w.

DOClD: 3803783

This publication is a product of the National Securitv Agell1lcy his­tory pro~amo It presents a historicID"perspecti'\"e tor 11ll1form21­tionaI and educational purpose§\ is ffie result of independentresearch, and does :not :neceSSalrllXy reflect a position of NSAjCSS or any other UoSo government entity.

I Cover Photo: u.s. embassy in Moscow at the time ofthe GUNMAN ~

project.L ~~

Declassified and approved for release by NSA. CIA &. State Dept onb'I-'1 ~-~O'I 'I I)ursuant to E.O. '135~6 MDR 58453

DOClD: 3803783lOP SECREI/7COIVlINIJlREL 10 USA, A:US, CK!{, GlUt, N2':L

'1'01' S~CU't'//COfiflIftft'//R:EL~O US1\:, *US, eM", GBR, 1l~L

-,.. -

DOClD 3803783'f'ot' SECft£'f't/COr.IHff//REL 'FO USA, AUS, eMt, CBR, P>t~L

r

, ." .. ,--"'~. , .' . ..- , IN" ""', :~

- - ..' ." -.... ~¥ "". ;;> c · -. ·" }i

j;'h

t(U) Table ofContents ,

"~,t;~

Page ..~

(U) Introduction. ..·..... ...·... ······· ······· ······· ··········. .1 ,.;' ~

(U) The Catalyst. ..·.······ ·· ······ · ············ ············· · ·· .2 c..

(U) The Race to Remove and Replace Embassy Equipment. ·4.,

··········· '",

(U) The Discovery . ···.·······.················ ·..····.··. ···....8.-

(U) Reactions to the GUNMAN Find. ·· ············· ······· ······· · .11>

"'

(U) Implant Characteristics · ······· · ····· ······· ······ · · ····· ··· .12

,(U) Damage Assessment. ····························· · ··········15

(U) A Cunning Enemy ············· ······· ······ ············· ····15

'.,

(U) GUNMANImpact.;....... . ......· . · .... . ..... . ...... ·....... .17

(U) Conclusions . ..···.················· ······· ······ ·········..19

(U) Acknowledgements.t

········· ··························· ·· ·· .20

(U)Notes. ........···.······································ ·· .20 ,

(U)Index. ........·.·· ·.······· ····.·. ······· · ···.·······. ···· .23

,

~~

.,., .

'FOt' SECRE'Ft/COMHff//REL 'FO USA, IMS, GYt, CBR, P>t~L Page iii

DOClD: 3803783TOP S:ECltM11COMtN'f'f/KEL 'FO US:z't, I.tUS, G\fl GHR, N~L

(U) Learningfrom the Enemy:The GUNMAN Project

(U) Introduction

CU) On 25 March 1985, CBS television nightlynews broke the following shocking story:

• CU) Dan Rather: "In another U.S.-Sovietdevelopment, Pentagon correspondentDavid Martin has been told how Sovietsecret police in Moscow have been gettingthe latest word on sensitive U.S. embassydocuments even before U.S. offici~s readthem."

CU) David Martin: "Informed sources tellCBS News that for at least one year, andprobably longer, the American embassy inMoscow was the victim of a sophisticatedelectronic spy operation which gave Sovietleaders an inside look at what U.S. dip­lomats were doing and planning. Sovietagents secretly installed tiny sensing devic­es in about a dozen embassy typewriters.The devices picked up the contents of docu­ments typed by embassy secretaries andtransmitted them by antennas hidden inthe embassy walls. The antennas, in turn,relayed the signals to a listening post out­side the embassy....

CU) "Depending on the location of thebugged typewriters, the Soviets were ableto receive copies of everything from routineadministrative memos to highly classifieddocuments.

• CU) "One intelligence officer said the poten­tial compromise of sensitive informationshould be viewed with 'considerable seri­ousness'.

CD) "Another intelligence expert said no oneknows for sure how many or what secretswere compromised. A third official calledthe entire affair a fiasco."l

CUI/r'OUO) How accurate was the CBS report?The following paper will examine the nature ofthe Soviet electronic penetration and the damageassessment of Soviet access to typewriters at theU.S. embassy in Moscow. This history of ProjectGUNMAN will also answer such questions as howwere the typewriter bugs discovered and how didthey work.

CU) Countries have spied on each other by gath­ering information from embassies for centuries.The United States and the Soviet Union were ofcourse archenemies during the Cold War C1945 tothe fall of the Soviet Union in 1991), and there isa long history of attempts by the Soviets to gainaccess to information from the U.S. embassy andits diplomatic apparatus. Perhaps the most famousincident of Soviet espionage was the Great Sealimplant.

CU) On 4 August 1945, Soviet school childrenpresented a carving of the Great Seal of the U.S.to Averell Harriman, the U.S. ambassador to theSoviet Union. The carving hung in Spaso house,the ambassador's residential office' in Moscow,until 1952, when the U.S. State Department dis­covered that there was a microphone hidden insidethe carving that the Soviets turned on at will. Thisbug was not a standard microphone and could notbe detected unless it was in use. For six years theSoviets were able to eavesdrop on the conversationsof the U.S. ambassador.2 The Soviet threat to U.S.embassy security was both well-documented andreal.

Page 1

DOClD: 3803783I UP SEeMI j j COWIIt<llj jtmL TO tJSA, ADS, CMt4' 6Blt, N2":L

iffl" The typewriter bugs marked a newlevel of sophistication because they wereelectromechanical. For the first time, theSoviets gathered information from a pieceof equipment that held written plain textinformation. Prior to the discovery of thesebugs, the U.S. believed that the Russianshad only used room audio bugs with micro­phones or listening devices to eavesdrop onAmerican embassy activities. As a totalitar­ian society, the Soviet Union valued eaves­dropping and thus developed ingeniousmethods to accomplish it.

CUI/POUO) The 1980s were a peri­od of strained relations between the U.S.and the Soviet Union. One manifestationof those strains was Project GUNMAN,which involved the replacement of U.S.embassy equipment in Moscow and the dis-covery and evaluation of typewriter bugs.GUNMAN was not the only threat to the U.S.embassy in Moscow. The U.S. began to build anew office for its Moscow embassy in 1979. Thebuilding, however, was riddled with bugs, and theU.S. eventually rejected it. That story, however, isa subject for another paper. This paper is the storyof the GUNMAN attack and the role of NSA in itsdiscovery.

~O 1. 4. (e)

(U) Fig. 1. IBM Selectric typewriter ~p 1.4. (d)P.L. 86-36OGA

etrated typewriters in the U.S. embassy in '+'1oscowwas correct in that the attack took place. H(:>wever,some of the details in the report were oversimpli­fied. According to CBS, "the bugs might still b~ inplace had it not been for a warning from a fri~ri~y

government whose own embassy had been the tar­get of a similar eavesdropping operation."3f \\

:==========~II

CUHFOUO) Organizations with intelligenceresponsibilities must be able to respond quicklyand creatively to unforeseen threats. How did NSArespond to this Soviet threat? To answer that ques­tion, this monograph will examine the role of NSAleadership and its ability to move a bureaucracyinto action. To curtail future threats, intelligenceorganizations must also maintain the ability tolearn from the activities of their enemies. Whattechniques did NSA use to learn from Soviet bug­ging efforts?

-t811 \

(U) The Catalyst

EOL4.(<;)P.L. 86-36

ts1 The CBS 25 March 1985 report thatannounced to the world that the Soviets had pen-

Page 2 TOfl S~Cft:E't't/COMIN'f'h'R£L'FO USA., f.lUS, CA;p.J' CRR, ~;n.

•

P.L. 86-36

I briefed Ken DeGrqffenreid [thesenior director of intelligence pro­grams on the National SecurityCouncil]. Next we briefed Admiral

~NSA briefed the secretary of defense, CasparWeinberger, on the threat and its proposed plan ofaction. Weinberger said that this problem shouldbe brought to the attention of the president imme­diately.1 Iw:pom Deeley assignedto work with the White House; explained that theapproval from President Reagan forthe~SA planof action came in record time.

United States could exPect to be a high prioritytarget.6 TheI I~arning was the catalyst forNSAaction.

~~~~~~ P.L. 86-36

-tS7 Under the leadershipgfWalter Deeley,the deputy director for communication security,andl kth~ chief of R9, a division inthe Research and Development organization, NSAmanagement developed a plan to remove, replace,and examine telecommunications and informa­tion processing equipment at the U.S. embassyin Moscow. NSA was to handle all aspects of theplan on an absolutely need-to-know basis. NSAwanted to remove the equipment so that it could beexamined in the U.S. to allow for a more thoroughinspection than could be conducted on the embassygrounds. NSA also wanted to keep the Soviet Unionfrom learning about the effort and interfering withU.S. objectives. The Soviets had a history of poi­soning or using other means to injure techniciansfrom other countries who investigated bugs in their

ti· b' 7 EO 1. 4. (e)respec ve em assles. EO 1 . 4. (d)

P.L. 86-36

~General Faurer did not want to bri~fhis

plan to the State Department because relationsbetween NSA and State were poor. NSA had beenwriting critical reports about inadequate security inState Department facilities for several years. Faureralso believed that CIA would mishandle the NSA

plan because1 11_-

.............................

···············1

I

Eo). 4. (e)

3 8.ID3'i1c8:B:.... ..' EO 1. 4. (e)

~OPSE(3R:E'i'//COi\IHff'ffR£L~O US:A, AUS, C2fdif GBR, NZL/"'/ P. L. 86- 3 6OGA

""---__~------:----.....IIThedevelop­ment of this bug required competent personnel,time, and money. The very manufacture of thecomponents required a massive and modern infra­structure serviced by many people. This combina­tion of resources led to the assumption that otherunits were available.4

EO 1. 4 .leJEOOLOC~ :P.L. 86-36dGA

P,:L"8 6 - 3 6

,~ Afterlearning about the bug, the DIRNSAsentL·lfrQIll R9, the research anddevelopment organization, and I Ifromthe COMSEC organizationtoc:::::::Jto examme theimplant. It was unlJ,sualfor these organizations tohave a reasont6~ork together. This was the firstof IIl,anye~amplesof collaboration that developedbehveen the two entities to uncover and under­stand the GUNMAN threat.

1P.L. 86-36

EO .4. (e) •

P.L. 86-36 •OGA -f5tIIfound that this

implant represented a major Soviet technologicalimprovement over their previous efforts. The bugcould be rapidly and easily installed by nontechni­cal personnel; it resisted detection by conventionalmethods; and it was wireless and remotely con­trolled. Search by disassembly and visual inspec­tion, when conducted by any but the best trainedtechnicians, would normally be unproductive. Allconcluded that if the Soviet KGB would go to theselengths against a Western ally, then certainly the

'fOP S~eU'f//eOl'fnN't'f/ft£L~O USA, AUS, C2fdif 6BR, Ni3L Page 3

DOCID: 3803783TOP SECRET//COMHffffREL ~O USA, AUS, eA:N GlUt, N2':L

OGA

We could not simply show up to takean inventory because we could notrisk alerting the Soviets. Instead, tele­communication personnel from NSA

The first problem that we faced wasthe lack ofa centralized inventory atthe embassy. The problem was fur­ther complicated because individualdepartments had software tailoredto their specific needs. For instance,we could not simply replace all oftheWang computers.] I

________---ll Keeping track of

all of the various software was hardenough, but keeping track ofall ofthevariations was a nightmare. With theassistance of a few trusted commu­nication center embassy employees,we were able to obtain diagrams andblueprints of equipment. However,wefound thatfrequently the originaldiagram did not always match withthe equipment that had been actuallydelivered.

iS1 Security concerns were another challenge

identified by I Ip . L. 86- 3 6

(U) The Race to Remove and ReplaceEmbassy Equipment

~ The first goal of the GUNMAN Project, toreplace all of the electronic equipment in the U.S.embassy in Moscow with signaturized equipment,was a daunting challenge. Electronic equipmentincluded teletype machines, printers, computers,cryptographic devices, and copiers - in short,almost anything that plugged into a wall socket.NSA staffhad to move quickly to replace equipment

to.... avoid tiPPin}ts hand to the Soviets. Accordingt~ ho was involved with the procure­ment and shipment of the upgraded equipment toMoscow, Walter Deeley gave the staff one hundreddays to complete this phase ()fth.eproject.1 Istated,

P.L. 86-36

John Poindexter [the deputy nation­al security adviser, who became thenational security adviser in 1985J.Admiral Poindexter wrote the neces­sary memorandum and within afewdays we had a signed document ofauthorizationfrom the president.

Admiral Poindexter toldine tobrief the secretary of state [GeorgeSchultzJ and the director of CentralIntelligence [William CaseyJ, and noone else. I pleaded to briefLawrenceEagleburger [deputy undersecretaryfor political affairsJ, because Ifearedthat I could not reach the secretary ofstate ifwe needed help in gaining thecooperation of the State Department.After much begging, Poindexterrelented. This incident is an indica­tion ofthe concernfor security withinthe u.S. government.9

~ Developing and gaining approval of a planto respond to a possible security threat in approxi­mately six months were significant accomplish­ments for a large bureaucracy such as NSA. Theywere a testament to the leadership ofWalter Deeley,a manager who took risks and made decisions.Right from the start of GUNMAN, the research andCOMSEC directorates worked together. This type ofcollaboration was very effective but a very unusualphenomenon in the 1980s. Overcoming bureau­cratic hurdles was also possible because during the1980s the Reagan administration had an overarch­ing concern with the Soviet threat to the U.S.

CU) President Reagan approved the GUNMANproject in February 1984.

CU) Even after presidential approval, knowl­edge of GUNMAN was still tightly held within thegovernment. I IfuIther explained:

Page 4 TOP SECRET/fCOMHIT/fREL ~O US2\:, *US, C:z\:N EiBR, N't'iL

,.DOClD: 3803783

E.O 1. 4. (c)P;L. 86-36

~ot' SECR:E't'//COMI~ttREL~O US:A, AUS, CAN EiBR, "P.~L

EO 1.4. (c)P.L. 86-36

Pages

This was another example of collaboration betweenorganizations within NSA.

-t8t A separate area on the NSAW campus,known as the T. Motor Pool area, contained fourtrailers that were used to stage the equipment. T2used the first trailer to test each piece of equipmentto ensure its proper function. In the second trailer,S651 inspected each item by x-ray. They also disas­sembled every item to record anomalies that wouldbe stored in their standards library for future ref­erence during examination when the e ui mentcame back from the field.

in the third trailer and used the last trailer for stor­age.EO 1. 4. (c)

P.L. 86-36

ffi Every possible precaution was tak~n duringthe entire project to ensure that the repla~ement

equipment remained secure. NSA staff ghardedagainst tampering by using several levels of detec­tion devices. Some methods were applied to\theequipment itself, while others involved the pack~g-Iing of the eqUiPment.I:.1

TOt' SECRET//COi\IIUT//REL TO U&.r, AUS, Ct\N GBR, ~J~L

\\L-w-e-r-e--~~--:-;'---;----=~

~ Because of the need for fast delivery to theembassy once the equipment arrived in Moscow,NSA had to be certain that each piece of equipmentworked. There would be notime to repair anything. NSAalso wanted to make sure thatthe replacement equipmentwas not tampered with whileen route. The COMSEC orga-nization took a number ofsteps not only to safeguardthe equipment in transit, butalso to determine whether itwas tampered with when itwas brought back for periodicexamination after being oper-ational in the field. For thenext two months, personnelprimarily from S65 and· T2worked feverishly to preparethe equipment for shipment.

EO 1.4. (c) ('fSz7'~I//;Rftt_F_i_q_,2_,_'--- ,..........1

P.L. 86-36OGA

~ NSA used a variety of methods to quicklypurchase similar or upgraded equipment for theembassy. Approximately 40 percent of the equip­ment had to be purchased while 60 percent wasavailable from the Agency and other sources. NSAwas unable to obtain 250 IBM Selectric typewritersrequired by the embassy in part because of theirpower requirement. The Soviet Union used 220­volt 60 cycle electricity. Typewriters were not avail­able from European sources, and the IBM factoryin Lexington, Kentucky, had depleted most of itsstock. NSA was able to acquire only fifty typewrit­ers, so they replaced typewriters that were used inthe most sensitive areas of the embassy. NSA wasable to meet the requirements for all other equip­ment.ll

DOClD: 3803783f30 1. 4. (c)

~.L. 86-36

TOP SECREF//COl\tINFffIWL '1'0 USA, AUS, CAN 8BR, NlSL

-

I ~Personnel used various tamper-proof methods t<>\ .package the equipment. For example, equipmentlwas sealed in special plastic ba s that could not be ••replicated in the Soviet Union

INext, the crates were placed in'1-----------'

trailers for easier transport and additional security.

ISome boxes con-

-tSt The staff took extraordinary measures toensure the security ofthe equipment during its ship-

To the ~ The equipment was shipped to Moscow in~b-e-s-t-of-N-S-A-'s-kn-o-w-l-e-d-ge-,-t-h-e-S-o-Vl-'e-ts-di-'d-n---'ot inter-I I From NSA, the Armed Forces Courier

fere with any of the equipment that was shipped to Service shipped the equipment to Dover Air Forcethe embassy or returned to Fort Meade.12 Base. Two cleared couriers accompanied the equip­

ment, which was flown by military transport toFrankfurt, Germany.

~Another example of atten­tion to every detail of securitywas the rental of a special craneto load the plane. The regularcrane was not operational whenthe equipment arrived. The flightwas scheduled to leave in threehours. The equipment could notmiss that flight because NSA per­sonnel did not want to store it atDover. Therefore, the plane wasloaded using a rented crane.

~The equipment was flown into Moscow instages on a Lufthansa aircraft, a common StateDepartment procedure. The Soviets were not sur­prised by an influx of equipment entering theembassy because such activity was typical in thespring. The only way to get equipment into the

/ ~ Fig. 3. CONEX boxes used to ship equipment to andfrom/ the u.s. embassy. The boxes were over 30feet long, 8feet

/ tall, and 8feet wide. Boxes in theforeground were wrapped/ in burla.]Ja.~cl.Hsecuredwith steel strips.1EOi~H4H~m(~)HHHHHHH .. I I(back to cam~e~ra-::-)T".-------

P.L~8Ei-36

~ehtto the embassy. In preparation for shipment,boxes ~feqllipment were placed in crates whichwere wrapped.ihbllrlap. Burlap signified that theseitems were to be treated, as U.S. diplomatic cargoand would not be subjecttojnspection by Sovietcustoms officials. As a furthe~secllrity measure,the burlap was stapled onto each cr~te~1 I

~The equipment was storedand guarded by U.S. personnel ata warehouse in Germany until itcould be flown into Moscow. Thiswas necessary because there wasno place at the embassy to storeten tons ofequipment. The embas­sy attic had been damaged in a firein 1978 and was not stable enoughto hold such heavy equipment.

Page 6 TOP ~~C~T//COl\UNT//RELTO USA, MJS, €*f( 6Bft:, N2':L

DOCID: 3803783TOP ~~C~T//CO~Uwr//RIi;I.TO USA, ."....uS, CAN 6814:, N1JL

P.L. 86-36

-fBj-Fig. 4. U.S. embassy in Moscow. Equipmentwas lifted in and out ofthis building, possiblyfrom the roof, since the Soviets had shut down

the elevator.

embassy was by using a hoist from the outside. Thishoist was frozen all winter and inoperable, makinglarger deliveries necessary in the spring. However,the Soviets did turn off the electricity to the embas­sy elevator for preventive maintenance after thefirst day of the influx of equipment. Most of theapproximately ten tons of equipment that wentinto the embassy and the eleven tons that came outhad to be carried manml~Jyl I(Note: Some sources !fiaintain that less equipmentwent into the emb.assy as replacements because theequipments \:yer~ upgraded models. Other sourcesmaintaiIl·tnat eleven tons came out of the embassybec~us~ there were bags of sensitive trash that NSA.wanted to examine back at Fort Meade.)

P.L. 86-36

~ The true nature of the GUNMAN proj­ect was successfully masked from most embassyemployees. Ambassador Arthur Hartman learnedabout the project via a handwritten note that NSApersonnel personally delivered when they arrivedat the embassy. Ambassador Hartman announcedthat there was to be an upgrade ofembassy commu­nications, which accounted for all of the replacedequipment.141 Ireported that embassypersonnel were happy because they received newequipment and upgrades without having to useany of their own funding.15

(UI/FOUO) The embassy environment madethe swap of equipment even more difficult. BobSurprise, a State Department employee who wasthe deputy chief of the communications center atthe Moscow embassy, described the facility as old,decrepit, and outdated. As an employee in the U.S.Foreign Service, he had worked in many facilitiesin similar shape throughout the world. Surprisereported that it was difficult to move equipmentaround because the halls were only thirty-six inch­es wide and the elevator could hold only four pas­sengers, never mind equipment. The only way toget some equipment moved was to manually haulit up and down the stairs. Surprise further stated,

I did not mind the rugged workingconditions or long hours becauseI was accustomed to it from otherembassy work. Every embassy is atthe mercy ofthe host country becauseit must depend on the hostfor water,electricity and heat just as any otherbuilding in a country is dependent onthat country for utilities. It was moredYTicult inMoscow because we had anadversarial relationship. Sometimesthe Soviets played games by shuttingoffutilities.16

(Ui/FOUO) Thomas Bell, the head of the StateDepartment communication center at the Moscowembassy, further described the atmosphere at

TOP SECRET/jCOMINF,'jREL 'FO U&A, ADS, (M:N 8BR, NZL Page 7

DOCID: 3803783'1'61' SI!:CltE't'ttC6MIN't't/K::EL 'FO DS*:, ADS, C2\N 6BR,~L

P.L. 86-36

the embassy as very intense. Nobody trusted theSoviets.

Workers took theirjobs seriously. Wewere always under the watcliful eye ofthe Soviets, even in ourpersonal life. Ilived in an apartment outside theu.S. compound. I would come hometo find my freezer unplugged, shirtsmissing from my closet, or a dirtyglass in the sink that had containedliquor. I am sure that the apartmentwas bugged. Americans had no priva­cy.17

ff&) The replacement of all of the embassy elec­tronic equipment had to occur with minimal impacton the missionl Ian NSA employee whowas sent to the U.S. embassy in Moscow to carryout the replacement of the equipment, describedthe activities as follows:

I arrived late on a Saturday and beganwork early on Sunday morning. I hadtwo kinds of tasks, protect the equip­ment that was held overnight in theattic and help with the unloadingand loading of equipment. I broughtalarms and sensors that I set up inthe attic. I ran the wires down to themarine guards on the sixthjZoor. Noone interfered with our equipmentwhile we were there.

P.L. 86-36

The logistics of the operation werehandled superbly. A shipping clerkwas part of the team. He opened thediplomatic pouch, uncrated the equip­m~ntand opened the box. We carriedthe equipment down to its position.

Whilel Iand others on theteam set up the new piece of equip­ment, others brought the old one backto the atticwhere itwas repackaged inthe box that contained the new equip­ment. We spent lots of time running

up and down the stairs. The teletypemachines were really, really heavy.They were also very wide and couldbarelyfit through the stairways.

We started changing equipment inthe State Department communication

center·r

IWe systematically.....--:---:-------'worked our way through the rest ofthe building. I was at the embassy forten days. It was a real adventure.is

-f81 The exchange of equipment between NSAand the U.S. embassy in Moscow was anotherexample of overcoming bureaucratic delays. NSApersonnel demonstrated a tremendous capacity forhard work. They also exhibited deep dedication tothe mission.

P.L. 86-36(U) The Discovery

~ Since S65, COMSEC Standards andAdvanced Technology Division, was an office thathandled a wide variety of special projects, it wasappropriate to give this division the lead in lookingfor bugs in U.S. equipment. I Ithe headof this division, reported that he pulled together ateam of the best minds to work on this challengingtask. This assignment was an unusual one for NSA

was careful to assign the "rightL.n-u-m"""T""e-r-o"rif,...p-e-op....l;-e~to the task. I did not want peoplestumbling over each other and getting in each ­other's way. We needed space for people to do theirwork. Too many people would have created confu­sion. I did not want them inadvertently missinganything."19

P.L. 86-36

OGA

PageS '1'61' SI!:C~t/C6MIN't'ttltl:L'1'6 tJS:A, :AtJS, C:AN GlUt, N2':L

DOCID: 3803783TOP ~:f:e~Tf/COMIN'f'ffR:EL'FO USA, /iUS, G'\N U8&, P>t~L

P.L. 86-36

fSt Fig. 5. Primary x-ray machine used indetecting equipment bugs. This was a portable

machine about 8 inches deep, 6 inches wide,and 12-15 inches long. The x-ray machine was

pointed at the object on top ofthe sheet ofx-ray film.

~ As the equipment from the embassy wasreturned to NSA, the COMSEC organization begana lengthy inspection process of each item. Theequipment had to be inspected methodically toprevent the destruction of important evidence. Theaccountable COMSEC equipment was examinedin the labs inside the OPS-3 or S building, theCOMSEC facility on Fort Meade, while the nonac­countable COMSEC equipment was stored andexamined in the trailers'. Each item was inspectedvisually and then x-rayed. The x-rays were com­pared with known standards for each item.20

(U//¥OUO) I 1/ a physicist whoworked in S6S, described the atmosphere as thesearch for bugs proceeded at NSA

The adrenalin was really flowing.About twenty-five ofus were involvedin the search. We all recognized theimportance ofour work. NSA's repu­tation was on the line, and it was upto us to find something. We felt surethat the Soviets were taking advan­tageofus.

We worked six days a week anddid not even complain about roughworking conditions. When we startedworking in the trailers, there were nosteps up to the entrance. The entrancewas aboutfourfeet offthe ground. Wefound some cinder blocks and emptyspools that had contained mesh wireto help us enter the trailer. Eventuallywe got steps, phones, and air condi­tioning, and life improved.21

-EStWalter Deeley had a long varied career at theAgency. He had a reputation for being strong willed,abrasive, but committed to the mission. Directorsof the Agency turned to him when they neededsomeone to accomplish a difficult job. As the headof the COMSEC organization, Deeley wanted thequestion of whether the Soviets were bugging U.S.equipment answered quickly. He demonstrated hisimpatience by swapping managers for the projectin midstream.22 He also offered a $S,ooo bonus tothe person who found a bug.23 $'. L . 8 6 - 3 6

(U//FOUO)IIan engineeringtechnician in S6S who was working on this project,enjoyed the challenge of searching for a bug in U.S.equipment. According tol Ithe 1980s were atime when people felt patriotism and pride in theircountry.

We knew who the enemy was andwanted to limit his effect. Ifrequently .", .

TOP S}';.CIHlT//COMHIT//REL 'FO USA:, AUS, CAN 68ft:, N2':L Page 9

----'r---------- __

DOCID: 3803783'fOfl SECR£'fiiCOMINTi/REL TO US*, /iUS, G\:N GBR, n:p: L. 86- 3 6

worked at night and on the weekendsby myself in the trailer examiningequipment. After we had looked atall of the crypto gear, we eventuallymade our way to examining the type­writers. I took a typewriter apartto look at all of the possible placeswhere a bug could be inserted. I cre­ated an image of these areas whichenabled me to take fewer but clearerx-rays ofthe important sections.24

ect. I could hardly wait for morningwhen my colleagues would return. 26

~L...- .....lcontinued the story.

The next morning, Mike,l'--- _

another engineer, and I argued aboutwhether we had an anomaly or abugged typewriter. Some typewrit­ers had memory now which couldaccountfor additional circuits. Whatled us to conclude that this typewrit-

CUI/FOYO) On a Monday evening, 23 July,I Inoticed an extra coil on the powerswitch of an IBM Selectric typewriter. He decidedto x-ray the whole machine from top to bottom. Thex-rays of the keyboard proved to be very interest-ing.2~ ~tated:

'P. L. 86-36

..... .... arrived, we informed him

and he called inIIand other experts from R9. DeeleyiTiformed the DIRNSA. Now the paceofour work really increased. We hadto thoroughly examine all embassytypewriters in the USSR because mostlikely there were more bugs. We hadto educate other U.S. embassy person­nel from East Bloc countries on howto search for bugs. We also began

(U//HJU()) Fig. 6. Engineers I .. uuuuuu ,1(le./lJ(lltclI ~isassemblingtypewriter

er was probably bugged was the loca­tion of so many circuits in a\metalbar that went along the length ofthe machine. When our

When I saw those x-rays, my responsewas 'holy.r**'. They really were bug­ging our equipment. I was very excit­ed, but no one was around to tell thenews. My wife was an NSA employee,but I could not even tell her because ofthe level of classification of the proj-

P.L. 86-36

EO 1.4. (c)P.L. 86-36

Page 10 'fOfl SEC~'f//COMIN'T//ltl:LTO tJ~, lttJ5, 0'rN GER:, NZL

DOClD: 3803783TOP SECREFffCOMlNT//REL~O Us-A, kUS, C2\N 68ft:, r,2!:L

CU//FOU011 lclaimed to have no specialtalent. .

CU//vOllO) One morniIjg, with no time forpreparation, I rwas told to brief thedeputy director, Robert Rich, on the GUNMANimplant. She did the best she could with the brief­ing, but determined that she would learn as muchas possible about the subject. Since the engineerswere ve bus with their investi ations

~ While the search for additional bugs con­tinued, the secrecy of GUNMAN remained par­amount.1 l1?riefed Agency seniorsabout GUNMAN. People wetepriefed one at a timein an anechoic chamber, which was a soundproofanti-echo room used to conduct techhkal tests. Shereported that the reaction to the news ra:nged fromastonishment to anger. ...~. L. 86- 3 6

handpicked the people to brief President Reagan atthe White House. R9 grabbed publicity, too."30 AsCount Galeazzo Ciano summed up human naturein his diary in World War II, "As always, victoryfinds a hundred fathers but defeat is an orphan."

P.L. 86-36

-t&) The discovery that the Soviets had buggeda typewriter in the U.S. embassy in Moscow didnot diminish the level of secrecy surrbunding theGUNMAN projecd la tech­nical writer in S64, the Tempest.office, whichwas located next to S65, saw large amounts ofequipment going up and down the halL She evenhelped with the procurement of film and packag­ing materials. She learned about the true nature ofthe GUNMAN project only after the implant wasdiscovered. Even then her sup~fvisorswore her tokeep the information secret.

"---_----'soon became the NSA GUNMAN briefer.

the diffieult task ofreverse engineer­ing the bug to see how it worked. Ihad been discouraging the wide useof x-rays because we had diffieul­ty obtaining Polaroid film. Polaroidonly made about 3,000 sheets offilma year. We had used 10,000 sheetsand were having trouble obtainingfilm. Thank goodness Mike ignoredmy advice and x-rayed the entiremachine. There was no way to seethat bug without x-rays.27

Another lesson that GUNMAN taughtus was to expand our thinking. Manyofus in the COMSEC area expected the

\\ bug to be in crypto or other COMSEC\~quipment. It ended up being in a~pewriter that produced plain text.W~ had to pay more attention toplmn text communication devices ifwe were to keep u.s. communica­tions·seeure.29

I found that bug by luck. After look- ,..ing at so many x-rays day after dayfor so many hours, I could easilyhave missed it. I'm glad that I sawit. I certainly was delighted with the$5,000 cash award. 28

86-36l?;L.

................~ Ibelieved that the GUNMAN expe-

rience had an important positive effect on theCOMSEC organization.

(U) ReacticillS to the GUNMAN Find

CU/lFaUO)1 Icharacterized thereaction to the GUNMAN find within the organi­zations that had worked on the project as chaotic."Everyone jumped on the bandwagon and wantedto take credit for the find. Everyone wanted to be onstage. S65 was pushed into the background. Deeley

CUI/Poua) Over time, the need to warn o~ers

of the Soviet threat grew,and NSA began to briefother members of the intelligence communIty.Balancing the need for secrecy versus the need towarn a ainst a threat was a difficult task.

briefed the GUNMAN project for seven'---_....years. One of the highlights for her was briefing thePresident's Foreign Intelligence Advisory Board.Normally this task would fall to Agency seniors,

TOP SI!iC~//COMnrr//RliLTO USA, fAUS, Ct~ GBR, n~L Page 11

DOClD: 3803783

'j?L. 86-36't'OP SECM't'f1CO~IIN't'ttML'1'0 US2\:, AUS, CAN 6ftlt, N2';L

but none were available so she was able to go tothe White House to make the resentation.31

-t81 NSA analysts left no stone unturned inreverse engineering the implant. The COMSEC andResearch organizations 'devoted considerable timeand effort into studying all aspects of the bug. NSAwas determined' to learn from the enemy. As thefollowing discussion demonstrates, reverse engi-

neering was very successful. Analysts uncoverednumerous characteristics of the implant.

(D) A brief explanation of the general charac­teristics of IBM Selectric typewriters will aid in theunderstanding of how the implant worked. Mosttypewriters had metal arms that swung up againsta ribbon to type a letter. IBM Selectrics, however,were unique because they used a round ball withnumbers and letters around the outside surface.When a typist struck a key, the ball moved intoposition over an inked plastic ribbon and descend­ed to imprint the character onto the paper.

~ The lot of equipment from the U.S. embassyin Moscow that was shipped back to NSA containedforty-four typewriters, six of which were bugged.The first step in evaluating the implant was to com­pare a bugged with a nonbugged typewriter. As S65and R9 personnel disassembled the typewritersside by side, they took video and still photographyof each part to ensure a thorough evaluation. Someof the unique characteristics of bugged typewrit­ers were that these typewriters had an additionalspring lug and screw; had a modified switch; andhad modified bails (the official term for bail isinterpose latch) or arms that controlled the pitchand rotation of the ball.

~ Reverse engineering was another exampleofhow entities within NSA worked in collaborationeven though they were in different organizations.Personnel from S65 and R9 divided the reverseengineering tasks. R9 personnel focused on theoperational aspects of the bug. S65 personnelremoved the printed wire assemblies and deter­mined the emanation capabilities. Together, S65and R9 personnel drew logic diagrams describingthe circuits. S65 persoimel also trained people fromother agencies to perform visual and x-ray inspec­tions of equipment in the field so that they couldlook for bugs. This training paid off because sevenadditional typewriters in the Moscow embassy andthree typewriters in the Leningrad consulate con­tained implants. A total of sixteen bugs were foundin twelve IBM Selectric II typewriters and four IBM

(U//POUO) In 1985, when the story of theSoviet bug of U.S. typewriters in the Moscowembassy broke on the CBS nightly news, WilliamCasey, the director of the Central IntelligenceAgency, was furious. He demanded a list of every­one that NSA had briefed on the GUNMAN project.I Iwas glad that she was able to supplythat list. Casey eventually dropped the investigationof the leak because the task of discovery w~s impos­sible. Too many people knew about GUNMAN.33

w 0 so wor ed in S64, reported thathe an took a GUNMAN briefing

'. on the road to warn our allies of the Soviet threat.I ~ole was to answer technical questions

from the audience.32

(U) Implant Characteristics86-36

\':' ..... ~ A discussion arose within the COMSEC\'" organization about whether the GUNMAN bug

\" "should be reverse engineered by a contractor or\\ bythe organization itself. Engineers such as

. ···.mslste t at t ey had the capability to dothis workl Igained reverse engineering expe­rience at a previous job with Naval Intelligence.34Management sided with the engineers, and reverseengineering of the GUNMAN bug became an in­house project. This was an important decisionbecause it e:p.abled NSA to learn a great deal aboutthe ingenuity of the Soviets and to gain a betterunderstanding of the threat. This decision alsoshowed that management and subordinates had agood working relationship and that subordinateshad initiative. It was an atmosphere that furtheredthe Agency's ability to fully carry out its mission.

I .//I /r ,/

I'P.L., '--,

Page 12 '1'01' SECU't'/tCOMIN"f'tiML '1'0 USA, AUS, CAN 8BR, NZL

DOClD: 3803783'FOP SECRE'FI/COl'lfHffffREL '1'0 US2\:, AUS, CAN 6Bft:, N}l';L

~Fig·7·Exploded viewsofbugged power

switch

Selectric III typewriters. Common features werefound in all sixteen typewriters: six ferromagneticmagnetizable bails were replaced with six nonfer­romagnetic nonmagnetizable bails with a verystrong magnet in the tip; all the typewriters con­tained a modified comb support bar which housedthe bug; all used burst transmissions at the 30, 60,or 90 MHZ range via radio frequency.

-f81 The Soviets continually upgraded andimproved their implants. There were five varietiesor generations of bugs. Three types of units oper­ated using DC power and contained either eight,nine, or ten batteries. The other two types oper­ated from AC power and had beacons to indicatewhether the typewriter was turned on or off. Someof the units also had a modified on and off switchwith a transformer, while others had a specialcoaxial screw with a spring and lug. The modifiedswitch sent power to the implant. Since the battery­powered machines had their own internal source ofpower, the modified switch was not necessary. Thespecial coaxial screw with a spring and lug con­nected the implant to the typewriter linkage, andthis linkage was used as an antenna to transmit the

informatiQn as it was being typed.35 Later battery­powered implants had a test point underneath anend screw. By removing the screw and inserting aprobe, an individual could easily read battery volt­age to see if the batteries were still active.

~The ingenuity of the Soviets was remarkablebecause they did not merely move from batteriesas a source of power to alternating current. Therewere early versions and later versions of bugs thatused both sources of power. NSA found that thefirst three implants were battery powered. Thefirst of these was shipped to Moscow in October1976, and the other two were shipped in April of1977. The first bug that used alternating currentas its source of power was shipped to Moscow inNovember 1977.The remaining nine machines thatwere found in Moscow used alternating currentas their source of power and were more advancedthan the first AC-powered bug. Five of the advancedmodel AC bugged typewriters were delivered toMoscow in February 1982. The remainder weredelivered in January of 1984.36 The later battery­powered bugged typewriters found in the consulate

I UP SECRET!! CONIINT11lmL '1'0 US2\:, AUS, CAN 8BR, N~L Page 13

DocrD: 3803783TOP SI!:CtmT//COMINT7'/'ti:L T6 USi\, AU'S, CAN 6BR, NZL

in Leningrad were shipped in April of 1977 andMarch of 1982.37

~All of the implants were quite sophis­ticated. Each implant had a magnetometer thatconverted the mechanical energy of key strokesinto local magnetic disturbances. The electronicspackage in the implant responded to these distur­bances, categorized the underlying data, and trans­mitted the results to a nearby listening post. Datawere transmitted via radio frequency. The implantwas enabled by remote control.38 Another advan­tage of these bugs was easy installation. Engineersestimated that a skilled technician could installan implant in a typewriter in a half hour.39 Theintegrated circuits were very sophisticated for thattime period. The circuits contained one bit corememory, an advancement that NSA engineers hadnever seen.40

(U) When the press learned that the Sovietswere bugging typewriters in the U.S. embassy in1985, reporters tried to describe the characteristicsof these bugs. One of the more technical explana­tions appeared in the June 1985 edition of Discovermagazine. How accurate was that description?

(U) In an article entitled "Tapping the Keys," abugging expert offered the following explanation ofthe Soviet bug:

The Soviets must have taken advan­tage of the way the Selectric types.A metal ball covered with charac­ters spins so that the appropriatecharacter strikes the paper and thenspins back to its starting point. Thetime it takes to accomplish the rota­tion to each letter is different. A low­tech listening device planted in theroom could transmit the sounds of atyping Selectric to a computer. Thecomputer could then easily measurethe time intervals between each keystroke and the character being put on

the paper, and thus determine whichcharacter had been tappedAt./P . L. 86- 3 6

-tsJ1 1an~~~i:"7lJ the COMSECorganization, who was involved hi reverse engineer­ing the GUNMAN bug, explainyd that the press hada good idea, but it was inaccutate: •"IBM Selectrictypewriters used a spinning ball to get the rightcharacter on the paper. The bug was not based onsound or timing. "1 lfurther~laborated: "TheSoviets were very good with m~tal. Housing thebug in a metal bar was ingenious. The bar was dif­ficult to open and it really concealed the bug frominspection."421 ran engineer fromR9 who also worked on this project, agreed:

To the naked eye, the bar looked likea single unit. You could not see thatit could be opened. The use of lowpower and short transmission burstsalso made it d@cult to detect thisbug. The bug contained integratedcircuits that were very advanced forthat time period. The implant wasreally very sophisticated.43

The discovery of this bug by NSA technicianswas a significant technical achievement.

(U//FOUO~ The press did not understand thelevel of sophistication of the GUNMAN bug. Forinstance, an article from Time magazine speculated"the Soviets somehow encoded the machine's typ­ing function, giving each character a distinguishingelectronic or magnetic signature."44

..(T~//se In reality, the movement of the bailsdetermined which character had been typedbecause each character had a unique binary move­ment corresponding to the bails. The magneticenergy picked up by the sensors in the bar wasconverted into a digital electrical signal. The signalswere compressed into a four-bit frequency selectword. The bug was able to store up to eight four-bitcharacters. When the buffer was full, a transmitter

Page 14 'fOp SE€Rirrf/€O~IIN'Fi/R£L'1'0 USh, AUS, CltN GBR, N1iL

DOCID: 3803783TOP SEeR£TffcOMI~//REL'fO US*:, AUS, C1\ff fiSK:, N2':L OGA

in the bar sent the information out to Soviet sen­sors.

(T£//£I) There was some ambiguity in deter­mining which characters had been typed. NSAanalysts using the laws of probability were able tofigure out how the Soviets probably recovered text.Other factors which made it difficult to recovertext included the following: The implant could notdetect characters that were typed without the ballmoving. If the typist pressed space, tab shift, orbackspace, these characters were invisible to theimplant. Since the ball did not move or tilt whenthe typist pressed hyphen because it was located atthe ball's home position, the bug could not read thischaracter either.45

(U) Damage Assessment

(~ Despite the ambiguities in knowing whatcharacters were typed, the typewriter attack againstthe U.S. was a lucrative source of information forthe Soviets. It was difficult to quantify the damageto the U.S. from this exploitation because it went onfor such a long time. The FBI examined typewriterinventory records to determine when the sixteenbugged machines arrived at the Moscow embassyand the Leningrad consulate, where the typewrit­ers were located in each facility, and to whom theywere assigned. The FBI was unable to uncover theanswers to these questions for several reasons. TheState Department had a policy at both the embassyand consulate of routinely destroying records everytwo years. State Department personnel normallyrotate to new assignments every two years soresponsibility for procurement of typewriters andinventory controls and maintenance changed fre­quently. There was no continuity of procedures forinventory contro1.46

OGA

(U) A Cunning Enemy

~ Why did the U.S. fail to detect bugs in itstypewriters for so long? One ofthe main reasons thebugs remained undetected for approximately eightyears was that the U.S. used outdated and inappro­priate techniques and equipment when conductinginspections and made mistakes in analysis. Anotherimportant reason was that the Soviets proved to bea cunning enemy. Much of the equipment used byU.S. Technical Security Countermeasure (TSCM)teams dated back to the 1950S. The GUNMANdevice used burst transmissions that were so shortthe signal disappeared from the spectrum before itcould be recognized by the older spectrum analyz­ers used by the TSCM teams. Burst transmissionsalso occurred intermittently due to the speed of thetypist. Since the devices were remotely controlled,

TOP SEeRET//eO:i\H~ffR£L'fO US",,-, ADS, CAN GBR, Ni'iL Page 15

DOCID: 3803783

IOF SECImT11CtlMIt'V'f'11ItEL '1'0 US2\:, AUS, CAN 6BR,~L

the Soviets could turn them off when inspectionteams were in the area. Newer spectrum analyzershad memory and could integrate energy detectedover a period of time. Newer analyzers may havedetected the GUNMAN device, but there wouldhave to be an element of luck. When using thespectrum analyzer, the typewriter would have tobe turned on, the bug would have to be on, andthe analyzer would have to be tuned to the rightfrequency range.

~ The design of the GUNMAN bar indicatedthat the Soviets had knowledge of techniques usedby American TSCM teams when inspecting facili­ties. For instance, the Soviets must have knownthat the U.S. used nonlinear detectors "t>ecausethe GUNMAN device was designed to filter outfrequency harmonics, which is an integral part ofwhat a nonlinear detector is searching for. TheSoviets also used snuggling techniques to hide thetransmission of the bug in the noise of the trans­mission of television stations. They deliberatelyset the devices in the same frequency band as theirtelevision stations so that U.S. analyzers wouldmiss the transmissions.

(~Once the GUNMAN bug was discovered,it became clear that some U.S. analysts had mis­interpreted clues over the years. In 1978 inspec­tors found an antenna in the chimney in the U.S.embassy in Moscow. The intelligence communitywas never able to figure out the purpose of thatantenna. Typewriters were examined in 1978, butthe technician did not find any bugs. The techni­cian assumed that if a modification had been madeto a typewriter it would be in the power structure.Therefore, he took x-rays of only the start capacitorand switch and the motor. In 1978 the source ofpower for the implants was batteries so no changeswere made to the power structure of the typewriter.Technicians missed the bugs.

~l rI I the SOViets exercised great caution Withtheir own electric typewriters. They prohibitedtheir staff from using electric typewriters for classi­

OGA

fied information. Manual typewriters that were tobe used for the processing of classified informationwere to be shipped from Moscow to other Sovietembassies only in diplomatic pouches. When thesetypewriters were not in use at the various embas­sies, they were to be stored in sealed containers.49

Despite these indications of Soviet exploitation oftypewriters, the U.S. Department of State took noaction to protect its typewriters.50

(~ Some consolation from the U. S perspectivewas that there was no indication that a U.S. personwas involved in the GUNMAN attack. The implantdevices were most likely installed by the SovietIntelligence Service when the typewriters wereunder the control of Soviet customs officials beforethey reached their destination at the embassy orconsulate.5011

I ~2 Thesefacts do not diminish the ingenuity and. deter­mination of the Soviets. As DIRNSA LTG Faurer

I · d EO 1. 4. (c)exp ame : P . L . 8 6 - 3 6

I think people tend to fall into thetrap of being disdainful too often oftheir adversaries. Recently, we tend­ed to think that in technical matterswe were ahead of the Soviet Union- for example in computers, aircraftengines, cars. In recent years, wehave encountered surprise after sur­prise and are more respectful. Mostfolks would now concede that theyhave enormously narrowed the gapand have caught us in a number ofplaces.53

OGA

Page 16 TtlI' SECImT11CtlMIN't'11ImL't'tl usn, kUS, €i\N 8BR, Ni'iL

DOCID: 3803783'fOY SECR££ffCOMIN'fffR£L '1'0 USA, A-US, G\N GGR, mL

P.L. 86-36

(U)GUNMAN Impact

~ The GUNMAN project had a major impacton the intelligence communityas a whole. Itbroughtabout a greater understanding of the thinking andoperations in a.totalitarian society. The communitybecame more aware of the hostile electronic threatagainst the U.S. NI rxplained, "If anyother agency such as CIA or the State Departmenthad discovered the bug, this change would not haveoccurred because they would not have publicizedthe incident." NSA, however, briefed all levels ofgovernment to warn them of the danger. NSA wasnot out to assess blame; it took the problem-solvingapproach.54

~ The State Department had a lax attitudetoward embassy security in part because theyviewed the relationship with other countries ina different light. Diplomatic staff were guests inother countries, according to the State Department.State had a mindset of developing relationshipsand learning the culture; security was not their topemphasis.55

CU) When the GUNMAN story broke in thepress, the State Department was forced to takesecurity more seriously. The Bureau of DiplomaticSecurity of the U.S. State Department and itsDiplomatic Security Service CDSS) were estab­lished officially on 4 November 1985. This bureau'spurview covered all aspects of the security needsfor the department, for its facilities at home andabroad, and for its employees and their fami­lies. The importance of the new organization wasindicated by making its head an assistant secretaryof state.56

t8t Numerous panels were formed to investi­gate not only how and why the Soviets were ableto bug embassy typewriters, but also all areas ofembassy security. These anels made numerousrecommendations.

Only"-----.....,,""':"'l"'"-----'l"""":'.,.....---.,.....""""l"'----'

some of the recommendations were implemented

OGA

due to a lack of cooperation between the varioussegments of the intelligence community. The con­gressional committees on intelligence oversightthreatened to reorganize the technical securitycountermeasures organizations within the variousagencies to bring about coordination and reduceduplication of effort. The Senior Interagency Groupfor Intelligence was formed to avoid congressionalaction. This body attempted to get the agencies towork together, but they found it difficult to shareinformation with each other. Both the CIA and theFBI reorganized and upgraded their technical secu­rity organizations.57

fBj-GUNMAN had a long-term positive effecton the State Department's policies and proceduresfor shipping plain text processing equipment. In1988 the State Department built the facility toinspect and package all plain text processing equip­ment that is shipped overseas. This facility is stillin operation today. The Department also main­tains a list of preferred items that will enhancesecurity.58 In comparison to the rest of the intel­ligence community, many people believe that theState Department has the best security measurestoday for protecting unclassified equipment that isshipped abroad. P. L. 86- 3 6

t&) GUNMAN also hacisorile positive effects onNSA. As! Ian engineer in the researchand development organization during the time ofGUNMAN, explained:

Before 1984 the community did notbelieve NSA and its abilities. As aresult ofthe 1984 work on GUNMAN,the stature ofNSA in terms ofdealingwith the embassy security communi­ty changed radically. We became thevoice to listen to, and I'm very proudofthat.59

-"i.

'f'Ot' SECltE'f'jjCOMIN'f'jjltEL '1'0 US7\:, AUS, CAIq- 66ft:, r~L Page 17

DOCID: 3803783 OGA

'fOF SECR:E'f//COMIN'f'jjItEL '1'6 tfSA, A:tf~, elm' GlUt, N2'.:L

I asked the COMSEC custodian wherehe stored the keying material. Heshowed me the plastic bags that hadcontained a tamper-proof canister.He praised the use ofthe plastic bagsand said they were great for storingfish bait. To my horror, the fellowwas removing all of the key fromthe canister which was intended forkey storage. Instead of removingonly the key neededfor that day, hewas taking it out all at once, whichtotally eliminated the tamper protec-

E&) Because of the GUNMAN revelationsand other compromises, such as the Walker spyring, NSA expanded its anti-tamper program.Customers were more receptive to using thesesolutions because they recognized the securitythreat. Technicians at NSA, such as

invented new"-----:----~-.;----.:---:------.;-~

anti-tamper technologies such as holograph andprism labels that could not be easily duplicatedby an adversary who tried to remove them from apackage.64 On 1 May 1989, in recognition of boththe growth and importance of these technologies,the INFOSEC organization consolidated all of itsanti-tamper programs into a new separate division,Y26, the Protective Technologies ImplementationDivision.65 In recognition of the need to train cus­tomers in the proper use of tamper technologies,a separate awareness and education branch wasestablished within the division. Prior to the forma­tion of this branch, technologies were provided tothe customer without any emphasis on their properuse~ Iwho worked as a chemistin vanous technology tamper programs, reportedon a visit that she made to seea.customer on theUSS Witman in the spring of 1984:

P.L. 86-36

00 In the late 197()S,1 Icame to NSA fromClA to start an anti-tampertechnology program. In the spring of 1984, whenNSAseI1f replacement equipment to the Moscow

P.L. 86-36OGA

f8t Plans that had been stalled were imple­mented because of GUNMAN. For instance, theNational Security Council promulgated NationalSecurity Decision Directive (NSDD) 145. This direc­tive, signed on 17 September 1984, made DIRNSAthe national manager for telecommunications andautomation information systemss~curity.61

P. L,S6-36

(~) After the GUNMAN revelations, sever"ilchanges came about within the COMSEC orga­nization at NSA. While the GUNMAN discov­ery was not the only cause for these changes,it certainly influenced their implementation. In1985 the name of the COMSEC organization waschanged to the Information Security (INFOSEC)organization.62Information security denoted anexpansion of responsibilities for the organization.The organization had more to protect than just thetransmission of information. This name changealso reflected the greater awareness of the need toprotect plain text information and the intention ofthe DDI to place greater emphasis on the protec­tion of plain text. NSA management reorganizedthe INFOSEC organization to better handle itsinformation security responsibilities. For instance,the organization became more involved in tech­nical security countermeasures. The TechnicalSecurity Engineering Center, X3, created on 14May 1986, became responsible for advanced tech­nology development, fabrication security - thesecurity of equipment as it is being built - techni­cal security, and facility evaluation. Plans called forX3 and R9, which was responsible for the exploita­tion of the adversary's communications, to jointlyconduct facility evaluations. NSA hoped to improvetechnical security through this more coordinatedapproach.63

1II embassy,] I

L...- ----J----------.... NSA had its own program to protect keying mate-rial and equipment, but it was small in comparison

h CIAP.L. 86-36

to t e program. OCiA

Page 18 'fOF SECIffi'f//COMIN'fffREL 'fO US1\:, *US, OAN GBR, Ni!iL

OOClO: 3803783TOP SI'JCR:ETjfCOl\HN'Fh'R£L 'FO USA,~ CAN 68ft:, flW)L

tion. Without training, what couldwe expect? 66

Because of these developments, NSA became aleader in technical security.

(U) Conclusions

+8) From approximately 1976 to 1984, theSoviet Union used electromechanical implants togather information from typewriters located in theU.S. embassy in Moscow and the U.S. consulate inLeningrad. Project GUNMAN was NSA's plan toremove communications and information process­ing equipment from the U.S. embassy in Moscowand bring it back to Fort Meade. Phase two of theproject was to thoroughly examine each piece ofequipment in search of a bug. GUNMAN was wellplanned and well executed. Within five monthsten tons of equipment was procured and deliveredto the embassy without interruption to embassyoperations. Eleven tons of equipment was broughtback to Fort Meade, and the first bug was discov­ered on 24 July 1984. NSA managers were ableto move a large bureaucracy into action to meet amajor threat to u.s. security. The actual discoveryof the bug demonstrated the talent of NSA techni-

pn.~~D~'l~Tcularl~ ICU) Eight months after the GUNMAN discov­

ery, the story broke in the press. By highlightingthe damage, press coverage helped to focus theattention of the U.S. government on improving thesecurity of its information. The press did not fullyunderstand the level of sophistication of GUNMANtechnology. They also did not appreciate the effortand talent used to discover the bug.

~ The GUNMAN experience had many posi­tive effects on the Agency. NSA elements sharedinformation and worked more cooperatively. TheCOMSEC organization gained a deeper appre­ciation of the ingenuity of the Soviets and thus agreater understanding of the threat to U.S. commu­nications. GUNMAN demonstrated that the Sovietswer~D!nterested\ \

OGA

I lin exploiting crypto communications.More Agency personnel gained expertise in reverseengineering, and there was a greater appreciationof the benefits of these techniques. NSA placedgreater emphasis on the development of anti-tam­per solutions to protect equipment, and customerswere more interested in using these technologies.NSA learned valuable lessons from the enemy.

ftB As a result of GUNMAN, NSA gained astronger reputation as an expert in technical secu­rity within the U.S. government. Consequently,NSA was called upon to evaluate facilities and toprovide advice to other segments of the govern­ment.

E&) The GUNMAN incident had the greatestimpact on the Department of State. Because ofGUNMAN and other security problems, the StateDepartment developed better security policies andprocedures, especially in the areas of inspectionand shipment of equipment. These practices arestill in effect today.

~ GUNMAN did not have as much of animpact on the rest of the intelligence community.Individual agencies upgraded their own technicalsecurity efforts, but the intelligence communitydid not work cooperatively or share information.There was a great flurry of investigations in whichthe U.S. attempted to learn from the Soviets. Thequestion was not did we learn from the enemy, buthow long will the U.S. government and the intel­ligence community remember the lessons that theylearned from the GUNMAN project?

CU) Although the GUNMAN discovery occurredover twenty years ago and the Soviet Union was dis­solved in 1991, the GUNMAN story is still relevantfor the intelligence community. GUNMAN illus­trated what can happen when we underestimatethe capabilities of an adversary. It also highlightedthe need for vigilance in maintaining security.

TOP SECR:ETjfCOl\'IIm//R:EL TO Ut~M:, hUS, CAN GBR, N2JL Page 19

EC[):O[:.]f): 3803783f.L. 86-36OGA '1'01' SEetffi't'l/eO~IIN't'//tffiL'1'0 USA, AUS, CAN 8BR, N~L

!.f.L. 86-36

nterviewers: Linda Murdock and Sharon Maneki.(Center for Cryptologic History)

ral Histo 2006- 8

Interviewers: Linda Murdock and~S~h-ar-o-n-M-a-ne~ki~·-.(~Center for CryptoJ6gicHist6ry)

/::, .

P.L. 86-36

Interviewers: Linda Murdock and Sharon.....__...1

Maneki. (Center for Cryptologic History)20. (UI/FOUO) S65 COMSEC Standards and

Advanced Technology Division, Evaluation of ProjectGUNMAN. 28 January 1985. (NSAArchives, accession

number 49509)21. (U ) Oral History 2006-17

11. (U//OOUO)I Ni~ject GUNMAN:After the Smoke Cleared." November 19~6, 10-11. (NSA

Archives, accession number 46286) • .• \,12. (U/;,FOUO) S65 COMSEC ,P\~ndards and

Advanced Technology Division, Evalu~ti?n of Project

GUNMAN, 28 January 1985. (NSA Arclll~~' accessionnumber 49509) • •••••

13· (Ut1FOU01 t'PrbjectGUNMAN:After the Smoke Cleared." November 1986\,14. (NSA

Archives, accession number 46286) •... \ \\\14. (U/;,FOUO) The COMSEC OrganiZationl NSA, A

Special Report to the U.S. Congress: Project GIJNMAN.March, 1985, "Background." (NSA archives, ~ccession

number 48399)

15· (u/lpeUO) Oral Histo r:--..::..:;.._..:.:.a..,...................- ....Interviewers: Tom Johnson an-....._-_....Cryptologic History) •\ \

16. (U//FOUO) Oral History 2007-20, R()b~rt

Surprise; Interviewers: Linda Murdock and Sh~rQn

Maneki. (Center for Cryptologic History)17. (U/fFOUO) Oral Histo 200-2

Interviewers: Linda Murdock andL..-_--J

Maneki. (Center for Cryptologic History)19. (UI/FOUO) Oral Histo 200 -06

Interviewers: Linda Murdock and Shar.pnL...:-M~an-e':'"'ki:-.~(Center for Cryptologic History) ii

22. (U/t¥OUO) I Itelephone¢~nversa-tion with Sharon Maneki, 18 December 2006:

23. (UI/FOUO) Oral-History 1998-14,1.........----Interviewers: Tom Johnson andl· .. ...rCenter

for Cryptologic History) ! ii /

24. (UI/FOUO) Oral History 'Z,007-07,

(U) Acknowledgements

Interviewer;' Tom Johnson. (Center·for~Cryp~-t-o:-lo-gI:-·c-H...Ii·story) ii /./

10. (UIIFOUO) OralHisto~ 1998-141 / IInterviewers: Tom Johrt~ona~{ tcenter forCryptologic History) ii/:/

CD) I also wish to acknowledge the technicaldirector of the CCH and the editorial staff for theirguidance and assistance. They greatly enhancedthe clarity and readability of the manuscript.

CD) I wish to acknowledge the men and womenof NSA who graciously and enthusiasticallydescribed their experience with Project GUNMAN.I also appreciated their patience and willingnessto explain technical details of the project. Thispublication would not have been possible withouttheir assistance.

(U)Notes1. (U) Transcript, CBS Nightly News. M,arch 25,

1985·2. (U) George F. Kennan, Memoirs: 1950 to 1963.

(New York N. Y.: Pantheon Books, 1972), 152-157.• 3. (U) Transcript, CBS Nightly News. March 25,• 1985.

4· -ffflr

1 1-1.-..~5.l('(u~/+/F~OgUgfO~~Co>rraialiiHIiiSstt<orrryVI.19[}<9~8~177.,ILTGLincoln D.Faurer; Interviewer: Tom Johnson. (Oral history inter­views are kept at the Center for Cryptologic History.)

6. (UI/FOUO) the COMSEC Organization, NSA, ASpecial Report to the U.S. Congress: Project GUNMAN.March, 1985 "Background." (NSA Archives, accession

number 48399)7. (UI/FOUO~ t'Project GUNMAN:

After the Smoke Cleared." NoveI9ber 1986, 7-8. (NSAArchives, accession number 462?6)

8. (UI/FOUO) Oral History 1998-17, LTG LincolnD. Faurer; Interviewer: Toryi Johnson. (Center forCryptologic History) /

9. (UI/FOUO) Oral/History 1996-3,

P.L. 86-36

Page 20 TOY SECRfffffCOMINT//REL TO USA, AUS, CAN 8BR, 1'i~L

86-36

L. 86-36

42. (UI/FODO) Oral History 2006-47,

00 ey an S aron Maneen er for Cryptologic History)

44. (U) Time, 8 April 1985, "A Deadly SeriousGame."

45. (U//FOUO~ "GUNMAN Text Recovery fromIBM Selectric III Typewriters." C Expository ReportNO.18-91, 19 July 1991. (NSA Archives, accession num­

ber 49509)46. (U) "Parting Shot: Espionage Russia." (Federal

Bureau of Investigation) March 15, 1985, 2. (NSAArchives, accession number 49509)

47. (U) Report on the GUNMAN Project by aDamage Assessment Team of the Department of State.

July 11, 1985.48. ~Jr-----------

Interviewers: Linda Murdock and Sharon'------'Maneki. (Center for Cryptologic History)

43. (Ul/FOVO) Oral History 2008-79,

25. (U//fOUO) Oral Histo 2006-1

TOP SECRET/lCOMHffffREL TO USfl, AUS, C:t\:N GBR:, N~L

""'--__....... Interviewers: Linda Murdock and SharonManeki. (CenterJor Cryptologic History)

28. (Ur:/FOO:(7) Oral Histo 200-0

.1.---- Interviewers: Linda Murdock and SharonManeki. (Center for Cryptologic History)

31. (U Oral Histo\ 2006-....... ...J Interviewers: Lin~a Murdock andSharon Maneki. (Center for Cryptologlc History)

32. (UjfFOUOj Oral History 1998-15~ I 49· (U//FOU01 rProject GUNMAN~Interviewer: Dr. Thomas R. Johnson. (Center for After the Smoke Cleared." November 1986, 19-21. (NSACryptologic History) Archives, accession number 46286)\. •

33. (Uf/FOUO) Oral Histo 2006-0, 50. (UI/FOUO)I ~~:T4e Legacy ofnterviewers: Linda Murdock GUNMAN." (briefing to the NSA workforce},fNovember

L..",.....---:-::---;-:....S aron Maneki. (Center for Cryptologic History) 2000. (NSA archives, accession number 49509) •

. U Oral Histo 2006- r-----., 51. (U) "Parting Shot: Espionage Russia." "(F~eralInterviewers: Linda Murdock and Sharon Bureau of Investigation) March 15, 1985, 10. (N,SA

'-M:-:-a-n-eki;-:"'"'.~(C":!!:'enter for Cryptologic History) Archives, accession number 49509)/ .... iP • L .

35. (U) S65 COMSEC Standards and Advanced 52. (U//FOUO~ 1"Pf6Je~tGUNMAN:Technology Division, Evaluation of Project GUNMAN. After the Smoke Cleared." Novem~er 1986, 40. (NSA28 January 1985. (NSA Archives, accession number Archives, accession number 46286)49509) 53· (U) Ronald Kessler, Moscow Station: How the

36. (U) ''Twelfth Interim Analysis Report on the KGB Penetrated the American Embassy. (New York,GUNMAN Find." 18 October 1984. NY: Macmillan Publishing Co., 1989), 97.

37. (U) "Thirteenth Interim Analysis Report on the 54. (Ui/FOUO) Oral History 1998-~5~r---------'1GUNMAN Find." 25 October 1984. Interviewer: Dr. Thomas R. J()hrison. (Center for

38. (U) "Sixth Interim Analysis Report on the Cryptologic History) ,GUNMAN Find." 6 September 1984. 5 . ( OralHi~to 20

39. (U) "First Interim Analysis Report on the Interviewers; Linda Murdock and SharonGUNMAN Find," no date. L.-M-an- eki-·-.-(Cented6;'Cryptologic History) •

40. (U//FOUO) Oral Histo 200 -0 r-----, 56. (U)J:{~raig Barker, The Protection ofDiplomaticL..- ..."Interviewers: David Cooley and Sharon Pers?T.tnel, Chapter 1. (Burlington, Vermont: Ashgate

Maneki. (Center for Cryptologic History) Publishing Co., 2006) EO 1.4. (c)

41. (U) Discover, June 1985. "Tapping the Keys." !// P. L. 86- 3 6P.L. 86-36 OGA

Interviewers: Linda Murdock..~:-----.,---=~

Sharon Mapeki. (Center for Cryptologic History),..-----,

27. ( J Oral Histo 2006-1

Interviewers:\Linda Murdock and SharonL......,-~~~

Maneki. (Center for Cryptol()gic History)30. (U//FOUOj Oral Histo 200 -06

Interviewers: Linda Murdock anda.,.~..,......~

'. '. (Center for Cryptologic History)26.... (Ui/FOUO) Oral Histo 200-0

interviewers: Linda Murdock and... '":::":""""--:-:~-;-:--}Sharon Maneki. (Center for Cryptologic History)

~----.29. ( Oral Histo 2006-1

DocrD: 3803783P.L. 86-36

TOP SECR£FffCOMINF//~LTO USA, l'.zUS, Gy;r GlUt, ~~1. Page 21

DOCID: 3803783

'f'OP SECltE'f'11COMfN'f'I/KEL '1'0 US*:, AUS, C2\N 6BR, NZL

57· (UI/FOUOl I"Project GUNMAN:After the Smoke Cleared." November 1986,23-25. (NSAArchives, accession number 46286)r---"';""'---...,

58. (U) Oral History 2007-18,

:';.P.L. 86-36

Interviewers: Linda Murdock and Sharonane . Center for Cryptologic History)

Interviewers: Linda~M:-:-u-rd~o-c~k-an-d7""::S~h-a-ro-n""""':'M"':'a-n-e"';'ki-:-·.~(Centerfor Cryptologic

History). U Oral Histo 200-

Interviewers: Linda Murdock and~M~an-e"""".(Center for Cryptologic History)

60. (U//FOuol IC0I'I'~spondencebye-mail with author.

61. (U//¥OUOf-------,~"l?roject?UNMMl':After the Smoke Cleared." November 1986, 37; (NSAArchives, accession number 46286)

62. (U//FOUO) Organization Audit Trail Database(OATS).

Afte~3~~/~:~:O~leared.9S NovemJ;ro;:;~~~~~Archives, accession number 46286)

64. (U//FOUO) Oral History 2006-17,(e-mail attachment to transcript.) Interviewers:

L..,,-~--'

Linda Murdock and Sharon Maneki. (Center forCryptologic History)

65. (U//FOUO) Organization Audit Trail Database(OATS)

66. (U//FOUO) Oral Histo 200-2

Page 22 TOP SECRETf/COl\HNTf/REL TO USA, AUS, CMl GBR; NZ3L

DOClD: 3803783J:QP ~JAC~J://CQ~41Nf//~LTQ USh, t'..US, CAN GBa, P't~L

"'" -

P.L. 86-36

·P. L. 86-36OGA

Harriman, Averell 1Hartman, Ambassador Arthur 7

delivering to embassy 6inspection process 8-9preparing for shipment 5-6replacement process 7-8

I

H

F

1 ·P,1OGreat Seallmplant example

Faurer, General Lincoln 2-3, 16Federal Bureau ofInvestigation (FBI) IS, 17Foreign Intelligence Advisory Board IIEO 1. 4. (c)I tEO 1.4. (d)

P.L. 86-36G P.L. 86-36 OGA

(U) Index

discovery of implant 8-11

E

D

Eagleburger, Lawrence 4

/1 III· employees, U.S. embassy 7

equipmentacquiring replacements 5

r ~4,7Casey, William 4,12 <OGAcash bonus, offered for bug discovery 9, II ..CBS news report 1-2,12 ../Central Intelligence Agency (CIA)I /// rCold War 1/1,.0·~---

COMSEC organization 18/COMSEC Standards angAdvanced Technology Division 8

I IS···con ressional investigations 17 EO 1. 4. (c)

15 P. L. 86- 3 6

IBM Selectric typewritersacquiring replacements 5characteristics of 12, 14implant discovery 10implant operation 14

impact of GUNMAN 17-19implant

characteristics 12, 14discovery of 8-11reasons undetected 15-16

Information Security (INFOSEC) 18inspecting equipment 9

5 inventory of embassy equipment, laci<,oL'Eo 1. 4. (c)

;-....:~~~:.l;}~~:;:.:t~~:::.:~~:::..e~:;:;t~::.::::.::~:;,;::.;,il..~:.:;::~.::;:;N:..:le.:;:::.:~:..:("::D:.;s~:';S~~"":"17:..... .....,t ..... ~GB 3, 15'\6 .....J///// ~:~1

. : 6~~~~ 12-3

Ir-M-----118·····/···,······/···

1.....--;"""'""_-----,1 3media coverage 1-2, 12, 14

r.L. 86-36

\A

\. acquiring replacement equipment 5

\I 18f. anti-tamper technology program 18

~.•......•.....• approval of prol·ect GUNMAN plan 4I ~~ \10_~~B

CJwens.i

17

• 0• 12, 14, 18, u. nt• Bureau of Diplomatic Security 17

P.L. 86-36

I UP SELKE I 77COMIN'T//ImL 'f'0 US1\:, 1\US, CAN GBa, N~L Page 23

DOCID: 3803783TOP SECR£T/lCOi\IINF/lREL TO US*, AUS, &iN GBR, UZL

\p •.L. 86-36....

N TSCM. See U. S. Technical Security Countermeasure

National Secl,lrity Council 3, 18National Security Decision Directive (NSDD) 145 18

w

X3 18x-ray technology, use of 5,9-10, 12

Union of Soviet Socialist Republics (USSR)eavesdropping techniques 2espionage examples 1KGB 3,15-16NSA concerns about alerting 5Soviet Intelligence Service 16

U.S. embassy in Moscow 6-8U.S. Technical Security Countermeasure (TSCM) 15

Y26 18

y

u

....... Weinberger, Caspar 3I 13-4

X

...

...

OPS 3 building 9

R

· R9 3,10-12,18• radio frequency 13• reactions to implant discovery II• Reagan, President Ronald 3-4, 11• replacing equipment 4, 7-8.• reverse engineering 12

[ ~-;~, 17

S

p

••• packaging, tamper-proof 5-6

I p2•• plam text 11•. plan to remove equipment 3.. Poindexter, Admiral John 4

• • Polaroid film shortage 11• • power switch 13• •preparing equipment for shipment 5-6

•1 118Protective Technologies Implementation Division 18

... o

S64 11-12S65 5,8-9,11-12S651 5S building 9Schultz, Georg~ 4security during equipment shipment 6Senior Intera ency Group for Intelligence 17

16

<.,

T

T2 5TlOOZ teleprinters, implants placed in 2-3tamper detection devices 5Technical Security Engineering Center 18T Motor Pool 5

i·

l Page 24 ~OF' SE€~~//€OMIN"f'i/ltl:L~O USA, AUS, CAr, 6ftlt, NEt