An NSA document newly published today suggests two interesting facts that haven't previously been reported.

The Intercept, which published the document, highlighted that in it the NSA expresses fear that it may be teaching Iran how to hack, but there are two other points in the document that merit attention.

One concerns the spy tool known as Flame; the other refers to concerns the NSA had about partnering with the British spy agency Government Communications Headquarters and Israeli intelligence in surveillance operations.

Did GCHQ Partner With the NSA on Flame?

In the document, prepared in April 2013 for a meeting between the NSA director and GCHQ, the author cites the Flame attack against Iran as an example of a US/GCHQ partnership. Flame was a massive spy platform exposed by Kaspersky Lab and Symantec in 2012. Flame targeted more than 10,000 machines in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa and was active for at least six years before it was discovered. It used some of the same code that Stuxnet used, leading researchers to conclude that it had been created by the same US/Israel teams that had created Stuxnet. The Washington Post reported in 2012 that the US and Israel were both behind Flame, quoting anonymous US officials. But the new Snowden document hints that GCHQ might have been involved in Flame with the US.

Although the document doesn't say overtly that GCHQ partnered with the US in creating and unleashing Flame, it hints obliquely at cooperation. The document notes that the NSA has "successfully worked multiple high-priority surges with GCHQ" and cites Flame as an example. But, oddly, it doesn't say they worked together on creating Flame. Instead, it simply cites Iran's discovery of Flame in a list of projects on which the GCHQ and the US collaborated.

These jointly worked events include "the storming of the British Embassy in Tehran; Iran's discovery of computer network exploitation tools on their networks in 2012 and 2013; and support to policymakers during the multiple rounds of P5 plus 1 negotiation on Iran's nuclear program," the document reads. The reference to an embassy attack presumably refers to the 2011 attack on the British embassy by protestors in Iran. The reference to the P5 plus 1 relates to negotiations between Iran and Western powers over Iran's nuclear program. The network attacks are identified by name as the Flame attacks in another part of the document.

It's unclear what else this might refer to if not the two countries partnering in the creation and unleashing of Flame. Other documents leaked by Edward Snowden have spelled out in more detail how the NSA and GCHQ have partnered over the years in other spy operations, ranging from sharing data siphoned from undersea cables to the hacking of telecom networks, like Belgium's Belgacom, to monitor mobile traffic. The new document suggests that the two countries might also have partnered on Flame in some way, though it's unclear to what extent. If this is correct, and the previous Post is correct as well, it would mean the three nations teamed up to spy on Iran, presumably over its nuclear program.

NSA Expresses Concern About Partnering with GCHQ and Israel

Although there are numerous examples released in the Snowden documents of NSA-GCHQ cooperation as well as NSA-Israeli cooperation, the 2013 document published today expresses concern about a trilateral agreement between the three nations.

It appears in a section discussing a collaboration between the NSA, GCHQ and ISNU—a reference to the Israeli SIGINT National Unit, the Israeli counterpart to the NSA. Under the heading "Potential Landmines," the document notes that GCHQ has long pushed to work with the NSA and ISNU "in a trilateral arrangement to prosecute the Iranian target." And it notes that the NSA and GCHQ have agreed to share information gleaned from their separate partnerships with Israeli intelligence. But with regard to a trilateral partnership, the NSA had reservations. The document notes that the "SID policy has been opposed to such a blanket arrangement."

SID refers to the Signals Intelligence Directorate. Under the SID Management Directive 422 (.pdf), the intelligence community is prohibited from delegating a mission to a non-USSS element—that is, a non-US SIGINT System—without first obtaining a memo of understanding between the NSA and the non-US entity. NSA activities are government by a number of directives, most important among them is USSID 18, which governs what the US can and cannot collect on US persons and how it must handle information collected incidentally on them. Including a foreign spy agency in data collection raises issues about oversight and legality if it involves data pertaining to U.S. persons. This may be in part why the NSA was concerned.

As noted, the NSA has partnered separately with both the GCHQ and Israeli on intelligence collection. Previously released Snowden documents discussed how the NSA shared raw intelligence with Israel.

And according to the new document, the US, UK and Israeli spy agencies engaged in discussions in 2013 about a possible three-way partnership in tackling issues with Iran. "In January 2013, during an NSA-ISNU analytic workshop on Iranian Leadership, the first ever trilateral VTC on an Iranian issue was held with NSA, CCHQ and ISNU particiants," it notes.

But the US was apparently hesitant about expanding the surveillance agreement outside of the issue of Iran. "The trilateral relationship is limited to the topic and will serve as a proof of concept of this kind of engagement," the document notes. But "this specific trilateral should not be interpreted as a broad change of approach." In other words, in areas not to do with Iran, the NSA and CCHQ have agreed to continue to share information gleaned from their respective bilateral relationships with the ISNU, but apparently are reluctant to make Israel a part of their exclusive club on a regular basis.