30 May 2001: Add Neil King's WSJ article and message.
29 May 2001
Date: Sun, 27 May 2001 21:43:45 -0400
From: Dave Emery <die@die.com>
To: Steve Bellovin <smb@research.att.com>
Cc: cryptography@wasabisystems.com
Subject: Re: NSA tapping undersea fibers?
On Wed, May 23, 2001 at 04:08:34PM -0700, Steve Bellovin wrote:
> There's a long, fascinating article [below] in the 23 May Wall Street
Journal
> on how NSA is (allegedly) tapping undersea fiber optic cables.
It's
> not clear that this is feasible, but the article claims that the
> USS Jimmy Carter, a nuclear-powered sub, is undergoing a $1 billion,
> five-year retrofit to equip it to do the taps. The article points
out
> that even if they can tap the cable, there's another problem: making
> sense of that much data.
I think the later argument is just as disengenuous as the late 60's Bell System officials who said exactly the same thing about the open unencrypted microwave radio telephone links of that era. Both those microwave links and the undersea fibers contain highly structured and organized information streams - individual voice channels, T1s, T3s, IP streams, wideband data circuits are not at all difficult to extract from the composite traffic and mapping the layout of the whole river of information is by no means overwhelmingly difficult (and might be aided by quiet help from the carriers or individual employees of the carriers). And the mapping tends to be pretty static over time, or at least to change in predictable ways. Finding and recording the most interesting circuits is by no means an insurmountable task - nor is filtering out most of the stuff that isn't interesting. The only hard problem is if the NSA insists on groveling through absolutely everything sent, but this is true of their problem in general these days and not just special to undersea cables. And clearly the right undersea cables contain an awful lot of useful stuff if you are the NSA...
And given modern high capacity digital storage systems, handling low gigabytes a second is not that difficult either (most current undersea cable systems only transmit between 2.5 and 20 gigabits a second or so). IO bandwidths in large fast servers are of this order or more these days...
The much more interesting problem that gets rather short shrift in the WSJ article is how the real time time critical intercepts get from a submarine hiding in stealth 1200 feet under the ocean to Fort Meade and then to policy makers. Some fraction of the traffic is still interesting after weeks or months when tapes or disks can be flown back to Fort Meade but much more of it is only useful if it is available within seconds or minutes during a crisis and not weeks or months later. Traditional microwave radio and satellite intercepts get back to Fort Meade or the RSOCs in milliseconds but as more and more traffic flows through cables that can only be tapped by hiding billion dollar nuclear submarines a lot of the timeliness of NSA operations goes away.
The IVY BELLS tap technology exmplyed against Soviet analog undersea cables in the 70s allegedly involved hooking up a nuclear radioisotope powered pod with tape recorders in it that was left in place for almost a year between submarine visits to recover the tapes - this would be rather hard to do with the gigabytes per second flowing through a modern fiber cable - there is no (unclassified) recording technology with anything like the storage capacity to record everything or even a significant fraction of everything for that long a period in a form factor that would fit in a pod on the sea floor.
According to published accounts, in the early Reagan years the intelligence community considered running their own fiber cable to the tap site on the Soviet analog cables to recover the data in real time - I imagine that the same thing has been considered as a solution to the current problem of recovering data from undersea fiber taps while it is still fresh enough to be useful. But in general it is a harder problem than actually tapping the cable or dealing with the rivers of data it contains.
--
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0
24 88 C3 18
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
[Thanks to Neil King]
Its Limited Success in Tapping Undersea Cable Illustrates Challenges Facing NSA
Huge Haystack, Few Needles
By Neil King Jr.
Staff Reporter of The Wall Street Journal
WASHINGTON -- For decades, the National Security Agency did most of its spying by plucking information out of thin air. With a global network of listening stations and satellites, the NSA eavesdropped on phone conversations in Saddam Hussein's bunker, snatched Soviet missile-launch secrets and once caught Brezhnev in his limousine chatting about his mistress.
The NSA's task was relatively simple then because most international phone and data traffic moved via satellites or microwave towers. The agency sucked up those signals and sorted through them with supercomputers. Few of its eavesdroppers risked life or limb, and those they spied upon were often none the wiser.
But today the NSA's snooping capabilities are in jeopardy, undermined by advances in telecommunications technology. Much of the information the agency once gleaned from the air waves now travels in the form of light beams through fiber-optic cables crisscrossing continents and ocean floors. That shift has forced the NSA to seek new ways to gather intelligence -- including tapping undersea cables, a technologically daunting, physically dangerous and potentially illegal task.
In the mid-1990s, the NSA installed one such tap, say former intelligence officials familiar with the covert project. Using a special spy submarine, they say, agency personnel descended hundreds of feet into one of the oceans and sliced into a fiber-optic cable. The mixed results of the experiment -- particularly the agency's inability to make sense of the vast flood of data unleashed by the tap -- show that America's pre-eminent spy service has huge challenges to overcome if it hopes to keep from going deaf in the digital age.
Details of the NSA cable-tapping project are sketchy. Individuals who confirm the tap won't specify where or when it occurred. It isn't known whether the cable's operator detected the intrusion, though former NSA officials say they believe it went unnoticed. Nor is it known whether the NSA has attempted other taps since. Efforts to intercept all sorts of signals -- ranging from military radar to international phone calls -- are among the most highly classified U.S. government operations. Leaking information about interception methods is a federal crime punishable by imprisonment.
In an interview, Air Force Lt. Gen. Michael Hayden, the NSA's director, laughed when asked whether the NSA had tapped undersea cables. "I'm not going to sit here and dissuade you from your views," he said. But he suggested that access isn't the problem. Rather, he said, the sheer volume and variety of today's communications means "there's simply too much out there, and it's too hard to understand."
Veterans of the undersea fiber-optic cable business say an undersea tap would strain the limits of technology, and cable operators aren't happy that the NSA may have pulled one off. "We don't believe this is possible, but assuming it was, there's no way we want someone trying to get into our cables," says Frank Denniston, chief technical officer for London-based Flag Telecom Holdings Ltd., one of the half-dozen or so companies that dominate the industry.
"It's our job to keep the data on our cables as safe and secure as possible," Mr. Denniston adds. "Any tap would automatically create a weakness and could bring down the entire system."
Undersea taps would pose tricky legal issues for the agency, too. For example, U.S. law forbids the NSA to intentionally intercept and process the phone calls and e-mails of U.S. citizens without court approval. Such communications make up a sizable slice of undersea cable traffic.
Some outside analysts and U.S. intelligence officials think the NSA should abandon such efforts in favor of more narrowly targeted intelligence-gathering efforts. One intelligence official estimates that tapping all the world's undersea cables, assuming it could be done, would cost more than $2 billion a year. And no one knows whether the NSA will ever have enough computing power to analyze the resulting gusher of digital data.
Even so, the agency has been pushing ahead. At General Dynamics Corp.'s Electric Boat shipyard in Groton, Conn., the Navy is deep into a five-year, $1 billion retrofit of the USS Jimmy Carter, a nuclear-powered vessel that intelligence experts say will be the premier U.S. spy sub when it hits the seas in 2004. Among its many planned features, says one former official familiar with the project: state-of-the-art technology for undersea fiber-optic taps.
The NSA's Lt. Gen. Hayden and Navy officials decline to comment on the USS Jimmy Carter's mission.
In the late 1980s, satellites and microwave towers still carried more than 90% of all international voice and data traffic, including diplomatic cables. Most were easy pickings for the NSA's spy satellites and earthbound listening stations scattered from Japan and Australia to the moors of England. Back then, the agency also found it relatively easy to tap the kind of low-capacity copper lines that carried phone calls across oceans.
All that began to change in 1988, when AT&T Corp. completed the world's first transoceanic fiber-optic cable. Called TAT-8, the cable snaked more than 3,000 miles along the Atlantic floor from New Jersey to Britain. Its two fibers, running through a cable as narrow as a man's wrist, could carry nearly 40,000 phone conversations at once, five times the capacity of the best undersea copper cables and comparable to all the trans-Atlantic voice traffic then handled by satellites.
The first trans-Pacific fiber-optic cable entered service in 1991. A 17,000-mile-long Flag Telecom cable connecting Europe with North Africa, the Middle East, Southeast Asia and Japan came on line in 1997. And Russia and China began laying thousands of miles of fiber, depriving the NSA of entire time zones of once easily accessible transmissions.
The NSA recognized from the start that fiber optics could be a problem. In early 1989, the agency assembled a team of researchers in a small warren of labs at its headquarters in Fort Meade, Md. Other researchers fanned out to corporate research centers to bone up on the new technology. Their mission, according to one former NSA researcher who worked on it, was to find a way to get inside fiber-optic cables and secretly siphon off the data moving through them.
Fiber optics had been touted as the first mode of long-distance communication impervious to eavesdropping. The technology allows thousands of phone calls, faxes, e-mail messages and encrypted data files, translated into beams of light, to travel through a single strand of glass as thin as a human hair. Most undersea cables now typically contain eight such strands, or fibers. Extracting the data inside requires gaining access to those light beams -- in the dark, high-pressure realm of the ocean's depths.
Undersea fiber-optic cables are sheathed in a thick steel husk and buried in a yard-deep trench. But once the water depth exceeds 1,000 feet, they usually are left to run uncovered along the ocean floor. Industry experts believe the NSA tap must have occurred in deep waters far out at sea, where the cable would be exposed and the risks of being seen would be lower. Some cable operators make frequent surveillance flights hundreds of miles from shore, mainly to keep track of fishing boats whose nets or anchors might rip their cables.
Former intelligence officials say the agency made its tap with the help of a customized sub. "It's a submarine capable of bringing a length of cable inside a special chamber, where the men then do the work," while the sub hugs the ocean floor, says one former official. The surface ships used by undersea-cable companies to install and repair cables have similar chambers -- called jointing rooms -- where crews work on the delicate fibers. When repairing a broken cable, cable companies generally lift one end of the rupture to the surface and into the jointing room, splice in a new length of cable, then lift the other end of the rupture and repeat the process.
In 1997, the NSA and the Navy proposed equipping the USS Jimmy Carter with such a chamber, as part of a "special operations" upgrade to the $2.4 billion sub.
Some members of Congress doubted that the cost of the upgrade would be worth the intelligence gains. And, in closed meetings with lawmakers on Capitol Hill, several top intelligence officials in the Clinton administration fought to kill the project. They lost the battle in late 1998, when Congress agreed to enlarge the sub to accommodate what the Navy called "advanced technology for naval special warfare and tactical surveillance." Plans called for the upgrade to include facilities that would enable the NSA to tap undersea cables, people familiar with it say. The Navy declines to discuss details of the retrofit, which is now under way. The vessel's intended mission could have been modified.
Norman Polmar, a naval and intelligence expert, says any undersea tapping probably would be done in a custom-designed chamber that detaches from the sub. "The Navy would not be keen on bringing a high-voltage cable into a submarine," says Mr. Polmar, a part-time consultant to Congress and the Pentagon who has followed the submarine project closely. Moreover, he says, "Having a cable running through a sub for a day or more would tie the sub down in a way that could endanger lives."
He says the Jimmy Carter is meant to have "lock-out capability" to allow divers to leave and enter the sub. Plans also call for special thrusters that will allow the vessel to hover near the ocean floor for long periods, a technology that would enable it to supply oxygen and power to an undersea chamber.
The Jimmy Carter is expected to replace the USS Parche, a Cold War-era sub used extensively to spy on the Soviets. The Parche, set for retirement in 2003, tapped a number of undersea Soviet copper cables during the 1970s and 1980s, according to the 1998 book "Blind Man's Bluff," a history of submarine-based spying written by Sherry Sontag and Christopher Drew. The NSA declines to comment.
The Parche is equipped with a claw-like device to pluck fairly large objects off the ocean floor. The sub used in the NSA tap probably was fitted with a similar system used to lift the cable into the jointing room, which would then have been emptied of water, experts say.
"This wouldn't be any ordinary submarine," says Marc Dodeman, an engineer with Margus Co., of Edison, N.J., a pioneer in undersea-cable installation and repair. "It would have to have some way to take in a cable, while sitting on the ocean floor, without leaking water. That would require some intense engineering."
Technicians fixing a damaged cable usually make such repairs above water and under antiseptic conditions. Dust or seawater in the submerged chamber could ruin an exposed fiber. Making a surreptitious tap of a live cable would also require circumventing the electrical charge -- usually around 10,000 volts -- which is used to power the devices that keep the speeding light beams strong.
"Exposing that electricity to the water, or severing it at all, would shut down the entire system," says Peter Runge, chief of research and development for TyCom Ltd., Morristown, N.J., one of the world's largest submarine cable companies and a majority-owned unit of Tyco International Ltd. The shutdown would defeat the tap and alert the cable operator that something was amiss, adds Mr. Runge, making the odds of success extremely small. TyCom and its rivals say that any interruptions or outages they have experienced were caused by fishermen's nets, anchors -- or, in earlier days, shark bites -- but none of the circumstances suggested tampering.
There are basically two ways to extract light, and thus data, from a fiber: by bending the fiber so that some light radiates through the fiber's thin polymer cladding, and by splicing the fiber, Mr. Runge says. Bending fiber is an imprecise science. The NSA tap probably required splicing a second fiber to each of the fibers, splitting the data into two identical streams.
But that would pose yet another problem. "Splice the line, and you cut off the light, at least momentarily," says Wayne Siddall, an optical engineer at Corning Fiber in Corning, N.Y. Even a second's interruption could be noticed by a cable's operator. Cable companies typically build systems with duplicate lines that take diverging routes, in case one of them is damaged or severed.
One retired NSA optical specialist insists that the NSA devised a way to splice a fiber without being detected. "Getting into fiber is delicate work, but by no means impossible," the former specialist says. Neither he nor the NSA will discuss the matter further.
After the tap had been completed, the hard work of interpreting the data began -- and it proved difficult for the NSA, say those familiar with the project. "What we got was a blast of digital bits, like a fire hydrant spraying you in the face," says one former NSA technician with knowledge of the project. "It was the classic needle-in-the-haystack pursuit, except here the haystack starts out huge and grows by the second," the former technician says. NSA's computers simply weren't equipped to sort through so much data flying at them so fast.
That's not likely to change soon. The NSA long boasted some of the most powerful computers on earth. But the agency's technological edge dulled as the equipment aged and money grew tight. The NSA's budget is classified, but individuals familiar with it say it is about two-thirds what it was a decade ago, even before accounting for inflation.
At the same time, new undersea cables are carrying more and more information. A cable TyCom is laying across the Pacific will have the capacity to carry the equivalent of 100 million phone calls at a time.
Flag Telecom expects to throw the switch on a new trans-Atlantic cable this summer whose eight fibers will have the capacity to move more information than all the cables now crossing the Atlantic. Some computer experts say that the power to digest what will stream through the Flag cable could require a doubling of the NSA's computing power -- and huge costs. The NSA's tapping project, from research to tap, cost hundreds of millions of dollars, individuals familiar with it say.
Yet the NSA's Lt. Gen. Hayden says he isn't discouraged. At the moment, he likes to say, technology is the NSA's enemy. But computing power will allow it to process greater masses of data, which he says he hopes will eventually "allow a single analyst to extract wisdom from vast volumes of raw information."
-v-
From: "Robert Windrem" <rwindrem@home.com>
To: <die@die.com>
Cc: <smb@research.att.com>,
<cryptography@wasabisystems.com>
Subject: tapping
Date: Tue, 29 May 2001 07:07:00 -0400
One key point everyone seems to have missed: more than 90% of the world's submarine cables make landfall at least once on the territory of a UKUSA nation, where tapping is a lot easier, particularly if the owner of the cable is cooperative. And there is plenty of historical evidence to suggest that cooperation has taken place.
For example, much of the trans-Pacific cables' capacity is reserved for pass-through traffic, Asian traffic that is carried across North America and on to Europe, Africa or South America.
As a producer for NBC News, I have always been mystified at all the attention paid to Echelon and the little paid to tapping of submarine cables.