Since
The Guardian first
published about the PRISM data collection program on June 6,
there have been new disclosures of top secret documents almost every day,
resulting in some fierce protests against apparently illegal wiretapping by the
NSA and GCHQ. However, it remains unclear what PRISM actually is or does, as The
Guardian didn't provide any new details or disclosed more than 5 of the 41
presentation slides about the program.
This makes it hard to determine
whether PRISM really is the illegal or at least embarrassing program which most
people now think it is. Especially, because it could even be the hardly secret
Planning tool for Resource Integration, Synchronization and Management (PRISM),
which is a web-based tool to manage information requests widely used by the US
military. Here we will take a closer look at this program and try to determine
whether this could be the same as the PRISM revealed by The Guardian.
Planning tool for Resource Integration,
Synchronization and ManagementThe earliest document which
mentions the Planning tool for Resource Integration, Synchronization and
Management (PRISM) is a
paper (pdf) from July 2002, which was prepared by the MITRE
Corporation Center for Integrated Intelligence Systems. The document describes
the use of web browsers for military operations, the so-called "web-centric
warfare", for which intelligence collection management programs were seen as the
catalyst. These programs fuse battlefield intelligence information with the
national data that they already possess, in order to provide a complete picture
to their users.
PRISM was developed by
SAIC
(formerly Science Applications International Corporation, a company that was
also involved in the 2002
TRAILBLAZER program for analyzing network data). The program
was originally prototyped and fielded for the US European Command, but is also
being used in other military operation areas such as Iraq. Involved in the
establishment of PRISM was Ron Baham. His LinkedIn profile says that he
currently is senior vice president and operations manager at SAIC and that he
worked on CMMA PRISM at JDISS from 2000 - 2004, so PRISM might be developed
somewhere between 2000 and early 2002.
On its
website, SAIC
says that the PRISM application allows theater users, in various functional
roles and at different echelons, to synchronize Intelligence, Surveillance and
Reconnaissance (ISR) requirements with current military operations and
priorities. The application was first developed for use on
JWICS, the highly
secure intelligence community network, but is now also being used on
SIPRNet, the
secure internet used by the US military.
Other sources clarify that PRISM consists of a
web-based interface which connects to PRISM servers, and that it's used by a
variety of users, like intelligence collection managers at military
headquarters, to request the intelligence information which is needed for
operations. These requests are entered in the PRISM interface, which sends them
to the PRISM server. From there the request goes to units which collect the raw
data. These are processed into intelligence, which then becomes available
through the PRISM server.
PRISM is able to manage and prioritize these
intelligence collection requirements to ensure critical intelligence is timely
available to the commander during crisis operations. The application integrates
these requirements and, with other tools, generates the so called daily
collection deck. PRISM also provides traceability throughout the so-called
intelligence cycle, from planning through exploitation to
production.
The PRISM application made by SAIC is still widely used. It's
mentioned in joint operations manuals from 2012 and in quite a number of job
descriptions, like
this one from March 2013 for a systems administator in Doha,
Qatar, which says that part of the job is providing on-site and off-site PRISM
training and support. Also these
US government spending data show that in 2011 a maintaince
contract (worth $ 1.085.464,-) for PRISM support services was awarded to SAIC,
with options for 2012 and 2013.
Are there two different
PRISMs?So now it looks like as if there are two different
programs called PRISM: one is a web-based tool for requesting and managing
intelligence information from a server that gets input from various intelligence
sources. The other is the program from which The Guardian says it's a top secret
electronic surveillance program that collects raw data from the servers of nine
major US internet companies.
If the Guardian's claims are true, it's
strange that two important intelligence programs apparently have the exact same
name. For sure, this would not be very likely, if "PRISM" would be an acronym or
a codeword in
both cases. But if we assume one PRISM being an acronym and
the other PRISM a codeword, it could be somewhat more likely.
As we know,
the PRISM tool developed by SAIC is an acronym, just like the names of many
other military and intelligence software tools are often lengthy
acronyms. This
leaves the PRISM which was unveiled by The Guardian likely to be a codeword, or
more correctly said, a nickname. NSA data collection
methods, officially
designated by an alphanumerical
SIGAD like US-984, can have nicknames which may or may not be
classified.
These are different from codenames, which are always
classified and often assigned to the intelligence
products from the
various data collection methods. This can cause some confusion, as "PRISM"
perfectly fits in the NSA tradition of using 5-letter
codewords
for products of sensitive Signals Intelligence programs.
If PRISM had been a classified codename, it should also have been part
of the classification line, and the marking should have read TOP SECRET //
SI-PRISM // [...] instead of the current TOP SECRET // SI // [...]. This
indicates that PRISM isn't a codeword for intelligence from a specific source,
but more likely the nickname of a collection method.
This still leaves
the question of why in 2007 an apparently new collection program got a nickname
which is exactly the same as the already widely used computer application which
is going to task this internet data collection method.
A less spectacular PRISM?Allthough The Guardian presented
PRISM as a method of directly collecting raw data from major internet companies,
other sources say that PRISM might well be a much less spectacular internal
computer program.
Initially, The Washington Post came with the same
story as The Guardian, but revised some of its claims by
citing another classified report that describes PRISM as allowing "collection
managers [to send] content tasking instructions directly to equipment installed
at company-controlled locations." These words very much resemble the way the
PRISM Planning Tool is described.
National security reporter Marc
Ambinder
describes PRISM as "a kick-ass GUI (Graphical User Interface)
that allows an analyst to look at, collate, monitor, and cross-check different
data types provided to the NSA from Internet companies located inside the United
States" - which also sounds much more like the SAIC application, than like a
data dragnet with free access to commercial company servers.
This view
was also confirmed by a
statement (pdf) of Director of National Intelligence (DNI)
James Clapper, which says: "PRISM is not an undisclosed collection or data
mining program. It is an internal government computer system used to facilitate
the government’s [...] collection of foreign intelligence information from
electronic communication service providers [...]".
With this statement,
Clapper officially confirms the existance of a program called PRISM, and
allthough his description could also fit that of the Planning tool for Resource
Integration, Synchronization and Management, he didn't positively identified
PRISM as such.
Finally, an anonymous former government official told
CNet.com that The Guardian's reports are "incorrect and appear
to be based on a misreading of a leaked Powerpoint document", making journalist
Declan McCullagh go one step further by suggesting that PRISM might be actually
the same as the web application named Planning Tool for Resource Integration,
Synchronization, and Management.
PRISM as an all-source
planning toolSome sources, like a
joint operations manual and a number of job descriptions, seem
to indicate that the PRISM planning tool is primarily used for
geospational
intelligence (GEOINT), which is analysed imagery of the earth as collected
by spy planes and satellites.
However, more extensive research has shown that the
Planning tool for Resource Integration, Synchronization and Management (PRISM)
is not only used for geospatial intelligence, but for fusing intelligence from
all sources. Besides GEOINT, sources prove that PRISM is also used for SIGINT
(Signals Intelligence), IMINT (Imagery Intelligence) and HUMINT (Human
Intelligence), probably through additional modules for each of these
sources.
Even the 2006
Geospatial
Intelligence Basic Doctrine (pdf) says PRISM is a "web-based application
that provides users, at the theater level and below, with the ability to conduct
Integrated Collection Management (ICM). Integrates all intelligence discipline
assets with all theater requirements."
More specifically, the 2012
Joint and National Intelligence Support to Military Operations
manual describes that where applicable, requests for SIGINT support should be
entered into approved systems such as PRISM, for approval by a military
commander.
In a
job
description for an Intelligence Training Instructor from 2010 we see a
distinction being made between PRISM-IMINT and PRISM-SIGINT, and a LinkedIn
profile
mentions the IMINT/SIGINT PRISM training in 2006 of someone
who was administrator for PRISM, which is described as the system of record
USCENTCOM uses for submitting, tracking, and researching theater ISR
requirements. In a
job description for a SIGINT Collection Management Analyst (by
Snowden-employer Booz Allen Hamilton!) experience with PRISM is required
too.
Also a module was added to PRISM for accessing information from
HUMINT (Human Intelligence) sources. Testing of this module was done during the
Empire Challenge 2008 exercise. In the daily reports of this exercise we can
read that for example the Defense Intelligence Agency's HUMINT
team loaded
"additional data into PRISM HUMINT module for operations on
Tuesday morning". From a
French report about this exercise we learn that the PRISM
HUMINT module was a new application, just like the Humint Online Tasking &
Reporting (HOT-R) tool, which runs on SIPRNet.
Are both
PRISMs one and the same?If The Guardian's PRISM really is just a
computer system for sending tasking instructions directly to equipment that
collects raw data, it is hard to believe that it's different from the Planning
tool for Resource Integration, Synchronization and Management (PRISM), which for
many years is used to order and manage intelligence from all sources. This would
also fit claims by which PRISM is most used in NSA reporting.
If this
could be true, and there's only one PRISM program, what about the slides which
were disclosed by The Guardian? First of all, as this newspaper is
not willing to publish all PRISM-slides, we cannot be sure
about what this presentation is really about, but it's possible that it's not
about a PRISM which is a nickname of the US-984XN collection method, but about
how to gather material from that source by using the PRISM web tool.
More specific, we can think of a machine-to-machine interface between
the PRISM system and dedicated data collection devices at remote locations, like
a secure FTP server or an encrypted dropbox at sites of the internet companies.
At the PRISM desktop interface this tasking may be done through a separate
SIGINT module. As one of the slides says:
"Complete list and details on PRISM
web page: Go PRISMFAA" we can even imagine a module called "PRISM FAA" for
requesting intelligence from intercepts of foreign communications under the
conditions of the FISA Amendment Act (FAA) from 2008.
By publishing the
PRISM slides The Guardian for the first time revealed evidence about the NSA
collecting data from major internet companies. But as this apparently surprised
the general public, the practice is hardly new. Spies and later intelligence
agencies of all countries have always tried to intercept foreign communications
and of course tried to do this with every new way of communication: first
letters, later phonecalls and nowadays internet based social
media.
Therefore, it may hardly come as a surprise that NSA also found
ways to intercept those new means of communications too. And whether these
interception and collection methods might have nicknames or not, it's very
likely that access to their processed output was added to all the other
intelligence sources which can be tasked by using the PRISM Planning Tool.
What looks more of a problem, is the fact that in the past, enemies were
nation states, which could be targeted by focussing on diplomatic and military
communications. Nowadays, with terrorism considered as the main enemy, almost
every (foreign) citizen could be a potential adversary, which made intelligence
agencies try to search all communications available.
Next time we
will discuss more specific details of the Planning tool for Resource
Integration, Synchronization and Management (PRISM), as this gives an
interesting look at internal intelligence procedures.