Channel: Electrospaces.net

NSA's global interception network


On November 23, the Dutch newspaper NRC Handelsblad published a new slide from the Snowden documents. The slide is from a Top Secret NSA management presentation from 2012 and shows the agency's worldwide information collection capabilities.

As the slide is titled "Driver 1: Worldwide SIGINT/Defense Cryptologic Platform" there must be more slides with "Drivers", but unfortunately these were not published.

This article takes a close look at the map and tries to explain the various interception locations of what is NSA's new ECHELON network for the internet age.


The slide shows five types of data collection, called "Classes of Accesses". These correspond to the organizational channels through which NSA gathers its intelligence:
- 3rd PARTY/LIAISON - Intelligence sharing with foreign agencies
- REGIONAL - SCS units, a joint venture between NSA and CIA
- CNE - NSA's Tailored Access Operations (TAO) division
- LARGE CABLE - NSA's Special Source Operations (SSO) division
- FORNSAT - NSA's Global Access Operations (GAO) division

Besides the collection capabilities shown in this map, NSA also collects data through spy planes and satellites (called Overhead Collection) and a range of tactical collection systems used to support military operations.

3rd PARTY/LIAISON - Intelligence sharing

As the first class of access, the slide lists the so-called 3rd Party liaisons with partner agencies in other countries with which NSA has formal agreements for the exchange of raw data and end product reports.

The legend designates 3rd Party Liaisons with a green dot, but there are no green dots on the map, which seems strange. One possible explanation could be that the different colored dots appear one by one when clicking through the original PowerPoint presentation, but according to a tweet by one of the NRC journalists, there were no green dots on the original map.

Another possible explanation is that 3rd Party stands for countries, whereas all other dots represent specific facilities. This however could have been solved by simply listing the nations just like the Regional and Fornsat lists at the top of the map.

With that not being the case, the most likely reason seems to be that NSA considers the names of these 3rd Party nations to be too sensitive to be mentioned in a TOP SECRET//COMINT document. Probably they may only be in documents classified within the Exceptionally Controlled Information (ECI) control system, just like the names of the telecommunication companies cooperating with NSA (the exact locations of the cable tapping facilities are also not mentioned in the map's legend).

As a result, it is still a big secret which 30 countries are NSA's 3rd party partners. Based upon the Snowden documents, the German magazine Der Spiegel only published the names of these six European countries:
- Germany
- France
- Austria
- Denmark
- Belgium
- Poland
Some other sources also named the following countries as 3rd party partners:
- Norway
- Italy
- Greece
- Turkey
- Israel
- South-Africa
- Thailand
- Malaysia
- Singapore
- Japan
- South-Korea
- Taiwan
NRC Handelsblad reported that The Netherlands is a 3rd party partner too, but presented no evidence for that. According to an article (pdf) by Dutch scholars, it's not very likely that Dutch agencies are a formal 3rd party partner of NSA, as they have different political and cultural views. Nonetheless, the Netherlands has always been a loyal partner in military operations and so there is information sharing on that level.

If we include The Netherlands, the list of known 3rd party countries adds up to 19, which means there must be 11 other nations having a formal intelligence sharing agreement with NSA.

REGIONAL - Special Collection Service

Under "Regional" the map shows over 80 locations of the joint NSA-CIA Special Collection Service (SCS) units. These units are covertly based in US embassies and consulates all around the world and are charged with eavesdropping on high-level targets in difficult-to-reach places, such as foreign embassies, communications centers, and foreign government installations.

The names of 88 locations are listed at the top of the map, but 46 of them are blacked out. According to NRC Handelsblad, Glenn Greenwald asked them to do so, because of "protection of the source and the agreement we have with him: it's not really newsworthy". But Snowden apparently also insisted on this in order to protect his legal interests and therefore he provided Greenwald a "clear list" about categories of information that should not be published.

Earlier, a map showing SCS locations worldwide was published by the German magazine Der Spiegel. Initially an unredacted map was put online by accident, but before it was replaced, it was already copied onto several websites. This map showed 74 staffed SCS locations, 14 unmanned remote controlled locations and 8 other locations as of August 2010. Except for the SCS locations in Europe, the names of all other cities were blurred by Der Spiegel:

If we compare the European cities in this map from 2010 with those in the NRC map from 2012, we see that the latter doesn't show the following places: Baku, Croughton, Kiev, Madrid, Moscow, and Tbilisi.

This could mean these SCS activities were terminated in the meantime, but also that their names were simply blacked out, which is definitely the case for Moscow and Madrid (having a dot on the map but not being mentioned in the legend) and seems likely for the technical SCS support facility at the US Air Force base in Croughton (or might this be "RESC" if it stands for something like Regional Exploitation Support Center?).

Also interesting is that the legend of the 2012 map reveals SCS locations in the US:
- Langley, Virginia, where the CIA headquarters is
- Reston, Virginia, where there's a small CIA facility too
These two locations are most likely not for eavesdropping, but rather serve as technical, training or support facilities. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.

CNE - Computer Network Exploitation

The yellow dots on the map give some indication of where NSA has placed over 50,000 implants in computer networks as part of its Computer Network Exploitation (CNE) operations. These operations are conducted by NSA's highly specialized and secretive Tailored Access Operations (TAO) division.

Last August, the Washington Post reported that the NSA installed an estimated 20,000 computer implants as early as 2008. This was based on the secret budget of the American intelligence agencies.

Compared to the over 50,000 implants, there's only a very small number of yellow dots on the map, so they probably provide only an indication of the regions where NSA placed most of them. As such we see India, China, Mexico, the northern part of South-America, north-east Africa, eastern Europe, the European part of Russia and the Middle-East.

LARGE CABLE - Access to the Internet Backbone

The big blue dots represent 20 major "covert, clandestine, or cooperative large accesses" to "high speed optical cable" links which form the internet backbone. It's this way that the Special Source Operations (SSO) division collects the largest share of NSA's intelligence and maybe therefore the blue dots are the biggest ones.

The map itself shows just 16 blue dots, but as the legend says "20 Access Programs" it's possible that there are 20 programs and only 16 actual intercept locations, or that not all locations are marked on the map (which is also the case for the FORNSAT locations).

The 16 Cable Access locations marked on the map seem to be in:
- Indonesia
- South Korea
- Guam
- one of the Caroline Islands?
- Hawaii
- 4 locations at the US West coast
- 2 locations at the US East coast
- Great Britain (Menwith Hill and/or Bude)
- France (Marseille?)
- Djibouti
- Oman
- Afghanistan?

In most of these countries there's an American military base, which probably makes it easier to get covert and clandestine access to internet backbone cables. But as we know from earlier reports, NSA and GCHQ also have secret cooperation arrangements with major American, British and foreign telecommunication and internet providers, in order to get access to internet traffic.

One supposed cable tapping location that's missing on the map is the Ayios Nikolaos station, which is part of the British Sovereign Base Area of Dhekelia on Cyprus. This station was identified as a major cable intercept facility run by GCHQ.

Some known NSA programs for intercepting internet cables are:
- OAKSTAR, which is an umbrella program for:
Most of these OAKSTAR sub-programs are "foreign access points", so maybe some of them are represented by the blue dots on the map. If we add these 12 Corporate programs to the 4 Unilateral and 2 Foreign cable access programs shown in the presentation slide below, we get a total of 18 programs, which is quite close to the number of 20 Major Accesses mentioned in the legend of the map.

A slide from a 2010 presentation of the Special Source Operations (SSO)
division about access to "high-capacity telecommunication systems"

FORNSAT - Foreign Satellite interception

Finally, the orange dots on the map represent locations where there are stations for intercepting the signals of foreign communication satellites. The orange dots are the second biggest ones, so maybe this indicates that FORNSAT collection provides the second largest share of intelligence.

The legend in the bottom right corner says there are "12 + 40 Regional" FORNSAT stations, but on the map there are only 6 dots and the list in the upper right corner lists only 10 codenames. The six locations on the map can be identified as:
- INDRA - Khon Kaen (Thailand)
- ? (Philippines)
- LADYLOVE - Misawa (Japan)
- TIMBERLINE - Sugar Grove (US)
- CARBOY - Bude, on the map combined with:
- MOONPENNY - Menwith Hill (Great Britain)
- ? (Norway or Sweden)

Five FORNSAT stations have their codename listed, but are, for reasons unknown, not marked on the map:
- STELLAR - Geraldton (Australia)
- IRONSAND - Waihopai or Tangimoana (New Zealand)
- JACKKNIFE - Yakima (US)
- SOUNDER - Ayios Nikolaos (Cyprus)
- SNICK - Oman

The locations in the map published by NRC Handelsblad can be compared to those on a map shown by Brazilian media, which is about Primary FORNSAT Collection:

In this map, which is said to be from 2002, we see the following satellite intercept stations:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabana Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)
2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, Oman
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, New Zealand

If we compare both maps, we see some notable differences. First of all, four stations from 2002 are not on the 2012 map, nor in its legend:
- CORALINE - Sabana Seca (Puerto Rico)
- GARLICK - Bad Aibling (Germany)
- SCAPEL - Nairobi (Kenya)
- SHOAL BAY - Darwin (Australia)

The stations in Sabana Seca and Bad Aibling were closed down and the same could have happened to the one in Nairobi. The Australian intercept facility near Darwin, Shoal Bay Receiving Station, is not in the 2012 map, but seems to be still operational. Therefore we should be careful in treating information in presentation slides and maps like this as perfectly accurate.

The map from 2002 also shows two SCS locations: one in Brasilia and one in New Delhi. Apparently those Special Collection Service units also had a satellite intercept capability. This is most likely also the explanation for the number of "40 regional" FORNSAT stations mentioned in the legend of the 2012 map - which means that meanwhile half of all SCS units worldwide also conduct some kind of foreign satellite interception.

This could also explain the device shown in a slide published earlier by Der Spiegel: an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. Der Spiegel said this device may be used to intercept cell phone signals, but as a dish antenna, it actually looks more like a receiver for satellite signals:

The map from 2012 as published by NRC Handelsblad also has orange dots for a FORNSAT station in the Philippines and in Norway or Sweden. These locations were not in the map of 10 years earlier, so it seems that these are new intercept stations built somewhere between 2002 and 2012.

Unfortunately we don't have their codenames, because in the list in the upper right corner, there's no codename which was not already in the 2002 map. But as this list has only 10 names, and some don't fit on one line, it's possible that two names (coincidentally those of the new stations?!) disappeared because of bad rendering.

A final difference between the FORNSAT stations shown in the maps of 2002 and 2012 is the station in Thailand, which was codenamed LEMONWOOD in 2002. The location near the city of Khon Kaen was identified as being an intercept facility since 1979, but with a different codename: INDRA.

This facility fell into disrepair in the 1990s and seems to have been closed somewhere before 2002. In the years following 9/11, the old station apparently has been reactivated and expanded to an important satellite intercept mission, and appeared again under its old codename INDRA in the 2012 map. Why this place (or another one?) was called LEMONWOOD in 2002 remains a mystery.

A recent Google Earth image of the INDRA
facility near Khon Kaen, Thailand

Links and Sources
- NRC.nl: NSA infected 50,000 computer networks with malicious software
- DuncanCampbell.org: The embassy spy centre network (updated)
- NYTimes.com: N.S.A. Report Outlined Goals for More Power
