September 29, 2014

NSA's Strategic Mission List

(Updated: February 9, 2016)

One of the most important documents that has been disclosed as part of the Snowden-leaks is also one of the least-known: the Strategic Mission List from January 2007, which provides a detailed list of the goals and priorities for the National Security Agency (NSA).

This Strategic Mission List was published by The New York Times on November 2, 2013, as one of three original NSA documents that accompanied a long report about the how NSA spies on both enemies and allies.



> The Strategic Mission List in .pdf-format

About the publication

On the website of The New York Times (NYT), the Strategic Mission List was published as a series of images in png-format, which made it impossible to copy or search the text. It was also difficult to print the document in a readable way. For reasons unknown, NYT is the only media-outlet that published Snowden-documents in this not very user-friendly way.

Hence I asked The New York Times whether they could provide the Strategic Mission List in the standard pdf-format, but the paper didn't reply. I also asked the author of the report, Scott Shane, but he answered that he had no access to the document anymore.

Eventually I used an Optical Character Recognition (OCR) tool to convert the images from the NYT website into a text document, conducted the necessary corrections by hand and then converted the result into the pdf-document, that is now published here and on the Cryptome website.


The Strategic Mission List

Edward Snowden and Glenn Greenwald claim that NSA has just one single goal: collect all digital communications from all over the world: "Collect it All". But this is not mentioned in the Strategic Mission List, which instead lists a range of far more specific goals, many of which are of a military nature, which is also something that lacks in the media-coverage of the Snowden-leaks.

The document describes the priorities and risks for the United States SIGINT System (USSS) for a period of 12 to 18 months and is reviewed, and where necessary updated bi-annually. The topics are derived from a number of other strategic planning documents, including the National Intelligence Priorities Framework (NIPF), which sets the priorities for the US Intelligence Community as a whole.

Note that according to the classification marking, the Strategic Mission List is only authorized for release to the US, the UK, Canada and Australia, which leaves New Zealand excluded.


Structure

The Strategic Mission List is divided into two parts. The first part includes 16 Topical Missions, which represent missions discerned to be areas of highest priority for the USSS, where SIGINT can make key contributions. The second part includes 6 Enduring Targets, which are countries that need to be treated holistically because of their strategic importance.

For both of these sections, the Strategic Mission List includes Focus Areas, the most critical important targets which are a "must do", as well as Accepted Risks, which are significant targets for which SIGINT should not be relied upon as a primary source.


Enduring Targets

The 6 countries that are listed in the Strategic Mission List as being Enduring Targets for NSA and the tactical SIGINT collecting components of the US Armed Forces are:
- China
- North-Korea
- Iraq
- Iran
- Russia
- Venezuela



Map showing the 6 nations that are Enduring Targets, as well
as countries that are 2nd and 3rd Party partners of NSA
(click to enlarge)


Topical Missions

Besides the 6 countries listed as Enduring Targets, the Strategic Mission List also includes the following 16 Topical Missions:

- Winning the Global War on Terrorism
- Protecting the U.S. Homeland
- Combating Proliferation of Weapons of Mass Destruction
- Protecting U.S. Military Forces Deployed Overseas
- Providing Warning of Impending State Instability
- Providing Warning of a Strategic Nuclear Missile Attack
- Monitoring Regional Tensions that Could Escalate
- Preventing an Attack on U.S. Critical Information Systems
- Early Detection of Critical Foreign Military Developments
- Preventing Technological Surprise
- Ensuring Diplomatic Advantage for the U.S.
- Ensuring a Steady and Reliable Energy Supply for the U.S.
- Countering Foreign Intelligence Threats
- Countering Narcotics and Transnational Criminal Networks
- Mapping Foreign Military and Civil Communications Infrastructure

We see that many of these topics are of a military nature and that also the more civilian areas of interest are quite common goals for a large (signal) intelligence agency. Although communications of ordinary civilians are accidently caught up in NSA's collection efforts, they are clearly not of interest let alone given priority.

Updates:

In January 2016, DNI James Clapper said that "in 2013, 'cyber' bumped 'terrorism' out of the top spot on our list of national threats".

Also early 2016, NSA started an internal reorganization whereby the four main goals for the organization were described as:
- Thwarting terrorists
- Enhancing cybersecurity
- Protecting the warfighter
- Containing, controlling, and protecting strategic weapons


September 15, 2014

About STELLARWIND and other mysterious classification markings

(Updated: May 16, 2015)

Last week, on September 6, the US Justice Department released a declassified version of a 2004 memorandum about the STELLARWIND program.

The memorandum (pdf) is about the legality of STELLARWIND, which was a program under which NSA was authorized to collect content and metadata without the warrants that were needed previously.

Here we will not discuss the STELLARWIND program itself, but take a close look at the STELLARWIND classification marking, which causes some confusion. Also we learn about the existance of mysterious compartments that point to some highly sensitive but yet undisclosed interception programs.




Classification marking of the 2004 DoJ memorandum about STELLARWIND


The redacted markings

The first thing we see is that two portions of the classification marking have been blacked out:


1. The redacted space beween two double slashes

This is very strange, because according to the official classification manuals, there cannot be something between two double slashes in that position (see the chart below). The classification level (in this case: Top Secret) has to be followed by the Sensitive Compartmented Information (SCI) control system (here: COMINT).

But as the US classification system is very complex, there are often minor mistakes in such classification lines. If we assume there was a mistake made here too, then the first term that has been blacked out could be another SCI compartment, which had to be followed by just a single slash (for example HCS for HUMINT Control System would fit the redacted space, although that marking itself isn't classified).

If there was no mistake, however, and the double slash is actually correct, then it would be a complete new category which isn't in the (public) classification manuals. This reminds of the UMBRA marking, which also appeared unexpectedly between double slashes in a classification line.



Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013
(click to enlarge)



2. The redacted space directly after STELLARWIND

The second redaction starts right after the last letter of "STELLARWIND", thereby carefully hiding the category of the redacted marking, which is determined by how it is separated from the previous term. This could be by a slash, a double slash, a hyphen or a space, each indicating a different level.

In this case, the most likely option is that "STELLARWIND" is followed by a hyphen, which indicates the next term is another compartment under the COMINT control system, equal to STELLARWIND.

Classification manuals say there are undisclosed COMINT compartments which have identifiers consisting of three alphabetical characters. This would fit the redacted space as it would read like: "COMINT-STELLARWIND-ABC".

This undisclosed compartment probably also figured in some other declassified documents, where it sometimes seems to be accompanied by a sub-compartment which is identified by three numeric characters, like for example in this and this declaration where the marking could read like "COMINT-ABC 678":



Classified declaration of NSA director Alexander, April 20, 2007.


Looking at what was redacted in portions of both documents which were marked with this mysterious compartment, it seems that it's about at least two highly sensitive intelligence sources and methods. For example, pages 31-32 of this declaration (pdf) suggest that this might be obtaining metadata from specific telecom companies and search them for members or agents of particular target groups.



Classified declaration of Director of National Intelligence John Negroponte, May 12, 2006
TSP = Terrorist Surveillance Program; HCS = HUMINT Control System
Note that TSP and HCS are also between double slashes
(click to open the full document in pdf)


Markings with the mysterious undisclosed COMINT compartments weren't found on any of the Snowden-documents, but only on those that were declassified by the government, so it seems that Snowden had no access to information protected by these particular compartments.

The marking TSP (for Terrorist Surveillance Program), which is in some of the examples shown above, was used instead of STELLARWIND in briefing materials and documents intended for external audiences, such as Congress and the courts.



The STELLARWIND marking

So far, we looked at the two parts of the classification marking that were blacked out. But now we also have to look at the STELLARWIND marking itself, which wasn't redacted, but still causes confusion.

The classification marking of the 2004 memorandum of the Justice Department says "COMINT-STELLAR WIND" and according to the official formatting rules, this means that STELLARWIND would be part of the COMINT control system.

Note that the same memorandum had already been declassified upon a FOIA request by the ACLU in 2011, but in that version (pdf) the codeword STELLARWIND was still blacked out from the whole document. Both documents are compared here.



Classification marking of the 2004 DoJ memorandum about STELLARWIND


As COMINT is a control system for communications intercepts or Signals Intelligence, this seems to make sense. But what is confusing, is that the internal 2009 NSA classification guide (pdf) for the STELLARWIND program, which was disclosed by Edward Snowden, says something different.

Initially this guide calls STELLARWIND a "special compartment", but from the marking rules it becomes clear that it is treated as an SCI control system. Accordingly, the prescribed abbreviated marking reads: "TOP SECRET // STLW / SI // ORCON / NOFORN". In this way we can see STELLARWIND in the classification line of the following document:



Classification marking of a 2013 classified declaration (pdf) of DNI James Clapper
which was declassified on May 6, 2014
(click to enlarge)


In this document and also in a similar declaration (pdf) from 2013, the reason for the STELLARWIND classification is explained as follows:
"This declaration also contains information related to or derived from the STELLARWIND program, a controlled access signals intelligence program under presidential authorization in response to the attacks of September 11, 2001. In this declaration, information pertaining to the STELLARWIND program is denoted with the special marking "STLW" and requires more restrictive handling."


STELLARWIND is also being treated as a control system in the 2009 draft report about this program written by the NSA Inspector General, although its classification line is also somewhat sloppy: there are double slashes between STLW and COMINT (should just be a single one), and only a single one between COMINT and ORCON (where there should have been double slashes as both are from different categories):



Classification marking of the 2009 report about
STELLARWIND by the NSA Inspector General
(click to read the full document)


Throughout this document, the portion markings are also not always consistent. Most of them are "TS//SI//STLW//NF", but one or two times "TS//SI-STLW//NF". But as this report is a draft, it's possible that these things have been corrected in the final version, which hasn't been disclosed or declassified yet.

The 2009 Inspector General report about STELLARWIND was one of the first documents from the Snowden-leaks to be published, and it still is one of the most informative and detailed pieces about the development of NSA's interception efforts since 9/11.


Conclusion

In the end, it doesn't make much difference whether STELLARWIND is a control system on its own, or a sub-system of COMINT, but it is remarkable that for such an important program, the people involved apparently also weren't clear about it's exact status and how to put it in the right place of a classification line.

More important though is that the declassified documents show that besides the STELLARWIND program, there's at least one COMINT-compartment with at least one sub-compartment that protect similar or related NSA collection efforts which are considered even more sensitive, but about which we can only speculate.

 
UPDATE:

On April 24, 2015, the US government declassified a 2009 report by five Inspectors General about the STELLARWIND program, after a FOIA request by The New York Times. This report, which is over 700 pages long, has the overall classification "TOP SECRET // STLW // HCS / COMINT // ORCON / NOFORN":


The overall classification marking of the 2009 Inspectors General report
about STELLARWIND, with underneath the classification line and the
header of the report of the NSA Inspector General

Included in this report is the final version of the report of the NSA Inspector General, the draft version of which we discussed above. We see that in this final version, the classification line has been corrected: there's now a double slash between COMINT and ORCON, just like it should be.

This also means that the double slash between STLW and COMINT, which initially looked like a mistake, must be correct. We also see this double slash in the overall classification marking for the entire report (which has the additional HCS (HUMINT Control System) for information from the CIA).

Apparently STELLARWIND (STLW) was not an ordinary SCI control system (then there would have been only a single slash between STLW and COMINT), but a category on its own, or belongs to a category not mentioned in the publicly available government classification marking guides.

Update #2:
In a speech on May 15, 2015, former NSA Inspector General Joel Brenner said that STELLAR WIND "was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington" - which could maybe an explanation for the fact the program was or became a classification category on its own.


September 4, 2014

NSA's Foreign Partnerships

(Updated: September 19, 2017)

For fulfilling its task of gathering foreign signals intelligence, the National Security Agency (NSA) is cooperating with partner agencies from over 35 countries all over the world.

These relationships are based upon secret bilateral agreements, but there are also some select groups in which intelligence information is shared on a multilateral basis, like the SIGINT Seniors Europe (SSEUR), the SIGINT Seniors Pacific (SSPAC) and the Afghanistan SIGINT Coalition (AFSC).

Until recently, very little was known about these foreign relationships, but the Snowden-leaks have revealed the names of all the countries that are cooperating with NSA. This made it possible to create the following graphic, which also shows various multilateral intelligence exchange groups, which will be discussed here too.





Nations with 2nd and 3rd Party status and those who are
members of the SIGINT Seniors Europe (SSEUR) and NATO
(click to enlarge)

 

2nd Party Partners

The closest cooperation is between NSA and the signals intelligence agencies of the United Kingdom, Canada, Australia and New Zealand. Formally this is based upon a range of bilateral agreements, the first being the BRUSA (now known as UKUSA) Agreement on communications intelligence cooperation from March 5, 1946. Since 1993 this group has a multilateral character, which means partners can exchange information among the other members too (as far as there's a "need to know")

The five partners under the UKUSA-agreement, commonly called the Five Eyes, agreed that they would follow common procedures for operations and reporting, and also use the same target identification systems, equipment, methods and source designations. They would not only share end reports and analyses, but also most of the raw data they collect.

As a kind of gentlemen's agreement it is supposed that the Five Eyes countries are not spying on each other, although some of the documents from the Snowden-leaks show that at least NSA secretly keeps that option open.



Since

1946
1946
1949
1953
1953
 
Five Eyes
(FVEY)

United States
United Kingdom
Canada
Australia
New Zealand
 
Four Eyes
(ACGU)

United States
United Kingdom
Canada
Australia

 
Three Eyes
(TEYE)

United States
United Kingdom

Australia



Despite the very close and longstanding relationship between the Five Eyes partners, two sub-groups have been formed for specific military operations in which not all five partners participate. These sub-groups are designated Four Eyes (abbreviation for classification purposes: ACGU) and Three Eyes (TEYE).

> More about The 5, 4 and 3 Eyes

Cable tapping

The 2nd Party countries are cooperating in many ways, one of which is in cable tapping operations. The NSA umbrella program for this is codenamed WINDSTOP. According to NSA's Foreign Partner Access budget for 2013 WINDSTOP involves primarily Britain, but also Canada, Australia and New Zealand and focusses on access to (mainly internet) "communications into and out of Europe and the Middle East" through an integrated and overarching collection system.


Representatives

For maintaining these extensive relationships, NSA has liaison units in the Second Party countries. These are called Special US Liaison Offices (SUSLO), followed by the name of the nation's capital. In 2003, there were three:
- Special US Liaison Office, London (SUSLOL, with liaison officers at GCHQ in Cheltenham)
- Special US Liaison Office, Ottawa (SUSLOO)
- Special US Liaison Office, Canberra (SUSLOC, which also handled dealings with New Zealand)

Likewise, the SIGINT agencies from the other Five Eyes countries have a senior representative at NSA headquarters. In 2003, these were called:
- Senior UK Liaison Office (SUKLO)
- Canadian Liaison Office (CANSLO)
- Australian Liaison Office (AUSLO)
- New Zealand Liaison Office (NZLO)




Slide from an NSA presentation titled 'Foreign Partner Review' from
fiscal year 2013, showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 13, 2014.

 

3rd Party Partners

One step below the 2nd Party partnerships, there's cooperation between NSA and (signals) intelligence agencies from countries who are called 3rd Party partners. This is based upon formal agreements, but the actual scope of the relationship can vary from country to country and from time to time. Details about the cooperation between two countries are laid down in Memorandums of Understanding (MoU).

For the US, this kind of cooperation is useful because foreign agencies can have better access to high-priority targets because of their geographic location, or they could have a specific expertise on certain areas, or just simply because they have a better knowledge of the local situation and language.

The foreign partner agencies are mostly interested in American technology, money and access to the worldwide interception capabilities of NSA and its Five Eyes partners. This makes these 3rd Party partnerships especially attractive for smaller countries, for whom it means a sometimes substantial increase of their otherwise limited capabilities.

One big difference with the countries from the 2nd Party category is that 3rd Party partners do spy upon each other, and many of the Snowden-documents have shown this. From these documents we also learned that in 2013, there were 33 countries with 3rd Party status:



since






1954



1962










2005?
1954







1954




1949

 
CNO
(19 countries)


Austria
Belgium

Czech Republic
Denmark



Germany
Greece
Hungary
Iceland


Italy
Japan

Luxemburg

Netherlands
Norway

Poland



South Korea
Spain
Sweden
Switzerland



Turkey

 
3rd Parties
(33 countries)

Algeria
Austria
Belgium
Croatia
Czech Republic
Denmark
Ethiopia
Finland
France
Germany
Greece
Hungary

India
Israel
Italy
Japan
Jordan

Macedonia
Netherlands
Norway
Pakistan
Poland
Romania
Saudi Arabia
Singapore
South Korea
Spain
Sweden

Taiwan
Thailand
Tunisia
Turkey
UAE
 
SSEUR
(14-Eyes)



Belgium


Denmark


France
Germany





Italy




Netherlands
Norway






Spain
Sweden






 
SSPAC
(10-Eyes)









France




India












Singapore
South Korea




Thailand






The countries in the column under "CNO" are from a list which is in an undated NSA document about collaboration regarding Computer Network Operations (CNO). The document was first published on October 30, 2013 by the Spanish paper El Mundo and classifies cooperation on four different levels, which was also explained by The Guardian.

The first level is called "Tier A - Comprehensive Cooperation", which comprises Britain, Australia, Canada and New Zealand. A second group, called "Tier B - Focused Cooperation" includes the 19 mostly European countries listed above. A third group of "Limited cooperation" consists of countries such as France, Israel, India and Pakistan, and finally a fourth group is about "Exceptional Cooperation" with countries that the US considers to be hostile to its interests.

In May 2014, the list with the "Tier A" and "Tier B" countries was also published in Greenwald's book No Place To Hide, where he ignores the fact that the document was about CNO cooperation and simply assumes that the "Tier B" countries are the same as those with 3rd Party status.*



Map showing the 2nd Party and 3rd Party partners of NSA
(click to enlarge)


Cable tapping

NSA cooperates with the 3rd Party countries in many ways, one of which is in cable tapping operations. The NSA umbrella program for this is codenamed RAMPART-A. According to NSA's Foreign Partner Access budget for 2013, RAMPART-A provides access to long-haul international leased communications, with TURMOIL capabilities, and over 3 terabit/second of data from all "communication technologies such as voice, fax, telex, modem, e-mail internet chat, Virtual Private Network (VPN), Voice over IP (VoIP), and voice call records".


Representatives

The representatives of NSA in major Third Party countries are called Special US Liaison Advisor (SUSLA), followed by the name of the country. So for example the NSA representative in Germany is the Special US Liaison Advisor, Germany (SUSLAG).

The office staff of such an advisor is called the Special US Liaison Activity (also abbreviated as SUSLA), and for example the SUSLA Germany had 18 personnel (12 civilians and 6 contractors) in 2012, a number which was to be reduced to 6 in 2013.*

The Special US Liaison Activity Japan (SUSLAJ) is led by a Chief and was originally located at Hardy Barracks under the cover name "5th Air Force Technical Liaison Office." In 2007 a new satellite office was opened in the US embassy in Tokyo, which is referred to as the "DoD Special Representative Japan-Tokyo" in unclassified channels. SUSLAJ's main facilities are on Yokota Air Base.

It is not clear whether the various Third Party agencies also have a representative at NSA headquarters and if so, what their title is.


Foreign Affairs Directorate

At NSA these foreign relationships are managed by the Foreign Affairs Directorate (FAD), which has a Country Desk Officer (CDO) for every country or region that matters. For matters related to Second Party partnerships there's the FAD has the Second Party Affairs Office (DP11) consisting of five officers based at Fort Meade.


 
Multilateral groups

Although the Third Party relationships are strictly bilateral, some of these countries have also worked very close with each other for a long time. This has been formalized into a few multilateral groups in which intelligence is exchanged not only between one particular country and the US, but also among all other participants. Besides NATO, the following three SIGINT sharing groups are known:


SIGINT Seniors Europe (SSEUR)

This group consists of the Five Eyes and nine European countries: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden. Except for Sweden, all are NATO members. After the number of countries, the SSEUR are also called 14-Eyes.

The "Seniors" refers to the heads of the participating military or signals intelligence agencies, who in this group coordinate the exchange of military intelligence according to the needs of each member.

A BND document mentions that in February 2014, there was a conference of the leaders of the "core group" of the SSEUR, but it wasn't mentioned which countries are part of that core group.

There's also a SIGINT Seniors Europe Counter Terrorism (SISECT) coalition* which organizes a semi-annual conference* and in 2013, NSA encouraged GCHQ to host the permanent facility for the joint SSEUR collaboration center.*

> More about the SIGINT Seniors Europe
Updates:

A new multilateral intelligence sharing group seems to be the SIGINT Support to Cyber Defense (SSCD) initiative, which consists of a number of countries that together establish an early-warning system to defend themselves against cyber attacks. Its existance was first mentioned on May 8, 2014 in a speech by president Schindler of the German intelligence service BND, which is also cooperating in this SSCD framework. SSCD will use traditional SIGINT methods to inspect data packets for things like malicious code so these can be eliminated pro-actively.

From a document dated July 23, 2013 from the German parliamentary inquiry commission, which was published by Wikileaks on December 1, 2016, we learn that "within the SSCD-working group of an international SIGINT coalition, BND exchanges information about the international detection of cyber attacks." This international SIGINT coalition is most likely the SSEUR or 14-Eyes group, which means the SSCD-cooperation that Schindler mentioned in his speech seems to be an SSEUR sub-group similar to the SISECT.


SIGINT Seniors Pacific (SSPAC)

There's a similar group for multilateral exchange of military intelligence among some 3rd party nations from the East Asia/Pacific Rim region. Besides the members of the Five Eyes, the SIGINT Seniors Pacific include Singapore, South Korea and most likely Japan and Thailand. Probably one other country is participating too, making this group also being identified as the 10-Eyes.
Update:
An NSA document disclosed by The New Zealand Herald on March 11, 2015 says that the SSPAC consists of the Five Eyes plus France, India, (South) Korea, Singapore and Thailand.
> More about the The 6, 8 and 10 Eyes

Afghanistan SIGINT Coalition (AFSC)

According to an NSA paper from 2013, this group consists of the same 14 countries as the SSEUR and is aimed at sharing Afghanistan-related intelligence reports and metadata among its participants. At the time of the paper, each AFSC-member was responsible for covering a specific area of interest, maybe corresponding to the region in Afghanistan where they had troops deployed.

Snowden and Greenwald agreed not to publish about NSA's involvement in Afghanistan, but the German book about the Snowden-leaks, Der NSA Komplex, reveals that the 14 AFSC-members cooperated closely in decrypting and analysing mobile communications and have a dedicated data center codenamed CENTER ICE for exchanging this kind of intelligence.*

This makes it likely that much of the metadata that various European countries shared with the US, mistakenly presented by Glenn Greenwald as NSA spying on European citizens, was collected as part of this Afghanistan SIGINT Coalition.




Links and Sources
- Stratfor.com: Five Eyes and the Perils of an Asymmetric Alliance
- NSA document about Foreign Relations Mission Titles
- About Canada and the Five Eyes Intelligence Community (pdf)
- Duncan Campbell, Echelon and its role in COMINT
- Declassified NSA paper about Third Party Nations: Partners and Targets