Deception is employed to obscure the nature and the extent of the espionage theft. One of the most famous examples of this principle was the deception used by British intelligence in World War II to conceal its success in breaking the German ciphers generated by the Enigma machines. If German naval intelligence had discovered Britain was able to read the ciphers it used to communicate with its U-boats, it would have stopped using them. So British intelligence hid its coup by supplying false information to known German spies to account for the sinking of U-boats, including the canard that British aerial cameras could detect one ingredient in the paint used to camouflage the U-boats.
That same hoary principle of deception applies to modern-day communications intelligence. If the Russian, Chinese, or any other adversary intelligence service got its hands on the documents stolen by Snowden from the NSA’s repositories in Hawaii in 2013, it would likely employ deception, including well-crafted lies, to create as much ambiguity as possible as to the missing documents. From this counterintelligence perspective, the intelligence issue that spawned the great divide cannot be resolved by accepting the uncorroborated statements made by a source, such as Snowden, who may be in the hands of the Russian security services in Moscow.
By the same token, the calculations made by NSA officials about the extent of the theft are also suspect. After all, the NSA is an intelligence service that often engages in secret machinations. We know that its top officials reported to the House and Senate Intelligence Committees, as well as the president’s national security adviser, that Snowden compromised over one million documents. But if this was disinformation, it is difficult to see its purpose. Inflating the extent of the damage of the Snowden breach to the president, Congress, and the secretary of defense obviously reflected poorly on their own management of the NSA, and their own careers. Yet such a possibility cannot be precluded in the arcane world of intelligence.
As in any case involving the loss of state secrets, uncontested facts remain in extremely short supply. The opinion-laden appellatives such as “patriot” and “traitor” that have tended to fill the gap in the great divide do little to address the important mystery of how many thousands of state secrets were taken from the United States. How did Snowden breach the supposedly formidable defenses of the NSA? Did he have any assistance? How did he escape to Moscow? And what was the final destination of the stolen documents? How Snowden succeeded in this coup cannot simply be pieced together from his own statements and interviews. The story also requires a visit into the wilderness of mirrors of a counterintelligence investigation. For this endeavor, it is necessary to return to the crime scene: the NSA’s base in Hawaii.
CHAPTER 14
The Crime Scene Investigation
Any private contractor, not even an employee of the government, could walk into the NSA building, take whatever they wanted, and walk out with it and they would never know.
—EDWARD SNOWDEN, Moscow, 2014
FIFTEEN MILES NORTHWEST of Honolulu on the island of Oahu, adjacent to the sprawling Wheeler Air Force Base, is a 250,000-square-foot, man-made mound of earth and reinforced concrete surrounded by an electrified fence. Inside the mound is a three-story structure originally built by the air force in World War II as a bombproof aircraft repair facility. In the Cold War, it was modernized to withstand enemy chemical, biological, radiological, or electromagnetic pulse attacks and was used by the navy’s operation center for its Pacific fleet. After the Cold War, the huge edifice was turned over to the NSA, which, as stated earlier, had been created as an intelligence service to intercept the communications and signals of foreign countries after World War II, a mission that included vacuuming into its giant computer arrays telephone messages, missile telemetry, submarine signals, and virtually everything on the electromagnetic spectrum of interest to the U.S. Defense Department and U.S. intelligence agencies. As the NSA developed it, this Hawaiian base, at Kunia, became one of its primary regional bases for gathering Asian communications intelligence. It provided a valuable window on the activities of adversary nations in the Pacific region and was able to monitor the ballistic missile tests and submarine activities of China, North Korea, and Russia. By 2013, the Kunia base had a vast array of state-of-the-art technology, including ninety Cray supercomputers arranged in a horseshoe configuration, used to decipher and make sense of the intercepted signals from China, Russia, and North Korea. At the heart of the Hawaiian complex was a unit with both military and civilian employees. A large share of the civilians who ran the computers worked under two-year contracts with the NSA’s leading civilian contractor, Booz Allen Hamilton.
General Alexander, who, as I said, headed the NSA in 2013, first learned of an impending story in The Guardian on June 4, while he was in Germany meeting with its top intelligence officials. The notice came from Janine Gibson, The Guardian’s American website editor, who had informed the NSA that the paper intended to break a story focusing on the organization. It took NSA counterintelligence less than forty-eight hours to determine that a civilian employee at the base from which documents were stolen had not reported back to work on May 22; his civilian supervisor had delayed reporting the absence to the NSA until May 28. It also determined that the missing civilian employee, Snowden, had lied on his application for a medical leave and had flown to Hong Kong. Personnel records showed he was being trained as an analyst at the Threat Operations Center and had worked there for less than six weeks. He had taken the medical leave on May 18 and left the country by plane. By June 6, he had become the NSA’s main suspect.
Alexander flew to Washington, D.C., after assigning the sensitive job of investigating the breach to a team headed by Richard “Rick” Ledgett, who was then director of the NSA’s Threat Operations Center at the NSA’s headquarters in Fort Meade, Maryland. Ledgett was the logical choice to head the damage assessment investigation because the center’s regional branch in Hawaii was under his command. Ledgett flew to Hawaii, where his first task was to reconstruct the chronology of Snowden’s moves, or, as the tactic is called in counterintelligence parlance, “walking the cat back.”
The NSA had also notified the FBI of Snowden’s possible involvement in the theft of state secrets in the first week of June. The FBI is in charge of criminal investigations of civilian U.S. intelligence workers, even if the alleged crime occurs on an NSA base. The FBI immediately dispatched a task force of agents to investigate a potential espionage case in Hawaii. When questioned, Snowden’s girlfriend, Lindsay Mills, said Snowden was away on a business trip. After determining from airline and hotel data that he was in Hong Kong, the FBI realized Snowden was a possible intelligence defector. It froze his credit and bank cards. It also notified the passport office in the State Department and the legal attachés at the Hong Kong consulate. The legal attachés, who were actually FBI field agents posted in Hong Kong, located Snowden at the Mira hotel on June 8. On the evening of June 9, Snowden revealed in his twelve-minute video posted on the Guardian website that he was the source of the stolen NSA documents. Because Hong Kong is part of China, U.S. law enforcement did not have the means to recover them.
At that point, determining the magnitude of the theft of documents became a critical concern of the investigation. Aside from the few dozen documents published by The Guardian and The Washington Post, what else had Snowden stolen?
Within the next few days, a small army of forensic investigators from the FBI, the Defense Department, and the “Q” counterintelligence division of the NSA swarmed onto the NSA base in Hawaii. The proximate crime scene for their investigation was the National Threat Operations Center. They examined the cubicle where Snowden had last worked and then began retracing all his activities at the NSA from 2009 to 2013. To begin with, they needed to find out how many documents from the center had been copied and taken by Snowden.
Meanwhile, the Defense Intelligence Agency (the Pentagon’s own intelligence service) was kept partially in the dark. Although the NSA is officially part of the Department of Defense, it operated with a high degree of autonomy with its own inspector general, investigative staff, and reporting channels. The DIA did not learn from the NSA that Snowden had stolen military documents concerning the joint Cyber Command until July 10. The number of stolen military documents from the Department of Defense was staggering. The DIA found from its forensic examination that Snowden had copied “over 900,000” military files. Many of these non-NSA files came from the Cyber Command, which had been set up in 2011 by the NSA and the army, navy, marine, and air force cryptologic services to combat the threat of warfare in cyberspace. The loss was considered of such importance that between 200 and 250 military intelligence officers worked day and night for the next four months, according to the DIA’s classified report, to “triage, analyze, and assess Department of Defense impacts related to the Snowden compromise.” The job of this unit, called the Joint Staff Mitigation Oversight Task Force, was to attempt to contain the damage caused by the Snowden breach. In many cases, containment meant shutting down NSA operations in China, Russia, North Korea, and Iran so they could not be used to confuse and distract the U.S. military.
The NSA and the Defense Department were not the only government agencies concerned with determining the extent of the breach. The NSA acted as a service organization for the CIA through handling most if not all of its requests for communications intelligence to support both its international espionage and its analytic operations. Although the CIA and the NSA were both part of the so-called intelligence community, the NSA did not immediately share with the CIA details of the Snowden breach. Despite the immense potential damage of the theft, it was not until June 10 that the CIA’s director, John Owen Brennan, and his deputy, Michael Morell, were briefed by the NSA. When Morell realized how much data Snowden had taken, he was astounded.
“You might have thought of all the government entities on the planet, the one least vulnerable to such grand theft would have been the NSA,” he wrote. “But it turned out that the NSA had left itself vulnerable.” According to Morell, he bluntly told the NSA briefer that it was urgent for the CIA to be brought in on the case. After all, the CIA had employed Snowden only four years earlier. Specifically, Morell said, the CIA needed to find out three things: Had CIA documents been part of Snowden’s haul? How long had Snowden been stealing documents? Had Snowden been working “with any foreign intelligence service, either wittingly or not”?
According to Morell, the effort to get a direct answer from NSA officials to these three key questions “proved maddeningly difficult.” He found that in mid-June NSA officials with whom he dealt were so “distraught at the massive security breach” that initially they refused to allow even CIA officers to participate in the ongoing security review. A former NSA executive told me there was “near panic” at the NSA. Finally, Morell called Chris Inglis, a former professor of computer science who had risen to be the NSA’s deputy director at the time of the breach. Inglis, who headed operations for the NSA, told him “the news was not good.” Among the data copied by Snowden were a large number of CIA secrets. By the time the CIA learned that its secrets had been compromised, Snowden was headed to Russia.
The investigation of a crime involving potential espionage is no easy task. In this case, it required attempting to solve a jigsaw puzzle in which not only were key pieces missing but also, because it involved adversary intelligence services, some of the found pieces might deliberately have been twisted to mislead the U.S. investigators.
By late July, NSA investigators had made their initial assessment. They determined that most of the material had been taken from sealed-off areas known in intelligence speak as “compartments,” which in this case were files stored on computers that were isolated from any network. Each compartment electronically tracks all the activities that occur in it on its logs, including the password identity of any person who has gained entry to any compartment. From a forensic examination of these logs, NSA investigators were quickly able to reconstruct the timeline of the theft. The logs showed that an unauthorized party without proper passwords had begun copying files in mid-April, which was just days after Snowden began his job at the center. The illicit activity ended just before Snowden’s last day of work there. So this piece of the puzzle was consistent with Snowden’s guilt.
The size of the theft was another matter. Ledgett was certainly in a position to know (in the shake-up that followed, he would replace Inglis as deputy director of the NSA). According to Ledgett, the perpetrator had “touched” 1.7 million documents, moving from compartment to compartment. Of these “touched” documents, according to the analysis of the logs, more than one million of them had been moved by the unauthorized party in mid-May to an auxiliary computer intended to be used for temporary storage by authorized service personnel. Finally, the data was transferred off this auxiliary computer presumably to thumb drives or other external storage devices. This download occurred just days before Snowden left the NSA on May 17, 2013, having told the agency that he needed a medical leave of absence.
The quantity of stolen documents, 1.7 million, does not necessarily reveal the damage and can itself be misleading. Many documents do not reveal current or known sources or methods, and others may have little value to an enemy. And a large portion of the documents might have been duplications. The quality of some of these documents is another matter. Just one document that exposed a source or method of which enemies are unaware can be of immense value. One such document taken by Snowden provided what Ledgett called “a roadmap” to the NSA’s current secret operations, revealing to an adversary such as Russia, China, or Iran “what we know, what we don’t know, and, implicitly, a way to protect themselves.” There were many documents in the Snowden breach that met these criteria, according to a national security official at the Obama White House.
General Alexander closely followed the investigation as it developed over the summer of 2013. By then, of course, the whole world knew that Snowden had stolen a vast trove of NSA documents. Alexander saw major inconsistencies developing between Snowden’s personal account of the theft and what had actually happened. The timeline established by the government’s investigators did not match Snowden’s story line. “Something is not right,” Alexander said in an interview.
For one thing, Snowden had made the claim to journalists, four months after he was in Russia, that he had turned over all the documents he took from the NSA’s compartments to Poitras and Greenwald in Hong Kong. On August 18, the investigators had the opportunity to examine the files that Snowden had given to Poitras and Greenwald. This discovery came when British authorities, under Schedule 7 of Britain’s Terrorism Act, detained David Miranda, Greenwald’s romantic partner, at Heathrow Airport. Miranda was suspected of acting as a courier for Greenwald and Poitras. According to Greenwald’s account, Snowden had given both him and Poitras identical copies of the NSA documents in Hong Kong. When Greenwald returned home to Rio de Janeiro, he found his copy was corrupted. But Poitras still had her digital copy of whatever stolen documents Snowden had distributed to them. So Greenwald dispatched Miranda from Rio to Berlin to get a copy of Poitras’s thumb drive. On the return trip, Miranda’s plane stopped at Heathrow, where British authorities detained him and temporarily took the thumb drive from him. Poitras had written out the password for Greenwald, and Miranda kept it with the thumb drive. The British copied the contents and shared them with the NSA. As a result, the NSA discovered that Snowden had only given Poitras fifty-eight thousand documents. The damage assessment team under Ledgett determined that some of these documents had been edited out of much larger documents that the NSA logs showed Snowden had copied. By the count of both the NSA and the Defense Department teams, almost one million documents were unaccounted for. What happened to the missing documents?
The NSA investigation found that the chronology of the theft of documents did not support Snowden’s claim to journalists that he had only been seeking whistle-blowing documents. Most of the documents he took first did not concern the domestic activities of the NSA. Only toward the end of the theft did he copy documents that would qualify as whistle-blowing. The court order to Verizon that was the basis of the initial Guardian exposé was only issued by the FISA court on April 27, 2013. The other main whistle-blowing document he revealed, the PowerPoint presentation about PRISM, was only issued in April 2013. Yet Snowden had been downloading documents for at least nine months before he copied these documents.
When I discussed the chronology of the copied documents with a former government official briefed on the investigation, he suggested that Snowden’s purpose might have changed between 2012 and 2013. When I asked him what might have induced the change, he replied, “That is one of the unanswered questions.” That Snowden only took these two whistle-blowing documents at the tail end of his nine-month operation, and after he had contacted Poitras and Greenwald, suggests he might have had another motive prior to contacting journalists. In light of this chronology, the investigation had to consider the possibility that his whistle-blowing was, partly if not wholly, a cover for another enterprise.
Snowden told journalists he had access to “millions of records that [he] could walk out the door with at any time with no accountability, no oversight, no auditing, the government didn’t even know they were gone.” However, he was not among the limited number of individuals at the center who had access to these documents. Both the NSA’s and Booz Allen’s employment records showed that Snowden had not yet completed his requisite on-the-job training when he carried out the theft. Consequently, he had not yet been provided with the passwords he needed to get the documents. Even if he had remained at the NSA long enough to finish his training, he would only have been provided with the password to the particular compartment relevant to his work, not to all compartments. The tight control over these passwords was, according to a former top NSA official, a critical part of the NSA’s security framework. He told me that Snowden, at least during the period of the thefts in April and May 2013, had no more legitimate access to the compartments than the cleaning personnel. Somehow, though, Snowden converted his proximity to access.
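To make concrete the two investigative steps described above, reading a compartment’s audit logs to reconstruct a timeline (“walking the cat back”) and checking each access against who was actually issued that compartment’s credential, here is an added example of my own. It is not the book’s material and not the NSA’s tooling; the NSA’s log format and systems are not public, so the field layout, the entitlement table, the identity `cred-x`, the staging host `aux-01`, and every log line are constructed assumptions for illustration. The script flags accesses by identities that hold no credential for the compartment they entered, reconstructs one identity’s first and last activity and the documents it touched, staged, and wrote to removable media, and reconciles the removed set against documents later recovered, the same arithmetic by which the investigators arrived at an unaccounted-for remainder.

```python
"""Timeline reconstruction from compartment audit logs.

Constructed example: the log format, entitlement table, identities and
hosts below are assumptions, not the NSA's real systems or records.
"""
from datetime import datetime

# Assumed entitlement table: identities issued the credential for each
# compartment. "STAGING" models the auxiliary computer reserved for
# authorized service personnel.
ENTITLEMENTS = {
    "COMP-A": {"analyst01", "analyst02"},
    "COMP-B": {"analyst02"},
    "STAGING": {"sysadmin01"},
}

# Constructed audit lines: timestamp|compartment|identity|action|doc_id|host
SAMPLE_LOG = """\
2013-04-15T09:12:00|COMP-A|analyst01|READ|A-0001|ws-11
2013-04-16T22:41:03|COMP-A|cred-x|COPY|A-0002|ws-42
2013-04-16T22:41:09|COMP-A|cred-x|COPY|A-0003|ws-42
2013-04-17T23:05:12|COMP-B|cred-x|COPY|B-0001|ws-42
2013-05-10T10:00:00|STAGING|sysadmin01|WRITE|X-0001|aux-01
2013-05-13T01:10:00|STAGING|cred-x|WRITE|A-0002|aux-01
2013-05-13T01:10:02|STAGING|cred-x|WRITE|A-0003|aux-01
2013-05-13T01:10:05|STAGING|cred-x|WRITE|B-0001|aux-01
2013-05-15T02:00:00|STAGING|cred-x|USB_WRITE|A-0002|aux-01
2013-05-15T02:00:01|STAGING|cred-x|USB_WRITE|A-0003|aux-01
2013-05-15T02:00:02|STAGING|cred-x|USB_WRITE|B-0001|aux-01
"""


def parse_log(text):
    """Parse the pipe-delimited audit lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, comp, ident, action, doc, host = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "compartment": comp,
                       "identity": ident, "action": action, "doc": doc,
                       "host": host})
    return sorted(events, key=lambda e: e["ts"])


def unentitled_accesses(events, entitlements):
    """Events whose identity was never issued that compartment's credential."""
    return [e for e in events
            if e["identity"] not in entitlements.get(e["compartment"], set())]


def walk_the_cat_back(events, identity):
    """Reconstruct one identity's activity window and the documents it
    touched in compartments, staged on the auxiliary host, and removed."""
    mine = [e for e in events if e["identity"] == identity]
    if not mine:
        return None
    in_compartments = [e for e in mine if e["compartment"] != "STAGING"]
    return {
        "first": mine[0]["ts"],
        "last": mine[-1]["ts"],
        "compartments": sorted({e["compartment"] for e in in_compartments}),
        "touched": {e["doc"] for e in in_compartments},
        "staged": {e["doc"] for e in mine
                   if e["compartment"] == "STAGING" and e["action"] == "WRITE"},
        "removed": {e["doc"] for e in mine if e["action"] == "USB_WRITE"},
    }


def reconcile(removed, recovered):
    """Documents written to removable media that are absent from the
    recovered copy: the unaccounted-for set."""
    return sorted(set(removed) - set(recovered))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unentitled_accesses(evs, ENTITLEMENTS):
        print("UNENTITLED", e["ts"].isoformat(), e["identity"],
              e["compartment"], e["action"], e["doc"])
    tl = walk_the_cat_back(evs, "cred-x")
    print("window:", tl["first"], "->", tl["last"])
    print("compartments:", tl["compartments"])
    print("touched/staged/removed:",
          len(tl["touched"]), len(tl["staged"]), len(tl["removed"]))
    # Assumed recovery: only A-0002 turns up on recovered media.
    print("unaccounted for:", reconcile(tl["removed"], ["A-0002"]))
```

The entitlement check is the part that turns a log into evidence: an identity appearing in a compartment whose credential it was never issued is anomalous regardless of what it copied, which is why the investigators could date the start of the theft from the first such entry rather than from the volume moved.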
How America Lost Its Secrets Page 15