RSS

The NSA's org chart

November 27, 2013, at 5:13 PM

Here is the latest version of the National Security Agency's unofficial org chart, a mind map I have been updating ever since Edward Snowden made it cool to obsess about the NSA. My goal is to turn the map into a functional description of how NSA works, not just what NSA is. It's a work in progress.

It's difficult enough to keep track of all the cover terms the NSA uses for databases, systems, and intercept points, but it's almost impossible, even given a wealth of classified documents, to figure out how these discrete entities relate to each other. The NSA's FISA collection adds a another dimension of complexity.

In general, the chain of signals intelligence, excluding FISA, operates this way:

Analyst figures out whom to target, or gets an order to target someone.

Analyst validates the target as having foreign intelligence value and eliminates, to a reasonable degree, the possibility that the selector is connected to a U.S. person.

Analyst figures out how to best collect intelligence on the target.

Analyst "tasks" the selector, using a front end system to connect to the stream of raw SIGINT that NSA collects from its collection points, called SIG-ADs.

Analyst uses another database to analyze the collected intelligence, and performs a variety of data manipulations to discover links, assess significance, and uncover leads.

Analyst writes a report based on the analysis.

The raw data is ingested into one of many final resting place databases, many of them soon to be physically located in Utah.

At each step of this process, a different tool with a different cover term is used. Hence the complexity.

An analyst might use the Universal Tasking Tool to turn an email address or phone number into a "selector" that he or she can then use other databases to query. Once validated as a legitimate foreign intelligence target, the selectors live, virtually, in two databases: Octave and Contraoctave.

The analyst then queries BoundlessInformant, which is the interface on top of a huge metadata repository called GM-PLACE, to figure out how to best collect intelligence on the target, or what data stream to sift through to see if the target/selector is communicating in that stream.

So now, the analyst can task the selector to a larger NSA system, like XKEYSCORE, allowing him or her to check whether that selector is active and with whom it is communicating, and, in many cases, read, or listen to, in real time, the content of a call or email.

The analytical product goes into one of about a dozen databases; the metadata for internet communications resides in MARINA, and the metadata for telephone calls is stored in MAINWAY.

The actual content is stored, for differing periods of time, in PROTON, NUCLEON, CONVEYANCE and PINWALE.

If the analyst works with FISA Amendments Act data, like telephone records from U.S. providers, he or she is generally working with PRISM, if analyzing the communications of a particular, known and judicially/internally approved target, or with MAINWAY, which contains a segregated section for United States telephone records.

If the analyst is collecting on a foreign target whose communications pass through the United States, he or she will almost certainly be using XKEYSCORE to filter or more of the cables (or streams) that transit through the country or collect. They can task XKEYSCORE to look at specific cable nodes if they know what internet provider the target uses. Each company that provides NSA with transiting data — think of the data splitters at AT&T hubs — has its own cover term associated with ALL operations.

Sources: author's reporting and research; Cryptome.org; MatthewAid (matthewaid.com), Edward Snowden documents; Top Level Telecommunications website; http://electrospaces.blogspot.com; reporting by The New York Times; el Globo; The Guardian; the Washington Post.

EDITORS' PICKS

THE WEEK'S AUDIOPHILE PODCASTS: LISTEN SMARTER

Facebook

Twitter

RSS

Subscribe to the Week