Signals intelligence: Difference between revisions

From Citizendium
imported>Howard C. Berkowitz
(counter-counterbattery example of ELINT)
m (Text replacement - "{{subpages}}" to "{{PropDel}}<br><br>{{subpages}}")
 
(26 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{subpages}}
{{PropDel}}<br><br>{{subpages}}
'''Signals intelligence'''', often abbreviated '''SIGINT''' is an [[intelligence (information gathering|intelligence collection discipline]] based on interception of signals, usually electromagnetic,  between people (i.e., COMINT or communications intelligence) or between machines (i.e., ELINT or electronic intelligence), or mixtures of the two. As sensitive information is often encrypted, SIGINT often involves the use of [[cryptanalysis]]. However, traffic analysis&mdash;the study of who is signalling whom and in what quantity&mdash;can often produce valuable information, even when the messages themselves cannot be decrypted.   
{{TOC|right}}
'''Signals intelligence''', often abbreviated '''SIGINT''' is an [[Intelligence (information gathering)|intelligence collection discipline]] based on interception of signals, usually electromagnetic,  between people (i.e., COMINT or communications intelligence) or between machines (i.e., ELINT or electronic intelligence), or mixtures of the two. As sensitive information is often encrypted, SIGINT often involves the use of [[cryptanalysis]]. However, traffic analysis&mdash;the study of who is signalling whom and in what quantity&mdash;can often produce valuable information, even when the messages themselves cannot be decrypted.   


As a means of collecting intelligence, SIGINT is a subset of [[intelligence collection management]], which, in turn, is a subset of [[intelligence cycle management]].
As a means of collecting intelligence, SIGINT is a subset of [[intelligence collection management]], which, in turn, is a subset of [[intelligence cycle management]].  


Intercepting written but encrypted communications, and extracting information, probably did not wait long after the development of writing. A simple encryption system, for example, is the [[Caesar cipher]].  Electronic interception appeared as early as 1900, during the Boer War. The Boers had captured some British radios, and, since the British were the only people transmitting at the time, had signals rather obvious to intercept.<ref name=Lee>{{cite web
Intercepting written but encrypted communications, and extracting information, probably did not wait long after the development of writing; see [[cipher]], and a more technical discussion under [[cryptography]]. A simple encryption system, for example, is the [[Caesar cipher]].  Electronic interception appeared as early as 1900, during the Boer War. The Boers had captured some British radios, and, since the British were the only people transmitting at the time, had signals rather obvious to intercept.<ref name=Lee>{{cite web
   | last = Lee
   | last = Lee
   | first = Bartholomew
   | first = Bartholomew
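Review bot: In the rewritten lead sentence, the parenthetical "often abbreviated '''SIGINT'''" opens with a comma but is never closed, so the sentence runs on as "SIGINT is an intelligence collection discipline"; add a comma after '''SIGINT'''. The same revision fixes the stray fourth apostrophe and the unbalanced parenthesis in the [[Intelligence (information gathering)|...]] link, so this is a good moment to clean the rest of the line, including the trailing spaces after "decrypted."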
Line 11: Line 12:
   | accessdate = 2007-10-08 }}</ref>
   | accessdate = 2007-10-08 }}</ref>
==More technical definitions of SIGINT and its branches==
==More technical definitions of SIGINT and its branches==
In the [[United States]] and other nations involved with [[NATO]], SIGINT is defined as   
In the [[United States of America]] and other nations involved with [[NATO]], SIGINT is defined as   
<ref name=JP1-02>{{citation
<ref name=JP1-02>{{citation
   | last = US Department of Defense
   | last = US Department of Defense
Line 18: Line 19:
   | date=12 July 2007
   | date=12 July 2007
   | url = http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf
   | url = http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf
  | accessdate = 2007-10-01}} </ref>:
}} </ref>:


:*A category of intelligence comprising either individually or in combination all communications intelligence (COMINT), electronic intelligence (ELINT), and foreign instrumentation signals intelligence, however transmitted.  
:*A category of intelligence comprising either individually or in combination all '''[[communications intelligence]]''' (COMINT), '''[[electronic intelligence]]''' (ELINT), and foreign instrumentation signals intelligence, however transmitted.  


:*Intelligence derived from communications, electronic, and foreign instrumentation signals."
:*Intelligence derived from communications, electronic, and foreign instrumentation signals."
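Review bot: The JP 1-02 citation loses its "accessdate = 2007-10-01" field in this hunk while the dtic.mil URL stays; keep the retrieval date so a reader can tell which edition of the definition was consulted. The second quoted bullet also still ends in a closing quotation mark ("signals.") with no opening mark anywhere in the two bullets, so either quote both bullets as the source's words or drop the stray mark.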
Line 29: Line 30:


==Disciplines Shared across the Branches==
==Disciplines Shared across the Branches==
An excellent Australian analysis of how the pieces came together, from targeting to physical destruction of radars, in [[Desert Storm]] was written by Carlo Kopp. <ref name=Kopp>{{cite web
An excellent Australian analysis of how the pieces came together, from targeting to physical destruction of radars, in [[Operation Desert Storm]] was written by Carlo Kopp. There were different requirement for search radar and for the different area defense and point defense missile systems, and how these guided the Suppression of Enemy Air Defense ([[SEAD]]) attacks on the radars, command centers, and missiles. <ref name=Kopp>{{cite web
   | last = Kopp
   | last = Kopp
   | first = Carlo
   | first = Carlo
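Review bot: The sentence added after "was written by Carlo Kopp." does not parse: "There were different requirement for search radar ... and how these guided the Suppression of Enemy Air Defense ([[SEAD]]) attacks" has a singular "requirement" after "were" and a dangling "and how these guided" clause with no main verb. It appears to be the old "Note the different requirement ..." sentence moved here with its opening changed; reword it as a full statement, for example by saying that Kopp describes the different requirements and how they guided the SEAD attacks, so the Kopp reference that follows clearly supports it.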
Line 54: Line 55:
  | title = Precision SIGINT Targeting System (PSTS)
  | title = Precision SIGINT Targeting System (PSTS)
  | publisher = Federation of American Scientists
  | publisher = Federation of American Scientists
  | journal = Intelligence Research Program}}</ref> A U.S. targeting system under development in the late 1990s, PSTS, constantly sends out information that helps the interceptors properly aim their antennas and tune their receivers.  Larger intercept aircraft, such as the [[EP-3]] or [[RC-135]], have the onboard capability to do some target analysis and planning, but others, such as the  RC-21  GUARDRAIL, are completely under ground direction. GUARDRAIL aircraft are fairly small, and usually work in units of three to cover a tactical SIGINT requirement, where the larger aircraft tend to be assigned strategic/national missions.
  | journal = Intelligence Research Program}}</ref> A U.S. targeting system under development in the late 1990s, PSTS, constantly sends out information that helps the interceptors properly aim their antennas and tune their receivers.  Larger intercept aircraft, such as the [[EP-3 Aries II]], [[RC-135 RIVET JOINT]] or [[RC-135 COMBAT SENT]] have the onboard capability to do some target analysis and planning, but others, such as the  [[RC-12 GUARDRAIL]], are completely under ground direction. GUARDRAIL aircraft are fairly small, and usually work in units of three to cover a tactical SIGINT requirement, where the larger aircraft tend to be assigned strategic/national missions.


In other words, before the detailed process of targeting begins, someone has to decide there is a value in collecting information about something. While it would be possible to direct signals intelligence collection at a major sports event, the systems would capture a great deal of noise, news signals, and perhaps announcements in the stadium.  If, however, an antiterrorist organization believed that a small group would be trying to coordinate their efforts, using short-range unlicensed radios, at the event, SIGINT targeting of radios of that type would be reasonable. Targeting would not know where in the stadium the radios might be, or the exact frequency they are using; those are the functions of subsequent steps such as signal detection and direction finding.
In other words, before the detailed process of targeting begins, someone has to decide there is a value in collecting information about something. While it would be possible to direct signals intelligence collection at a major sports event, the systems would capture a great deal of noise, news signals, and perhaps announcements in the stadium.  If, however, an antiterrorist organization believed that a small group would be trying to coordinate their efforts, using short-range unlicensed radios, at the event, SIGINT targeting of radios of that type would be reasonable. Targeting would not know where in the stadium the radios might be, or the exact frequency they are using; those are the functions of subsequent steps such as signal detection and direction finding.


Once the decision to target is made, the various interception points need to cooperate, since resources are limited. A
Once the decision to target is made, the various interception points need to cooperate, since resources are limited. Knowing what interception equipment to use becomes easier when a target country buys its radars and radios from known manufacturers, or is given them as part of foreign military aid. National intelligence services keep libraries of devices manufactured by their own country and others, and then use a variety of techniques to learn what equipment is acquired by a given country.
Knowing what interception equipment to use becomes easier when a target country buys its radars and radios from known manufacturers, or is given them as part of foreign military aid. National intelligence services keep libraries of devices manufactured by their own country and others, and then use a variety of techniques to learn what equipment is acquired by a given country.
 
See "The Target - The Iraqi IADS" for a discussion on how the Iraqi air defense system was targeted in 1991.<ref name=Kopp />  Note the different requirement for search radar and for the different area defense and point defense missile systems, and how these guided the Suppression of Enemy Air Defense ([[SEAD]]) attacks on the radars, command centers, and missiles.


Knowledge of physics and electronic engineering further narrows the problem of what types of equipment might be in use. An intelligence aircraft flying well outside the borders of another country will listen for long-range search radars, not short-range fire control radars that would be used by a mobile air defense. Soldiers scouting the front lines of another army know that the other side will be using radios that must be portable and not have huge antennas.
Knowledge of physics and electronic engineering further narrows the problem of what types of equipment might be in use. An intelligence aircraft flying well outside the borders of another country will listen for long-range search radars, not short-range fire control radars that would be used by a mobile air defense. Soldiers scouting the front lines of another army know that the other side will be using radios that must be portable and not have huge antennas.
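Review bot: Removing the paragraph "See "The Target - The Iraqi IADS" for a discussion on how the Iraqi air defense system was targeted in 1991" drops the only pointer to the specific part of Kopp's analysis that the targeting discussion relies on, along with the named reference at that point in the text; consider keeping the section title in the citation or in the sentence that now carries the Kopp reference. In the reworked aircraft sentence, the list "[[EP-3 Aries II]], [[RC-135 RIVET JOINT]] or [[RC-135 COMBAT SENT]] have" needs a closing comma before "have", and the double space before [[RC-12 GUARDRAIL]] can go.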
Line 67: Line 65:
===Signal detection===
===Signal detection===
Whether a signal is human communications (e.g., a radio), the intelligence collection specialists have to know it exists. If the targeting function described above learns that a country has a radar that operates in a certain frequency range, the first step is to use a sensitive receiver, with one or more antennas that listen in every direction, to find an area where such a radar is operating. Once the radar is known to be in the area, the next step is to find its location.
Whether a signal is human communications (e.g., a radio), the intelligence collection specialists have to know it exists. If the targeting function described above learns that a country has a radar that operates in a certain frequency range, the first step is to use a sensitive receiver, with one or more antennas that listen in every direction, to find an area where such a radar is operating. Once the radar is known to be in the area, the next step is to find its location.
[[Image:SpectrumAnalyzer-Superhet.png|thumb|Simplified [[spectrum analyzer]] display of [[superheterodyne receiver|superheterodyned]],[[amplitude modulated]] signals]]
[[Image:SpectrumAnalyzer-Superhet.png|thumb|Simplified [[spectrum analyzer]] display of [[superheterodyne|superheterodyned]],[[amplitude modulation|amplitude modulated]] signals]]
If operators know the probable frequencies of transmissions of interest, they may use a set of receivers, preset to the frequencies of interest.  These are the frequency (horizontal axis) versus power (vertical axis) produced at the transmitter, before any filtering of signals that do not add to the information being transmitted. Received energy on a particular frequency may start a recorder, and alert a human to listen to the signals if they are intelligible (i.e., COMINT). If the frequency is not known, the operators may look for power on primary or [[sideband]] frequencies using a [[spectrum analyzer]]  signals] Information from the spectrum analyzer is then used to tune receivers to signals of interest. For example, in this simplified spectrum, the actual information is at 800 KHz and 1.2 MHz.
If operators know the probable frequencies of transmissions of interest, they may use a set of receivers, preset to the frequencies of interest.  These are the frequency (horizontal axis) versus power (vertical axis) produced at the transmitter, before any filtering of signals that do not add to the information being transmitted. Received energy on a particular frequency may start a recorder, and alert a human to listen to the signals if they are intelligible (i.e., COMINT). If the frequency is not known, the operators may look for power on primary or [[sideband]] frequencies using a [[spectrum analyzer]]  signals] Information from the spectrum analyzer is then used to tune receivers to signals of interest. For example, in this simplified spectrum, the actual information is at 800 KHz and 1.2 MHz.
[[Image:DirectionalSpectra.png|thumb|left|Hypothetical displays from four spectrum analyzers connected to directional antennas. The transmitter is at bearing 090]]
[[Image:DirectionalSpectra.png|thumb|left|Hypothetical displays from four spectrum analyzers connected to directional antennas. The transmitter is at bearing 090]]
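Review bot: The paragraph beginning "If operators know the probable frequencies" still contains the fragment "[[spectrum analyzer]]  signals] Information from the spectrum analyzer", where "signals]" looks like the tail of the image caption pasted into the prose; this revision fixes the caption links but leaves that residue on both sides. Remove the fragment and end the sentence after the [[spectrum analyzer]] link. In the new caption, add a space after the comma between the [[superheterodyne|superheterodyned]] and [[amplitude modulation|amplitude modulated]] links, and note that the opening sentence of the section ("Whether a signal is human communications (e.g., a radio), the intelligence collection specialists have to know it exists") gives only one side of its "whether".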
Line 74: Line 72:
Spread-spectrum communications is an [[Electronic counter-countermeasures|electronic counter-countermeasures (ECCM)]] technique to defeat looking for particular frequencies.  Spectrum analysis can be used in a different ECCM way, to identify frequencies not being jammed or not in use.
Spread-spectrum communications is an [[Electronic counter-countermeasures|electronic counter-countermeasures (ECCM)]] technique to defeat looking for particular frequencies.  Spectrum analysis can be used in a different ECCM way, to identify frequencies not being jammed or not in use.
===Direction-finding===
===Direction-finding===
{{main|Radio_direction_finding}}
{{main|Direction finding}}
The earliest, and still common, means of [[direction finding]] is to use directional antennas as [[goniometer]]s, so that a line can be drawn from the receiver through the position of the signal of interest. See [[HF/DF]]. Knowing the compass bearing, from a single point, to the transmitter does not locate it. Where the bearings from multiple points, using goniometry, are plotted on a map, the transmitter will be located at the point where the bearings intersect. This is the simplest case; a target may try to confuse listeners by having multiple transmitters, giving the same signal from different locations, switching on and off in a pattern known to their user but apparently random to the listener.  
The earliest, and still common, means of [[direction finding]] is to use directional antennas as [[goniometer]]s, so that a line can be drawn from the receiver through the position of the signal of interest. HF/DF, pronounced "huff-duff", was the term used in the [[Battle of the Atlantic]] in locating German submarines. Knowing the compass bearing, from a single point, to the transmitter does not locate it. Where the bearings from multiple points, using goniometry, are plotted on a map, the transmitter will be located at the point where the bearings intersect. This is the simplest case; a target may try to confuse listeners by having multiple transmitters, giving the same signal from different locations, switching on and off in a pattern known to their user but apparently random to the listener.


Individual directional antennas have to be manually or automatically turned to find the signal direction, which may be too slow when the signal is of short duration.  One alternative is to use the [[Wullenweber]] array technique. [[Image:Flugplatz Gablingen - Funkanlage.jpg|thumb|AN/[[FLR-9]] [[Wullenweber]] antenna array of the [[Bundesnachrichtendienst]] near [[Augsburg]], [[Germany]]]]In this method, several concentric rings of antenna elements simultaneously receive the signal, so that the best bearing will ideally be clearly on a single antenna or a small set. Wullenweber arrays for high-frequency signals are enormous, referred to as "elephant cages" by their users.  
Since modern weapons can home in on and attack transmitters, the antennas of a military unit frequently are placed a hopefully safe distance from the user of the transmitter. While this is much more difficult for ships, moving ground vehicles, and aircraft, even they may do so by towing antennas or putting the transmitter in an [[unmanned aerial vehicle]].


An alternative technique to tunable directional antennas, or large omnidirectional arrays such as the Wullenweber, is to measure the [[time of arrival]] of the signal at multiple points, the points using [[GPS]] or a similar method to have precise time synchronization. The points at which the receivers can be placed can be on ground stations, ships, aircraft, or satellites, giving great flexibility.
Individual directional antennas have to be manually or automatically turned to find the signal direction, which may be too slow when the signal is of short duration.  One alternative, now obsolete, is to use the Wullenweber array technique. In this method, several concentric rings of antenna elements simultaneously receive the signal, so that the best bearing will ideally be clearly on a single antenna or a small set. Wullenweber arrays for high-frequency signals are enormous, referred to as "elephant cages" by their users.  


Since modern weapons can home in on and attack transmitters, the antennas of a military unit frequently are a hopefully safe distance from the user of the transmitter.
The current alternative to tunable directional antennas, or large omnidirectional arrays such as the Wullenweber, is to measure the [[time of arrival]] of the signal at multiple points, the points using [[GPS]] or a similar method to have precise time synchronization.  The points at which the receivers can be placed can be on ground stations, ships, aircraft, or satellites, giving great flexibility.


===Traffic analysis===
===Traffic analysis===
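Review bot: The new wording calls the Wullenweber array "now obsolete" and time-of-arrival measurement "the current alternative", but neither claim is given a reference in this hunk; add a source or soften the wording. The paragraph "Since modern weapons can home in on and attack transmitters" has also been moved from the end of the section to sit between the goniometer paragraph and the Wullenweber paragraph, which interrupts the sequence of direction-finding techniques; it reads better after the time-of-arrival paragraph, where the old revision had it.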
Line 87: Line 85:
When locations are known, usage patterns may emerge, and inferences drawn. [[Traffic analysis]] is the discipline of drawing patterns from information flow among a set of senders and receivers, whether those senders and receivers are designated by location determined through [[direction finding]], by addressee and sender identifications in the message, or even [[MASINT]] techniques for "fingerprinting" transmitters or operators. Message content, other than the sender and receiver, is not necessary to do traffic analysis, although more information can be helpful.  
When locations are known, usage patterns may emerge, and inferences drawn. [[Traffic analysis]] is the discipline of drawing patterns from information flow among a set of senders and receivers, whether those senders and receivers are designated by location determined through [[direction finding]], by addressee and sender identifications in the message, or even [[MASINT]] techniques for "fingerprinting" transmitters or operators. Message content, other than the sender and receiver, is not necessary to do traffic analysis, although more information can be helpful.  


For example, if a certain type of radio is known to be used only by tank units, even if the position is not precisely determined by direction finding, it may be assumed that a tank unit is in the general area of the signal. Of course, the owner of the transmitter can assume someone is listening, so might set up tank radios in an area where he wants the other side to believe he has actual tanks. As part of [[Operation Quicksilver (WWII)|Operation Quicksilver]], part of the [[deception]] plan for the invasion of Europe at the [[Battle of Normandy]], radio transmissions simulated the headquarters and subordinate units of the fictitious [[First United States Army Group]] (FUSAG), commanded by [[George S. Patton]], to make the German defense think that the main invasion was to come at another location. In like manner, fake radio transmissions from Japanese aircraft carriers, before the [[Battle of Pearl Harbor]], were made from Japanese local waters, while the attacking ships moved under strict radio silence.
For example, if a certain type of radio is known to be used only by tank units, even if the position is not precisely determined by direction finding, it may be assumed that a tank unit is in the general area of the signal. Of course, the owner of the transmitter can assume someone is listening, so might set up tank radios in an area where he wants the other side to believe he has actual tanks. As part of [[Operation Quicksilver (WWII)|Operation Quicksilver]], part of the [[deception]] plan for the invasion of Europe at the [[Battle of Normandy]], radio transmissions simulated the headquarters and subordinate units of the fictitious [[First United States Army Group]] (FUSAG), commanded by [[George Patton]], to make the German defense think that the main invasion was to come at another location. In like manner, fake radio transmissions from Japanese aircraft carriers, before the [[Pearl Harbor (World War II)|attack on Pearl Harbor]], were made from Japanese local waters, while the attacking ships moved under strict radio silence.


Traffic analysis need not focus on human communications. For example, if the sequence of a radar signal, followed by an exchange of targeting data and a confirmation, followed by observation of artillery fire, this may identify an automated counterbattery system. A radio signal that triggers navigational beacons could be a landing aid system for an airstrip or helicopter pad that is intended to be low-profile.
Traffic analysis need not focus on human communications. For example, if the sequence of a radar signal, followed by an exchange of targeting data and a confirmation, followed by observation of artillery fire, this may identify an automated counterbattery system. A radio signal that triggers navigational beacons could be a landing aid system for an airstrip or helicopter pad that is intended to be low-profile.
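Review bot: The counterbattery example in the last paragraph of this hunk has no verb in its "if" clause ("if the sequence of a radar signal, followed by an exchange of targeting data and a confirmation, followed by observation of artillery fire, this may identify"); since the revision is already touching the neighbouring paragraph for link fixes, reword it so the sequence "is observed" or "is seen". The opening sentence has the same problem in "usage patterns may emerge, and inferences drawn", which needs "may be drawn".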
Line 93: Line 91:
Patterns do emerge. Knowing a radio signal, with certain characteristics, originating from a fixed headquarters may be strongly suggestive that a particular unit will soon move out of its regular base. The contents of the message need not be known to infer the movement.
Patterns do emerge. Knowing a radio signal, with certain characteristics, originating from a fixed headquarters may be strongly suggestive that a particular unit will soon move out of its regular base. The contents of the message need not be known to infer the movement.


There is an art as well as science of traffic analysis. Expert analysts develop a sense for what is real and what is deceptive. Harry Kidder, for example, was one of the star cryptanalysts of World War II, a star hidden behind the secret curtain of SIGINT <ref>{{cite web
There is an art as well as science of traffic analysis. Expert analysts develop a sense for what is real and what is deceptive.<ref>{{cite web
   | last = Whitlock
   | last = Whitlock
   | first = Duane
   | first = Duane
Line 101: Line 99:
   | issue = 4
   | issue = 4
   | date = Autumn 1995
   | date = Autumn 1995
   | url = http://www.ibiblio.org/pha/ultra/nwc-01.html
   | url = http://www.ibiblio.org/pha/ultra/nwc-01.html }}</ref>.  Modern hobbyist, monitoring radio communications, can have quite sophisticated approaches. <ref name=>{{citation
  | accessdate = 2007-09-30 }}</ref>.
| url = http://www.textfiles.com/hamradio/nigelden.ham
| title = A Layman's Guide to Traffic Analysis
| first = Nigel | last = Ballard | date = July 23, 1990}}</ref>


===Electronic Order of Battle===   
===Electronic Order of Battle===   
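Review bot: The added hobbyist citation opens with "<ref name=>", an empty name attribute; either give the reference a name or use a plain "<ref>". The sentence it supports should read "Modern hobbyists" to agree with "can have", and the full stop left after the Whitlock "</ref>" now sits between two sentences. Note also that with the Harry Kidder sentence removed, the Whitlock reference is attached to the general statement that expert analysts develop a sense for what is real and what is deceptive, so check that the article supports that claim rather than only the Kidder remark.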
Line 117: Line 117:
:#SCS: Spectrum Certification System
:#SCS: Spectrum Certification System
:#EC/S: Equipment Characteristics/Space
:#EC/S: Equipment Characteristics/Space
:#TACDB: platform lists, sorted by nomenclature, which contain links to the C-E equipment complement of each platform, with links to the parametric data for each piece of equipment, mlitary unit lists and their subordinate units with equipment used by each unit.
:#TACDB: platform lists, sorted by nomenclature, which contain links to the C-E equipment complement of each platform, with links to the parametric data for each piece of equipment, military unit lists and their subordinate units with equipment used by each unit.


[[Image:JSC-Databases-and-Flow.GIF| thumb |EOB and related data flow]]
[[Image:JSC-Databases-and-Flow.GIF| thumb |EOB and related data flow]]
Line 144: Line 144:
:* Networks build-up
:* Networks build-up


Separation of the intercepted spectrum and the signals intercepted from each sensors must take place in an extremely small period of time, in order to separate the deferent signals to different transmitters in the battlefield. The complexity of the separation process depends on the complexity of the transmission methods (e.g., [[Frequency-hopping spread spectrum|hopping]] or [[Time division multiple access]] (TDMA)).  
Separation of the intercepted spectrum and the signals intercepted from each sensors must take place in an extremely small period of time, in order to separate the deferent signals to different transmitters in the battlefield. The complexity of the separation process depends on the complexity of the transmission methods (e.g., [[Frequency agility|hopping]] or [[time division multiple access]] (TDMA)).  


By gathering and clustering data from each sensor, the measurements of the direction of signals can be optimized and get much more accurate then the basic measurements of a standard [[direction finding]] sensor.<ref name=Kessler>{{citation
By gathering and clustering data from each sensor, the measurements of the direction of signals can be optimized and get much more accurate then the basic measurements of a standard [[direction finding]] sensor.<ref name=Kessler>{{citation
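Review bot: The changed line that begins "Separation of the intercepted spectrum" is edited only for its [[Frequency agility|hopping]] and [[time division multiple access]] links, and still carries "from each sensors" and "the deferent signals to different transmitters"; fix these to "each sensor" and "the different signals" in the same edit. The context line that follows has "much more accurate then the basic measurements", which should be "than".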
Line 163: Line 163:
   | url = http://www.nrl.navy.mil/content.php?P=03REVIEW207
   | url = http://www.nrl.navy.mil/content.php?P=03REVIEW207
   | accessdate = 2007-10-26 }}</ref>.
   | accessdate = 2007-10-26 }}</ref>.
==COMINT==
COMINT (Communications Intelligence) is a sub-category of SIGINT that engages in dealing with messages or voice information derived from the interception of foreign communications. It should be noted that COMINT is commonly referred to as SIGINT, which can cause confusion when talking about the broader intelligence disciplines. The US Joint Chiefs of Staff defines it as "Technical information and intelligence derived from foreign communications by other than the intended recipients".<ref name=JP1-02 />
COMINT, which is defined to be communications among people, will reveal some or all of the following:
:#Who is transmitting and or where they are located. If the transmitter is moving, the report may give a plot of the signal against location.
:#If known, the organizational function of the transmitter
:#The time and duration of transmission, and the schedule if it is a periodic transmission
:#The frequencies and other technical characteristics of their transmission
:#If the transmission is encrypted or not, and if it can be decrypted. If it is possible to intercept either an originally transmitted cleartext or obtain it through cryptanalysis, the language of the communication and a translation (when needed)
:#The addresses, if the signal is not a general broadcast and if addresses are retrievable from the message. These stations may also be COMINT (e.g., a confirmation of the message or a response message), ELINT (e.g., a navigation beacon being activated) or both. Rather than, or in addition to, an address or other identifier, there may be information on the location and signal characteristics of the responder
===Voice interception===
A basic COMINT technique is to listen for voice communications, usually over radio but possibly "leaking" from telephones or from wiretaps. If the voice communications are encrypted, the encryption first must be solved through a process of introelectric diagram in order to listen to the conversation, although traffic analysis (q.v.) may give information simply because one station is sending to another in a radial pattern. It is important to check for various cross sections of conversation. It is equally important to make sure that you have the correct x pattern in relation to the a2 pattern.{{Clarifyme|date=March 2008}}<!--an original drawing, or a link to an online or scanned US government document would be great--> These can be found by using the SIGINT set given to all Naval communications officers and enlisted personnel with direct access to SIGINT communications.{{Clarifyme|date=March 2008}}<!--by set, are you talking about a secure orderwire used for coordination among SIGINT (or COMINT, which we are discussing here) personnel, or actual interception/analysis systems such as AN/SLR-25 with AN/SSQ-120 or the AN/SSQ-137?-->{{Fact|date=February 2008}}<!--we need a published citation for this. Unfortunately, personal experience can't be cited -- I used to work for a retired DIRNSA but our unclassified conversations were never published-->
Obviously, the interceptor must understand the language being spoken. In the Second World War, the United States used volunteer communicators known as [[code talkers]], who used languages such as [[Navajo]], [[Comanche]] and [[Choctaw]], which would be understood by few people, even in the U.S., who did not grow up speaking the language. Even within these uncommon languages, the code talkers used specialized codes, so a "butterfly" might be a specific Japanese aircraft. British forces made more limited use of [[Welsh language|Welsh]] speakers for the additional protection.
While modern electronic encryption does away with the need for armies to use obscure languages, it is certainly possible that guerilla groups might use rare dialects that few outside their ethnic group would understand.
===Text interception===
Not all communication is in voice. Morse code interception was once very important, but [[Morse code]] telegraphy is now obsolescent in the western world, although possibly used by special operations forces. Such forces, however, now have portable cryptographic equipment. Morse code is still used by military forces of former Soviet Union countries.
Specialists scan radio frequencies for character sequences (e.g., electronic mail) and facsimile.
===Signaling channel interception===
A given digital communications link can carry thousands or millions of voice communications, especially in developed countries. Without addressing the legality of such actions, the problem of identifying which channel contains which conversation becomes much simpler when the first thing intercepted is the ''signaling channel'' that carries information to set up telephone calls.  In civilian and many military use, this channel will carry messages in [[Signaling System 7]] protocols.
Retrospective analysis of telephone calls can be made from [[Call detail record|call detail records (CDR)]] used for billing the calls.
===Monitoring friendly communications===
More a part of communications security than true intelligence collection, SIGINT units still may have the responsibility of monitoring one's own communications or other electronic emissions, to avoid providing intelligence to the enemy. For example, a security monitor may hear an individual transmitting inappropriate information over an unencrypted radio network, or simply one that is not authorized for the type of information being given.  If immediately calling attention to the violation would not create an even greater security risk, the monitor will call out one of the BEADWINDOW codes<ref>{{cite web
  | last = Combined Communications-Electronics Board (CCEB)
  | title = ACP 124(D) Communications Instructions: Radio Telegraph Procedure
  |date=January 1987
  | url = http://www.nor.com.au/community/sarc/acp124~1.pdf
  | ID = ACP 224(D)
  | accessdate = 2007-10-02 }}</ref> used by Australia, Canada, New Zealand, the United Kingdom, the United States, and other nations working under their procedures. Standard BEADWINDOW codes (e.g., "BEADWINDOW 2") include:
:# '''Position:''' (e.g., disclosing, in an insecure or inappropriate way, "Friendly or enemy position, movement or intended movement, position, course, speed, altitude or destination or any air, sea or ground element, unit or force.
:# '''Capabilities:''' "Friendly or enemy capabilities or limitations. Force compositions or significant casualties to special equipment, weapons systems, sensors, units or personnel. Percentages of fuel or ammunition remaining."
:# '''Operations:''' "Friendly or enemy operation – intentions progress, or results. Operational or logistic intentions; mission participants flying programmes; mission situation reports; results of friendly or enemy operations; assault objectives."
:# '''Electronic warfare (EW):''' "Friendly or enemy electronic warfare (EW) or emanations control (EMCON) intentions, progress, or results. Intention to employ electronic countermeasures (ECM); results of friendly or enemy ECM; ECM objectives; results of friendly or enemy electronic counter-countermeasures (ECCM); results of electronic support measures/tactical SIGINT (ESM); present or intended EMCON policy; equipment affected by EMCON policy."
:# '''Friendly or enemy key personnel:''' "Movement or identity of friendly or enemy officers, visitors, commanders; movement of key maintenance personnel indicating equipment limitations."
:# '''Communications security (COMSEC):''' "Friendly or enemy COMSEC breaches. Linkage of codes or codewords with plain language; compromise of changing frequencies or linkage with line number/circuit designators; linkage of changing call signs with previous call signs or units; compromise of encrypted/classified call signs; incorrect authentication procedure."
:# '''Wrong circuit:''' "Inappropriate transmission. Information requested, transmitted or about to be transmitted which should not be passed on the subject circuit because it either requires greater security protection or it is not appropriate to the purpose for which the circuit is provided."
:# Other codes as appropriate for the situation may be defined by the commander.
In WWII, for example, the Japanese Navy made possible the interception and death of the Combined Fleet commander, Admiral [[Isoroku Yamamoto]], by BEADWINDOW 5 and 7 violations. They identified a key person's movement over a low-security cryptosystem.
==ELINT==
'''ELINT''' stands for '''EL'''ectronic Signals '''INT'''elligence, and refers to [[list of intelligence gathering disciplines|intelligence-gathering]] by use of electronic sensors. Its primary focus lies on non-communications signals intelligence. The Joint Chiefs of Staff define it as "Technical and geolocation intelligence derived from foreign noncommunications electromagnetic radiations emanating from other than nuclear detonations or radioactive sources."<ref name =JP1-02 />
Signal identification is performed by analyzing the collected parameters of a specific signal, and either matching it to known criteria, or recording it as a possible new emitter. ELINT data is usually highly classified information, and is protected as such.
The data gathered is typically pertinent to the electronics of an opponent's defense network, especially the electronic parts such as [[radar]]s, [[surface-to-air missile]] systems, aircraft, etc. ELINT can be used to detect ships and aircraft by their radar and other electromagnetic radiation; commanders have to make choices between not using radar ([[EMCON]]), intermittently using it, or using it and expecting to avoid defenses. ELINT can be collected from ground stations near the opponent's territory, ships off their coast, aircraft near or in their airspace, or by satellite. 
=== Complementary relationship to COMINT===
Combining other sources of information and ELINT allows [[traffic analysis]] to be performed on electronic emissions which contain human encoded messages. The method of analysis differs from [[SIGINT]] in that any human encoded message which is in the electronic transmission is not analyzed during ELINT. What is of interest is the type of electronic transmission and its location. For example during the [[Second Battle of the Atlantic|Battle of the Atlantic]] in [[World War II]], [[Ultra]] COMINTwas not always available because [[Bletchley Park]] was not always able to read the U-Boat [[Enigma machine|Enigma]] traffic. But "[[Huff-Duff]]" (High Frequency Direction Finder) was still able to find where the [[U-Boat]]s were by analysis of radio transmissions and the positions through triangulation from the direction located by two or more Huff-Duff systems. The [[Admiralty]] was able to use this information to plot courses which took convoys away from high concentrations of U-Boats.
Yet other ELINT disciplines include intercepting and analyzing enemy weapons control signals, or the [[Identification, friend or foe]] responses from transponders in aircraft used to distinguish enemy craft from friendly ones.
===Role in Air Warfare===
A very common area of ELINT is intercepting radars and learning their locations and operating procedures.  Attacking forces may be able to avoid the coverage of certain radars, or, knowing their characteristics, [[electronic warfare]] units may jam radars or send them deceptive signals. Confusing a radar electronically is called a "soft kill", but military units will also send specialized missiles at radars, or bomb them, to get a "hard kill".
Knowing where each surface-to-air missile and [[anti-aircraft artillery]] system is and its type means that air raids can be plotted to avoid the most heavily defended areas and to fly on a flight profile which will give the aircraft the best chance of evading ground fire and fighter patrols. It also allows for the [[jamming]] or [[Spoofing attack|spoofing]] of the enemy's defence network (see [[electronic warfare]]). Good electronic intelligence can be very important to stealth operations; [[stealth aircraft]] are not totally undetectable and need to know which areas to avoid. Similarly, conventional aircraft need to know where fixed or semi-mobile [[anti-aircraft|air defence]] systems are so that they can shut them down or fly around them.
===ELINT and ESM===
'''Electronic Support Measures (ESM)''' are really ELINT techniques, but the term is used in the specific context of tactical warfare. ESM give the information needed for '''Electronic Attack (EA)''' such as jamming. EA is also called '''Electronic Counter-Measures'''.  ESM provides information needed for '''Electronic Counter-Counter Measures (ECCM)''', such as understanding a spoofing or jamming mode so one can change one's radar characteristics to avoid them.
===ELINT for Meaconing ===
Meaconing<ref>{{citation
  | last = US Army
  | authorlink = US Army
  | title = Chapter 4:  Meaconing, Intrusion, Jamming, and Interference Reporting
  | work = Field Manual 23-33, Communications Techniques: Electronic Counter-Countermeasures
  | date=17 July 1990
  | url = http://www.fas.org/irp/doddir/army/fm24-33/fm243_5.htm
  | id = FM 23-33
  | accessdate =  2007-10-01}}</ref>  is the combined intelligence and electronic warfare of learning the characteristics of enemy navigation aids, such as radio beacons, and retransmitting them with incorrect information. There are tales, perhaps apocryphal, that the meaconing was so confusing that an enemy aircraft landed, quite smoothly, at an airport of the other side.
===FISINT===
===FISINT===
{{main|FISINT}}
[[Foreign instrumentation signals intelligence]] (FISINT) is a sub-category of ELINT, monitoring primarily non-human communication. Foreign instrumentation signals include (but not limited to) [[telemetry]] (TELINT),  tracking systems, and video data links.  TELINT is an important part of [[national means of technical verification]] for arms control.
FISINT (Foreign instrumentation signals intelligence) is a sub-category of ELINT, monitoring primarily non-human communication. Foreign instrumentation signals include (but not limited to) [[telemetry]] (TELINT),  tracking systems, and video data links.  TELINT is an important part of [[national means of technical verification]] for arms control.
 
===Counter-ELINT===
Still at the research level are techniques that can only be described as [[MASINT#Research Programs: Smart Dust and WolfPack|counter-ELINT]], which would be part of a [[SEAD]] campaign. It may be informative to compare and contrast counter-ELINT with [[ECCM]].


==SIGINT versus MASINT==
==SIGINT versus MASINT==
 
{{seealso|MASINT}}
{{main|MASINT}}


SIGINT and [[MASINT|Measurement and Signature Intelligence]] (MASINT) are closely, and sometimes confusingly, related <ref>{{cite web
SIGINT and [[MASINT|Measurement and Signature Intelligence]] (MASINT) are closely, and sometimes confusingly, related <ref>{{cite web
Line 268: Line 178:
The SIGINT disciplines of communications and electronic intelligence focus on the information in those signals themselves, as with COMINT detecting the speech in a voice communication or ELINT measuring the [[Radar signal characteristics|frequency, pulse repetition rate, and other characteristics]] of a radar.  
The SIGINT disciplines of communications and electronic intelligence focus on the information in those signals themselves, as with COMINT detecting the speech in a voice communication or ELINT measuring the [[Radar signal characteristics|frequency, pulse repetition rate, and other characteristics]] of a radar.  


MASINT also works with collected signals, but is more of an analysis discipline. There are, however, unique MASINT sensors, typically working in different regions or domains of the electromagnetic spectrum, such as infrared or magnetic fields. While NSA and other agencies have MASINT groups, the Central MASINT Office is in the [[Defense Intelligence Agency]] (DIA).
MASINT also works with collected signals, but is more of an analysis discipline. There are, however, unique MASINT sensors, typically working in different regions or domains of the electromagnetic spectrum, such as infrared or magnetic fields. While NSA and other agencies of the [[United States intelligence community]] have MASINT groups, the Central MASINT Office is in the [[Defense Intelligence Agency]] (DIA).
   
   
Where COMINT and ELINT focus on the intentionally transmitted part of the signal, MASINT focuses on unintentionally transmitted information. For example, a given radar antenna will have [[sidelobe]]s emanating from other than the direction in which the main antenna is aimed. The RADINT (radar intelligence) discipline involves learning to recognize a radar both by its primary signal, captured by ELINT, and its sidelobes, perhaps captured by the main ELINT sensor, or, more likely, a sensor aimed at the sides of the radio antenna.
Where COMINT and ELINT focus on the intentionally transmitted part of the signal, MASINT focuses on unintentionally transmitted information. For example, a given radar antenna will have [[sidelobe]]s emanating from other than the direction in which the main antenna is aimed. The RADINT (radar intelligence) discipline involves learning to recognize a radar both by its primary signal, captured by ELINT, and its sidelobes, perhaps captured by the main ELINT sensor, or, more likely, a sensor aimed at the sides of the radio antenna.


MASINT associated with COMINT might involve the detection of common background sounds expected with human voice communications. For example, if a given radio signal comes from a radio used in a tank, if the interceptor does not hear engine noise or higher voice frequency than the voice [[modulation]] usually uses,  even thought the voice conversation is meaningful, MASINT might suggest it is a deception, not coming from a real tank.
MASINT associated with COMINT might involve the detection of common background sounds expected with human voice communications. For example, if a given radio signal comes from a radio used in a tank, if the interceptor does not hear engine noise or higher voice frequency than the voice [[modulation]] usually uses,  even thought the voice conversation is meaningful, MASINT might suggest it is a deception, not coming from a real tank.
See [[HF/DF]] for a discussion of SIGINT-captured information with a MASINT flavor, such as determining the frequency to which a ''receiver'' is tuned, from detecting the frequency of the [[beat frequency oscillator]] of the [[superheterodyne]] receiver.


==Defensive SIGINT==
==Defensive SIGINT==
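Review bot: the MASINT/COMINT paragraph in this span still reads "even thought the voice conversation is meaningful" in both copies; it should be "even though". The same sentence stacks two conditionals ("if a given radio signal comes from a radio used in a tank, if the interceptor does not hear engine noise") and would be clearer with the second "if" replaced by "and".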
Line 281: Line 189:
One must begin by defining the threat. It is considerably more difficult to defend against detection that one is signaling, as opposed to defending against an opponent discovering the content of the transmitted message. Appropriate encryption can protect against content interception, but protecting against signal detection, especially with a capable opponent, requires measures to make the signal hard to detect -- which can also make it difficult for the intended recipient to receive the signal. Any defensive program needs to consider the nature of the threat and the capabilities of the opponent.
One must begin by defining the threat. It is considerably more difficult to defend against detection that one is signaling, as opposed to defending against an opponent discovering the content of the transmitted message. Appropriate encryption can protect against content interception, but protecting against signal detection, especially with a capable opponent, requires measures to make the signal hard to detect -- which can also make it difficult for the intended recipient to receive the signal. Any defensive program needs to consider the nature of the threat and the capabilities of the opponent.
===Strong and well-managed encryption===
===Strong and well-managed encryption===
 
{{main|cryptography}}
While [[encryption]] is discussed at length in other articles, it should not be forgotten that if one wants to protect messages and files, encryption is central to the defense. As important as the encryption process itself may be, it is vulnerable if the [[keys]] are not strong and protected, and, on computers, that the [[cleartext]] is deleted when not needed.  Seemingly obvious, but too often neglected, is making a practice of having as little cleartext hard copy as possible.
While [[cryptography|encryption]] is discussed at length in other articles, it should not be forgotten that if one wants to protect messages and files, encryption is central to the defense. As important as the encryption process itself may be, it is vulnerable if the [[cryptographic key]]s are not strong and protected, and, on computers, that the [[cleartext]] is deleted when not needed.  Seemingly obvious, but too often neglected, is making a practice of having as little cleartext hard copy as possible.


===Appropriate transmission security===
===Appropriate transmission security===
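Review bot: both versions of the encryption paragraph keep the clause "it is vulnerable if the ... keys are not strong and protected, and, on computers, that the [[cleartext]] is deleted when not needed", which does not parse and reads as though deleting cleartext were the weakness. Suggest rewording along the lines of "encryption is undermined if the keys are weak or unprotected, or if cleartext is left on computers once it is no longer needed", so the key-management and cleartext-handling points are unambiguous.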
Line 377: Line 285:
   | url = http://www.fas.org/irp/nsa/rainbow/tg030.htm
   | url = http://www.fas.org/irp/nsa/rainbow/tg030.htm
   | accessdate =  }}</ref>. They send out an unauthorized signal by stealing bandwidth from a legitimate, often encrypted channel. One low-bandwidth method would be to send information by varying the inter-block transmission times. A [[Steganography|steganographic]] covert channel might use the low-order bit of pixels in a graphic image, perhaps not even consecutive pixels, in a manner that would not be obvious to a person looking at the graphic.
   | accessdate =  }}</ref>. They send out an unauthorized signal by stealing bandwidth from a legitimate, often encrypted channel. One low-bandwidth method would be to send information by varying the inter-block transmission times. A [[Steganography|steganographic]] covert channel might use the low-order bit of pixels in a graphic image, perhaps not even consecutive pixels, in a manner that would not be obvious to a person looking at the graphic.
==People of SIGINT==
[[Image:Turing memorial.jpg|left|200px|Memorial to Alan Turing]]
People who work in SIGINT often work under heavy stress. First, it is a secret world, about which they cannot share their work with outsiders, and must conform to intense security scrutiny. Second, the work can take immense patience and concentration.  An informal mental health check on cryptanalysts is to show them a telephone directory: if they start looking for patterns, and scream in frustration, they need rest if not treatment.
Security aspects have led to tragedies, such as that of [[Alan Turing]],<ref>{{citation
| url = http://www.number10.gov.uk/Page20571
| author = [[Gordon Brown]]
| date = 10 September 2009
| title = Treatment of Alan Turing was “appalling” - PM
| publisher = Office of the U.K. Prime Minister}}</ref> although most Western signals intelligence agencies now accept open homosexuality. There is always the danger, however, that the oppressive security will not detect a serious spy.
Mental health concerns are very real. [[William Friedman]], arguably the greatest cryptanalyst in history, broke down in 1940, before the final breach of the Japanese PURPLE system, and never could return to full-time cryptanalysis.
[[Image:NSA National Vigilance Park.jpg|thumb|200px|NSA National Vigilance Park, memorializing aircraft lost on SIGINT missions]][[Image:NSAmemorialTheyServedInSilence.jpg|left|200px|thumb|Memorial, inside the [[National Security Agency]] headquarters building, to all personnel who died on SIGINT duty]]
SIGINT collectors can and do die in action; the first American killed in the [[Vietnam War]], [[National Security Agency and Southeast Asia, 1954-1961#US Deployment and Casualty (1960)|SP4 James T. Davis]] was a soldier on a SIGINT mission.<REF name=Knight>{{citation
  | last = Knight
  | first = Judson
  | title = Army Security Agency
  | url = http://www.espionageinfo.com/An-Ba/Army-Security-Agency.html
}}</ref>


==References==
==References==
 
{{Reflist|2}}
{{Reflist | 2}}

Latest revision as of 05:49, 8 April 2024



Signals intelligence, often abbreviated SIGINT, is an intelligence collection discipline based on interception of signals, usually electromagnetic, between people (i.e., COMINT or communications intelligence) or between machines (i.e., ELINT or electronic intelligence), or mixtures of the two. As sensitive information is often encrypted, SIGINT often involves the use of cryptanalysis. However, traffic analysis—the study of who is signalling whom and in what quantity—can often produce valuable information, even when the messages themselves cannot be decrypted.

As a means of collecting intelligence, SIGINT is a subset of intelligence collection management, which, in turn, is a subset of intelligence cycle management.

Intercepting written but encrypted communications, and extracting information, probably did not wait long after the development of writing; see cipher, and a more technical discussion under cryptography. A simple encryption system, for example, is the Caesar cipher. Electronic interception appeared as early as 1900, during the Boer War. The Boers had captured some British radios, and, since the British were the only people transmitting at the time, had signals rather obvious to intercept.[1]

More technical definitions of SIGINT and its branches

In the United States of America and other nations involved with NATO, SIGINT is defined as [2]:

  • "Intelligence derived from communications, electronic, and foreign instrumentation signals."

The JCS definition may overemphasize "foreign instrumentation signals". That part should be considered in combination with MASINT, which is closely linked to foreign instrumentation such as telemetry or radionavigation. An ELINT sensor may find a radar, and then cue (i.e., guide) a COMINT sensor for listening in on the talk between the radar and its remote users. A nonspecific SIGINT sensor can cue a Frequency Domain MASINT sensor that can help identify the purpose of the signal. If MASINT cannot identify the signal, then the intelligence organization may task an IMINT aircraft or satellite to take a picture of the source, so photointerpreters can try to understand its functions.

Being a broad field, SIGINT has many sub-disciplines. The two main ones are COMmunications INTelligence (COMINT) and ELectronic INTelligence (ELINT). There are, however, some techniques that can apply to either branch, as well as to assist FISINT or MASINT.

Disciplines Shared across the Branches

An excellent Australian analysis of how the pieces came together, from targeting to physical destruction of radars, in Operation Desert Storm was written by Carlo Kopp. It covers the different requirements for search radar and for the different area defense and point defense missile systems, and how these guided the Suppression of Enemy Air Defense (SEAD) attacks on the radars, command centers, and missiles. [3]

Targeting

A collection system has to know to look for a particular signal. "System", in this context, has several nuances. Targeting is an output of the process of developing collection requirements:

"1. An intelligence need considered in the allocation of intelligence resources. Within the Department of Defense, these collection requirements fulfill the essential elements of information and other intelligence needs of a commander, or an agency.
"2. An established intelligence need, validated against the appropriate allocation of intelligence resources (as a requirement) to fulfill the essential elements of information and other intelligence needs of an intelligence consumer." [2]

Need for multiple, coordinated receivers

First, even with a geographically fixed target, atmospheric conditions, sunspots, the target's transmission schedule and antenna characteristics, and other factors, mean that a given signal intercept sensor is not guaranteed to be able to "hear" the signal of interest, even if the opponent made no attempt to make the signal hard to intercept. Among the most basic countermeasures against interception is frequent changing of frequency, and other transmission characteristics such as polarization. Such countermeasures mean that an intercept aircraft could not get off the ground if it had to carry antennas and receivers for every possible frequency and signal type.

Second, locating the transmitter's position is usually part of SIGINT. Triangulation and more sophisticated radiolocation techniques, such as time of arrival methods, require multiple receiving points at different locations. These receivers send location-relevant information to a central point, or perhaps to a distributed system in which all participate, such that the information can be correlated and a location computed.

Intercept management

Modern SIGINT systems, therefore, have substantial communications among intercept platforms. Even if some platforms are clandestine, there is a broadcast of information telling them where and how to look for signals.[4] A U.S. targeting system under development in the late 1990s, PSTS, constantly sends out information that helps the interceptors properly aim their antennas and tune their receivers. Larger intercept aircraft, such as the EP-3 Aries II, RC-135 RIVET JOINT or RC-135 COMBAT SENT have the onboard capability to do some target analysis and planning, but others, such as the RC-12 GUARDRAIL, are completely under ground direction. GUARDRAIL aircraft are fairly small, and usually work in units of three to cover a tactical SIGINT requirement, where the larger aircraft tend to be assigned strategic/national missions.

In other words, before the detailed process of targeting begins, someone has to decide there is a value in collecting information about something. While it would be possible to direct signals intelligence collection at a major sports event, the systems would capture a great deal of noise, news signals, and perhaps announcements in the stadium. If, however, an antiterrorist organization believed that a small group would be trying to coordinate their efforts, using short-range unlicensed radios, at the event, SIGINT targeting of radios of that type would be reasonable. Targeting would not know where in the stadium the radios might be, or the exact frequency they are using; those are the functions of subsequent steps such as signal detection and direction finding.

Once the decision to target is made, the various interception points need to cooperate, since resources are limited. Knowing what interception equipment to use becomes easier when a target country buys its radars and radios from known manufacturers, or is given them as part of foreign military aid. National intelligence services keep libraries of devices manufactured by their own country and others, and then use a variety of techniques to learn what equipment is acquired by a given country.

Knowledge of physics and electronic engineering further narrows the problem of what types of equipment might be in use. An intelligence aircraft flying well outside the borders of another country will listen for long-range search radars, not short-range fire control radars that would be used by a mobile air defense. Soldiers scouting the front lines of another army know that the other side will be using radios that must be portable and not have huge antennas.

Signal detection

Whether or not a signal is human communications (e.g., a radio), the intelligence collection specialists have to know it exists. If the targeting function described above learns that a country has a radar that operates in a certain frequency range, the first step is to use a sensitive receiver, with one or more antennas that listen in every direction, to find an area where such a radar is operating. Once the radar is known to be in the area, the next step is to find its location.

If operators know the probable frequencies of transmissions of interest, they may use a set of receivers, preset to the frequencies of interest. These are the frequency (horizontal axis) versus power (vertical axis) produced at the transmitter, before any filtering of signals that do not add to the information being transmitted. Received energy on a particular frequency may start a recorder, and alert a human to listen to the signals if they are intelligible (i.e., COMINT). If the frequency is not known, the operators may look for power on primary or sideband frequencies using a spectrum analyzer. Information from the spectrum analyzer is then used to tune receivers to signals of interest. For example, in this simplified spectrum, the actual information is at 800 kHz and 1.2 MHz.

Hypothetical displays from four spectrum analyzers connected to directional antennas. The transmitter is at bearing 090

Real-world transmitters and receivers usually are directional. In the figure to the left, assume that each display is connected to a spectrum analyzer connected to a directional antenna aimed in the indicated direction.

Countermeasures to interception

Spread-spectrum communications is an electronic counter-countermeasures (ECCM) technique to defeat looking for particular frequencies. Spectrum analysis can be used in a different ECCM way, to identify frequencies not being jammed or not in use.

Direction-finding

For more information, see: Direction finding.

The earliest, and still common, means of direction finding is to use directional antennas as goniometers, so that a line can be drawn from the receiver through the position of the signal of interest. HF/DF, pronounced "huff-duff", was the term used in the Battle of the Atlantic in locating German submarines. Knowing the compass bearing, from a single point, to the transmitter does not locate it. Where the bearings from multiple points, using goniometry, are plotted on a map, the transmitter will be located at the point where the bearings intersect. This is the simplest case; a target may try to confuse listeners by having multiple transmitters, giving the same signal from different locations, switching on and off in a pattern known to their user but apparently random to the listener.
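The bearing-intersection fix described above, worked as an added example (not part of the original article). It assumes a flat x/y plane in kilometres with x east and y north, and the function names are hypothetical; the least-squares routine goes beyond the simplest two-bearing case in the text to show how three or more slightly inconsistent bearings are reconciled.

```python
import math

def direction(bearing_deg):
    """Unit vector (east, north) for a compass bearing, degrees clockwise from north."""
    rad = math.radians(bearing_deg)
    return math.sin(rad), math.cos(rad)

def two_station_fix(station_a, bearing_a, station_b, bearing_b, tol=1e-9):
    """Intersect two bearing lines. Returns (x, y), or None when there is no fix."""
    ax, ay = station_a
    bx, by = station_b
    dax, day = direction(bearing_a)
    dbx, dby = direction(bearing_b)
    # Solve A + t*dA = B + s*dB using 2-D cross products.
    denom = dax * dby - day * dbx
    if abs(denom) < tol:
        return None                      # parallel bearings never cross
    rx, ry = bx - ax, by - ay
    t = (rx * dby - ry * dbx) / denom    # distance along A's bearing
    s = (rx * day - ry * dax) / denom    # distance along B's bearing
    if t < 0 or s < 0:
        return None                      # lines cross behind a station: not a real fix
    return ax + t * dax, ay + t * day

def least_squares_fix(observations, tol=1e-9):
    """Best point for >= 2 bearings that do not meet exactly (measurement error).

    observations: list of ((x, y), bearing_deg). Minimises the summed squared
    perpendicular distance from the point to every bearing line.
    """
    if len(observations) < 2:
        return None                      # one bearing gives a line, not a position
    s_xx = s_xy = s_yy = b_x = b_y = 0.0
    for (px, py), bearing in observations:
        dx, dy = direction(bearing)
        nx, ny = dy, -dx                 # unit normal to the bearing line
        c = nx * px + ny * py            # line equation: n . p = c
        s_xx += nx * nx
        s_xy += nx * ny
        s_yy += ny * ny
        b_x += nx * c
        b_y += ny * c
    det = s_xx * s_yy - s_xy * s_xy
    if abs(det) < tol:
        return None                      # all bearings parallel
    return (b_x * s_yy - b_y * s_xy) / det, (s_xx * b_y - s_xy * b_x) / det

if __name__ == "__main__":
    # Constructed sample: three stations, transmitter actually at (50, 50).
    print(two_station_fix((0, 0), 45, (100, 0), 315))
    print(least_squares_fix([((0, 0), 44), ((100, 0), 316), ((50, -50), 1)]))
```

The `None` results correspond to the cases the text warns about: a single bearing, or bearings that never meet in front of both stations, do not locate the transmitter.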

Since modern weapons can home in on and attack transmitters, the antennas of a military unit frequently are placed a hopefully safe distance from the user of the transmitter. While this is much more difficult for ships, moving ground vehicles, and aircraft, even they may do so by towing antennas or putting the transmitter in an unmanned aerial vehicle.

Individual directional antennas have to be manually or automatically turned to find the signal direction, which may be too slow when the signal is of short duration. One alternative, now obsolete, is to use the Wullenweber array technique. In this method, several concentric rings of antenna elements simultaneously receive the signal, so that the best bearing will ideally be clearly on a single antenna or a small set. Wullenweber arrays for high-frequency signals are enormous, referred to as "elephant cages" by their users.

The current alternative to tunable directional antennas, or large omnidirectional arrays such as the Wullenweber, is to measure the time of arrival of the signal at multiple points, the points using GPS or a similar method to have precise time synchronization. The points at which the receivers can be placed can be on ground stations, ships, aircraft, or satellites, giving great flexibility.

Traffic analysis

For more information, see: Traffic analysis.

When locations are known, usage patterns may emerge, and inferences drawn. Traffic analysis is the discipline of drawing patterns from information flow among a set of senders and receivers, whether those senders and receivers are designated by location determined through direction finding, by addressee and sender identifications in the message, or even MASINT techniques for "fingerprinting" transmitters or operators. Message content, other than the sender and receiver, is not necessary to do traffic analysis, although more information can be helpful.

For example, if a certain type of radio is known to be used only by tank units, even if the position is not precisely determined by direction finding, it may be assumed that a tank unit is in the general area of the signal. Of course, the owner of the transmitter can assume someone is listening, so might set up tank radios in an area where he wants the other side to believe he has actual tanks. As part of Operation Quicksilver, part of the deception plan for the invasion of Europe at the Battle of Normandy, radio transmissions simulated the headquarters and subordinate units of the fictitious First United States Army Group (FUSAG), commanded by George Patton, to make the German defense think that the main invasion was to come at another location. In like manner, fake radio transmissions from Japanese aircraft carriers, before the attack on Pearl Harbor, were made from Japanese local waters, while the attacking ships moved under strict radio silence.

Traffic analysis need not focus on human communications. For example, a sequence of a radar signal, followed by an exchange of targeting data and a confirmation, followed by observation of artillery fire, may identify an automated counterbattery system. A radio signal that triggers navigational beacons could be a landing aid system for an airstrip or helicopter pad that is intended to be low-profile.

Patterns do emerge. A radio signal with certain characteristics, originating from a fixed headquarters, may strongly suggest that a particular unit will soon move out of its regular base. The contents of the message need not be known to infer the movement.

There is an art as well as a science to traffic analysis. Expert analysts develop a sense for what is real and what is deceptive.[5] Modern hobbyists monitoring radio communications can have quite sophisticated approaches.[6]

Electronic Order of Battle

Generating an Electronic order of battle (EOB) requires identifying SIGINT emitters in an area of interest, determining their geographic location or range of mobility, characterizing their signals, and, where possible, determining their role in the broader organizational order of battle. EOB covers both COMINT and ELINT. [7] The Defense Intelligence Agency maintains an EOB by location. The Joint Spectrum Center (JSC) of the Defense Information Systems Agency supplements this location database with five more technical databases:

  1. FRRS: Frequency Resource Record System
  2. BEI: Background Environment Information
  3. SCS: Spectrum Certification System
  4. EC/S: Equipment Characteristics/Space
  5. TACDB: platform lists, sorted by nomenclature, which contain links to the C-E equipment complement of each platform, with links to the parametric data for each piece of equipment, military unit lists and their subordinate units with equipment used by each unit.

EOB and related data flow

For example, several voice transmitters might be identified as the command net (i.e., top commander and direct reports) in a tank battalion or tank-heavy task force. Another set of transmitters might identify the logistic net for that same unit. An inventory of ELINT sources might identify the medium- and long-range counter-artillery radars in a given area.[8] If a commander knows he is facing such sensors, he will try to attack a different area with his artillery.

SIGINT units will identify changes in the EOB, which might indicate enemy unit movement, changes in command relationships, and increases or decreases in capability.

COMINT gathering enables the intelligence officer to produce an electronic order of battle by traffic analysis and content analysis among several enemy units. For example, if the following messages were intercepted:

  1. U1 from U2, requesting permission to proceed to checkpoint X.
  2. U2 from U1, approved. Please report on arrival.
  3. (20 minutes later) U1 from U2, all vehicles have arrived at checkpoint X.

This sequence shows that there are two units in the battlefield: unit 1 is mobile, while unit 2 is at a higher hierarchical level, perhaps a command post. One can also infer that unit 1 moved from one point to another, the two points being 20 minutes apart by vehicle. If these are regular reports over a period of time, they might reveal a patrol pattern. Direction-finding and radiofrequency MASINT could help confirm that the traffic is not deception.

The EOB buildup process is divided as follows:

  • Signal separation
  • Measurements optimization
  • Data Fusion
  • Networks build-up

Separation of the intercepted spectrum and the signals intercepted from each sensor must take place in an extremely small period of time, in order to attribute the different signals to different transmitters in the battlefield. The complexity of the separation process depends on the complexity of the transmission methods (e.g., hopping or time division multiple access (TDMA)).

By gathering and clustering data from each sensor, the measurements of the direction of signals can be optimized and become much more accurate than the basic measurements of a standard direction finding sensor.[9] By processing larger samples of the sensor's output data in near real-time, together with historical information of signals, better results are achieved.

Data fusion correlates data samples from different frequencies from the same sensor, "same" being confirmed by direction finding or radiofrequency MASINT. If an emitter is mobile, direction finding, other than discovering a repetitive pattern of movement, is of limited value in determining if a sensor is unique. MASINT then becomes more informative, as individual transmitters and antennas may have unique sidelobes, unintentional radiation, pulse timing, etc.

Network build-up between each emitter (communication transmitter) and another enables creation of the communications flows of a battlefield.[10]

FISINT

Foreign instrumentation signals intelligence (FISINT) is a sub-category of ELINT, monitoring primarily non-human communication. Foreign instrumentation signals include (but are not limited to) telemetry (TELINT), tracking systems, and video data links. TELINT is an important part of national means of technical verification for arms control.

SIGINT versus MASINT

See also: MASINT

SIGINT and Measurement and Signature Intelligence (MASINT) are closely, and sometimes confusingly, related [11]. The SIGINT disciplines of communications and electronic intelligence focus on the information in those signals themselves, as with COMINT detecting the speech in a voice communication or ELINT measuring the frequency, pulse repetition rate, and other characteristics of a radar.

MASINT also works with collected signals, but is more of an analysis discipline. There are, however, unique MASINT sensors, typically working in different regions or domains of the electromagnetic spectrum, such as infrared or magnetic fields. While NSA and other agencies of the United States intelligence community have MASINT groups, the Central MASINT Office is in the Defense Intelligence Agency (DIA).

Where COMINT and ELINT focus on the intentionally transmitted part of the signal, MASINT focuses on unintentionally transmitted information. For example, a given radar antenna will have sidelobes emanating from other than the direction in which the main antenna is aimed. The RADINT (radar intelligence) discipline involves learning to recognize a radar both by its primary signal, captured by ELINT, and its sidelobes, perhaps captured by the main ELINT sensor, or, more likely, a sensor aimed at the sides of the radio antenna.

MASINT associated with COMINT might involve the detection of common background sounds expected with human voice communications. For example, if a given radio signal comes from a radio used in a tank, and the interceptor does not hear engine noise or higher voice frequency than the voice modulation usually uses, then even though the voice conversation is meaningful, MASINT might suggest it is a deception, not coming from a real tank.

Defensive SIGINT

There are a number of ways that a person or organization can defend against SIGINT. There is a delicate balance between the level of protection and the actual threat, as expressed in the clichés about "tinfoil hats".

One must begin by defining the threat. It is considerably more difficult to defend against detection that one is signaling, as opposed to defending against an opponent discovering the content of the transmitted message. Appropriate encryption can protect against content interception, but protecting against signal detection, especially with a capable opponent, requires measures to make the signal hard to detect -- which can also make it difficult for the intended recipient to receive the signal. Any defensive program needs to consider the nature of the threat and the capabilities of the opponent.

Strong and well-managed encryption

For more information, see: cryptography.

While encryption is discussed at length in other articles, it should not be forgotten that if one wants to protect messages and files, encryption is central to the defense. As important as the encryption process itself may be, it is vulnerable if the cryptographic keys are not strong and protected and, on computers, if the cleartext is not deleted when no longer needed. Seemingly obvious, but too often neglected, is making a practice of having as little cleartext hard copy as possible.

Appropriate transmission security

When using radio transmitters, use directional antennas that have as little "spillover" into sidelobes as possible. If it is most important to hide the location of a transmitter, the minimum is to cable the antennas as far as possible away from the transmitter proper. In many circumstances, aiming the antenna upward to a satellite will help hide its location.

The amount of total transmission power needs to be minimized, and the power preferably should be split into multiple and changing frequencies using spread spectrum techniques. If possible, avoid transmitting when hostile SIGINT satellites or monitoring aircraft are overhead.

If in an urban area, avoid using regular commercial power to transmit. There are ways in which the signal can "leak" into power and ground lines. The adversary may turn off power to an area, which will tell him there is a line-operated transmitter if the transmission stops, and that there is a battery-powered transmitter if it continues.

Use highly variable transmission schedules and vary frequencies if technically possible. Also see low probability of intercept.

Appropriate receiving security

If Operation RAFTER-style intercept is a threat, protect against this form of unintentional radiation MASINT by using optoisolators or other shielded techniques (e.g., waveguides) to bring in the radio frequency received signal, and shield the local oscillator and intermediate frequency stages in the superheterodyne receiver. This technique should be far less effective against the new generation of software-defined radio.

Unintentional radiation on power or ground circuits is a threat here as well; use appropriate TEMPEST or other techniques.

Protection against compromising emanations

There are risks that electronic, acoustic, or other information could "leak" from a computer system or other electronic communications devices.

The Risk

Understanding details of the risks requires a substantial knowledge of electronics, but a simple example might serve. Many people have put a radio receiver near a computer, to listen to music as they work, and discovered that the radio suffered clicks, squeals, and other interference. These interfering signals are radiating from various parts of the computer, especially its display but often also from the power and grounding system. TEMPEST is the name for one family of protective measures against an opponent intercepting these emanations and extracting sensitive information from them.

While not strictly within the scope of protecting against "leakage", a place where sensitive information is processed or discussed needs protection against hidden microphones, wiretaps, and other "bugging". Sometimes, an electronic sweep to verify TEMPEST compliance reveals the presence of hidden transmitters. Again, there is probably more suspicion than reality in most cases. A member of a crime organization, someone in the middle of a nasty divorce, or a foreign intelligence agent might have reason to worry, but, even with the serious questions about warrantless surveillance in the US and other countries, there is little reason for someone to go to the risk and expense of illegal surveillance on an ordinary citizen. TEMPEST is usually associated with direct electromagnetic radiation from the device, either free-space or through power and ground lines. TEMPEST generically talks about acoustic isolation, but that is fairly easily solved through physical security and noise damping, as well as searches for microphones.

There are several threats that have not been officially defined in the unclassified literature. Nevertheless, there are some informed guesses [12]:

  • NONSTOP is a threat that involves some type of coupling of compromising RF energy from a classified system, which "leaks" into an independent RF-transmitting or -recording device such as cell phones, PDAs, pagers, and alarm systems. Commercial AM/FM radios are not considered a risk.
  • HIJACK is a similar threat of coupling, but to some type of digital computer or related equipment.
  • TEAPOT is a very different vulnerability, which appears to apply to incidental audio modulation of the backscatter from an RF signal, typically microwave, directed into the secure area. A passive resonant cavity bug of this type was discovered in a Great Seal of the United States presented by the USSR, which contained a resonant cavity with a wall that moved with sound in the room, thus imposing frequency modulation onto the backscattered signal.

Mitigation and Countermeasures

The word TEMPEST itself, and its meaning, are unclassified. Some of the techniques for measuring the compliance of a piece of equipment, or whether it is actually emitting compromising emanations, are classified. A good deal of the information has come into public view through Freedom of Information Act queries[13], books talking about interception techniques, inferences drawn from partially released documents, and straightforward thinking by electronic engineers. Some documents released fully or partially under FOIA:

  1. Red/Black Installation Guidance [14]
  2. Specification for Shielded Enclosures[15]
  3. Specification for Shielded Enclosures (partially redacted) [16]

A number of individuals have made a hobby of ferreting out TEMPEST and related information[17], and firms in the broader-than-TEMPEST business of Technical Surveillance Countermeasures (TSCM) also reveal concepts[18].

Protection against side channel attacks and covert channels

A side channel attack exploits an unintentional vulnerability of an encryption device that is not related to the encryption algorithm.[19] Potential vulnerabilities include different processing and thus transmission speeds for blocks of plaintext with certain statistical characteristics, changes in power consumption, or compromising emanations.

Covert channels are deliberate means to elude communications security[20]. They send out an unauthorized signal by stealing bandwidth from a legitimate, often encrypted channel. One low-bandwidth method would be to send information by varying the inter-block transmission times. A steganographic covert channel might use the low-order bit of pixels in a graphic image, perhaps not even consecutive pixels, in a manner that would not be obvious to a person looking at the graphic.
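A monitoring check for the inter-block timing method described above, as an added example that is not part of the original article: it flags a series of inter-block gaps that falls into two tight, well-populated modes, a simple bimodality heuristic rather than a complete covert channel analysis. The thresholds, function names and both sample series are constructed assumptions.

```python
import math
import random

SCORE_THRESHOLD = 0.1  # assumption: tune against the link's own baseline traffic
MIN_SHARE = 0.2        # assumption: each mode must hold at least 20% of the gaps


def two_mode_score(gaps, iterations=25):
    """1-D two-means over inter-block gaps.

    Returns (score, minority_share), where score is the pooled within-cluster
    standard deviation divided by the distance between the two centroids.
    Returns None when every gap is identical (a single mode).
    """
    lo, hi = min(gaps), max(gaps)
    if hi == lo:
        return None
    c0, c1 = lo, hi
    for _ in range(iterations):
        low = [g for g in gaps if abs(g - c0) <= abs(g - c1)]
        high = [g for g in gaps if abs(g - c0) > abs(g - c1)]
        c0, c1 = sum(low) / len(low), sum(high) / len(high)
    sq = sum((g - c0) ** 2 for g in low) + sum((g - c1) ** 2 for g in high)
    score = math.sqrt(sq / len(gaps)) / (c1 - c0)
    return score, min(len(low), len(high)) / len(gaps)


def looks_like_timing_channel(gaps):
    """Flag a gap series whose values form two tight, well-populated modes."""
    result = two_mode_score(gaps)
    if result is None:
        return False
    score, share = result
    # The share test stops a single long outage from reading as a second mode.
    return score < SCORE_THRESHOLD and share >= MIN_SHARE


def constructed_samples(n=200, seed=7):
    """Constructed test data: benign gaps with exponential spread (mean 15 ms),
    and a series carrying one bit per block as a 10 ms or 20 ms gap with jitter."""
    rng = random.Random(seed)
    benign = [rng.expovariate(1 / 0.015) for _ in range(n)]
    modulated = [(0.020 if rng.getrandbits(1) else 0.010) + rng.uniform(-0.001, 0.001)
                 for _ in range(n)]
    return benign, modulated


if __name__ == "__main__":
    benign, modulated = constructed_samples()
    print("benign flagged:   ", looks_like_timing_channel(benign))
    print("modulated flagged:", looks_like_timing_channel(modulated))
```

A sender that shapes its gaps to resemble the baseline distribution will not be caught by this check, so it is a first filter and not a replacement for the covert channel analysis cited above.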

People of SIGINT

Memorial to Alan Turing

People who work in SIGINT often work under heavy stress. First, it is a secret world: they cannot share their work with outsiders, and must conform to intense security scrutiny. Second, the work can take immense patience and concentration. An informal mental health check on cryptanalysts is to show them a telephone directory: if they start looking for patterns, and scream in frustration, they need rest if not treatment.

Security aspects have led to tragedies, such as that of Alan Turing,[21] although most Western signals intelligence agencies now accept open homosexuality. There is always the danger, however, that the oppressive security will not detect a serious spy.

Mental health concerns are very real. William Friedman, arguably the greatest cryptanalyst in history, broke down in 1940, before the final breach of the Japanese PURPLE system, and never could return to full-time cryptanalysis.

NSA National Vigilance Park, memorializing aircraft lost on SIGINT missions
Memorial, inside the National Security Agency headquarters building, to all personnel who died on SIGINT duty

SIGINT collectors can and do die in action; the first American killed in the Vietnam War, SP4 James T. Davis, was a soldier on a SIGINT mission.[22]

References

  1. Lee, Bartholomew. Radio Spies -- Episodes in the Ether Wars. Retrieved on 2007-10-08.
  2. US Department of Defense (12 July 2007), Joint Publication 1-02 Department of Defense Dictionary of Military and Associated Terms
  3. Kopp, Carlo (June/July/August, 1993). Desert Storm: The Electronic Battle. Australian Aviation. Retrieved on 2007-09-30.
  4. "Precision SIGINT Targeting System (PSTS)", Intelligence Research Program
  5. Whitlock, Duane (Autumn 1995). The Silent War against the Japanese Navy.
  6. Ballard, Nigel (July 23, 1990), A Layman's Guide to Traffic Analysis
  7. 743d Military Intelligence (MI) Battalion (August 1999). Warfighter Guide to Intelligence 2000. Joint Spectrum Center, (US) Defense Information Services Agency. Retrieved on 2007-10-26.
  8. Daniel W. Caldwell, Radar planning, preparation and employment of 3-tiered coverage: LCMR, Q-36 and Q-37
  9. Kessler, Otto, SIGINT Change Detection Approach, Defense Advanced Research Projects Agency
  10. Terry, I. (2003), "US Naval Research Laboratory - Networked Specific Emitter Identification in Fleet Battle Experiment Juliet", NRL Review. Retrieved on 2007-10-26
  11. Interagency OPSEC Support Staff (IOSS) (May 1996). Operations Security Intelligence Threat Handbook: Section 2, Intelligence Collection Activities and Disciplines. Retrieved on 2007-10-03.
  12. McNamara, Joel (2002). The Complete, Unofficial TEMPEST Information Page.
  13. Cryptome: various TEMPEST and related documents (2003). Retrieved on 2007-10-16.
  14. National Security Agency (2 December 1995). NSTISSAM TEMPEST/2-95, Red/Black Installation Guidance. Retrieved on 2007-10-16.
  15. National Security Agency (24 October 1994). Specification NSA No. 94-106, Red/Black Installation Guidance. Retrieved on 2007-10-16.
  16. National Security Agency (29 September 1993). NSTISSI No. 7000, Tempest Countermeasures for Facilities. Retrieved on 2007-10-16.
  17. McNamara, Joel (2004). The Complete, Unofficial TEMPEST Information Page. Retrieved on 2007-10-16.
  18. Granite Island Group (2005). Technical Surveillance Countermeasures. Retrieved on 2007-10-16.
  19. Bar-El, Hagai, What are side channel attacks?
  20. National Computer Security Center (November 1993). NCSC-TG-030 VERSION-1 A Guide to Understanding Covert Channel Analysis of Trusted Systems ("Light Pink Book").
  21. Gordon Brown (10 September 2009), Treatment of Alan Turing was “appalling” - PM, Office of the U.K. Prime Minister
  22. Knight, Judson, Army Security Agency