Satellites and SIGINT

From the blog:

Full article here:


Signal intelligence 101: SIGINT targets

In order to start a series of articles about the American signal intelligence satellites, written with guest author Rob1, I thought it could be interesting to give some background on what those satellites listen to. So here is a quick overview of the various types of signal intelligence targets, with an emphasis on the Cold War period.

Historical Context

The discovery of radio waves revolutionized communications. Instead of having to transport messages by horse, train or plane, and instead of having to build long telegraph lines, it became possible to transmit information instantaneously between two points without any infrastructure in-between.

The advantage was obvious, especially for military applications. Remote outposts, ships at sea, and planes, could easily receive their orders and report their status. Conversely, being able to intercept those communications became equally critical. During World War II for instance, the Allied forces put a lot of resources in intercepting and decrypting German and Japanese communications. After the war, the political situation changed, and for the Americans the USSR became the focus of their intelligence effort. The closed nature of the Soviet government and society made it a tough target to crack. US diplomatic presence, and US spies in the Eastern bloc, brought some light on the Soviet activities, but much of it remained inaccessible.

To gather more information, the US turned to signals intelligence (SIGINT) – the collection and analysis of electronic emissions – in order to answer the most pressing political and military questions. Because SIGINT relies on collecting signals from targets, different questions will result in collection against different targets. A few of those targets are listed below, with a bias towards installations targeted by the USA in the Soviet Union.

Read the rest of the article at it’s source:

New HF Direction finding methods from Isreal

The new ELK 7065 from IAI:

From the link:

The ELK-7065 is a state-of-the-art HF COMINT system suitable for the harsh electromagnetic environment characterizing the HF band. The system tags and identifies signals characteristics in a multi-dimensional domain, composed of signal identifiers such as power, center frequency, modulation, geo-location, polarization and more. These techniques enable swift labeling of the received signals, identification and reliable Electronic Order of Battle (EOB) generation. The unique front-end technology allows installation on board compact airborne platforms, such as mission aircraft of all sizes and UAVs.

More info HERE!


And last but not least, a Youtube video:


OPSEC and RF Security

Modern radios are made to be used by people with little training or experience. Usually if two radios are set to the same frequency, two people can start using them effectively in very little time. Radios are used in warehouses, department stores, hotels, film sets, and a myriad of other locations. The information in this blog may seem to be overkill, but these procedures are intended to work in a high threat environment where bad radio procedures put lives at risks. Here, we will look at some of the security implications that come about from radio use.


Operational Security, (OPSEC) is the process of keeping information that could be used against you from your adversaries. There are several broad categories of information that we will focus on. We want to deny our enemies information that can reveal the following information:

1) Capabilities. By knowing what your group is capable of, an enemy can act so as to negate your strengths, or deny you employing your capabilities to their fullest effect. If an enemy knows you are capable of shooting down helicopters, they will limit their use of helicopters in your area of operations to deny your group those kills.

2) Limitations. By knowing what your group is not capable of, an opponent can exploit those limits for their own gain. If your opponent knows you can not shoot down helicopters, they may use more helicopters to move about, so as to avoid ground based IED’s, and ambushes.

3) Identification. Personal and functional identification can both help an adversary against you. a)Functional identification is identifying the purpose of a group or unit. Observing a bunch of men in uniform is some information, but being able to determine if they are a logistics company, vs a medical treatment team, vs special forces unit all dictate different reactions.
b) Personal identification is identifying individual people within a group. Knowing that the commander of a unit is Captain John Doe, of 1234 main street, Anytown, would allow an adversary to possibly pressure or otherwise compromise Captain Doe’s family, and thus gain an advantage.

4) Location. Knowing where a unit is allows an opposition force (OPFOR) to maneuver to intercept, block, avoid, attack, or follow that group. If OPFOR knows you are based on north ridge of Candy Mountain they can plan an appropriate attack.

5) Intentions. Knowing what a group plans to do allows for the enemy to take actions to reduce the effectiveness of those actions. If your enemy knows you plan to attack an outpost tomorrow at dawn, they can move in reinforcements, or set a trap, or move to intercept before you arrive, ect…

6) Activities. Knowing what you are doing at the current time allows your adversary to adjust their plans accordingly. If your adversary knows you are currently setting up a camp, then they can probably assume you are not about to attack them, and operations they carry out at that time are safer to execute.

7) Effects of enemy action. Knowing what effect their own actions have had on your group will allow an enemy to adjust their planning and operations to better effect. If an enemy knows that their last attack was very effective, then they will continue to carry out the same kind of attacks, where as if an attack had little or no effect, they may change their methods.

Information from any of the above categories may also give the enemy information in other categories. Knowing your intent to go to a certain position at some time in the future, reveals a future location. Identifying a units function hints at some capabilities and limitations. That is why it is crucial for OPSEC to protect this information.

Imagine the following radio exchange between an infantry platoon, B1, and their command, B6:

B6: “Team 1, Team 1, this is command, do you copy? Over.

B1: “Command, this is Team 1, go ahead. Over.

B6: “Hey Bob, we took a licking from OPFOR yesterday out by Candy Mountain. They destroyed our HF radio, so we do not have any long range commo at the moment. Well, anyway, we are going to attack their outpost on the north side of Happy Valley tomorrow morning. Rendezvous at Grid 1213141589 at 0500. We will place the mortars just east of that location, and attack at 0600. Over.

B1: “Roger, We copy all that, Frank. We will head out tonight, and layup about an hour south of the rendezvous, until 0400, and then head in. see ya there, and stay safe. Over

B6: “Roger that Bob. Team 1, this is command. Over and out

The above exchange is full of OPSEC violations. Personal ID of Frank, and Bob; functional ID. of command and team; capabilities of having mortars, limitations of command not having a HF radio; locations of the rendezvous, layup, and mortar positions, intent of their plan and the effect of the previous attack. It is a goldmine of information for the OPFOR. Based on this information, the OPFOR can ambush Team 1 in route to their layup, or rendezvous, or sabotage the mortar position, or attack the rendezvous before Team 1 links up, or reinforce their outpost, or vacate it and lay traps, ect…

We can mitigate these OPSEC violations by following the standard operating procedures (SOP’s) found in Volume 1 of the Signals Handbook.    By only transmitting what is necessary, and by following the proper format, The above exchange becomes the following:

B6: “Bravo 1, Bravo 1, This is Bravo 6, Over.

B1: “Bravo 6, This is Bravo 1, go ahead, Over

B6: “Rally at Grid 121314589, at 0500. Over.

B1: “Wilco, Out.

We can see with this new exchange, we have eliminated a lot of the OPSEC compromises. There is still a location, and some intent, but it is a lot less actionable than the first exchange. Any additional information about the attack, or mortar positions can be exchanged by B1 and B6 in person at the rendezvous.

By following good SOP’s we can reduce, but not entirely eliminate OPSEC compromises. We can further reduce our OPSEC compromises by employing good COMSEC.


Communications Security (COMSEC) is the process of protecting the content of our communications. There are a number of approaches that can be used to implement COMSEC, from technological to procedural. Technological methods include encrypted radios, frequency hopping radios, steganography (hiding communications within other messages), and certain bands or modes of radio communication. Procedural methods include using codewords, codebooks, and manual encryption.
Good COMSEC lets us achieve better OPSEC.

Looking at the exchange above, we see that the OPSEC compromises still there are the grid location, and time to be there. Since “Bravo 1” and “Bravo 6” are following army convention then it also hints that B6 is command, compromising functional identification, so just by adding code names and DRYAD based encryption (As discussed in Volume 1 ) we can remove the rest of the OPSEC compromises:

B6: “Whirlwind, Whirlwind, This is Thunderhead. Over.

B1: “Thunderhead, this is Whirlwind. Go ahead. Over.

B6: “Rally at grid I set Charlie, November, Quebec, Yankee, Alpha, Foxtrot, Juliett, X-Ray, Bravo, Hotel, at time, I set: Lima, India, November, Foxtrot, Victor. Over.

B1: “Wilco. Out.

Now our transmission only tells them that we will be going somewhere, sometime. By using the DRYAD encryption we are denying them information about location and time. If we deem that even that little bit of information is too much of a compromise of OPSEC, we can either encrypt the whole message via a one time pad, or use the a codebook and the DRYAD sheet to also encrypt the “rally” and “time” parts of the message.


Another part of the OPSEC plan should include transmission security (TRANSEC.) Because an opponent may be using signals intelligence, (SIGINT) we need to take measures to minimize the radio signals they can detect. The longer a radio is transmitting, the greater chance the opponent’s SIGINT element will detect it, and possibly radio locate, or radio direction find the transmitting radio.

The simple fact that a radio transmission is being received at all, may give a rough idea of the location of the transmitter, and radiolocation can pinpoint it, compromising the location. This is a breach of OPSEC. Even if everything is encrypted, link analysis (keeping track of who talks to who) can allow an analyst to get some general functional identification of units, such as defining what element is the command and control element. This breach of OPSEC would allow a small enemy force to determine which unit to attack yields the biggest reward.

There are a number of methods that help improve TRANSEC. The most important method is to only transmit when absolutely necessary for the mission, or the security of other friendly or allied units.

When transmissions must be made, keeping them short helps TRANSEC, as well as changing frequencies at regular intervals. Use the lowest transmit power needed to make the communication. Use directional antennas. Use unusual bands or modes.

D) Threat SIGINT Capabilities

The United States armed forces employ high levels of TRANSEC and COMSEC technology, and procedures when operating in a hostile environment. Those technologies and procedures are supported by thousands of personnel at every echelon of the force. Unfortunately, a small team does not have the resources to execute every COMSEC and TRANSEC measure. For the purpose of this handbook, we will divide threat forces SIGINT capability into 5 categories.

1) None. When there is no adversary or opponent, there is no one to offer any SIGINT threat. We operate in this condition for some administration and camp duties. It is also appropriate for training that is not focused on communications. For example, range safety officers communicating with each other over a large rifle range.
We do not need to take any special precautions in a no SIGINT threat environment.

2) Low. We consider it a low SIGINT threat when we do not have a defined opponent, or our opponent is not likely to have any active SIGINT capability. A looting gang in the aftermath of a natural disaster would be an example of a low SIGINT threat. In this environment, our biggest danger is “inadvertant SIGINT” If some people in the threat group are using some commonly available radios such as FRS/GMRS or CB radios, and our group also uses those same types of radios, then there is a chance that we accidentally end up on the same channel as the threat group, and they may hear our transmissions.
Precautions to take in a low SIGINT threat environment include using radio SOP’s to keep transmissions short and to the point. Code words and code names generally provides enough COMSEC to foil any OPFOR listening to our transmissions. If available, use radios that are not as common as CB, and FRS/GMRS.

3) Medium. We define a medium SIGINT threat as a group that has nascent SIGINT capabilities. This may include professional criminal organizations, or other small tactical teams/groups. The equipment used would most likely be one or several handheld radio scanners. Most commercially available radio scanners these days can scan or search the VHF and UHF radio bands, and can listen to FM analog voice transmissions. Some of the newer (and more expensive) scanners can also decode the APCO/P25 digital voice transmissions that many public safety agencies are switching to. If the public safety agency is using encryption on their radios, however, the scanner cannot decode it. Medium SIGINT threat groups may also have persistance, and record radio intercepts, and perform intelligence analysis on radio activity. Basic link analysis may be employed.
Precautions that should be taken against medium SIGINT threats include using radios that do not use analog FM voice, or P25 digital. Using unusual frequencies, and of course keeping transmissions to a minimum will help with TRANSEC. If you are able to use non-P25 digital modes, then code words and code names should suffice for COMSEC. If you must use analog or P25, then you should employ full COMSEC measures including one time pads, and DRYAD/code book encryption.

4) Advanced. Advanced SIGINT threats are groups that contain as members: radio experts, avid scanner hobbyist, or communications professionals with access to professional level equipment. They will have more capabilities than can be offered by just having scanners. They may have surveillance receivers, spectrum analyzers, frequency counters, wideband receivers, or computer based “software defined radio” (SDR) receivers. An advanced SIGINT capability may be able to decode any non-encrypted digital communications, and may have radio direction finding and radiolocation systems. They will also perform intelligence analysis on all radio activity.
Precautions against advanced capabilities include all “medium” precautions, but only employing full COMSEC. Nothing should be sent un-encrypted.

5) High/professional. High SIGINT threat opponents include professional military, and large government law enforcement agencies. They will have well funded SIGINT capabilities with multiple professional staff. They will be able to call on experts around the world and devote tremendous resources to breaking your OPSEC. They may have computer hackers, and technologists that can derive OPSEC information from other electronic sources.
Precautions against professional SIGINT threats: do not use computers or radios. If you absolutely must, then keep use to a minimum, and be crafty. Expect being crafty to fail.