30 May 2001: Add Neil King's WSJ article and message.
29 May 2001
Date: Sun, 27 May 2001 21:43:45 -0400
From: Dave Emery <die@die.com>
To: Steve Bellovin <smb@research.att.com>
Cc: cryptography@wasabisystems.com
Subject: Re: NSA tapping undersea fibers?
On Wed, May 23, 2001 at 04:08:34PM -0700, Steve Bellovin wrote:
> There's a long, fascinating article [below] in the 23 May Wall Street Journal
> on how NSA is (allegedly) tapping undersea fiber optic cables. It's
> not clear that this is feasible, but the article claims that the
> USS Jimmy Carter, a nuclear-powered sub, is undergoing a $1 billion,
> five-year retrofit to equip it to do the taps. The article points out
> that even if they can tap the cable, there's another problem: making
> sense of that much data.
I think the latter argument is just as disingenuous as the late 60's Bell
System officials who said exactly the same thing about the open unencrypted
microwave radio telephone links of that era. Both those microwave
links and the undersea fibers contain highly structured and organized information
streams - individual voice channels, T1s, T3s, IP streams, wideband data
circuits are not at all difficult to extract from the composite traffic and
mapping the layout of the whole river of information is by no means
overwhelmingly difficult (and might be aided by quiet help from the carriers
or individual employees of the carriers). And the mapping tends to
be pretty static over time, or at least to change in predictable ways.
Finding and recording the most interesting circuits is by no means an
insurmountable task - nor is filtering out most of the stuff that isn't
interesting. The only hard problem is if the NSA insists on groveling
through absolutely everything sent, but this is true of their problem in
general these days and not just special to undersea cables. And
clearly the right undersea cables contain an awful lot of useful stuff if
you are the NSA...
And given modern high capacity digital storage systems, handling low gigabytes
a second is not that difficult either (most current undersea cable systems
only transmit between 2.5 and 20 gigabits a second or so). IO
bandwidths in large fast servers are of this order or more these days...
The much more interesting problem that gets rather short shrift in the WSJ
article is how the real-time, time-critical intercepts get from a submarine
hiding in stealth 1200 feet under the ocean to Fort Meade and then to policy
makers. Some fraction of the traffic is still interesting after weeks
or months when tapes or disks can be flown back to Fort Meade but much more
of it is only useful if it is available within seconds or minutes during
a crisis and not weeks or months later. Traditional microwave radio and satellite
intercepts get back to Fort Meade or the RSOCs in milliseconds but as more
and more traffic flows through cables that can only be tapped by hiding billion
dollar nuclear submarines a lot of the timeliness of NSA operations goes
away.
The IVY BELLS tap technology employed against Soviet analog undersea cables
in the 70s allegedly involved hooking up a nuclear radioisotope powered pod
with tape recorders in it that was left in place for almost a year between
submarine visits to recover the tapes - this would be rather hard to do with
the gigabytes per second flowing through a modern fiber cable - there is
no (unclassified) recording technology with anything like the storage capacity
to record everything or even a significant fraction of everything for that
long a period in a form factor that would fit in a pod on the sea floor.
According to published accounts, in the early Reagan years the intelligence
community considered running their own fiber cable to the tap site
on the Soviet analog cables to recover the data in real time - I imagine
that the same thing has been considered as a solution to the current problem
of recovering data from undersea fiber taps while it is still fresh enough
to be useful. But in general it is a harder problem than actually tapping
the cable or dealing with the rivers of data it contains.
--
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
---------------------------------------------------------------------
The Cryptography Mailing List
[Thanks to Neil King]
Deep Secrets: As Technology Evolves, Spy Agency Struggles To Preserve Its
Hearing
Its Limited Success in Tapping Undersea Cable Illustrates Challenges Facing
NSA
Huge Haystack, Few Needles
By Neil King Jr.
Staff Reporter of The Wall Street Journal
WASHINGTON -- For decades, the National Security Agency did most of its spying
by plucking information out of thin air. With a global network of listening
stations and satellites, the NSA eavesdropped on phone conversations in Saddam
Hussein's bunker, snatched Soviet missile-launch secrets and once caught
Brezhnev in his limousine chatting about his mistress.
The NSA's task was relatively simple then because most international phone
and data traffic moved via satellites or microwave towers. The agency sucked
up those signals and sorted through them with supercomputers. Few of its
eavesdroppers risked life or limb, and those they spied upon were often none
the wiser.
But today the NSA's snooping capabilities are in jeopardy, undermined by
advances in telecommunications technology. Much of the information the agency
once gleaned from the air waves now travels in the form of light beams through
fiber-optic cables crisscrossing continents and ocean floors. That shift
has forced the NSA to seek new ways to gather intelligence -- including tapping
undersea cables, a technologically daunting, physically dangerous and potentially
illegal task.
In the mid-1990s, the NSA installed one such tap, say former intelligence
officials familiar with the covert project. Using a special spy submarine,
they say, agency personnel descended hundreds of feet into one of the oceans
and sliced into a fiber-optic cable. The mixed results of the experiment
-- particularly the agency's inability to make sense of the vast flood of
data unleashed by the tap -- show that America's pre-eminent spy service
has huge challenges to overcome if it hopes to keep from going deaf in the
digital age.
Details of the NSA cable-tapping project are sketchy. Individuals who confirm
the tap won't specify where or when it occurred. It isn't known whether the
cable's operator detected the intrusion, though former NSA officials say
they believe it went unnoticed. Nor is it known whether the NSA has attempted
other taps since. Efforts to intercept all sorts of signals -- ranging from
military radar to international phone calls -- are among the most highly
classified U.S. government operations. Leaking information about interception
methods is a federal crime punishable by imprisonment.
In an interview, Air Force Lt. Gen. Michael Hayden, the NSA's director, laughed
when asked whether the NSA had tapped undersea cables. "I'm not going to
sit here and dissuade you from your views," he said. But he suggested that
access isn't the problem. Rather, he said, the sheer volume and variety of
today's communications means "there's simply too much out there, and it's
too hard to understand."
Veterans of the undersea fiber-optic cable business say an undersea tap would
strain the limits of technology, and cable operators aren't happy that the
NSA may have pulled one off. "We don't believe this is possible, but assuming
it was, there's no way we want someone trying to get into our cables," says
Frank Denniston, chief technical officer for London-based Flag Telecom Holdings
Ltd., one of the half-dozen or so companies that dominate the industry.
"It's our job to keep the data on our cables as safe and secure as possible,"
Mr. Denniston adds. "Any tap would automatically create a weakness and could
bring down the entire system."
Undersea taps would pose tricky legal issues for the agency, too. For example,
U.S. law forbids the NSA to intentionally intercept and process the phone
calls and e-mails of U.S. citizens without court approval. Such communications
make up a sizable slice of undersea cable traffic.
Some outside analysts and U.S. intelligence officials think the NSA should
abandon such efforts in favor of more narrowly targeted intelligence-gathering
efforts. One intelligence official estimates that tapping all the world's
undersea cables, assuming it could be done, would cost more than $2 billion
a year. And no one knows whether the NSA will ever have enough computing
power to analyze the resulting gusher of digital data.
Even so, the agency has been pushing ahead. At General Dynamics Corp.'s Electric
Boat shipyard in Groton, Conn., the Navy is deep into a five-year, $1 billion
retrofit of the USS Jimmy Carter, a nuclear-powered vessel that intelligence
experts say will be the premier U.S. spy sub when it hits the seas in 2004.
Among its many planned features, says one former official familiar with the
project: state-of-the-art technology for undersea fiber-optic taps.
The NSA's Lt. Gen. Hayden and Navy officials decline to comment on the USS
Jimmy Carter's mission.
In the late 1980s, satellites and microwave towers still carried more than
90% of all international voice and data traffic, including diplomatic cables.
Most were easy pickings for the NSA's spy satellites and earthbound listening
stations scattered from Japan and Australia to the moors of England. Back
then, the agency also found it relatively easy to tap the kind of low-capacity
copper lines that carried phone calls across oceans.
All that began to change in 1988, when AT&T Corp. completed the world's
first transoceanic fiber-optic cable. Called TAT-8, the cable snaked more
than 3,000 miles along the Atlantic floor from New Jersey to Britain. Its
two fibers, running through a cable as narrow as a man's wrist, could carry
nearly 40,000 phone conversations at once, five times the capacity of the
best undersea copper cables and comparable to all the trans-Atlantic voice
traffic then handled by satellites.
The first trans-Pacific fiber-optic cable entered service in 1991. A
17,000-mile-long Flag Telecom cable connecting Europe with North Africa,
the Middle East, Southeast Asia and Japan came on line in 1997. And Russia
and China began laying thousands of miles of fiber, depriving the NSA of
entire time zones of once easily accessible transmissions.
The NSA recognized from the start that fiber optics could be a problem. In
early 1989, the agency assembled a team of researchers in a small warren
of labs at its headquarters in Fort Meade, Md. Other researchers fanned out
to corporate research centers to bone up on the new technology. Their mission,
according to one former NSA researcher who worked on it, was to find a way
to get inside fiber-optic cables and secretly siphon off the data moving
through them.
Fiber optics had been touted as the first mode of long-distance communication
impervious to eavesdropping. The technology allows thousands of phone calls,
faxes, e-mail messages and encrypted data files, translated into beams of
light, to travel through a single strand of glass as thin as a human hair.
Most undersea cables now typically contain eight such strands, or fibers.
Extracting the data inside requires gaining access to those light beams --
in the dark, high-pressure realm of the ocean's depths.
Undersea fiber-optic cables are sheathed in a thick steel husk and buried
in a yard-deep trench. But once the water depth exceeds 1,000 feet, they
usually are left to run uncovered along the ocean floor. Industry experts
believe the NSA tap must have occurred in deep waters far out at sea, where
the cable would be exposed and the risks of being seen would be lower. Some
cable operators make frequent surveillance flights hundreds of miles from
shore, mainly to keep track of fishing boats whose nets or anchors might
rip their cables.
Former intelligence officials say the agency made its tap with the help of
a customized sub. "It's a submarine capable of bringing a length of cable
inside a special chamber, where the men then do the work," while the sub
hugs the ocean floor, says one former official. The surface ships used by
undersea-cable companies to install and repair cables have similar chambers
-- called jointing rooms -- where crews work on the delicate fibers. When
repairing a broken cable, cable companies generally lift one end of the rupture
to the surface and into the jointing room, splice in a new length of cable,
then lift the other end of the rupture and repeat the process.
In 1997, the NSA and the Navy proposed equipping the USS Jimmy Carter with
such a chamber, as part of a "special operations" upgrade to the $2.4 billion
sub.
Some members of Congress doubted that the cost of the upgrade would be worth
the intelligence gains. And, in closed meetings with lawmakers on Capitol
Hill, several top intelligence officials in the Clinton administration fought
to kill the project. They lost the battle in late 1998, when Congress agreed
to enlarge the sub to accommodate what the Navy called "advanced technology
for naval special warfare and tactical surveillance." Plans called for the
upgrade to include facilities that would enable the NSA to tap undersea cables,
people familiar with it say. The Navy declines to discuss details of the
retrofit, which is now under way. The vessel's intended mission could have
been modified.
Norman Polmar, a naval and intelligence expert, says any undersea tapping
probably would be done in a custom-designed chamber that detaches from the
sub. "The Navy would not be keen on bringing a high-voltage cable into a
submarine," says Mr. Polmar, a part-time consultant to Congress and the Pentagon
who has followed the submarine project closely. Moreover, he says, "Having
a cable running through a sub for a day or more would tie the sub down in
a way that could endanger lives."
He says the Jimmy Carter is meant to have "lock-out capability" to allow
divers to leave and enter the sub. Plans also call for special thrusters
that will allow the vessel to hover near the ocean floor for long periods,
a technology that would enable it to supply oxygen and power to an undersea
chamber.
The Jimmy Carter is expected to replace the USS Parche, a Cold War-era sub
used extensively to spy on the Soviets. The Parche, set for retirement in
2003, tapped a number of undersea Soviet copper cables during the 1970s and
1980s, according to the 1998 book "Blind Man's Bluff," a history of
submarine-based spying written by Sherry Sontag and Christopher Drew. The
NSA declines to comment.
The Parche is equipped with a claw-like device to pluck fairly large objects
off the ocean floor. The sub used in the NSA tap probably was fitted with
a similar system used to lift the cable into the jointing room, which would
then have been emptied of water, experts say.
"This wouldn't be any ordinary submarine," says Marc Dodeman, an engineer
with Margus Co., of Edison, N.J., a pioneer in undersea-cable installation
and repair. "It would have to have some way to take in a cable, while sitting
on the ocean floor, without leaking water. That would require some intense
engineering."
Technicians fixing a damaged cable usually make such repairs above water
and under antiseptic conditions. Dust or seawater in the submerged chamber
could ruin an exposed fiber. Making a surreptitious tap of a live cable would
also require circumventing the electrical charge -- usually around 10,000
volts -- which is used to power the devices that keep the speeding light
beams strong.
"Exposing that electricity to the water, or severing it at all, would shut
down the entire system," says Peter Runge, chief of research and development
for TyCom Ltd., Morristown, N.J., one of the world's largest submarine cable
companies and a majority-owned unit of Tyco International Ltd. The shutdown
would defeat the tap and alert the cable operator that something was amiss,
adds Mr. Runge, making the odds of success extremely small. TyCom and its
rivals say that any interruptions or outages they have experienced were caused
by fishermen's nets, anchors -- or, in earlier days, shark bites -- but none
of the circumstances suggested tampering.
There are basically two ways to extract light, and thus data, from a fiber:
by bending the fiber so that some light radiates through the fiber's thin
polymer cladding, and by splicing the fiber, Mr. Runge says. Bending fiber
is an imprecise science. The NSA tap probably required splicing a second
fiber to each of the fibers, splitting the data into two identical streams.
But that would pose yet another problem. "Splice the line, and you cut off
the light, at least momentarily," says Wayne Siddall, an optical engineer
at Corning Fiber in Corning, N.Y. Even a second's interruption could be noticed
by a cable's operator. Cable companies typically build systems with duplicate
lines that take diverging routes, in case one of them is damaged or severed.
One retired NSA optical specialist insists that the NSA devised a way to
splice a fiber without being detected. "Getting into fiber is delicate work,
but by no means impossible," the former specialist says. Neither he nor the
NSA will discuss the matter further.
After the tap had been completed, the hard work of interpreting the data
began -- and it proved difficult for the NSA, say those familiar with the
project. "What we got was a blast of digital bits, like a fire hydrant spraying
you in the face," says one former NSA technician with knowledge of the project.
"It was the classic needle-in-the-haystack pursuit, except here the haystack
starts out huge and grows by the second," the former technician says. NSA's
computers simply weren't equipped to sort through so much data flying at
them so fast.
That's not likely to change soon. The NSA long boasted some of the most powerful
computers on earth. But the agency's technological edge dulled as the equipment
aged and money grew tight. The NSA's budget is classified, but individuals
familiar with it say it is about two-thirds what it was a decade ago, even
before accounting for inflation.
At the same time, new undersea cables are carrying more and more information.
A cable TyCom is laying across the Pacific will have the capacity to carry
the equivalent of 100 million phone calls at a time.
Flag Telecom expects to throw the switch on a new trans-Atlantic cable this
summer whose eight fibers will have the capacity to move more information
than all the cables now crossing the Atlantic. Some computer experts say
that the power to digest what will stream through the Flag cable could require
a doubling of the NSA's computing power -- and huge costs. The NSA's tapping
project, from research to tap, cost hundreds of millions of dollars, individuals
familiar with it say.
Yet the NSA's Lt. Gen. Hayden says he isn't discouraged. At the moment, he
likes to say, technology is the NSA's enemy. But computing power will allow
it to process greater masses of data, which he says he hopes will eventually
"allow a single analyst to extract wisdom from vast volumes of raw information."
-v-
From: "Robert Windrem" <rwindrem@home.com>
To: <die@die.com>
Cc: <smb@research.att.com>,
<cryptography@wasabisystems.com>
Subject: tapping
Date: Tue, 29 May 2001 07:07:00 -0400
One key point everyone seems to have missed: more than 90% of the world's
submarine cables make landfall at least once on the territory of a UKUSA
nation, where tapping is a lot easier, particularly if the owner of the cable
is cooperative. And there is plenty of historical evidence to suggest
that cooperation has taken place.
For example, much of the trans-Pacific cables' capacity is reserved for
pass-through traffic, Asian traffic that is carried across North America
and on to Europe, Africa or South America.
As a producer for NBC News, I have always been mystified at all the attention
paid to Echelon and the little paid to tapping of submarine cables.