Title: Running Strategic Analytics Affecting Europe and Africa

Release Date: 2014-06-18

Description: This undated presentation from the NSA’s European Cryptologic Center explains some of the activities of the agency’s main European base: see the Der Spiegel article Terrorverdächtige: NSA nutzte Erkenntnisse aus Deutschland-Filiale für Tötungen, 15 June 2014.

Document: (U) Running Strategic Analytics Affecting Europe and Africa

The overall classification of this briefing is:
TOP SECRET//COMINT//REL USA, FVEYS//2D291

Region: Europe, Middle East (Israel), and Africa

ECC

Outline

• (U) Background

• (U) Problem Definition & Challenge

• (U) Our AOR: Europe-Africa

• (U) Examples for Europe-Africa

• (U) Enrichment and Data Flow

• (U) Real-time, batch, XKEYSCORE

• (U) Conclusions

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Terrorists Transit via Europe.

• (U) Communication

• Transit Points

• (U) Partners

• Second Party

• Third Party

• (U) Relationships

• EUCOM

• AFRICOM

• CENTCOM

CONFIDENTIAL//REL USA, FVEYS

(U) Challenge: Integrating Tactical & National Collection

• (C//FVEY) Collection with HF/VHF/UHF

- Digital packets

- Analog comms

- Noise issues, lack of experience with
these types of signals

• (C//FVEY) Tactical versus National
(Strategic) Collection

- RTRG

- DISTILLERY

CONFIDENTIAL//REL USA, FVEYS

(U) Analytics for Targets in Europe

(C//FVEY) OPSEC Savvy Targets

• “... most terrorists stop thru Europe

(TS//FVEY) Use advanced techniques

• Steganography

• Forensics or Analytics on front end

• Encryption

• Takes time and has “black hole” issue

(TS//SI//FVEY) Reliance on “special” collection

• GCHQ and FAA

• Problems processing w/r to TS

TOP SECRET//SI//REL USA, FVEYS

(U) Analytics for Identity Intelligence

• (U) Human Trafficking
- (C//FVEY) Operations from Jordan to Syria in both directions; Sahel
- Metadata for geolocation; content for confirmation

• (U) Weapons Smuggling
- (C//FVEY) From Libya to Sahel
- Metadata for geolocation; content for confirmation

• (U) Drug Smuggling
- (C//FVEY) Sahel and financing of terrorism; Balkans into Europe
- Metadata for geolocation; content for confirmation

• (U) Biometrics & Elections
- (C//FVEY) Used in Africa
- Need collection assets

CONFIDENTIAL//REL USA, FVEYS

(U) Enrichment Sources

• (U) Air Breather, HF & UHF/VHF

• (C//FVEY) Big Pipe & FORNSAT

• (U) Military SIGINT Services

• (U//FOUO) Forensics

• (U) Third Party Sources

• (C//FVEY) Second Party

• GCHQ is critical for mission

CONFIDENTIAL//REL USA, FVEYS

(U) Enrichment: SIGDEV & GCHQ QFDs

[Chart: Account Allocations by TOPI (S2A, S2B, S2C, S2D, F6), March 2012; legible values: 17%, 9%]

(S//FVEY) 54% of current ECC DNI tasking based on QFD data

(S//FVEY) QFDs provide better access to metadata for European & North African targets than any other access at ECC due to poor passive collection

(C//FVEY) Flexibility provided by the use of TDIs and the first stage query allows for better target discovery and development

Slide taken from ECC archives.

SECRET//REL USA, FVEYS

(U) Data Flow Integration is Constant Headache

[Diagram: data flow stages grouped under Access and Exploitation: Signal Acquisition (RF or Optical); Signal Conditioning: Amplification, Distribution; Receiver/Downconverter (RF); Transport; Channel Processing]

SECRET//REL USA, FVEYS

(U) “Real Time” Analytics

(U) Nascent Analytics with unclear definition of “real time”

• How fast is alerting?

(C//FVEY) DISTILLERY

• Pulled from GHOSTMACHINE stack
(U) NIAGARAFILES

• File based

• Starting to gain experience
(C//FVEY) RTRG

• Tools not integrated into ECC

• Data Sets are sparse

• Tactically oriented

• Unregulated alerts can quickly spam user
(C//FVEY) ECC Current Effort:

• Focused on NTOC and Distributed Denial of Service attack alerting

• Uses DISTILLERY

CONFIDENTIAL//REL USA, FVEYS

(U) Batch: MapReduce Analytics

(U) Batch oriented versus streaming

• Run every 15 min to once a day or so

• Not streaming
(U) Good Data Storage

• Good access outward to MDR-1, MDR-2

• Days to years of storage

• Promotion (?)

(U) Complex Analytics like “Pattern of Life”

• Reasonable amount of processing cycles at the front end collection system (not yet tested)

(U) Session can be quite long and still captured (not yet tested)

(U) UUIDs (identifying sessions) are workable
(U) No experience yet sharing with second and third party partners

(U) Unknown level of entry training required

Menwith Will W WHI7BANG

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Xkeyscore Fingerprints

(C//FVEY) Streaming

• Data available one hour later?

• Most do pulls up to yesterday
(U) Good Data Storage

• RAW content: 3 days to a couple of weeks

• Metadata: 90+ days

(U) Complex Analytics like “Pattern of Life”

• Reasonable amount of processing cycles at the front end collection system

(U) Session can be quite long and still captured
(U) UUIDs are workable
(U) Good for sharing with second and third party
(U) Relatively low level of entry training required

CONFIDENTIAL//REL USA, FVEYS

(U) Key Take Aways

• (U//FOUO) Discovery in Africa is based on “we do not know what we do not see”

- Unknown Unknown from url: https://wiki.nsa.ic.gov/wiki/NTOC-E_discovery_tradecraft

• (U) Europe has Opsec savvy CT targets

• (U) Analytics involve partners

- 3rd Party in future

• (U) Limited Resources: Processing Power & BW

UNCLASSIFIED//FOR OFFICIAL USE ONLY

NSA/CSS Europe & Africa

QUESTIONS?

UNCLASSIFIED//FOR OFFICIAL USE ONLY
