Documents
SSO NEWS Relevant Entries
June 25, 2018
(TS//NF) Full One End Foreign (1EF) Interim Status Update
By REDACTED on 2012-10-15 1030
(TS//NF) Special Source Operations (SSO) commenced deploying full One End Foreign
(1EF) Internet Protocol (IP) address filtering for Foreign Intelligence Surveillance (FISA)
Amendments Act (FAA) 702 collection at Unilateral Legal collection sites on 5
September, 2012. To date, this change has been effected at 6 FAA accesses. The
metrics available cannot account for collection which may have been subsequently
sequestered due to potential over-collection concerns (capabilities integrated into the
collection distribution components), but the net count of additional collection events
resulting from the expansion to 1EF filtering as of 11 October 2012 is 1,595. This gain
may increase more dramatically as the capability is rolled out to additional high
producing accesses.
(TS//NF) Given the sensitivity of the FAA collection authorities, SSO is proceeding at a
measured pace according to the plan. In order to address evolving intelligence priorities
in a timely manner SSO collection managers have directed the inclusion of IP
addresses associated with a small set of focused regions of interest (Iran, Afghanistan,
Israel, Nigeria, Pakistan, Yemen, Sudan, Tunisia, Libya, and Egypt) to several accesses
which have not yet migrated to this open aperture approach. From the two most
lucrative sites within one program that are not yet 1EF capable, this inclusion has netted
an additional 182 intercepts.
(TS//NF) Where feasible, the migration to full 1EF IP filtering will continue through
approximately mid-November. Efforts are continuing to establish the necessary tools to
manage the IP filter list at sites which cannot accommodate the full 1EF, where some
focus on the collection gain versus resource trade space is required to maximize each
site/Program’s contributions to the FAA 702 mission. The timeline for establishing these
tools has yet to be determined, but efforts are being focused on this component to fully
maximize SSO’s potential under FAA 702 collection authorities.
POC: REDACTED
(TS//SI//NF) Initial Application of One-End Foreign (1EF) Filter at a FAA Upstream DNI
Collection Site
By REDACTED on 2012-09-10 1319
(TS//SI//NF) On 5 Sep 2012 at ~1500Z, the FAIRVIEW site known as OVERHILL,
became the first Foreign Intelligence Surveillance Act (FISA) Amendment Act (FAA)
Upstream Digital Network Intelligence (DNI) site to use the 1EF filter (sourced from
EVILOLIVE, Internet Protocol (IP) geo-location reference source, foreign IP list) for FAA
compliance purposes. The 1EF filter replaces the use of the more limited FAA IP
Subnet filter as a method to ensure compliance with FAA collection authorities, while
opening the collection aperture to maximize collection opportunities. A further
advantage of this approach is that the IP filter will be current with EVILOLIVE updates,
(TS//NF) Full One End Foreign (1EF) Interim Status Update
By REDACTED on 2012-10-15 1030
(TS//NF) Special Source Operations (SSO) commenced deploying full One End Foreign
(1EF) Internet Protocol (IP) address filtering for Foreign Intelligence Surveillance (FISA)
Amendments Act (FAA) 702 collection at Unilateral Legal collection sites on 5
September, 2012. To date, this change has been effected at 6 FAA accesses. The
metrics available cannot account for collection which may have been subsequently
sequestered due to potential over-collection concerns (capabilities integrated into the
collection distribution components), but the net count of additional collection events
resulting from the expansion to 1EF filtering as of 11 October 2012 is 1,595. This gain
may increase more dramatically as the capability is rolled out to additional high
producing accesses.
(TS//NF) Given the sensitivity of the FAA collection authorities, SSO is proceeding at a
measured pace according to the plan. In order to address evolving intelligence priorities
in a timely manner SSO collection managers have directed the inclusion of IP
addresses associated with a small set of focused regions of interest (Iran, Afghanistan,
Israel, Nigeria, Pakistan, Yemen, Sudan, Tunisia, Libya, and Egypt) to several accesses
which have not yet migrated to this open aperture approach. From the two most
lucrative sites within one program that are not yet 1EF capable, this inclusion has netted
an additional 182 intercepts.
(TS//NF) Where feasible, the migration to full 1EF IP filtering will continue through
approximately mid-November. Efforts are continuing to establish the necessary tools to
manage the IP filter list at sites which cannot accommodate the full 1EF, where some
focus on the collection gain versus resource trade space is required to maximize each
site/Program’s contributions to the FAA 702 mission. The timeline for establishing these
tools has yet to be determined, but efforts are being focused on this component to fully
maximize SSO’s potential under FAA 702 collection authorities.
POC: REDACTED
(TS//SI//NF) Initial Application of One-End Foreign (1EF) Filter at a FAA Upstream DNI
Collection Site
By REDACTED on 2012-09-10 1319
(TS//SI//NF) On 5 Sep 2012 at ~1500Z, the FAIRVIEW site known as OVERHILL,
became the first Foreign Intelligence Surveillance Act (FISA) Amendment Act (FAA)
Upstream Digital Network Intelligence (DNI) site to use the 1EF filter (sourced from
EVILOLIVE, Internet Protocol (IP) geo-location reference source, foreign IP list) for FAA
compliance purposes. The 1EF filter replaces the use of the more limited FAA IP
Subnet filter as a method to ensure compliance with FAA collection authorities, while
opening the collection aperture to maximize collection opportunities. A further
advantage of this approach is that the IP filter will be current with EVILOLIVE updates,
whereas the process to develop the FAA IP list was a lengthy and complicated effort
requiring input from the range of Target Offices of Primary Interest (TOPIs) involved for
managing and prioritizing IP addresses for inclusion into the FAA IP subnet list. FAA IP
Subnet generation process results in some inherent latency and may be somewhat less
precise for compliance purposes due to this artifact. Use of the 1EF filter approach vice
the more restrictive FAA IP Subnet filter will provide a significant increase in the amount
of traffic presented for processing/selection. Early indications from the OVERHILL site
is that the volume of traffic being delivered for processing using the 1EF filter approach
is on the order of two times as much as compared to when the FAA IP Subnet filter was
in use. This does not necessarily translate into a corresponding increase in FAA DNI
selected hits, but the expectation is that an increase in selection will typically occur
when using the 1EF filter approach due to the significant increase in traffic being
forwarded for processing and potential selection.
(TS//SI//NF) The current strategy for rolling-out the 1EF filter to additional Special
Source Operations (SSO) FAA Upstream DNI sites is to add the 1EF filter to one FAA
DNI site per week in place of the current FAA IP Subnet filter. This will occur at sites
that can support the entire 1EF filter (i.e. the entire foreign IP list as listed in
EVILOLIVE). The FAA Upstream DNI sites that currently cannot support the entire 1EF
filter list will continue to use the FAA IP Subnet filter until such time that collection
management tools are established to develop an expanded EVILOLIVE sourced IP list
on a site by site basis, maximizing the FAA potential of each access.
(S//SI) This first step is the result of an 18+ month effort, collaborating across SSO,
SIGINT Development Strategies and Governance (SSG), Office of General Counsel
(OGC), Department of Justice (DoJ), FAA Mission leads, and the Authorities integration
group, factoring in all participants concerns.
(C//REL FVEY) POC: REDACTED, FAIRVIEW Collection Manager, REDACTED,
REDACTED; REDACTED, FAIRVIEW Technical Director, S3531, REDACTED
(U//FOUO) Last Remaining FAIRVIEW ETMLs are Operational
By REDACTED on 2012-07-24 1444
(TS//SI//NF) On 19 June 2012, FAIRVIEW turned up 7 Extended TURMOILs (ETML) at
FREEWAY, a major west coast Internet Protocol (IP) backbone access. This was the
last remaining access scheduled to go operational in FY12, and delivered 3,221 Digital
Network Intelligence (DNI) FISA Amendment Act (FAA) intercepts to National Security
Agency Washington (NSAW) within the first 15 hours of operation. Additionally
FREEWAY, based on initial intercepts, has the potential to be the highest contributing
FAIRVIEW access for LEGION JADE activity.
POC: REDACTED, S3531, REDACTED
whereas the process to develop the FAA IP list was a lengthy and complicated effort
requiring input from the range of Target Offices of Primary Interest (TOPIs) involved for
managing and prioritizing IP addresses for inclusion into the FAA IP subnet list. FAA IP
Subnet generation process results in some inherent latency and may be somewhat less
precise for compliance purposes due to this artifact. Use of the 1EF filter approach vice
the more restrictive FAA IP Subnet filter will provide a significant increase in the amount
of traffic presented for processing/selection. Early indications from the OVERHILL site
is that the volume of traffic being delivered for processing using the 1EF filter approach
is on the order of two times as much as compared to when the FAA IP Subnet filter was
in use. This does not necessarily translate into a corresponding increase in FAA DNI
selected hits, but the expectation is that an increase in selection will typically occur
when using the 1EF filter approach due to the significant increase in traffic being
forwarded for processing and potential selection.
(TS//SI//NF) The current strategy for rolling-out the 1EF filter to additional Special
Source Operations (SSO) FAA Upstream DNI sites is to add the 1EF filter to one FAA
DNI site per week in place of the current FAA IP Subnet filter. This will occur at sites
that can support the entire 1EF filter (i.e. the entire foreign IP list as listed in
EVILOLIVE). The FAA Upstream DNI sites that currently cannot support the entire 1EF
filter list will continue to use the FAA IP Subnet filter until such time that collection
management tools are established to develop an expanded EVILOLIVE sourced IP list
on a site by site basis, maximizing the FAA potential of each access.
(S//SI) This first step is the result of an 18+ month effort, collaborating across SSO,
SIGINT Development Strategies and Governance (SSG), Office of General Counsel
(OGC), Department of Justice (DoJ), FAA Mission leads, and the Authorities integration
group, factoring in all participants concerns.
(C//REL FVEY) POC: REDACTED, FAIRVIEW Collection Manager, REDACTED,
REDACTED; REDACTED, FAIRVIEW Technical Director, S3531, REDACTED
(U//FOUO) Last Remaining FAIRVIEW ETMLs are Operational
By REDACTED on 2012-07-24 1444
(TS//SI//NF) On 19 June 2012, FAIRVIEW turned up 7 Extended TURMOILs (ETML) at
FREEWAY, a major west coast Internet Protocol (IP) backbone access. This was the
last remaining access scheduled to go operational in FY12, and delivered 3,221 Digital
Network Intelligence (DNI) FISA Amendment Act (FAA) intercepts to National Security
Agency Washington (NSAW) within the first 15 hours of operation. Additionally
FREEWAY, based on initial intercepts, has the potential to be the highest contributing
FAIRVIEW access for LEGION JADE activity.
POC: REDACTED, S3531, REDACTED
(TS//SI//REL FVEY) FAIRVIEW Tour for new FBI Agent and Attorney
By REDACTED on 2012-05-11 1519
(TS//SI//REL FVEY) On 3 May, FAIRVIEW provided the new FBI Agent, REDACTED,
and their new Attorney, REDACTED, a tour of one of the program’s east coast cable
stations (NASSAU SHORE) and the program’s centralized processing SCIF
(PINECONE). A FAIRVIEW overview was provided expanding upon the program’s vast
access and collection infrastructure, budget constraints, and program authorities with a
focus on the fundamental partnership with the FBI. Other topics included the varying
data flows (i.e., DNI, DNR, CDRs, etc.), FY12 and FY13 strategies, budget constraints,
sensor deployments (ETML, VANGUARD and NETFLOW), and endpoint-midpoint
shaping activities with TAO and NCSC. The day was extremely successful and
broadened their understanding of the breadth and depth of the program which requires
their partnership for success.
POC: REDACTED, FAIRVIEW D/Program Director, REDACTED, REDACTED
(TS//SI//REL FVEY) FAIRVIEW Tour
By REDACTED on 2012-03-28 1333
(TS//SI//REL FVEY) On 23 March, S3 and GAO Technical Directors: S3 - REDACTED,
REDACTED, REDACTED; GAO - REDACTED and REDACTED, and SV SIGINT
Compliance and Architecture Lead REDACTED, attended the FAIRVIEW partner
provided tour of one of the program’s east coast cable stations (NASSAU SHORE) and
the program’s centralized processing SCIF (PINECONE). A short FAIRVIEW overview
was provided which led into an in-depth technical discussion regarding the program’s
vast access & collection infrastructure, the varying data flows (i.e., DNI, DNR, CDRs,
etc.) to include program authorities, budget constraints, sensor deployments (ETML,
VANGUARD and NETFLOW), and endpoint-midpoint shaping activities and future
opportunities in partnership with organizations such as TAO, NCSC and other IC
elements such as the FBI, DEA and the CIA. The partner also provided a briefing on
company/USG activities outside of FAIRVIEW (i.e., NEST, DIB Pilot) and expounded on
current and future program Cyber plans. The day was extremely successful and
broadened their understanding of this unique Government/Partner relationship,
highlighted the Partner’s ability and willingness to help with NSA’s SIGINT and Cyber
missions, provided insight into the breadth and depth of the program’s access and
showcased the highly collaborative nature of the FAIRVIEW partner and the value of
their intellectual capital.
POC: REDACTED, FAIRVIEW Program Director, REDACTEDs
(TS//SI//REL FVEY) FAIRVIEW Tour for new FBI Agent and Attorney
By REDACTED on 2012-05-11 1519
(TS//SI//REL FVEY) On 3 May, FAIRVIEW provided the new FBI Agent, REDACTED,
and their new Attorney, REDACTED, a tour of one of the program’s east coast cable
stations (NASSAU SHORE) and the program’s centralized processing SCIF
(PINECONE). A FAIRVIEW overview was provided expanding upon the program’s vast
access and collection infrastructure, budget constraints, and program authorities with a
focus on the fundamental partnership with the FBI. Other topics included the varying
data flows (i.e., DNI, DNR, CDRs, etc.), FY12 and FY13 strategies, budget constraints,
sensor deployments (ETML, VANGUARD and NETFLOW), and endpoint-midpoint
shaping activities with TAO and NCSC. The day was extremely successful and
broadened their understanding of the breadth and depth of the program which requires
their partnership for success.
POC: REDACTED, FAIRVIEW D/Program Director, REDACTED, REDACTED
(TS//SI//REL FVEY) FAIRVIEW Tour
By REDACTED on 2012-03-28 1333
(TS//SI//REL FVEY) On 23 March, S3 and GAO Technical Directors: S3 - REDACTED,
REDACTED, REDACTED; GAO - REDACTED and REDACTED, and SV SIGINT
Compliance and Architecture Lead REDACTED, attended the FAIRVIEW partner
provided tour of one of the program’s east coast cable stations (NASSAU SHORE) and
the program’s centralized processing SCIF (PINECONE). A short FAIRVIEW overview
was provided which led into an in-depth technical discussion regarding the program’s
vast access & collection infrastructure, the varying data flows (i.e., DNI, DNR, CDRs,
etc.) to include program authorities, budget constraints, sensor deployments (ETML,
VANGUARD and NETFLOW), and endpoint-midpoint shaping activities and future
opportunities in partnership with organizations such as TAO, NCSC and other IC
elements such as the FBI, DEA and the CIA. The partner also provided a briefing on
company/USG activities outside of FAIRVIEW (i.e., NEST, DIB Pilot) and expounded on
current and future program Cyber plans. The day was extremely successful and
broadened their understanding of this unique Government/Partner relationship,
highlighted the Partner’s ability and willingness to help with NSA’s SIGINT and Cyber
missions, provided insight into the breadth and depth of the program’s access and
showcased the highly collaborative nature of the FAIRVIEW partner and the value of
their intellectual capital.
POC: REDACTED, FAIRVIEW Program Director, REDACTEDs
(TS//SI//REL FVEY) FAIRVIEW Tour for HPSI/SSCI Staffers
By REDACTED on 2011-11-16 0844
(TS//SI//REL FVEY) On 21 October, the FAIRVIEW partner provided HPSI staffers
REDACTED (CCP Majority Monitor), REDACTED (Congressional Fellow) J
REDACTED (Senior Majority Counsel) and SSCI staffers REDACTED (CCP Majority
Monitor) and REDACTED (CCP Minority Monitor) with a tour of one of the FAIRVIEW
program’s east coast cable stations (FRIAR) and FAIRVIEW’s centralized processing
SCIF (PINECONE). A high level overview of the FAIRVIEW program was provided.
Discussion topics revolved around data collection to include FAA, BR FISA, Court Order
and Transit, the program’s authorities, and budget constraints. The day was extremely
successful and broadened the Staffer’s understanding of the Government/Partner
relationship, Partner provided services, the FAIRVIEW program overall and identified
areas where the Staffer’s may be able to provide overarching support with their broader
understanding of SSO Corporate programs.
POC: REDACTED, FAIRVIEW Program Director, S3531
(TS//SI//REL FVEY) FAIRVIEW Tour for Director, Research Directorate
By REDACTED on 2012-01-13 0814
(TS//SI//REL FVEY) On 6 January 2012, Dr. Michael Wertheimer, Director of NSA’s
Research Directorate, was provided a tour of FAIRVIEW’s East Coast cable station
(FRIAR) and FAIRVIEW’s centralized processing SCIF (PINECONE). In addition to the
site tours, Dr. Wertheimer also received a high level program overview, to include
discussion of the various authorities the program operates under, current and future
program Cyber plans and some discussion regarding FAIRVIEW’s Business Record
FISA (BR-FISA) collection. The discussion also included mention of the program’s
FY12 Strategic Initiatives, a snapshot of the FAIRVIEW’s access & collection footprint,
clearly depicting the breadth of the access. The day was extremely successful and
broadened his understanding of this unique Government/Partner relationship,
highlighted the Partner’s extreme willingness to help with NSA’s SIGINT and Cyber
missions and the breadth and depth of not only the program’s access, but also the
amazing knowledge of the FAIRVIEW partner’s workforce.
POC: REDACTED, FAIRVIEW Tech Director, S3531
(TS//SI//NF) Mobility Business Records Flow Significantly Increases Volume of Records
Delivered Under BR FISA
By REDACTED on 2011-08-30 1440
(TS//SI//NF) On 29 August, FAIRVIEW started delivering Mobility Business Records
traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The
(TS//SI//REL FVEY) FAIRVIEW Tour for HPSI/SSCI Staffers
By REDACTED on 2011-11-16 0844
(TS//SI//REL FVEY) On 21 October, the FAIRVIEW partner provided HPSI staffers
REDACTED (CCP Majority Monitor), REDACTED (Congressional Fellow) J
REDACTED (Senior Majority Counsel) and SSCI staffers REDACTED (CCP Majority
Monitor) and REDACTED (CCP Minority Monitor) with a tour of one of the FAIRVIEW
program’s east coast cable stations (FRIAR) and FAIRVIEW’s centralized processing
SCIF (PINECONE). A high level overview of the FAIRVIEW program was provided.
Discussion topics revolved around data collection to include FAA, BR FISA, Court Order
and Transit, the program’s authorities, and budget constraints. The day was extremely
successful and broadened the Staffer’s understanding of the Government/Partner
relationship, Partner provided services, the FAIRVIEW program overall and identified
areas where the Staffer’s may be able to provide overarching support with their broader
understanding of SSO Corporate programs.
POC: REDACTED, FAIRVIEW Program Director, S3531
(TS//SI//REL FVEY) FAIRVIEW Tour for Director, Research Directorate
By REDACTED on 2012-01-13 0814
(TS//SI//REL FVEY) On 6 January 2012, Dr. Michael Wertheimer, Director of NSA’s
Research Directorate, was provided a tour of FAIRVIEW’s East Coast cable station
(FRIAR) and FAIRVIEW’s centralized processing SCIF (PINECONE). In addition to the
site tours, Dr. Wertheimer also received a high level program overview, to include
discussion of the various authorities the program operates under, current and future
program Cyber plans and some discussion regarding FAIRVIEW’s Business Record
FISA (BR-FISA) collection. The discussion also included mention of the program’s
FY12 Strategic Initiatives, a snapshot of the FAIRVIEW’s access & collection footprint,
clearly depicting the breadth of the access. The day was extremely successful and
broadened his understanding of this unique Government/Partner relationship,
highlighted the Partner’s extreme willingness to help with NSA’s SIGINT and Cyber
missions and the breadth and depth of not only the program’s access, but also the
amazing knowledge of the FAIRVIEW partner’s workforce.
POC: REDACTED, FAIRVIEW Tech Director, S3531
(TS//SI//NF) Mobility Business Records Flow Significantly Increases Volume of Records
Delivered Under BR FISA
By REDACTED on 2011-08-30 1440
(TS//SI//NF) On 29 August, FAIRVIEW started delivering Mobility Business Records
traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The
intent of the Business Records FISA program is to detect previously unknown terrorist
threats in the United States through the cell chaining of metadata. This new metadata
flow is associated with a cell phone provider and will generate an estimated 1.1 billion
cellular records a day in addition to the 700M records delivered currently under the BR
FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a
push to get this flow operational prior to the tenth anniversary of 9/11, and extensive
coordination with external entitites via our OGC (to include: FBI, DOJ, ODNI, and FISC)
NSA received approval to initiate this dataflow on August 29, 2011. Analysts have
already reported seeing BR Cellular records in the Counter Terrorism call-chaining
database queries.
POCs: REDACTED, S3531, REDACTEDs; REDACTED, ST, REDACTEDs; &
REDACTED, S35324, REDACTEDs
(TS//SI//NF) Mobility Business Records Flow Significantly Increases Volume of Records
Delivered Under BR FISA
By REDACTED on 2011-08-30 1440
(TS//SI//NF) On 29 August, FAIRVIEW started delivering Mobility Business Records
traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The
intent of the Business Records FISA program is to detect previously unknown terrorist
threats in the United States through the cell chaining of metadata. This new metadata
flow is associated with a cell phone provider and will generate an estimated 1.1 billion
cellular records a day in addition to the 700M records delivered currently under the BR
FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a
push to get this flow operational prior to the tenth anniversary of 9/11, and extensive
coordination with external entitites via our OGC (to include: FBI, DOJ, ODNI, and FISC)
NSA received approval to initiate this dataflow on August 29, 2011. Analysts have
already reported seeing BR Cellular records in the Counter Terrorism call-chaining
database queries.
POCs: REDACTED, S3531, REDACTEDs; REDACTED, ST, REDACTEDs; &
REDACTED, S35324, REDACTEDs
(TS//SI//NF) FAIRVIEW: CLIFFSIDE Site - Collection Resumes After ~5 Months
By REDACTED on 2011-08-23 0805
(TS//SI//NF) On 5 Aug 2011, collection of DNR and DNI traffic at the FAIRVIEW
CLIFFSIDE trans-pacific cable site resumed, after being down for approximately five
months. Collection operations at CLIFFSIDE had been down since 11 March 2011, due
to the cable damage as a result of the earthquake off of the coast of Japan. The initial
damage assessment showed the loss of collection of 275 E1 DNR circuits and 55 DNI
intent of the Business Records FISA program is to detect previously unknown terrorist
threats in the United States through the cell chaining of metadata. This new metadata
flow is associated with a cell phone provider and will generate an estimated 1.1 billion
cellular records a day in addition to the 700M records delivered currently under the BR
FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a
push to get this flow operational prior to the tenth anniversary of 9/11, and extensive
coordination with external entitites via our OGC (to include: FBI, DOJ, ODNI, and FISC)
NSA received approval to initiate this dataflow on August 29, 2011. Analysts have
already reported seeing BR Cellular records in the Counter Terrorism call-chaining
database queries.
POCs: REDACTED, S3531, REDACTEDs; REDACTED, ST, REDACTEDs; &
REDACTED, S35324, REDACTEDs
(TS//SI//NF) Mobility Business Records Flow Significantly Increases Volume of Records
Delivered Under BR FISA
By REDACTED on 2011-08-30 1440
(TS//SI//NF) On 29 August, FAIRVIEW started delivering Mobility Business Records
traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The
intent of the Business Records FISA program is to detect previously unknown terrorist
threats in the United States through the cell chaining of metadata. This new metadata
flow is associated with a cell phone provider and will generate an estimated 1.1 billion
cellular records a day in addition to the 700M records delivered currently under the BR
FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a
push to get this flow operational prior to the tenth anniversary of 9/11, and extensive
coordination with external entitites via our OGC (to include: FBI, DOJ, ODNI, and FISC)
NSA received approval to initiate this dataflow on August 29, 2011. Analysts have
already reported seeing BR Cellular records in the Counter Terrorism call-chaining
database queries.
POCs: REDACTED, S3531, REDACTEDs; REDACTED, ST, REDACTEDs; &
REDACTED, S35324, REDACTEDs
(TS//SI//NF) FAIRVIEW: CLIFFSIDE Site - Collection Resumes After ~5 Months
By REDACTED on 2011-08-23 0805
(TS//SI//NF) On 5 Aug 2011, collection of DNR and DNI traffic at the FAIRVIEW
CLIFFSIDE trans-pacific cable site resumed, after being down for approximately five
months. Collection operations at CLIFFSIDE had been down since 11 March 2011, due
to the cable damage as a result of the earthquake off of the coast of Japan. The initial
damage assessment showed the loss of collection of 275 E1 DNR circuits and 55 DNI
circuits. Since the cable was repaired and returned to service (5 Aug), FAIRVIEW
operations has tasked 205 E1 DNR circuits and 37 DNI circuits for collection.
Enviornmental survey continues to compare the old enviornment footprint to the new
environment footprint and FAIRVIEW operations will continue to task collection for all
new and restored circuits.
POC: REDACTED, S35333, REDACTED (FAIRVIEW Collection Manager)
(TS//SI//REL FVEY) FAIRVIEW High Level Structural Survey (HLSS) Data Populating
TWISTEDPATH Data Repository
By REDACTED on 2011-01-28 1431
(TS//SI//REL FVEY) On 12 January 2011, FAIRVIEW (US-990) began delivering High
Level Structure Survey (HLSS) SCAN1 data from the program’s 6 cable accesses to
TWISTEDPATH. HLSS is signal level characterization, providing the mux structure of
the signal and various overhead data values. HLSS is a characterization of the signal
environment, and as it is established provides a first indication of high level changes in
the environment where a deeper analysis is required. The HLSS includes, among other
things, a J1 overhead byte which carries identifying information about the user/operator
of that link, such as a specific network provider, corporation, etc., which is a high value
data item to analysts. This effort is a first step towards the eventual utilization of more
advanced Automated Characterization & Survey (ACS) capabilities (i.e., Scan 2)within
the program.
(TS//SI//REL FVEY) This delivery marks another major milestone in the program’s
efforts to automate survey at the cable sites. In FY10, FAIRVIEW’s production and
survey case notations became compliant with SSO case notation specifications. Now,
in FY11 the program can finally deliver that data to NSA for analytical use. The new
auto survey system is comprised of both partner and agency developed components.
FAIRVIEW is currently surveying all circuits not in production at its 6 cable sites every
3-5 days depending on the size of the sites, covering some 1,836 circuits in all. Over the
next several months all circuits in production will be added to auto survey, bringing the
total number of circuits surveyed to 2,076, finishing another important phase of this
large and complex effort.
POC: REDACTED, S3322, REDACTED / REDACTED, S3321, REDACTED
(TS//SI//REL FVEY) FAIRVIEW Carrier Grade VoIP (SIP Protocol) Transit Collection
Activated
By REDACTED on 2011-01-28 1401
(TS//SI//REL FVEY) On 19 January 2011, FAIRVIEW (US-990) began delivery of
Carrier Grade Corporate VoIP (SIP Protocol) under Transit Authority. This involves the
circuits. Since the cable was repaired and returned to service (5 Aug), FAIRVIEW
operations has tasked 205 E1 DNR circuits and 37 DNI circuits for collection.
Enviornmental survey continues to compare the old enviornment footprint to the new
environment footprint and FAIRVIEW operations will continue to task collection for all
new and restored circuits.
POC: REDACTED, S35333, REDACTED (FAIRVIEW Collection Manager)
(TS//SI//REL FVEY) FAIRVIEW High Level Structural Survey (HLSS) Data Populating
TWISTEDPATH Data Repository
By REDACTED on 2011-01-28 1431
(TS//SI//REL FVEY) On 12 January 2011, FAIRVIEW (US-990) began delivering High
Level Structure Survey (HLSS) SCAN1 data from the program’s 6 cable accesses to
TWISTEDPATH. HLSS is signal level characterization, providing the mux structure of
the signal and various overhead data values. HLSS is a characterization of the signal
environment, and as it is established provides a first indication of high level changes in
the environment where a deeper analysis is required. The HLSS includes, among other
things, a J1 overhead byte which carries identifying information about the user/operator
of that link, such as a specific network provider, corporation, etc., which is a high value
data item to analysts. This effort is a first step towards the eventual utilization of more
advanced Automated Characterization & Survey (ACS) capabilities (i.e., Scan 2)within
the program.
(TS//SI//REL FVEY) This delivery marks another major milestone in the program’s
efforts to automate survey at the cable sites. In FY10, FAIRVIEW’s production and
survey case notations became compliant with SSO case notation specifications. Now,
in FY11 the program can finally deliver that data to NSA for analytical use. The new
auto survey system is comprised of both partner and agency developed components.
FAIRVIEW is currently surveying all circuits not in production at its 6 cable sites every
3-5 days depending on the size of the sites, covering some 1,836 circuits in all. Over the
next several months all circuits in production will be added to auto survey, bringing the
total number of circuits surveyed to 2,076, finishing another important phase of this
large and complex effort.
POC: REDACTED, S3322, REDACTED / REDACTED, S3321, REDACTED
(TS//SI//REL FVEY) FAIRVIEW Carrier Grade VoIP (SIP Protocol) Transit Collection
Activated
By REDACTED on 2011-01-28 1401
(TS//SI//REL FVEY) On 19 January 2011, FAIRVIEW (US-990) began delivery of
Carrier Grade Corporate VoIP (SIP Protocol) under Transit Authority. This involves the
diversification of the program’s Voice collection posture to include VoIP as the
communications networks converge and move beyond PSTN. This capability follows
our PSTN authorization model and takes advantage of least cost routing services
offered by the FAIRVIEW Partner. However, this algorithm incorporates automated
feedback loops for improving authorization effectiveness as part of the process.
(TS//SI//REL FVEY) This new capability rests on a large and complex system which
collects, processes, authorizes, and selects calls using both SIP and H.323 VOIP
protocol technology from 26 separate IP backbone router nodes. Traffic generated by
this VoIP algorithm is unique due to additional authorization attributes and changes in
routing across authorization domains (i.e., Transit, FAA and Court Ordered). A large
component of this eligible traffic is to/from high interest areas such as Pakistan.
POC: REDACTED, S3321, REDACTED 3
(TS//SI) Activation of NSA’s First Ever Extended TURMOIL (E-TML) Capability
By REDACTED on 2011-01-28 1359
(TS//SI) As of 1715Z on January 10, 2011, SSO’s FAIRVIEW Program turned up the
Agency’s first E-TML operational flow. This achievement is the result of several years of
coordinated effort between SSO and T1 and will be the first of many within FAIRVIEW
and ultimately across all relevant SSO Programs. Over the next couple of years, E-TML
will migrate towards becoming a viable, widely available, NCC product.
(TS//SI) E-TML extends TURMOIL filtering and selection into commercial accesses in a
way that meets Partner OPSEC requirements while protecting sensitive Agency
information. This type of access is common to many Corporate Partners – distributed,
unclassified, commercial accesses with moderate, but limited transport bandwidth to
SCIFed processing sites. E-TML Filtering and selection at the access point greatly
reduces the amount of data needing to be sent back to processing SCIFs over the
limited bandwidth available for that purpose. As a result, it is possible to move from the
current heavily IP filtered, bulk forwarded collection of a tiny portion of the typical
Terabyte or more SSO access toward full coverage.
(TS//SI) The E-TML concept is one where the hardware at the unclassified, commercial
accesses is commercially available, unclassified, and compatible with Partner OPSEC
cover missions. Intrinsic to the design, however, are a range of security
countermeasures meant to deal with both Partner OPSEC concerns and to allow the
hosting of sensitive software or selector information. In FAIRVIEW, with the guidance of
IAD and NSA Security, this set of countermeasures along with layers of additional
physical security, OPSEC processes and procedures, and commercial encryption were
implemented to mitigate any risk. A risk assessment was conducted regarding hosting
unclassified software based on TURMOIL’s first stage packet filter and DFCE, patterns
derived from classified selectors, and the possible future hosting of classified software
in the E-TML front-end. After review by both SID and NSA Security, the residual risk
diversification of the program’s Voice collection posture to include VoIP as the
communications networks converge and move beyond PSTN. This capability follows
our PSTN authorization model and takes advantage of least cost routing services
offered by the FAIRVIEW Partner. However, this algorithm incorporates automated
feedback loops for improving authorization effectiveness as part of the process.
(TS//SI//REL FVEY) This new capability rests on a large and complex system which
collects, processes, authorizes, and selects calls using both SIP and H.323 VOIP
protocol technology from 26 separate IP backbone router nodes. Traffic generated by
this VoIP algorithm is unique due to additional authorization attributes and changes in
routing across authorization domains (i.e., Transit, FAA and Court Ordered). A large
component of this eligible traffic is to/from high interest areas such as Pakistan.
POC: REDACTED, S3321, REDACTED 3
(TS//SI) Activation of NSA’s First Ever Extended TURMOIL (E-TML) Capability
By REDACTED on 2011-01-28 1359
(TS//SI) As of 1715Z on January 10, 2011, SSO’s FAIRVIEW Program turned up the
Agency’s first E-TML operational flow. This achievement is the result of several years of
coordinated effort between SSO and T1 and will be the first of many within FAIRVIEW
and ultimately across all relevant SSO Programs. Over the next couple of years, E-TML
will migrate towards becoming a viable, widely available, NCC product.
(TS//SI) E-TML extends TURMOIL filtering and selection into commercial accesses in a
way that meets Partner OPSEC requirements while protecting sensitive Agency
information. This type of access is common to many Corporate Partners – distributed,
unclassified, commercial accesses with moderate, but limited transport bandwidth to
SCIFed processing sites. E-TML Filtering and selection at the access point greatly
reduces the amount of data needing to be sent back to processing SCIFs over the
limited bandwidth available for that purpose. As a result, it is possible to move from the
current heavily IP filtered, bulk forwarded collection of a tiny portion of the typical
Terabyte or more SSO access toward full coverage.
(TS//SI) The E-TML concept is one where the hardware at the unclassified, commercial
accesses is commercially available, unclassified, and compatible with Partner OPSEC
cover missions. Intrinsic to the design, however, are a range of security
countermeasures meant to deal with both Partner OPSEC concerns and to allow the
hosting of sensitive software or selector information. In FAIRVIEW, with the guidance of
IAD and NSA Security, this set of countermeasures along with layers of additional
physical security, OPSEC processes and procedures, and commercial encryption were
implemented to mitigate any risk. A risk assessment was conducted regarding hosting
unclassified software based on TURMOIL’s first stage packet filter and DFCE, patterns
derived from classified selectors, and the possible future hosting of classified software
in the E-TML front-end. After review by both SID and NSA Security, the residual risk
was deemed acceptable..
POCs: REDACTED, S3321, 769-4104 / REDACTED, S3321, REDACTED
(TS//SI//REL) ANTI-MYTH Effort
By REDACTED on 2009-12-07 1642
(TS//SI//REL) The FAIRVIEW program is entering the final test phases of what is
believed to be the first deployment of anti-myth COURIERSKILL dictionaries for a nonFAA collection site, in this case FAIRVIEW's SMTP (port 25) transit collection source.
This initiative began in May of 2009 and has involved countless hours of collaboration
between SSO FAIRVIEW, UTT and CADENCE personnel. Combined with the
introduction of realm-based restrictions in UTT for this site group, limiting the site group
to selector realms relevant to a SMTP flow, the anti-myth permutations in our new
dictionaries are hoped to greatly decrease if not eliminate instances of message over
sampling off of this flow which, although by itself not an authorization violation, was
politically problematic for our partner relationship and negatively impacted the quality
and excessive quantity of our collection delivery to PINWALE.
(TS//SI//REL) This initiative was levied against the UTT strong selector dictionaries, but
the FAIRVIEW program intends to proceed with a rebuild of the weak selection
CADENCE-only dictionary also levied against this flow, complete with new operational
policy guidelines that will be communicated to analysts in the first quarter of CY2010.
(TS//SI//REL) Where applicable, the Corporate Portfolio Mission Management team
intends to apply the "lessons learned" from this FAIRVIEW initiative across other SSO
Corporate Programs to improve the accuracy and quality of intercept across multiple
programs.
(U//FOUO) POC: REDACTED, ODD Corporate Portfolio Manager, REDACTED,
REDACTED(s)
was deemed acceptable..
POCs: REDACTED, S3321, 769-4104 / REDACTED, S3321, REDACTED
(TS//SI//REL) ANTI-MYTH Effort
By REDACTED on 2009-12-07 1642
(TS//SI//REL) The FAIRVIEW program is entering the final test phases of what is
believed to be the first deployment of anti-myth COURIERSKILL dictionaries for a nonFAA collection site, in this case FAIRVIEW's SMTP (port 25) transit collection source.
This initiative began in May of 2009 and has involved countless hours of collaboration
between SSO FAIRVIEW, UTT and CADENCE personnel. Combined with the
introduction of realm-based restrictions in UTT for this site group, limiting the site group
to selector realms relevant to a SMTP flow, the anti-myth permutations in our new
dictionaries are hoped to greatly decrease if not eliminate instances of message over
sampling off of this flow which, although by itself not an authorization violation, was
politically problematic for our partner relationship and negatively impacted the quality
and excessive quantity of our collection delivery to PINWALE.
(TS//SI//REL) This initiative was levied against the UTT strong selector dictionaries, but
the FAIRVIEW program intends to proceed with a rebuild of the weak selection
CADENCE-only dictionary also levied against this flow, complete with new operational
policy guidelines that will be communicated to analysts in the first quarter of CY2010.
(TS//SI//REL) Where applicable, the Corporate Portfolio Mission Management team
intends to apply the "lessons learned" from this FAIRVIEW initiative across other SSO
Corporate Programs to improve the accuracy and quality of intercept across multiple
programs.
(U//FOUO) POC: REDACTED, ODD Corporate Portfolio Manager, REDACTED,
REDACTED(s)