NSA Classification ECI = Exceptionally Controlled Information

ECI is a classification above Top Secret. It's for things that are so sensitive they're basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies.

As part of its story on the NSA's use of agents to infiltrate foreign companies and networks, the Intercept published a list of ECI compartments. It's just a list of code names and three-letter abbreviations, along with the group inside the NSA that is responsible for them. The descriptions of what they all mean would never be in a computer file, so it's only of value to those of us who like code names.

This designation is why there have been no documents in the Snowden archive listing specific company names. They're all referred to by these ECI code names.

EDITED TO ADD (11/10): Another compilation of NSA's organizational structure.

Posted on October 16, 2014 at 6:22 AM • 25 Comments

Comments

Nick P • October 19, 2014 8:08 PM

I see there's confusion about ECI, SCI, etc. I'm going to try to clear it up as I've been wading through stuff like this a long time.

Understanding the U.S. classification system

Simplifying it, our classification system is based on clearance, classification level, and need to know. It started with several basic levels: Unclassified, Sensitive But Unclassified (SBU), Confidential (C), Secret (S), and Top Secret (TS). Clearance is how much trust they've put into the person, often through investigation & profiling. Their clearance's classification level puts an absolute limit on their access at that level or below. However, what is *supposed* to determine actual ability to access information is the following combination: the person is cleared for that information *and* has a valid need to know.

A problem was quickly identified: people with S & TS clearances had access to entirely too much information without formal ways to enforce need to know. So, they added codewords (or "compartments") that come after the documentation's classification level to represent more specific forms of access. These are the "S // SOMEWORD" notations you see. So, now the person must be cleared at that level and for SOMEWORD compartment, along with a valid need to know. The document might have several codewords required & codewords can even be protected by other codewords. It was a nice start.

Certain codewords represented high secrecy information. Examples include information on sensitive weapons, intelligence collection, satellite imagery, etc. So, they created a clearance level above Top Secret called TS/SCI. They then designated certain compartments as SCI. This designation is mainly useful in making it easier to spot the juicy documents. Honest workers not cleared will avoid them by reflex. Less dishonest workers can be filtered out using technology like guards. The security standards, countermeasures, etc are supposed to increase with each level. Interfaces between TS/SCI and lesser classifications are supposed to use only the strongest security technology. Guards are common with at least automatic reviews that look for certain codewords or "dirty words."

Problem was, even that wasn't enough because people will lie & the integration trend kept going. Enemy spies might access the network, get SCI, etc. They devised the Special Access Programs in response to this. I've previously posted the NISPOM Industrial Security Manual & SAP supplement showing the extra means they go to protect them. These programs get their own facilities, dedicated personnel, codewords, document handling, computers, networks, etc. The people running the SAP, from commander down, are told to tell nobody anything of what goes on inside. A few Congressional committees are told of these, they can't ask too many questions, and they essentially fund it blind since they're not cleared for internal operations. And tens of billions annually go into these programs.

Pentagon claimed even this wasn't secret enough for certain capabilities. They devised the Unacknowledged SAP where even fewer would know in the Pentagon and Congress. IIRC they're the heads of a few committees. Further, USAP participants are encouraged to have a cover story and lie to anyone that asks about the program. Merely saying "neither confirm nor deny" might raise suspicions that a solid cover story can avoid. USAP's also typically fake their addresses, phone numbers, locations, and so on per the SAP security supplement document. Like an SAP, even the President can get information on these unless he was on the authorized list. Several USAP's that later saw the light of day are the SR71 Blackbird, B-2 Bomber, and the rendition/torture programs. As you might guess, USAP's are an even better way to hide criminal activity & financial waste than a SAP. And billions go into USAP's annually.

The final designation is "waived" USAP's. These are considered so sensitive that Pentagon claims even Congress oversight isn't allowed. They tend to start them without advanced notification. They might drop a line or two to a few Congressmen. It's clear that these programs are truly black programs as everyone is in the dark except a few in Pentagon. This is an ideal way to hide criminal activity, esp against Congress or American people. These simply shouldn't exist given Pentagon's moral and financial track record.

That's all from government's own descriptions of the classification system. There's another layer that those researching have noticed in previous declassified black programs and to a degree in current SAP's/USAP's. That layer is use of private contractors to further compartmentalize things. The public agencies are held quite accountable for what they do when classification fails. Private agencies have the Fourth and Fifth Amendments on top of that. Major defense contractors have long been the ones executing most SAP's. If the data is split & compartmentalized among these, it becomes both legally and practically that much more difficult to track it all down to see the big picture. This strategy was intentional as far as I can tell by past programs (eg Manhattan Project, MKULTRA), although it might be organizational habit by now.

Now looking at Snowden situation

All of this starts becoming more clear as we look at Snowden's situation. I figured they'd have most criminal activity & key capabilities behind SAP's/USAP's. That would physically isolate Snowden from them and prevent him from seeing these things. I was quite amazed by how much he really had access to. It was a clear failure of almost every security requirement in classified information systems. That the U.S. govt policy shifted to more integration of intelligence rather than walls, he was a TS/SCI admin in a location where many compartments converged, in a *private corporation*, and with almost no security explains why he got what he got. Still, I straight up told people here that Snowden didn't get everything: the best stuff he wouldn't know existed or at least couldn't physically connect to. The SAP's, like many sensitive networks, should have tech such as guards with an automated or human review process that essentially reclassified select releases of information to TS/SCI with certain codewords (eg Five Eyes, NOFORN).

I loved ECI release as it matched the prediction. Each major capability was run in a separate SAP with the overall effort contained in another SAP. Each SAP was associated with specific codewords. Even ECI is a COMINT designation already published by different writers (example). Most development and specifics of the capabilities happen in the isolated confines of the SAP's. The codewords allow specific people with TS/SCI clearance & need to know to see summary information or specific authorized capabilities. This is exactly what we see with these leaks. They're bullet points of a capability & no more.

The documents also show they're using the deception provision of SAP's. One document says an organization does only overt intelligence work at Unclass, only clandestine intelligence at S, and works with U.S. companies to backdoor products at (TS/SCI/ECI if I recall). Another says we break foreign ciphers at one level, that we have strong cryptographic capabilities at the next, and near ECI level that we're just backdooring U.S. & foreign products. At a low level they're encouraging companies, at a higher codeword the FBI "compels" them somehow. At each level people not only know more privileged information: they deceive the people not cleared at that level, including the public or Congress, about what they're doing. And as one progresses through SAP's their operational capacity becomes stronger with even less accountability.

So, ECI isn't anything new. It's just a codeword representing certain SAP's related to SIGINT. It's been around. The new information is what they're using it for. Still plenty of codewords, codewords protected by codewords, SAP's, USAP's, USAP's within SAP's, SAP's created to indirectly be run by USAP's, and so on. So many combinations of secret constructions to dodge accountability combined with a financial accounting system that can't properly account for almost a trillion in transactions. Well, it was narrowed down to "only" $800 billion last I checked.

So, is it highway robbery? The subversion of the republic? Something else? Truth: we're not cleared to know, they can legally lie to everyone about it, it's a crime to admit it, and anyone cleared in Congress/OvalOffice couldn't tell us either. That's why I say classification reform is necessary before we can get the black programs in check.
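The access rule described in the comment above (clearance level, compartment codewords, need to know) and the guard's "dirty word" scan, as an added Python example that is not part of the original post or of any commenter's text. The banner syntax beyond "S // SOMEWORD", the codeword OTHERWORD, the document ids and all function names are assumptions made for illustration; TS/SCI is modelled simply as TS plus compartments.

```python
import re
from dataclasses import dataclass

# Levels as listed in the comment, lowest to highest.
LEVELS = ["U", "SBU", "C", "S", "TS"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Marking:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if this marking is at least as high and holds every compartment."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def parse_marking(text):
    """Parse a banner such as 'S // SOMEWORD / OTHERWORD' (assumed syntax)."""
    head, _, tail = text.partition("//")
    level = head.strip().upper()
    if level not in RANK:
        raise ValueError(f"unknown classification level: {level!r}")
    words = frozenset(w.strip().upper() for w in tail.split("/") if w.strip())
    return Marking(level, words)


def may_read(clearance, need_to_know, doc_id, doc_marking):
    """Return (allowed, reasons): level, compartments and need to know must all hold."""
    reasons = []
    if RANK[clearance.level] < RANK[doc_marking.level]:
        reasons.append(f"cleared to {clearance.level}, document is {doc_marking.level}")
    missing = doc_marking.compartments - clearance.compartments
    if missing:
        reasons.append("not read into: " + ", ".join(sorted(missing)))
    if doc_id not in need_to_know:
        reasons.append("no need to know for " + doc_id)
    return (not reasons, reasons)


def guard_release(body, doc_marking, destination, dirty_words):
    """Guard check before a document crosses to a lower network.

    The label must be dominated by the destination's accreditation, and the
    body must not contain any dirty word the destination is not accredited
    for. The body scan catches documents whose label understates the content.
    """
    if not destination.dominates(doc_marking):
        return False, "label exceeds destination accreditation"
    tokens = set(re.findall(r"[A-Z0-9]+", body.upper()))
    hits = (tokens & dirty_words) - destination.compartments
    if hits:
        return False, "dirty words in body: " + ", ".join(sorted(hits))
    return True, "released"


if __name__ == "__main__":
    analyst = parse_marking("TS // SOMEWORD")          # constructed clearance
    doc = parse_marking("S // SOMEWORD / OTHERWORD")   # constructed document
    print(may_read(analyst, {"doc-1"}, "doc-1", doc))
    secret_net = parse_marking("S")                    # constructed destination
    print(guard_release("Summary mentions otherword sources.",
                        parse_marking("S"), secret_net,
                        frozenset({"SOMEWORD", "OTHERWORD"})))
```
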

Curious • October 20, 2014 3:00 AM

From the list of codenames, it looks to me like there might perhaps be just the same one in each department that is the "control authority", i.e. not being different people being the control authority in any one section/department for example. Or, ofc, the blacked out areas are just made that way, to hide the amount of text having been hidden.

I wonder, would it make sense to black out documents prior to being filed and/or classified? Presumably, an unredacted copy would be needed elsewhere or information might get lost in time. Anyone releasing official documents to the public (FOIA), would then as I imagine, be compelled to classify a document that has already been redacted. Don't know if something like that would make good sense though.

It is tempting to think of info not being documented, but maybe "ECI" classified stuff are just documents that aren't digitalized?
Is all the NON-ECI classified stuff digitalized?

Would one somehow expect a stacking of classifications from a single document? One document being split into two or more, with different types of classification?

Curious • October 20, 2014 3:07 AM

I wrote: "Anyone releasing official documents to the public (FOIA), would then as I imagine, be compelled to classify a document that has already been redacted."

Uh, I guess I meant that they would then obviously not be in a position to unredact stuff in a document on request, and perhaps would be compelled to come up with some excuse for passing on a pre-redacted document. :|

Maybe I am forgetting something. Documents seem to often if not always have some kind of classification code on the very left side of the text. Have no idea who creates them, or how.

Curious • October 20, 2014 3:59 AM

I am sorry, I just realized that the redacted part in the "ECI" document probably isn't there in the original document. The last few days of trying to add a comment, but failing probably ended up being distracting to me. Too eager to write something here.

Btw, a lot of the code names seemed new to me, but maybe that is just me.

Skeptical • October 20, 2014 12:43 PM

@Nick:

> The documents also show they're using the deception provision of SAP's. One document says an organization does only overt intelligence work at Unclass, only clandestine intelligence at S, and works with U.S. companies to backdoor products at (TS/SCI/ECI if I recall).

I think you gave a good overview, but there are a few points that I'd disagree with.

The various "fact of" classifications don't reveal cover stories or any deception because the "fact of" disclosures don't contradict one another. None says that a program does only "overt" collection, for example. Instead, the fact that a program collects from open sources may be classified at one level; the fact that a program also uses clandestine means to collect may be classified differently; and the fact that the same program uses covert means may be classified differently from the prior two. None of these facts are cover stories, and can all be true.

Re acknowledged vs unacknowledged SAPs: My understanding is that it's less nefarious than as you present it. Regardless of whether a SAP is acknowledged or unacknowledged, there are disclosure requirements that seem to apply equally to both. For waived programs, as you can see in the same law, the disclosure requirements are narrowed to include the chairperson and ranking minority member of a few different Congressional committees - but the disclosure requirement isn't optional.

These Congressional disclosure requirements are on top of the access that agencies within the executive branch have to detect illegal activity.

What further oversight would you have put in place?

As to Snowden, it's impossible to know with reasonable certainty what Snowden compromised without knowing a lot of specifics that we don't know. Knowledge that compartmentalization occurs tells us only that the compromise may not extend to every program, nothing more. But he clearly had access that extended well beyond his authorization (at least in part by compromising the credentials of those he worked with). That he found nothing criminal is quite telling, though of course one can always argue that "it's just in another compartment that he couldn't access."

Coyne Tibbets • October 20, 2014 1:12 PM

A stunning revelation: That there are only 17,576 of these programs! And here I thought there was no limit!

Unless they go to an Extended Trigraph, of course.

P/K • October 20, 2014 3:09 PM

In other countries, information that is Top Secret codeword protected might be not in any digital file and just on paper, in order to protect it more strictly, but given the scale of NSA, I think even ECI information has to be digitalized, but stored on stand-alone computers and/or separate networks, only accessible in secure rooms, etc.

Regarding the NSA units: a far more detailed overview of the internal organization of NSA is on my weblog: http://electrospaces.blogspot.com/2014/01/nsas-organizational-designations.html

Green Squirrel • October 20, 2014 3:28 PM

"The descriptions of what they all mean would never be in a computer file"

I bet it is - or at least an awful lot of them are.

Actually Skeptical • October 20, 2014 11:26 PM

@Skeptical

> As to Snowden, it's impossible to know with reasonable certainty what Snowden compromised without knowing a lot of specifics that we don't know. Knowledge that compartmentalization occurs tells us only that the compromise may not extend to every program, nothing more. But he clearly had access that extended well beyond his authorization (at least in part by compromising the credentials of those he worked with). That he found nothing criminal is quite telling, though of course one can always argue that "it's just in another compartment that he couldn't access."

I believe PRISM was clearly criminal. That was a day 1 revelation. Note the corporate denials immediately after by Google and others that they were knowingly participating. This is simple criminal hacking/espionage done by the NSA against a domestic company. Or am I getting some aspect of that wrong?

P/K • October 20, 2014 11:49 PM

Regarding PRISM: NSA isn't spying against a domestic company, it just orders US companies to provide them with communications of foreigners who are considered to be of foreign intelligence interest. This is authorized by section 702 of the FISA Amendments Act.

Actually Skeptical • October 21, 2014 12:29 AM

> Regarding PRISM: NSA isn't spying against a domestic company, it just orders US companies to provide them with communications of foreigners who are considered to be of foreign intelligence interest. This is authorized by section 702 of the FISA Amendments Act.

That would have made a lot more sense if the companies hadn't strongly denied participating. The two situations are precisely as different as having a warrant, and not having one. AFAICS

P/K • October 21, 2014 8:20 PM

The companies never denied that they comply with lawful requests by the government. But it wasn't NSA that came to them, but the FBI, asking them for data under section 702 FAA authority. From Snowden-documents published later on, we know that NSA didn't contact the companies directly, but that FBI was in between.

So the companies could honestly deny that they cooperated with NSA, and as PRISM was an internal NSA codename, they heard that name for the first time from the press, just like everybody else.

Had Snowden and Greenwald been more careful in their reporting by explaining these details (instead of claiming that NSA had "direct access"), then we could have asked the companies whether they handed over data to the FBI - then their answer would have been different.

Actually Skeptical • October 22, 2014 2:03 AM

> Had Snowden and Greenwald been more careful in their reporting by explaining these details (instead of claiming that NSA had "direct access"), then we could have asked the companies whether they handed over data to the FBI - then their answer would have been different.

Ok, I can at least grok your revision of history now. You assert the NSA did *NOT* have "direct access". I'll note that for future reference. And by presumption, you also assert the NSA never gained unauthorized access of a domestic computer system owned by individuals or corporations? I.e. without a warrant.

I don't find the assertions credible, but at least I can follow the logic now, even if I disagree with the premises.

As for Skeptical's original blanket assertion of Snowden finding nothing criminal, my next finger would point to the so called "LOVINT". I'm curious to hear how the government's defenders spin that as 'non-criminal'.

Actually Skeptical • October 22, 2014 2:12 AM

Actually, I'll remind the peanut gallery to check their timelines. The above assertions about the reason for the corporate denials are still clearly incredulous to me due to the timeline of corporate and government statements after the fact. The supposed explanation PK mentions above absent any NSA/Google wrongdoing doesn't mesh well with my memory of how the events unfolded. If it was as innocent as that (I'm bending over backwards entertaining the theory), the timeline of statements from the NSA, FBI, and Google after the news stories would have been very different. While I can follow the logic of the theory, I still don't buy it based on how long it took that line of explanation to materialize in the discussion. Future anthropologists would be well served to examine the timeline of that defense in detail.

Careless Whispers • October 22, 2014 10:40 AM

Arguing over legality of these programs is rather pointless, consider the fact that none of these people will be brought to court except leakers themselves, or whistleblowers if you must. The further you dig, the further you don't want to dig.

Nick P • October 22, 2014 12:49 PM

@ Careless Whispers

On the contrary, understanding the legal structure supporting black programs is very important for any effort to get them regulated. A number of laws might need to be changed just to allow the main reform law to work. Otherwise, they'll say "This law says don't tell you or I get 15 years minimum. This new law says tell you or I might do a few years. Damned if I do, damned if I don't. I'd rather stonewall or bullshit you because it's a grey area, with that resulting in less time if I'm charged."

I'm in favor of just clean slating it. Take all the pieces of National Security Act, etc that make sense. Filter out anything that doesn't. Then, repeal all existing M.I.C.-related laws while passing the reformed version of them in combination with new laws on accountability, whistleblower protection, etc. Empower an agency like GAO to bring criminal charges for violations. This could work if Congress backed it without them needing to understand all the technicalities of existing laws.

Clive Robinson • October 22, 2014 3:38 PM

@ Nick P,

The problem with what you suggest is it does not stop the "boys club" mentality, which would mean that investigators would not look very hard, nor would people whistle blow.

Thus you need to incentivise them with a reward of say 20% of budget and or assets recovered.

There is nothing like the smell of a "Bring in Dead or Alive Reward" to get the Bounty hunters on even the best of "black spooks" tails, and also happy to turn in their co-workers if they can show lack of effort that indicates collusion...

Nick P • October 22, 2014 6:32 PM

@ Clive Robinson

Incentives will be important. However, your solution rewards them for arrests or convictions. This incentive already causes innocent people problems across America thanks to quotas, prosecutorial discretion, conviction rate junkies, etc.

The reason I mention GAO is that they do their job of accountability and exposing corruption on a regular basis without commissions. They do it because they believe in their work, have a culture of integrity, and it's a good job. So, an organization with good pay, personnel selection, and culture should be fine. My next concern was foreign TLA's using them to get access to sensitive operations. Or a group like CIA trying to infiltrate them and sabotage things to derail investigations.

Really Truly Skeptical • October 23, 2014 9:48 AM

Moral of the story: All of your equipment is compromised. Everything.

Why even bother with these discussions? Do you really think you'll ever have any privacy on an electronic medium? You never did.

vas pup • October 24, 2014 8:52 AM

That is how GB keeps name of undercover officers secret:
http://www.bbc.com/news/magazine-29743857
They understand betraying today's undercover agents or CI's identity will backfire their capability to recruit same staff tomorrow. Sex was always the tool of Intel (inside or outside the country) through 'honey' traps, using hookers, etc. The statement in the last paragraph of the article in the link is ill-founded. Did you recall 007?

Clive Robinson • October 24, 2014 10:08 AM

@ Vas Pup,

There is rather more to the MPS story than comes through in the article.

Firstly you need to understand that in the "spying game" there are three types of information gathering personnel,

1, Officers - directly employed by the organisation.
2, Contractors - indirectly employed by the organisation.
3, Agents - those who supply information either under duress or by conviction etc.

The likes of the MPS now don't have officers in direct contact they handle the contractors or agents. This gives all sorts of deniability options that cannot exist for Officers with direct contact, thus whilst "sex is off the cards for officers" the same is not true for contractors or agents.

One thing about contractors is unlike agents, they get to know of each other over time from shared ops such as a four or five person team doing a black bag job or other one off infiltration to plant technical devices or copy intel.

And like officers contractors tend to club together to unwind and relax much the same as most other "work mates", and part of that unwinding process is to tell stories they can "dine out on" or at least get a drink or three out of.

Without going into too many details one contractor had a deep cover job, and became involved with one of the protestors for quite a while. Although there were no children there was a house a joint mortgage and a cat they shared. The story of how the contractor extricated themselves is quite funny, I asked her what she had got out of it and after a moments thought said "custody of the cat"...

But the important thing to note is that whilst officers have all sorts of back up and support contractors don't get back up and very little support, but they do get a solid legend and the income is way way higher than officers hence getting a mortgage, loan, credit cards, travel documents, CV etc as part of the cover is the same as for an ordinary person and tax etc is sorted out, they may even be "put into umbrella jobs" where they are employed in a regular organisation in what appears to their unknowing legitimate work colleagues as a normal way. Agents however have no backup, no support and any money they get is "illegal earnings" and off all books and in lieu of pay they may get "investment steers" in much the same way politicians have in the past.
