Title: IR.21 – A Technology Warning Mechanism

Release Date: 2014-12-04

Document Date: 2010-01-08

Description: This 19-page NSA paper, delivered at the 2010 Five Eyes SIGDEV conference, gives a technical explanation of the importance of sourcing mobile carriers’ roaming agreements (IR.21): see the Intercept article Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide, 4 December 2014. ir21-a-technology-warning-mechanism

Document: (S//REL TO USA, FVEY ) IR.21 - A Technology

Warning Mechanism

SDC2010


SSG4/T3C Technical Director

Derived From: NSA/CSSM 1 -52
Dated: 20070108
Declassify On: 20341201

TOP SECRET//COMINT//REL TO USA, FVEY

Classification

► This briefing is classified:

► TOP SECRET//COMINT//REL TO USA, FVEY//



TOP SECRET//COMINT//REL TO USA, FVEY

(U//FOUO) Today’s Agenda

► (U) Emerging Operating Model for Trends and Forecasting

► (U) Wireless Evolution Paths

► (S//REL TO USA, FVEY) Analytic Framework

► ...and Process

► (S//REL TO USA, FVEY) Meet AURORAGOLD

► (U) An Invitation to Join - Your Use Cases.

► Includes Home Work Assignments ...



TOP SECRET//COMINT//REL TO USA, FVEY

(U//FOUO) Effective Forecasting:
Geopolitical Regions and Targets











How should discovery inform
what targets/geographies we
focus on next?

How do we discover target
adoption of a technology?

What products/services do w
produce for which customers
What is workforce makeup
and how are they distributed?
What role do partners play?

Regions &
Targets

Discovery ^

SIGINT

PLANNING

CYCLE

Delivery

Capabilities

What geographies are of national interest to our
customers?

What organizations and individuals must we
target to answer our customers' questions?

How does those targets communicate?

Vulnerabilities

What capabilities do we need to develop to take advantage of technology
vulnerabilities?

What techniques to do we deploy to take advantage of those vulnerabilities (e.g.
CNE, supply chain, mid-point, etc.)

What role does enabling, cooperative access, HUMINT, 2nd parties, etc. play in
building those capabilities?

How is technology evolving?
How are technology and
telecoms evolving in regions of
interest?

How do we expect targets to
use emerging technologies?
What is the SIGINT threat of
these emerging technologies?

What vulnerabilities are critical to
current success (i.e. where are our
risk areas)?

How do we discover vulnerabilities?
How do we introduce vulnerabilities
where they do not yet exist?









TOP SECRET//COMINT//REL TO USA, FVEY

(u)Two Types of Investigations

► (S//REL TO USA, FVEY) Horizon Scanning

► Objective: Initial identification and assessment

► All source research

► Answer the question: Does this technology appear to be a large risk
to the SIGINT system? Why or why not?

► (s//relto usa, fvey) Deep Dive

► Objective: Cause a funding decision(s)

► All source research; emphasis on geographic uptake trends; target
uptake plans or vignettes.

► Answer the question: Are SIGINT targets taking up this technology?
How fast?

► Implicitly contrast the above with the cost and time needed to
remediate any SIGINT system shortfalls.



TOP SECRET//COMINT//REL TO USA, FVEY

(U) Trends and Forecasts: A
Geo-temporal Tracking Problem

► (U) Forecast:

► “An estimation of a Future Condition” ...

► “To calculate or predict some future event or condition usually
as a result of the analysis of available pertinent data”

► (U) Trend:

► “To extend in a general direction; follow a general course”

-Merriam Webster

► (U) By necessity, a trend-line requires measurement of
understood variables across time.



TOP SECRET//COMINT//REL TO USA, FVEY

(U) Roaming Agreements

► (U) Allow a mobile subscriber to use resources on a visited

network

► Each carrier's IR.21 is a technical document that:

► Describes the operator itself in various ways

□ Location, business codes, etc.

► Describes access to the IP network of the operator

□ DNS, IP addresses, ASN, etc.

► Describes:

□ Radio Access Network: technology(ies) type(s)

□ Frequency(ies)

□ Telephony routing information (MSISDN ranges; E.212)

□ SCCP gateways (Point codes)

□ Mobile Application Part protocol in use

□ Hardware, software versions of certain network elements...

► (s//relto usa, fvey) Hypothesis: We can identify and track a carrier's
technical evolution with IR.21 and other data.



TOP SECRET//COMINT//REL TO USA, FVEY

(U) 3G Wireless Standards
Evolution - Overview

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

-I------1-----U------1------1------1---I---------------1------U

TOP SECRET//COMINT//REL TO USA, FVEY

(U) And What About 4G?

► (U) IMT-adv is an ITU led effort to set requirements for next gen. mobile

networks

► Just as ITU’s IMT-2000 defined 3G, ITU’s IMT-adv will define 4G

TOP SECRET//COMINT//REL TO USA, FVEY

(U) Framework for Analysis...





(U)3GPP: Defines technology migration paths.

► “Releases” - A Clear Technology Roadmap

□ 3G begins with Release 99

□ Other releases: 04, 05, 06, 07, 08, 09, .... 10, 11 (future)

See: www.3gpp.org/ftp/Information/WORK_PLAN/Description_Releases/

□ Releases cover:

□ Access: GSM, EDGE, HSPA, LTE, LTE-Advanced, etc.

□ Core: GSM Core, Enhanced Packet Core.

□ Services: MS, etc.

(U)GSMA: Defines carrier information exchange required
to enable roaming

□ Changes to IR.21 format warn of imminent technology roll-out

□ An IR.21 is a GSMA-mandated document. IR.21 are exchanged between Wireless
operators with roaming agreements, to the GSMA, and to certain clearing house
operations.



TOP SECRET//COMINT//REL TO USA, FVEY

(U) Analytic Process

► (s//rel to usa, fvey) Data analysis process is to match information in
IR.21, or elsewhere, against Releases in the Technology
Roadmap

□ Example: CAMEL Phase 4 (aka CAMEL4) as proxy for Release 5 deployment

► (s//rel to usa, fvey) Analytic goals:

► Establish a date-time for a release deployment

► Track releases at the per network level

► Display status at the national, regional, hemispheric or global scale

► Measure speed of adoption at each scale

► Identify early and late adopter tendencies by network

► (s//relto usa, fvey) Deliverables:

► Adoption trends over time

___► Forecasts derived from trends and framework changes

^ ► Formal reporting of data and conclusions!-, as a dataset

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) Data Flow

and Process Overview

File
Output
*
Querying

©


SCORPIOFORE; SIGINT Reporting
T ©

Numbers in red are for reference only



21 May 2010

oo

Supplementary Outputs:

1. Strong Selector and Tasking Management

2. Some selectors back to AGR inputs for tasking

3. Information outputs to other systems (i.e. RONIN)

4. "Other?? N T//REL TO USA FVEY

“AUTO”-

MINIMIZATION

CD

(TS//SI//REL TO USA, FVEY)

TOP SECRET//COMINT//REL TO USA, FVEY

What Is Done Today

0

File
Output
*
Querying

©


SCORPIOFORE; SIGINT Reporting
T ®

Numbers in red are for reference only



21 May 2010

oo

Supplementary Outputs:

1. Strong Selector and Tasking Management

2. Some selectors back to AGR inputs for tasking

3. Information outputs to other systems (i.e. RONIN)
4.1 "Other?? N T//REL TO USA FVEY

“AUTO”-

MINIMIZATION

CD

TOP SECRET//COMINT//REL TO USA, FVEY

(S//REL TO USA, FVEY) Information

Delivery Vehicles - At NSA

► (S//REL TO USA, FVEY) Worldwide Wireless Market information: T3C
-> packaged for WPMO consumption

□ Drives its portfolio investment planning process

□ Affects ~80% of the portfolio (2009), per customer.

► (U)Various and sundry others ...



(TS//SI//REL TO USA, FVEY)

TOP SECRET//COMINT//REL TO USA, FVEY

Future Implementation

©

Numbers in red are for reference on



21 May 2010

TOP SECRET//COMINT//REL TO USA, FVEY

(U) Information - Now What?

► (s//relto usa, fvey) Make the data useable

► Available in or out of the SIGINT production chain

► Attach flows to value-adding chains and processes

► Deliver as a data-set

► Recognize other data sets exist and also are part of analytic processes
(federation anybody?)

► (s//relto usa, fvey) Make the data traceable

► Includes auto-sourcing of data origin

► Time-stamping

► (s//relto usa, fvey) T3C will do technology trending and warning...

► (U) Would your analytic processes benefit from this data set?



TOP SECRET//COMINT//REL TO USA, FVEY

(u)Your Invitation to Join

► (U) We are few; we welcome partnership.

► Can you help?

► Do you have a better way?

► Let’s pull together!!

► (TS//SI//REL TO USA, FVEY) We are preparing to measure the breadth

of our access to IR.21 documents...

► Goals:

□ Do we cover all 3GPP networks?

□ Tweak access

□ Tweak selectors

_____► Indexer will provide PWID for all identified IR.21, after dedupe.



TOP SECRET//COMINT//REL TO USA, FVEY

(u)What Are Your Use Cases?

► (S//REL TO USA, FVEY) This is your segment—to make the

notetaker’s job simpler please categorize your use case;
describe impact:

► A) IP Network

► B) Call Control - Switched Voice

► C) Hardware model and software version information

□ Group Discussion....



► (U) Thank you for your time and contributions

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh