The story of the inadequacy of allied communications security (Comsec) at the beginning of the Second World War and its gradual improvement tends to focus on signals carrying textual messages, the transition to machine-based rather than book-based encryption systems, and eventually to on-line encipherment, enabling the 'BRUSA Circuit' which linked the UK and US, Australia, Canada, and communications centres serving major allied commands around the world on secure HF radio. It was always possible, though, to deny adversaries any chance of intercepting a message by not transmitting it on a channel accessible to them. For example, transatlantic cables, while theoretically tappable, weren't vulnerable in practice. That meant that the most sensitive material could be sent between the UK and the US without danger of enemy interception. The material would still be encrypted so that as few as possible of the people handling the traffic would see the content, but the authorities on both sides of the Atlantic could be confident that the material would not be seen. This was incredibly expensive – at busy periods a million dollars a month just to US cable companies – but uninterceptable.
But what about telephone calls? There were no secure speech systems before SIGSALY was first used in July 1943. Instead, scrambler systems were used to invert the voice signal. For calls within the UK this was a weaker analogue of the cables: scrambling would be enough to stop operators at exchanges from overhearing the content of a call even though they would know that a call was taking place. There was no doubt that the Germans would be able to 'deinvert' the signal and hear the clear speech if they had access to the telephone lines, but the UK authorities were confident that they hadn't.
The one problem was international telephony. There were no voice grade cables across the Atlantic until the mid-1950s, so international calls had to be made a) on HF which was interceptable and b) protected only by a scrambler, which under certain conditions was processable by German Sigint. Add to the mix the fact that the Prime Minister and the President valued personal contact, and weren't prepared only to communicate in writing, and the potential for significant breaches of security was very high indeed.
Three days after Mussolini was sacked by the King Victor Emmanuel, and after the Italian Government had begun secretly to negotiate armistice terms with the allies, President and Prime Minister had a conversation which led to such a breach. Here is the German report:
'At 0100 hours a radiotelephone conversation between Churchill and Roosevelt was intercepted. It concerned a proclamation by Gen Eisenhower and an imminent armistice with Italy.
Churchill: "We do not wish any armistice terms to be recommended by us until we are formally requested to do so."
Roosevelt:
"That's right."
Then they discussed the matter of British prisoners of war in the hands of the Italians with regard to preventing their (the British POW's) removal to the "land of the Huns". Therefore, Churchill wanted to send a dispatch to the King of Italy. Roosevelt took it upon himself to address a statement of his own to "Emmanuel". "I don't quite know just how I'm going to do it."
This is clear proof that secret negotiations between the Anglo-Saxon powers and Italy have been under way.
The Deputy Chief of the Armed Forces Operations Staff made the following observation on this subject: There are some 60,000 British POW's in Italy. The proposals of the Commander in Chief South that these POW's be evacuated from Sardinia and southern Italy have not been acted upon. The Office of Foreign Affairs has been requested to consider the matter.'
This was almost certainly not the first the Germans knew of Italian plans to request an armistice, and, anyway, they had begun to send more troops to Italy as soon as Mussolini had been deposed, but this was, as the German report of the conversation said, clear proof that Italy was ready to change sides.
When I was GCHQ Historian I liked to show a copy of this report to visitors and ask what they thought. The reaction was always the same: the President and the Prime Minister shouldn't have been allowed to speak on insecure links that the Germans could intercept and process. If I then asked who had the authority to tell them that they weren't allowed to speak to each other there was less certainty. It would be a brave official who would attempt to stop them and few people thought that Churchill would meekly accept such advice. 'The King?' one visitor said.
My reaction – at least my first reaction – is different: why was there no secure means for Churchill and Roosevelt to speak to each other? Why did it take until July 1943 (ironically, a fortnight before this particular conversation took place) to develop and field a workable system and why did the UK have to adopt a US system?
I've written enough about the fact that GC&CS didn't take Comsec seriously enough to explain this in part, but I think it's also the case that securing voice communications, which has to be done on-line, was too difficult, and was therefore left to one side until the UK heard that the US was working on a solution. At just about the same time as Alan Turing visited the Bell laboratories and was briefed on the progress of SIGSALY Tommy Flowers was proposing an entirely new sort of machine, Colossus – what would eventually become the computer – to solve the biggest cryptanalytical problem facing GC&CS, and the GPO effort required to make that work probably precluded similar investment in secure speech as well.
The
British answer was to copy the US system, but a project (BANGLE) which began in
1944 and which aimed to build 20 machines, based on SIGSALY but miniaturised
sufficiently to be used from a 4-ton truck, was unsuccessful and was eventually
abandoned in 1953. PICKWICK at the end of the 1950s was the first entirely
British system.
Very interesting. Various techniques might have reduced the risk of interception, though they would not eliminate it. At any one time of day there would have been quite a spread of frequencies that could be used for the UK-US circuit, and even though the Germans would have been monitoring that spread as intensively as they could, it would have been near impossible to cover the whole range all the time. Therefore, as long as the call began on a prearranged but not preannounced pair of frequencies there would be an initial period during which interception might be assumed to have not yet occurred. (The pair of frequencies refers to different ones in each direction over the Atlantic for each side of the conversation, meaning that the Germans would have to find - and descramble - both to get the full exchange.) A second possible risk mitigation would have been to change the frequencies at regular intervals during the call, though this would interrupt the conversation and been frustrating for the two men. There should also have been a tight limit to the overall duration of the call, but again, this meant someone would have had to, in the end, tell the two to shut up!
ReplyDeleteYou are right, of course. The Germans need to have a spectrum analyser and be lucky to be on watch at or near the start of the call, while the allies needed to be slick during the set-up. But if the PM decided at 10.00 one evening that he was going to call the president, then much of the set up would happen on an en clair link.
DeleteThere comes a point where the need to communicate overwhelms the need for security and thus can edge towards the boundaries of the risk envelope. Risk Management in modern parlance. Never ever easy.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteHere is a list of the known SIGSALY terminals and their operations as of 17 DEC 1945 from a fellow researcher's trawl of all 16 boxes of SIGSALY in the National Archives.
ReplyDelete#1: LONDON - JUL 1943. Extension run to War Cabinet Office. Originally procured for Washington. Sent to London.
#2 WASHINGTON - MAR 1943. Extension run to Navy Department at the Munitions Building. Originally procured for London. Sent to DC.
#3 ALGIERS (OCT 1943-APR 1944). Installation begun 12 August 1943. Returned to US in April 1944.
#4 BRISBANE (NOV 1943-JAN 1944) to Manila (JUN 1944)
#5 HONOLULU (Ft. Shafter) (DEC 1943). Extension run to CINCPAC at Pearl Harbor.
#6 FRANKFURT, GERMANY (JUN 1945). (RIBBON) Originally procured as spare. Terminal sent to Italy, but not installed. Moved to London and held pending invasion of Continent.
#7 WASHINGTON (MAR 1944) Originally procured for London. Due to load, second terminal added in DC. Extension run to Navy Department at the Munitions Building.
#8 PARIS (26 OCT 1944) (SAMPLE) Originally procured for Washington.
#9 OL-31 Barge (MAY 1945) Originally procured for Alaska. Used at Manila until Terminal #4 moved from Brisbane to Manila. Terminal #9 was then moved to Tokyo and put in service OCT-1945, pending arrival of a permanent SIGSALY terminal (which will be #11).
#10 GUAM (MARCH 1945) (NEPTUNE) Originally procured for China. Installed for the Navy, but run by Army. Extension run to USSTAF HQ for the AAF.
#11 OAKLAND, CA (OCT 1944-OCT 1945). Originally procured as Spare. Held for installation in Moscow if needed. Finally installed in Oakland. Removed from service on 31 Oct 1945 for shipment to Tokyo for permanent installation there.
#12 BERLIN (DECEMBER 1945). Not on original procurement order circa 1943.
REQUIREMENTS:
Terminal Room (22x35 ft with 10 ft ceiling and 180 psf floor load capacity. Due to security, terminal room must be free of windows.) This contains 54 equipment bays.
Dispatch Room (15x15 ft) aka control room.
Conference Room (15x20 ft approx) - Large conference table, 6 to 8 chairs, telephone instrument and 6-8 monitor receivers wired to the conference table.
Power/Storage Room (22x40 ft) Holds 2 x 50 KW 3 phase generators + voltage regulators + air conditioning. Also used to store spares and act as a shop for maintenance.
Due to the enormous heat level of the equipment (25 kW) and the need to provide 70F and 65% humidity for the equipment, each terminal has a 15 ton air conditioning plant sent with it; so total full power load is 60 kW.
On 21 JUNE 1945, the existence of SIGSALY was downgraded from SECRET to RESTRICTED and it was made known that it was approved to carry up to TOP SECRET discussions.
This was partially due to the enormous cost of running the system, as every day they had to do a full systems check and handshake with the other terminals to synch everything up in case someone wanted to use it that day.
With it at SECRET, not many people knew about it and so utilization was very low compared to the systems' theoretical capacity.