As I was stealthily gathering government secrets for the 2013 book I wrote about national security, a source of unimpeachable reliability tipped me off to a big one. The source told me that, in the course of a National Security Agency "information assurance" exercise, the agency discovered cellphone site emulators and even infrastructure around the White House and in downtown Washington, D.C., that did not belong to any companies actually licensed to install them.
The source told me they were "ghost-grabbers." At least one foreign intelligence agency managed to figure out a way to spy on cellphone calls originating from the area around the White House. Although White House security briefings routinely included warnings about foreign intelligence monitoring of personal and unencrypted cellphones, this was the first time that such an operation had been confirmed to exist in the heart of Washington, D.C.
This, I felt, was a pretty juicy story. I tried to find out more. My source provided some more details.
The NSA, intending to probe the U.S. Secret Service and the White House Communications Agency for security gaps in their communication practices, had obtained a map of the Communication Commission-approved cell towers and antennae in the area, most of them leased to Verizon, AT&T, and Sprint, and subleased to other carriers. Then, techs working for the NSA's "Red Cell" team used both conventional radio frequency scanners and some secret spy technology to intercept the cell signals that originated from various parts of the 18-acre campus that houses the White House and the executive offices of the president.
Using direction-finding gear, they were able to discern which towers most of the RF traffic was being directed to. They could then subject that traffic to tests: Could they see metadata patterns that revealed who was making a call to whom without having access to the phone records themselves? Could they, on the fly, intercept unencrypted communications, and listen to the content of the conversations? The NSA had obtained access to cellphone call records under its then-secret interpretation of Section 215 of the PATRIOT Act. Members of the Red Cell team who did the field monitoring could compare the signals they gathered with the location data the NSA collected in bulk and figure out which Secret Service and WHCA communications were vulnerable to interception. The Secret Service and WHCA had requested this exercise — the government wasn't secretly probing these agencies without their consent.
The last piece of information the source imparted to me was surprising. I asked if anyone — the FBI, maybe? — had done anything to any of the equipment they had found. Did they test it forensically? Did they remove it? What had happened next?
The source was not able to tell me.
As we completed the book, and as I reported on security as part of my job at National Journal, I tried to confirm the story. I could not. The FBI would not say if it had opened a counterintelligence investigation. The Secret Service wouldn't comment. Senior intelligence and national security officials would not bite. I could not find a second source. I did not have the story.
Fast forward to 2018. The Department of Homeland Security now officially acknowledges that there are numerous so-called "IMSI carriers" around Washington, D.C., cell site emulators that probably belong to foreign intelligence services. After Sen. Ron Wyden (D-Ore.), a member of the intelligence committee, wrote to DHS about "rogue cell site simulators," a DHS infrastructure official said that, yes, the devices were ubiquitous and a "real and growing threat."
I then discovered the answer to my last question: Was anything done six years ago when cruder variants of the things were originally found?
An intelligence community consultant told me that the FBI and the NSA worked together to figure out who had placed the devices, first, by covertly installing diversionary loops on the transmitters, which would, I was told, give clues about where the signals were being diverted. Was there some sort of microwave mechanism that was directing them to the Israeli, the Chinese, or the Russian embassies? (Each of those countries have signals intelligence vaults in their D.C. embassies, just like the NSA and CIA have their "Special Collection Services" hiding in embassies and other places across the world.)
The FBI also began covert physical surveillance on some of the devices they found. Inevitably, if they were valuable collection tools, the cell site emulators would need maintenance or service. Collecting on the collection of foreign intelligence services, something only the FBI is allowed to do inside the United States, would allow the intelligence community to build a picture of potential targets and to harden them. This is basic SIGDEV — Signals Development — and has been a staple of the spy world since the signals intelligence revolution in World War II.
The official said that the foreign intelligence services used a flaw in the information exchange system that cellphone companies used to share metadata with each other. The flaws were built into the maw by a result of a mismatch between the transferring software and hardware on the one hand, and the ramshackle and highly interdependent architecture of the system on the other.
In 2011 and 2012, communications techs called that protocol "Signaling System 7." It was in use throughout the world. The NSA, in fact, exploited its vulnerability to intercept cellphone calls in foreign capitals. This exploitation capability was a tightly wrapped secret seven years ago. It was the primary technology, in fact, that the NSA used to identify and track the cellphones of foreign leaders. Many carriers have moved away from the protocol but, so far as I am aware, the SS7 security flaws are still used by intelligence services to monitor cellphones remotely.
The government won't say today what the status of its investigations are, and I can think of a number of reasons why. For one thing, I'm sure the FBI uses all the same exploitation technology to collect against foreign intelligence operatives inside Washington, D.C.
But that sort of counterintelligence collection raises a legal question. Let's say that, in the course of gathering the "full take" inside the U.S., some foreign intelligence agency unwittingly blurped up because their covert communications capacities were compromised. And let's say that virtually every conversation was wholly domestic — that is, the caller was a U.S. citizen and the recipient was a U.S. citizen. It's a reasonable assumption. But it also means that the FBI can't legally listen to the call, especially if they have a reason to believe it's entirely domestic. A FISA order would be required on one of the subjects at a minimum. It is not clear how the NSA and the FBI treat the content that they wittingly intercept from unwitting foreign intelligence services operating in the United States. We don't know. The agencies won't say.
Legally, the FBI would not even be able to store the content of conversations that American citizens had on cellphones that were either trapped by foreign intelligence services unless it helped them identify some other flaw in the arcane area of national security communication protocols. In the same way, the NSA contends that it can collect certain encrypted messages if it believes that the encryption was enabled for the purposes of defeating intelligence and national security equities.
Seeing just one part of the picture instantiates a natural curiosity to want to know more. Police use of Stingray devices is a problem we know about. But the extent of intelligence and counterintelligence exploitation of the same devices in Washington, D.C., are opaque. And since the government now admits that lots of sensitive data is being swept up by rogue actors inside the United States, we need to demand more answers.