Acknowledgements. I would like to thank David Wagner, John Kelsey, and Bruce Schneier of Counterpane Internet Security, Inc. for their much-seeing eye on encryption algorithms; TheHex for letting me write for the magazine 'Datazine', which can be downloaded at tdcore.com; and everyone at #Cracking4Newbies and #evidence, especially Crkill98, for their cooperation and friendship during the harder times.

Taxonomy of Communications Intelligence (comint).

Cryptography is often considered, particularly by those primarily concerned with security, to be the only serious barrier to communications intelligence. Histories of the field have generally fostered this impression by painting a picture of war between codemakers and codebreakers. In practice, spying on communications is a multi-stage activity in which each stage plays an essential role. It is entirely possible that the cryptanalysis of a message, once the message has been identified and captured, may be less difficult than acquiring and filtering the traffic to locate it. On balance, the greatest problem in communications intelligence--as in most efforts to learn things--is sorting out the information you are after from the information you are not.

The 'sine qua non' of communications intelligence is the acquisition of signals. Without communications in the form of radio waves, electrical currents in wires, written materials, or copied disks and tapes, there can be no work for the cryptographic or intelligence analyst. The interception of communications presents both a strategic and a tactical aspect. Strategically, it is crucial to learn as much as one can about an opponent's communications infrastructure. The first step is to come up with the most precise possible description of the target--what the military call the 'order of battle'. If the target is a country, it may have millions of residents who in turn make millions of phone calls every day.
Most of these calls are not of interest; the people who make them do not work for the government or in critical industries and say little of intelligence value. Describing the target is one of the many areas where 'collateral intelligence'--information from sources other than covert interception of communications--plays a vital role. Most of the information about a country and its government can be learned from open sources, such as phone books, newspapers, histories, and government manuals. Some, however, will come from covert sources such as spies, and some will come from communications intelligence itself.

Once the targets have been precisely identified, it is necessary to discover how they communicate with one another. Are their communications carried by high-frequency radio, by satellite, or by microwave? How accessible the communications are and how they can be acquired is a function of the means chosen. High-frequency radio and satellite transmissions are the most accessible. At the time of World War II, most radio communications, and thus most of what was intercepted, was HF. Such signals bounce back and forth between the ionosphere and the ground and can travel thousands of miles. This property makes intercontinental radio communication possible; at the same time, it makes it essentially impossible to keep HF signals out of the hands of opponents. Today a large fraction of radio communication is carried by satellite. Satellite downlinks typically have 'footprints' thousands of miles across that spread over more than one country. Terrestrial microwave communications are significantly harder to intercept. They travel between towers a few miles or tens of miles apart. Intercept facilities on the ground must generally be located within a few tens of miles of the microwave path and often require facilities in the target country.
In the 1970s and the 1980s, there was a war of words between US and Soviet diplomats over Soviet microwave interception activities from a residence the Soviets maintained at Glen Cove, New York (Broad 1982). As with the organizational structure, a target's communication practices can often be derived from open sources. Since national and international organizations cooperate in allocating the radio spectrum, it is easier to identify the frequencies used for military, police, or air traffic control communications by consulting regulations and standards than by direct spectrum monitoring. The output of the strategic or 'targeting' phase of communications intelligence is a map of the opponent's communications, which will guide the selection of locations, frequencies, and times of day at which monitoring is conducted.

Interception can be conducted from many sorts of platforms: ground stations, aircraft, ships, embassies, covert locations, and orbiting satellites. The United States has several major intercept facilities within its borders and a host of others abroad. Despite attempts to keep these locations secret, many are known, including Menwith Hill in Britain, Alice Springs in Australia, ALERT in Canada, Osburg in Germany, Misawa in Japan, Yakima in Washington, U.S., Sugar Grove in the U.S., Karamürsel in Istanbul, Camp Humphreys in China, Bad Aibling in Austria, Kunia on the Marcus Necker Ridge, and Shemya in the Aleutian Islands.

The Soviet Union made extensive use of small ships as collection platforms. Usually operating under very thin cover as fishing trawlers, these boats carried large antennas and were thought to be making their biggest catch in the electromagnetic spectrum. The United States has been less successful with this approach. In the 1960s it commissioned two ships described as research vessels, the 'Liberty' and the 'Pueblo', for intercept duty.
The 'Liberty' was attacked by the Israelis, for no publicly apparent reason, while supposedly intercepting Arab communications in the Eastern Mediterranean during the Six Day War of 1967. A year later, the 'Pueblo' was captured by the North Koreans. It turned out to have been carrying many top-secret documents for which it had no apparent need, and most of these fell to its captors. As quietly as it had begun, the United States ceased using small ships as collection platforms.

Airborne collection, by comparison, has been an important component of US COMINT for decades. Boeing 707s, under the military designation RC-135, are equipped with antennas and signal-processing equipment. These aircraft can loiter off foreign coasts for hours at a time. Flying at altitudes of 30,000 feet or higher, they can pick up radio transmissions from well inland.

The use of embassies to do intercept work exemplifies the twilight-zone character of intelligence. Despite widespread 'knowledge' that many embassies are engaged in intelligence collection, such activity is a breach of diplomatic etiquette that could result in diplomats being asked to leave the host country if discovered. All the equipment used must therefore be smuggled in or constructed on the spot, and must be made from components small enough to fit inconspicuously in the "diplomatic bag"--a troublesome limitation on the size of antennas. Politics and public relations aside, if an embassy is not suspected of interception, it is likely to be more successful. Mike Frost, a Canadian intelligence officer who spent most of his career intercepting host-country communications from Canadian embassies, reported that the Chinese put up a building to block radio reception at the US embassy in Beijing but failed to protect themselves against the Canadian embassy because they did not realize that it too was engaged in interception (Frost 1994).
Interception can also be conducted from covert locations that do not enjoy the legal protection of diplomatic immunity. Britain operated a covert direction-finding facility in neutral Norway during World War I (Wright 1987, p. 9). In the early 1950s, the CIA established a group known as "Staff D" to carry out interception from covert locations.

One of the most ambitious undertakings in communications intelligence has been the development of intercept satellites, which did not arrive on the scene until roughly a decade after their camera-carrying cousins. Low-altitude satellites are not well suited to intercept work. They are relatively close to the transmitter, which is good, but they are moving quickly relative to the Earth, which is not. No sooner have they acquired a signal than they move on and lose it again, because the source has passed below the horizon. The comparison with communications satellites is interesting. The mainstay of satellite-mediated communications has been satellites in synchronous orbits, 22,500 miles up. Only recently have communications satellites been placed in low orbits. Tens of satellites are required so that as soon as one moves out of range of a transmitter on the ground, another comes close enough to take over. Systems of this kind have the advantage that the satellites and the transmitters are cooperating. A system in which the satellites were attempting continuous coverage of uncooperative targets would be far more complex, and to our knowledge none has been attempted. Because they are in very high orbits, intercept satellites must carry antennas tens or hundreds of feet across. It is difficult to make an antenna of this size light enough to be lifted into synchronous orbit. In addition, the antenna must be launched in a folded configuration, which adds complexity and detracts from reliability. In sum, communications intercept satellites are more complex and expensive than other types.
Because of its huge size and the low population density of much of its territory, the Soviet Union made more extensive use of radio communications than the United States or Western Europe. Most of the territory of the Soviet Union was far north and not conveniently served by synchronous satellites, so the Soviets developed a family of communication satellites, called Molniya, that move in polar orbits. A "Molniya orbit" passes over the Northern Hemisphere at very high altitude and thus moves quite slowly during this part of its journey. Its perigee, in contrast, is low over the Southern Hemisphere, and that part of the trip goes very quickly. The result is that most of the time the satellite "hangs" above the Northern Hemisphere, where it can be used for high-altitude communications. In order to spy on these communications, the US built satellites, called Jumpseat, that move in Molniya orbits. These satellites are in a position to listen both to radio transmissions from the ground and to those from Molniya satellites.

Communications intelligence depends for its success on tactical as well as strategic elements. When an intercept station has been put in the right location, operates at the right time of day, points its antenna in the right direction, and tunes its radio to the right frequencies, it is rewarded with a flood of traffic too large to record, let alone analyze. The process of examining intercepted traffic to determine what is to be retained and what is not may be as "simple" as detecting which channels within a trunk are active or as complex as recognizing the topic of a conversation. Typical selection processes include active channel detection, called and calling number identification, speaker identification, keyword spotting (in either text or voice), fax recognition, and semantic information processing. The difficulty of locating and isolating just the right messages is an intrinsic consequence of the volume of traffic in modern communications.
Communications intercept equipment must decide in a fraction of a second whether to record a message it has detected or to permit the message to escape. Often it must make the decision to record communications of which it has only one part. If, for example, the two directions of a telephone call are carried on separate facilities, an individual intercept point may have access to only one side of the conversation. Although the entire call may in fact be recorded, so that both sides of the conversation will ultimately be available to an analyst, it will be recorded by two devices acting independently. Should either fail to detect that the call is of interest, and therefore fail to record it, the utility of the other component will be vastly reduced.

The problem of identifying traffic of interest among all possible traffic is the problem of 'search'. Communications are organized at many levels. The entities communicating have addresses--in radio these are called 'call signs' (commonly known, in the case of commercial stations, as 'call letters'); in the case of telephones they are telephone numbers; in the case of computer networks, they are IP addresses, email addresses, URLs, etc. Messages follow 'routes', which in turn are made up of 'links' or 'hops' on 'trunks'. Within an individual trunk, messages are 'multiplexed' into channels, which make up the trunk much as lanes make up a road.

At the lowest level, intercept equipment sits and looks through the space in which messages might be found. At each frequency, or time slot, or code pattern, it listens to see if there is any traffic at all. It may well be the case that most of the channels in a trunk are inactive most of the time. When intercept equipment detects an active channel, it must decide whether to record what it finds there. This depends on 'diagnosis': characterization of the form and the significance of the signal that has been found.
If the channel is a telephone channel, for example, the likely possibilities are voice, fax, and data. The intercept device must try to decide what it is hearing and may then discriminate more carefully depending on the category. The first step will usually be to listen for dial pulses or touch tones and attempt to determine what number is calling and what number is being called. If the call is voice, the device may attempt to determine what language is in use, or even listen for keywords. If the call is fax, it may try to determine whether the transmission is text or pictures. If the call carries data, it will attempt to determine what type of modem is in use and what codes (ASCII, Baudot, EBCDIC) or data formats are present. When text is detected, the equipment may go further and apply semantic processing to determine the subject of the message, in much the same way that a search engine tries to locate a topic of interest on the World Wide Web.

One strategy followed by many pieces of intercept equipment should be a caution to anyone using cryptography: if an intercepted message is found to be encrypted, it is automatically recorded. This is possible because at present only a small fraction of the world's communications are encrypted. The first lesson to be drawn from this is that if you encrypt something you had better do it well; otherwise you will only succeed in drawing attention to yourself. The second is that as the use of cryptography increases, the privacy of everyone's traffic benefits.

Once traffic has been diagnosed as interesting, it will be recorded. This is not as simple as it sounds. Typically a signal can be recorded in several different formats, depending on how well it has been understood. It is always possible to make a recording of the waveform being received, but this may turn out to be much bulkier than the message it encodes.
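The 'diagnosis' step and the "record anything encrypted" rule have a defensive corollary: a cipher whose output keeps the statistical structure of the plaintext is both flagged as interesting and easy to break, so anyone deploying encryption should check that their own output is indistinguishable from noise. The following is an added example of mine, not code from the original article. It applies the kind of coarse statistical tests such a diagnosis relies on to three constructed samples: a plaintext, the same text under a single-byte XOR 'cipher' (which leaves the byte-frequency profile intact), and a SHA-256 counter stream standing in for the output of a sound cipher. The entropy and chi-square thresholds are heuristic assumptions made for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample plaintext (not from the article); repeated so the
# byte statistics have enough material to work with.
PLAINTEXT = (b"Meeting moved to 14:00 in room 312. Bring the quarterly figures "
             b"and the revised budget. Reply only if you cannot attend.\n") * 32

# Stand-in for the output of a sound cipher: a SHA-256 counter stream. This is
# NOT encryption, only a deterministic source of bytes with no usable structure.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                           for i in range(128))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling, reached by uniform random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution
    over 256 symbols. Random-looking data scores near 255 (the degrees of
    freedom); anything with structure scores far higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def weak_xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR, a deliberately weak 'cipher': it only permutes byte
    values, so the plaintext's frequency profile (and its entropy) survives."""
    return bytes(b ^ key for b in data)


def diagnose(data: bytes) -> str:
    """Coarse diagnosis in the spirit of the article's intercept-equipment step.
    The thresholds (95% printable, entropy 7.5, chi-square twice the degrees of
    freedom) are heuristic assumptions for this example."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t") / len(data)
    if printable > 0.95:
        return "text"
    if shannon_entropy(data) > 7.5 and chi_square_uniform(data) < 2 * 255:
        return "encrypted"      # indistinguishable from noise by these tests
    return "structured"         # scrambled but leaks statistics: flagged AND weak


if __name__ == "__main__":
    for label, sample in [("plaintext", PLAINTEXT),
                          ("single-byte xor", weak_xor(PLAINTEXT, 0xA5)),
                          ("cipher-like stream", CIPHERTEXT_LIKE)]:
        print(f"{label:20s} entropy={shannon_entropy(sample):.2f} "
              f"chi2={chi_square_uniform(sample):8.1f} -> {diagnose(sample)}")
```

The XOR sample has exactly the same entropy as the plaintext and a chi-square score far above anything random; it is the worst of both worlds described in the text, since it is flagged as scrambled and still carries every statistic a cryptanalyst needs.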
For example, recording a modem signal carrying 2400 bits per second of information (about 240 characters a second), without demodulating it, uses the 48-kilobyte-per-second capacity of a digital audio tape. A direct recording of the signal is thus 20 times the size of the message it contains.

Neither diagnosis, nor recording, nor any form of analysis that may be done on an intercepted signal can be separated from 'signal processing'--the study of the signal by mathematical and computational means. Digital signal processing (one of the fastest-growing areas in computing) is revolutionizing communications. The availability of $100 modems is a consequence of the availability of signal-processing chips costing a few dollars apiece. Demodulating modem signals (which accounts for most of the signal processing in data interception) is far harder for an intercept device than for the modems used by the sender and the receiver. Present-day modems go through a period of training at the beginning of a call, during which they study the communications path and "discuss" how best to make use of it. Even if the intercept device is listening to this "conversation", it cannot transmit without revealing its presence, and thus it cannot engage in the negotiations. The signal quality available to the intercept device is therefore rarely as good as that available to the communicating modems.

Only after traffic has been located, demodulated, and recorded do we finally get to the most famous process in communications intelligence, the process of breaking codes: cryptanalysis. This document is not the place for a technical discussion of cryptanalysis (check my other papers for more on cryptanalysis); such discussions now abound in both the technical and the historical literature of cryptography. It is, however, the place for a discussion of the process of cryptanalysis.
Most of the public literature, both technical and historical, is devoted to 'research cryptanalysis', the process of breaking codes for the first time. This is naturally an indispensable component of any production cryptanalytic organization, but it does not account for most of its budget or most of its personnel. The object of "codebreaking" is the development of 'methods' that can be applied to intercepted traffic to produce plaintext. In modern cryptanalysis, this is often done entirely by computers, without human intervention. The process of converting ciphertext to plaintext is called 'exploitation'. It follows a process of 'diagnosis' closely related to the more general diagnosis of traffic discussed above.

The heart of a communications intelligence organization, however, is not cryptanalysis but 'traffic analysis'--the study of the overall characteristics (length, timing, addressing, frequencies, modulation, etc.) of communications. Traffic analysis by itself provides a broad picture of the activities of communicating organizations (Wright 1987). Moreover, it is essential to assessing the signaling plan, the traffic patterns, and the relationships among communicating entities. Elaborate databases of observed traffic (Hersh 1986, pp. 258-259) underlie all comint activities.

A last operational point that bedevils communications intelligence is 'retention'--the preservation of intercepted signals for short or long periods of time until they can be processed, cryptanalyzed, interpreted, or used. As we have noted, storing a signal that the holder is unable to restore to its original form typically takes far more memory than storing an understandable signal. This is justified because enciphered messages can be of value even if they are first read only months or years after they were originally sent. During World War II, Allied cryptanalysts were sometimes weeks or even months behind on some classes of traffic (Welchman 1982).
Some signals intercepted during the Cuban missile crisis of 1962 were not read until two years later (Hersh 1987). In what is probably the granddaddy of ciphertext longevity, Soviet messages sent in the 1940s were still being studied in the 1970s (Wright 1987). Managing the storage of intercepted material is thus a major problem in all signals intelligence activities.

After all of the technical processes characteristic of communications intelligence, the 'product' enters into the part of the process common to information from all intelligence sources: interpretation, evaluation, and dissemination. One process looms larger over comint than over perhaps any other intelligence material: 'sanitization'--removal from the intelligence product of information that would reveal its sources. Sanitization to greater or lesser degrees produces intelligence of varying levels of classification.

Contacting the Author.
Http: I'll make psyops.cjb.net soon.
IRC: #DataCore@Undernet, #r00tAccess@DALnet
E-mail: Psyops@evidence2k.de, psyops@scientist.com
Note: Don't contact me to request a defacement - I will not reply.
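Returning to the 'traffic analysis' step described above (the study of length, timing and addressing rather than content), here is an added example of mine; it is not part of the original article. It runs over constructed call-detail records that contain no call contents at all and recovers the things the text says traffic analysis yields: the hubs of a communicating group, a schedule signature, and a relay pattern between parties. The records, the number format and the 30-minute relay window are assumptions made for the example. The point for a defender is that relationships and routines leak through metadata even when every call is encrypted, which is why metadata deserves protection in its own right.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed call-detail records: (caller, callee, start time, seconds).
# Call contents are deliberately absent; traffic analysis works on metadata alone.
RECORDS = [
    ("555-0100", "555-0101", "2001-03-05 08:02", 45),
    ("555-0100", "555-0102", "2001-03-05 08:05", 60),
    ("555-0100", "555-0103", "2001-03-05 08:09", 30),
    ("555-0103", "555-0104", "2001-03-05 08:20", 120),
    ("555-0100", "555-0101", "2001-03-06 08:01", 50),
    ("555-0100", "555-0102", "2001-03-06 08:04", 55),
    ("555-0100", "555-0103", "2001-03-06 08:10", 35),
    ("555-0103", "555-0104", "2001-03-06 08:25", 90),
    ("555-0105", "555-0106", "2001-03-06 19:30", 600),
    ("555-0100", "555-0101", "2001-03-07 08:03", 40),
    ("555-0100", "555-0102", "2001-03-07 08:06", 70),
    ("555-0100", "555-0103", "2001-03-07 08:08", 25),
    ("555-0103", "555-0104", "2001-03-07 08:22", 100),
]


def parse(records):
    """Turn the text timestamps into datetime objects."""
    return [(a, b, datetime.strptime(t, "%Y-%m-%d %H:%M"), d)
            for a, b, t, d in records]


def contact_graph(records):
    """Undirected 'who talks to whom' graph: number -> set of distinct contacts."""
    graph = defaultdict(set)
    for a, b, _, _ in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def hubs(records, top=2):
    """Numbers with the most distinct contacts: the skeleton of an organization,
    recovered without reading a single message."""
    graph = contact_graph(records)
    return sorted(graph, key=lambda n: (-len(graph[n]), n))[:top]


def schedule_signature(records, number):
    """Dominant hour at which `number` originates calls, and the share of its
    calls that fall in that hour. A routine is itself an identifying signal."""
    hours = Counter(t.hour for a, _, t, _ in parse(records) if a == number)
    if not hours:
        return None
    hour, n = hours.most_common(1)[0]
    return hour, n / sum(hours.values())


def relay_chains(records, within_minutes=30):
    """Count (A calls B, then B calls C within the window) sequences. A chain
    that repeats day after day suggests B passes A's messages onward."""
    calls = sorted(parse(records), key=lambda r: r[2])
    chains = Counter()
    for a, b, t1, _ in calls:
        for c, d, t2, _ in calls:
            gap = (t2 - t1).total_seconds()
            if c == b and d != a and 0 < gap <= within_minutes * 60:
                chains[(a, b, d)] += 1
    return chains


if __name__ == "__main__":
    print("hubs:", hubs(RECORDS))
    print("schedule of 555-0100:", schedule_signature(RECORDS, "555-0100"))
    for chain, n in relay_chains(RECORDS).items():
        print("relay chain", " -> ".join(chain), "seen", n, "times")
```

On these records the analysis identifies 555-0100 as the hub, shows that all of its calls go out in the 08:00 hour, and finds the same three-party relay (0100 to 0103, then 0103 to 0104 within the window) on each of the three days; none of this required knowing what was said.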