Title: DFS SIGINT-enabled Cyber

Release Date: 2018-05-19

Document Date: 2013-02-01

Description: This February 2013 slide deck from Japan’s DFS (Directorate for Signals Intelligence), accompanied by speaking notes, outlines MALLARD, a DFS programme for using sigint to detect cyber-threats and includes a detailed history of US-Japanese cooperation on the project. This is the first document from DFS ever to have been published: see the Intercept article The […]

Document: 0

SPECIFIED TOP SECRET

DFS SIGINT-enabled Cyber History

1. Jan 2012, Director General Defense Policy Bureau visited the US and
received explanation about the US SIGINT-enabled cyber structure.
Afterwards, DSRJ offered MOD an explanation about SIGINT-enabled cyber.

2. Mar to May 2012, several study meetings with DSRJ

• Early May 2012, MOD decided to promote the SIGINT-enabled cyber
project.

• End of May 2012, Director JDIH visited NSA HQ and had a intimate
discussion with DIRNSA.

__________________________SPECIFIED TOP SECRET_________________________]_

It is my honor to visit the HQ for the second time and give you a briefing.

I would like to learn a lot about your SIGINT cyber operation and reflect it to DFS
future project.

Let me start explanation about DFS SIGINT-enabled cyber operation.

First, I'll talk about the history.

In January 2012, Director General Defense Policy Bureau visited the US

and received explanation about the US SIGINT-enabled cyber structure. After
that, DSRJ offered MOD an explanation about SIGINT-enabled cyber, and MOD
and DFS started working on cyber.

Between March and May 2012, several study meetings with DSRJ were held.

In early May 2012, DFS decided to promote the SIGINT-enabled cyber project. At
the end of May, Director JDIH, visited NSA HQ and had a intimate

discussion with GEN Alexander, DIRNSA, and both were aware of necessity to
cooperate in SIGINT-enabled cyber operation.

1

SPECIFIED TOP SECRET

History (continued)

3. Jun to Nov 2012, preparation to promote the project, as well as coordination for assistance
from the US side.

• APC/SPC Jun 2012, exchanged opinions regarding promotion of SIGINT-enabled cyber
project.

• End of Jul 2012, DFS established a task force to proceed the project.

• Early Nov 2012, relation with relevant organizations within MOD to promote the SIGINT-
enabled cyber operation was established.

• In mid Nov 2012, DFS obtained specific materials regarding attacks against MOD network

4. In mid Nov 2012, Director DFS visited the US and received explanation at NSA about
SIGINT-enabled cyber organization in the US.

SPECIFIED TOP SECRET

From June to November 2012, we worked on preparation to promote the
project, as well as coordination for assistance from the US side.

At the APC/SPC June 2012, NSA and DFS exchanged opinions regarding
promotion of SIGINT-enabled cyber project in DFS. DFS appreciate the US
positive reactions to the Action Items.

At the end of July 2012, DFS established a task force to proceed the project.

In early November 2012, relation with relevant organizations within MOD to
promote the SIGINT-enabled cyber operation was established.

Thanks to this relationship, DFS obtained specific materials regarding attacks
against MOD network in mid November 2012, and sent them to the US side
in order to request advices for collection.

In mid November 2012,

Director DFS, visited the US and

received explanation at NSA about SIGINT-enabled cyber organization in the
US, which was of help to consider the future DFS organizational structure.

2

]j History (continued)

SPECIFIED TOP SECRET

5. In Dec 2012, DFS started own SIGINT-enabled cyber operation, using
attack-related information provided by J6.

• From early Dec 2012, analysis of presence of threat information to MOD
(MALLAD collection).

• Requested the US for information about SIGINT-enabled cyber related
carriers.

Early Jan 2013, MALLARD collected

We collected on

a mail which matched with information from J6.

3

In December 2012, DFS started own SIGINT-enabled cyber operation, using
attack-related information provided by J6.

Initially, in early December 2012, DFS analyzes MALLARD collection with the
support from the US side to determine if there is threat information.

Especially, since the end of December 2012, DFS has a meeting with DSRJ almost
every week and received explanation about how specific selectors would be
loaded, and is doing collection and analysis.

However, we have not got any hit, probably because sustained targets at
MALLARD ^^^^^^|closed networks.

Therefore, DFS asked the US for information about SIGINT-enabled cyber related
carriers.

In early January 2013, MALLARD attempted collection againstwhich
DFS conducted augmented collection when Misawa was damaged by the
Northeastern Japan Great Earthquake.

We collected on a mail that matched with information from J6 which

was a relay information of a mail attacking the MOD network.

3

SPECIFIED TOP SECRET

History (continued)

6. Thanks to support from NSA and DSRJ, DFS has reached to the starting

point for SIGINT-enabled cyber operation.

Cycle operation with selector update and SIGINT cyber collection is started

With further cooperation with NSA, great progress could be achieved.

SPECIFIED TOP SECRET

We believe that DFS has reached to the starting point for SIGINT-enabled
cyber operation, thanks to NSA's support and in-country effort by DSRJ.

"Cycle operation" with selector update and SIGINT cyber collection has been
started.

With further cooperation with NSA, we believe that great progress could be
achieved in the future.

4

SPECIFIED TOP SECRET

History (continued)

5

This slide depicts the aforementioned process we have taken so far.

5

SPECIFIED TOP SECRET

Project (2013-)

1. Collection equipment

End of March 2013, five small aperture antennas FOC.

From Apr, one of them is to be operated in 24/7 for SIGINT-enabled cyber.

2. Anonymous Internet

Preparation is ongoing to start operation on Oct 2013 (Budget acquired).

SPECIFIED TOP SECRET

Now, I will explain about our project in and after 2013.

With regard to collection equipment, five small aperture antennas are
scheduled to be operational at the end of March 2013. One of them is
scheduled to be operated in 24/7 for SIGINT-enabled cyber operation from
April.

As to anonymous Internet, DFS already acquired budget, and preparation to
start operation is ongoing aiming at IOC in October 2013.

6

SPECIFIED TOP SECRET

Project (continued)

3. Structure

Organizing SIGINT-enabled cyber in 2013.

(Additional employees in MALLARD office at Ichigaya and Tachiarai)

4. Long-term Project
• Related project

End of March 2016, MALLARD system upgrade

WN system upgrade (MALLARD-type equipment)
> At the same time, budget request for reinforcement of SIGINT-enabled
cyber capability.

Being authorized to organize SIGINT-enabled cyber structure, additional
employees are scheduled to be assigned at MALLARD office in Ichigaya and
Tachiarai.

In long-term perspective, by the end of March 2016, MALLARD system
upgrade as well as WN system upgrade, i.e. introduction of MALLARD type
system, are scheduled.

At the same time as these upgrade, we are to make a budget request for
reinforcement of SIGINT-enabled cyber capability.

7

SPECIFIED TOP SECRET

Challenges and Request to the US side

1. MALLARD current status and SIGINT-enabled cyber collection

(1) Traditional SIGINT collection

Approx. 200K sessions/ Iweek (Storage period: 2 months)

(2) SIGINT-enabled cyber collection

related ISP)

Approx. 500K sessions/1 hour (Storage period: possibly <= 1 week)

Challenges and request to the US side.

First, MALLARD current status and SIGINT-enabled cyber collection.

MALLARD was originally introduced for traditional SIGINT collection, and is
conducting about 200K sessions in a week. Data is saved for approx, two months.
As DFS does research and analysis during that period, if preservation time is
shortened, it will affect SIGINT operation at DFS.

As I explained in the history, DFS

ISP carrier on

to collect SIGINT-enabled cyber data from this January. The number
of collected sessions reached to about 500K in one hour. Keeping this pace,
MALLARD data storage period might be less than one week.

As it affects our SIGINT operation, we are not able to do sustained collection for
SIGINT-enabled cyber.

8

SPECIFIED TOP SECRET

Challenges and Requests (continued)

2. Necessity of consideration including how MALLARD should be operated.
(We would like to see processing procedure which the US side employs in
order not to affect traditional SIGINT collection.)

Considering about importing cyber-related case notations and other case
notations into separate servers.

SPECIFIED TOP SECRET

Thus, we are facing necessity of consideration including how MALLARD
would be operated.

DFS is considering about importing cyber-related case notations and other
case notations into separate servers.

We would like to see processing procedure which the US side employs in
order not to affect traditional SIGINT collection, and would appreciate your
technical assistance.

Let me add that we had a meeting with DSRJ last Thursday and they
explained about possible solutions further examination. We felt assured and
are looking forward solutions.

9

SPECIFIED TOP SECRET

Challenges and Requests (continued)

3. Collection target for SIGINT-enabled cyber

Pursuit of effectiveness in SIGINT-enabled cyber information collection.

While the number of antennas DFS possess is very limited, DFS

contribution to SIGINT-enabled cyber is highly expected.

DFS ask the US for information on carriers which has cyber related data

SPECIFIED TOP SECRET

Regarding collection target for SIGINT-enabled cyber,

While the number of antennas DFS possess is very limited compared to the
US, DFS contribution to SIGINT-enabled cyber is highly expected by both
inside and outside of DFS.

As we need to pursue effectiveness in SIGINT-enabled cyber collection, DFS
asked the US for information on carriers which has cyber related data.

10

SPECIFIED TOP SECRET

SIGINT-enabled Cyber Operation Work Flow

CIRO

Info related to



attacks targeting

other than MOD

MOD

DFS

Firewall settings
Development of
countermeasures

Discover indications of
cyber attacks

Provide attack-

Reflect

related information

analysis

Calling users attention

Analysis of collected
information

result

Malware analysis

SIGINT ejection

Monitor cyber attacked

Collection, storage and
analysis of attack related
information

Load selectors

Provide attack-

related information

nformation form

CIRO

SPECIFIED TOP SECRET

DFS SIGINT-enabled cyber operation flow is depicted here.

J6 roles and functions showed in left include our assumptions, because J6
function is not disclosed to us. Their function include refining FW setting, alert
users, malware analysis, cyber monitor and collection, storage and analysis
of attack related information.

With attack information provided by J6, we load selectors, collect and
analyze SIGINT, reflect analysis result to selectors. In this cycle, we hope to
discover indications of cyber attack and provide J6 with threat information.

11

SPECIFIED TOP SECRET

Future SIGINT-enabled Cyber Operation

DFS SIGINT-enabled cyber operation is at an experimental stage.

DFS will make every effort to go it alone and develop further, so

that it can provide information to Japanese costumers as well as to

the US side.

SPECIFIED TOP SECRET

Lastly, future SIGINT-enabled cyber operation.

DFS SIGINT-enabled cyber operation is at an experimental stage.

DFS will make every effort to go it alone and develop further, so that it can
provide information to Japanese costumers as well as to the US side.

For the future SIGINT-enabled cyber operation, we would appreciate the US
cooperation. Thank you for your kind attention.

12

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh