How America Lost Its Secrets


by Edward Jay Epstein


  “This debriefing could not be done overnight,” according to a former high-ranking officer in the GRU, the Russian military intelligence service. “There is no way that Snowden would not be fully debriefed,” he said. He also said GRU specialists in signals intelligence would be called in.

  Putin’s approval of the Snowden operation was not without consequences. Not only did Obama make good on his threat to cancel the pre-Olympics summit with Putin, but also, as it turned out, the Snowden exfiltration proved a turning point in the “reset” of U.S.-Russian relations. Having to accept the onus of declining relations with the Obama administration, Putin, it seems safe to assume, attempted to get the bonus of the NSA’s communications intelligence from Snowden. The GRU, the SVR, and other Russian intelligence services would not stop questioning Snowden, even if it took years, until they had squeezed out of him whatever state secrets he had. Because Snowden was rewarded with sanctuary, a residence, and bodyguards, there is no reason to doubt that he refused to accommodate his hosts. While he might continue to see himself as a whistle-blower on a supranational scale, as far as Russian intelligence was concerned, he was an espionage source.

  For an intelligence service, the game is not over when it obtains state secrets. It still needs to fog over the extent of its coup, as said earlier, to prolong the value of the espionage. Hence it is likely that the story that Snowden had thoroughly destroyed all the stolen data in the month prior to departing for Russia, as well as the story that he had turned down all requests to be questioned by the FSB and other Russian intelligence officials, was part of the legend constructed for him. The repetitions of these uncorroborated claims in his press interviews might also have enhanced his public image for the ACLU effort to get clemency for him. Even so, in view of the importance of such communications intelligence to Russia, it would be the height of naïveté for U.S. or British intelligence to accept such claims as anything more than camouflage.

  As for Snowden’s motive, I see no reason to doubt his explanation that he stole NSA documents to expose its surveillance because he believed that it was an illicit intrusion into the privacy of individuals. Such disaffection is not a unique situation in the intelligence business. Many of Russia’s worldwide espionage sources before Snowden were also dissatisfied employees who had access to classified secrets. Like some of them, Snowden used his privileged access to reveal what he considered the improper activities of the organization for which he worked. In that sense, I fully accept that he began as a whistle-blower, not as a spy. It was also as a whistle-blower that he contacted Laura Poitras, Glenn Greenwald, and Barton Gellman, who published the scoops he provided in Der Spiegel, The Guardian, and The Washington Post.

  Snowden’s penetration went beyond whistle-blowing, however. In the vast number of files he copied were documents that contained the NSA’s most sensitive sources and methods that had little if anything to do with domestic surveillance or whistle-blowing.

  Snowden could not have acted entirely alone. It will be recalled that the deepest part of his penetration was during the five weeks he worked at the National Threat Operations Center in Hawaii as a contract employee of Booz Allen Hamilton. It was there that he copied Level 3 files, including the so-called road map to the gaps in American intelligence. During this period, Snowden had neither the passwords nor the system administrator’s privileges that would allow him to copy, transfer, and steal the electronic files. He therefore must have obtained that assistance from someone who had the passwords and privileges. Other workers there might have shared his sensibilities and antipathy toward NSA surveillance. It therefore seems entirely plausible that he found a co-worker willing to cooperate or, vice versa, a co-worker found him. Snowden might not have been aware of his new accomplice’s true motives or affiliations, but without some co-worker’s providing him with entry to the sealed-off computers, he could not have carried out the penetration. To our knowledge, whoever helped him evidently did not want to expose himself to prosecution or defect from the NSA. That was Snowden’s role. By accepting the sole blame in the video that Poitras made about him in Hong Kong, Snowden shielded anyone else from suspicion, which was, as he told Poitras, his purpose. Whoever helped him may still be working at the NSA.

  To be sure, there remains that other glaring gap in the chain of events that led Snowden to Moscow: his whereabouts and activities during his first eleven days in Hong Kong. Mike Rogers, the chairman of the House Select Committee on Intelligence, even suggested, without any evidence, that Snowden might have been taken to mainland China during this period. What drove his speculation was the admission of U.S. intelligence that despite its vast global resources for searching credit card charges, banking transactions, hotel registrations, e-mails, police records, and even CCTV cameras, neither it nor its allies were able to find a trace of Snowden during that time. It was, in a phrase made famous by the former secretary of defense Donald Rumsfeld, “a known unknown.” Just as likely he could have been staying in a well-prepared safe house anywhere in Hong Kong or even at the home of an unknown associate. All that is really known is that soon after he emerged from this venue, moved to the Mira hotel, and gave his celebrated interview to journalists, he was safely settled in Russia.

  Snowden’s actions appear squarely at odds with his assertions of serving his country’s interests. Even accepting that he began with a sincere desire to be a world-class whistle-blower, his mission evolved, deliberately or not, into one that led him to disclose key communications intelligence secrets to a foreign power with an agenda that is hardly aligned with his country’s interests. A defector is defined in the Cambridge English Dictionary as “a person who leaves his or her own country or group to join an opposing one.” Snowden’s actions fit that description. In the end, it is Snowden’s actions, not his words, that matter.

  CHAPTER 29

  The “War on Terror” After Snowden

  Because of a number of unauthorized disclosures and a lot of hand-wringing over the government’s role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that make our ability collectively, internationally, to find these terrorists much more challenging.

  —CIA DIRECTOR JOHN BRENNAN,

  in response to the Paris terrorist attack, November 2015

  ON THE EVENING of November 13, 2015, nine jihadist terrorists acting on behalf of ISIS brought normal life in Paris to a screeching halt. Three suicide bombers blew themselves up at the stadium at Saint-Denis while President Hollande was inside attending a match between France and Germany. Other terrorists that night killed 130 people at cafés, restaurants, and a theater. Three hundred and eighty-eight others were wounded in the carnage. Abdelhamid Abaaoud, a twenty-eight-year-old Belgian citizen of Moroccan origins who served ISIS as a logistics officer in Syria in 2014, planned the attack over many months with the help of others in Syria. To organize it, they smuggled three suicide bombers into Europe through Greece, raised financing, set up a base in the Molenbeek section of Brussels, imported deactivated assault weapons from Slovenia that were restored by a technician, bought ammunition, acquired suicide vests, obtained “burner” cell phones, rented cars, and, two months before the attack, rented three additional apartments under fake identities to conceal the operation. Finally, in November, they made online bookings for quarters in Paris for the nine attackers. Even though Abaaoud was well-known to Western intelligence services, none of the communications surrounding the preparations for the attack came to the attention of the NSA or its allied services in Europe. A critical find for the investigators enabled them to unravel the chain that eventually led them to the perpetrators, but it had nothing to do with electronic surveillance. A cell phone belonging to one of them was found by the security forces, following a broad search they conducted, which included trash cans situated in the vicinity of the concert halls. So this breakthrough in the investigation had nothing to do with systematic data analysis conducted prior to the attack.

  Indeed, in the sequence of the Paris events, as in other terror events, the challenge is not just bringing culprits to justice. It is preventing the terrorists from carrying out their attack to begin with. Police cannot constantly protect “soft targets” such as restaurants, cafés, theaters, and street gatherings. The only practical means by which a government can prevent such attacks is to learn in advance their planning and preparations. One means of acquiring this information is by listening in on the channels through which members of loosely knit terrorist organizations, such as ISIS, communicate. This form of intelligence gathering obviously works best so long as the terrorists remain unaware that the communication channels they are using are being monitored. Once they find out that their messages and conversations are being intercepted, they will likely find a safer means to communicate important information. For that reason, communications intelligence organizations keep the sources and methods they employ for monitoring these channels in a tightly sealed envelope of secrecy.

  Yet, in June 2013, the NSA found that envelope had been breached by Snowden, who knowingly compromised three programs that it used to keep track of terrorist organizations around the world. The first system he divulged, and the one that received the most public attention, was what the NSA called the “215” program because it had been authorized by Section 215 of the Patriot Act of 2001. This program compiled the billing records of every phone call made in America. The data included the number called and the duration of the call but not the name of the caller. This anonymous data was archived into a huge database. The idea was that when any foreigner on the FBI’s watch list of terrorists called any number in the United States, the FBI could trace that person’s entire chain of telephone contacts to try to determine if he or she was connected to a known terrorist cell. There was, however, a major flaw in this program: it did not cover e-mail and other Internet messaging, which by 2013 had largely replaced telephone calls. In addition, terrorist organizations, after the tracking down of Osama bin Laden in 2011, had become fully aware of the vulnerability of telephoning overseas. So although the NSA could cite a handful of early successes that “215” yielded, Snowden’s exposure of it did only limited damage.

  Snowden did vastly more damage by revealing the PRISM program, also called “702” because it was authorized in 2008 by Section 702 of the Foreign Intelligence Surveillance Act. Its effectiveness proceeded from the misplaced confidence that terrorist organizations in Iraq, Syria, Afghanistan, and Pakistan had in the encryption and other safeguards used by giant Internet companies, such as Apple, Google, Twitter, and WhatsApp. They evidently had not known that in 2007 the NSA found a way to intercept this data before it was encrypted. The Internet, despite metaphors such as “the cloud” and “cyberspace,” initially travels through fiber cables, almost all of which run through the United States and its Five Eyes allies. So by 2013 the NSA was able to access 91 percent of the Internet before it was encrypted. This so-called upstream data included Google searches, tweets on Twitter, social media postings, Skype conversations, messages on Xbox Live, instant messages sent over WhatsApp, and e-mails sent via the Internet. The NSA could also read concealed messages in photographs and online game moves. According to a declassified 2015 inspector general’s analysis, the actual interceptions in this program in 2013 were mainly limited to the communications of preselected foreign terrorists.

  Until the Snowden breach was revealed on June 6, 2013, this program gave U.S. intelligence a valuable tool for gathering unexpected intelligence. Snowden must have been aware of how highly the NSA valued this program because, according to the documents he released, PRISM was “the number one source of raw intelligence used for NSA analytic reports.” From the continued use of these intercepted channels by suspected terrorists on the NSA’s watch lists, it could be reasonably assumed that these users were unaware of the NSA’s capacity to intercept their messages on the unencrypted Internet.

  Unlike the telephone program that Snowden revealed, the PRISM program produced actionable intelligence until the time when Snowden blew it. General Hayden, who was NSA director during the three years following the 9/11 attack, wrote that these surveillance powers, among other things, “uncovered illicit financing networks, detected suspect travel, discovered ties to aviation schools, linked transportation employees to associates of terrorists, drew connections to the illicit purchases of arms, tied U.S. persons to Khalid Sheikh Mohammed, and discovered a suspect terrorist on the no-fly list who was already in the United States.” More specifically, just between 2007 and 2013, according to the testimony of NSA and FBI officials, it resulted in the preempting of at least forty-five terrorist attacks. Almost all of the thwarted attacks occurred outside the jurisdiction of the United States, and therefore did not result in U.S. prosecutions. One of the plots that targeted Americans was a planned attack using high explosives on the subways in Grand Central station and the Times Square station at rush hour in New York City in 2009. It was averted after British intelligence supplied the NSA with the e-mail address of the terrorist suspect Najibullah Zazi in Aurora, Colorado. The PRISM surveillance program then traced it to an IP address on the watch list associated with Rashid Rauf, an al-Qaeda bomb maker in Pakistan. Zazi, evidently unaware that e-mails sent via Yahoo! could be intercepted before they were encrypted by Yahoo!, continued sending e-mails to Rauf as he prepared to assemble the bombs in early September 2009. As a result, the NSA search of its database yielded e-mails from Zazi discussing the proportions of explosives to be used. These e-mails recovered through the PRISM program, according to an analysis done for the Senate Judiciary Committee in 2014, provided the “critical lead” that led to the arrest of Zazi and his confederates before they could detonate bombs in the subways of New York City. The members of the House and Senate Select Committees on Intelligence had no doubt that the 702 program played a key role in aborting this plot they had been secretly briefed on in 2009. Dianne Feinstein, the chair of the Senate Select Committee, pointed out with privileged knowledge that it saved “subway cars stuffed to the gunwales with people”; Representative Mike Rogers also spoke with privileged knowledge when he said on June 9, 2013, referring to the 702 program, “I can tell you in the Zazi case in New York, it’s exactly the program that was used.”

  The third NSA program of interest to terrorists that Snowden revealed was called XKeyscore. Using Internet data from PRISM, the NSA had created the equivalent of digital fingerprints for suspected foreign terrorists on watch lists. The “fingerprint” for each suspect was based on his or her search pattern on the Internet. These algorithms made it difficult for suspects to hide on the Internet by using aliases. Once a suspect was “fingerprinted,” any attempt to evade surveillance by using a different computer and another user name would be detected by the XKeyscore algorithms. The “fingerprints” only worked so long as XKeyscore remained secret from those on the watch list. After Snowden exposed it, suspects could evade surveillance by changing their search patterns when they changed their aliases.

  Further enabling furtive Internet users to evade the surveillance of the government, Snowden offered specific tips about the secret sources and methods used by both the NSA and the British GCHQ. He revealed in a public interview, for example, that the GCHQ had deployed the first “full-take” Internet interceptor that “snarfs everything, in a rolling buffer to allow retroactive investigation without missing a single bit.” When asked how to circumvent it, he replied, “You should never route through or peer with the UK under any circumstances. Their fibers are radioactive, and even the Queen’s selfies to the pool boy get logged.” Aside from this warning about using Internet providers whose wiring passes through Britain, he also warned Internet users about trusting the encryption of any U.S.-based Internet company because of their secret relationships with the NSA. He added that the NSA considered “telecom collaborators to be the jewels in their crown of omniscience.” He also gave a warning about the attention the NSA was paying to “jihadi forums.” He said that to avoid being automatically “targeted” by the NSA, one needed to avoid them.

  These precise tips for evading U.S. and British surveillance were not accidentally leaked. Snowden supplied them in written answers to interrogatives sent to him by Poitras and Appelbaum in May 2013 while he was still at the NSA. He also carefully orchestrated the exposure of the PRISM surveillance programs, precisely specifying, as Greenwald writes in his book No Place to Hide, who was to release the “scoops” in which newspapers. He gave Gellman a seventy-two-hour ultimatum for exposing PRISM, as we know. He further provided Poitras with well-organized files for publications revealing, among other things, that the NSA had paid RSA, a leading computer security provider, to build flawed encryption protocols, which allowed the NSA to read encrypted messages on computers and online video games. In short, he used these journalists to accomplish his purpose. In light of the way he micromanaged the leaks, it is difficult to conclude that he did not deliberately plan to compromise and render useless these U.S. and British operations.

  Whatever he intended, he clearly succeeded in blowing the cover off NSA’s operations authorized under the Foreign Intelligence Surveillance Act for monitoring terrorists’ activities. After all, terrorist groups are no different from other criminal enterprises in their need to keep their communications secret from the authorities pursuing them. If they find out that the police are tapping their phone lines or intercepting other channels of communication, they can be expected to either stop using them or use them to divert attention away from their real plans.
