Since the start of the Snowden-revelations in 2013, many people got the impression that the US National Security Agency (NSA) mainly intercepts the communications of ordinary citizens. In reality, the NSA is part of the Department of Defense and as such, a large part of its job is to collect data for tactical military purposes.
A good example of the latter task comes from an internal NSA damage assessment report about the 2001 Hainan Island incident, in which an EP-3E electronic surveillance aircraft collided with a Chinese fighter jet and had to make an emergency landing on the Chinese island of Hainan.
The report was among the Snowden-documents and published by The Intercept on April 10. As will be shown here, it provides many details about both the interception and the encryption equipment aboard the EP-3E aircraft.
A Lockheed EP-3E electronic surveillance aircraft from the US Navy
(photo: US Navy - click to enlarge)
The purpose of the report was to review and assess the damage to cryptologic sources and methods and the response of the US SIGINT agencies to the crisis. The second was to review and assess emergency destruction of classified material and the emergency procedures.
In general, damage to Communications Security (COMSEC) systems, like cryptographic devices, keying material and encryption methodology, was considered low, mainly because cryptographic devices are designed in anticipation of being lost or compromised.
For Signals Intelligence (SIGINT), the equipment to intercept communications and other signals as well as the results of these efforts, there was an opposite approach: the assumption had been that sensitive SIGINT material would be protected at all time, or destroyed before it was lost or compromised.
Because emergency destruction techniques didn't kept pace with technology, especially where they often no longer reside in hardware, but in software. The Hainan incident revealed that existing destruction procedures were outdated and inadequate. Also, individual and crew training appeared to be deficient and lacked realism and context.
Nevertheless, damage in the realm of tactical SIGINT was assessed to be medium, which means that the damage was recoverable with concerted effort.
The EP-3E aircraft
The EP-3E aircraft is a modified version of the Lockheed P-3 Orion, which is a four-engine turboprop aircraft developed for the US Navy and introduced in the 1960s. The Platform Integration division of the military contractor L-3 converted several P-3Cs into the EP-3E, which is also known as ARIES (Airborne Reconnaissance Integrated Electronic System). The Navy has 11 EP-3Es, the last of which was delivered in 1997.
The plane generally has a crew of 24, including linguists, cryptographers and technicians. The EP-3E that flew over the South China Sea carried an 18-member reconnaissance team from the Navy, Marines, and Air Force, in addition to a 6-member flight crew. The position of their workstations can be seen in this schematic from the damage assessment report:
Other tactical SIGINT spy planes are the Boeing RC-135 COBRA BALL, COMBAT SENT or RIVET JOINT of the US Air Force, the De Havilland RC-7 Airborne Reconnaissance Low (ARL) of the US Army and the Beechcraft (R)C-12 Huron, which is used by the Army, the Navy, the Air Force and the Marine Corps.
Together with other flying spying platforms like drones and satellites, these planes contribute to what is called Overhead Collection. The NSA's other primary information channels are cable access, hacking operations, joint NSA-CIA units and foreign partnerships.
COMINT stands for Communications Intelligence, which is information derived from the interception of foreign communications, either between people or between machines. Together, COMINT and ELINT (see below) are called SIGINT.
The COMINT collection system onboard the EP-3E consisted of antiquated HF, VHF, and UHF receivers, a rudimentary signal distribution network, and narrowband cassette recorders. The COMINT collection system used the ALD-9 antenna and processor package. In addition to installed equipment, six carry-on computers were onboard.
The COMINT equipment was generally unclassified with the exception of two carry-on computers, a SCARAB computer containing the LUNCHBOX PROFORMA processor and a laptop containing MARTES analysis tools. All data on these two systems was considered compromised.
Although other planes in the military’s spy fleet had recently undergone a major surveillance equipment upgrade, the plane that ended up in Chinese hands was two weeks away from getting one, so the equipment was old and outdated and a lot of it didn’t work properly.
The SCARAB is a portable computer device that contained the LUNCHBOX processor, which uses software to process 40 worldwide PROFORMA signals, some teleprinter and pager signals, datalink signals for the HUNTER and PREDATOR drones, and the Joint Air to Surface Stand Off Missile (JASSM) datalink. Additionally, the SCARAB computer contained the XBIT Signals Analysis software for bit manipulation and BLACKMAGIC demodulation software.
The SCARAB computer containing the LUNCHBOX processor for PROFORMA data
(photo: EP-3E incident report - click to enlarge)
PROFORMA is the codename for digital command and control data communications that relay information and instructions to and from radar systems, weapon systems (like surface-to-air missiles, anti-aircraft artillery, fighter aircraft), and control centers.
Exploitation of this information provides US and allied warfighters nearly instantaneous situational awareness data from a target country's radar systems. This information supplements US sensor systems while providing insight into the target country’s decision process.
Several working aides aboard the EP-3E provided details about Russian-designed PROFORMA signals used by North Korea, Russia, Vietnam, and possibly China. This material detailed the association of signals to specific weapon systems. China was known to use two of the signals resident in the LUNCHBOX processor.
For the 2001 mission over the South China Sea, the Science and Technology (S&T) Operator aboard the EP-3E was tasked to collect and process PROFORMA signals possibly associated with Chinese SA-10 surface-to-air missiles and Chinese short-range air navigation.
Besides the SCARAB computer, there was also a Tadpole Ultrabook IIi laptop, which contained the MARTES software tools, the RASIN Manual, the RASIN Manual Working Aid and the Telegraphic Codes Manual.
RASIN stands for Radio Signals Notation and is the COMINT Signal Classification System for classifying and reporting a wide variety of signals with their associated parametrics and characteristics. Together, the RASIN manual and the aforementioned files provided a comprehensive overview of how US intelligence exploits an adversary’s signal environment.
The Tadpole Ultrabook IIi laptop with MARTES software tools
(photo: EP-3E incident report - click to enlarge)
MARTES is the name of a set of software tools for collecting, analyzing, and processing signals. A new version of MARTES is released approximately every six months, and it is generally divided into COMINT, FISINT and ELINT tools.
A portable, digital player/recorder used to collect the signals analyzed by MARTES contained a tape of 45 minutes of enciphered and unenciphered Chinese Navy communications. The unenciphered portions carried speech segments that identified Chinese communicants.
The compromise of the largely tactical COMINT documentation was rated medium. The most sensitive and damaging documentation contained detailed collection requirements against Chinese military datalink and microwave signals. The tasking data included frequencies, data rates, dish sizes, and target communicants.
Also compromised was the ability of the US to collect Chinese submarine signal transmissions and make subsequent vessel correlations. This compromise could prompt the Chinese to modify that particular signal.
ELINT stands for Electronic Intelligence and comprises the technical and intelligence information obtained from the intercept and analysis of noncommunication, electromagnetic radiations.
The ELINT systems onboard the EP-3E included a disparate collection of antennas, signal distribution networks, wideband and narrowband receivers, recorders, and processing and display equipment. The bulk of these systems were off-the-shelf devices that, although designed for the ELINT mission, contained no particularly sensitive technologies.
The system that were of a specific concern after the Hainan incident included the AN/ULQ-16 and the AN/ALQ-108. The AN/ULQ-16 is a computerized pulse processor used to make detailed timing measurements of radar signals. The AN/ALQ-108 is an enemy IFF (Identify Friend or Foe) interrogation system, which is used to actively and passively exploit early Soviet IFF and range extension signals.
Emergency destruction of the ELINT equipment during the Hainan incident was largely ineffective. The crew zeroized (deleted) all memories and erased all mission data, but the rugged construction of critical components and lack of destruction tools prevented adequate destruction.
For internal communications, the EP-3E uses the the Digital Communications Management System (DCMS). All operational crew positions have access to the DCMS with headsets or through their helmets, with the exception of personnel in the galley and observers in the flight station. Communication paths between crew members are divided into various audio networks.
For communications with the outside world, there are numerous radios onboard, which connect to a variety of radio networks. Short-range communications are conducted using both plain voice and secure VHF and UHF radios. When the aircraft is on a mission for Sensitive Reconnaissance Operations (SRO), long-range communications with NSA and military operation centers are conducted via HF radio and over secure UHF satellite networks.
The EP-3E was equipped with the following radio transmitter/receivers (transceivers):
- Two AN/ARC-94 HF radios for long-range communication. One (HF-1) is configured for secure modem communications and is encrypted using a KG-84C encryption device. The other (HF-2) is configured for voice communications and can be encrypted using a KYV-5 encryption device.
- Three AN/ARC-206 radios for UHF line-of-sight communications. UHF-1 and UHF-2 are controlled by the Senior Evaluator (SEVAL) and are configured for voice communications. Both can be encrypted using KY-58 encryption devices. A third AN/ARC-206 radio is configured for line-of-sight datalink operations.
- Two AN/ARC-182 radios for VHF or UHF line-of-sight communications. Both are controlled from the flight station and are configured for voice communications. Both can be encrypted using KY-58 encryption devices. The control units for these radios have a switch setting allowing an easy and immediate change to emergency frequencies.
- One LST-5 satellite radio for secure UHF voice satellite communications. The radio can only be controlled locally at its location is in an avionics bay inside the aircraft cabin. It is encrypted using a KY-58 encryption device.
- The OL-390 Digital Communications Group and its associated UHF radio are used for secure satellite modem communications. The radio is controlled by the secure communications operator and is encrypted using a KG-84A encryption device. Because this radio shares distribution and antenna equipment with the LST-5, simultaneous transmission using both radios is not possible.
For securing voice and data communications, the EP-3E had 16 encryption devices onboard, of the following types:
- The KY-58, which is used for voice and data encryption at 16 Kb/sec over AM/FM, VHF and UHF radio and satellite channels. The device can be used for data up to the classification level TOP SECRET. It accepts keys from the family of Common Fill Devices and also incorporates remote keying. The production of the KY-58, which is part of the VINSON family, was completed in 1993.
- The KG-84, which is used for data encryption at 64 Kb/sec over radio and satellite channels. The KG-84 can be used for communications up to the level of TOP SECRET, depending on the key-set that is loaded, and is fully complient with NSA TEMPEST standards. Like similar encryption devices, the KG-84 can be controlled either locally, or remotely (for example from the cockpit) through a Remote Control Unit (RCU).
KG-84C (left) and a KG-84A (right) encryption devices
(photo: EP-3E incident report - click to enlarge)
- The KYV-5, which is used for voice or data encryption over HF, VHF and UHF radio and satellite channels. The KYV-5 is a relatively small communications security module which is attached to a larger CV-3591 converter, together forming a TACTERM unit. The device is part of the Advanced Narrowband Digital Voice Terminal (ANDVT) family.
The damage assessment report isn't clear about whether the Chinese removed these encryption devices from the plane before giving it back to the US. The particular equipment had previously been compromised, though not directly to China, and the report also mentions that components of for example the KG-84 had also been available through sites like eBay.
Beside the KY-58, KG-84 and KYV-5 encryption devices, the EP-3E also carries KYK-13 and KOI-18 electronic fill devices, a KL-43 off-line encryption device, and a Global Positioning System (GPS) unit.
The EP-3E that landed on the Hainan island also carried keying and other cryptographic materials for its various secure devices, including Top Secret keying material in canisters, entire codebooks, and call sign lists. In all, this was much more than what was needed for the mission: nearly a month's worth of keying material and codebook pages that were not scheduled to become effective until well after the scheduled landing.
Instead, the use of an electronic key loading device such as the CYZ-10 Data Transfer Device (DTD) could have eliminated the risk of hardcopy keying material compromise. These devices can hold multiple keys, load multiple devices, and are easily zeroized.
During the Hainan incident, most cryptographic keys and codebooks had been jettisoned by the plane's crew, but the remaining material was considered compromised. However, all the encryption keys (except for the worldwide GPS key) were replaced by new ones within 15 hours of the EP-3E's emergency landing.
A COMSEC Material System (CMS) box containing cryptographic keying material
(photo: EP-3E incident report)
The radio equipment onboard the EP-3E conntected to the following networks:
- The Global High Frequency System (GHFS), which is a worldwide network of highpower HF stations that provides air/ground HF command and control radio communications between ground agencies and US military aircraft. The GHFS network supports Sensitive Reconnaissance Operations aircraft by passing encoded advisory conditions (NICKELBACK), position reports and administrative traffic. As of October 1, 2002, the network was renamed into High Frequency Global Communications System (HFGCS).
- The Pacific Tributary Network (PTN), which is a UHF secure voice satellite network that provides COMINT advisory support and threat warning to deployed US and allied forces. Network participants include the Pacific Reconnaissance Operations Center (PACROC), which provides coordination and flight following to SRO aircraft, the NSA's Kunia Regional SIGINT Operations Center (KRSOC) on Hawaii and the National Security Operations Center (NSOC) at Fort Meade.
- The SENSOR PACER network, which is a UHF secure low data-rate digital satellite network that provides time-sensitive SIGINT reporting, COMINT advisory support, threat warning, and administrative traffic support to Sensitive Reconnaissance Operations platforms worldwide. Network participants include KRSOC and the Tactical SIGINT Interaction Center at Kadena AB, Okinawa (TSIC-K).
- The SIERRA ONE Early Warning network, which is a UHF secure voice satellite network utilized by 5th and 7th Fleet Orion P-3's and EP-3E's for tactical reporting and coordination. Network participants include all PACOM Tactical Support Centers (TSC) and CTF 57/72, Kami Seya, Japan.