FAIRVIEW overview with notes

TOP SSO FAIRVIEW Overview TOP

TOP SECRET//SI/OC//NOFORN AGENDA (U) FAIRVIEW DEFINED (U) OPERATIONAL AUTHORITIES/CAPABILITIES (U) STATS: WHO IS USING DATA WE COLLECTED (U) FAIRVIEW WAY AHEAD AND WHAT IT MEANS FOR YOU • (U) QUESTIONS • • • • TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN (TS//SI//NF) International Cables (TS//SI//NF) TOP SECRET//SI/OC//NOFORN

Brief discussion of global telecommunications infrastructure. How access points in the US can collect on communications from “bad guy” countries (least cost routing, etc.)

TOP SECRET//SI/OC//NOFORN WHERE SSO IS ACCESSING YOUR TARGET (TS//SI//NF) TARGET SSO UNILATERAL PROGRAMS CA BL E TAP MAIL, VOIP, CLOUD SERVICES CORP PARTNER SSO BLARNEY AND PRISM SSO CORP RAM-A RAM-I/X RAM-T RAM-M DGO WINDSTOP MYSTIC FAIRVIEW STORMBREW OAKSTAR TOPI PINWALE XKEYSCORE TOP SECRET//SI/OC//NOFORN TURMOIL (TS//SI//NF)

TOP SECRET//SI/OC//NOFORN FAIRVIEW DEFINED • (TS//SI//NF) Large SSO Program involves NSA and Corporate Partner (Transit, FAA and FISA) • (TS//SI//REL FVEY) Cooperative effort associated with midpoint collection (cable, switch, router) • (TS//SI//NF) The partner operates in the U.S., but has access to information that transits the nation and through its corporate relationships provide unique accesses to other (TS//SI//NF) telecoms and ISPs 5 (TS//SI//NF) TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN Unique Aspects (C) Access to massive amounts of data (C) Controlled by variety of legal authorities (C) Most accesses are controlled by partner (C) Tasking delays TOP SECRET//SI/OC//NOFORN

(TS//SI//NF) Key Points: 1) SSO provides more than 80% of collection for NSA. SSO’s Corporate Portfolio represents a large portion of this collection. 2) Because of the partners and access points, the Corporate Portfolio is governed by several different legal authorities (Transit, FAA, FISA, EO12333), some of which are extremely time-intensive. 3) Because of partner relations and legal authorities, SSO Corporate sites are often controlled by the partner, who filters the communications before sending to NSA. 4) Because we go through partners and do not typically have direct access to the systems, it can take some time for OCTAVE/UTT/Cadence tasking to be updated at site (anywhere from weekly for some BLARNEY accesses to a few hours for STORMBREW).

TOP SECRET//SI/OC//NOFORN Transit Authority (TS//SI//NF) (TS//SI//NF) TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN Transit Authority • (S//SI//REL FVEY) Communications must be confirmed foreign-to- foreign. • (S//SI //REL FVEY) Filters at front-ends to ensure only authorized traffic is forwarded to the DNR and DNI selection engines. • (S//SI //REL FVEY) Occasionally the TOPI discovers that one end of the intercept is actually in the US. We refer to this as a “domestic incident”. • (C) TOPI’s must inform SSO Corp Team when this occurs via email alias . SSO files a formal report to NSA/SV for each occurrence of a domestic incident. TOP SECRET//SI/OC//NOFORN

•(S//SI) Transit Authority – Only allows those SSO programs operating under this authority to collect communications which are confirmed to be foreign-to-foreign. • (S//SI) SSO programs operating under this authority have filters at their collection front-ends to ensure only authorized traffic (i.e. foreign-to-foreign) is forwarded to the DNR and DNI selection engines (driven by UTT/CADENCE/OCTAVCE tasking). • (S//SI) Despite best efforts, occasionally there may be an “authorized” DNR or DNI hit forwarded to the TOPI, which based on TOPI analysis eventually determines that one-end of the intercept is actually in the US. We refer to this as a “domestic incident”. This usually occurs in the DNR world, where one-end of the intercept will make a reference to being in the US. • (C) TOPI’s must inform SSO Corp Team when this occurs via email report to NSA/SV for each occurrence of a domestic incident. . SSO files a formal

TOP SECRET//SI/OC//NOFORN US-990 FAIRVIEW-TRANSIT (TS//SI//NF) US-990 (PDDG-UY) – key corporate partner with access to international cables, routers, and switches. (TS//SI//NF) Key Targets: Global (C) DNR: Directory ONMR (C) DNI: Port 25 only under Transit Authority All port traffic under FAA Authority Cyber access TOP SECRET//SI/OC//NOFORN

Key points: 1) 2) 3) 4) 5) Explanation of Port 25 and 3-Swing Algorithm. 60 million foreign-to-foreign emails in the FAIRVIEW environment ever day; 5 million after 3-Swing Algorithm. FAA collection under SIGADs US-984XR and US-984X2. FISA collection under SIGAD US-984T (COWBOY). Tasking through UTT, Cadence, and OCTAVE. Data in PINWALE (YANKEE), XKEYSCORE, MAINWAY, TOYGRIPPE, BLACKPEARL, TWISTEDPATH, NUCLEON, and DISHFIRE.

TOP SECRET//SI/OC//NOFORN US-984X* - FAA (TS//SI//NF) US-984XR (PDDG: YC-DNI) and US-984X2 (PDDG: 29-DNR) –collecting under FAA authority. Must be justified under FAA Certification and selector must be foreign. (C) DNI and DNR collection (U//FOUO) “go FAA” for more information. TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN US-984T - FISA (TS//SI//NF) US-984T– Must be justified under FISA warrant. (C) DNI collection (U//FOUO) “go FISA” for more information. TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN FAIRVIEW Targeting Capabilities FAA SMS Targeting FAA IP Targeting • • (TS//SI// REL FVEY) DISHFIRE/SPYDER are not partitioned to support FAA SMS targeting • (TS//SI//NF) Category: 4208 SIGAD: US-984X2 • (TS//SI// REL FVEY) Data can be found in PINWALE • (TS//SI// REL FVEY) Began APR/MAY 2011 • • (TS//SI//NF) If you know an IP is foreign and all actors using that IP is a valid target, then it can be tasked via UTT (TS//SI//REL FVEY) 25 IPs tasked through UTT (TS//SI//NF) Collect anything coming from that IP (TS//SI//NF) IP addresses approved for 702 IP Subnet tasking Filter Target 30-Jul-12 Yes Yes Faded Aftermath 24-Jul-12 Yes CARBONFURY 30-Aug-12 Yes TOP SECRET//SI/OC//NOFORN Date of DOJ/ODNI pre-approval 2-Feb-13 (TS//SI//NF)

TOP SECRET//SI/OC//NOFORN US-3105S1 FAIRVIEW/TAO Shaping (TS//SI//REL FVEY) US-3105S1 (PDDG: DU) - FAIRVIEW support to Tailored Access Office (TAO) shaping operations collecting under E.O. 12333 authority * NATIVEFLORA – Case Notation: (TS//SI) Key Targets: (S//SI) (DNI collection) * UNICORNSANDWICH – Case Notation: (TS//SI) Key Targets: (S//SI) (DNI collection) * CROSSEYEDBEAR – Case Notation: (TS//SI) Key Targets: (S//SI) (DNI collection) * SCORCHERSIX – Case Notation: (TS//SI) Key Targets: (S//SI) (DNI collection) * TROPICTHUNDER – Case Notation: (TS//SI) Key Targets: (S//SI) (DNI collection) * DARKTHUNDER – SUSPENDED Case Notation: (TS//SI) Key Targets: (S//SI) DNI collection * STEELFLAUTA – SUSPENDED Case Notation: (TS//SI) Key Targets: (S//SI) DNI collection Note: Expect more TAO/SSO shaping efforts in near future. TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN Collection Type – 12 months collection (1 Jan 2012 – 31 Dec 2012) based on Serialized Product Reports COLLECTION BY CATEGORY 3000 2500 (TS//SI//NF) 2416 S2D Issued Product Reports 2199 2000 1692 1500 1000 405 500 218 106 37 0 FORNSAT SSO TAO OTHER SCS TOP SECRET//SI/OC//NOFORN Specials SMO (TS//SI//NF) Classified By: Derived From: NSA/CSSM 1-52 Dated: 20070108 Declassify On: 20380201

Look at FAA. Just look at it. - 12 months collection (1 Jan 2012 31 Dec 2012) based on Serialized Product Reports COLLECTION BY CATEGORY 3WD ruomqm 2500 5m- FORNSAT SSO TAO OTHER 568 Snail:

TOP SECRET//SI/OC//NOFORN SSO Programs – 12 months of collection (1 Jan 2012 – 31 Dec 2012) based on Serialized Product Reports (TS//SI//NF) 900 S2D Issued Product Reports 800 SSO PROGRAMS 806 700 600 538 500 408 400 393 297 300 200 159 159 65 100 33 28 16 14 I/X RA M AR KS T OA YS TI C M -M RA M BL AR NE Y FA IR VI EW ST OR M BR EW -A RA M -T RA M DG O DS TO P W IN BL AR NE Y (P RI S M ) 0 (TS//SI//NF) TOP SECRET//SI/OC//NOFORN Classified By: Derived From: NSA/CSSM 1-52 Dated: 20070108 Declassify On: 20380201

Look at FAA. Just look at it. momgm 6-,w-T 880 Program - 12 months of collection (1 Jan 2012 - 31 Dec 2012) based on Serialized Product Reports 550 PROGRAMS 90 Issued Mun ?mm mum-mm

TOP SECRET//SI/OC//NOFORN SSO Corp Programs Support to S2D (TS//SI//NF) SSO-FAIRVIEW Programs contributed to 159 S2D Product Reports in 2012. This represented ~1.4% of total S2D Product Reports for 2012. TOP SECRET//SI/OC//NOFORN

(TS//SI//NF) 159 PRODUCT REPORTS ATTRIBUTED TO FAIRVIEW. 11’591 PRODUCTS PRODUCED BY S2D IN 2012.

TOP SECRET//SI/OC//NOFORN SSO Corp Support to S2D (TS//SI//NF) SSO Corp Program BLARNEY US-984* (less US-984X*) S2D1 Product Reports S2D2 Product Reports S2D3 Product Reports S2D4 Product Reports 12 2 151 - PRISM (US-984XN) 273 291 150 35 US-984X* FAA (not US-984XN) 286 340 164 35 STORMBREW (US-983) 27 4 7 3 FAIRVIEW (US-990) 46 13 21 9 9 - 7 2 STORMBREW (US-984XA-XH) 18 22 2 - FAIRVIEW (US-984XR, US-984X2) 17 43 18 - STORMBREW (US-984P) - - - - FAIRVIEW (US-984T) - - - - 411 401 329 48 OAKSTAR (US-3277, US-3354, US-3206, US- 3251, US3230, US-3217, US-3273, US-3333, US-3247) Total Serialized Product Reports (TS//SI//NF) TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN FAA DNI Tasking (30 Jan) (TS//SI//NF) Increase in number of selectors tasked to FAA/PRISM % Points Change From Compared to Dec 2011 Dec2011 Product Line All DNI Selectors Tasked DNI Selectors Tasked to SSO_CT_N (FAA/PRISM) % of DNI Selectors Tasked to FAA/PRISM S2A 9650 987 10% -5 +232 S2B 12872 2263 18% +6 +842 S2C 8763 1059 12% +3 +468 S2D 10846 3796 35% +11 +1872 S2E 18061 6935 38% -4 +938 S2F 3577 1011 28% +2 +423 S2G 12788 4172 33% +2 +1019 S2H 10497 828 8% +6 +660 S2I 14945 11461 77% -1 +818 S2J 1077 242 22% -2 -55 12 TOP SECRET//SI/OC//NOFORN (TS//SI//NF)

TOP SECRET//SI/OC//NOFORN TOPI Access To FAA Data • (TS//SI//NF) Analysts must have FAA training and RAGTIME – A & C access to view all the data • (TS//SI//NF) SSO Corporate FAA DNI traffic is available in PINWALE under the SWEETSMACK2 (CT) SOURSMACK2 (FG, CP) partitions/visibility groups • (TS//SI//NF) FAIRVIEW FAA DNR data is accessible to all in NUCLEON, SIGAD = US-984X2 22 TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN FAIRVIEW CAPABILITIES AND WAY AHEAD • (TS//SI//NF) FAIRVIEW is using the EVILOLIVE list as front-end filter, which gives the widest aperture to pull traffic into TURMOIL • • • SCALEABLE – expanding with addition of IPv6 FLEXIBLE – SSO updated daily Dynamic – filters updated every 2 weeks but can be updated within 24 hrs if required • (TS//SI//NF) FAIRVIEW transit DNI is developing capability to expand to POP3 • (TS//SI//NF) FAIRVIEW transit DNR safeguards – • • • 23 number normalization (OPC/DPC) – REGEX rules TOPIs are the last line of defense in reporting one-end domestic incidents to SSO and requesting data purge SSO improving processes for reporting infractions and implementing fixes TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN Corporate Portfolio FAIRVIEW (C) US-990 (C) US-984XR (C) US-984X2 (C) US-984T OAKSTAR FAIRVIEW (T) FAIRVIEW (FAA) FAIRVIEW (FAA) FAIRVIEW (FISA) BLARNEY (C) US-984 (C) US-984X* FISA collection FAA collection (C) US-3206 (C) US-3217 (C) US-3230 (C) US-3247 (C) US-3251 (C) US-3273 (C) US-3277 (C) US-3354 MONKEYROCKET* SHIFTINGSHADOW ORANGECRUSH YACHTSHOP ORANGEBLOSSOM SILVERZEPHYR (T/FAA) BLUEZEPHYR COBALTFALCON SSO Corporate/TAO Shaping STORMBREW (C) US-983 STORMBREW (T) (C) US-984XA-H STORMBREW (FAA) (C) US-984P STORMBREW (FISA) (C) US-3105S1 T= Transit TOP SECRET//SI/OC//NOFORN

Systems under a corporate program can be completely unrelated to one another (e.g., everything in OAKSTAR is different). *MONKEYROCKET is expected to become non-operational at the end of 2013. Blue-colored systems operate under Transit Authority. US-3150 is an umbrella SSO SIGAD for the Extended Enterprise.

TOP SECRET//SI/OC//NOFORN Help Us Help You • (TS//SI//REL FVEY) Submit Surrey Requirements to Unconventional Collection Discipline, with US-990 as a nominated SIGAD. (Protect your accesses) • (TS//SI//REL FVEY) Task FAIRVIEW in CADENCE dictionaries and UTT (we have ~5 million emails/day that make it past our authorization process and which then get sent to our dictionaries to see if any are tasked by our customers). • (TS//SI//REL FVEY) Accurate inclusion of Case Notation in reporting records. Permits us to backtrack and determine productive links and keep them on copy. • (TS//SI//REL FVEY) General Feedback – things going right (gee-whiz products which FV contributed to), things that can be improved. • (TS//SI//REL FVEY) Take advantage of FAA tasking. If you can justify it under existing FAA Certifications, you should be tasking your selectors under FAA authority. This opens up the FAIRVIEW program to do more than just port-25 collection (which is what we only do under Transit Authority). 25 TOP SECRET//SI/OC//NOFORN

TOP SECRET//SI/OC//NOFORN Contact Us Collection Managers FAIRVIEW Mission Management “DL sso_corp_mm” “go FAIRVIEW” “go theSSO” – Takes you to the SSO webpage “SSO Corporate Portfolio” Wiki-NF TOP SECRET//SI/OC//NOFORN

1) Questions about individual accesses should be sent to the appropriate collection manager. 2) Questions about tasking should be sent to Mission Management. 3) All the information in this brief (in much more detail) can be found on the SSO Corporate Portfolio pages on WIKINOFORN.