material from that source by using the PRISM web tool.

More specifically, we can think of a machine-to-machine interface between the PRISM system and dedicated data collection devices at remote locations, like a secure FTP server or an encrypted dropbox at sites of the internet companies. At the PRISM desktop interface this tasking may be done through a separate SIGINT module. As one of the slides says "Complete list and details on PRISM web page: Go PRISMFAA", we can even imagine a module called "PRISM FAA" for requesting intelligence from intercepts of foreign communications under the conditions of the FISA Amendments Act (FAA) from 2008.

By publishing the PRISM slides, The Guardian for the first time revealed evidence about the NSA collecting data from major internet companies. But although this apparently surprised the general public, the practice is hardly new. Spies and later intelligence agencies of all countries have always tried to intercept foreign communications and of course tried to do this with every new way of communication: first letters, later phone calls and nowadays internet-based social media.

Therefore, it may hardly come as a surprise that NSA found ways to intercept those new means of communication too. And whether or not these interception and collection methods have nicknames, it's very likely that access to their processed output was added to all the other intelligence sources which can be tasked by using the PRISM Planning Tool.

What looks like more of a problem is the fact that in the past, enemies were nation states, which could be targeted by focussing on diplomatic and military communications. Nowadays, with terrorism considered the main enemy, almost every (foreign) citizen could be a potential adversary, which has made intelligence agencies try to search all communications available.


Next time we will discuss more specific details of the Planning tool for Resource Integration, Synchronization and Management (PRISM), as this gives an interesting look at internal intelligence procedures.