The Big Brother on Menwith Hill
It started with Enigma
Germany had developed the first prototypes of Enigma encrypting machines since the end of the World War I. Initially meant for civilian purposes, they started to be developed for military applications since around 1925. To break German codes, a large team was put together of British cryptanalysts, mathematicians, crossword and chess enthusiasts and various others and assigned to the manor of Bletchley Park near London.
At the height of its days, it consisted of as much as about 10 000 people. According to the Daily Telegraph, in one instance, the ability to solve The Daily Telegraph crossword in under 12 minutes was used as a recruitment test. The newspaper was asked to organise a crossword competition, after which each of the successful participants was contacted and asked if they would be prepared to undertake "a particular type of work as a contribution to the war effort".
The team, led by the famous mathematician Alan Turing, succeeded in breaking the Enigma codes in 1943 (using a number of electromechanical devices - the best known of which is probably the Colossus - which were arguably among the first modern computers). The effort called ULTRA had a substantial influence on the war - it has been suggested that without breaking the German codes, the war in Europe had lasted for two more years.
Actually, while the effort of British cryptanalysts in Bletchley Park is well known, the work in Poland before the war is much less recognized. By 1939, the Poles led by mathematician Marian Rejewski were able to read most of the encrypted texts - sharing the information with Brits in 1939 (and 3 key persons escaping to the French resistance movement) played a large part in overall success. And the final key was salvaging the code books from German submarine U559 which was discovered and forced to surface in Eastern Mediterranean Sea.
At the end of the war, much of the equipment used and its blueprints were destroyed. Although thousands of people were involved in the decoding efforts, the participants remained silent for decades about what they had done during the war, and it was only in the 1970s that the work at Bletchley Park was revealed to the general public. The manor was opened to the public as a museum in 1993.
From the Quadripartite Agreement to ECHELON
In 1947, four English-speaking countries - the United States, the United Kingdom, Australia (together with New Zealand) and Canada - signed a secret treaty (some sources suggest that even Prime Ministers were kept unaware) about sharing intelligence data. The treaty has also been known as UKUSA (UK plus USA). As such, it was beneficial for the smaller (in terms of intelligence resources) partners who did not have comparable intelligence systems with the UK and the US. The treaty allowed sharing of raw intelligence data, but analysis and conclusions were made separately by each state, which sometimes led to contradictory results based on the same data. Under the terms of the agreement, the five nations carved up the earth into five spheres of influence, and each country was assigned particular signals intelligence targets (e.g. Britain was responsible for intercepting the Chinese, through its Hong Kong listening post, while the US was given other responsibilities to cover from its listening posts in Taiwan, Japan and Korea).
While the details of the treaty remain largely unknown to the public, it has been suggested that the infamous bypass system for the gentlemanly ban on domestic spying (a state would not spy after its own subjects at home) was born already with this treaty. A former employee of Canadian CSE (Communication Security Establishment) Mike Frost wrote a book titled Spyworld in 1994 which also has an account of Canadian agents snooping after Brits (see a review of the book by Bob Leonard.
According to the treaty, Britain's zone included Africa and Europe, east to the Ural Mountains of the former USSR; Canada covered northern latitudes and polar regions; Australia covered Oceania. The agreement prescribed common procedures, targets, equipment and methods that the sigint agencies would use. Among them were international regulations for sigint security , which required that before anyone was admitted to knowledge of the arrangements for obtaining and handling sigint, they must first undertake a lifelong commitment to secrecy. Every individual joining a UKUSA sigint organisation must be "indoctrinated" and, often "re-indoctrinated" each time they are admitted to knowledge of a specific project. They are told only what they "need to know", and that the need for total secrecy about their work "never ceases".
More history here
The Intelligence cycle
(The material below is summarized from the 1999 EP report Development of Surveillance Technology & Risk of Abuse of Economic Information)
- Planning, requirements & direction
- Collection (access & interception)
- Analysis & processing
- go back to 1.
Planning starts with determining customer requirements. In this case, customers may include major ministries of the sponsoring government – notably those concerned with defence, foreign affairs, security, trade and home affairs. The overall management of Comint involves the identification of requirements for data as well as translating requirements into potentially achievable tasks, prioritising, arranging analysis and reporting, and monitoring the quality of Comint product.
Once targets have been selected, specific existing or new collection capabilities may be tasked, based on the type of information required, the susceptibility of the targeted activity to collection, and the likely effectiveness of collection.
Access and collection
The first essential step is access to the desired communications medium so that communications may be intercepted. Historically, where long-range radio communications were used, this task was simple; however, some important modern communications systems are not "Comint friendly". The physical means of communication is usually independent of the type of information carried. For example, inter-city microwave radio-relay systems, international satellite links and fibre optic submarine cables will all usually carry mixed traffic of television, telephone, fax, data links, private voice, video and data.
Collection follows interception, but is a distinct activity in that many types of signals may be intercepted but will receive no further processing save perhaps technical searches to verify that communications patterns remain unchanged. For example, a satellite interception station tasked to study a newly launched communications satellite will set up an antenna to intercept all that the satellite sends to the ground. Once a survey has established which parts of the satellite's signals carry, say, television or communications of no interest, these signals will not progress further within the system.
Collection includes both acquiring information by interception and passing information of interest downstream or processing and production. Because of the high information rates used in many modern networks, and the complexity of the signals within them, it is now common for high speed recorders or "snapshot" memories temporarily to hold large quantities of data while processing takes place (like the British 90-day storage of all Usenet traffic). Modern collection activities use secure, rapid communications to pass data via global networks to human analysts who may be a continent away. Selecting messages for collection and processing is in most cases automated, involving large on-line databases.
This means conversion of collected information into a form suitable for analysis or the production of intelligence, being done either automatically or under human supervision. Incoming communications are normally converted into standard formats identifying their technical characteristics, together with message (or signal) related information (such as the telephone numbers of the parties to a telephone conversation).
At an early stage, if it is not inherent in the selection of the message or conversation, each intercepted signal or channel will be described in standard "case notation". Case notation first identifies the countries whose communications have been intercepted, usually by two letters. A third letter designates the general class of communications: C for commercial carrier intercepts, D for diplomatic messages, P for police channels, etc. A fourth letter designates the type of communications system (such as S for multi-channel). Numbers then designate particular links or networks. Thus for example, during the 1980s NSA intercepted and processed traffic designated as "FRD" (French diplomatic) from Chicksands, England, while the British Comint agency GCHQ deciphered "ITD" (Italian diplomatic) messages at its Cheltenham headquarters.
Processing may also involve translation or "gisting" (replacing a verbatim text with the sense or main pointsof a communication). Translation and gisting can to some degree be automated.
Production and dissemination
Analysis, evaluation, translation and interpretation of raw data are shaped into finished intelligence here. The final step of the intelligence cycle is dissemination, meaning the passing of reports to the intelligence consumers. Such reports can consist of raw (but decrypted and/or translated) messages, gists, commentary, or extensive analyses. The quality and relevance of the disseminated reports lead in turn to the re-specification of intelligence collection priorities, thereby completing the intelligence cycle and moving back to the planning stage.
The nature of dissemination is highly significant to questions of how Comint is exploited to obtain economic advantage (some examples are given below. Comint activities everywhere are highly classified because, it is argued, knowledge of the success of interception would be likely to lead targets to change their communications methods to defeat future interception.
Dissemination is restricted within the UKUSA organisation by national and international rules generally stipulating that the Sigint agencies of each nation may not normally collect or (if inadvertently collected) record or disseminate information about citizens of, or companies registered in, any other UKUSA nation. Citizens and companies are collectively known as "legal persons". The opposite procedure is followed if the person concerned has been targeted by their national Comint organisation.
For example, New Zealand officials were instructed to remove the names of identifiable UKUSA citizens or companies from their reports, inserting instead words such as "a Canadian citizen" or "a US company". British Comint staff have described following similar procedures in respect of US citizens following the introduction of legislation to limit NSA's domestic intelligence activities in 1978.
The corollary is also true; UKUSA nations place NO restrictions on intelligence gathering affecting either citizens or companies of any non-UKUSA nation, including member states of the European Union (except the UK).
Tapping the communication
From 1945 onwards in the United States the NSA and predecessor agencies systematically obtained cable traffic from the offices of the major cable companies. This activity was codenamed SHAMROCK. These activities remained unknown for 30 years, until enquiries were prompted by the Watergate affair. On 8 August 1975, NSA Director Lt General Lew Allen admitted to the Pike Committee of the US House of Representatives that "NSA systematically intercepts international communications, both voice and cable”.
He also admitted that "messages to and from American citizens have been picked up in the course of gathering foreign intelligence". US legislators considered that such operations might have been unconstitutional. During 1976, a Department of Justice team investigated possible criminal offences by NSA. Part of their report was released in 1980. It described how intelligence on US citizens:
"was obtained *incidentally* in the course of NSA's interception of aural and non-aural (e.g., telex) international communications and the receipt of GCHQ-acquired telex and ILC (International Leased Carrier) cable traffic (SHAMROCK)" (emphasis in original).
HF Radio interception
High frequency radio signals are relatively easy to intercept, requiring only a suitable area of land in, ideally, a "quiet " radio environment. From 1945 until the early 1980s, both NSA and GCHQ operated HF radio interception systems tasked to collect European ILC communications in Scotland.
The most advanced type of HF monitoring system deployed during this period for Comint purposes was a large circular antenna array known as AN/FLR-9. AN/FLR-9 antennae are more than 400 metres in diameter. They can simultaneously intercept and determine the bearing of signals from as many directions and on as many frequencies as may be desired. In 1964, AN/FLR-9 receiving systems were installed at San Vito dei Normanni, Italy; Chicksands, England, and Karamursel, Turkey.
In August 1966, NSA transferred ILC collection activities from its Scottish site at Kirknewton, to Menwith Hill in England. Ten years later, this activity was again transferred, to Chicksands. Although the primary function of the Chicksands site was to intercept Soviet and Warsaw Pact air force communications, it was also tasked to collect ILC and "NDC" (Non-US Diplomatic Communications). Prominent among such tasks was the collection of FRD traffic (i.e., French diplomatic communications). Although most personnel at Chicksands were members of the US Air Force, diplomatic and ILC interception was handled by civilian NSA employees in a unit called DODJOCC.
During the 1970s, British Comint units on Cyprus were tasked to collect HF communications of allied NATO nations, including Greece and Turkey. The interception took place at a British army unit at Ayios Nikolaos, Eastern Cyprus. In the United States in 1975, investigations by a US Congressional Committee revealed that NSA was collecting diplomatic messages sent to and from Washington from an army Comint site at Vint Hill Farms, Virginia. The targets of this station included the United Kingdom.
Space interception of inter-city networks
Long distance microwave radio relay links may require dozens of intermediate stations to receive and re-transmit communications. Each subsequent receiving station picks up only a tiny fraction of the original transmitted signal; the remainder passes over the horizon and on into space, where satellites can collect it. These principles were exploited during the 1960s to provide Comint collection from space. The nature of microwave "spillage" means that the best position for such satellites is not above the chosen target, but up to 80 degrees of longitude away.
The first US Comint satellite, CANYON, was launched In August 1968, followed soon by a second. The satellites were controlled from a ground station at Bad Aibling, Germany. In order to provide permanent coverage of selected targets, CANYON satellites were placed close to geostationary orbits. However, the orbits were not exact, causing the satellites to change position and obtain more data on ground targets. Seven CANYON satellites were launched between 1968 and 1977.
Links extended for thousands of miles, much of it over Siberia, where permafrost restricted the reliable use of underground cables. Geographical circumstances thus favoured NSA by making Soviet internal communications links highly accessible. The satellites performed better than expected, so the project was extended.
The success of CANYON led to the design and deployment of a new class of Comint satellites, CHALET. The ground station chosen for the CHALET series was Menwith Hill, England. Under NSA project P-285, US companies were contracted to install and assist in operating the satellite control system and downlinks (RUNWAY) and ground processing system (SILKWORTH). The first two CHALET satellites were launched in June 1978 and October 1979. After the name of the first satellite appeared in the US press, they were renamed VORTEX. In 1982, NSA obtained approval for expanded "new mission requirements" and were given funds and facilities to operate four VORTEX satellites simultaneously. A new 5,000m2 operations centre (STEEPLEBUSH) was constructed to house processing equipment. When the name VORTEX was published in 1987,the satellites were renamed MERCURY.
The expanded mission given to Menwith Hill after 1985 included MERCURY collection from the Middle East. The station received an award for support to US naval operations in the Persian Gulf from 1987 to 1988. In 1991, a further award was given for support of the Iraqi war operations, Desert Storm and Desert Shield. Menwith Hill is now the major US site for Comint collection against its major ally, Israel. Its staff includes linguists trained in Hebrew, Arabic and Farsi as well as European languages.
The CIA developed a second class of Sigint satellite with complementary capabilities over the period from 1967 to 1985. Initially known as RHYOLITE and later AQUACADE, these satellites were operated from a remote ground stat ion in central Australia, Pine Gap. Using a large parabolic antenna which unfolded in space, RHYOLITE intercepted lower frequency signals in the VHF and UHF bands. Larger, most recent satellites of this type have been named MAGNUM and then ORION. Their targets include telemetry, VHF radio, cellular mobile phones, paging signals, and mobile data links.
A third class of satellite, known first as JUMPSEAT and latterly as TRUMPET, operates in highly elliptical near-polar orbits enabling them to "hover" for long period over high northern latitudes. They enable the United States to collect signals from transmitters in high northern latitudes poorly covered by MERCURY or ORION, and also to intercept signals sent to Russian communications satellites in the same orbits. Although precise details of US space-based Sigint satellites launched after 1990 remain obscure, it is apparent from observation of the relevant ground centres that collection systems have expanded rather than contracted.
The main stations are at Buckley Field, Denver, Colorado; Pine Gap, Australia; Menwith Hill, England; and Bad Aibling, Germany. The satellites and their processing facilities are exceptionally costly (of the order of $1 billion US each).
It follows that the United States can if it chooses direct space collection systems to intercept mobile communications signals and microwave city-to-city traffic anywhere on the planet. The geographical and processing difficulties of collecting messages simultaneously from all parts of the globe suggest strongly that the tasking of these satellites will be directed towards the highest priority national and military targets. Thus, although European communications passing on inter-city microwave routes can be collected, it is likely that they are normally ignored. But it is very highly probable that communications to or from Europe and which pass through the microwave communications networks of Middle Eastern states are collected and processed.
No other nation (including the former Soviet Union) has deployed satellites comparable to CANYON, RHYOLITE, or their successors. Both Britain (project ZIRCON) and France (project ZENON) have attempted to do so, but neither persevered. After 1988 the British government purchased capacity on the US VORTEX (now MERCURY) constellation to use for unilateral national purposes. A senior UK Liaison Officer and staff from GCHQ work at Menwith Hill NSA station and assist in tasking and operating the satellites.
Systematic collection of COMSAT ILC communications began in 1971. Two ground stations were built for this purpose. The first at Morwenstow, Cornwall, England had two 30-metre antennae. One intercepted communications from the Atlantic Ocean Intelsat; the other the Indian Ocean Intelsat. The second Intelsat interception site was at Yakima, Washington in the northwestern United States. NSA's "Yakima Research Station" intercepted communications passing through the Pacific Ocean Intelsat satellite.
ILC interception capability against western-run communications satellites remained at this level until the late 1970s, when a second US site at Sugar Grove, West Virginia was added to the network. By 1980, its three satellite antenna had been reassigned to the US Naval Security Group and were used for COMSAT interception.
Large-scale expansion of the ILC satellite interception system took place between 1985 and 1995, in conjunction with the enlargement of the ECHELON processing system (section 3). New stations were constructed in the United States (Sabana Seca, Puerto Rico), Canada (Leitrim, Ontario), Australia (Kojarena, Western Australia) and New Zealand (Waihopai, South Island). Capacity at Yakima, Morwenstow and Sugar Grove was expanded, and continues to expand.
Based on a simple count of the number of antennae currently installed at each COMSAT interception or satellite SIGINT station, it appears that indicates that the UKUSA nations are between them currently operating at least 120 satellite based collection systems.
Submarine cable interception
Submarine cables now play a dominant role in international telecommunications, since – in contrast to the limited bandwidth available for space systems – optical media offer seemingly unlimited capacity. Save where cables terminate in countries where telecommunications operators provide Comint access (such as the UK and the US), submarine cables appear intrinsically secure because of the nature of the ocean environment.
In October 1971, this security was shown not to exist. A US submarine, Halibut, visited the Sea of Okhotsk off the eastern USSR and recorded communications passing on a military cable to the Khamchatka Peninsula. Halibut was equipped with a deep diving chamber, fully in view on the submarine's stern. The chamber was described by the US Navy as a "deep submergence rescue vehicle". The truth was that the "rescue vehicle" was welded immovably to the submarine. Once submerged, deep-sea divers exited the submarine and wrapped tapping coils around the cable.
Having proven the principle, USS Halibut returned in 1972 and laid a high capacity recording pod next to the cable. The technique involved no physical damage and was unlikely to have been readily detectable. The Okhotsk cable tapping operation continued for ten years, involving routine trips by three different specially equipped submarines to collect old pods and lay new ones; sometimes, more than one pod at a time.
New targets were added in 1979. That summer, a newly converted submarine called USS Parche travelled from San Francisco under the North Pole to the Barents Sea, and laid a new cable tap near Murmansk. Its crew received a presidential citation for their achievement. The Okhotsk cable tap ended in 1982, after its location was compromised by a former NSA employee who sold information about the tap, codenamed IVY BELLS, to the Soviet Union. One of the IVY BELLS pods is now on display in the Moscow museum of the former KGB. The cable tap in the Barents Sea continued in operation, undetected, until tapping stopped in 1992.
During 1985, cable-tapping operations were extended into the Mediterranean, to intercept cables linking Europe to West Africa. After the cold war ended, the USS Parche was refitted with an extended section to accommodate larger cable tapping equipment and pods. Cable taps could be laid by remote control, using drones. USS Parche continues in operation to the present day, but the precise targets of its missions remain unknown. The Clinton administration evidently places high value on its achievements, Every year from 1994 to 1997, the submarine crew has been highly commended. Likely targets may include the Middle East, Mediterranean, eastern Asia, and South America. The United States is the only naval power known to have deployed deep-sea technology for this purpose.
Miniaturised inductive taps recorders have also been used to intercept underground cables. 32 Optical fibre cables, however, do not leak radio frequency signals and cannot be tapped using inductive loops. NSA and other Comint agencies have spent a great deal of money on research into tapping optical fibres, reportedly with little success. But long distance optical fibre cables are not invulnerable. The key means of access is by tampering with optoelectronic "repeaters" which boost signal levels over long distances. It follows that any submarine cable system using submerged optoelectronic repeaters cannot be considered secure from interception and communications intelligence activity.
Intercepting the Internet
During the 1980s, NSA and its UKUSA partners operated a larger international communications network than the then Internet but based on the same technology. According to its British partner "all GCHQ systems are linked together on the largest LAN [Local Area Network] in Europe, which is connected to other sites around the world via one of the largest WANs [Wide Area Networks] in the world … its main networking protocol is Internet Protocol (IP). This global network, developed as project EMBROIDERY, includes PATHWAY, the NSA's main computer communications network. It provides fast, secure global communications for ECHELON and other systems.
Since the early 1990s, fast and sophisticated Comint systems have been developed to collect, filter and analyse the forms of fast digital communications used by the Internet. Because most of the world's Internetcapacity lies within the United States or connects to the United States, many communications in "cyberspace" will pass through intermediate sites within the United States. Communications from Europe to and from Asia, Oceania, Africa or South America normally travel via the United States.
Routes taken by Internet "packets" depend on the origin and destination of the data, the systems through which they enter and leaves the Internet, and a myriad of other factors including time of day. Thus, routers within the western United States are at their most idle at the time when central European traffic is reaching peak usage. It is thus possible (and reasonable) for messages travelling a short distance in a busy European network to travel instead, for example, via Internet exchanges in California. It follows that a large proportion of international communications on the Internet will by the nature of the system pass through the United States and thus be readily accessible to NSA.
Standard Internet messages are composed of packets called "datagrams" . Datagrams include IP addresses which are inherently easy to identify as to country and site of origin and destination. Handling, sorting and routing millions of such packets each second is fundamental to the operation of major Internet centres. The same process facilitates extraction of traffic for Comint purposes.
Internet traffic can be accessed either from international communications links entering the United States, or then it reaches major Internet exchanges. Both methods have advantages. Access to communications systems is likely to be remain clandestine - whereas access to Internet exchanges might be more detectable but provides easier access to more data and simpler sorting methods. Although the quantities of data involved are immense, NSA is normally legally restricted to looking only at communications that start or finish in a foreign country. Unless special warrants are issued, all other data should normally be thrown away by machine before it can be examined or recorded.
Much other Internet traffic (whether foreign to the US or not) is of trivial intelligence interest or can be handled in other ways. For example, messages sent to Usenet discussion groups amounts to about 15 Gigabytes (GB) of data per day; the rough equivalent of 10,000 books. All this data is broadcast to anyone wanting (or willing) to have it. Like other Internet users, intelligence agencies have open source access to this data and store and analyse it. In the UK, the Defence Evaluation and Research Agency maintains a 1 Terabyte database containing the previous 90 days of Usenet messages. Messages for Usenet are readily distinguishable. It is pointless to collect them clandestinely (similar web portals to Usenet exist for mainstream users).
Similar considerations affect the Web, most of which is openly accessible. Web sites are examined continuously by search engines which generate catalogues of their contents. NSA similarly employs searchbots to collect data of interest.
It follows that foreign Internet traffic of communications intelligence interest – consisting of e-mail, file transfers, virtual private networks operated over the internet, and some other messages - will form at best a few per cent of the traffic on most US Internet exchanges or backbone links. According to a former employee, NSA had by 1995 installed sniffers to collect such traffic at nine major Internet exchange points (IXPs).
It has also been alleged that a leading US Internet and telecommunications company had contracted with NSA to develop software to capture Internet data of interest, and that deals had been struck with the leading manufacturers Microsoft, Lotus, and Netscape to alter their products for foreign use. Providing such features would make little sense unless NSA had also arranged general access to Internet traffic. Although NSA will not confirm or deny such allegations, a 1997 court case in Britain involving alleged "computer hacking" produced evidence of NSA surveillance of the Internet. Witnesses from the US Air Force component of NSA acknowledged using packet sniffers and specialised programmes to track attempts to enter US military computers. The case collapsed after the witnesses refused to provide evidence about the systems they had used.
Examples of Comint Business
In 1993, former National Security Council official Howard Teicher described in a programme about Menwith Hill how the European Panavia company was specifically targeted over sales to the Middle East. "I recall that the words 'Tornado' or 'Panavia' - information related to the specific aircraft - would have been priority targets that we would have wanted information about".
Thomson CSF and Brazil
In 1994, NSA intercepted phone calls between Thomson-CSF and Brazil concerning SIVAM, a $1.3 billion surveillance system for the Amazon rain forest. The company was alleged to have bribed members of the Brazilian government selection panel. The contract was awarded to the US Raytheon Corporation - who announced afterwards that "the Department of Commerce worked very hard in support of U.S. industry on this project". Raytheon also provide maintenance and engineering services to NSA's ECHELON satellite interception station at Sugar Grove.
Airbus Industrie and Saudi Arabia
According to a well-informed 1995 press report :"from a commercial communications satellite, NSA lifted all the faxes and phone calls between the European consortium Airbus, the Saudi national airline and the Saudi government . The agency found that Airbus agents were offering bribes to a Saudi official. It passed the information to U.S. officials pressing the bid of Boeing Co and McDonnell Douglas Corp., which triumphed last year in the $6 billion competition."
International trade negotiations
Many other accounts have been published by reputable journalists and some firsthand witnesses citing frequent occasions on which the US government has utlitised Comint for national commercial purposes. These include targeting data about the emission standards of Japanese vehicles; 1995 trade negotiations the import of Japanese luxury cars; French participation in the GATT trade negotiations in 1993; the Asian-Pacific Economic Conference (APEC), 1997.
Targeting host nations
The issue of whether the United States utilises communications intelligence facilities such as Menwith Hill or Bad Aibling to attack host nations' communications also arises. The available evidence suggests that such conduct may normally be avoided. According to former National Security Council official Howard Teicher, the US government would not direct NSA to spy on a host governments such as Britain: " [But] I would never say never in this business because, at the end of the day, national interests are national interests … sometimes our interests diverge. So never say never - especially in this business".