December 4, 2021

About Intellipedia and other intelligence wikis from the Snowden trove



For years, the NSA and other US intelligence agencies have their own internal versions of the collaboration tools that most of us are using day-to-day. Documents from some of these tools have been published as part of the Snowden revelations, which allows a closer look.

It turns out that besides the US Intelligence Community's Intellipedia, which was already publicly known, the Snowden trove also contains entries from the NSA's WikiInfo and the British GCWiki, systems that were hitherto unknown.





Intellipedia

The oldest and best known internal collaboration tool used by the US Intelligence Community is Intellipedia, which is similar to the public Wikipedia and uses the same software called MediaWiki.

Intellipedia started as a pilot project at the CIA in 2005 and was formally announced in April 2006. Later it was brought under the Intelligence Community Enterprise Services (ICES) of the Office of the Director of National Intelligence (ODNI).

A big difference with the public Wikipedia is that Intellipedia has three different versions, according to the main classification levels (with the number of users by the end of 2012):
- Unclassified, on the DNI-U network, with some 75.000 users

- Secret, on the SIPRNet network, with some 147.000 users, mostly from the Defense Department and the State Department

- Top Secret/SCI, on the JWICS network, with some 188.000 users, mostly from the intelligence agencies


Each of these Intellipedia versions can be used by both civilian and military employees with appropriate clearances from the 17 agencies of the US Intelligence Community as well as from the US military and other federal government departments.

In 2006, the NSA had only about 20 registered Intellipedia users, the smallest number of any of the big intelligence agencies. At the time, the CIA had the most registered users: more than 200.

An example of the address format of a TopSecret/SCI Intellipedia page is: http://intellipedia.intelink.ic.gov/wiki/Anna_Politkovskaya


An article from the Unclassified version of Intellipedia
This one from the CIA's AIN network
(Click to enlarge)


Intellipedia entries from the Snowden revelations

Probably a bit surprising is that among the numerous Snowden documents there are only five Intellipedia entries. A close look shows that they were published in two forms:

1. Three of the Intellipedia entries are in pdf-format or a pdf-image (or a combination thereof) and in full color, in this case much yellow, which is the color code for information classified as Top Secret/Sensitive Compartmented Information (TS/SCI).

These three entries are this one about Anna Politkovskaya, this one about Air-Gapped Network Threats and this one about BIOS threats.


Intellipedia entry about Anna Politkovskaya

Snowden's username redacted on Intellipedia? (source)


2. Two Intellipedia entries from the Snowden cache don't have color, images and formatting and seem to be a scan or a photo of a printed document, like this entry titled "Manhunting Timeline 2008", which was released by The Intercept in July 2015.

The other entry was published last October by the American journalist Spencer Ackerman and is titled "Targeted Killing: Policy, Legal and Ethical Controversy". This document not only has a very similar form as the "Manhunting Timeline 2008" but is also about the same topic.



Intellipedia entry titled Manhunting Timeline 2008



Intelink

Intellipedia is part of the Intelink network, which was set up in 1994 and also has three versions: for Unclassified, Secret and Top Secret/SCI information. Besides Intellipedia, Intelink also provides a range of other collaboration tools for members of the US Intelligence Community (IC), like:
- Intelink Search
- Inteldocs (shared files)
- IntelShare (the IC's SharePoint)
- Intelink Blogs
- eChirp (IC version of Twitter)
- Jabber (instant messaging)

A more official version of Intellipedia, called Living Intelligence, was created for collaboratively writing official intelligence reports, but this failed because each agency stuck to its own process for writing such reports or "products for their customers".

More succesful is A-Space (or Analytic Space), which is also a common collaborative workspace for analysts of the US Intelligence Community, but unlike the Intelink tools, A-Space can also be used for information classified as GAMMA or HCS. A-Space went live on the JWICS network in 2008 and is managed by the DIA. In July 2013, A-Space was widened to i-Space (Integrated Space) so access is no longer restricted to analysts.


Intelink homepage with icons of the various collaboration tools (source)


Under the huge modernization project called Intelligence Community IT Enterprise (IC ITE or "Eye Sight") the NSA will provide an Apps Mall with collaboration tools that can be used as part of the Desktop Environment (DTE) for all intelligence users.

All the Intelink collaboration tools on the JWICS network are marked NOFORN, which means their content may not be shared with foreign nationals. Therefore, NSA employees apparently prefer their own tools on NSANet which do allow sharing with the other agencies of the Five Eyes partnership.



WikiInfo

The name of one such NSA tool was already found in a very interesting report from 2016 about how the US Intelligence Community uses internal collaboration tools: WikiInfo. This very unimaginative name refers to the NSA's internal wiki, parts of which were published during the Snowden leaks.

WikiInfo runs on NSANet, the network that connects all the Five Eyes signals intelligence agencies, and has a maximum classification level of TOP SECRET//SI-GAMMA/TALENT KEYHOLE//ORCON/PROPIN/RELIDO/REL TO USA, FVEY.

This really long marking says that information on NSANet may include highly sensitive communication intercepts (GAMMA) and intelligence from spy planes and satellites (TALENT KEYHOLE), including material that is closely controlled by the originator (ORCON) or contains proprietary information (PROPIN).

For even more sensitive information that should not be shared with the Five Eyes partners there's a separate platform called WikiInfo-NF (No Foreign nationals).


WikiInfo entries from the Snowden revelations

The Snowden trove provided only 12 WikiInfo entries, which is not much, but still twice the number of Intellipedia pages. Most of them just contain the text of the article, like this one about QUANTUM shooters, but this one shows the full WikiInfo interface, apparently made with a full page screen capture tool:


The WikiInfo interface with an entry about SIGINT targeting scenarios
Note that "Edward snowden" doesn't seem to match the redacted username


WikiInfo is only one of the NSA's own series of internal collaboration tools. Others are Tapioca, JournalNSA, SpySpace, Giggleloop, RoundTable and Pidgin. Tapioca was described as the "impressive NSA system for social networking and collaboration" and combines multiple functionalities. In 2016, Tapioca also got a version on Intelink, making it available for other US intelligence users.



GCWiki

Most wiki entries that have been published during the Snowden revelations, some 23, are actually not from an American system, but from the internal wiki that is used by the NSA's British counterpart GCHQ. This platform is called GCWiki and has a maximum classification level of TOP SECRET STRAP1 COMINT.


An example of the address format for GCWiki pages is: https://wiki.gchq/index.php/TWO_FACE


GCWiki entries from the Snowden revelations

Among the GCWiki entries published as part of the Snowden revelations there are no examples of how the GCWiki interface looks like. All entries are like this article about the PHANTOM PARROT program, which was published by The Intercept in September 2017:


GCWiki entry about the PHANTOM PARROT program

Snowden's username on GCWiki (source)


Besides GCHQ, the other Five Eyes signals intelligence agencies, the Canadien CSEC (now CSE), the Australian DSD (now ASD) and GCSB from New Zealand, also have their own internal wikis, but from these platforms no entries have been published.



What's in the Snowden cache?

Regarding the content of these intelligence wikis, probably most of it is about people, places and events that are of interest for intelligence analysts. But as we can see from the pages that have been published since June 2013, these internal wikis are also used to share more technical information about collection programs and hacking tools.

It's not clear whether Snowden picked out those topics or journalists did so, or in other words: whether or not Snowden also downloaded the complete content of Intellipedia, WikiInfo and GCWiki, like he did with the NSA's internal newsletter SIDtoday. If so, that would have amassed a huge number of files, as in January 2014, the Top Secret/SCI version of Intellipedia alone contained some 113.000 pages.



A final thing to consider is how the Intelligence Community's internal collaboration tools relate to Snowden's exfiltration efforts. As we have seen here, the NSA and the US Intelligence Community both have a whole series of tools, ranging from instant messengers to file sharing systems and almost anything in between.

In his 2016 book Permanent Record, Snowden writes about what he calls "readboards", a kind of digital bulletin boards where each NSA site posted news and updates (p. 220). This sounds a bit like the "shared bookmarking" function which is available on Intelink, according to this diagram:


Collaborative tools used by the US Intelligence Community in 2016
(click to enlarge - source)


Snowden said that he started hoarding documents from all these readboards and then shared this personal collection with his colleagues, as a justification, or "the perfect cover", for collecting material from more and more sources.

This system, which Snowden called Heartbeat, also pulled in the full documents so NSA Hawaii would still have access to them in case they would be disconnected from NSA headquarters. And, according to Permanent Record: "Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat" (p. 221-222).

Heartbeat isn't mentioned in the diagram above, which makes sense because if the system existed like Snowden described it was probably only used at NSA Hawaii and not throughout the NSA as a whole - and most likely completely abolished after he left the agency.



Links and sources
- SpyTalk: Classified US Intelligence Chat Rooms a 'Dumpster Fire' of Hate Speech, Says Ex-NSA Contractor (2022)
- The Atlantic: The Government’s Secret Wiki for Intelligence (2017)
- Wired: The Wikipedia for Spies—And Where It Goes From Here (2017)
- Center for Strategic and International Studies: New Tools for Collaboration. The Experience of the U.S. Intelligence Community (2016)

No comments:

Post a Comment