CNO LEGAL AUTHORITIES

Office of General Counsel

 

Ob'ectives for Toda?s Brief

Overview of SIGINT law

Overview of Information Assurance Law

What d0 1 need to know?

How do 1 apply this Stuff to what I?m
doing?

 

 llelpful Questions

What authorities are being used to collect the
information that I?m looking at?

Where is this information being collected?
SIGINT platforms? Tutelage sensors? ?Collateral Source?

Who will receive access to the collected information?

What retention and dissemination restrictions apply to
the collected information
(9.9., SIGINT Procedures, Service Provider Rules, eta)?

 

The Imortance of ?Purose?

The urose governs the restrictions imposed upon the collection.

 

If they get nothing else out of the briefing, they need to know and remember
that SIGINT is collected for (F I) purposes and they must apply the
SIGINT (Fl) rules (PISA and USSID SP0018) to all raw SIGINT and 
collection is done for system/data security purposes and they must apply (for
now, though IAD is coming up with their own procedures like USSID 18) DOB
regulation 5240.1-R and the rules to stay within the Wiretap Act Service
Provider exception. COMSEC collection by JCMA is typically done for
security purposes and follows National Telecomms and Info Systems Security
Directive (NTISSD) 600.

(U) Key Authorities Restrictions

Linited States Constitution

Lxecutive Order 13333, lntelligence Activities?
Intellieence Directive ?Signals intelligence?
National Security Directive 43, ?National Policy for the
Security 01 National Security Telecommunications 
lnlormation Systems?

l?itle ol the ()mnihus (Irime (jontrol Act ltitu??, as

amended by the Electronic Communications Privacy Act of

1986 (18 U.S.C Sections 2511-2521, 2701-2711) ?Federal
Wiretap Act?

l-?oreigtt Intelligence Stu?yeillance (PISA) as amended by
the FISA Amendments Act (FAA)

()ther l-?ederal [ans

DOD Regulation 5240.1-R and SP0018

 

(NTOC and ANO) were not given any additional authorities. The
idea is to use the same authorities more effectively and take advantage of the
same expertise (analytical and technical) that is used to defend and exploit.

(U) US. Constitution

Article 11 (Power)

?The President shall be Commander in
Chief of the Army and and
conducts foreign affairs.

 

Article II power not unlimited.

(U) Executive Order 12333

?United States intelligence Acthities," dated December 4, 1981(as
amended by EU. 1328-1 2003 13355 2004 and 13-170 2008

SECDEF. in cm3rdination with DNI.
is executive agent for SIGINT. See Section 1.10( 

DIRNSA is the functional mana<1 er l'or SIGINT.

See Section 

DIRNSA is the National for National Securitv Svstems and is
responsible to SECDEF and DNI. See Section 

No other department or agency may conduct signals

intelligence activities, except as otherwise deleated the SECDEF,
after coordination with DNI. See Section 

Collection done in accordance with procedures approved by the Attomev
General. See Section 2.4. 18

Assist Law Enforcement and other Civil See Section 2.6.

 

The collection done by electronic surveillance and using
monitoring devices, requires procedures. Procedures established by the head of
the IC element and approved by the AG, after consultation with the DN I must
protect constitutional and other legal rights and limit use to lawful
governmental purposes.

Assist LE and other Civil authorities. has procedures in place to
provide assistance. These procedures provide protection of SA resources,
equities, sources and methods.

Differentiate Reporting for lead purposes and use for LE. For instance,
disseminate SIGINT to FBI re the fact that a foreign intruder is in a US system;
FBI may start their own investigation (which could start as a 
investigation because believe to be foreign before turning to a criminal
investigation.)

**If the SIGINT system incidentally collected a US hacker conducting
intrusion activities, give to OGC who will have to report a potential violation
of US law (The Computer Fraud and Abuse Act.) Also, SIGINT must avoid
any further collection of that US person hacker**

From IAD side, can provide threat reports or OGC can report a violation units of the military for investigation if an intrusion is seen in
the systems. IAD could not assist without a request for technical
assistance (and a warrant from the units) if a specific system user
is under investigation.

Authorit to conduct CNE

(5) E0 12333 assigns NSA the Signals lntelligence 
Mission, which includes COMINT and in turn CNE.

(U) CNE evolved as a natural transition of the foreign intelligence
collection mission of SIGINT. As communications moved from telex
to computers and switches, NSA pursued those same communications.

(U) 2 type of CNE activities:

(U) Collection Activities? designed to acquire foreign intelligence
information from the target computer system.

(S) Enablin Activitie?? designed to obtain or facilitate access to
the target computer system for possible later CNA, or force use of
alternate communication systems.

 

CNE has evolved as a natural transition of the foreign intelligence collection
mission of SIGINT. COMINT mission includes CNE.

Two types of CNE activities: the collection of 1, CI, SMO information and
enabling activities that allow access. Collections activities are those designed
to acquire foreign intelligence information from the target computer system and
enabling activities are those activities designed to obtain or facilitate access to
the target computer system.

Constitution
Fourth Amendment
The right of the people to be secure in their

ersons houses a ers ande ects a ainst
unreasonable searches and seizures, shall not

be violated, and no warrants shall issue,
but upon probable cause, supported by Oath
or affirmation, and particularly describing the

place to be searched and the persons or things
to be seized.

 

Applies to SID and IAD. Purpose is to protect USPS from unreasonable
searches and seizures by the U36 and employees, contractors and
military or Agents of the Government. Can go over the fact that in ones
personal life, a person can do whatever s/he likes unless there is a law against
it. In contrast, the U56 is only allowed to do what it is authorized to do.

Supreme Court Cases

Olmstead v. US.
(1928)

Katz v. US.



Prior to ?67, Gov could surveil/intercept comms as long as didn?t make
physical intrusion into constitutionally protected area home)

Describe cases.

 

10

Electronic Surveillance

Supreme Court rules ELSUR is a

search and seizure under the 4th Amendment to the US.
Constitution. . Depending 

How it?s done.
Where it?s done.

Aiainst whom it?s done.
Wh it?s done.

 

11

Electronic Surveillance
History

Privacy rights developed in case law

Court determines electronic surveillance is a
search and seizure under the 

Amendment

Statute passed in 1968 (Ominibus Crimes
Control and Safe Streets Act?the
Wiretap Act)

Scope

Purpose was to give LE procedures to allow
Electronic Surveillance for Law Enforcement
purposes

 

Congress also knew intelligence agencies and government required to do ES
for F1 and Comsec purposes. Service providers needed to do surveillance of
their own systems. More exceptions written into the law.

(U) Federal Wiretap Act

Crime to intentionally intercept or endeavor to intercept or procure
any other person to intercept any wire, oral, or electronic
communication.

Crime to intentionally use or disclose or endeavor to use or
disclose to any other person the contents of any wire, oral, or
electronic communication 11? they know or have reason to know
that the interception violated federal law.

Fed statute starts by saying it is illegal.

 

13

(U) WIRETAP EXCEPTIONS

Interception fo_rl'oreign intelligence mses
permissible if conducted in accordance with Foreiin
Intelliience Surveillance Act and/or other applicable
procedures.

Interception with prior consent of one 

interceted communication is OK under federal statute
but be aware of state two?party consent statutes if acting
in private capacity.

 

-Will talk about the FI exception when briefing SIGINT rules

-Consent?for IA and F1. Scope of consent matters. Drives expectation of privacy. (But
see Long case.) Also, the system consent banners do n_0t mean that there is
consent for NSA SIGINT to stan looking at systems for I purposes. 
SIGINT consent BEFORE tasking any US identifier, to include DOD, as a single
selector for SIGINT system SIGINT consent is two fold: 1. the actual
consent, and 2. approval of the purpose of the consensual SIGINT
collection by 

For Soaring Eagle, NSA has SIGINT consent from STRATCOM Commander for the
DOD NIPRNET and SIPRNET systems and data. NSA has SIGINT consent from
DIA for JWICS systems and data.

Service Providers?providers need to see if email got to the right place. Make sure
bandwidth being used properly, not being stolen etc. Are limited to purpose. Once a
target is identified and there is another purpose C1 or LE) talk to OGC.

Trespassers-used when a service provider asks another service provider for
information on an intruder one hop out. Can View trespasser info for LE, intel, system
protect purposes. 4 requirements: need system owner permission; act under color of
law; only trespasser?s comms, not legit user; stop when investigation purpose done.

14

(U) WIRETAP EXCEPTIONS

CCWISEC Monitoring by US Government personnel is
permissible if conducted in accordance with Attorney
General-approved procedures (see NTIS SD No. 600).

Service uroxs?iders may intercept or monitor
communications on their systems
1) to ensure the systems are functioning properly or

2) to protect their rights or property in their systems.



 

-Will talk about the FI exception when briefing SIGINT rules

-Consent?for IA and F1. Scope of consent matters. Drives expectation of privacy. (But
see Long case.) Also, the system consent banners do n_ot mean that there is
consent for NSA SIGINT to Stan looking at systems for I purposes. 
SIGINT consent BEFORE tasking any US identifier, to include DOD, as a single
selector for SIGINT system SIGINT consent is two fold: 1. the actual
consent, and 2. approval of the purpose of the consensual SIGINT
collection by 

For Soaring Eagle, NSA has SIGINT consent from STRATCOM Commander for the
DOD NIPRNET and SIPRNET systems and data. NSA has SIGINT consent from
DIA for JWICS systems and data.

Service Providers?providers need to see if email got to the right place. Make sure
bandwidth being used properly, not being stolen etc. Are limited to purpose. Once a
target is identified and there is another purpose C1 or LE) talk to OGC.

Trespassers-used when a service provider asks another service provider for
information on an intruder one hop out. Can View trespasser info for LE, intel, system
protect purposes. 4 requirements: need system owner permission; act under color of
law; only trespasser?s comms, not legit user; stop when investigation purpose done.

15

Other Federal Laws

Computer Fraud and Abuse Act
Illegal to obtain unautltot'i/cd at ms or tint/tor i/cd tit 
to am prom lt'tl oinputt't'.
Does not apply ifgenerally available to the public using legitimate
kno wl edge/"t ool  ervi ces.
If going beyond what is publicly available, it is considered CNE
and USSID DA3655 and all SIGINT rules apply.

ix ll cue/Mimi 
similar to luu'.

Includes non-communications data.

non-attribution. covered accounts are for open source
research. not CNE (NSA Policy 6-6) Eliciting in/brination 
disclosure o/?gov affiliation is not allowed.

mission?related research at home is an OPSE concern

 

-Line between open source and unauthorized access a fine one sometimes.
E.g. facebook pages only available to friends and family are not publicly
available etc. Can also use an analogy-if don?t lock door, doesn?t mean it is an
invitation for intruders to come in. If a default password is being used by a
less than competent Admin type, it still would not be publicly available.

-Be aware if using info only gained from SIGINT or other special collection
to access/monitor US systems, often will not be publicly available.

-If going beyond authorized access for I purpose, SIGINT rules, to include
ISA law, and TAO USSID applies. F4, monitoring device on computers in
the U.S. applies.

-If doing stuff at home, outside the scope of employment, may be subject to
the federal law (no exceptions apply.

-N SA was granted authority from the President to collect not only COMINT
but any other data at rest on a foreign target computer while conducting out
CNE missions. (Also have a delegation from SECDEF for room audio and
video.)

-Open source policy: Eliciting info while under cover has undisclosed
participation issues and Privacy Act issues; even some open source research is
not done from home for opsec concerns. Have uncovered and covered
accounts for publicly available info research.

16

Intel Community History

Church/Pike Commissions investigate
Intelligence Community

Abuses of power found

 

Describe Shamrock, Watchlisting, narcotics collection.

Computer Security Act ?87. E0 12333 gave DIRN SA the comsec mission for
the fed government. Congress concerned that an intel agency had authority
over traditional civilian agencies (with personal information like the social
security administration, the IRS etc) so Congress passed the CSA and gave
the developing standards and guidelines for the security of non-national
security systems to Commerce?s National Institute of Standards and
Technology (N IST). Gave SA authority over national security systems.

17

SICINI
Congressional Inquiries into the IC
Committees Found

51 GIN information TO, FROM, and
ABOUT US. Citizens was:

Improperly Collected

Improperly Retained

Improperly Disseminated

Look at USSID SP0018. There is a section on Collection, retention,
dissemination. If in compliance with USSID, are in compliance with 
amendment in each of these activities.

 

18

Committee Findins and Results of
lnvestiations

Termination of illegal
collection activities

Executive Order requiring the
establishment of procedures
relating to US. person
information

Greater Executive and
Legislative Oversight

 

19

Congressional/Executive
Response to IC Abuses

Federal Law Foreign Intelligence
Surveillance Act

EO. 12333
Intelligence Activities

Executive Order

Dod 5240.1-R and USSID
Regulations and Sp0018

. . 
Procedure-5 Minimization Procedures

ISA only applies to the collection.

rules incorporated into USSID SP0018 which is supposed to be the
working document.

 

20

Core SIGINT authority From
E0 12333

0 to collect, process, analyze, produce, ana
disseminate signals intelligence
information and data to support national
and departmental missions and for:

- foreign intelligence:

-counterintelligence.? or

- the conduct of military operations.

 

All the front end selectors and queries on SIGINT raw traffic databases are
based on requirements given to SA by DNI or secdef. The
National Intelligence Priorities Framework. SIGINT committee validates the
requirements. Info Needs from customers based on SIGINT
requirements and clarify the broader SIGINT requirements.

Change in the ED. 12333 allows the IC agencies to take into account the
responsibilities and requirements of State, local, and tribal governments and,
as appropriate, private sector entities, when undertaking the collection and
dissemination of information and intelligence to protect the US. See Section

1.1(f)

This probably applies to both SIGINT and IA information but
SA would still not typically disseminate directly to those entities, due to
classification law and requirements and protection of sources and methods
(mainly from the SIGINT side). A cut-out fed gov agency can help sanitize
the information. Sanitization is different than the ?minimization? procedures
that are required. The latter is for protection of sources and methods, the latter
for protection of USP information privacy rights.

21

SIGINT Taretin/Collection

NSA has "core" authority to
intentionally target the following:

Persons,
who are located overseas,

(C) for the purpose of collecting
Foreign intelligence,
Counter Intelligence and
Support to Military Operations information (Fl
purposes).

 

22

REMEMBER if it?s SIGINT
rules/procedures: USSID SP0018

Purpose is to balance . . .
The Government?s need [or foreign intelligence information
with
Individual Privacy Rights

In a way that is . . .Speei/ie enough to be useful
But not so spet'i/it? so that each new technology
renders it obsolete

 

23

SIGINT Targeting Specific Communicants
USSID SP0018 Section 4

The Four Rules

Foreign Persons outside the US 
interest fair game

No Foreign Persons in the US. (unless
diplomatically-immune and using passive
collection) must have Attorney General approval

No US. Persons in the US. without a Court Order

No US. Persons outside the US. without Court
Order

 

It is the communicant that matters. Do you have a foreign communicant overseas? If
you have foreign hacker using a US computer, can develop selection
strategy to collect the foreign hackers comms using a US computer similar to
targeting, for instance, Equipment does not have
expectation of privacy. may use a US IP address in conjunction with a
selector that will collect only the foreign intruder?s comms on, not any legitimate
USP user of, that US computer. May not intentionally target a known USP
communicants in the US.

Contrast: May query on US IP address in for system
protection mission but may n_ot query on a US IP address as straight hit in SIGINT.
Will get legit users of the US computer with that IP address.

Can query/select in the SIGINT collection, foreign IP addresses found in Bluesash.

Same technology looks for intrusion signatures in Bluesash/Tutelage and SIGINT.
Can share technology. masterworks is SIGINT collection technology called
Cynecs when deployed to Bluesash sites. Strickler (Sigint Tickler)/Tickler the
same.)

-If making federated queries, the most restrictive (SIGINT) rules apply. Therefore,
data repositories must keep data sourced so that know what procedures to
apply to the data but also so that can make queries on just
Bluesash/Tutelage (least restrictive), just SIGINT or on both. Keep data sourced
arcsight has the data color coded by source) so that know which
procedures to apply to which data. SIGINT procedures must be applied to SIGINT
data; IA procedures to the 1A data.
24

Targeting Issues

Presumptions

(If no other in/Ormation is available)

In the U.S., then US. person

Outside the U.S., then foreigner

 

E.g. all that is known is that the hacker came from/through a Pakistani ISP.
Presume is foreign.

If all that is known is that the intrusion is from a US ISP, then presume is a
USP.

SIGIN Targeting
Issues

U.S. Person Information
(need additional authority)
(Did not know  Person)

(Legitimate [Oreign target; acquire US.
Person 

REVERSE Target foreign entity to intentionally acquire
U. 5. Person 

 

-No a USP communication without
additional authority.

-If used a presumption, and you find out you have been
communcations to/from/about a USP, then
must stop collection (or get the correct authority), cancel reports, and report in
the IG quarterly.

-Incidental collection, then apply the dissemination procedures.

-Cann0t target a foreign entity just to acquire USP communications. When
targeting the foreign hacker and using a US IP address in conjunction with the
foreign hacker signature, that is not reverse targeting. Your collection is
focused on the foreign hacker communications, what the foreign hacker is
doing and what data the foreign hacker is stealing. There are no legitimate
USP comms and it is impossible to know what or whose data the foreign
hacker is exfiltrating.

26

US Government Communications

Communications to or from any officer or employee
of the US Government, or any state or local
government may not be intentionally intercepted
and must be destroyed upon recognition.

Excmtion to the destruction requirement include
anomalies that reveal a otential vulnerability to US
communications security. Get a destruction waiver
and authority to disseminate the US person
information.

 

If there is no legitimate USG communicant, there is no USG communications.
That is different than collecting a foreign intruder stealing a bunch of USG
information. All that USG information is incidental.

USSID SP0018 5.4.c. and d. Other exceptions include: Significant foreign
intelligence or evidence of a crime or threat of death or serious bodily
harm to any person.

This section also talks about USP to USP communications and US-US
communications destruction requirements.

27

US Government Communications

If a foreign intruder is just using a US computer
and is not communicating, with any legitimate
US Government official or employee, it is not
considered to be US Government
communications; report following dissemination
procedures.

Socially engineered emails to US Government
or officials ARE US Government
communications.

 

Targeting by Subject Matter
USSID SP0018, Section 5

Applies to the use of selection terms to
communications on the
basis of CONTENT, not necessarily on
the basis of the IDENTITY of the
communicants

Covered in the ?Processing? Section of
SP0018

 

E.g. hacker signatures. Hacker signatures pull in a lot. Focus on foreign target
use of intrusion capabilities. Defeat out any USP use of the hacker signature.
Worst thing NT 0C could do is to turn the SIGINT system to collect against a
USP hacker. It is not basically doing surveillance for LE purpose
without warrant. If incidentally collect information on USP hacking into a
protected computer, this is a violation of law that should be reported to DL
violations for OGC to refer. Do not want to see any/many of these.

29

Targeting by Subject Matter
USSID SP0018, Section 5

No selection terms that are reasonably likely
to intercept or have intercepted
US. person communications
UNLESS

there is reason to believe that

Foreign Intelligence will be obtained

 

3O

Targeting by Subject Matter
USSID SP0018, Section 5

Selection terms that

have intercepted or are likely to intercept

U.S. Person communications
MUST BE DESIGNED

(to the greatest extent practicable under the
circumstances)

to DEFEAT communications
that do not contain foreign intelligence

Pay attention to what is being collected. SA has a positive responsibility to
defeat out to the extent possible collection of USP comms.

 

31

(S) SIGINT Dissemination Procedures
(USSID SPOO 18, Section 7)

Incidental USP information in valid collection, apply
?minimization? procedures

?Minimization? means, prior to disseminating any
information obtained through collection,
evaluate information for foreign intelligence and decide if
any incidentally acquired US person information is
suitable for dissemination.

The information to, from, or about a USP must be
necessary to understand the F1 or assess its meaning in
order to not minimize.

 

-Can query in Bluesash/Tutelage on IP address seen in SIGINT without it
being a dissemination of the SIGINT raw traffic. If decide to task that US IP
address in Bluesash/Tutelage on the deny list) then it is a dissemination of
a US identity and must get SIGINT dissem approval.

NTOC has upfront dissemination authority for intrusions into .mil/.gov
systems. Need to alert ITF-GNO, DISA, the network owner of intrusions in a
timely manner and the IP addresses intruded into are necessary to
understanding the intell

32

(S) SIGINT Dissemination Procedures
(USSID SP0018, Section 7)

If necessary, include the USP information,
focusing on the Fl, but only disseminate the
actual USP identity with appropriate level

dissemination authority. (.mil)

ldents in is a good source.

 

ACCESS and RETENTION
to Raw Traffic containing USP
information-USSID SP0018, Section 6

5 Years on?line

up to 10 years off-line?historical searches
Retention exceptions determination, tech
data, evaluated data)

E.O. 12333, Section 2.3

Limited to SIGINT droduction Jersonnel
Recognizes intrusiveness of SIGINT

Maintains SIGINT within community of individuals
trained on Amendment Procedures

 

FISA Overview

 

FISA Definitions
U.S. Persons
US. Citizen

Permanent Resident Alien
(Green Card Holder)

Corporations (incorporated in the US.)

Associations (primary membership
composed of US. persons)

U.S. ?agged ships/aircraft definition)

 

36

FISA Definitions
Foreign Power

A foreign government or any component
thereof

A faction ofa foreign nation

An entity openly acknowledged to be
directed or controlled by a foreign
government(s)

A group engaged in international terrorism

A foreign based political organization

 

37

FISA Definitions

An officer or employee of a foreign power

A spy, terrorist, saboteurs, aider/abbettor,
or conspirator

 

e.g. USP hacker not included unless can show state sponsorship. Then get
appropriate approval. If a USP is the hacker, it is a law enforcement issue and
should be referred to OGC.

Other 1 requirements for alien smuggling, narcotics, organized crime, gun
running, money laundering are similar. If a USP was involved, 
could not target unless working for a foreign power or also a spy, terrorist,
saboteur, or aider/abbettor/conspirator.

38

 ISA Restrictions

(S Sl REL) l?ederal Lau Regulates the collection ol loreign
intelligence il it lalls into 1 ol 4 categories ol ?electronic
surveillancez"

1. (F1) Intentional collection of the communications sent by or

intended to be received by a particular, known US. person
who is in the United States.

2. (F2) Wiretaps in the United States.

3. (F3) The acquisition of certain radio communications where
all parties to that communication are located in the United
States.

4. (F4) Installation. and use of a device in the United States for
monitoring ol inlormation in which a person has a
reasonable expectation ol privacy.

 

 

NTOC I believe has a ISA on the?in order to collect-

intrusions into the-network.

 
 

F4 is where CN usually falls. Other devices includes accessing/CNE against
a computer located in the US.

39

FISA Amendment Act (FAA) of 2008
6304

The Amendment Act was signed into law
by President Bush in July 2008.

FAA replaced the Protect America Act (PAA)
(also known as Modernization"). PAA was signed into
law on Sunday, 5 August 2007, amending the FISA act, for a
period of 180 days (until 15 February 2008). PAA Established
a standard and set the stage for FAA.

 

40

FAA

The new FISA Amendments Act (FAA) modified the FISA
to include changes to collection that:

1. falls into categories 2-4 of "electronic surveillance? and the target is a
non-US Person outside the US. (collection off a provider.

2. targets a US. Person

FAA is Title VII of the FISA. It includes:

- targeting non USP outside the US. collection inside the US. with
service provider assistance.

- m. USP outside the US. collection inside the US. with service
provider assistance.

- 704. USP located outside the US. collection outside the US. without
service provider assistance BO. 12333 collection; old 2.5 authority)
- mi, USP with concurrent FISA collection inside the US. (M. i.e. l1
authority) and collection outside the US. without service provider
assistance (705b, i.e. BO. 12333 collection: o d 2.5 authority).

 

FAA section 702, foreign governments certification: NTOC uses the authorit
to tetget hat wete to the?

NTOC wants another 702 certification to target foreign hackers outside the
US for I purposes. Because attribution is hard, just having to prove
foreigness and an I purpose is especially useful to NTOC. However, the
selectors will likely not be the hard/strong selectors Do] is used to.

41

SIGIN Targeting Specific
Communicants

Foreign Persons outside the US. of 
interest Examples:

1. US address used by itself
2. US IP in conjunction with an Intrusion Signature
3. - PKI certificates

 

1. Request to select based on a foreign hacker signature in conjunction with a
DOD military IP address. Nothing seen in SIGINT. The SIGINT system
doesn?t see everything. Collection architecture has to be in place. So,
without asking, analyst put the DOD military IP address in as a straight hit
and obtained hundreds of hits.

2. PKI certificates were compromised. In SIGINT without additional

authority, may look for revoked certificates because no legitimate
person should be usin . Can also look for valid certificates only in
con'unction with theh signatures so will only collect
the?using the certificate (but will not find new uses of-ise
of the certificates.) My not look for expired certificates because the

legitimate person could renew. May not look for valid certificates
without obtaining the person?s consent.

3. Had incidental collection of an* using an army email address
and getting into army systems. May co ect against that army email
address because had evidence that it was being used by a foreign person
outside the US. Reported to the army on the intrusion. Wanted to collect
for a short while to see what the foreign target was doing/after.

Unfortunately, after two weeks, a legitimate army person also started
using that email address. Now we have USG comms.

 

   

42

Information Assurance Legal
Framework

Executive Order 12333 

is the National Mana er for National Securit 
S/stems and is responsible to SECDEF and See
Section 

National Securit I Directive 42, ?National

Policy for the Security of National Security
Telecommunications Information Systems?

Regulation 5240.1-R Governs collection of
USP information by 

 

(U) National Security Directive 42

President designated as the ?National Manager" for
National Security Telecommunications and lnl'ormation?s Systems
Security.

Among other things, directed to assess the overall
security posture of and disseminate inlormation on threats to and
Vulnerabilities oi national securiu sx stems.

Establishes, inter alia, policies and organization to protect national
security systems that process:

- Classified information

- Intelligence activities

- Ct'yptologic activities

- Command and control

- Weapon or weapons svstem

- or intelligence mission. except for systems used for routine
administrative and business applications.

SS includes unclass systems if involved in intel activities, military or intell
missions (includes monitoring because includes
IPRNET.) However, SS does not typically include those systems
supporting National Security Systems: Personnel, financing, accounting
systems typically not 

E.g. Centcorn commander uses electrical power grid of central Florida. Not a
national security system but may look at whether or not has a direct contract
with centcom which can bring them under the SS rubric.

 

44

(U) National Security Directive 42
Continued

Disseminate all?source inlormation on threats to LB national
securitx stems. (NSD-42, 

NSA may monitor l\'SSs ithout a request lor technical
assistance or request lor a \?ttlnerahilitt assessment from the
system owner. Includes requests for monitoring, red teaming, blue
teaming, system forensics.

it above request made ol~ NSA then must have certification from
the system owner that there is a notice and consent policy in place,
ol~ the activity must fit within Service Provider rules and 1A
procedures.

Requester may ptit restrictions on the collection/monitoring,
access, retention, use or dissemination contained in Ground Rules.

Ground Rules are established to between SA and the requester. 
must follow the service provider rules to stay within the exception, 
regulation 52490.1-R AND the Ground Rules for this activity.

being done for JTF-GNO and also Soaring Eagle is strictly under
Service Provider (JCMA still will need a legal cert in order to be legal.)

 

45

(U IA rocedures: Service Provider

rules and Re 5240.1-R
Includes DOD 
NISIRT monitoring

must be
consistent with ensuring system functionality or

furthering the protection of the service provider?s rights
and property in their systems/network.

ls USP information disclosure necessary? 
Retention of USP information limited (90 days per 

Regulation 5240.1-R or in accordance with the agreed
upon Ground Rules.)

 

-N SA is the service provider for SA net and DOD IPRNET 
monitoring per Instructions 0-8530.1 and O-8530.2)

-Disclosure of foreign intrusions to SID is fine under the service provider rules.
All foreign comms intrusions into are suspect and can be disseminated for
SID to help find out attribution, how intrusion works etc.

-Access and dissemination are part of disclosure of the data and must be for
ensuring system functionality/protection of the provider?s rights and property.

-Dod regulation allows collection/retention of USP information that arises out
of a lawful comsec investigation. However, SA must determine that the USP
information fits within that criteria within 90 days.

-**The Ground Rules may have different retention periods.

Oversight and Compliance policy (IAD Management Directive 20)

46

(S) Global Defense of US Networks

0 IA authorities allow NSA to monitor or other national security
systems for indications ol~ inaliciotis activity in response to a request
from the system owner. and disseminate that information iaw
procedures.

The Coin niter Security Act ol? 1987 (as amended by the FISMA)
requires NIST to collaborate with NSA and does not preclude NSA
from providing security support to Federal departments and agencies
outside the national security sector. In a .Vlemorandum ol~
Understanding dated March 1989. NIST and NSA agreed that NSA
could upon request by Federal agencies. their contractors. and other
government-sponsored entities conduct assessments ol? the hostile
intelligence threat to Federal information systems. provide technical
assistance. and recommend products and solutions to secure systems
against the threat.

*1 ?ollon's the IA procedures for technical assistance to other

agencies 

 

-Many players in the CND/cyber security. The difficult managerial task is to
make the respective authorities and monitoring systems work well together
since, to be effective, network defense has to be efficient and timely.

-Tech assist outside SSs-Also Executive Order 12333, which was revised in
July 2008. Sections 2.6(c) and permit SA to provide specialized
equipment, technical knowledge, and assistance of expert personnel for use by
any department or agency and render any other assistance and cooperation to
civil authorities not precluded by law. Any provision of assistance of expert
personnel must be approved in each case by OGC.

47

(S) Global Defense of US Networks

0 National Securit Presidential Directive 54/Homeland Security
Presidential Directive 23 (signed in January 2008) applies to all
Federal Government information systems except national
security systems and information systems.

0 Under an implementation plan signed by the President in
August 2008, NSA is to provide DHS with the same
technological capability that uses to protect 
systems. Because the capability involves classified
information, it constitutes a national security system and
NSA will provide technical assistance to DHS at its request.

 

The Comprehensive National Cybersecurity Initiative (CNCI) also called
the cyber initiative is directed in NSPD 23 and the
implementation plan. DHS is lead and it only covers federal government
systems, not commercial. NSA is just providing technical assistance and
services. Technical services typically refer to the SA will
perform for DHS. NSA may not keep any of the data sent to NSA for
(with the exception of some keys necessary for
services). SA may not monitor .gov communications. If DHS
is going to request technical assistance from NSA to look at .gov traffic,
certain certifications and oversight must be done first. It may be that SA
could detail an analyst to DHS.

PL. 108-458, 118 Stat 3638, 17 December 2004.

48

(S) Global Defense of US Networks

DHS or other federal agencies can use standard service
provider authorities to monitor .goy networks for
indications of malicious activity

Owners or operators of privately owned critical
infrastructure systems can use service provider authorities
to monitor their networks for indications of malicious
activity but no federal agency has been provided general
authority to perform such monitoring for privately owned
networks.

 

(8) Global Defense of US Networks

0 STRATCOM has been delegated CNA and CND-RA
authorin to attack foreign targets that threaten US
interests .

0 SECDEF in Nov 2009 placed Joint Task Force-Global
Network Operations (JTF-CNO) under the operational
control of Commander, CYBERCOM

DIRNSA is now dual hated as Commander CYBERCOM
2010?).

role is not Defensive collection: authorities allow
to monitor foreign systems for indications of foreign L?yhel?
attacks against US systems and disseminate that intelligence based on
requirements.

 

- The officer serving as the Director, Defense Information Systems Agency
(DISA) will continue to serve as Commander of JTF-GNO and will remain
responsible for providing the JTF-GNO network and information assurance
technical assistance as required.

(U) Additional Authorities

is the the Executive Secretary for all DOD, Do], and 1C
tleconlliction regarding computer netuorlx attaclx and exploitation
activities. (Trilateral DOD, Do], and 1C dated April 2007.)

SECDEF designated the officer serving as to be the
(Iommantler, (IYBERCUM (Max 3010)

As directed by Commander. USSTRATCONL CYBERCONI coordinates
the development of. plans for. deconl'licts. and executes
cvber warfare to achieve global militarv objectives

JTF-GNO. OPCON to CYBERCOM. directs the operation and defense
of the Global Information Grid

 

SCEs under and JFCC-NW, esp in TAO ROC conduct CNE so
those on the target networks day in and day out can be assigned to JFCC-NW
for the time necessary to conduct the CNA activities. JFCC-
NW issued memorandum allowing personnel to be detailed to
JFCC-NW for the time necessary to conduct the CNA, then they revert back to
doing CNE. These personnel can conduct CNE while conducting CN A.
Personnel detailed to JFCC-NW get training on the execute order, standing
rules of engagement, and supplemental rules of engagement.

51

 G10bal__D_efense_gf_Ll?MM

0 The Federal Information Securitv lVlanagement Act
FISMA left intact the roles assigned to NIST and
NSA but provides the Office of lVIanagement and
Budget (OMB) an expanded information security
oversight responsibilities over all Executive Branch
departments and agencies. required to set up a
central Federal information security incident center
which is US CERT.

 

FISMA: 44 U.S.C. 3541 et seq., P.L. 107-347, 116 Stat 2899, 25 November
2002.

The Intelligence Reform and Terrorism Prevention Act of 2004[1] required
the President to create an information sharing environment for the sharing of
terrorism information in a manner consistent with national security and civil
liberties. The President was to designate a program manager responsible for
information sharing across the Government who would issue standards,
procedures, and guidelines for the operation of the information sharing system
that are consistent with guidance from the President, OMB, and the DN1.
Today, the program manager is in the Office of the DN1.

52

 Global Defense of US Networks

cont. Agencies with national security systems are
to share information about information security incidents,
threats, and vulnerabilities with US CERT to the extent
consistent with standards and guidelines for such systems

issued in accordance with law and as directed by the
President.

The Homeland Securit/ Act of 2002 gave the SECDHS
wide access to information relating to threats of terrorism
against the United States and to all information concerning
the vulnerability of the infrastructtu?e of the United States,
or other vulnerabilities of the United States, to terrorism.

 

(S) Implementing the PROCEDURES

You are targeting using a

signature in SIGINT. You see that the

put a troj an into the UMD web server. Can you
query using the UMD web server IP address in

Bluesash/Tutelage?

You see in Bluesash/Tutelage that the UMD mail
server sent a troian to the DOD NIPRNET. You
believe it is a Can you task the UMD
mail server IP address in 

 

1. Yes, can look for anything suspicious in the IA data to protect the system.
The initial SIGINT can be disseminated in a report if it satisfies a
requirement. If task the Bluesash/Tutelage deny list, must
obtain dissemination approval.

2. No, not as a direct hit but may use a-signature in conjunction with the
UMD mail server IP address.

3. The collection is valid. The target is a foreign person overseas. No USG
communications because the target is not communicating with a legitimate
USG official or employee or even a legitimate USP. All the exfiltrated data
is incidental. Use dissemination procedures. Because this type of exfiltrated
data potentially can contain so much USP information, OGC advises that
this type of exfiltrated data be segregated from the rest of the SIGINT raw
traffic and is made availabe only to those who have the mission to
collect/report on these types of foreign intrusions. The exfiltrated data does
not contain any Fl other than what is reported in order to understand what
the foreign hacker was seeking, and what the foreign hacker obtained for
damage assessments.

54

(S) Implementing the PROCEDURES

You are targeting an
hacker has implanted a US companv?s commuter
overseas. You are collecting the
exfiltration of information and communications
from that US company?s computer that contains
communications between the US company and a

US Government organization.

Is the collection valid?
Do you have USG communications.
What do you do with the information?

 

1. Yes, can look for anything suspicious in the IA data to protect the system.
The initial SIGINT can be disseminated in a report if it satisfies a
requirement. If task the Bluesash/Tutelage deny list, must
obtain dissemination approval.

  

2. No, not as a direct hit but may use
UMD mail server IP address.

3. The collection is valid. The target is a foreign person overseas. No USG
communications because the target is not communicating with a legitimate
USG official or employee or even a legitimate USP. All the exfiltrated data
is incidental. Use dissemination procedures. Because this type of exfiltrated
data potentially can contain so much USP information, OGC advises that
this type of exfiltrated data be segregated from the rest of the SIGINT raw
traffic and is made availabe only to those who have the mission to
collect/report on these types of foreign intrusions. The exfiltrated data does
not contain any Fl other than what is reported in order to understand what
the foreign hacker was seeking, and what the foreign hacker obtained for
damage assessments.

ignature in conjunction with the

55

 Reporting Conventions

Need to know what data you are working
with.

Need to follow the correct

purpose/procedures for the type of data
collected. If reporting both and IA
information, must follow both rules.

USSID 18 minimization is not sanitization. Policy governs sanitization to
protect sources and methods. Important sometimes when have intrusion
activity.

 

56

 Oversioht Cont liance

'Oversight Compliance is everyone?s responsibility.
'Local management has responsibility to ensure day-to-day activities are
carried out in accordance with applicable law and policy direction.

piotetluies Inust he lot and

dissemination.

li\l) must he lot tollt'ttion it'tt'ntion and
dissemination. Dissemination taking both sets of procedures into account can
be done.

'Contrary to popular belief. it is usually smarter to ask permission first rather
than seek forgiveness later.

i( has personnel to questions.

Refer to USSID SP 0018 and IAD Oversight and Compliance policy, IAD
Management Directive 20.

 

57

 Com ')liance on the NTOC floor

'Personnel from other organizations sit on the NTOC I'loor.
NTOC has signed MoUs with these organizations granting the
personnel ?dual-parent? authority.

'These personnel are working under NSA SIGINT and IA
authorities (as well as their own ?parent? authorities) and max
see the ram trallic. l\o Dissemination Ran trallic back to the
orgaui?atious themselves, must follow dissemination rules.

'The sharable SIGINT raw tral'l'ic does include ran data
derived lroni nor [-81 NBA.

'Any FBI PISA disseminated must retain the FBI PISA caveat
on all lurther disseminations.

 

The idea of the TOC ?oor is to allow all the personnel on the ?oor to be able
to collaborate, indicate what information is relevant to their organizations
mission and facilitate dissemination. However, dissemination back to the
organizations themselves is a dissemination and must follow the dissemination
rules.

58

Questions to REMEMBER

What authorities are being used to collect information
that I?m looking at?

Where is this information being collected?
SIGINT platforms? -Tutelage sensors? ?Collateral source?

Who will receive access to the collected information?

What retention and dissemination restrictions apply to
the collected information

(9.9., SIGINT Procedures, COMSEC Procedures, Service
Provider Rules, eta)?

 

 QUESTIONS 

 

 illance Purposes



Law Enforcement l?oreign Intelligence 10 Service Provider Information

5v stems Admin.

Security 



l{engations

l?ederal Law
US. Constitution 4th Amendment
Electronic Communications Privacy Act
Stored Electronic Communications Privacy Act
(Iomputer I'raud and Abuse Act

l'oreign Intelligence Surveillance Act

Many federal laws in this area because of information privacy rights.

Must follow the procedures that apply to the purpose. If mix purposes and
procedures, may find themselves outside one of the exceptions to the federal
laws.

[SECPA-diminished Expectation of Privacy but still need supoena.]

CF AA-prohibits intentional, unauthorized access to a ?protected computer?
any computer that has been or is involved in interstate commerce to
include foreign computers) Exceed authorized access-protect from insider
threat included. Allows intel and LE and protect activities. For protect, still
need permission from the system owner.

 

61

COMSEC Monitoring
NTISSD No. 600

Telecommunications or information system?s ?owner? must
request COMSEC services.

Must certify existence of notification process that system?s users
know that their use of the system constitutes implied consent to

COMSEC monitoring. CONSENT BANNERS

Dissemination of collected information usually done without
attribution to a particular individual.

2 exceptions-passing of classified info.
Evidence of a significant crime or it is necessary in order to
mitigate the vulnerability.

Used really only by JCMA

Non attribution because purpose is to secure systems, not to be punitive.

 

62

(S) NSCID 6

is tasked with establishing an effective, unified
organization and controlling all collection and
processing activities of the United States so that it is
effective, efficient, and coordinated.

Toward this end, the Central Security Service (military
was established under the in

accordance with a plan approved by the SECDEF.
includes Electronics intelligence (ELINT) and
Communications Intelligence (COMINT).

COMINT is technical and intelligence information derived
from foreign communications by other than the intended
recipients.

Mention something about ELINT not having an expectation of privacy but is
still bound by the mission of SA.

 

63

(U) Authorities Continued

Develop Computer Network Attack capabilities,

Not employ

Conduct analysis of foreign information infrastructure systems
for CNA technology development,

Develop analytic modeling and simulation techniques to
characterize vulnerabilities of information systems and
effectiveness of developed CNA techniques.

'SecDef Memo dated 3 March 1997.

 

Because NTOC works closely with JFCC-NW to provide support, provide info
on other computer network related authorities at Meade.

CNE and CNE enabling activities can easily be converted to CNA
capabilities. purpose is to conduct or enable CNE. Sometimes fine line
between CNE enabling and CNA. Look at purpose and what the capability
does.

Funding can be an issue.

SA does not have authority to conduct CNA

64

(S) NSCID 6, dated 17 February 1972

DIRNSA responsible for the SIGINT mission of
the United States, except for certain SIGINT
activities conducted in support of clandestine CIA
operations (NSCID 5)

Pursuant to his SIGINT authority, DIRNSA has
promulgated USSID SP0018 and other policies to
govern the collection, processing, retention, and
dissemination of SIGINT, especially SIGINT that
includes US person information.

 

(S) NSCID 6

COMINT activities shall be construed to mean those
activities that produce COMINT by the collection and
processing of foreign communications passed by radio,
wire, or other electromagnetic means, and by the
processing of foreign communications, however
transmitted.

Collection comprises search, intercept, and direction
l?inding.

Processing comprises range estimation,
transmitter/operator identification, signal analysis, traffic
analysis, study of plain text, the
fusion of these processes, and the reporting of results.

 

I don?t? go over this in any detail at all. The important piece is the definition
and how the SCEs fit.