Documents
DFS briefing Feb 2013
May 19, 2018
DFS SlGINT-enabled Cyber
February 2013
DFS SlGINT-enabled Cyber
February 2013
It is my honor to visit the HQ for the second time and give you a briefing.
I would like to learn a lot about your SIGINT cyber operation and reflect it to DFS
future project.
Let me start explanation about DFS SIGINT-enabled cyber operation.
First, I’ll talk about the history.
In January 2012, Director General Defense Policy Bureau
visited the US
and received explanation about the US SIGINT-enabled cyber structure. After
that, DSRJ offered MOD an explanation about SIGINT-enabled cyber, and MOD
and DFS started working on cyber.
Between March and May 2012, several study meetings with DSRJ were held.
In early May 2012, DFS decided to promote the SIGINT-enabled cyber project. At
the end of May,
, Director JDIH, visited NSA HQ and had a intimate
discussion with GEN Alexander, DIRNSA, and both were aware of necessity to
cooperate in SIGINT-enabled cyber operation.
1
It is my honor to visit the HQ for the second time and give you a briefing.
I would like to learn a lot about your SIGINT cyber operation and reflect it to DFS
future project.
Let me start explanation about DFS SIGINT-enabled cyber operation.
First, I’ll talk about the history.
In January 2012, Director General Defense Policy Bureau
visited the US
and received explanation about the US SIGINT-enabled cyber structure. After
that, DSRJ offered MOD an explanation about SIGINT-enabled cyber, and MOD
and DFS started working on cyber.
Between March and May 2012, several study meetings with DSRJ were held.
In early May 2012, DFS decided to promote the SIGINT-enabled cyber project. At
the end of May,
, Director JDIH, visited NSA HQ and had a intimate
discussion with GEN Alexander, DIRNSA, and both were aware of necessity to
cooperate in SIGINT-enabled cyber operation.
1
From June to November 2012, we worked on preparation to promote the
project, as well as coordination for assistance from the US side.
At the APC/SPC June 2012, NSA and DFS exchanged opinions regarding
promotion of SIGINT-enabled cyber project in DFS. DFS appreciate the US
positive reactions to the Action Items.
At the end of July 2012, DFS established a task force to proceed the project.
In early November 2012, relation with relevant organizations within MOD to
promote the SIGINT-enabled cyber operation was established.
Thanks to this relationship, DFS obtained specific materials regarding attacks
against MOD network in mid November 2012, and sent them to the US side
in order to request advices for collection.
In mid November 2012,
, Director DFS, visited the US and
received explanation at NSA about SIGINT-enabled cyber organization in the
US, which was of help to consider the future DFS organizational structure.
2
From June to November 2012, we worked on preparation to promote the
project, as well as coordination for assistance from the US side.
At the APC/SPC June 2012, NSA and DFS exchanged opinions regarding
promotion of SIGINT-enabled cyber project in DFS. DFS appreciate the US
positive reactions to the Action Items.
At the end of July 2012, DFS established a task force to proceed the project.
In early November 2012, relation with relevant organizations within MOD to
promote the SIGINT-enabled cyber operation was established.
Thanks to this relationship, DFS obtained specific materials regarding attacks
against MOD network in mid November 2012, and sent them to the US side
in order to request advices for collection.
In mid November 2012,
, Director DFS, visited the US and
received explanation at NSA about SIGINT-enabled cyber organization in the
US, which was of help to consider the future DFS organizational structure.
2
(R) SPECIFIED TOP SECRET
History (continued)
5 In Dec 2012. DFS started own SlGINTeenabled cyber operation, uslng
attackrrelated Information provided by J6
- From early Dec 2012, of presence of threat lnformatlon to MOD
(MALLAD collection)
- Requested the us for Informatlon about SlGINTrenabled cyber related
carriels
- Early Jan 2013. MALLARD collected --
- We collected on- a mail which matched information from J6
SEEIFIED roP m1 3
In December 2012, DFS started own SIGINT--enabled cyber operation, using
attack-related information provided by JG.
Initially, in early December 2012, DFS analyzes MALLARD collection with the
support from the US side to determine if there is threat information.
Especially, since the end of December 2012, DFS has a meeting with DSRJ almost
every week and received explanation about how specific selectors would be
loaded, and is doing collection and analysis.
However, we have not got any hit, probably because sustained targets at
networks.
Therefore, DFS asked the US for information about SlGINT--enabled cyber related
carriers.
In early January 2013, MALLARD attempted collection against-- which
DFS conducted augmented collection when Misawa was damaged by the
Northeastern Japan Great Earthquake.
We collected on_ a mail that matched with information from J6 which
was a relay information of a mail attacking the MOD network.
(R) SPECIFIED TOP SECRET
History (continued)
5 In Dec 2012. DFS started own SlGINTeenabled cyber operation, uslng
attackrrelated Information provided by J6
- From early Dec 2012, of presence of threat lnformatlon to MOD
(MALLAD collection)
- Requested the us for Informatlon about SlGINTrenabled cyber related
carriels
- Early Jan 2013. MALLARD collected --
- We collected on- a mail which matched information from J6
SEEIFIED roP m1 3
In December 2012, DFS started own SIGINT--enabled cyber operation, using
attack-related information provided by JG.
Initially, in early December 2012, DFS analyzes MALLARD collection with the
support from the US side to determine if there is threat information.
Especially, since the end of December 2012, DFS has a meeting with DSRJ almost
every week and received explanation about how specific selectors would be
loaded, and is doing collection and analysis.
However, we have not got any hit, probably because sustained targets at
networks.
Therefore, DFS asked the US for information about SlGINT--enabled cyber related
carriers.
In early January 2013, MALLARD attempted collection against-- which
DFS conducted augmented collection when Misawa was damaged by the
Northeastern Japan Great Earthquake.
We collected on_ a mail that matched with information from J6 which
was a relay information of a mail attacking the MOD network.
We believe that DFS has reached to the starting point for SIGINT-enabled
cyber operation, thanks to NSA’s support and in-country effort by DSRJ.
“Cycle operation” with selector update and SIGINT cyber collection has been
started.
With further cooperation with NSA, we believe that great progress could be
achieved in the future.
4
We believe that DFS has reached to the starting point for SIGINT-enabled
cyber operation, thanks to NSA’s support and in-country effort by DSRJ.
“Cycle operation” with selector update and SIGINT cyber collection has been
started.
With further cooperation with NSA, we believe that great progress could be
achieved in the future.
4
(R)
GBP5 History (continued)
FV m: 2012 2013
May Jun Iul All:xpmum m. mm:
9an mm sme .. momma" nanDFS manta DPS "Inland-Ink CM
SIGINYV m, a -Im.
mm um. my
m.
Ramon rem-m
Mm"! away-Inflow; MIMI MOD In bum
~5qu macaw MI m,
we" mm Mushy mm mm mm
ammo" I I .1
oFsomIM awn-lam mummy an
mnanm J5 a. mum:
lame us I I I I
SEEQIEIED TOP SEQBEY
This slide depicts the aforementioned process we have taken so far.
(R)
GBP5 History (continued)
FV m: 2012 2013
May Jun Iul All:xpmum m. mm:
9an mm sme .. momma" nanDFS manta DPS "Inland-Ink CM
SIGINYV m, a -Im.
mm um. my
m.
Ramon rem-m
Mm"! away-Inflow; MIMI MOD In bum
~5qu macaw MI m,
we" mm Mushy mm mm mm
ammo" I I .1
oFsomIM awn-lam mummy an
mnanm J5 a. mum:
lame us I I I I
SEEQIEIED TOP SEQBEY
This slide depicts the aforementioned process we have taken so far.
Now, I will explain about our project in and after 2013.
With regard to collection equipment, five small aperture antennas are
scheduled to be operational at the end of March 2013. One of them is
scheduled to be operated in 24/7 for SIGINT-enabled cyber operation from
April.
As to anonymous Internet, DFS already acquired budget, and preparation to
start operation is ongoing aiming at IOC in October 2013.
6
Now, I will explain about our project in and after 2013.
With regard to collection equipment, five small aperture antennas are
scheduled to be operational at the end of March 2013. One of them is
scheduled to be operated in 24/7 for SIGINT-enabled cyber operation from
April.
As to anonymous Internet, DFS already acquired budget, and preparation to
start operation is ongoing aiming at IOC in October 2013.
6
Being authorized to organize SIGINT-enabled cyber structure, additional
employees are scheduled to be assigned at MALLARD office in Ichigaya and
Tachiarai.
In long-term perspective, by the end of March 2016, MALLARD system
upgrade as well as WN system upgrade, i.e. introduction of MALLARD type
system, are scheduled.
At the same time as these upgrade, we are to make a budget request for
reinforcement of SIGINT-enabled cyber capability.
7
Being authorized to organize SIGINT-enabled cyber structure, additional
employees are scheduled to be assigned at MALLARD office in Ichigaya and
Tachiarai.
In long-term perspective, by the end of March 2016, MALLARD system
upgrade as well as WN system upgrade, i.e. introduction of MALLARD type
system, are scheduled.
At the same time as these upgrade, we are to make a budget request for
reinforcement of SIGINT-enabled cyber capability.
7
SPECIFIED TOP SECRET
,5 Challenges and Request to the US side
'l MALLARD current status and cyber Collectlon
(1) Tradltlonal SIGINT collection
Approx 200K sesslons/ tweak (Storage period 2 months)
(2) cyber collection --related ISP)
Approx 500K sesslonsl 1 hour (Storage period 1 week)
SEEIFIED roP Stair '3
Challenges and request to the US side.
First, MALLARD current status and cyber collection.
MALLARD was originally introduced for traditional SIGINT collection, and is
conducting about 200K sessions in a week. Data is saved for approx. two months.
As DFS does research and analysis during that period, if preservation time is
shortened, it will affect SIGINT operation at DFS.
As I explained in the history, DFS -- ISP carrier on
to collect cyber data from this January. The number
of collected sessions reached to about 500K in one hour. Keeping this paoe,
MALLARD data storage period might be less than one week.
As it affects our SIGINT operation, we are not able to do sustained collection for
cyber.
SPECIFIED TOP SECRET
,5 Challenges and Request to the US side
'l MALLARD current status and cyber Collectlon
(1) Tradltlonal SIGINT collection
Approx 200K sesslons/ tweak (Storage period 2 months)
(2) cyber collection --related ISP)
Approx 500K sesslonsl 1 hour (Storage period 1 week)
SEEIFIED roP Stair '3
Challenges and request to the US side.
First, MALLARD current status and cyber collection.
MALLARD was originally introduced for traditional SIGINT collection, and is
conducting about 200K sessions in a week. Data is saved for approx. two months.
As DFS does research and analysis during that period, if preservation time is
shortened, it will affect SIGINT operation at DFS.
As I explained in the history, DFS -- ISP carrier on
to collect cyber data from this January. The number
of collected sessions reached to about 500K in one hour. Keeping this paoe,
MALLARD data storage period might be less than one week.
As it affects our SIGINT operation, we are not able to do sustained collection for
cyber.
Thus, we are facing necessity of consideration including how MALLARD
would be operated.
DFS is considering about importing cyber-related case notations and other
case notations into separate servers.
We would like to see processing procedure which the US side employs in
order not to affect traditional SIGINT collection, and would appreciate your
technical assistance.
Let me add that we had a meeting with DSRJ last Thursday and they
explained about possible solutions further examination. We felt assured and
are looking forward solutions.
9
Thus, we are facing necessity of consideration including how MALLARD
would be operated.
DFS is considering about importing cyber-related case notations and other
case notations into separate servers.
We would like to see processing procedure which the US side employs in
order not to affect traditional SIGINT collection, and would appreciate your
technical assistance.
Let me add that we had a meeting with DSRJ last Thursday and they
explained about possible solutions further examination. We felt assured and
are looking forward solutions.
9
Regarding collection target for SIGINT-enabled cyber,
While the number of antennas DFS possess is very limited compared to the
US, DFS contribution to SIGINT-enabled cyber is highly expected by both
inside and outside of DFS.
As we need to pursue effectiveness in SIGINT-enabled cyber collection, DFS
asked the US for information on carriers which has cyber related data.
10
Regarding collection target for SIGINT-enabled cyber,
While the number of antennas DFS possess is very limited compared to the
US, DFS contribution to SIGINT-enabled cyber is highly expected by both
inside and outside of DFS.
As we need to pursue effectiveness in SIGINT-enabled cyber collection, DFS
asked the US for information on carriers which has cyber related data.
10
DFS SIGINT-enabled cyber operation flow is depicted here.
J6 roles and functions showed in left include our assumptions, because J6
function is not disclosed to us. Their function include refining FW setting, alert
users, malware analysis, cyber monitor and collection, storage and analysis
of attack related information.
With attack information provided by J6, we load selectors, collect and
analyze SIGINT, reflect analysis result to selectors. In this cycle, we hope to
discover indications of cyber attack and provide J6 with threat information.
11
DFS SIGINT-enabled cyber operation flow is depicted here.
J6 roles and functions showed in left include our assumptions, because J6
function is not disclosed to us. Their function include refining FW setting, alert
users, malware analysis, cyber monitor and collection, storage and analysis
of attack related information.
With attack information provided by J6, we load selectors, collect and
analyze SIGINT, reflect analysis result to selectors. In this cycle, we hope to
discover indications of cyber attack and provide J6 with threat information.
11
Lastly, future SIGINT-enabled cyber operation.
DFS SIGINT-enabled cyber operation is at an experimental stage.
DFS will make every effort to go it alone and develop further, so that it can
provide information to Japanese costumers as well as to the US side.
For the future SIGINT-enabled cyber operation, we would appreciate the US
cooperation. Thank you for your kind attention.
12
Lastly, future SIGINT-enabled cyber operation.
DFS SIGINT-enabled cyber operation is at an experimental stage.
DFS will make every effort to go it alone and develop further, so that it can
provide information to Japanese costumers as well as to the US side.
For the future SIGINT-enabled cyber operation, we would appreciate the US
cooperation. Thank you for your kind attention.
12