June 23, 2013

Is PRISM just a not-so-secret web tool?

(Updated with an infographic on June 30, 2013)

Since The Guardian first published about the PRISM data collection program on June 6, there have been new disclosures of top secret documents almost every day, resulting in some fierce protests against apparently illegal wiretapping by the NSA and GCHQ. However, it remains unclear what PRISM actually is or does, as The Guardian didn't provide any new details or disclosed more than 5 of the 41 presentation slides about the program.

This makes it hard to determine whether PRISM really is the illegal or at least embarrassing program which most people now think it is. Especially, because it could even be the hardly secret Planning tool for Resource Integration, Synchronization and Management (PRISM), which is a web-based tool to manage information requests widely used by the US military. Here we will take a closer look at this program and try to determine whether this could be the same as the PRISM revealed by The Guardian.

> The latest information: What is known about NSA's PRISM program


Planning tool for Resource Integration, Synchronization and Management

The earliest document which mentions the Planning tool for Resource Integration, Synchronization and Management (PRISM) is a paper (pdf) from July 2002, which was prepared by the MITRE Corporation Center for Integrated Intelligence Systems. The document describes the use of web browsers for military operations, the so-called "web-centric warfare", for which intelligence collection management programs were seen as the catalyst. These programs fuse battlefield intelligence information with the national data that they already possess, in order to provide a complete picture to their users.

PRISM was developed by SAIC (formerly Science Applications International Corporation, a company that was also involved in the 2002 TRAILBLAZER program for analyzing network data). The program was originally prototyped and fielded for the US European Command, but is also being used in other military operation areas such as Iraq. Involved in the establishment of PRISM was Ron Baham. His LinkedIn profile says that he currently is senior vice president and operations manager at SAIC and that he worked on CMMA PRISM at JDISS from 2000 - 2004, so PRISM might be developed somewhere between 2000 and early 2002.

On an older page of its website, SAIC says that the PRISM application allows theater users, in various functional roles and at different echelons, to synchronize Intelligence, Surveillance and Reconnaissance (ISR) requirements with current military operations and priorities. The application was first developed for use on JWICS, the highly secure intelligence community network, but is now also being used on SIPRNet, the secure internet used by the US military.



Screenshot of the PRISM Input Tool (EEI = Essential Elements of Intelligence)
source: GMTI Utility Analysis for Airborne Assets (pdf)


Other sources clarify that PRISM consists of a web-based interface which connects to PRISM servers, and that it's used by a variety of users, like intelligence collection managers at military headquarters, to request the intelligence information which is needed for operations. These requests are entered in the PRISM interface, which sends them to the PRISM server. From there the request goes to units which collect the raw data. These are processed into intelligence, which then becomes available through the PRISM server.

PRISM is able to manage and prioritize these intelligence collection requirements to ensure critical intelligence is timely available to the commander during crisis operations. The application integrates these requirements and, with other tools, generates the so called daily collection deck. PRISM also provides traceability throughout the so-called intelligence cycle, from planning through exploitation to production.

The PRISM application made by SAIC is still widely used. It's mentioned in joint operations manuals from 2012 and in quite a number of job descriptions, like this one from March 2013 for a systems administator in Doha, Qatar, which says that part of the job is providing on-site and off-site PRISM training and support. Also these US government spending data show that in 2011 a maintaince contract (worth $ 1.085.464,-) for PRISM support services was awarded to SAIC, with options for 2012 and 2013.


Are there two different PRISMs?

So now it looks like as if there are two different programs called PRISM: one is a web-based tool for requesting and managing intelligence information from a server that gets input from various intelligence sources. The other is the program from which The Guardian says it's a top secret electronic surveillance program that collects raw data from the servers of nine major US internet companies.

If the Guardian's claims are true, it's strange that two important intelligence programs apparently have the exact same name. For sure, this would not be very likely, if "PRISM" would be an acronym or a codeword in both cases. But if we assume one PRISM being an acronym and the other PRISM a codeword, it could be somewhat more likely.

As we know, the PRISM tool developed by SAIC is an acronym, just like the names of many other military and intelligence software tools are often lengthy acronyms. This leaves the PRISM which was unveiled by The Guardian likely to be a codeword, or more correctly said, a nickname. NSA data collection methods, officially designated by an alphanumerical SIGAD like US-984, can have nicknames which may or may not be classified.

These are different from codenames, which are always classified and often assigned to the intelligence products from the various data collection methods. This can cause some confusion, as "PRISM" perfectly fits in the NSA tradition of using 5-letter codewords for products of sensitive Signals Intelligence programs.


If PRISM had been a classified codename, it should also have been part of the classification line, and the marking should have read TOP SECRET // SI-PRISM // [...] instead of the current TOP SECRET // SI // [...]. This indicates that if there are two PRISMs, and one is an acronym, the other PRISM isn't a codeword for intelligence from a specific source, but most likely the unclassified nickname of a collection method.

This still leaves the question of why in 2007 an apparently new collection program got a nickname which is exactly the same as the acronym of an already widely used computer application - which is even going to be one of its tasking systems.


A less spectacular PRISM?

Allthough The Guardian presented PRISM as a method of directly collecting raw data from major internet companies, other sources say that PRISM might well be a much less spectacular internal computer program.

Initially, The Washington Post came with the same story as The Guardian, but revised some of its claims by citing a classified report from the NSA Inspector General that describes PRISM as allowing "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations." These words very much resemble the way the PRISM Planning Tool is described.

National security reporter Marc Ambinder describes PRISM as "a kick-ass GUI (Graphical User Interface) that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States" - which also sounds much more like the SAIC application, than like a data dragnet with free access to commercial company servers.

This view was also confirmed by a statement (pdf) of Director of National Intelligence (DNI) James Clapper, which says: "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s [...] collection of foreign intelligence information from electronic communication service providers [...]".

With this statement, Clapper officially confirms the existance of a program called PRISM, and allthough his description could also fit that of the Planning tool for Resource Integration, Synchronization and Management, he didn't positively identified PRISM as such.

Finally, an anonymous former government official told CNet.com that The Guardian's reports are "incorrect and appear to be based on a misreading of a leaked Powerpoint document", making journalist Declan McCullagh go one step further by suggesting that PRISM might be actually the same as the web application named Planning Tool for Resource Integration, Synchronization, and Management.


PRISM as an all-source planning tool

Some sources, like a joint operations manual and a number of job descriptions, seem to indicate that the PRISM planning tool is primarily used for geospational intelligence (GEOINT), which is analysed imagery of the earth as collected by spy planes and satellites.


However, more extensive research has shown that the Planning tool for Resource Integration, Synchronization and Management (PRISM) is not only used for geospatial intelligence, but for fusing intelligence from all sources. Besides GEOINT, sources prove that PRISM is also used for SIGINT (Signals Intelligence), IMINT (Imagery Intelligence) and HUMINT (Human Intelligence), probably through additional modules for each of these sources.

Even the 2006 Geospatial Intelligence Basic Doctrine (pdf) says PRISM is a "web-based application that provides users, at the theater level and below, with the ability to conduct Integrated Collection Management (ICM). Integrates all intelligence discipline assets with all theater requirements."
More specifically, the 2012 Joint and National Intelligence Support to Military Operations manual describes that where applicable, requests for SIGINT support should be entered into approved systems such as PRISM, for approval by a military commander.

In a job description for an Intelligence Training Instructor from 2010 we see a distinction being made between PRISM-IMINT and PRISM-SIGINT, and a LinkedIn profile mentions the IMINT/SIGINT PRISM training in 2006 of someone who was administrator for PRISM, which is described as the system of record USCENTCOM uses for submitting, tracking, and researching theater ISR requirements. In a job description for a SIGINT Collection Management Analyst (by Snowden-employer Booz Allen Hamilton!) experience with PRISM is required too.

Also a module was added to PRISM for accessing information from HUMINT (Human Intelligence) sources. Testing of this module was done during the Empire Challenge 2008 exercise. In the daily reports of this exercise we can read that for example the Defense Intelligence Agency's HUMINT team loaded "additional data into PRISM HUMINT module for operations on Tuesday morning". From a French report about this exercise we learn that the PRISM HUMINT module was a new application, just like the Humint Online Tasking & Reporting (HOT-R) tool, which runs on SIPRNet. This indicates that modules for different -INTs were added gradually in time.


Are both PRISMs one and the same?

If The Guardian's PRISM really is just a computer system for sending tasking instructions to equipment that collects the raw data, it is hard to believe that it's different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which for many years is used to order and manage intelligence from all sources.

If this could be true, and there's only one PRISM program, what about the slides which were disclosed by The Guardian? First of all, as this newspaper is not willing to publish all PRISM-slides, we cannot be sure about what this presentation is really about, but it's possible that it's not about a PRISM which is the nickname of the US-984XN collection method, but about how to gather material from that source by using the PRISM web tool. This way around, the SIGAD US-984XN can still deliver for most NSA reporting, including the President's Daily Brief.

More specific, we can think of a machine-to-machine interface between the PRISM system and dedicated data collection devices at remote locations, like a secure FTP server or an encrypted dropbox at sites of the internet companies. At the PRISM desktop interface this tasking may be done through a separate SIGINT module. As one of the slides says: "Complete list and details on PRISM web page: Go PRISMFAA" we can even imagine a module called "PRISM FAA" for requesting intelligence from intercepts of foreign communications under the conditions of the FISA Amendment Act (FAA) from 2008.



Infographic of the PRISM Planning Tool as part of the Intelligence Cycle,
with a possible way of how it could be the same as the
PRISM internet data collection program
(click for a bigger picture)


By publishing the PRISM slides, The Guardian for the first time revealed evidence about the NSA collecting data from major internet companies. But as this apparently surprised the general public, the practice is hardly new. Spies and later intelligence agencies of all countries have always tried to intercept foreign communications and of course tried to do this with every new way of communication: first letters, later phonecalls and radio communications, and nowadays internet based social media. Therefore, it may hardly come as a surprise that NSA found ways to intercept those new means of communications too.

What looks more of a problem, is the fact that in the past, enemies were nation states, which could be targeted by focussing on diplomatic and military communications, leaving most people's privacy untouched. Nowadays, with terrorism considered as the main enemy, almost every (foreign) citizen could be a potential adversary. This made intelligence agencies try to search everyone's communications, which are also more internationally intertwined than ever before.


Next time we will discuss more specific details of the Planning tool for Resource Integration, Synchronization and Management (PRISM), as this gives an interesting look at internal intelligence procedures.


Links

- TheWeek.com: Is the NSA PRISM leak much less than it seems?
- CNet.com: What is the NSA's PRISM program? (FAQ)
- CNet.com: No evidence of NSA's 'direct access' to tech companies
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal”
- ExtremeTech.com: Making sense of the NSA Prism leak as the real details emerge
- Medium.com: The PRISM Details Matter
- Reflets.info: #PRISM: let’s have a look at the big picture
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal” - Mashable.com: See How PRISM May Work — in This Infographic
- ZDNet.com: How did mainstream media get the NSA PRISM story so hopelessly wrong?

June 20, 2013

Abbreviations, Acronyms, Nicknames and Codewords

The communications security and intelligence branch is notorious for its abbreviations, acronyms, nicknames and codewords, and recently we learned a number of new NSA codewords from many classified documents which Edward Snowden handed over to The Guardian.

Here we provide two listings, one of abbreviations and acronyms, and one of nicknames and codewords, to get somewhat more grip on these things:

- Abbreviations and Acronyms

- Nicknames and Codewords

Listings like this can never be complete, and therefore expect new entries to be added gradually, as well as updates of existing entries.

June 7, 2013

Are the NSA's PRISM slides photoshopped?

(Updated: June 10, 2013)

Yesterday, Thursday June 6, The Washington Post and The Guardian came with a breaking news story about a Top Secret NSA program called PRISM, which reportedly collects data directly from the servers of nine major internet companies like Microsoft, Google, Facebook, Skype and Apple.

Many of these firms have already denied that the government has access to their networks. Today both president Obama and director of National Intelligence James Clapper said there is no gathering of information about US citizens or of any person located within the United States.

> The latest information: What is known about NSA's PRISM program


The Guardian claimed to have obtained 41 slides of an NSA presentation about the PRISM collection program, and showed some of them on its website. But some strange looking details caused a number of people, especially on Twitter, think the slides might be fake.

Here we take a more close look at these slides, which, if genuine, give a very rare look at a recent Top Secret document from the US National Security Agency.


The strangest thing about the slides is probably the PRISM program logo, which is shown at the top right side of each slide. On the Guardian website this logo is also shown separately with an orange background box - the same way it appears on their slides. But as we look at the same slides on the website of The Washington Post, we see that the orange background has been cropped away.

This can only mean that the logo was added somewhere afterwards, and therefore wasn't part of the original slide deck. On Twitter, it was also noticed, that the PRISM logo was made by using a standard clipart image.

UPDATE:
One of the journalists of The Guardian explained on twitter, that these differences between the slides are caused by using different powerpoint readers (The Guardian using OpenOffice).



Details and explanation of the first PRISM slide

This does not automatically mean the whole slide deck is fake, so let's take a closer look at the rest of the slide contents:

- At the top left and the bottom right corner of each slide we see the standardized classification marking line, showing the classification level and the dissemination control markings. In this case the slides are marked: TOP SECRET // SI // ORCON // NOFORN, which combines:

TOP SECRET - the classification level, meaning that public disclosure of the document would cause 'exceptionally grave damage' to national security.

SI - Special Intelligence, formerly known as COMINT or COMmunications INTelligence, which means this document is part of a control system for Sensitive Compartmented Information (SCI).

ORCON - ORiginator CONtrolled, meaning the originator controls dissemination and/or release of the document. Therefore these are always viewed in secured areas that are cleared for top-secret data and one cannot view or copy such a document without leaving an audit trail.

NOFORN - NO FOReign Nationals, meaning distribution to non-US citizens is prohibited, regardless of their clearance or access permissions.

- At the top of each slide we also see the logos of the internet companies involved in the PRISM program. The way these logos are grouped at the top of each slide looks not very professional, it distracts from the content and there's also no good reason for showing them on every slide. Therefore this part is also seen as a typical photoshop work.

- Top left we also see a seal with the words Special Source Operations, which is a department of the NSA responsible for important intelligence collection programs. This seal cannot be easily found elsewhere on the internet and looks well designed, so is most likely real.


- The title of the presentation is: PRISM/US-984XN Overview or The SIGAD Used Most in NSA Reporting Overview. SIGAD is the abbreviation of SIGINT Activity Designator, which is a unique addresss for every signals intelligence collection station, ship, or method and consists of a country code followed by alphanumeric characters. Thus the second part of the title (The SIGAD Used Most in NSA Reporting) refers to the first part, where US-984XN is the SIGAD of the PRISM program.

- Underneath the title there's a line which is partly (Guardian) or fully (Washington Post) blacked out. From what we can read, this line most likely started with the name of the person being the PRISM collection manager, followed by a kind of service/department number. Understandably the name has been blacked out because of privacy and security reasons, and the American paper even blacked out the rest.

- Finally, at the bottom right we see a red bordered box with three lines:
Derived from: NSA/CSSM 1-52 - meaning this was derived from the NSA/CSS Manual 1-52 about Classified National Security Information, which describes additional responsabilities of holders of NSA/CSS protected information.
Dated: 20070108 - meaning the presentation was derivative of work dated January 8, 2007, which appears to be the date of the NSA/CSS Manual 1-52.
Declassify On: 20360901 - meaning the slide deck was meant to be declassified on September 1, 2036. In general, this has to be 25 years from the date of the document’s origin, which seems to indicate that this presentation was classified on September 1, 2011, allthough the first slide itself is dated April 2013.

After this close look at the first slide of the PRISM presentation we have seen that there are a few strange elements, but also that most of the content looks realistic.



Another difference between the slides

Not only there's a difference between the PRISM logo on the slides at the Guardian and the Washtington Post websites, but, as noticed at this website, also on the slide showing in which years the various internet companies were "added" to the program:


As we can see in the picture, the slide on the Guardian website shows a different green arrow underneath the yellow circles than the Washington Post slide does. Both papers each seem to have some slightly different slides, which is quite strange if they really obtained a copy of such a higly classified slide deck.

UPDATE:
One of the journalists of The Guardian explained on twitter, that these differences between the slides are caused by using different powerpoint readers (The Guardian using OpenOffice).

As the presentation concerns signals intelligence, it has to be handled either trough the highly secured JWICS network used by the US intelligence community, or through NSAnet, which is the classified intranet of the NSA. It looks like PRISM is related to NSAnet, as one of the slides says: "Complete list and details on PRISM web page: Go PRISMFAA". Using a command like this appears to be common practice for NSAnet.

As it is very difficult and risky to get the slides themselves out of NSA's control, it is of course far more easy for someone who has seen the presentation, to tell a journalist what was in it. Then some graphic artist at the newspaper could have made these slides according to what was told to him. In this way, the differences between the slides of both newspapers can easily be explained by an internal messing up of some different versions.



The story revised?

Meanwhile, the Washington Post (because they had rushed the publication?) had to walk back a bit from its initial claims by citing a second classified report that identified PRISM as a program to "allow ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers."

Also the New York Times came with a story which says that each of the large internet companies negotiated with the government about handing out information. As far as this concerns non-US citizens, they are legally required to share the data under the Foreign Intelligence Surveillance Act (FISA) and in this way these companies are providing intelligence agencies like NSA with specific data in response to individual court orders.

These FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms. Last year there were 1856 of such FISA requests. In order to make this more easy, some companies agreed with NSA to transmit these data electronically, using company’s servers or even government equipment at a company location. This however is different from giving the NSA wholesale bulk access to user data.

This version of the PRISM story was more or less confirmed by Director of National Intelligence (DNI) James Clapper, who released a statement with a fact sheet (PDF), which says "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision".



More about classification markings

Earlier on the evening of June 8, The Guardian published another slide, to clarify that PRISM, which involves data collection from servers, is distinct from four different programs involving data collection from "fiber cables and infrastructure as data flows past".



This newest slide (shown left in the picture above) seems to have an omission, which can also be seen in some of the earlier slides: allthough they have the obligatory classification line (as described above), and the slide title is marked with the so called portion marking (the (TS//SI//NF) which is an abbreviation of the full classification line), this portion marking is missing in the content.

As the DoD and intelligence community Classification Markings Manuals prescribe, all content of briefing slides, including bullets, captions, titles, and embedded graphs, charts and figures, have to be marked with portion markings at the beginning of each portion (except when a waiver for the portion marking has been obtained). This because parts of a document classified as Top Secret can have a lower classification level or can even be unclassified, which also clearly applies to some of the paragraphs of the slides.

Again, this omission alone does not mean these slides are fake, it's also possible that the author of the presentation was simply somewhat lazy. At least in case of the slide titled "Introduction. U.S. as World's Telecommunications Backbone" the content is public information, for which the overall Top Secret classification would clearly not be justified.

A correct implementation of the portion marking can be seen in some slides about the NSA's BOUNDLESSINFORMANT data mining tool, which were disclosed by The Guardian on June 8. Here we see the slides are marked as TOP SECRET // SI // NOFORN within an orange bar, which is the color code for Top Secret, but with the separate text portions marked as (U//FOUO) as they are Unclassified // For Official Use Only:


With correct markings and a more professional look, these new slides look more credible than those of the PRISM presentation. As government agencies apparently often produce bad looking presentations, this alone doesn't make the PRISM slides fake, but we always should be aware of things like hoaxes, sensationalism and disinformation from whatever source, and at the same time don't get trapped into conspiracy theories.



Other PRISM programs

As there are still questions about what exactly NSA's PRISM program does, it became clear that there are also a number of other intelligence and security related programs called PRISM, which may cause some confusion:

The journalist Matthew Keys discovered that in 2007 a classified Defense Intelligence Agency (DIA) intelligence job listing mentions "national intelligence community collection management systems" like PRISM, COLISEUM and HOT-R. A DIA job listing from earlier this year requires "Experience working in collection requirements management systems and procedures, to include PRISM, HOT-R, GIMS, NSRP, TORS, OSCR, COLISEUM, and CMST"

As this are DIA jobs, it seems however that this PRISM system is different from the one of the NSA. At the website of defense contractor IIT, PRISM is explained as an abbreviation of the "Planning tool for Resource Integration, Synchronization and Management", which just like COLISEUM, seems to be used in the field of Geospatial Intelligence, which analyses satellite imagery of the earth. In this way, PRISM is also mentioned in a number of documents on the Cryptome website. These are dating back to 2003, which is four years before the alledged start of the NSA PRISM internet program in 2007.

> More about this confusion: Is PRISM just a not-so-secret web tool?

The existence of what looks like a third PRISM system was unveiled by this PDF document at the Cryptome website. This document, dated March 21, 2004, describes PRISM (Protect, Respond, Inform, Secure, and Monitor) as a Homeland security Command and Control (C2) decision support system, providing a single end-user application for messaging, alerting, geo-referenced mapping, and asset tracking.

A program called PRISM is also used by the US Secret Service, where this is an acronym which stands for Protective Research Information System Management (PRISM-ID). This system is used to record information that required to assist the agency in meeting its protective mission that includes the protection of the President, and other top level officials. More about this program can be found in this PDF document from 2010 at the Cryptome website.



Links and Sources
- The Washington Post: U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program
- The Guardian: NSA Prism program taps in to user data of Apple, Google and others
- Business Insider: Is The Claim That The Government Has A Direction Connection To Tech Companies A Lie?
- Forbes: Startup Palantir Denies Its 'Prism' Software Is The NSA's 'PRISM' Surveillance System
- New York Times: Tech Companies, Bristling, Concede to Federal Surveillance Program
- ABC News: 4 Unanswered Questions About NSA Leaks
- The 2011 Intelligence Community Classification and Control Markings Implementation Manual (PDF)
- The 2012 DoD Marking of Classified Information Manual (PDF)
- ZDNet: The real story in the NSA scandal is the collapse of journalism
- The Week: Solving the mystery of PRISM

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties