Spies for Hire
Page 25
The project was formally canceled in 2005 when General Keith Alexander assumed the directorship of NSA. But Congress wasn’t pleased and had already taken action. In 2004, in response to the debacle, the Senate took the extraordinary step of taking away the NSA’s independent acquisition powers and handed them over to the Department of Defense; they would only be returned when Congress certified that NSA’s business practices had “improved substantially.”71 “Congress took this action because of serious deficiencies in NSA’s systems acquisition capabilities that prevented the Agency from effectively modernizing signals intelligence capabilities to meet new threats,” the Senate Intelligence Committee noted. The suspension was still in effect in 2007.72 By March of that year, the NSA was still processing much less than one percent of the data it was collecting. The agency has simply “been overwhelmed” by the explosion of information, Senator Jay Rockefeller, the chairman of the Senate Intelligence Committee, concluded.73
Despite the project’s cancellation, however, SAIC is apparently working on Trailblazer’s successor program. In its investor prospectus mentioned earlier, SAIC said it had nine thousand active government contracts as of July 31, 2006. Listed among them was a contract called EXECUTELOCUS, described as the former “Trailblazer Technical Development Program.” The customer was listed as “confidential.” The NSA, as I said before, would not comment on any matter involving its contractors, and SAIC declined as well. “In a situation like this, we would defer to our government customer and deny comment completely,” SAIC spokesperson Ron Zollars told me.
According to industry officials I spoke to, the NSA turned over far too much to the private sector. “SAIC did a terrible job of managing Trailblazer,” a contractor who provided data mining technologies for the project told me. “I had people work on it as subs, but they quit and would not work on the program because it was badly managed—badly managed by SAIC and NSA—not because they didn’t try, but because they didn’t have the ability to manage the program.” This contractor, who once worked for the NSA and agreed to speak about Trailblazer only if granted anonymity, also had harsh words for Hayden, the former NSA director. “Trailblazer was his, and he [screwed] it up. He’s in my view the worst director NSA ever had. He left after five years still talking about ‘them,’ not ‘us.’ He never took responsibility for anything that went bad, including Trailblazer, and this was his thing.”
Critics of intelligence contracting see Trailblazer as the ultimate example of what goes wrong when huge projects are handed over to large corporations. “Trailblazer, as executed by SAIC, is one of the lasting disgraces of this era,” says Robert David Steele, a former CIA case officer who once chaired an IT steering committee for the Intelligence Community.74 John Gannon, the former chairman of the CIA’s National Intelligence Council and a senior executive with BAE Systems, called Trailblazer a “monumental failure” that “resulted from our expectation that the private sector could do it for us. What we needed to do was to have the contractor do what we couldn’t do ourselves.” Trailblazer, he added, is a case where “the government let the private sector get ahead of the government. When that happens the private sector doesn’t perform competently, and the government loses its ability to manage, with disastrous results. When you look where the numbers of analysts in units are heavily contractor, the government really does lose its ability to maintain quality control. And that is definitely not a good thing in my judgment.”75
Part of the problem, intelligence expert John Pike told me, may have been differing interpretations between SAIC and the NSA over data mining. “My instinctive gut reaction tells me that’s where they got into trouble,” says Pike, the director of GlobalSecurity.org. “There was something about the specification process that fouled them up. There was something about the key performance parameters that either SAIC didn’t understand, or that all the various little fiefdoms within NSA didn’t understand. Or they started out with one set of requirements and then over time the requirements just got out of control on them.” In addition, after 9/11, the NSA was processing data “on a scale that was larger than had previously been done. So both the agency and the contractor were outside of their experience base.”76
McConnell himself may have settled the case in his eye-popping interview with the El Paso Times in August 2007. “There’s a sense that we’re doing massive data mining,” he said. “In fact, what we’re doing is surgical. A telephone number is surgical. So if you know what number, you can select it out.”77 That seemed to negate almost a decade’s worth of work and research on Project Trailblazer, which was probably the mother of massive data mining schemes; but as McConnell knew, it simply hadn’t worked. His comments seemed to indicate that the NSA was going back to its traditional role that began with the reading of telegrams—that is, selecting certain people to be targeted based on human intelligence and simple link and relationship analysis.
Even prior to McConnell’s remarks, it was clear the NSA’s experience with Trailblazer had convinced intelligence officials that large-scale project contracting was eroding the NSA’s ability to do its job. In November 2006, Eric Haseltine, who left the NSA in 2005 to become the ODNI’s associate director for science and technology, warned contractors at a conference on geospatial intelligence that change was afoot. “We need to have a variety of small, agile, and quick programs because we don’t know what the future holds,” he said. “We may have to dynamite the huge, decades-long multibillion-dollar programs and run in their place a whole plethora of small, quick programs. If we don’t do that, we will become fossils.”78 A few months later, the Defense Information Systems Agency, which buys IT for the Pentagon and works closely with the NSA on protecting the nation’s IT infrastructure, announced that agencies under its command—including NSA—would be required to buy “easy-to-implement commercial solutions” that could be subdivided into smaller projects. “The day of the big systems integrator is over,” said Brigadier General David Warner, DISA’s executive officer for command and control programs.79
The NSA’s start in small-scale data mining programs may have originated with the Total Information Awareness program started by Navy Rear Admiral John Poindexter and briefly described in chapter 2. In 2001, Poindexter was working as the senior vice president for a Beltway bandit called Syntek Technologies, which had research contracts with the Defense Advanced Research Projects Agency and other government agencies. After the 9/11 attacks, he persuaded DARPA to fund an early-warning system for detecting terrorists and other national security crises.80 Using data mining techniques culled from years of DARPA research, Poindexter and his colleagues began sifting through huge public databases holding private information where terrorists might leave “footprints”—credit card purchases, rental agreements, medical histories, e-mails, airline reservations, and phone calls. By searching this “total information” using every search engine imaginable, Poindexter believed the government could develop a national surveillance database that would be able to pick up the trail of unknown terrorists and stop the next attack. He called his project a “Manhattan Project for Counter-Terrorism.” DARPA was interested, and funded it. Poindexter was soon director of DARPA’s Information Awareness Office.
TIA was not a secret program. It received considerable attention in the trade press covering information technology and government research. The scope of its mandate was breathtaking: the Information Awareness Office was instructed to “imagine, develop, apply, integrate, demonstrate and transition” IT systems that would “counter asymmetric threats by achieving total information awareness”—thus the name and acronym.81 Poindexter himself spoke frequently about his work. In August 2002, he delivered a speech to a DARPA Tech conference in Anaheim, California, and spelled out the aims of his new project. In the new world of terrorism and asymmetric threats, the United States faces an enemy organized in “shadowy networks” that are difficult to identify yet dedicated to the destruction “of our way of life,” he said.82
He re
minded his listeners of the recent Cold War past: tracking the elusive enemy of today, he said, was analogous to the “anti-submarine warfare problem of finding submarines in an ocean of noise.” We had to penetrate that “noise” with information technology—finding new sources of data, mining that information and creating actionable intelligence. The key place to look, he argued, was in the “transaction space”:
If terrorist organizations are going to plan and execute attacks against the United States, their people must engage in transactions and they will leave signatures in this information space…. Currently, terrorists are able to move freely throughout the world, to hide when necessary, to find sponsorship and support, and to operate in small, independent cells, and to strike infrequently, exploiting weapons of mass effects and media response to influence governments. We are painfully aware of some of the tactics that they employ. This low-intensity/low-density form of warfare has an information signature. We must be able to pick this signal out of the noise. Certain agencies and apologists talk about connecting the dots, but one of the problems is to know which dots to connect. The relevant information extracted from this data must be made available in large-scale repositories with enhanced semantic content for easy analysis to accomplish this task. The transactional data will supplement our more conventional intelligence collection.83
Thus was born the TIA, one of the most controversial projects launched by the Bush administration.
Much of the initial work on TIA was handled by SAIC and Booz Allen Hamilton. Hicks & Associates, a consulting firm wholly owned by SAIC, won the $19 million contract to build the prototype system.84 And, as mentioned earlier, Booz Allen won more than $63 million worth of contracts,85 and Mike McConnell, who was Booz Allen’s executive vice president in 2002 with authority over the company’s military intelligence programs, was a key figure in making his company the prime contractor.
During his confirmation hearing as DNI in 2007, McConnell told the Senate Intelligence Committee that DARPA’s mining of transactional data from credit card companies and other private entities was an important weapon against terrorists. “What’s happening today is the terrorists are using those very systems for their own benefit—think of it as command and control for remote terrorists, who have a particular ideology they’re attempting to spread so they can communicate around the globe,” he said. DARPA, he added, merely wanted to move data mining “from where it was to where it could be” to keep ahead of the terrorists. Other contractors involved, according to the Electronic Privacy Information Center, included Alphatech, a subsidiary of BAE Systems; SAIC’s Telcordia Technologies; Raytheon; Lockheed Martin Information Technology; Veridian Systems; and more than a dozen other smaller companies.86
One of the companies funded by TIA was SRD, a company founded by Las Vegas entrepreneur Jeffrey Jonas that is now owned by IBM. During the 1990s, Jonas developed a unique software that allowed casinos to search their internal databases to watch for hidden relationships between casino employees and problem gamblers placed on the state of Nevada’s Exclusionary List (which bans those gamblers from doing business in the casinos). The software works differently than most data surveillance programs. It doesn’t use information to predict the behavior of its subjects; instead, it uses names of known people as starting points to discover relationships and patterns that can reveal people working in cahoots. Second, it is designed to help an organization make use of its own data—such as employee records—and therefore doesn’t require access to other databases that could violate a person’s privacy. These two functions are perfect for matching people against a static list like the Exclusionary List.
But as casinos like the MGM Mirage began putting the software to work to comply with the law, the software also began identifying insider threats the casinos weren’t aware of. There was the accounts payable manager who was also a vendor. There was the high-roller getting free rooms and free meals, who happened to be the roommate of the casino worker entering all his points on the computer. And there was the blackjack dealer who shared an apartment with a gambler who always seemed to win when he played that dealer’s table. His software, Jonas told me, doesn’t help you find the next criminal. But “if you know a bad guy, then our technology helps you find that bad guy in your data to make sure he’s not right under your fingers.”87
In 2000, Jonas was invited by the NSA to Northern Virginia to attend a national conference on information security. There, he found himself amidst the area’s rapidly growing Intelligence-Industrial Complex. Among the many speakers at the conference were executives from Booz Allen Hamilton, AT&T, TRW, IBM, ManTech International, and Lockheed Martin and officials from the NSA, DARPA, and the Department of Justice. Jonas’s specialty of tracking “sophisticated scams and collusion-based relationships” was described by the NSA planners on their Web site as “an exciting topic that invariably captures the interest of everyone associated with the field of security.” One of the officials watching was Chris Tucker, who was at that time the chief strategist at In-Q-Tel, the CIA investment bank. He thought Jonas’s software might have immediate relevance to the government, and began introducing him to people in the Intelligence Community. In January 2001, SRD became only the second company to receive an equity investment from In-Q-Tel. But after the September 11 terrorist attacks, In-Q-Tel began looking at SRD’s software—and its ability to find human relationships among various streams of data—in a new light. In the immediate aftermath of the attacks, In-Q-Tel made a second investment in SRD and helped Jonas tweak his software to make it faster (neither SRD nor In-Q-Tel would specify the size of its investments). “We also did a special project to help larger organizations,” Jonas said. One of those organizations was the NSA. Jonas wouldn’t confirm or deny if SRD has contracts with the NSA. But after the attacks, he said, “a couple of government entities” used SRD’s software “to see if there was a bigger plot—was there really twenty planes and all that. But I don’t have security clearances, so I can’t get that close to that.”
Around the same time, Poindexter’s TIA project came calling, and contracted with SRD for some of its research. “I’m intimately familiar with [TIA],” said Jonas. At the time of his first contract with TIA, Jonas said, he was enthusiastic about the program because it was spending between 5 and 7 percent of its budget on privacy technology. For the first time in a mass surveillance program, he said, considerable resources were going into software that would protect the rights of U.S. citizens from unwarranted invasions of their privacy. Among the projects, Jonas told me, were immutable audit logs, which recorded everything done by a software program so audit bodies—such as the Pentagon’s Office of Inspector General or a congressional committee—could go back in time to see how an intelligence or law enforcement agency used particular programs to monitor people.
After TIA came to light in 2003, Congress defunded the program.88 But the program lived on at the National Security Agency. In 2006, Shane Harris, a reporter with National Journal, discovered that key parts of TIA, including the prototype search program developed by SAIC, had been moved from DARPA to the NSA’s research component, the Advanced Research and Development Activity (ARDA) office, located at NSA headquarters in Fort Meade (according to the Congressional Research Service, ARDA spends NSA money on research that can “solve some of the most critical problems facing the US intelligence community”89). The NSA had been one of the first users of Poindexter’s data after he started the TIA program, and began installing nodes on the TIA’s classified network in early 2003, according to Harris.
Another TIA program, designed to build “information technologies to help analysts and policy makers anticipate and pre-empt terrorist attacks,” was also moved to ARDA and renamed Topsail; subsequently, SAIC won a $3.7 million contract for that project, according to Harris.90 In 2006, the DNI took over management of ARDA and renamed it the Research and Development Experimentation Capability, or RDEC. The Armed Forces Communications and Electronics Association, which r
epresents many defense intelligence contractors, describes RDEC as “a virtual network in which new tools (and tool integration) can be tested and evaluated apart from the DoD infrastructure.”91
To the chagrin of privacy advocates, however, none of the privacy projects initially funded by TIA made the move to the NSA. “The program now has been killed, and all the privacy work is dead,” Jonas told me in 2006 (neither the NSA nor the ODNI would comment).
It’s impossible to know if the NSA’s TIA programs are still being funded. In any case, the NSA has responded to its IT problems and the new mandate from the Pentagon by funding small-scale data mining projects to troll the Internet and cyberspace for clues to the next terrorist attack. The projects, which come under the name Turbulence, have become the top priority of NSA director Keith Alexander. According to reports in the Baltimore Sun and Washington Technology, it has cost upward of $500 million, and has concentrated primarily on searching the Internet for networks believed to be used by terrorists and terrorist sympathizers, and targeting those networks for key words that might provide clues to future attacks on U.S. citizens and soldiers. According to the Baltimore Sun, Turbulence includes nine core programs designed to map “social networks based on intercepted communications, embedding technology on networks to collect data, and searching for patterns across hundreds of NSA databases.”92