- FIB TO USA, VEY SECURITY CLASSIFICATION NSA STAFF PROCESSING FORM TO EXREG CONTROL NUMBER KCC CONTROL SIGINT DIR 2012-704 8353?1 13-11 THRU ACTION EXREG SUSPENSE SUBJECT APPROVAL KCC SUSPENSE IGN RE SSO's Support to the FBI for Implementation of [j 3 Am ELEMENT SUSPENSE their Cyber FISA Orders CI V2. V3. V07 SUMMARY RECOMMENDATION: Approve the provision of the assistance to FBI, with the proviso that the FBI remains responsible for any additional expenses incurred. PURPOSE: To obtain the SIGINT Director's approval for the Of?ce of Special Source Operations to provide ongoing technical assistance to the Federal Bureau of Investigation (FBI) for the implementation of the various orders they have obtained, and will obtain, from the Foreign Intelligence Surveillance Court (FISC) in certain ber cases invol?vin a cuts of forei powers (cg. - soon, The preparation of this Staff Processing Form was a collaborative-effort between 880 and the NSA Of?ce of General Counsel (OGC). BACKGROUND: On December 20, 2011, NSA received a request for technical assistance from the FBI seeking access to infrastructure established by NSA for collection of foreign intelligence from US telecommunications providers. The FISC has issued a number of orders at the request of the FBI authorizing electronic surveillance directed at communications related to computer intrusions being conducted by foreign powers. The orders include some that are limited to pen register/trap and trace (PRTT) information as well as others that authorize collection of. content. The ?rst of these for which NSA assistance has been requested is directed at communications related to intrusions conducted by the? (Docket Number 11-91), regarding what FBI refers to as STYGIAN FLOW. In mid?2011, prior to receipt of the request for technical assistance, 880 became aware of plans to seek these orders and has been in discussions with FBI throughout the latter half of the year, in the belief that use of NSA's collection/processing infrastructure would allow the FBI to COORDINATIONIAPPROVAL NAME AND DATE NAME AND DATE OFFICE OFFICE OGC 3037?. ?f S3 i?eZO'x?Z NTOC ORIGINATOR ?a s3ss M:2011.12.210i:qz:m ?1600' FORM AS79605 REV NOV 200 ersedes A6796 FEB 05 which is obsolete mwm?aw 3< up sscunm CLASSIFICATION Derived From: Manna! 1?52 Dated; a January 2007 TO USA, VEY Dectassify On: 20320108 SV POC 20111221 TO USA, FVEY sacumrv Page 2 of 4: CATS 2012-704 TO USA, FVEY) SSO's Support to the FBI for Implementation of their Cyber FISA Orders maximize the value of the collection without incurring the expenses associated with duplication of that infrastructure. Although FBI conducts numerous electronic surveillances without assistance, the vast majority of them are directed against targets located inside the United States, and U.S. providers served with ISC orders are ordinarily able to identify and deliver to the FBI most, if not all, of the targets' communications that they carry. That is because such electronic surveillance is typically effected at a point or points in the provider?s infrastructure in physical proximity to the target's location. In the case of computer intrusions being conducted by foreign powers, the providers may be carrying a target's communications, but it is much more dif?cult to identify and locate them, because the communications in question will enter and leave the United States via any convenient path, and their path may be obscured to avoid detection. In other words, in these cases, because the target's location is outside the United Statues and not well-characterized, effecting the surveillance via traditional means is not effective. However, in support of FAA and in anticipation of the need to conduct similar collection activities for computer network defense purposes, over the last decade, NSA has expended a signi?cant amount of resources to create collection/processing capabilities at many of the chokepoints operated by U.S. providers through which international communications enter and leave the United States. Collection at such chokepoints is much better suited to electronic surveillance directed at targets located outside the United States than BI's traditional means of collection. In theory, FBI could rely on the orders it has obtained to direct U.S. providers to conduct surveillance at these chokepoints without relying on NSA capabilities, but it would take a considerable amount of time to do so, and FBI would have to reimburse the providers to recreate duplicate) what NSA has already put in place. The cost alone would be prohibitive, and the time lost in doing so would necessarily result in a loss of foreign intelligence. The assistance being sought by the FBI is limited in nature. The U.S. providers served with Secondary Orders in this matter will assume full responsibility for the provisioning of and content collection to the FBI. Since all of the authorized "facilities" (typically known as "targeted selectors" in NSA parlance) to date are Internet Protocol (IP) addresses used by the targets, there is no question as to the providers' abilities to employ devices under their control routers) to provision fully-compliant, authorized intercept. Neither the previders nor the FBI will require NSA's Government off the Shelf (GOTS) Digital Network Intelligence (DNI) collection and processing solutions TURMOIL, XKEYSCORE). Instead, metadata and full content derived from the authorized intercept will be produced using Commercial off the Shelf (COTS) processing solutions. If these COTS processing solutions involve components developed at expense and used, primarily, for NSA's Cyber survey purposes, the 830 will make care?il and informed decisions prior to authorizing use of these components. TO USA, VEY SECURITY CLASSIFICATION TO USA, FVEY secum'rv CLASSIFICATION Page 3 of 4: CATS 2012-704 TO USA, FVEY) Support to the FBI for Implementation of their Cyber FISA Orders Prior to authorizing use of the extensive secure Wide Area Networks established at the two primary providers (cover terms, LITHIUM and ARTIF ICE, respectively) as the end-to-end data delivery infrastructure to connect intercept and processing locations with the FBI's designated Cyber data repository at the Engineering Research Facility, Quantico, VA, 880 will make careful and informed decisions to ensure this capability is undertaken on a 100% non-interference basis with NSA's current and future data backhaul needs on these same networks. All data (metadata and/or content) collected under the auspices of these ISC orders will be forwarded securely and directly to the designated FBI repository. The ISC orders do contain a provision, as follows: personnel participating in this joint investigation may have access to raw data prior to minimization." However, access to raw data by NTOC members of the NCIJTF will be facilitated under the purview of the FBI and not through any actions that $80 might take as the collected data passes through NSA's secure Wide Area Networks. Should the BI's cyber orders from the ISC be modified in the future to authorize raw data retention by NSA, $80 will coordinate with all cognizant NSA offices Data Governance, OGC, SV) to ensure the proper data delivery mechanism is put in place. Should the FBI require a sustained and high-level of dedicated analytical resources cleared, technical manpower) at the providers in order to optimize the collection effectiveness of their and content orders, they will contract for those services directly with the providers. If, on the other hand, the BI's requirement for provider analytical support is more ad hoc and aperiodic in nature during the period of time these orders remain in effect, 880 will make careful and informed decisions prior to authorizing labor charges against the relevant SSO contracts with the providers for these services on behalf of the FBI. Any charges that cannot be justi?ed as necessary for NSA purposes will not be made unless/until FBI agrees to reimburse NSA. DISCUSSION: If SID decides to approve the requested assistance, 830 will assist the FBI in effecting any cyber orders submitted to it after the has veri?ed that each of them contains language permitting NSA's involvement. As stated in Attachment 1, NSA will have the opportunity to review and respond to any proposed use of ISA?derived information from these collections prior to the Attorney General authorizing the use of such information in any criminal proceedings. The assistance 580 is being asked to provide to the FBI will not preclude NSA's SIGINT targeting of these same fully-quali?ed, overseas IP addresses under the auspices of the FISA Continued. . . TO USA, FVEY sa?i'inrv CLASSIFICATION TO USA, FVEY secuam' CLASSIFICATION Page 4 of 4: CATS 2012-704 TO USA, FVEY) Support to the FBI for Implementation of their Cyber FISA Orders The assistanCe 880 is being asked to provide to the FBI will not preclude SIGINT targeting of these same fully-quali?ed, overseas IP addresses under the auspices of the ISA Amendments Act (FAA) of 2008. To the contrary, the relatively recent discovery of these FBI Cyber FISA orders and the countless pages of SIGINT-derived evidence that was cited in the respective Applications to the FISC have already formed the basis for a dialog between OGC and the Department of Justice's National Security Division. (C) DIRECTOR, SIGNALS INTELLIGENCE DECISION: CONCUR: 5g QMAE 5 827??/ 5/ NON-CONCUR: DATE: TO USA, FVEY SECURITY CLASSIFICATION