Communication intelligence (COMINT)
The interception and analysis of the radio communications is the main application of COMINT systems.
COMINT targets communication signals to improve field awareness.
COMINT systems are based on detection, analysis and direction finding of targeted communication emissions in order to support real-time decision-making.
It is unique among intelligence collection assets for its ability to reveal the intercepted source’s posture, activity and intent, thanks to the access of data and voice content.
The growing density, diversity and complexity of communications calls for highly automated interception and exploitation means able to early detect and locate potential threats.
A synthetic segmentation of this sector:
SEGMENT 1: STRATEGIC HF COMINT SYSTEM (0.5 MHz to 30 MHz)
SEGMENT 2: STRATEGICAL & TACTICAL V/UHF COMINT SYSTEM (20 MHz to 3 or 6 GHz)
SEGMENT 3: GSM COMINT
SEGMENT 4: SATELLITE COMINT
SEGMENT 5: INTERNET COMINT
COMMUNICATION INTELLIGENCE basic content
COMINT (Communication Intelligence) is the study of all electromagnetic signals used to send information from point A to point B (the B may be multiple).
The study and analysis of communicating signals break down into several levels of study:
- The study of the carrier signal with the objective of decoding the signal that means to transform an electromagnetic signal into an actionable information (sound, image, data etc.).
The result of the signal study is described in a database in order to capitalize on the knowledge gained.
This database will be very important for electronic warfare to allow it to identify the frequencies and types of modulation used by communication networks.
The vast majority of analyses do not go beyond this stage, either because the content is of no interest, or because it is encrypted and deciphering is not a priority, or because the signal is already identified.
Even if the content is not exploited, the type of transmission already gives a certain amount of information (origin and recipient, volume of data, etc.) of interest to the intelligence.
For example, a significant increase in transmissions can give an indication of a particular military activity and allows anticipating events.
- The study of the binary trains for digital transmissions with the aim being to determine data packets, codes, addresses. While data themselves can be encrypted, it is not always the case for headers or addresses that can provide the identity of the transmitter and receiver. This step is a prerequisite before the deciphering of a message.
- The decryption of the data: the huge computing power and the amount of time needed limit the decryption to only a small portion of the encrypted transmissions.
The content of the transmissions, once available, is transferred to analysts who will extract information from the content.
IMPORTANCE OF COMINT FOR ELECTRONIC WARFARE & INTELLIGENCE
COMINT capabilities become more and more important assets for a military force on a battlefield. These are the main reasons:
- On the battlefield, it is key to know the enemy intentions and command actions through communications.
- On the battlefield, the weapon systems are more and more interconnected through communication links.
- On the battlefield, more and more air platforms are «silent and stealth» but have to use communication links (data-links, communication networks) to act and coordinate.
- In many military operational scenarios, the only way to detect, localize, and know the enemy’s intentions can only be acquired through the communication they use.
- Communication intelligence (including decryption) was a key asset to win the last wars. Since then, it has been even more important to give battlespace superiority.
- Mastering the spectrum in Electronic warfare, for a global approach, absolutely needs to implement solutions that covers the fields of communication and cyber warfare.
The information gathering addresses the radio communication activities aims to catch both the RF parameters, like the carriers’ frequency, the bandwidths and the modulation types, and the information exchanged between the users or terminals, just relying on the intercepted communications.
Concerning the RF parameters (the physical level of the radio link), the “Signal-In-Space” (SIS) includes the timing and the frequency characteristic of the aerial transmitted signal.
The SIS, at the source, mathematically defines the formal time-depending function representing the theoretical signal an emitter should transmit.
The SIS provides also the emitter with a fingerprint of the transmitted signal.
The evolution of the radio communications pushed the above RF parameters to more complex structures adopting protocol level structures and the relevant networking information, that’s what is currently defined as “waveform”, being it either a wireless communication standard or a legacy radio access technology.
About the information exchanged by the end users, its acquisition cannot be generally performed in real-time, as the waveform’s protocol recognition and mainly the data encryption require a highly intensive digital processing to be performed on post-processing off-line only.
In addition, the encryption algorithm and the related key become generally available just after an intensive intelligence operation.
In summary, a conventional COMINT system provides the users with the following capabilities in a frequency range covering at least VHF and UHF bands, e.g. 30 ÷ 3000 MHz with extension of the frequency coverage down to the HF band (1 ÷30 MHz) for some specific missions:
- Detection and DF of communication emissions.
- High accuracy measurement of electromagnetic parameters of intercepted emitters (frequency, bandwidth, amplitude, DOA).
- High sensitivity.
- Full azimuth coverage.
- Automatic track synthesis and picture compilation.
- Localization of selected emitters.
- Generation of automatic alerts.
- Classification (modulation recognition);
- Access to communication signal content (Demodulation & decoding, audio listening);
- Technical identification (communication waveform/protocol recognition) of intercept emitters on the basis of “EW Library”;
- Extensive Data Recording (NB, of selected emitters) and WB (I/Q data of the entire IBW)
- Support for Offline “deep” technical analysis by Playback.
Nowadays, there are some key additional requirements to add for an effective COMINT function:
- Surveillance Bandwidth from HF to UHF (6 GHz)
- Communication Signal Interception to/from Satellites
- Cellular mobile phone Communication Signal Interception (active and passive)
- Interception of all new protocols and internet
Competitive COMINT products perform the above capabilities also against large IBW signals generated by very short bursts and fast FH emitters.
This further requirement encompasses a wide BW dynamic, including military, professional (e.g. narrow band standards like TETRA and APCO P25) and commercial mobile communications.
The off-line analysis is the item that offers an extensive growth capability, as it allows the operator to program it autonomously in order to expand the set of supported waveforms (or new decoders, as sometime they are called).
IMPORTANCE OF COMINT FOR CYBER WARFARE
Traditionally, Electronic Warfare (EW) and Cyber Warfare (CW) were considered as independent disciplines.
However, as communications systems have moved to commodity hardware and as radar and navigation systems began to depend on networked operations using commodity network hardware, the boundaries between the two fields have begun blur.
Convergence between EW and CW mitigates the differences creating a new parallel for common operations. They can provide effects that deny or degrade spectrum allowing for the control and exploitation of the network.
“The synchronisation and coordination of cyber and electromagnetic activities, delivering operational advantage thereby enabling freedom of movement, and effects, while simultaneously, denying and degrading adversaries’ use of the electromagnetic environment and cyberspace”.
Inside the operational cycle of CEMA, COMINT plays a key role for the following functions: Information Collection, Reverse Engineering, and Wireless signal analysis, Information gathering (for both mission preparation and mission execution).
INTERCEPTION OF MOBILE COMMUNICATIONS
It is nowadays compulsory for a COMINT system to have this capability.
One of the main techniques used is the implementation of “pirate” antennas that emit a signal powerful enough that all nearby phones automatically connect to them instead of choosing the operators’ antenna.
The phones in range transmit their subscriber credentials to this IMSI-catcher. As long as the link is established with the IMSI-catcher antenna, it can intercept anything that passes through the phone.
To avoid this, 3G, 4G and especially 5G have strengthened their protection systems.
This is based on the AKA (Authentication and Key Agreement) protocol.
It validates the authentication of the phone on cellular networks.
It establishes keys to encrypt communications.
Moreover, in the case of 5G, this protection had to be unstoppable.
Not enough apparently since with their method and a device at just over 1,000 dollars, the researchers managed to get through this security.
How? By deciphering the last bits of the sequence number operated by the AKA protocol.
With this technique and these last bits alone, researchers could identify the identity of the subscriber and identify the metadata of the mobile activity.
Apart from active techniques such as IMSI catchers, there are also a number of passive techniques to intercept GSM communications.
Cyber surveillance and the interception of electronic communications refer to several categories of action, and therefore involve techniques adapted to the objective and specific technologies. Interception does not stop at the capture of the message, the data, and the signal.
Storage, processing and analysis systems need to be added.
Interception, which wants to capture a message to read it, does not use the same means as the one that aims to stop messages.
All technologies, techniques, technical capabilities of interception and cyber surveillance are therefore, on the face of it, extremely broad.
It is necessary to try to group them in order to have a schematic view of the broad categories of techniques and technologies that can be involved and mobilized.
The privacyinternational.org site identifies four categories of technologies that can be mobilized for the monitoring of communications:
- Internet monitoring that consists of the capture of data in the Internet.
Technology can be deployed at any point in the physical and electronic systems of the internet.
It is possible to use technical tools (to connect physically to networks) and software (monitoring is not only interception: the analysis of data from the internet is part of this monitoring). - Monitoring of mobile telephony that is the capture of information in the mobile network (International Mobile data).
One of the key technologies of this monitoring is the IMSI (International Mobile Subscriber Identity) Catcher.
This tool allows to intercept, in the sense “capture” but also to send messages to phones.
It is therefore not a question of passive interception, but of interfering in the network and exchanges. - Fixed telephony interception that refers to the capture of Public Switched Telephone Networks (PSTNs).
Technology solutions sold by companies now allow the monitoring of such networks in a country. - Intrusion technologies that allow malware to be smuggled on mobile phones and computers, allowing operators to take control of target devices.
Privacy International says trespassing is certainly one of the most invasive forms of surveillance.