7.5.3 — SIGINT & ELINT — maturity: live

Encrypted Traffic Analytics

Characterising encrypted communications by volume, timing, frequency, and emitter behaviour to derive intelligence without breaking the encryption itself.

Auto-drafted reference page — content reviewed for shape, individual references not yet link-checked.

Modern adversaries encrypt everything, but encryption hides content — not behaviour. Satellite-borne RF survey payloads can passively collect metadata signatures: burst duration, inter-arrival timing, carrier frequency, modulation scheme, and geolocation of the emitting terminal. These traffic-analysis observables survive end-to-end encryption entirely intact and, when fused across a constellation, reveal operational tempo, command-and-control hierarchy, and readiness cycles of target organisations without a single decryption key.

A LEO constellation of microsatellites carrying wideband RF survey receivers passes over any point on Earth multiple times per day, capturing the electromagnetic environment in snapshot windows of two to eight minutes per overpass. On-board signal detection and parametric extraction run before downlink, compressing raw IQ data into structured emission records. Ground-side ML pipelines cluster emitters by fingerprint, track them across overpasses, and correlate traffic spikes against open-source event data to assign intent labels with quantifiable confidence scores.

The operational payoff is substantial. Intelligence analysts receive automated alerts when a previously dormant emitter cluster surges in activity — a reliable precursor indicator for force mobilisation, logistics marshalling, or covert coordination. Combined with sibling capabilities in §7.5.2 Communication Network Mapping and §7.5.4 Pattern-of-Life Intelligence, the traffic-analytics layer closes the loop: analysts know not just where emitters are but when they become operationally significant, without waiting for adversary communications to be decrypted or leaked.

What matters

Traffic metadata is legally and technically distinct from content interception, giving states a defensible collection posture under domestic signals-intelligence law.
Encryption strength is irrelevant: timing and volume analysis of TLS, SATCOM, and tactical waveforms yields high-confidence activity indicators regardless of key length.
Burst-mode LEO collection windows of 2–8 minutes per overpass are sufficient to characterise duty cycles, synchronise collection with known schedules, and detect anomalous surges.
A foreign commercial RF-survey provider will gate or embargo access to data covering allied or client territories under political pressure, eliminating the intelligence product at the worst possible moment.

Sovereignty score: 9/10 — A nation that cannot conduct independent encrypted traffic analytics cedes its most sensitive warning indicator to the collection priorities and business terms of a foreign government or commercial operator.

US ITAR and EAR controls classify wideband RF survey receivers as munitions or dual-use items; a foreign vendor can legally suspend data delivery to your nation without notice under US government direction.
Traffic-analytics targets will include allied entities, senior government communications, and domestic counterintelligence subjects — data that must never transit a foreign ground station or processing environment.
Commercial providers optimise collection scheduling for paying customers and alliance priorities, not for the specific emitters, frequencies, and geographies that matter to your national intelligence requirement.
Loss of this capability during a crisis — exactly when adversary communications surge and commercial providers face political pressure to restrict access — leaves decision-makers blind to the one indicator most likely to pre-empt surprise.

Reference architecture

Payload: Wideband RF survey receiver, 20 MHz to 18 GHz tunable, direction-finding array with 3-satellite TDOA/FDOA geolocation to ≤500 m CEP; on-board FPGA for signal detection, parametric extraction (frequency, bandwidth, modulation class, burst duration, power), and IQ compression before downlink
Bus class: 12U cubesat cluster of 3 formation-flying satellites per orbital plane, ~24 kg each, 80 W payload power; formation maintained to <2 km baseline for TDOA geometry
Orbit: Low Earth Orbit, 500–550 km altitude, 45° inclination for mid-latitude theatre coverage; 18-satellite walker constellation (6 planes × 3 satellites), delivering 4–6 overpasses per day at any target latitude with 2–8 minute collection windows
Ground segment: 3-station national network (S-band TT&C, X-band high-rate downlink at 150 Mbps); primary station co-located with national SIGINT processing facility; encrypted uplink for tasking; no commercial ground-station use
Software & data
Latency
Cost band
Lead time

References

ITU Radio Regulations — Passive Monitoring and Spectrum Management — The ITU Radio Regulations define frequency coordination and monitoring obligations for member states. Sovereign spectrum-monitoring satellites operate within this framework, providing legal grounding for passive RF collection missions.
NATO STANAG 4607 — Ground Moving Target Indicator Format — NATO's sensor-data interoperability standards illustrate the alliance's dependence on agreed intelligence data formats. Nations contributing sovereign SIGINT data to alliance pools must control how that data is formatted, disseminated, and restricted.
HawkEye 360 — RF Analytics Technology Overview — HawkEye 360 demonstrates that cluster-based LEO microsatellite formations can geolocate and characterise RF emissions globally. Their commercial service validates the constellation architecture but also illustrates the dependency risk of relying on a foreign commercial provider.
Spire Global — Maritime and Aviation SIGINT Payloads — Spire's hosted-payload and data-as-a-service model shows how RF metadata collection at scale can be operationalised rapidly. However, service agreements are subject to US export and re-export control, limiting sovereign freedom of action.
NSA/CSS — Signals Intelligence (SIGINT) Overview — The NSA's public SIGINT overview describes traffic analysis as a foundational intelligence discipline distinct from content collection. It confirms that metadata patterns reliably expose organisational behaviour and operational intent.