Digint Narrative

UK SECRET DRAFT The Digint Programme (DRAFT VERSION 0.11) The purpose of this document to provide background for HMT and the Cabinet Office on the Security Service’s Digint Programme. [Insert security/FoI disclaimer] Defining the Digint Programme’s challenge Collecting and exploiting intelligence from the ‘digital footprint’ created by investigative targets presents law enforcement and intelligence agencies with new and developing challenges. These challenges increase when this material occurs in high volume for multiple targets. Some of the processes for collecting and deriving value from such material are relatively immature, others well established. There is no doubt that the take up by investigative targets of the technologies that leave a digital footprint provides a rich vein of intelligence that is set to grow in importance and cannot be ignored. The Digint Programme is a response to four specific challenges:  Target use of technologies that leave a ‘digital footprint’ is rapidly gaining importance within intelligence investigations  At the same time, increased usage generates a vast body of information for us to work through if we are to build a clear intelligence assessment  The underlying technologies and behaviours create a complex and changing environment that demands a strong combination of agility and collaboration between many partners if we are to become more effective and not fall behind – and where possible increase assurance  Improvements in this area will only represent value for money if they support capabilities that are complementary to and supportive of the two major intelligence collection programmes, IMP and SigMod Current roles and responsibilities HMG’s response to the intelligence challenge of the Internet and Internet Protocol (IP) networks and systems is based on close cooperation and collaboration between the relevant agencies. The benefits to HMG are in the areas of enhanced national security, the protection of economic well being, and the detection and prevention of serious and organised crime. At the highest level, two disciplines must be mastered: (1) Collection, which covers accessing information, capturing faithful representations UK SECRET -1-

UK SECRET DRAFT of it, and making technical sense of the 1’s and 0’s and (2) Exploitation which includes the processing, analysis and use of what has been collected. Figure 1 - Illustration of the key disciplines required to support the development of intelligence Collect the information we want Turn the information into a usable format Make the information available (1) Collection Provide intelligence to desks Assess intelligence (2) Exploitation Investigation To do this two generic types of material must be worked: Content (information generated by the investigative target, such as the words in his email) and Communications Data or ‘CD’ (information required by the communication service provider to allow the target to use their services, such as his subscription information via which they are able to collect payment). A further division exists between strategic collection solutions for which the technology remains in place once established, versus tactical solutions which are deployed temporarily to gather intelligence on specific high priority targets via, for example, close access and/or covert entry techniques. (1) Collection of intelligence from the internet, internet protocol networks and systems, and related devices Figure 2a – Primary responsibilities Domestic (strategic) Law enforcement agencies developing requirements (e.g., SOCA, HMRC) Domestic (tactical, based on individual targets) Communications Data (CD) Content Overseas (strategic and tactical) IMP developing solution Security Service NTAC UK SECRET -2- GCHQ

UK SECRET DRAFT As indicated in figure 2a, the primary existing collection capabilities are cleanly allocated between the Security Service and NTAC (domestic) and GCHQ (overseas collection) with key gaps being filled by the law enforcement agencies and IMP. There are also several opportunities for collaboration and sharing of key capabilities, which become more apparent once the major programmes are overlaid, see figure 2b. Figure 2b – Key programmes Domestic (tactical, based on individual targets) Digint Content Overseas (strategic and tactical) IMP Law enforcement agencies developing requirements (e.g., SOCA, HMRC) Communications Data (CD) Domestic (strategic) IMP developing solution EIS NTAC programme Security Service NTAC SigMod GCHQ This representation also illustrates the absence of overlap between the Digint, IMP and SigMod programmes owing to the fact that each supports distinct and complementary UK collection capabilities. However, these complementarities create strong dependencies – for example, the Digint Programme could continue to deliver benefits in isolation of IMP, but would fail markedly to achieve its overall assurance objectives were it not for the NTAC and EIS capabilities that IMP is driving. (2) Exploitation of collected intelligence Exploitation responsibilities are allocated along similar geographic lines, as shown in Figure 3. UK SECRET -3-

UK SECRET DRAFT Figure 3 – Key exploitation responsibilities Origin of threat Domestic National Security Overseas Security Service GCHQ Economic wellbeing and serious crime SIS Law enforcement agencies (including HMRC, SOCA) Close partnership is essential to effective exploitation because, due to the nature of modern communications networks, the line between ‘domestic’ and ‘international’ is often blurred. In particular, domestic terrorists will often receive recruitment, radicalisation, fundraising, propaganda, or even direct command and control from overseas. Even as early as 2003, Operation OVERT found evidence of each of the above internet uses. Further details on the roles and responsibilities associated with the above images are contained in the annex to this document. The Security Service’s response In the area of national security the Security Service is already finding that its investigative targets use the internet, computers and smart phones extensively – including the advanced capabilities they offer. This is particularly the case in its CT work. Because terrorist planning can often span many countries, the internet provides an important tool to terrorists for communication with contacts overseas. It also offers to them apparent security benefits (although these are often perceived rather than real). As a result, collecting and exploiting this sort of target usage of technology offers real value to counter-terrorism both within the UK and outside. This includes ‘upstream work’ where investigations focus on threats posed to the UK by individuals based in foreign countries. UK SECRET -4-

UK SECRET DRAFT The Digint Programme The Security Service’s Digint Programme is being set up, with support from GCHQ, SIS, and the IMP Programme to transform its ability to work with Internet and other IP data, specifically for CT, but more generally for wider national security purposes. At this stage, the programme has three main ambitions: 1. Build the foundations of a strategic capability with our partners The Digint Programme, NTAC, GCHQ and the IMP are dependent on each other to address collectively the challenges of ‘the internet age’ and its associated threats to national security. We have to work together if we are to solve this difficult problem and provide the desired level of assurance. This joint approach will also contribute value for money by avoiding duplication of spend, sharing relevant tools and tradecraft, and focussing investment on those parts of the intelligence apparatus best placed to deliver. In particular: - GCHQ’s SigMod transformation and GCHQ and IMP’s EIS capability will substantially enhance the breadth and depth of intelligence collected and exploited from overseas upon which the Service will be able to draw, thereby reducing the volume of collection for which it would need to find a tactical collection solution. - GCHQ and IMP’s NTAC Programme will deliver a strategic domestic content collection capability that will also begin to reduce the requirement on the Service to deliver new tactical collection activities. - The Service’s Digint Programme focuses investment on the narrow range of tactical collection activities that offer greatest assurance with respect to the activities of key investigative targets, and on those exploitation activities that will drive greatest investigative benefits with respect to UK domestic threats. In turn, the data, tools and intelligence that results from these activities have been shown to enhance the efficacy of the key strategic solutions already mentioned, and will continue to do so. 2. Solve the immediate challenge The Security Service has already become the principal collector and exploiter of targets’ digital footprint in the domestic space. By dint of its specific needs and role, some of the techniques it uses are unique to the Service. But its UK SECRET -5-

UK SECRET DRAFT efforts, which have already grown significantly over the last few years are in imbalance. It can currently collect (whether itself or through partners such as NTAC) significantly more than it is able to exploit fully. This creates a real risk of ‘intelligence failure’ ie from the Service being unable to access potentially life-saving intelligence from data that it has already collected. The Service’s primary need therefore is to develop at pace through the Digint Programme capabilities (i.e. processes, people and technology) which will enable it to improve investigative value from its collection investment, now and in the future, in a way that is compatible with developments in IMP and GCHQ. 3. Extend coverage Given the increasing importance of a target’s ‘digital footprint’ to investigations, a substantial increase in coverage is required. The Service therefore seeks to collect and exploit more material, and its target is double what it currently collects by end FY 10/11 so as to allow coverage of all priorities of CT investigation. The enhanced capabilities will be targeted and specific in scope and thus will satisfy the central legal requirements of necessity and proportionality, as well as being cost effective. They are also well placed to address growing evidence of threats coming from people on the peripheries of investigations, the events on Christmas Day in Detroit being a recent example. Successful achievement of ambitions 1 and 2 will be essential if we are to protect our existing capabilities in the face of evolving technology and target behaviours. Ambition 3 will need to adapt to any shift in the level of terrorist activity or the level of assurance that the Service is required to provide. Further details around the programme’s approach and benefits can be found in the 6th November 2010 Digint Strategy and the Digint Programme’s draft Outline Business Case. This latter document is seeking HMT approval during March 2010. UK SECRET -6-

UK SECRET DRAFT Annex – further description of current roles and responsibilities  Collection responsibilities may be further divided into five broad categories, based principally on geography (Domestically or Internationally -focused) and scale (Strategic or Tactical): o Strategic (large-scale, enduring) domestically-focused collection of Content day to day is the responsibility of NTAC, which is accountable to Director GCHQ. The Interception Modernisation Programme (IMP)1 is responsible for funding NTAC’s transformation of its domestic Content collection operations so as to be fit for purpose for the internet and IP networks. o The IMP is also responsible for providing the future IP Strategic domestically-focused collection solution for CD. At present, the Communications Service Providers provide requested CD direct to the agencies that need it. Determining an ‘internet-proof’ solution for CD – i.e. one that can address the growing range of services available to internet users while maintaining HMG capabilities to provide CD that can be used in evidence by Law Enforcement agencies – requires legislative change which IMP must deliver. o Individual agencies develop and deploy methods for Tactical (smallscale, short-term) domestically-focused collection of Content and CD where the strategic solutions are inadequate. To date this has mainly been by the Security Service, although others such as SOCA and HMRC are developing requirements in this space. o Strategic internationally-focused collection of Content and CD falls to GCHQ. Its ‘Mastering the Internet’, ‘Better Analysis’ and ‘Support to Military Operations’ programmes address the requirements in this space. o Tactical internationally-focused collection of Content and CD is also worked by GCHQ, filling gaps on a case by case basis often in partnership with SIS and MoD. 1 Managed by the Home Office’s new Communications Capabilities Directorate UK SECRET -7-

UK SECRET  DRAFT Exploitation responsibilities are divided primarily by geography and purpose. For example, is there an overseas threat to our national security, is there a domestic threat to the nation’s security, or are we working to secure an important criminal conviction? o the Security Service leads for national security purposes on exploitation of the digital ‘footprint’ created within the UK by investigative targets. It does this in close partnership with GCHQ which concentrates principally though not exclusively in the exploitation of targets overseas. SIS helps fill some niche gaps outside the UK. Close partnership is essential because, due to the nature of modern communications networks, the line between ‘domestic’ and ‘international’ is often blurred. In particular, domestic terrorists will often receive recruitment, radicalisation, fundraising, propaganda, or even direct command and control from overseas. Even as early as 2003, Operation OVERT found evidence of each of the above internet uses. o GCHQ (often in partnership with SIS and with occasional niche assistance from the Security Service) leads on exploiting communications and IT networks for the purpose of countering national security, economic wellbeing and serious crime threats that originate from overseas. o Law enforcement agencies (including SOCA and HMRC) exploit communications in support of the detection and prevention of serious and organised crime. They are assisted in this by GCHQ and, on occasions, SIS for targets overseas and by NTAC for targets in the UK. UK SECRET -8-