On January 14, the NSA disclosed a serious vulnerability in the CryptoAPI service of the Windows 10 operating system (vulnerability identifier: CVE-2020-0601) and in a rare public Cybersecurity Advisory, the agency offered further details about this issue.
An interesting detail is that this Cybersecurity Advisory has two serial numbers in the same format as the NSA uses on their Top Secret intelligence reports, some of which have been published by Wikileaks and as part of the Snowden-leaks.
The serial numbers on the NSA's Cybersecurity Advisory from January 14, 2020
The NSA's Cybersecurity Advisory has three groups of numbers, the last one being the date of the document in the format month/day/year, which is typical for the United States.
The first group seems to be an external serial number, while the second group is more like an internal serial number. Below, the components of both serial numbers will be discussed in detail.
External serial number
The first serial number on the public Cybersecurity Advisory is similar to the serial numbers on a range of highly classified intelligence reports which were published by Wikileaks in June and July 2015 and in February 2016. These documents were not attributed to Edward Snowden, so they were probably provided by a still unknown "second source".
These intelligence reports were part of various editions of the "Global SIGINT Highlights - Executive Edition" briefings. Wikileaks published only one report in the original layout with header and a disclaimer. In the bottom right corner they have one or two serial numbers, one number for each source of intelligence:
NSA intelligence report about an intercepted conversation between French president François Hollande and prime minister Jean-Marc Ayrault, May 22, 2012. (Watermarked by Wikileaks)
The serial numbers are followed by a timestamp in the standard military notation: for example, 161711Z stands for the 16th day, 17 hours and 11 minutes ZULU (= Greenwich Mean) Time, with the month and the year as mentioned in the briefing.
The first five intelligence reports published by Wikileaks were from 2006 to 2012 and have the following serial numbers:
These kinds of briefings are called serialized reports, which are described in the NSA SIGINT Reporter's Style and Usage Manual as "The primary means by which we provide foreign intelligence information to intelligence users, most of whom are not part of the SIGINT community. A report can be in electrical, hard-copy, video, or digital form, depending on the information's nature and perishability."
The NSA Style Manual also explains the serial numbers of these reports: "Serial numbers are assigned to NSA reports on a one-up annual basis according to the PDDG issuing the report. Every serial includes the classification level, the PDDG of the originator, and a one-up annual number, as in the following examples:
The classification level of a report can be represented by a variety of codes. Comparing the first part of the serial number with the classification marking of a particular report shows that they are assigned according to the following scheme:
1 = Confidential (C)
2 = Secret (S)
3 = Top Secret (TS)
E = ?
G = TS/Comint-Gamma
I = ?
S = ?
U = Unclassified
Z-G = TS/Comint-Gamma
Z-3 = TS/Comint
The Producer Designator Digraph (PDDG) consists of a combination of two letters and/or numbers and designates a particular "collector". These codes refer to NSA collection facilities and programs, but those with double vowels stand for the signals intelligence agencies of the Five Eyes partnership, as was already revealed in Nicky Hager's book Secret Power:
AA = GCHQ, United Kingdom
EE = DSD, now ASD, Australia
II = GCSB, New Zealand
OO = NSA, United States
UU = CSE, Canada
The one-up annual number doesn't seem like a continuous number for each year: on the Windows vulnerability report the one-up number is 104201, which would mean that the NSA had already produced over one hundred thousand reports in the first two weeks of 2020 alone. That's not realistic, so maybe there are number ranges assigned to each producer or something similar.
Finally, the year in which the report was issued is represented by its last two digits.
Internal serial number
The second series of letters and numbers on the NSA's Cybersecurity Advisory seems to be an internal serial number. In this case it's PP-19-0031, a format that we also saw on the draft of the famous NSA Inspector General's report about the STELLARWIND program, which was leaked by Edward Snowden. This draft report is dated March 24, 2009 and has the serial number ST-09-0002:
Comparing these two serial numbers indicates that the two digits in the middle represent the year and the last four digits are most likely a one-up annual number. The first two letters may be an internal code for the producer: the office, bureau or unit that prepared and issued the report.
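As an added illustration (not part of the original article and not NSA code), the following parser decodes both kinds of serial number using the code tables discussed above. The separator layout (LEVEL/PDDG/NUMBER-YY and XX-YY-NNNN), the "|" between the footer groups and the sample footer line are assumptions, assembled from the values this article gives for the advisory.

```python
import re
from datetime import date

# Code tables as given in the article; codes it marks "?" stay unknown.
CLASSIFICATION = {
    "1": "Confidential", "2": "Secret", "3": "Top Secret",
    "G": "TS/Comint-Gamma", "U": "Unclassified",
    "Z-G": "TS/Comint-Gamma", "Z-3": "TS/Comint",
}
FIVE_EYES = {"AA": "GCHQ", "EE": "DSD/ASD", "II": "GCSB", "OO": "NSA", "UU": "CSE"}

# Assumed layouts: LEVEL/PDDG/NUMBER-YY (external), XX-YY-NNNN (internal).
# The level may itself contain a hyphen (Z-G, Z-3), so "/" is the field separator.
EXTERNAL = re.compile(
    r"(?P<level>[A-Z0-9](?:-[A-Z0-9])?)/(?P<pddg>[A-Z0-9]{2})/(?P<num>\d+)-(?P<yy>\d{2})")
INTERNAL = re.compile(r"(?P<unit>[A-Z]{2})-(?P<yy>\d{2})-(?P<num>\d{4})")


def parse_external(serial):
    m = EXTERNAL.fullmatch(serial)
    if m is None:
        raise ValueError(f"not an external serial: {serial!r}")
    return {
        "classification": CLASSIFICATION.get(m["level"], "unknown"),
        "producer": FIVE_EYES.get(m["pddg"], "other collector"),
        "one_up": int(m["num"]),
        "year": 2000 + int(m["yy"]),  # assumption: reports from 2000 onwards
    }


def parse_internal(serial):
    m = INTERNAL.fullmatch(serial)
    if m is None:
        raise ValueError(f"not an internal serial: {serial!r}")
    return {"unit": m["unit"], "year": 2000 + int(m["yy"]), "one_up": int(m["num"])}


def parse_footer(line):
    """Split a three-group footer: external serial, internal serial, MM/DD/YYYY."""
    external, internal, stamp = [p for p in re.split(r"[\s|]+", line) if p]
    month, day, year = (int(x) for x in stamp.split("/"))
    return parse_external(external), parse_internal(internal), date(year, month, day)


# Constructed footer, assembled from the values the article gives for the advisory.
SAMPLE = "U/OO/104201-20 | PP-19-0031 | 01/14/2020"
if __name__ == "__main__":
    print(parse_footer(SAMPLE))
```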
This two-letter code doesn't correspond to the PDDG, nor to NSA's organizational designators, which have D1 for the Office of the Inspector General, so there must be another, unknown system for these codes.
Conclusion
After this comparative analysis it has become clear that the serial numbers (and the date) of the NSA's Cybersecurity Advisory can be explained as follows: