In the period between the election and the inauguration, a new US president is prepared to take over the administration, and for that he is briefed by numerous agencies and officials.
Here I will present some interesting topics from the extensive 2009 Presidential Transition Book (pdf), which the NSA had prepared for Barack Obama, who had been elected president on November 4, 2008.
Context
The NSA's briefing book was published in May 2017 by the National Security Archive as part of its Cyber Vault. This set contains 42 declassified documents about cyber issues and also includes a 42-page Transition 2001 briefing (pdf) which the NSA had prepared for incoming president George W. Bush.
The 2009 Presidential Transition Book (pdf) for Obama was declassified on April 13, 2016 and has no less than 289 pages from a binder. It combines various documents and briefing materials from 2006 to 2008, some of them quite highly classified and therefore still heavily redacted.
Despite the redacted portions, the book provides a good and detailed introduction to the NSA and its activities, but with its 289 pages it sometimes goes well beyond what the president and his staff had to know, like the highly detailed acquisition and procurement plans of the agency. (p. 154ff)
Communications monitoring
A little-known NSA unit is the Joint Communications Security Monitoring Activity (JCMA), which was part of the NSA's former Information Assurance (IA) directorate.
The JCMA consists of a Headquarters Operations Center at Fort Meade and six Regional COMSEC Monitoring Centers, located at Menwith Hill Station (MHS) in the UK, Stuttgart in Germany, an undisclosed location, Camp Smith in Hawaii, and Fort Gordon in Georgia. (p. 36)
These JCMA units monitor the unclassified communications of US military and government entities to determine if critical information has been disclosed or if other vulnerabilities exist that adversaries could exploit. (p. 36)
According to the transition book the "Attorney General-approved procedures (and Federal law) permit monitoring with consent, and NSA/CSS ensures that personnel are notified of the possibility of monitoring and that all required consents have been obtained before such monitoring can begin." (p. 49)
Label on an Integrated Services Telephone (IST) for both classified and unclassified phone calls
Cyber defense
Several parts of the 2009 Presidential Transition Book are about "Defending Vital Networks", which at that time was already a high-priority issue.
The NSA saw a central role for itself, because "Insights and information gained from the Signals Intelligence mission, combined with the expertise and capabilities offered by the Information Assurance mission, make NSA/CSS a key player in defending vital networks against the threats of the Internet age." (p. 30)
Accordingly, the NSA was one of over 20 federal departments involved in the Comprehensive National Cybersecurity Initiative (CNCI), or simply the "Cyber Initiative", which was established by president George W. Bush in January 2008 and was continued by president Obama.
The CNCI "seeks to address current cybersecurity threats and anticipate future threats and technologies in order to prevent, deter, and protect the U.S. Federal government (.gov) domain against cyber intrusions. The strategy includes establishing shared situational awareness across the federal government." (p. 32)
The exact way in which the NSA contributes to the CNCI is redacted, but some of its unclassified contributions are:
- "Threat analysis provides a comprehensive understanding of the intentions, capabilities, and activities of the adversary."
- "Activity analysis allows for the discovery of unknown, significant intrusion activity, in-depth analysis of known intrusion sets, and trend analysis."
- "Network analysis and cyber target development efforts monitor, characterize, and report on foreign digital networks, organizations and personas in cyberspace." (p. 32-35)
An intriguing issue is that in other NSA documents the notorious Utah Data Center is called an "Intelligence Community Comprehensive National Cybersecurity Initiative Data Center", but the Transition Book doesn't contain a single unclassified reference to what the purpose of such a CNCI data center would be (neither do the Snowden documents).
However, the Transition Book does emphasize that "All of our responsibilities under the CNCI are within our existing authorities and missions, i.e., SIGINT, Information Assurance, enabling network warfare under JFCC-NW, and providing technical assistance to other federal agencies. The vast majority of our work under the CNCI is work we are already doing under our Transformation 3.0." (p. 100)
Transformation 3.0
The 2009 Presidential Transition Book seems to be the first document that provides an elaboration of "Transformation 3.0" or T3.0. This appears to be a strategic technology plan meant to "distribute our processing capabilities throughout the global enterprise and to unify our missions."
And to "achieve these goals, we are creating a cooperative and concerted real-time exploit-attack-defend capability [redacted]. T3.0 connects analysts, missions partners, clients, sensors, systems, and information on a global scale through a robust, secure, and distributed network." (p. 60)
(Upon request of The Black Vault, an Intellipedia page about Transformation 3.0 was declassified in 2018, but again most parts have been redacted)
Transformation 3.0 comes after two earlier Transformations of the NSA, which apparently took place in the 1990s and the early 2000s:
"T1.0 - Modernization
Following the cold war, T1.0 improved corporate business processes, shaped the workforce, modernized technology, and updated operations - better positioning the Agency to grapple with varied threats and emerging technology."
"T2.0 - Collaboration
Following 9/11/2001, T2.0 began to move NSA/CSS from a paradigm of "need to know" to "need to share", both within NSA and with our clients and partners. T2.0 began to merge the Signals Intelligence and Information Assurance missions together as one, providing on-site support and tailored services - which enabled NSA/CSS to fashion new relationships for the new world order, redrawing distinctions between national and tactical, producer and consumer, collector and operator."
"T3.0 - [redacted]
Today, NSA/CSS is focused on the [redacted]. The intention is to create cooperative, interoperable, real-time Exploitation/Defense/attack-enabling (E/D/enA) capabilities [redacted]" (p. 123)
Transformation 3.0 was comprised of three parts: "(1) Mission Modernization, (2) Infrastructure Modernization (comprising significant improvement in Power, Space and Cooling (PS&C) and Information Technology (IT) Modernization efforts, both described earlier) and (3) Workforce Modernization." (p. 125)
T3.0 is briefly mentioned in some documents from the Snowden trove, for example this one that says that the initiative started in 2006, and another one saying that the objective of T3.0 was nothing less than "Global Network Dominance" and that a crucial piece was the Remote Operations Center (ROC), which manages and operates the NSA's rapidly growing array of hacking operations.
The Presidential Transition Book also includes a copy of an internal briefing about the Transformation 3.0 plan, which is almost completely redacted. (p. 79ff)
This briefing slide from the Transition Book repeats that an important part of T3.0 was to "create cooperative, interoperable, real-time Exploitation, Defense and attack-enabling capabilities" which reminds us of the NSA's TURBULENCE program. TURBULENCE was first reported on in 2007 and was the successor of the TRAILBLAZER project.
TURBULENCE was/is an umbrella program with at least 7 components, including TURMOIL for passive collection from high-speed data links and TUTELAGE, which detects and blocks cyberattacks directed against the computer networks of the US Defense Department.
Even more interesting is TURBINE, which can initiate a semi-automated process in which an implant from the NSA's Computer Network Exploitation (CNE) system QUANTUMTHEORY is installed on a target's computer system.
With these three components, TURBULENCE integrates all three capabilities of Transformation 3.0: TURMOIL for exploitation, TUTELAGE for defense and TURBINE for attack-enabling.
Slide about the TURBULENCE program from the Snowden files
Research program
Another chapter in the 2009 Presidential Transition Book is about the efforts of the NSA's Research Directorate (RD):
"Since 2003, the NSA Research Program has been structured around four important mission thrusts which drive our advanced research efforts.
"Owning the Net.
This denotes our goal to dominate the global computing and communications network. Research will develop tools and techniques to access, at will, any networked device for offensive or defensive purposes."
"Coping with Information Overload.
We must turn the massive amount of information on the global network into a strategic asset, rather than an obstacle. Under this thrust, Research will develop capabilities to present the most valuable information, organized to make sense to analysts so that they can perform their tasks in a more efficient and effective manner."
"Ubiquitous, Secure Collaboration.
The focus here is to provide the techniques and technology to allow diverse users - within the government and with our industrial and international partners - to work collaboratively and securely across multiple domains and different environments."
"Penetrate Hard Targets.
Penetrating hard targets provides the technological solutions to enable new access, collection and exploitation methodologies against the nation's toughest intelligence targets. The research Directorate provides foundational and advanced mathematics that contribute innovative solutions to all of the above mission thrusts." (p. 69)
The NSA's Research and Engineering (R&E) Building at Fort Meade
NSA workforce
The exact number of people working at US intelligence agencies was always classified, but surprisingly, the 2009 Presidential Transition Book provides some very detailed figures.
It says that, probably in 2008, NSA/CSS employed 36,371 people worldwide, with 52% of them civilians (18,849) and 48% active-duty military and civilian personnel of the armed services (17,522).
68.8% of the NSA's civilian workforce had a bachelor's degree or higher, 40.7% were women, 17.7% members of a minority and 3.8% were persons with disabilities. The average age of the civilian workforce was 43.6 years. (p. 58-59)
A separate chapter titled "NSA/CSS Footprint" provides detailed information charts about the NSA's four regional Cryptologic Centers, including the names of their commanders, partial organizational charts and numbers about their workforce, with actual numbers for 2008 and projected numbers for 2012 and 2015. Below are the actual numbers for 2008: (p. 185ff)
- NSA/CSS Georgia (codename SWEET TEA):
2930 employees: 368 civilians, 42 service civilians, 2173 military, 347 other (foreign or IC partner, contractor)
- NSA/CSS Hawaii:
3054 employees: 224 civilians, 121 service civilians, 2582 military, 127 others
- NSA/CSS Texas (codename BACONRIDGE):
2136 employees: 246 civilians, 56 service civilians, 1689 military, 145 other.
- NSA/CSS Colorado:
1324 employees: 233 civilians, 4 service civilians, 976 military, 115 contractors.
> See also The NSA's regional Cryptologic Centers
Finally, the 2009 Presidential Transition Book ends with the biographies of over 30(!) top officials of the NSA, all of which have been fully redacted, except for those of the director (Keith B. Alexander), the deputy director (John C. Inglis) and the chief of staff (Deborah A. Bonanni). (p. 243ff)