


Pentagon sharing classified cyber threat intelligence with companies

by Shane Harris




In response to an unprecedented wave of attacks on the Defense Department's computer networks, and possible theft of information about U.S. weapons systems by foreign governments, the Pentagon has quietly begun sharing classified intelligence about hackers and online threats with the country's biggest defense contractors. The new intelligence partnership, which has not been previously reported, is known as the Defense Industrial Base initiative, or "the DIB."

Tomorrow’s edition of National Journal will feature this story, which has already been posted to the Web site. (Free to non-subscribers.)

Also, in light of recent press reports about cyber spies penetrating the U.S. electrical grid, I’m enclosing a link to a story we ran last year on the cover of the magazine: “Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States.”






Hacking the Hill

by Shane Harris




The cover story of today's National Journal features a narrative about an unidentified hacker (or perhaps hackers) who compromised the computers of eight members of Congress and seven committees in the House of Representatives. Some members publicly blame China for the incident, and one calls it a case of “overseas espionage.” The story shows how House information security personnel discovered the penetration and worked to contain it.



Toxic Information

by Shane Harris




U.S. intelligence officials are increasingly worried that hackers could wreak havoc on the financial system. Read the story here in National Journal.


Not that we need it, but here's yet another reason to worry about havoc in financial markets: U.S. intelligence officials increasingly fear that computer hackers could wreck banks and large financial institutions, or send stock markets into one more panicked frenzy, by covertly manipulating data and spreading false information.

In interviews and speeches over the past few months, senior counterintelligence and security officials laid out some dire scenarios. They're all predicated on a determined individual or small group fabricating information in such a way that the public sees a different picture of financial health than exists, either at a particular company or in broad markets.

For example, imagine a large brokerage finds itself suddenly saddled with huge losses because a disgruntled employee falsified information in the company's accounting systems, thus ensuring that billions of dollars in losses never show up on the books. Or think about the tumult that would ensue if someone hacked into a stock exchange and changed individual share prices, unleashing a flood of buy and sell orders.

These kinds of nightmare events shape the thinking of the senior Bush administration officials in charge of protecting the nation's computer infrastructure. They're concerned that financial institutions, while aware of the risks posed by lax information security, haven't taken bold enough steps to tighten up their own defenses and thus are imperiling a global system that is utterly dependent on accurate information.

The current crisis in mortgage-backed securities underscores the consequences of inaccurate information. Analysts often labeled those investments safe because they relied on outdated mortgage-default rates to assess the loans' riskiness. Their flawed calculus was presumably unintentional.

But imagine the damage that intentionally feeding the market bad information could cause. "Let's say instead of bringing down the systems at the New York Stock Exchange, you were able to corrupt the data in the exchange's system," Joel Brenner, the government's top counterintelligence officer, posited in an interview with National Journal in May. "If that happened, the market would lose confidence in the prices. 'Gee, I thought I bought a million shares at X, not X plus 10 cents.' What would happen to trading? The clearing mechanism would grind to a halt at the end of the day."

It may sound improbable, and Brenner stressed that the security on stock exchanges is "very, very good." But he and other senior officials say that the financial system as a whole is not sufficiently protected. The economic damages from massive fraud, they note, could exceed those caused by an act of terrorism. And at a time when the global financial system is teetering on collapse, financial networks are becoming more interlinked and hackers are perfecting their techniques.

Officials don't base their hypotheses on unfounded fears. Indeed, the world has already seen that one person, with a reasonable level of technical skill, can make whole economies shudder.

In January, Societe Generale, one of France's largest financial services companies, discovered that a midlevel trader had made a series of complex and bogus futures transactions by hacking into the bank's security and trading systems. Jerome Kerviel disabled an automatic-alert mechanism that should have flagged his reckless transactions. And he stole passwords that gave him access to accounting records, which he falsified to cover his tracks. He even constructed fake e-mails about fictitious trades to make his activities seem real. When the trader's managers discovered Kerviel's fraud, they spent a weekend trying to reconcile the trades in the open market. The bank's losses totaled more than $7 billion.

"The unwinding of such a massive position put immense pressure on the futures market," according to Eben Esterhuizen, an investment analyst who covered the story for The Panelist, a financial news blog. "Other traders saw the plunge in futures amid massive and mysterious selling ... and they started selling everything else."

U.S. markets were closed the following Monday, on January 21, for the Martin Luther King Jr. holiday. But world stock markets dipped dramatically. Kerviel's fraudulent transactions had not yet been publicly revealed, so no one could point to a specific cause for the drop. To fend off a spreading panic, Federal Reserve Board Chairman Ben Bernanke cut the interest rate that the Fed charges banks for overnight loans by three-quarters of a percentage point. It was the Fed's biggest ever emergency cut, and it was precipitated in large part by Kerviel's massive disinformation campaign.

Rogue traders like Kerviel have caused big losses before, but never this big. In 1995, trader Nick Leeson brought down Britain's Barings Bank by causing approximately $1 billion in losses. Leeson, however, also ran the part of the company that was supposed to oversee his trading. Kerviel, on the other hand, was a trader who had come up through the back office and, as a technophile, had learned how to circumvent Societe Generale's computer systems.

The Kerviel case got the attention of senior security officials in the Bush administration. In a public address in September, Melissa Hathaway, who manages the cyber-security portfolio for the director of national intelligence, described it as a prime example of how an insider hacker can, with relative ease, shake the global economy.

Hathaway said that the case is one of several hacking incidents that have informed the policy behind the Bush White House's national cyber-security initiative, an ambitious and largely classified plan that officials are rolling out in the administration's final months. The insider threat ranked "first and foremost" among the so-called attack vectors that officials have reviewed, she said. The cyber-plan is aimed primarily at government networks, but Hathaway, like Brenner and other experts in government, has spent much of her time discussing unaddressed risks to private networks, particularly in the financial sector.

To get a sense of just how susceptible financial markets are to disinformation, consider how wildly stock prices fluctuate because of a rumor. Earlier this month, Apple's share price tumbled by more than 10 percent moments after a post on a CNN website claimed that paramedics had rushed Steve Jobs, the company's CEO, from his home after an apparent heart attack. The site solicits "user-generated content," but CNN does not verify it. The poster claimed that an anonymous source with firsthand information had supplied the tip about Jobs, and the report seemed real enough to spark a panic. (Jobs had pancreatic cancer, and his health has been a constant source of worry for investors.)

The company quickly denied the report, and Apple's stock rebounded, but not before dipping under $100 a share for the first time in nearly a year and a half. CNN removed the fake report from its site.

This wasn't the first time that bad information has shaken the markets. In January 2006, an error in NASDAQ's reporting system prompted several websites and online brokers to display incorrect price shifts on various stocks. The prices were correct, but the scale of price changes was not. Some stocks seemed to be up when they were really down, and some seemed to be falling when their share price was actually on the rise. In Japan, trading was halted, and investors found themselves unable to sell losing stocks or to buy up new ones at a discount.

"When you have this kind of problem, it calls into question the entire system," Yakov Amihud, a finance professor at New York University's Stern School of Business, told the Associated Press at the time. "As an investor, you question whether the liquidity in that market is there, whether you can buy or sell exactly when you want to. And maybe you decide to sell off your stocks if you don't trust the system."

These mishaps were also inadvertent. But for financial institutions, officials say, the lesson is clear: Companies must address the safety and soundness of their information systems in the face of all kinds of potential threats. "This is not happening. And this needs to happen," says Tom Kellermann, who was the senior data-risk management specialist at the financial division of the World Bank Group and who now sits on a bipartisan commission writing a comprehensive cyber-security assessment for the next U.S. administration. The threat to financial networks has been a key area of concern for the commission.

"The reality is, we've been building our vaults out of wood in cyberspace for too long," Kellermann says.


Surveillance Standoff

by Shane Harris




In the old days, everyone was linked to a lug nut, and Jim Kallstrom liked it that way.

It was 1985, a simpler time for a cop like Kallstrom, who was in charge of setting telephone wiretaps on suspected drug dealers and mobsters for the FBI's New York City field office. In New York, Kallstrom's cases were often won on the basis of incriminating evidence surreptitiously snatched from the mouths of criminal defendants through their phone lines. With a mere 203,000 Americans using mobile phones, people were still tied to the ground, and that gave Kallstrom's world a certain comforting order.

On any given day, he could stand on a street corner in Manhattan, gaze up at an apartment building with its neat rows and columns of units stacked atop each other, and know that inside each one there was a telephone, tethered by thin copper wire to a single point, sometimes several miles away. In his mind's eye, Kallstrom could have imagined shrinking himself to the size of an electron and traveling over the phone line, down to the bottom of the building, then shooting beneath the streets, until he ended up in the basement of the telephone company's switching station. There, the wire emerged, pegged to a rack by a single copper lug nut. Acres of racks lined the walls, each holding rows and columns of lug nuts and their wires, neatly stacked atop each other -- the city of New York in analog miniature.

With a warrant in hand, Kallstrom could tell the technicians at the phone office, with whom he had become friendly over the years, "Go up on RR326." The tech would walk to the rack, find the wire, and clamp on a listening device. Instantly, Kallstrom became an invisible interloper.

FBI agents and federal prosecutors depended on these legal wiretaps to penetrate drug cartels, incriminate money launderers, and spy on mob families. And they needed to be absolutely certain that the line they were on belonged to the suspected dealer, or launderer, or capo named in the court-approved warrant. Not the guy in the apartment next door. Not someone down the block. This guy. This phone. RR326. Lest the agents violate a judge's order, and perhaps land themselves in jail, this had to be the very same line that snaked back through the subterranean maze of Manhattan, through all those blocks of concrete caverns, back to that certain apartment building, up through the walls and out of the jack and into the phone that was in the hand and next to the mouth of Kallstrom's target. It was, by design and necessity, a neat, specific system.

And then it all went sideways.

Kallstrom's friends in the phone company put him on notice in 1985: Over the next few years, those racks and stacks of wires and lug nuts would be swept into the technological dustbin. The telephone network was going digital. Technicians would no longer stand at a rack; they would sit at a keyboard. In some parts of the country that had already made the change, phone calls were traveling as a stream of 1's and 0's. Thousands of lines commingled in a single computer. When New York went digital, the phone techs told Kallstrom, they would no longer be able to tap him directly into RR326. In fact, they couldn't even tell him for sure where RR326 resided in this new engineering matrix.

At the same time that the phone companies were preparing for the transition to digital, the use of cellphones -- which were inherently harder to tap because a call no longer rode a single, fixed wire from the subscriber to the switch -- mushroomed. From 1985 to '86, the number of registered mobile-phone subscribers in the United States doubled to 500,000. Within two years after that, the number climbed to 1.6 million. By the end of the decade, the cellphone universe had skyrocketed past 4 million.

Organized crime was an early adopter of the mobile phone. In a communications technique presaging that of Islamic terrorists today, members of the Colombian Cali drug cartel operating in New York would briefly use a phone, toss it, and get a new one. To tap a mobile device, technicians had to install listening equipment on the new version of a lug nut -- an "electronic port." But in most switching stations in New York, there were only half a dozen or so ports available at any one time. Federal prosecutors and agents had to stand in line at phone company offices and fight with each other over whose investigation should take priority. Some prosecutors threatened to haul company employees into court on contempt charges so they could explain to a judge why the phone company was unwilling to execute a wiretap order.

Electronic surveillance, once such a dependable, relatively easy craft, was becoming inordinately difficult, Kallstrom thought. The phone companies, whose annual revenues from mobile subscriptions were cresting over $2 billion in the late 1980s, showed little willingness to make the FBI's life easier. As the 1990s approached, with the promise of more digitization and more mobility, Kallstrom called his bosses in Washington: "If we don't do something, we'll be out of the wiretapping business."

A Battle Begins
Kallstrom may have been the first to alert the FBI and the Justice Department to this new reality. The digital revolution generated a constant tension that exists to this day, a push and pull between the federal government in one camp and technology corporations and civil-liberties activists in the other to control the development of the global communications system, and so the balance of power in the Information Age.

This struggle's latest manifestation is the intensely politicized effort to rewrite the Foreign Intelligence Surveillance Act. At issue is nothing less than the government's authority to broadly monitor communications networks to spot terrorists and other national security threats. The Bush administration finds itself across the battle lines from many of the same groups that more than a decade ago argued that the government was already extending its reach too far into personal conversations in the name of pursuing criminals.

While FISA governs wiretapping for intelligence-gathering purposes, as distinct from law enforcement, surveillance in both worlds follows the same essential philosophy -- the best evidence in a court of law or in an intelligence operation is one's own words. Today's dispute is not very different from the one that occurred during the dawn of digitization in the 1990s. Indeed, both are part and parcel of the same long-running debate.

No one should believe that real-time government surveillance of the communications network is an idea born of the 9/11 attacks or that it results solely from the Bush administration's aggrandizing of executive power. The legal arguments that the government has asserted to support increased surveillance of digital space were first put forth in 1994, under a Democratic president, and they had little to do with the threat of Islamic extremism.

Nor should anyone mistake the roots of the vociferous opposition to today's wiretapping from civil libertarians and privacy advocates. Many of these groups and their allies have been battling to restrict the government's use of new, potentially invasive technologies for a generation. The Bush White House is only their latest adversary, albeit the most formidable. These activists and their allies in the business world have been motivated by different but mutually supportive goals: to extend constitutional safeguards to the digital realm, and to keep the government from suffocating technological development with burdensome surveillance laws. Some in those ranks would have liked, and indeed tried, to make the digital network a wiretap-free zone.

But despite the occasionally extreme positions and deeply held convictions of all of these players, the most important laws governing wiretapping, electronic surveillance, and privacy have been the product of negotiation, of people gathering in a room, sitting at a table, and talking -- sometimes screaming -- until they reached a settlement. The current debate, however, is missing that crucial spirit. Whereas before, adversaries trusted each other enough at a basic level to make deals, however temporary, today's opposing sides seem unwilling to compromise to pass new surveillance laws that the nation can live with. It's not entirely clear where or why minds turned so stubborn. But to understand today's political calcification, it helps to recall a simpler time.

The Art Of Compromise
Jerry Berman was a veteran of the privacy wars, seemingly born for the role of liberal, dogmatic activist. In the early 1950s, his father, a labor leader, was investigated by the House Un-American Activities Committee. A native of Hawaii, the younger Berman moved with his family to California, where he enrolled at the University of California (Berkeley). After earning his bachelor's and master's, and, in 1967, his law degree, Berman began lobbying for the American Civil Liberties Union. He became an authority on the intersection of national security and technology, schooled by the exposure of illegal FBI spying operations aimed at political organizations, war protesters, and leftist activists. In 1978, Berman helped to craft the Foreign Intelligence Surveillance Act, which set new restrictions on the government's domestic intelligence-gathering. He was present at the creation of several important pieces of surveillance legislation, and he helped secure individual privacy protections.

In playing his role, Berman didn't adhere to a hard-and-fast position but instead embraced his own brand of "principled pragmatism." By his logic, the interests of privacy and national security were not incompatible. If all sides -- government, industry, civil-liberties activists -- could find ways to "maximize the good and minimize the harm," as he liked to say, they could strike a satisfactory balance and create workable laws. This idea guided his work on FISA and other legislation, sometimes to the consternation of more-ideological activists who employed him to lobby Congress on their behalf.

Perhaps that was because principled pragmatism recognized an unsavory reality: In Washington, those who show up to play the game make the rules. Negotiation requires sacrifice. Sacrifice requires flexibility. Some people would rather break than bend. But compromise is how things get done, and Berman accepted it. As a colleague summarized Berman's general approach to lawmaking, "You can stand on your principle and get your ass handed to you, or you can engage in the process and get a better deal."

In the summer of 1994, the FBI and the Justice Department made a bold play to force the telecom carriers to help them conduct legal wiretaps. They put forth a proposal that would require the companies to build their networks so that law enforcement agents serving a warrant could access them in real time. The legality of wiretapping was not in question. The government wanted legal assurance that it could tap, at any time, and that the industry had an obligation under law to comply with the government's proper authority.

No more computer-related hassles, no more standing in line to plug into mobile-phone ports. Law enforcement agents, federal spymasters, and prosecutors wanted a comprehensive remedy to what they called the "digital telephony" problem. Their chief advocates were Kallstrom and Louis Freeh, the recently appointed FBI director, a former special agent and federal prosecutor who had used wiretaps to secure convictions in some of the most complicated organized-crime investigations in history. Freeh personally pushed for the new law, showing up unannounced in reluctant lawmakers' offices to press them for support and even sitting in on committee markups -- an unprecedented move for an FBI director -- to stare members down.

Clipper Chip
The 1994 proposal was only the latest in a series of government efforts to strengthen its control of the telecommunications network. In the late 1980s, Justice officials had gotten as far as placing language in an anti-crime bill that would have allowed the attorney general to set standards for telecommunications equipment, effectively making that federal official the network's architect-in-chief. (The bill did not pass.)

In 1993, Bill Clinton, in one of his first presidential directives, announced that engineers at the National Security Agency, the intelligence community's electronic surveillance arm, had developed a cutting-edge microcircuit, called the "Clipper" chip, to scramble telephone conversations. The administration intended to promote the installation of the Clipper technology in U.S. telephones, and planned to hold "in escrow" the digital keys to decrypt any conversation, split between two government escrow agents who would release them to law enforcement on a court order. In other words, the federal government would build the lock and keep the key, an idea that inspired a reaction somewhere between outrage and apoplexy among technologists and privacy advocates, who ultimately killed the idea.

In that atmosphere of hostility and skepticism, Berman went to work. Beginning in August 1994, he convened a series of meetings with senior law enforcement officials under the auspices of a privacy and security coalition he had formed with more than four dozen activist groups and technology companies -- including the biggest telecom provider of all, AT&T -- plus the U.S. Telephone Association, IBM, and software makers such as Microsoft. The goal was to resolve differences over the government's proposal to ensure federal access to telecommunications networks. Berman also brought in two powerful Democratic lawmakers and noted civil libertarians, Sen. Patrick Leahy of Vermont and then-Rep. Don Edwards, whose district included California's Silicon Valley. Everyone in the negotiating room had some familiarity with technology issues, and professional experience in law enforcement or Justice Department oversight.

The meetings featured intense, nitty-gritty debates over the technical aspects of the law. The FBI wanted guarantees that the telecom system would never mature beyond the reach of its wiretaps. Some companies saw this as heavy-handed regulation, and a number of telecom officials shared the activists' belief that the government was in fact after a permanent covert backdoor into the phone system. The negotiations helped to somewhat dampen the suspicions, however, and the talks went forward because no one in the room disagreed with the fundamental premise that the government had the right to wiretap.

But outside of the meetings, divisions festered among the interest groups. Berman represented the Electronic Frontier Foundation, which champions the public interest in the digital realm, but its board couldn't decide whether compromise was prudent or perilous. Berman felt he had to persuade his colleagues, in another series of heated meetings, to work in the middle. To him, that meant that the legislative negotiations would follow an inviolate principle: We will only craft solutions to known problems. No writing of laws aimed at encompassing future problems. If the FBI has difficulty accessing the public telephone network, then the law will address only that public telephone network.

In addition to identifying a philosophical guideline, this approach served a more strategic goal -- to keep the FBI's hands off the Internet, which was so new in 1994 as to be practically notional. Internet service providers such as America Online and Prodigy had only a handful of subscribers, and the first version of Netscape's Web browser had been released that year, in a beta test version. Still, Berman and others knew that the FBI would never willingly agree to stay off the information superhighway, because Internet-based information held tremendous potential value for law enforcement.

During one meeting, David Johnson, a lawyer who had helped to craft the Electronic Communications Privacy Act in 1986, held up a glass jar full of rocks and asked, "How many of you would say this jar is full?" Most people agreed that it was. Johnson took a fistful of pebbles and dropped them into the jar. They tinkled down through the rocks, finding resting places in the empty spaces. Then he poured sand into the jar. As it cascaded into the empty spaces, Johnson told the onlookers that the sand was like the unseen, seemingly insignificant "transactional data" that traveled on the Internet. Transactional data includes the routing information for a text-based message -- where it comes from, where it goes, and what path it follows -- and the series of digits that make up an Internet address. This information would someday be of enormous value to the government, he said, just as phone call records, as opposed to actual conversations, already were. The transactional data were small but meaningful -- like the tiny grains of sand that kept filling the volume of the jar.

CALEA
Johnson's vivid illustration convinced many of the participants that the new law mustn't extend too far. Again, the issue wasn't whether law enforcement had a right to information but how much power the government should have over the means to get it. Leahy and Edwards, who formally introduced the legislation shortly thereafter, declared that it would apply solely to the public telephone network. The law specifically exempted "information services," which the parties agreed included Internet companies and electronic-messaging technologies.

The Communications Assistance for Law Enforcement Act passed in the closing days of the 103rd Congress, about a month before Republicans won control of both chambers in November 1994. CALEA (pronounced kuhLEEuh) would let the industry set its own standards to meet the Justice Department's needs. The department could list its surveillance requirements, but the act let companies decide how to build their equipment. Justice won the right to petition the Federal Communications Commission if its officials felt that the companies weren't fulfilling their obligations. But civil-liberties groups also secured the right to challenge the government's requirements in court.

It was a true compromise, hard won but workable. For Berman, principled pragmatism had carried the day. For others, however, the compromise had given away too much.

The board of the Electronic Frontier Foundation had seen the proverbial legislative sausage being made and found it distasteful. Even though the directors had agreed to every aspect of the law, which Berman explained to them, within weeks after its passage he left the EFF and formed his own outfit, the Center for Democracy and Technology, to continue his brand of lobbying. The EFF pulled up stakes in Washington the following year and moved to San Francisco, where it continues to play a leading role in supporting lawsuits against telecommunications companies -- most notably AT&T, its former ally -- for their role in assisting the government with warrantless wiretapping after the 9/11 attacks.

At the time, Berman confided to Kallstrom, whom he thought had always acted in good faith for the FBI, "My work on CALEA got me fired."

Kallstrom was apparently happy to see his more idealistic opponents leave town. "You didn't get fired, Jerry," he replied. "You got promoted."

Making Demands
Had the FBI and the Justice Department stopped there, had the government settled for secure access to phone networks, the history of Internet privacy and civil liberties might have turned out differently. But within months of President Clinton signing CALEA in October 1994, conflict erupted between the government and the phone carriers over the kind of network access the law provided. The raft of compromise that had carried the deal sprung a leak.

FBI officials knew in 1994 that they were making a mistake by leaving cyberspace out of CALEA. They understood the Internet's potential as a communications device and an intelligence tool -- that is, after all, why CALEA's authors exempted "information services."

"Did we know that it was idiotic to carve that out?" Kallstrom asks now. "Yes, we did." Criminals have always been among the first to embrace new technology. It was foolish to think that they wouldn't turn to the Internet for any number of nefarious gambits. But, Kallstrom says, government officials opted "to fight another day" over Internet access. Privacy advocates were dragging their feet in the negotiations. Delay would invite more debate, probably more hearings, and possibly a less favorable outcome. The political decision was made: "Let's take what we can get here."

In early 1995, the Justice Department issued its list of requirements for wiretapping, known as the punch list. Not surprisingly, many telecom executives and their attorneys viewed the demands as unreasonable. Al Gidari, a lawyer representing the wireless industry, was among the first to see the FBI's requirements, during the initial meeting to develop standards for CALEA, which was held that spring in Vancouver, British Columbia. The Justice Department's wish list, he said, amounted to "the Cadillac of wiretaps."

"Everything they could ever think of to gold plate and put on the Cadillac was in that document," Gidari recalls. Meeting its expectations represented "an exponential increase in complexity, not a linear increase.... They were very dictatorial ... technical requirements -- the very thing that Congress said it wasn't up to [the FBI] to figure out."

The standards meeting was tense and awkward, and the sides were unevenly matched. Gidari recalls a dozen or more FBI agents, in neat blue suits, all buttoned down and looking ready to roll over anyone who stood in their way. Arrayed on the opposite side of the table was a group of laid-back and casually dressed network engineers from all the major telecom equipment manufacturers and carriers that was tasked with the unenviable job of telling the bureau that the industry planned to build a much less complex system. It wasn't what the FBI agents wanted to hear.

Over the next few years, the Justice Department continued to seek increasingly sophisticated surveillance capabilities, including real-time geographical tracking of mobile phones; the ability to monitor all parties in a conference call regardless of whether they are on hold or participating; and "dialed digit extraction," a record of any numbers that a subject under surveillance punched in during a call, such as a credit card or bank account number. The government got a lot of what it wanted, but not all.

To be sure, criminals' use of new technologies helped drive the law enforcement demands. But telecom carriers worried that the cost of compliance was too high and that the FBI's technical requirements were illegally broad. CALEA, they argued, had forbidden the government from requiring specific system designs or technologies.

The FCC's Turn

Justice, frustrated by its inability to get all the demands on the punch list, finally asked the FCC to step in. In 1997, the Cellular Telecommunications Industry Association, which then represented mobile carriers, and the Center for Democracy and Technology complained to the commission that the negotiations had deadlocked because of "unreasonable demands by law enforcement for more surveillance features than either CALEA or the wiretap laws allow." The FCC, however, sided with the Justice Department on a host of requirements that privacy groups found overly broad. The tussle dragged on for two more years and ended up in the U.S. Court of Appeals for the District of Columbia Circuit, which overruled the FCC. After the commission took up matters again, it granted some of the FBI's requests, and the CALEA standards were amended.

When Justice Department officials reported to Congress on CALEA implementation in January 1998, no manufacturer of telecom equipment said that the FBI's demands were impossible to meet, but they did say that complying would be difficult and very expensive. (Although Congress had set aside $500 million to reimburse companies for retrofitting their networks, the law required the carriers to bear the cost of compliance on any equipment put in place after CALEA was enacted. Several experts believe that the final cost for compliance on telephone networks has been two to eight times the amount originally allotted.)

The level of government surveillance was so low at that time that some questioned why the FBI wanted such multifaceted access at all. In 1994, federal and state authorities were running 1,154 wiretaps nationwide, mostly for drug investigations, at an average cost of $50,000. The government was asking carriers to "design a nuclear rocket ship" for a rarely used tool, Gidari thought. "In [the FBI's] view, there was no limit to the expense the carrier should spare in order to save a life."

CALEA continued to evolve, shaped by the ongoing arguments over the terms of its birth. Activists and carriers thought that the FBI was reneging on its bargain, asking for more than the law allowed. The FBI believed that carriers were stalling when they failed to meet compliance deadlines. As all sides dug in, the meetings on implementation turned bitter. FBI and Justice officials slammed their hands on tables and screamed at carrier representatives, Gidari recalls. "You're unpatriotic! What do you want to do, help the criminals?"

The government asked those same questions after September 11, 2001. And this time, telecommunications carriers responded. Outside the normal FISA warrant process, which covers intelligence-gathering, carriers opened access to their networks, their customer call data, and their valuable transactional information -- the kind that CALEA had intended to exclude. President Bush and his administration believed that the extraordinary nature of the terrorist attacks demanded emergency actions that FISA couldn't accommodate, and the carriers answered the call from law enforcement and intelligence agencies. But government officials also seized on the post-9/11 mentality to change other surveillance laws and procedures, which they believed -- just as their predecessors did in 1994 -- were out of step with technology and reality. About three years after 9/11, officials set their sights on rewriting CALEA.

Claiming The Internet

In August 2004, in response to a petition by the Justice Department, the FBI, and the Drug Enforcement Administration, the FCC expanded CALEA to cover Internet communications, including voice calls and instant messages. The Electronic Frontier Foundation sued, along with industry, civil-liberties, and academic groups. In 2005, the Court of Appeals ruled 2-1 to defer to the FCC's reading of the law.

Many of those who had helped craft CALEA believed that the commission had misread the law and acted on a post-9/11 impulse to give the government more, not less, access to information. But to the FCC, new Internet technologies that operate a lot like telephones blurred the distinction between "information services" and the kinds of technology that CALEA was meant to cover.

After 9/11, law enforcement and intelligence agencies took a variety of measures, apart from wiretaps, to collect and mine potentially valuable information from the Internet. With the cooperation of telecom companies, government accumulated lots of transactional data -- including e-mail header information and lists of websites visited by targeted individuals -- to support counter-terrorism operations. Viewed solely as a reaction to the terrorist attacks of 2001, this kind of collection might seem extraordinary. But through the longer lens of history, the government's steady march into cyberspace is not surprising.

Law enforcement agencies have never suffered for lack of access to the phone network. Kallstrom recalls only a few instances in which agents were unable to execute a wiretap order because of new technology. But as digital, mobile technology has proliferated, the copper lug nuts that Kallstrom remembers from the 1980s have disappeared. Today, state and federal agents spend most of their tap time on mobile devices. In 1994, most wiretaps, by far, targeted private residences. There were few taps on mobile devices. Ten years later, 88 percent of the 1,710 wiretaps were on mobile devices. Only 5 percent were on residential lines. Without CALEA, some experts believe that Kallstrom's initial fears would have come true and the federal government would have been shut out of the wiretapping business.

Jerry Berman never wanted that to happen. Although he cannot accept that the law that was meant to minimize the government's influence over the Internet is now being used to facilitate it, he is willing to negotiate on CALEA again, if that is what's necessary to satisfy all parties.

That willingness to talk extends to FISA, as well, and Berman's Center for Democracy and Technology has been actively involved in the current agitations over the law. But whenever he and his cohorts have extended the hand of compromise to Congress or the administration, he says, they have been disappointed. Any attempt to revamp FISA, or to clarify CALEA, "is impossible in the current climate," Berman says. "There is no sense that you could get the kind of negotiation we got in 1994."

FISA And CALEA

One has to wonder how strong that spirit of compromise really was in 1994, and whether it was already ebbing. If the FBI was willing to take what it could get on CALEA and go on to fight another day, did the government really "settle" at all? Literally weeks after CALEA was signed, the Justice Department and the FBI came roaring back with new demands. What killed the penchant for negotiation? Was it the moderates' loss of power in both political parties after the 1994 Republican revolution? Was it the entrenchment of civil-liberties activists? Was it the Bush White House's extravagant interpretation of executive power? Was it 9/11?

Berman spends a lot of time pondering these questions and thinking about next moves. He divides his time between Washington, where he chairs his group's board of directors, and a home he built on the Cacapon River near Berkeley Springs, W.Va. "We just have people in bunkers now," Berman says ruefully.

The FISA debate is currently hung up on whether companies that assisted warrantless surveillance after 9/11 should have retroactive legal immunity for any laws they may have broken. CALEA has something to say about that, too. The law requires that carriers be able to deliver call identification information to the government remotely. According to Beryl Howell, Sen. Leahy's lead CALEA staffer, that provision was meant to keep government agents from sitting in the phone companies' offices to execute their wiretaps.

It is a basic tenet of wiretapping law, whether for intelligence or law enforcement, that the communications companies act as a buffer between their customers and the government, she says, and that telecom carriers must make their own determination whether official requests are, in fact, legal. That the companies would now assert, in defense of their cooperation, that the government determined that post-9/11 requests were legal, strikes Howell as outrageous.

If ever there was a time for the bare-knuckled negotiations of the past, it's now. It's not at all clear, though, who could play the role of Jerry Berman, the one to bring people into the room to scream and yell at each other and emerge feeling better for it -- and possibly even coming to a compromise. As things stand, Congress appears more likely to punt the FISA debate to the new administration, and has shown little interest in revisiting CALEA.

The constant tension that once kept this system in balance has reached a breaking point. There is no push and pull. Maybe the stakes are too high for compromise. But until that spirit returns, Berman says, "there will be no peace."

Published in National Journal

NSA Sought Data Before 9/11

by Shane Harris
Beginning in February 2001, almost seven months before the 9/11 terrorist attacks, the government's top electronic eavesdropping organization, the National Security Agency, asked a major U.S. telecommunications carrier for information about its customers and the flow of electronic traffic across its network, according to sources familiar with the request. The carrier, Qwest Communications, refused, believing that the request was illegal unless accompanied by a court order.

After terrorists attacked the United States on September 11, the NSA again asked Qwest, as well as other telecom companies, for similar information to help the agency track suspects with the aim of preventing future attacks, current and former officials have said. The companies responded in various ways, with Qwest being the most reluctant to cooperate. However, in February 2001, the NSA's primary purpose in seeking access to Qwest's network apparently was not to search for terrorists but to watch for computer hackers and foreign-government forces trying to penetrate and compromise U.S. government information systems, particularly within the Defense Department, sources said. Government officials have long feared a "digital Pearl Harbor" if intruders were to seize control of these systems or other key U.S. infrastructures through the Internet.

A former White House official, who at the time was involved in network defense and other intelligence programs, said that the early 2001 NSA proposal to Qwest was, "Can you build a private version of Echelon and tell us what you see?" Echelon refers to a signals intelligence network operated by the NSA and its official counterparts in Australia, Canada, New Zealand, and the United Kingdom.

The NSA realized that it was blind to many of the new online threats and to who was using the privately owned telecom networks, and it thought that Qwest was in a position to help. The agency needed better intelligence in the face of a burgeoning Internet, and Qwest was then building a high-speed network for phone and Internet traffic that had caught the attention of senior intelligence officials. The NSA, in effect, wanted Qwest to be the agency's online eyes and ears.

Another source said that the NSA wanted to analyze the calls, e-mails, and other transmissions crossing Qwest's lines, to detect patterns of suspicious activity. Telecom carriers routinely monitor their networks for fraudulent activity, the former White House official noted, and so the companies "have an enormous amount of intelligence-gathering" capability. They don't have to target individual customers to "look for wacky behavior," or "groups communicating with each other in strange patterns." That information could augment intelligence that the NSA and other agencies were gathering from other sources, the former official said.

Qwest's then-chief executive officer, Joseph Nacchio, rejected the NSA's request. "He didn't want to go along with that," and his refusal was not greeted warmly in the intelligence community, the former White House official said. Another source, a former high-ranking intelligence official, said that other companies, both before and after 9/11, had less of a problem complying with government requests if they were accompanied by a legal order. The ex-official added that some companies were willing to offer data and to assist the government "as necessary" on a voluntary basis, without a court order.

Nacchio has said publicly that the NSA asked Qwest for customer records after the 2001 terrorist attacks. But the nature of the agency's request before 9/11 has not been disclosed previously. Sources familiar with the activities spoke to National Journal on the condition of anonymity, because the work is still classified.

By early 2001, the NSA was aware of the growing threat of terrorism and was monitoring communications among Al Qaeda members overseas. But the agency, the Defense Department, and the White House also feared Internet-based attacks on U.S. government installations, and they believed that other countries were increasingly interested in cyberspace as a battlefield.

At the same time, the NSA was hesitant to conduct any surveillance activities that might violate long-standing prohibitions on domestic intelligence-gathering without court orders. One way to get the information that the agency and others deemed necessary for network defense was from the telecom carriers.

Nacchio, it appears, believed that the NSA's pre-9/11 request for access to Qwest's network was illegal. The former White House official said that the intelligence-gathering was not targeted at Qwest's U.S. customers, but he acknowledged that handing over customer information without a lawful order could violate the Electronic Communications Privacy Act, a 1986 law that extended wiretapping restrictions on phone calls to include electronic information transmitted by and stored in a computer.

After 9/11, that law was amended by the USA PATRIOT Act, and it became easier for the government to obtain certain private communications. When reports surfaced last year that telecom carriers were participating in a post-9/11 NSA program to analyze customer calling patterns for terrorism indicators, Nacchio's attorney stated publicly that Qwest had refused "to make private telephone records of Qwest customers available to the NSA immediately following [enactment of] the Patriot Act." Nacchio had concluded that the NSA's requests violated the privacy requirements of another law, the Telecommunications Act, his attorney said.

The question of Qwest's involvement with the NSA before 9/11 has surfaced in recent weeks because of Nacchio's appeal of his criminal conviction on 19 counts of insider trading. Nacchio was sentenced to six years in prison in July, but he remains free pending his appeal. He contends that the NSA retaliated against Qwest for not complying with its request by denying the company work under a multibillion-dollar program called Groundbreaker, which outsourced the NSA's unclassified information-technology systems. Federal prosecutors deny that allegation, noting that Qwest was a member of the team that ultimately won the Groundbreaker deal in August 2001.

Nacchio wasn't allowed to use his retaliation argument at his trial. But details of Qwest's interactions with the NSA, as well as years of work that the company performed for the Defense Department and the intelligence community, are contained in legal documents filed by his defense team and made public three weeks ago. Although the documents are partially redacted, they reveal that Qwest aggressively pursued business with the NSA while trying to put off officials' entreaties for more access to the company's network, requests that persisted for years.

The documents state that Nacchio and another senior Qwest executive met with NSA officials at their headquarters at Fort Meade, Md., on February 27, 2001. At this meeting, the agency proposed Qwest's participation in certain activities whose details are redacted from the court documents.

"Nacchio said it was a legal issue, and they should not do something their general counsel told them not to do," according to federal investigators who interviewed the former head of Qwest's government business unit, James F.X. Payne. "Nacchio projected that he might do it if they could find a way to do it legally."

Payne told investigators that the NSA requests came up "in meetings after meetings." Investigators quoted Payne as saying, "There was a feeling also that the NSA acted as agents for other government agencies." Payne could not be reached for comment.

Although the NSA's specific request for an Echelon-like program may have worried Qwest's attorneys, it appears that the company was sharing other kinds of proprietary information about its network with the Pentagon in the months before 9/11.

In May 2001, then-Commerce Secretary Donald Evans told the Senate Appropriations Committee that his department had helped to persuade Qwest to "share proprietary information with the Defense Department to evaluate the vulnerability of its network." (The Commerce Department includes an agency that is responsible for telecom policy.) Qwest, Evans noted, was the largest carrier in the Rocky Mountain corridor. That area is home to some of the military's most important command-and-control facilities, including the U.S. Strategic Command, which oversees nuclear weapons.

By the time the NSA asked for Qwest's assistance in February 2001, the company had become a darling of the Internet Age. Founded in 1988 by Philip Anschutz, who owned the Southern Pacific Railroad, Qwest built the first all-digital, fiber-optic network by laying lines alongside railroad tracks, then linking to terminals in key locations to provide high-speed Internet and data connections.

The Defense Department operates its own classified networks, which are more resistant to attack, but Qwest's network was faster, more expansive, and more technologically advanced. Nacchio's legal documents show that from the late 1990s and into the new century, Qwest was chasing at least two lucrative deals to build private, secure networks for defense and intelligence agencies.

Qwest's first high-level contact with the NSA may have occurred as early as 1997. Late that year, according to Nacchio's legal briefs, Qwest was informed that a military "general officer wanted to meet with Mr. Nacchio." Two weeks later, a three-star (lieutenant) general and his aide showed up at Nacchio's Denver office and told him that they had "heard about Qwest's new network." Nacchio described the operation and "talked about his background at AT&T, with which they were already familiar," the documents state. Nacchio had spent more than a quarter-century with AT&T before taking over at Qwest in 1997.

At some point, the general -- whose name and affiliation are omitted from the documents -- asked to speak privately with Dean Wandry, who led Qwest's government business unit at the time. "The general told Mr. Wandry that he ran the largest telecom operation in the world, he had looked at Qwest's network, and he wanted to use it for government purposes," the documents state. By law, the head of the NSA must be at least a three-star general or a vice admiral. In 1997, Lt. Gen. Kenneth Minihan was the director. He was replaced in 1999 by Lt. Gen. Michael Hayden, who is now a four-star general and the director of the CIA. Hayden declined to be interviewed for this story. An assistant to Minihan, who is now a managing director with Paladin Capital Group, a private equity firm in Washington, said he was unavailable for comment.

A number of former intelligence officials said that the description of a three-star general running the "largest telecom operation in the world" seemed to fit the NSA. In 1997, the Defense Information Systems Agency, which manages a large telecom enterprise, was also run by a lieutenant general. But that agency's operations are smaller than the NSA's. Also, Qwest's first contact with DISA occurred after the 1997 meeting with the unnamed military officer, according to Nacchio's legal filings. Qwest has done unclassified work for DISA, and it received a large contract from the agency as recently as last year.

After the Denver meeting, Wandry told Nacchio "that there was a big opportunity here for Qwest," the court filings state. Nacchio received a security clearance "a short time later." Qwest then received a contract from the agency, which Nacchio wanted to announce publicly. He was "refused permission," the briefs state, but he "understood at the time this was the beginning of a relationship which had enormous potential for future work. This proved increasingly true as time went on."

Qwest certainly worked for the NSA beginning at least in 1999. A search of Internet number registration files shows that the company allocated a portion of its network that year to the Maryland Procurement Office at Fort Meade, which is the NSA's contracting unit. An e-mail from employees in Qwest's government business group, sent in December 1999, requested a meeting with senior executives "to discuss the potential opportunity with the Maryland customer." (DISA, it should be noted, is headquartered in Virginia.) By 2001, the company was pursuing the NSA's Groundbreaker contract. And in March of that year, Payne, who by then was running the company's federal business, wrote in an e-mail to colleagues that Qwest was already a "provider" of telecom services to the NSA through existing contracts.

Meanwhile, concern was rising at the NSA that the proliferating global Internet might become a weapon for U.S. adversaries. As early as June 1998, then-NSA Director Minihan testified before the Senate Governmental Affairs Committee about "a wide array of malicious actors -- including hackers, terrorists, and nation-states," all of whom threatened "users of networked information systems."

Minihan singled out Russia and China; the latter, he said, had already incorporated cyber-warfare into its military training. He also pointed to the emergence of "transnational security challenges," including terrorism, drug trafficking, and international organized crime. "These opportunists, enabled by the explosion of technology and the availability of inexpensive, secure means of communication, pose a significant threat to the interests of the United States and its allies," Minihan said.

A former senior NSA official said that the agency also worried that because these groups understood privacy laws so well, they knew how to avoid detection and could predict what the NSA would, and wouldn't, do to track them. "There was such a nuanced understanding of how to tie us in knots and use American law against us, that there were certainly pockets of people saying, 'We've got to be assertive; we've got to be more aggressive on this,' " the former official said.

Hayden, who ran the NSA from 1999 to 2005, was well known for his willingness to push operations to the legal edge. "We're pretty aggressive within the law," Hayden said in public remarks after 9/11. "As a professional, I'm troubled if I'm not using the full authority allowed by law."

Hayden has repeated that refrain since the attacks. But former intelligence officials doubted that he would have authorized any request to Qwest, or other companies, that he believed violated the law. They noted, however, that many in the agency had long thought that monitoring "metadata," such as a phone number, the length of a call, or a series of calls placed from a particular phone, didn't implicate privacy because such information didn't constitute the "content" of a message -- its written or spoken words.

Published in National Journal

The Liberator

by Shane Harris
Mike Wertheimer may be the most dangerous man in U.S. intelligence. You would probably never guess it, judging from his lengthy and opaque title -- assistant deputy director of national intelligence for analytic transformation and technology. A perfect testament to the well-worn bureaucratic tradition of offering little insight by tossing around a lot of words.

Wertheimer's squishy and unassuming title only hints at some vague, general notion of what he actually does for a living. Particularly for the uninitiated, the moniker buries a sense of authority beneath a pair of prefixes (assistant deputy) and offers an unsatisfying buzzword descriptor (transformation), whose etymology points to some consultant's pocket glossary. The title screams "middle management" and thus reassures, "This guy is not a threat."

That message is especially ironic, because to thousands of powerful career employees in the American intelligence community, Wertheimer is, in fact, very threatening. He threatens to upend their world, to change the way they work, and to foist on them the values of a younger generation of spies, who happen to outnumber them. He also threatens to change the way that policy makers use intelligence to reach decisions, and so to "transform" the intelligence agencies' role in the government. All of this makes Mike Wertheimer very dangerous to people who oppose his basic assumptions. And he knows that. He also knows that, to many thousands more in the intelligence field, he is something of a savior.

To understand the origins and purpose of Wertheimer's office, of which he is the first occupant, it helps to refer to a document that also bears a lengthy title, the report by the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction. Better known as the WMD commission report, it provides a painstaking explanation of how 15 intelligence agencies collectively failed to discover that Saddam Hussein's Iraq possessed no weapons of mass destruction.

The contrary assertion that he did have those weapons -- and thus was a threat to the Middle East and a potential benefactor for terrorists -- was, of course, the Bush administration's chief casus belli for the Iraq war. The claim was backed up at the highest levels of the intelligence community in a National Intelligence Estimate released to Congress in October 2002. The WMD commission, which published its findings in 2005, echoed the sentiments of many intelligence professionals, including some who had participated in and blessed the flawed prewar analysis, by pronouncing the episode "one of the most public -- and most damaging -- intelligence failures in recent American history."

Wertheimer's job is to prevent any more such failures and to make sure that the intelligence agencies can accurately predict a host of catastrophic events, including terrorist attacks and disease outbreaks. The commission laid much of the blame for the bad call on Iraq at the feet of analysts, whom it called "the voice of the intelligence community." Although the problems begin with the failure to collect the right information in the first place, the commission particularly faulted the analysts' inability to make sense of intelligence, and to present their judgments to decision makers. During his time in government, Colin Powell was widely regarded among professionals as a decision maker who understood this inherently murky process. He would say to his intelligence officers, "Tell me what you know, tell me what you don't know, and then tell me what you think is most likely to happen." When that analysis breaks down, as it did with Iraq, "the consequences can be grave," the commission wrote.

To be sure, many career analysts object to the "flaws" the commission cited in their tradecraft, regarding both Iraq and another notorious intelligence failure: the September 11, 2001, terrorist attacks. But very few argue with the substance, or the roots, of these breakdowns. The "intelligence community," as the agencies are collectively known, hardly operates as one, and this lack of coordination and -- especially -- collaboration among analysts means that agency leaders and their clients often don't know what the analysts don't know. The disconnect also means that contrary analysis -- of which there was a significant amount in the run-up to the Iraq war -- may find no quarter in analysts' final judgments. It is a disastrous situation for policy makers, who are increasingly turning to nongovernment experts and the news media for rapid, cogent analysis that the intelligence agencies can't always provide.

The WMD commission identified the fix: "Integrate the community of analysts." That's easier said than done, of course, but Wertheimer and others who understand how very un-integrated the analysts are today know that it is prescriptive advice that they can't afford to reject.

The Threat Within

"Post-9/11, we coined a term, the 'asymmetric threat,' " Wertheimer says. "That's a fancy way of describing a future in which the targets for intelligence, the things that we will focus on, are built, designed, and operate completely differently than the way we do." Transformation, that fuzzy word in his title, means "removing that asymmetry."

Before the attacks, the intelligence community was "like a power builder -- very muscular but not very fast," Wertheimer says. Today, the agencies need to be swift. They need to analyze more information faster. But analysts also need new ways to connect to one another, to benefit from one another's knowledge. If a specialist on sub-Saharan Africa at the Defense Intelligence Agency is studying terrorist inroads into tribal communities, shouldn't a CIA expert in Africa studies know that? Might she have something useful to contribute to the inquiry?

Collaboration isn't an especially novel concept, and the WMD commission wasn't the first to suggest that analysts do more of it. But Wertheimer is the first official in the Office of the Director of National Intelligence -- the "czar" of the community -- to make collaboration a full-time job. Gen. Michael Hayden, the former principal deputy director of national intelligence who is now the CIA director, created the position after talking with Wertheimer two years ago about how to change the way the community operates. The new intelligence director, Mike McConnell, has forcefully backed the transformational efforts, as has his deputy in charge of analysis, Tom Fingar, a career analyst who used to run intelligence at the State Department. Fingar, who is essentially the only official layer between Wertheimer and McConnell, is the political muscle in this endeavor. Wertheimer is the idea man, "my philosopher of transformation," as Fingar recently put it.

Transformation has less to do with changing procedures than with changing people. A key pillar is a suite of new information-sharing and collaborative technologies that look and feel a lot like Google, Wikipedia, and MySpace, the networking and search tools that younger analysts grew up using at home and in their dorm rooms. These newcomers have been baffled to find that these 21st-century staples aren't widely used within the intelligence community.

The first of the new intelligence tools came online recently. Analysts can now log on to Intellipedia, a collaborative knowledge base that they can use to swap leads and examine one another's work. (Officials say that Intellipedia helped one group of analysts create a helpful report on Iraqi insurgents' use of chlorine gas to increase the lethality of improvised explosive devices.) Later this year, Wertheimer's team will launch A-Space ("A" for analyst), modeled after MySpace and the popular website Facebook. Officials hope the new site will help analysts create social networks outside established channels.

In addition to the new tools, Wertheimer and his colleagues have created unusual training programs. One sends analysts to a monthlong retreat at a classified location where they work alongside private-sector experts to investigate complex intelligence topics. Another takes young analysts out of their assigned jobs for two years and puts them through an intensive training program where they learn the tradecraft but also such on-the-ground spy skills as defensive driving and weapons handling. Agencies will ultimately deploy these analysts to global hot spots to support spies in the field.

It's no accident that Wertheimer and his team are aiming these new tools and programs at the younger crowd. Sixty percent of U.S. intelligence analysts have five years of experience or less on the job. In the larger intelligence community of about 100,000 employees, which includes clandestine operatives and support staff, those young workers are about 40 percent of the rolls. America's spies are decidedly green, and they're not comfortable -- or particularly useful -- working in bureaucratic silos without Internet browsers, instant messaging, and social networking sites on their desktops.

In his quest for transformation, Wertheimer is playing to this youthful workforce that finds collaboration neither newfangled nor threatening. For these analysts, networking is just the way information moves. But to the intelligence establishment, information is power, and relinquishing it means losing that power, as the WMD commission and many other critics have repeatedly lamented. It seems illogical to the generation of electronic socializers, but when information moves around, and becomes known to people who don't have the "need to know," veteran members of the community view it as no longer special because it's no longer secret. Too much collaboration also threatens to reveal the sources and methods by which agencies obtain information -- secrets they must zealously guard lest those sources dry up or get killed.

Sharing and secrecy are opposing forces. So this is Wertheimer's task: Transform the massive intelligence bureaucracy into a collaborative network, in which loose lips are, in a way, encouraged; introduce technologies that many seasoned analysts neither understand nor trust; and build a cadre of young, ambitious rookies, who just can't believe they're not allowed to check their personal e-mail at work, into the future of the business.

The opposition is fierce. When The New York Times wrote about A-Space recently, analysts commented about the piece, and about Wertheimer, on a private intelligence community blog. Some recorded their dramatic dissent. "I guarantee," one intelligence employee wrote, "Mike Wertheimer will cause people to get killed over this."

"I am threatening the status quo," Wertheimer says. "And that's a hard pill to swallow for anybody."

Taking the Blame

Wertheimer, 50, is a mathematician who earned his master's and Ph.D. from the University of Pennsylvania. He spent 21 years as a cryptologist at the National Security Agency, and rose to become the agency's most senior technical leader. On paper, he fits the stereotype captured in an old joke among NSA hands: "How can you tell an extroverted analyst? He's the one who looks at your shoes when he's talking."

But Wertheimer defies typecasting. When he speaks, he looks people in the eye, but often from above -- he is 6 feet, 1 inch tall. He has arching eyebrows that signal when he's listening but also serve as a warning for when he's about to descend with an impassioned argument or an analogy that he thinks perfectly captures what he's up against. (In a recent conversation, Wertheimer compared the government's attempts at collaboration to the Borg, the supremely villainous race of cyber-aliens on Star Trek: The Next Generation who "assimilate" whole societies by stripping people of individual character traits and turning them into one giant collective.) If you spotted Wertheimer in a room, or even better, watched him work a room, you might wonder why he hasn't sought his fortune on the motivational speaking circuit.

When he speaks, you get the feeling that he's talking to you. He reveals a lot about himself, which might be unsettling if he weren't so earnest about connecting his flaws and fears to his intelligence work. At a recent conference on analytic transformation in Chicago, Wertheimer confessed to a crowd of more than 400 people that after the 9/11 attacks he felt personally responsible for not anticipating Al Qaeda's strike. He became depressed, he said, and was inconsolable until his father snapped him out of it. "I don't blame you for this," Wertheimer's dad told him, and then warned, "You're scaring your kids," who thought that whenever their father had to rush back to the office, something very bad was about to happen. Wertheimer briefly left government in 2003 to work as a technology consultant but returned two years later.

Wertheimer is like a number of other veteran intelligence officials who were involved in the global hunt for terrorists before 9/11. They feel that their own actions -- more precisely, their inactions -- allowed the disaster. Wertheimer says he blames himself and his colleagues. He thinks he personally failed and, accepting his part in a broken system, he seems to have no qualms about tearing it down and rebuilding.

"It is something that he can appreciate as being absolutely critical to the future of this country and the protection of the country, and when you hear him speak, you get caught up in that emotion," says Tim Sample, a former analyst and staff director of the House Select Committee on Intelligence who knows Wertheimer well. Sample is president of the nonprofit Intelligence and National Security Alliance, which co-hosted the Chicago conference with the intelligence director's office.

In large measure, Wertheimer's charisma comes from his willingness to defy tradition. "We are going to share more," he said in his Chicago speech. "We are going to take risks." Directing his remarks at those who would rather preserve the status quo, he said, "For the first time, the challenge is not why we can't do it; it's how you're going to find a way to secure this." Rather than appeasing members of the intelligence community who blanch at collaboration and its attendant security risks, Wertheimer lays the burden on their shoulders and tells them that if collaboration doesn't happen, they'll take the blame.

But if Wertheimer succeeds, it probably won't be by convincing his intransigent opponents. Rather, he will work with that younger generation at whom transformation is aimed. By and large, these newer members of the community are optimistic and, like him, believe that the intelligence community is dangerously broken.

"It's Huge"

Sean Wohltman, a 25-year-old counter-terrorism analyst with the National Geospatial-Intelligence Agency, embodies the kind of optimistic disillusionment that Wertheimer wants to harness. Two years after defending his master's thesis in geographic information science at Virginia Tech University, Wohltman joined the government "following a call for patriotism," he said. He encountered "disappointment and disillusionment" in his first three months on the job, however.

As Wohltman explained to the Chicago conference, "When I first logged on to what I expected to be a terminal from 24's [counter-terrorist unit] command center, I was instead driven to my agency's home page, which flashed information about an upcoming picnic and links to fill out my health insurance. And not only that, it launched in Netscape." Those in the audience who laughed understood that Netscape is an obsolete Internet browser.

Later, Wohltman explained why it mattered to him that the intelligence agencies were so far behind the technological curve. In 1999, when the popular and controversial music file-sharing system Napster debuted, he pointed out, Ricky Martin's "Livin' la Vida Loca" and other corporately manufactured pop hits topped the Billboard charts. Only artists from big record labels got mass recognition, and listeners were cut off from the bounty of independent and innovative artists who excelled in a variety of musical styles. But that year, Napster's collaborative technology allowed fans of lesser-known artists to share songs, which in turn boosted their recognition, fanned their popularity, and led to greater awareness of the wider music scene. It also fueled the market for independent music and challenged the record companies' dominance of the industry.

Taking Wohltman's analogy, Wertheimer says that the intelligence agencies could be compared to the record companies. Information is filtered through a hierarchical process that culminates in senior executives choosing what intelligence to disseminate to customers. Similar to Napster, tools such as Intellipedia and A-Space -- known as "disruptive technologies" -- bypass this process and get more information out to a wider audience.

But will collaboration guarantee better analysis? Did Napster improve music quality? Did it benefit the industry as a whole? Recording artists and companies sued Napster for copyright infringement, and the network shut down in 2001, eventually to be reborn as a pay-for-service system.

Napster did pave the way for other innovative technologies, which adapted to customers' demands to buy music a la carte, rather than having to pay for an entire album. Today, Apple's iTunes sells songs for 99 cents and threatens the record companies' control of their own products. Collaboration, in a sense, won out, and customers' demand for more music, delivered in new ways, has opened the market to more artists. "Will this lead to better music?" Wertheimer asks. "I can't believe that it will not."

Wertheimer and other transformation proponents often point to iTunes, and the hugely successful iPod music player, to support their theory that collaboration can fundamentally change and improve people's lives. And they reason that A-Space, Intellipedia, and other innovative services will create demand in the intelligence community and overwhelm the transformation naysayers.

Wertheimer channels the enthusiasm of Apple's CEO and co-founder, Steve Jobs, whose rousing keynote speeches, known as "Stevenotes," command more press coverage and world attention than speeches by most members of Congress. But as with Jobs, some skeptics question both the substance and the goal behind Wertheimer's zeal.

Early in Jobs's career, a co-worker coined the term "reality distortion field" to describe the aura that the Apple prophet cast over his spellbound audiences. The term could easily apply to Wertheimer's enthusiastic showmanship. Wikipedia describes RDF as "the idea that Steve Jobs is able to convince people to believe almost anything with a mix of charm, charisma, exaggeration, and marketing. RDF is said to distort an audience's sense of proportion or scale. Small advances are applauded as breakthroughs. Interesting developments become turning points, or huge leaps forward." (The phenomenon has been applied to other leaders, as well.)

Wertheimer does, in fact, applaud certain advances as breakthroughs that others -- particularly those outside of government -- might find underwhelming. For instance, one planned transformation program, the Library of National Intelligence, would be a repository of all the documents produced by all of the agencies. Eventually, Wertheimer hopes, analysts will search the library for key terms, and an automated system will help to judge who should have access to classified materials. He calls this program "huge."

Why is it huge? Some observers would have a hard time believing that the agencies didn't already have such a resource, the kind that most large organizations take for granted. LexisNexis, for example, contains copies of every article published in most of the country's periodicals. Following basic business practices, most companies compile and retain their internal documents for research and for legal purposes.

Wertheimer is careful to put things in perspective. "It's big," he says of the library. But then he quickly follows up: "For us, it's huge." And he's right. Much to the consternation of the WMD commission and others, this is a giant leap for the intelligence community, a kind of moon-landing moment.

But do collaborative libraries -- and wikis, blogs, networking websites, and special training -- make transformation worthwhile?

Change Without End

Mark Lowenthal retired in 2005 as the assistant director of central intelligence for analysis and production. Among seasoned intelligence officials, he is considered one of the most knowledgeable authorities on analysis, the agencies' shortcomings in that regard, and the education of young analysts in the ways of the tradecraft. So in Chicago, when Lowenthal stood up to question why Wertheimer and the DNI's office are expending so much energy on transformation, people listened intently.

"You are urging this transformation for an end that I do not understand," he told Wertheimer. "Collaboration is not an end in itself, to my mind. You want to do this, I think, ... to make analysis better. What does that mean? It means it would be faster? It would be more comprehensible? It would be more accurate more often? I don't think you have a way of knowing at the end of the day when you get there."

Lowenthal doesn't dismiss collaboration out of hand, and he has spent a sizable part of his career trying to create a true intelligence community. But his remarks reflected a palpable skepticism among those who think that it is impossible to know whether Wertheimer's ideas will actually fix intelligence. Lowenthal told him, "I think, unfortunately, a lot of this is pandering to a bunch of commissions that have no understanding of what we do for a living, or the nature of our work, and to a workforce. And I don't think that's a sufficient ground for a transformation. And so I'm left here wondering, what's the end state? For what reason?"

Wertheimer responded that he didn't have a satisfactory answer. The best he could offer, he said, were anecdotes. He has spent the past two years talking to analysts and trying to figure out what those who achieved real breakthroughs -- overcoming "hard problems," he said -- had in common.

The few successes were not enough to prove a theory, he admitted. But the one trait these breakthrough-makers shared was -- perhaps not surprisingly -- collaboration. These were analysts who challenged old assumptions, re-examined evidence that had been set aside as useless, and shared information beyond normal channels. They also, Wertheimer said, ignored their bosses' admonitions that such inquiries -- going back to ground that had been plowed unproductively before -- were "career killers." Bucking authority is another of Wertheimer's recurring themes. He says that a colleague once told him, "You will have succeeded when you become really hard to manage."

Wertheimer, however, plays down the notion of analysts as revolutionaries. "I don't like the thought that transformation is changing something from the past to something new," he says. Rather, transformation is about "creating an environment in which more things could happen than could happen in the past. It's liberating. Let's call it 'analytic liberation.' "

Wertheimer seems perfectly comfortable working in this gray area, where there is no obvious way to know whether his ideas are working and where concepts change on the fly (transformation becomes liberation) and the end goal isn't defined at the outset. Were it not for the DNI's backing, such a nebulous, high-risk approach to preventing another intelligence disaster might never take flight. Wertheimer might still go down in flames, but taking that risk appears to suit him just fine. "We can't afford the kinds of mistakes that we're making based on the way we're doing business today. It's just the bottom line," he said. Riffing off the intelligence blogger's comments, he added, "If I'm the first one to get killed, so be it."

The Hard Sell

Bravado may obscure Wertheimer's pragmatic streak. He is provocative and excitable, and sometimes brash. But those who know him well say that he is also humble and self-deprecating.

He frets that he will become too personally associated with his cause. "I'm a little worried about this being too personality-driven," he says. "This has got to be about ideas. We have to sell people on the ideas."

Wertheimer knows that the reason his pitch isn't resonating with enough people his own age is because he has failed to demonstrate how middle managers and veteran analysts -- the people who are feeling most threatened -- can take part in this grand enterprise, how they can be "liberated." Wertheimer, the realist, has promised to find a place for them. But he does not apologize for embracing young analysts and for assaulting the culture that reared him. "We don't allow our people to reach their full potential," he told the audience in Chicago. "This is a society, this is a community, that tamps down potential."

"We treat [analysis] like a guild," Wertheimer said later, a society of apprentices who study at the feet of masters. "This is like making a fine violin or studying opera. That [approach] makes a lot of sense at the scale that you build violins or have opera singers. But we're talking about massive [numbers] of young people coming in.... They learn on their own. They don't read the rule book. They don't read the owner's manual," he said. "They click buttons and investigate, and if they get bored, they do something else."

If the two sides of this generational divide are irreconcilable, Wertheimer doesn't seem worried, because the rookies have the clear majority. "It's simply a matter of time," he said. "Now, the question we all have in our minds is, how much time can we afford? We can't afford another day."

Several younger colleagues once asked Wertheimer to name his greatest career achievement at the National Security Agency. At one time, he said, he was the world's leading expert on a certain cryptographic technology, the smartest man alive on that one subject. But "that's not what makes me so accomplished," he said. "It's that I'm no longer the No. 1 expert, and that the experts are in this room, because I taught them. And they exceeded everything I could have done on my own."

That's one way Wertheimer judges success: Someone comes along and does it better. It doesn't quite answer his critics' concerns that his ideas might be flawed to begin with. But Wertheimer is a strong believer in the "wisdom of crowds." He and his bosses are betting that collaboration is the way to fix what's broken with intelligence and, by extension, to keep people from dying. If they are right that transformation, in all its forms, is the key to stopping another terrorist attack, or to avoiding another catastrophic intelligence failure, then it seems a decent bet that the next generation of analysts will follow Wertheimer's lead.

"If I can just start something for which a handful of folks better and smarter than me take over," he said, "if you could put that in my epitaph, I would die a happy man."

Published in National Journal


Intelligence Innovation Lags

by Shane Harris

America's declining influence over scientific and technological innovation has had "an enormous impact" on U.S. intelligence agencies, and "makes it more likely that our adversaries can employ the very same -- or perhaps even more advanced" -- science and technology than that available to the United States. That's the assessment from the Intelligence Science Board, which advises senior intelligence leaders.

In a report issued in November, parts of which were recently obtained by National Journal, the board warned that although the United States remains the world leader in some fields of science and engineering, that position is slipping -- and the slide imperils the intelligence community's ability to adapt to a dramatically changing technological landscape that terrorists are increasingly exploiting.

Terrorists have used the Internet, which has enabled a "worldwide diffusion" of knowledge, to gather and transmit scientific and technological know-how, leading to "incredible capabilities that our adversaries have exploited and used to further the goals of radical Islam," the report states. The assessment doesn't specify the capabilities, but terrorists are widely known to use the Internet to communicate with each other, disseminate propaganda, and publish information on building bombs and designing attacks.

The report, which is marked "For Official Use Only," was prepared for the Office of the Director of National Intelligence; National Journal obtained portions of it from a source outside that office. It casts the U.S. decline in overall research and development as an enormous challenge to the intelligence agencies' ability to collect information about new adversaries. The board calls for "an entirely new approach to increasing the contribution of" science and technology to intelligence capabilities, but it offers a bleak assessment of the progress made on that front. "Neither the intelligence community nor the S&T establishment," the report states, "has put forth viable strategies for accomplishing this change."

Against this backdrop, the DNI is launching a research-and-development effort to provide "breakthrough" technologies for the intelligence agencies, including sensors and communications devices that can help human spies collect more-detailed information. This research extends beyond the traditional realm of satellite imagery and eavesdropping to include an emphasis on devices that spies can use to narrowly target individuals and groups, and to anticipate their movements.

Beginning next year, R&D efforts that have application for many, or all, of the intelligence agencies will be centralized in a single outfit called the Intelligence Advanced Research Projects Activity and dubbed iARPA. Modeled after the Defense Department's hugely successful DARPA, which developed stealth aircraft and paved the way for the Internet, iARPA will pull together research funds from across the agencies to increase the chances of fielding new, better technologies, according to Steve Nixon, director of science and technology for the DNI.

The research agency will officially open its doors in October 2008. Its goal is to ensure that new technologies don't take the intelligence agencies by surprise, Nixon said. But it will also look for tools to surprise America's adversaries and to collect information about them in ways they haven't anticipated or don't understand. "We really need to pursue surprise in the intelligence community more than we have before," Nixon said.

During the Cold War, the United States deployed fleets of spy satellites to track Soviet military movements. But terrorists operate in a fundamentally different way than do nation states -- their network "resembles a metastasized cancer that has spread through the world body," according to the intelligence board. Terrorists are, by their very nature, harder to track and anticipate. For that reason, "precisely targeted intelligence represents the best way to combat spreading terrorism," and the intelligence community must do a better job of developing the tools to do that, the report states.

According to Nixon, iARPA will focus on improving intelligence collection and analysis. "We think we can do more to help analysts deal with information," he said. Today, much of the most valuable information about terrorism resides in the world of open sources -- the Internet, the media, and academia. The intelligence agencies have spent millions of dollars on efforts to keep this multiplicity of sources and huge volume of information from overwhelming their analysts.

The Intelligence Science Board emphasized that U.S. spies need to keep pace with the increasingly rapid development and deployment of new technologies but found that, in large measure, the government is in the dark about new R&D and unable to direct it.

The report starkly states: "The government now has far less control than before over the problems addressed, the selection of personnel to perform the work, and the locations where the work is carried out, and less knowledge than ever before of what work is actually being done." Decades ago, the federal government, and particularly its military and space programs, was the primary driver of American R&D. Over time, that balance shifted, and today the private sector directs almost all new research.

The new research unit will absorb research funds from three other agencies: the Disruptive Technology Office, once overseen by the National Security Agency and now under the DNI, which designs and vets computer programs that help analysts cope with large sets of data; a CIA research unit called the Intelligence Technology Innovation Center; and the National Technology Alliance, which focuses on a range of issues, including biological, chemical, and nuclear countermeasures. The alliance is housed at the National Geospatial Intelligence Agency, which produces imagery and detailed maps for military and homeland-security operations.

Some intelligence officials are hopeful about iARPA's potential. "It could be a good thing," said Mark Reardon, director of the National Technology Alliance. Founded in 1987, the NTA encourages small businesses, especially those not accustomed to working with the government, to bring new technologies to the intelligence community.

The CIA "has made a serious commitment of resources -- people and dollars -- to strengthen technology programs" at the community-wide level, meaning those that apply to more than one intelligence agency, said Paul Gimigliano, an agency spokesman. "Those resources would be at the heart of iARPA. But we still need, and will still have, a strong focus on research and innovation within the CIA itself," he said. The agency has a "full range of technical issues intrinsic to the agency's specialty, clandestine operations," he added.

Nixon said that the agencies whose funds iARPA is subsuming had worked on projects with outside applications but were all under pressure to meet their own needs. He emphasized that iARPA is not taking over all of the other agencies' research budgets. "We're talking about money that was only set aside for future community research."

The Intelligence Science Board urged caution when combining all research programs under one umbrella, arguing that doing so could stymie innovation and "maximize the probability of failure, not success" if the new efforts were inadequately funded. "That legacy would have agonizing consequences," the report stated.

The board also wrote that its members "enthusiastically support the iARPA concept" but asserted that existing research programs "lack adequate staffing and finances." (The intelligence research budgets are classified.) The board urged the director of national intelligence to use his authority to reallocate agency budgets and to fund iARPA "at a minimum of double the level of the existing organizations." A funding increase, the board argued, was needed to free up more money for new ideas and longer-term projects, "and avert poaching on programs already under way."

One former intelligence official, who asked not to be identified because Congress has yet to pass next year's intelligence budget, worried that Congress hasn't sufficiently funded iARPA, and questioned whether administration officials had pushed hard enough for more money. The official also described significant resistance at the individual agencies to giving up any resources, and cautioned that iARPA could stymie innovation if it "stovepipes" research and development all in one place.

Nixon, while not addressing the specifics of the report, said that iARPA will centrally manage contracts and projects but that outside researchers and other agencies will handle much of the work. He also said that, following the DARPA model, the new agency would limit the tenure of its managers as a way of ensuring a constant flow of new talent and ideas.

Published in National Journal


Signals and Noise

by Shane Harris

People like to say that the world changed on 9/11. That it became a more confusing place. But for two men, as buildings and bodies burned, the world became much clearer.

On the morning of September 11, 2001, John Poindexter, a 65-year-old retired rear admiral and President Reagan's onetime national security adviser, was driving to his office at a technology firm in Arlington, Va. He was 5 miles north of the Pentagon.

Poindexter's wife, Linda, rang his cellphone. Airplanes had flown into the twin towers in New York City, and one just crashed into the Pentagon, she said. "But Mark is OK. He wasn't in the building." Mark, one of the Poindexters' five sons, was a commander on the chief of naval operations' staff. His offices sat where the plane crashed, but most of the staff had cleared out earlier to accommodate Pentagon renovations.

"First, I was relieved that Mark was not in the building," Poindexter recalled in interviews in 2004. "Next, I realized this was a well-coordinated attack of the type that we had been working to prevent."

Poindexter was the senior vice president at Syntek Technologies. Under contract with the Defense Advanced Research Projects Agency (DARPA), the Pentagon's renowned innovation center, he helped to design early-warning systems for countering terrorism and other security crises. The technologies would sift through huge, disconnected databases for useful intelligence -- telltale events, names, or places that hinted at malicious intentions -- and then connect the pieces to predict an attack.

"I wondered if the intelligence community had ever considered the use of commercial airplanes as weapons by terrorists," Poindexter said. The signals were there, hiding in a sea of noise. At least 19 hijackers had crossed the border, used credit cards to buy plane tickets, made phone calls to associates, taken pilot training. They left digital footprints every step of the way.

Poindexter arrived at Syntek and found his co-workers huddled around a television. "The first tower had collapsed before I got there, and I watched as the second one came crashing down, in what seemed like slow motion," Poindexter said.

"I was discouraged," he continued. "We had not been able to gain acceptance by the intelligence community of the technologies and concepts that we had developed. It had been a long, slow process over the past six years." Poindexter's staff left for home. "I stayed most of the day, thinking about what needed to be done."

Some 30 miles away, at the headquarters of the National Security Agency in Fort Meade, Md., Michael Hayden, a 56-year-old Air Force lieutenant general and the agency's director, had been working for two hours when the first plane pierced the World Trade Center's North Tower. Almost immediately, submachine-gun-toting guards and bomb-sniffing dogs fanned out across the NSA campus, the nerve center of the most sophisticated electronic spying network ever devised.

As the planes struck their targets, Hayden ordered all non-essential workers to evacuate. He called his wife, Jeanine, asked her to find their three children and headed to the counter-terrorism center.

The agency's "CT shop" housed the experts and linguists who tracked terrorists' foreign communications. Lately, they had intercepted more than usual. The center's offices were located near the top floor of a high-rise.

On 9/11, "for obvious reasons, we had tried to move as many folks as possible into our adjacent lower buildings, but we really couldn't afford to move the counter-terrorism shop," Hayden told a 9/11 congressional inquiry in October 2002. Hayden found the CT staff "emotionally shattered" and crying, but "defiantly tacking up blackout curtains on their windows to mask their location."

Domestic terrorist attacks, though a surprise, were not altogether unanticipated after the 1993 bombing of the World Trade Center. But Hayden knew that on the all-important home front, the NSA was deaf. "Sadly, NSA had no [signals] suggesting that Al Qaeda was specifically targeting New York and Washington, D.C., or even that it was planning an attack on U.S. soil," Hayden told the inquiry. "Indeed, NSA had no knowledge before September 11 that any of the attackers were in the United States."

Absent a court order, the NSA could not monitor Americans inside the country, or some foreigners here, without inviting charges of domestic spying. Such people didn't constitute "foreign-intelligence value," in agency parlance. As Hayden explained in January at the National Press Club, even if the NSA had known of the hijackers' presence, "[they] would have been presumed to have been protected persons, U.S. persons," and therefore of no foreign-intelligence value, he said, his voice tensing. The agency also struggled to keep up with the overwhelming amount of raw intelligence it received every day, most of which was not related to terrorism.

Hayden understood that the terrorists had hatched their plans in this country. They had communicated here, moved about publicly, and left signals. If other terrorists were here, Hayden wanted to find them. "The standard by which we decided ... what [information] was relevant and valuable, and therefore, what was reasonable [to collect], would understandably change, I think, as smoke billowed from two American cities and a Pennsylvania farm field. And we acted accordingly."

Poindexter and Hayden knew that the signals of a future attack dwelled in a sea of noise full of mostly innocent activities. To find the enemies among us, they'd have to look, and listen, everywhere. Over the next two years, Poindexter and Hayden would hunt for signals on the sea. Sometimes they crossed paths.

While Poindexter's and Hayden's journeys were ostensibly separate, they hoped to arrive at the same destination -- knowing what terrorists would do before they acted.

Hayden left the NSA in 2005, to become the second-in-command of all intelligence agencies, but his successor continued his efforts. Some thought Poindexter's trek was finished when, three years ago, Congress eliminated funding for his early-warning research, amid fierce criticism from privacy-rights groups and civil libertarians. But Poindexter's brainchild lives on, in pursuit of the same elusive goal, and one of its biggest patrons is none other than Hayden's old harbor, the NSA. Today, the two men's visions appear more intertwined than ever.

Setting Sail

On the morning of September 12, Poindexter called his friend Brian Sharkey, with whom he had worked on the early-warning systems. They lamented that they hadn't achieved their ultimate vision -- "total information awareness" of terrorist planning.

They decided to urge DARPA to back a full-fledged "TIA" system, as Poindexter called it, comprising the data-mining and analysis tools they had been designing, along with new ones. TIA would train its eyes not only on government databases but also on those caches of valuable, and presumably private, information where terrorists left their footprints, such as credit card purchases, e-mails, and plane and car rental reservations.

"We knew we must work fast and build a convincing case," Poindexter said in an interview. On October 15, 2001, he pitched his plan to DARPA's director, Tony Tether, comparing TIA to another pursuit of a war-ending weapon. Poindexter titled his presentation "A Manhattan Project for Counter-Terrorism."

The government had once harnessed the brightest minds to build the atom bomb. Now Poindexter wanted the sharpest computer scientists and terrorist experts to build an information weapon. He even suggested ensconcing TIA team members at a secret government facility, surrounded by high fences and concertina wire, to remind them of the seriousness, urgency, and sensitivity of their work.

Tether was impressed, and he said that if Poindexter returned to government and ran TIA, DARPA would fund it. Two months later, Poindexter became the director of the agency's Information Awareness Office and kicked off a slew of multimillion-dollar research projects. One of them was designed to create privacy protections so that TIA wouldn't ensnare anyone who wasn't a terrorist. Poindexter's original plan to make TIA classified was changed; making the program public helped to attract new ideas.

While Poindexter pitched DARPA, Hayden met with Bush administration officials about the NSA's role in a future war. The agency was monitoring communications among known or suspected terrorists, regardless of geographic location, under existing authority that allowed domestic surveillance as part of a terrorism investigation. But that authority would eventually expire.

Shortly after the 9/11 attacks, then-CIA Director George Tenet asked Hayden, "Is there anything more you can do?" In response, Hayden said at his recent nomination hearing to be CIA director, "I said, 'Not within my current authorities.' And [Tenet] invited me to come down and talk to the administration about what more could be done."

Hayden proposed monitoring terrorists' communications into and out of the United States indefinitely. Such a program would have to have specific boundaries, he testified. It would have to be "technologically possible," "operationally relevant" to the mission -- foiling or catching terrorists -- and "lawful."

The NSA "would work ... where all three of those [requirements] intersected," Hayden said. It wasn't the surveillance envisioned under the 1978 Foreign Intelligence Surveillance Act, Hayden conceded. This was "hot pursuit" of communications, a distinction that still isn't well understood, but one that Hayden said gave the NSA a faster way to find terrorist signals.

President Bush was impressed. Hayden "showed me the plans.... I said, 'That makes a lot of sense to me,' " Bush said in a speech in February. "I remember some of those phone calls coming out of California," where some of the 9/11 hijackers were living, "just thinking, maybe if we'd have listened to those on a quick-response basis, you know, it might have helped prevent the attacks." On October 4, 2001, the president issued an order "that laid out the underpinnings for what I described," Hayden said at his confirmation hearing. "The math was pretty straightforward. I could not not do this."

Joining Forces

Unbeknownst to each other, Poindexter and Hayden started rigging up separate efforts. In February 2002, Poindexter established a secure, classified computer network for testing analysis software and tools that might be worked into TIA. As the system came together, this experimental network would be the engineers' Bonneville Salt Flats, a place to test-drive the state of the art. If tools passed muster there, they might end up in the design Poindexter had in mind.

"If there was a vendor with some great gizmo, they'd have to go through an arduous one- or two-year process to get that accredited by an intelligence agency," said Robert Popp, who was the No. 2 TIA official and Poindexter's deputy. "That didn't fit our parameters. We wanted to kick around these various technologies to see their utility. The network could put it through that whole two-year process in a few months."

Since intelligence agencies would be some of the ultimate users of TIA, Poindexter wanted them involved. He already had good contacts from his earlier work as a contractor on early-warning systems. He invited agencies to participate in TIA experiments by establishing "nodes," desktop computers connected directly to the network and housed in the agencies' offices. No agency collected more raw, noisy intelligence than the NSA, which was desperate to find ways to interpret the signals. It would be a natural TIA user, and so in late 2002, Poindexter met with NSA officials, including Hayden, and encouraged them to consider his approach.

The NSA agreed to participate in the experiments, and started installing nodes on the TIA network in early 2003. Poindexter also invited the Defense Intelligence Agency, the CIA, and several military combatant commands and intelligence brigades. All of the agencies used real data in the experiments. And the network was designed to let them share their intelligence. They could merge and cross-check, all in a closed environment. In that sense, the network was more than a test bed. It was also an information exchange.

Hayden seemed reticent about TIA, according to people who were privy to the early experiments. He was loath to be seen publicly supporting the program. That may have been because the NSA was pursuing its own Holy Grail of analysis, apart from Poindexter's work. Indeed, the NSA's effort went back some years but had largely failed.

In the late 1990s, the NSA considered a novel approach to intercepting huge amounts of e-mail and phone traffic as part of a project called ThinThread. According to The Baltimore Sun, which revealed the program's existence last month, "ThinThread's information-sorting system was viewed by some in the agency as a competitor to Trailblazer, a $1.2 billion program that was being developed with similar goals. The NSA was committed to Trailblazer, which later ran into trouble and has been essentially abandoned." A component of ThinThread exists today and is part of the domestic surveillance program, but it is less sophisticated and has created "a subpar tool for sniffing out information," The Sun reported.

In September 2002, just before the NSA joined Poindexter's laboratory, the agency's primary research unit began another TIA-like quest. The Advanced Research and Development Activity (ARDA), housed at NSA headquarters, awarded $64 million in contracts for the Novel Intelligence From Massive Data program, which was, according to former government officials, a spin-off of work that Poindexter and his team had begun almost a year earlier. At least six of the contractors who worked on TIA also worked on the NSA's version. Hayden's ship, it seems, was watching Poindexter's closely.

Rise and Fall

By mid-2002, the NSA was already secretly collecting huge amounts of phone and Internet data, as part of the terrorism program that Bush authorized. The agency was keen on finding a way to manage it all, but had found no technologies that could meet its dual needs -- sustaining a massive influx of information, in real time, and locating meaningful signals in it -- said sources who knew of the problem.

According to two former government officials, the NSA tried using the data-sorting and analysis tools developed under TIA. The early results, however, were unspectacular. When NSA researchers matched their data against those experimental computer programs, the tools crashed under the strain, one of the former officials said. The researchers did not conduct the tests on the network itself, sources said, suggesting that the NSA took tools that the network developed and used them on its own, without the knowledge of Poindexter's staff.

Documents show that the TIA network participants have tested at least four dozen tools using real intelligence data. The documents don't indicate which tools the NSA or any other agency specifically examined, but they do show that the NSA tested its own, homegrown versions on the TIA network as well.

The NSA was one of the biggest players on the TIA network, but not the only one. As months passed, more agencies joined, and some began using TIA for real intelligence operations.

For instance, in 2003 the Pentagon's Criminal Investigation Task Force, which was established to fuse law enforcement and intelligence techniques in fighting terrorism, was interrogating detainees at the U.S. military facility at Guantanamo Bay, Cuba. Stacks of interrogation reports piled up, and the interrogators struggled to make sense of the information they contained. Some detainees frequently mentioned the same names or places. Some detainees claimed to know each other. Others didn't. The interrogators turned to the TIA network to help sort out the hundreds of reports and potential leads.

"They provided the interrogation reports to analysts, and [the analysts], using several link-analysis tools provided by TIA, tried to discover interesting nonobvious relationships," Popp said. Link analysis detects connections between people through common associates or backgrounds, and creates web-like diagrams of the connections.

"The link-analysis tools showed the interrogators things that were not apparent to them -- very valuable, useful information that they could then use in follow-up interrogations." Popp said that the investigators also knew after they concluded their interrogations that some detainees were not terrorists, so those reports were used to create a sort of baseline for what a nonterrorist looked like. The tools could then be calibrated to disregard certain attributes and search for others that were salient, Popp said.

TIA made more data available to the network members. Poindexter's team built a database of simulated intelligence reports about terrorists, including fake accounts of their daily activities that left transactional footprints, so that members could see how well the tools worked on information that mirrored their own.
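The link analysis Popp describes, run over reports of the kind the simulated "Ali Baba" database imitated, as an added example that is not TIA's code or any tool the program tested. The reports, names and places are constructed; the scoring (rarity-weighted shared entities, with anything mentioned in the non-terrorist baseline weighted to zero) is my choice of a simple method, not a description of the tools the interrogators used.

```python
"""Link analysis over constructed interrogation reports (added example).

Each report is one detainee's constructed record: the names and places he
mentioned and the detainees he claimed to know. The analysis looks for pairs
who never claimed to know each other but are tied through several mentioned
entities, and it uses reports from detainees later judged not to be terrorists
as a baseline: anything those reports also mention (a city everyone passed
through) is weighted to zero, so it cannot create a link on its own.
"""
from collections import defaultdict
from itertools import combinations
import math

# Constructed sample data; every name and place is fictional.
REPORTS = {
    "D1": {"mentions": {"Khalid", "Kandahar", "Kabul", "Peshawar"}, "knows": {"D2"}},
    "D2": {"mentions": {"Khalid", "Kabul", "Quetta"}, "knows": {"D1"}},
    "D3": {"mentions": {"Khalid", "Peshawar", "Kandahar", "Mazar"}, "knows": set()},
    "D4": {"mentions": {"Kabul", "Herat"}, "knows": set()},
    "D5": {"mentions": {"Kabul", "Kandahar"}, "knows": set()},
}
# Detainees the investigators concluded were not terrorists (constructed).
BASELINE = {"D4", "D5"}


def entity_weights(reports, baseline):
    """Weight each entity by rarity (log inverse document frequency, my
    choice of scoring) and zero out anything the baseline reports mention."""
    n = len(reports)
    doc_freq = defaultdict(int)
    for rep in reports.values():
        for ent in rep["mentions"]:
            doc_freq[ent] += 1
    baseline_entities = set()
    for d in baseline:
        baseline_entities |= reports[d]["mentions"]
    return {ent: (0.0 if ent in baseline_entities else math.log(n / count))
            for ent, count in doc_freq.items()}


def link_scores(reports, baseline):
    """Return {(a, b): (shared_entities, weighted_score)} for every pair of
    detainees that shares at least one mentioned entity."""
    weights = entity_weights(reports, baseline)
    links = {}
    for a, b in combinations(sorted(reports), 2):
        shared = reports[a]["mentions"] & reports[b]["mentions"]
        if shared:
            links[(a, b)] = (shared, sum(weights[e] for e in shared))
    return links


def nonobvious_links(reports, baseline, min_score=1.0):
    """Pairs that never claimed to know each other but whose weighted shared
    entities reach min_score, strongest first: the leads an interrogator
    would not see by reading one report at a time."""
    found = []
    for (a, b), (shared, score) in link_scores(reports, baseline).items():
        claimed = b in reports[a]["knows"] or a in reports[b]["knows"]
        if not claimed and score >= min_score:
            found.append((a, b, round(score, 3), sorted(shared)))
    found.sort(key=lambda link: -link[2])
    return found


if __name__ == "__main__":
    for a, b, score, shared in nonobvious_links(REPORTS, BASELINE):
        print(f"{a} <-> {b}  score={score}  via {', '.join(shared)}")
    # Without the baseline, D1 and D5 look linked through Kabul and Kandahar;
    # with it, that link scores zero.
    print(link_scores(REPORTS, set())[("D1", "D5")][1] > 0,
          link_scores(REPORTS, BASELINE)[("D1", "D5")][1])
```

The point of the baseline is visible in the last two lines: two detainees who share only the places everyone mentions look connected until the non-terrorist reports are used to discount those places, which is the calibration Popp describes.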

The TIA researchers nicknamed the database "Ali Baba," a former official said, after the fictional Arabian Nights character who opens a cave hiding fabulous treasures by uttering the words "Open Sesame." Today, troops in Iraq use "Ali Baba" as a slang catchall for insurgents and suspected terrorists.

The TIA network also added real databases of known or suspected terrorists, as well as the people, places, and activities that had been linked to them. These caches, known as "entity databases," were highly classified and were open to other agencies with nodes on the network, according to former TIA officials and documents on the program.

As critics were chastising intelligence agencies for not sharing enough information about terrorism before 9/11, the TIA network partners were actively swapping leads and finding ways to give one another access to their highly classified intelligence.

Poindexter set out an ambitious schedule to enlarge the network and build an eventual TIA system. Every three months, an experiment was aimed at a specific milestone, such as creating an entity database, finding new ways for analysts to collaborate, or testing tools that uncovered terrorist aliases and hidden links between groups. Each experiment period had a code name -- "Mistral," "Sirocco," "Rafale," "Noreaster." The nomenclature paid homage to Poindexter's passion: sailing. Each name is a type of wind.

The TIA network was quickly becoming the most active experiment of its kind. In the network's first year, the number of individual users at agencies increased more than 35 times, from seven to 250. By August 2003, the network had 23 nodes and 320 users.

And then, the bottom fell out.

TIA had come under intense scrutiny from lawmakers and privacy advocates in late 2002, when a series of news articles brought the program to the attention of national policy makers. One piece, by New York Times columnist William Safire, assailed the program as a "far-out Orwellian scenario." It seized on Poindexter's plan to look at databases of personal information as a potential intelligence source. Safire derided TIA as the ultimate snooping machine.

TIA's existence was never a secret, and technology journalists had written about the program. But the national media attention raised questions about just how far the Bush administration was willing to go in the war on terrorism.

Safire also reminded readers that Poindexter was the central figure in the Reagan administration's greatest scandal. Poindexter oversaw the secret sale of missiles to Iran, in exchange for American hostages, and then funneled the proceeds to the anti-communist Contras in Nicaragua. In 1990, he was convicted on multiple felony counts stemming from the affair; an appeals court overturned the convictions a year later. "This ring-knocking master of deceit is back again with a plan even more scandalous than Iran-Contra," Safire wrote.

Poindexter had feared his past would catch up with him and tar TIA, he said in interviews. After Safire's column ran, Defense Secretary Donald Rumsfeld barred Poindexter from speaking publicly. Lawmakers were outraged that the government had even proposed TIA, much less put a once-convicted felon in charge.

Poindexter continued his work, but late in July 2003, The Times revealed that his group was studying a futures market that would let terrorism analysts place bets on likely attacks. Although academics and economists praised the idea -- futures markets can accurately predict commodities prices, housing sales, and sometimes even elections -- it looked perverse when it was attached to Poindexter's shop. The Pentagon forced Poindexter to resign less than two weeks later.

Aggrieved lawmakers and civil libertarians declared victory in September, when Congress eliminated funding in the Defense Department budget for TIA. But they might have missed the fine print. Lawmakers allowed classified intelligence funds to be spent on a "program ... for processing, analysis, and collaboration tools for counter-terrorism foreign intelligence." The program was TIA. And it was about to move to a new home, at the headquarters of the NSA.

Inherit the Winds

As National Journal revealed in February, the NSA's Advanced Research and Development Activity took over TIA and carried on the experimental network in late 2003. ARDA continued vetting new tools and even kept the aggressive experiment schedule, still named after different winds, documents show.

But it discontinued some programs, most notably a multimillion-dollar effort to build privacy-protection technologies. ARDA also abandoned the effort to build audit trails in TIA, which would have permanently recorded any abuse by users.

The experimental network's name was changed from TIA, to erase any connection to its past. Today it's called the Research Development and Experimental Collaboration (RDEC, pronounced ARdeck). The NSA is the biggest player, with at least 15 nodes as of December 2004, according to official documents. "I think it's considerably more today," said a former government official knowledgeable about RDEC. A spokesman for the NSA said he had no information to provide about the network.

Popp, the former TIA deputy director, emphasized that he didn't know if the NSA is using RDEC directly for the domestic surveillance program. "NSA is a big place," he said.

However, some of the tools that TIA developed and experimented with, Popp said, "no question, are the same sorts of tools that the NSA eavesdropping program could possibly use -- meaningfully -- for analytical purposes, based on what's publicly known about it. This certainly seems plausible to me." Popp has recently co-edited a book on technologies for counter-terrorism, and legal and policy structures for implementing them.

"I would bet that the tools NSA is using today [as part of the domestic program] are not the ones they started out with," said a former government official who was close to TIA and the NSA.

RDEC could enhance the domestic surveillance program if the NSA used it as an information-sharing device, to cross-check names and events with other agencies and firm up links, former officials said. In January, The Washington Post reported that the NSA shared information obtained from the domestic program with other agencies, including the Defense Intelligence Agency and the Counterintelligence Field Activity, a Pentagon counter-terrorism group that has collected information about war protesters near military facilities. Both agencies have nodes on RDEC.

The Defense Intelligence Agency, which like the NSA is overseen by the Pentagon, is one of the largest RDEC users. In an interview, Lewis Shepherd, the chief of the agency's Requirements and Research Group, said that RDEC is "the most successful attempt at bringing together a wide variety of analysts and agencies to work and think outside of the box collaboratively," specifically on counter-terrorism. "[It] opens access to a variety of data sources to different tools that haven't been able to access that data."

For example, RDEC lets analysts conduct repeated keyword searches on many different data streams, Shepherd said. It "sparks out-of-the-box innovation in how we do information-sharing."

Asked to elaborate on that innovation, Shepherd said, "It's all classified." But he offered the NSA as a general example. The agency's analysts are well trained in working with electronic signals, but they don't have much history in using other sources, such as satellite photos. RDEC lets NSA analysts, and others, "refine" the way they do their work, Shepherd said.

The former government official who was close to TIA and the NSA said it was "conceivable" that the NSA would use the RDEC to share information from the domestic program with other agencies. "It's a very good forum for doing that," the former official said.

Legacy

On October 6, 2001, two days after Bush cleared Hayden to turn the NSA's ears inward, Hayden met with about 80 agency employees in a large conference room. They became the workforce of the secret program, and Hayden told them what they were allowed to do. "I was explaining what the president had authorized," Hayden recalled at his CIA nomination hearing. "And I ended up by saying, 'And we're going to do exactly what he said and not one photon or one electron more.' And I think that's what we've done."

Hayden had set boundaries -- what was technologically possible, relevant, and lawful. But he has vowed that the NSA will live on the edge of those boundaries. A great fan of sports analogies, Hayden has said in private and public gatherings that for years the NSA played defense against its adversaries. A legal line of scrimmage kept the agency from tackling terrorists inside the country.

But after 9/11, the lines of play were redrawn. The NSA would go right up to the boundaries. "My spikes will have chalk on them," Hayden reportedly told one group when describing the NSA's new game plan. He was clear: "We're pretty aggressive within the law. As a professional, I'm troubled if I'm not using the full authority allowed by law."

Poindexter also thought that 9/11 clarified his purpose. "The attacks brought ... the war to our home," he wrote in his resignation letter in 2003. "After ... 9/11, I felt compelled to do what I could to make sure that never happened again." No one had done enough on 9/10 to stop the next day's horrors. Poindexter and Hayden wouldn't make the same mistake twice.

Poindexter is gone from government, but he still maintains contacts within the intelligence community and exerts a quiet influence. Hayden left the NSA in April 2005 to become the first deputy director of national intelligence. From that office, he oversaw all intelligence activities. Later this year, the office will take over management of the Advanced Research and Development Activity, which runs RDEC. Hayden took over as CIA director in May.

Although they've moved on, Poindexter and Hayden have left a wide wake. Whether or not Poindexter's masterwork has become the centerpiece of Hayden's terrorist hunt, their sails were cut from the same cloth. Their goals were the same. The former official who was close to TIA and the NSA thinks that Hayden didn't want to be associated with Poindexter, either publicly or in government, given his controversial nature.

"I think that Hayden was concerned that [Poindexter's] research was going to call attention, and that would eventually lead people to ask questions about what NSA was doing," the former official said. When TIA was ensnared in controversy, Hayden stayed quiet about the NSA's involvement.

But Hayden was watching, and following the admiral's lead, the former official thinks. Today, what the NSA is known to be doing looks enough like TIA to suggest that Poindexter inspired Hayden and his team. "It's clear to me now, in hindsight, why Hayden really was so unwilling to publicly acknowledge TIA," the former official said. "It's because Hayden was doing many of the things Poindexter did."

Published in National Journal.

More than Meets the Ear

by Shane Harris

The National Security Agency's warrantless surveillance program is broader than officials have described.

The Bush administration has assiduously avoided any talk about the actual workings of its program to intercept the phone calls and e-mails of people in the United States who are suspected of having links to terrorists abroad. Officials' unwavering script goes like this: Present the legal justifications for the president to authorize domestic electronic surveillance without warrants, but say nothing about how the National Security Agency actually does it -- or about what else the agency might be doing.

But when Attorney General Alberto Gonzales appeared before the Senate Judiciary Committee on February 6 to answer questions about the program, what he didn't say pulled back the curtain on how the NSA decides which calls and e-mails to monitor. The agency bases those decisions on a broad and less focused surveillance than officials have publicly described, a surveillance that may, or may not, be legal.

In a hearing that lasted more than eight hours, Gonzales, who didn't testify under oath, dutifully batted away senators' inquiries about "operational details" and stayed silent, under determined questioning by some Democrats, about other warrantless programs that the president might have secretly authorized. When the hearing finally ended, so did Gonzales's comments on the program.

Until 22 days later. On February 28, Gonzales sent committee Chairman Arlen Specter, R-Pa., a six-page letter, partly to respond to questions he was unprepared to answer at the hearing, but also "to clarify certain of my responses" in the earlier testimony. In the letter, Gonzales took pains to correct any "misimpressions" that he might have created about whether the Justice Department had assessed the legality of intercepting purely domestic communications, for example, as opposed to those covered by the NSA program, in which one party is outside the United States. The attorney general didn't say that Justice had contemplated the legality of purely domestic eavesdropping without a warrant, but he also didn't say it hadn't.

Gonzales's letter was intriguing for what else it didn't say, especially on one point: With exacting language, he narrowed the scope of his comments to address only "questions relating to the specific NSA activities that have been publicly confirmed by the president." Then, as if to avoid any confusion, Gonzales added, "Those activities involve the interception by the NSA of the contents of communications" involving suspected terrorists and people in the United States.

Subtly, and with a single word, Gonzales was tipping his hand. The content of electronic communications is usually considered to be the spoken words of a phone call or the written words in an electronic message. The term does not include the wealth of so-called transactional data that accompany every communication: a phone number, and what calls were placed to and from that number; the time a call was placed; whether the call was answered and how long it lasted, down to the second; the time and date that an e-mail message was sent, its unique message identifier, and the routing path recorded in its headers, which carries the network address of the computer that sent it and, presumably, points to the author.
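What that routing path gives up without anyone reading the message, as an added example that is not from the article or from any NSA tool. The message is constructed (reserved example domains, documentation IP ranges); the parser uses only the Received, From, To, Date and Message-ID headers and never touches the subject or body. One caveat a practitioner should carry: each Received line is written by the relay that handled the message, so the earliest hop, the one that names the sending computer, is also the one a sender can most easily forge.

```python
"""What an e-mail's transactional data yields without reading the body
(added example). The message below is constructed: addresses use reserved
example domains and IPs from documentation ranges. Only Received, From, To,
Date and Message-ID headers are used; subject and body are never touched.
Caveat: a Received line is only as trustworthy as the relay that wrote it,
so the earliest hop (written closest to the sender) is the easiest to forge.
"""
import email
import re
from email.utils import parsedate_to_datetime

RAW = """Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123
\tfor <bob@example.org>; Tue, 7 Mar 2006 09:04:12 -0500
Received: from [192.0.2.44] (helo=laptop.local)
\tby mx2.example.net with ESMTPA id xyz789;
\tTue, 7 Mar 2006 09:03:58 -0500
From: alice@example.com
To: bob@example.org
Date: Tue, 7 Mar 2006 09:03:40 -0500
Message-ID: <20060307140340.1234@laptop.local>
Subject: lunch

Body text the analysis never reads.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _first(pattern, text):
    m = re.search(pattern, text, re.S)
    return m.group(1) if m else None


def transactional_data(raw):
    """Return the metadata of one message: sender, recipient, message id,
    claimed send time, and the relay path in origin-first order."""
    msg = email.message_from_string(raw)
    hops = []
    # Relays prepend their Received line, so the header list reads newest
    # first; reverse it to walk the path from origin to final delivery.
    for received in reversed(msg.get_all("Received", [])):
        hops.append({
            "from": _first(r"from\s+(\S+)", received),
            "by": _first(r"\bby\s+(\S+)", received),
            "ips": IP_RE.findall(received),
            "at": parsedate_to_datetime(received.rsplit(";", 1)[-1].strip()),
        })
    return {
        "sender": msg["From"],
        "recipient": msg["To"],
        "message_id": msg["Message-ID"],
        "sent": parsedate_to_datetime(msg["Date"]),
        "hops": hops,
        # First address on the earliest hop: the sending machine as the
        # first relay saw it (and the easiest field for a sender to fake).
        "origin_ip": next((ip for hop in hops for ip in hop["ips"]), None),
        "transit_seconds": ((hops[-1]["at"] - hops[0]["at"]).total_seconds()
                            if len(hops) > 1 else 0.0),
    }


if __name__ == "__main__":
    meta = transactional_data(RAW)
    print(meta["sender"], "->", meta["recipient"], "origin", meta["origin_ip"])
    for hop in meta["hops"]:
        print(f"  {hop['from']} -> {hop['by']} at {hop['at']} ips={hop['ips']}")
```

Everything the function returns (who wrote to whom, from which machine, through which relays, at what second) is "transactional" in the sense Gonzales's letter leaves out, which is why a program limited to content can still be narrower than the analysis that decides whose content to read.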

Considering that terrorists often talk and write in code, the transactional data of a communication, properly exploited, could yield more valuable intelligence than the content itself. "You will get a very full picture of a person's associations and their patterns of activity," said Jim Dempsey, the policy director of the Center for Democracy and Technology, an electronic-privacy advocacy group. "You'll know who they're talking to, when they're talking, how long, how frequently.... It's a lot [of information]. I mean, a lot."

According to sources who are familiar with the details of what the White House calls the "terrorist surveillance program," and who asked to remain anonymous because the program is still classified, analyzing transactional data is one of the first and most important steps the agency takes in deciding which phone calls to listen to and which electronic messages to read. Far from the limited or targeted surveillance that Gonzales, President Bush, and intelligence officials have described, this traffic analysis examines thousands, perhaps hundreds of thousands, of individuals, because nearly every phone number and nearly every e-mail address is connected to a person.

Patterns in the Sea

Analysis of telephone traffic patterns helps analysts and investigators spot relationships among people that aren't always obvious. For instance, imagine that a man in Portland, Ore., receives a call from someone at a pay phone in Brooklyn, N.Y., every Tuesday at 9 a.m. Also every Tuesday, but minutes earlier, the pay phone caller rings up a man in Miami. An investigator might look at that pattern and suspect that the men in Portland and Miami are communicating through the Brooklyn caller, who's acting as a kind of courier, to mask their relationship. Patterns like this have led criminal investigators into the inner workings of drug cartels and have proved vital in breaking these cartels up.

Terrorists employ similar masking techniques. They use go-betweens to circuitously route calls, and they change cellphones often to avoid detection. Transactional data, however, capture those behaviors. If NSA analysts -- or their computers -- can find these patterns or signatures, then they might find the terrorists, or at least know which ones they should monitor.

Just after 9/11, according to knowledgeable sources, the NSA began intercepting the communications of specific foreign persons and groups named on a list. The sources didn't specify whether persons inside the United States were monitored as part of that list. But a former government official who is knowledgeable about NSA activities and the warrantless surveillance program said that this original list of people and groups, or others like it, could have formed the base of the NSA's surveillance of transactional data, the parts of a communication that aren't considered content.

If the agency started with a list of phone numbers, it could find all the numbers dialed from those phones. The NSA could then learn what numbers were called from that second list of numbers, and what calls that list received, and so on, "pushing out" the lists until the agency had identified a vast network of callers and their transactional data, the former official said. The agency might eavesdrop on only a few conversations or e-mails. But starting with even an initial target list of, say, 10 phone numbers quickly yields a web of hundreds of thousands of communications, because the volume increases exponentially with every new layer of callers.
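To make the "pushing out" procedure concrete, here is an added example in Python (not from the article, and not any agency's tool): a breadth-first contact chain over a handful of constructed call records, reporting how many numbers each hop pulls in and the path by which each one was reached. All phone numbers are made up, and the records carry no timestamps or content, only who touched whom.

```python
from collections import defaultdict, deque

# Constructed call-detail records (caller, callee); every number here is made up.
# Each pair is one observed call; timestamps and durations are omitted.
CALL_RECORDS = [
    ("202-555-0101", "212-555-0102"),  # seed A calls B
    ("202-555-0101", "305-555-0103"),  # A calls C
    ("212-555-0102", "503-555-0104"),  # B calls D
    ("415-555-0105", "212-555-0102"),  # E calls B (direction does not matter)
    ("305-555-0103", "617-555-0106"),  # C calls F
    ("503-555-0104", "312-555-0107"),  # D calls G
    ("617-555-0106", "702-555-0108"),  # F calls H
    ("702-555-0108", "305-555-0103"),  # H calls C (loops back to a number already reached)
]


def build_contact_graph(records):
    """Undirected adjacency: a number 'touches' every number it called or was called by."""
    graph = defaultdict(set)
    for caller, callee in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(records, seeds, max_hops):
    """Breadth-first expansion outward from the seed numbers.

    Returns (hop, via): hop[number] is the chain distance from the nearest seed,
    via[number] is the number through which it was first reached (None for seeds).
    Expansion stops at max_hops or when no new numbers appear.
    """
    graph = build_contact_graph(records)
    hop = {s: 0 for s in seeds}
    via = {s: None for s in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        if hop[current] >= max_hops:
            continue
        for contact in sorted(graph[current]):
            if contact not in hop:  # each number is attributed to the first hop that reaches it
                hop[contact] = hop[current] + 1
                via[contact] = current
                queue.append(contact)
    return hop, via


def layer_sizes(hop):
    """Count of numbers first reached at each hop; index 0 is the seed set itself."""
    sizes = [0] * (max(hop.values()) + 1)
    for h in hop.values():
        sizes[h] += 1
    return sizes


def chain_path(via, number):
    """The sequence of numbers that led from a seed to `number`.

    This path is the only evidence the chain offers for why `number` was pulled
    in; a number two hops out may have no relationship at all with the seed.
    """
    path = []
    while number is not None:
        path.append(number)
        number = via[number]
    return list(reversed(path))


if __name__ == "__main__":
    hop, via = contact_chain(CALL_RECORDS, ["202-555-0101"], max_hops=3)
    print("numbers reached per hop:", layer_sizes(hop))  # [1, 2, 4, 1] on the sample records
    for number in sorted(hop, key=hop.get):
        print(f"{number}  hop={hop[number]}  via: {' -> '.join(chain_path(via, number))}")
```

With one seed and only eight records the chain already reaches every number in the sample; on real call volumes, where each number touches dozens of others, the per-hop counts grow by roughly that factor at every layer.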

To find meaningful patterns in transactional data, analysts need a lot of it. They must set baselines about what constitutes "normal" behavior versus "suspicious" activity. Administration officials have said that the NSA doesn't intercept the contents of a communication unless officials have a "reasonable" basis to conclude that at least one party is linked to a terrorist organization. To make any reasonable determination like that, the agency needs hundreds of thousands, or even millions, of call records, preferably as soon as they are created, said a senior person in the defense industry who is familiar with the NSA program and is an expert in the analytical tools used to find patterns and connections. Asked if this means that the NSA program is much broader and less targeted than administration officials have described, the expert replied, "I think that's correct."

In theory, finding reasonable connections in data is a straightforward and largely automated process. Analysts use computer programs based on algorithms -- mathematical procedures for solving a particular problem -- much the same way that meteorologists use data models to forecast the weather. Counter-terrorism algorithms look for the transactional indicators that match what analysts recognize as signs of a plot.

Of course, those algorithms must be sophisticated enough to spot many not-so-obvious patterns in a mass of data that are mostly uninteresting, and they work best when the data come from many sources. Algorithms have proven useful for detecting frequent criminal activity, such as credit card fraud. "Historical data clearly indicate that if a credit card turns up in two cities on two continents on the same day, that's a useful pattern," says Jeff Jonas, a computer scientist who invented a technology to connect known scam artists who are on casinos' watch lists with new potential grifters, and is now the chief scientist of IBM Entity Analytics. "The challenge of predicting terrorism is that unlike fraud, we don't have the same volume of historical data to learn from," Jonas said. "Compounding this is the fact that terrorists are constantly changing their methods and do their best to avoid leaving any digital footprints in the first place."

The obvious solution would be to write an algorithm that is flexible and fast enough to weigh millions of pieces of evidence, including exculpatory ones, against each other. But according to technology experts, and even the NSA's own stated research accomplishments, that technology has not been perfected.

The Bleeding Edge

The NSA began soon after the 9/11 terrorist attacks to collect transactional data from telecommunications companies. Several telecom executives said in press accounts that their companies gave the NSA access to their switches, the terminals that handle most of the country's electronic traffic. One executive told National Journal that NSA officials urged him to hand over his company's call logs. When he resisted, the officials implied that most of his competitors had acceded to the agency's request.

Not long after the surveillance program started, in October 2001, the NSA began looking for new tools to mine the telecom data. The agency, the industry expert said, considered some that the Defense Department's Total Information Awareness program was developing. TIA was an ambitious and controversial experiment to find patterns of terrorist activity in a much broader range of transactions than just telephone data. But NSA officials rejected the TIA tools because they were "too brittle," the expert said, meaning that they failed to manage the torrent of data that the NSA wanted to analyze. He noted the irony of rejecting the TIA technologies -- which privacy advocates had characterized as huge, all-seeing, digital dragnets -- because they couldn't handle the size of the NSA's load.

In the fall of 2002, a federal research-and-development agency that builds technologies primarily for the NSA launched another search for pattern-detection solutions. The Advanced Research and Development Activity, ARDA, issued $64 million in contracts for the Novel Intelligence for Massive Data, or NIMD, program. Its goal was "to help analysts deal with information overload, detect early indicators of strategic surprise, and avoid analytic errors," according to ARDA's public call for proposals released last year. In essence, NIMD is an early-warning system, which is how the administration has described the terrorist surveillance program. In 2003, ARDA also took over research of the tools being developed under TIA.

While the NSA was searching for the next generation of data-sifters, it continued to rely on less sophisticated tools. For an example, the former government official who spoke to NJ cited applications that organize data into broad categories, allowing analysts to see some relationships but obscuring some of the nuance in the underlying information. The results of this kind of category analysis can be displayed on a graph. But the graph might reveal only how many times a particular word appears in a conversation, not necessarily the significance of the word or how it relates to other words. Technologists sarcastically call these diagrams BAGs -- big-ass graphs.

Such was the state of affairs when the NSA started looking for terrorist patterns in a telephonic ocean. So, instead of looking for a tool that could cull through the data, the agency decided to "reverse" the process, starting with the data set and working backward, looking for algorithms that could work with it.

The NSA has made some breakthroughs, the industry expert said, but its solution relies in part on a technological "trick," which he wouldn't disclose. Another data-mining expert, who also asked not to be identified because the NSA's work is classified, said that computer engineers probably started with the telecom companies' call data, looked for patterns, and then wrote algorithms to detect them as they went along, tweaking the algorithms as needed.

Such an ad hoc approach is brittle in its own right. For starters, if analysts are working with algorithms designed to detect only certain patterns, they could be missing others, the technology expert said. At the same time, the more dependent the algorithms are on identifying very specific patterns of behavior, the more vulnerable the NSA's monitoring is to being foiled if terrorists discover what the agency is watching for, or if they change their behavior. A more complex algorithm that considers thousands, or even millions, of patterns is harder to defeat.

The industry expert added that NSA officials have worried that "if you knew what the technical trick was they were doing [to make the surveillance program function], you wouldn't have to know what specific algorithms" the agency was using. This reliance on a "trick" makes the program very vulnerable to defeat and helps explain why the Bush administration is so keen on cloaking its inner workings.

"It's pretty bleeding-edge," the expert said, referring to a technology that's unperfected and therefore prone to instability. "We're talking about dumping hundreds of thousands or millions of records" into a system. In an unsophisticated system, connections among people can emerge that look suspicious but are actually meaningless. A book agent who represents a journalist who once interviewed Osama bin Laden, for example, doesn't herself necessarily know bin Laden. But she might turn up in an NSA search of transactional data. "False positives will happen," the expert said.

Gonzales and former NSA Director Michael V. Hayden have said that career agency employees decide to eavesdrop only if they have a "reasonable" basis to believe one party to a communication is a terrorist or connected to a terrorist organization. But what determines reasonableness? In a January speech at the National Press Club, Hayden drew a distinction between the Fourth Amendment's requirement that "no warrants shall issue, but upon probable cause," and its protection against "unreasonable searches and seizures."

When a journalist in the crowd questioned his logic, Hayden heatedly replied, "If there's any amendment to the Constitution that employees of the National Security Agency are familiar with, it's the Fourth. And it is a reasonableness standard in the Fourth Amendment.... I am convinced that we are lawful, because what it is we're doing [intercepting content] is reasonable." He said that the terrorist attacks fundamentally altered the NSA's thinking. "The standard of what [information] was relevant and valuable, and therefore, what was reasonable, would understandably change, I think, as smoke billowed from two American cities and a Pennsylvania farm field. And we acted accordingly."

Aside from the question of whether NSA employees, rather than federal judges, are qualified to determine what constitutes a reasonable search, that determination provides much of the basis for deciding whose communications will be intercepted without a warrant. If the technology the NSA is using to determine what constitutes a reasonable search is unsophisticated, the industry expert said, "you're talking about tapping a phone based on a statistical correlation."

A New Legal Battle?

Gonzales's narrowly tailored letter to Sen. Specter raised more questions than it answered. Democrats were outraged by what they saw as the attorney general's attempt to alter his testimony and to obstruct senators' attempts to fully assess the program's legal basis. "Much of your letter is devoted to not providing answers to the questions of a number of us regarding legal justifications for activities beyond those narrowly conceded by you to have already been confirmed by the president," Sen. Patrick Leahy of Vermont, the Judiciary Committee's ranking Democrat, wrote to the attorney general in a follow-up letter.

Leahy also raised the question of what else Gonzales hadn't told lawmakers. The attorney general's letter contained "disturbing suggestions ... that there are other secret programs," Leahy wrote. In Gonzales's letter to Specter, the attorney general had referred to "other intelligence activities" and to his inability to discuss them; he left open the possibility that the president may not have authorized these activities. Gonzales wrote, "When I testified in response to questions from Sen. Leahy, 'Sir, I have tried to outline ... what the president has authorized, and that is all that he has authorized,' I was confining my remarks to the Terrorist Surveillance Program as described by the president."

Gonzales's testimony was meant to defend the program's legality. But as more about the NSA's operations becomes known, new legal questions arise, including one that goes to the heart of how officials reasonably identify suspected terrorists.

Under normal criminal law, content is defined as "any information concerning the substance, purport, or meaning of [a] communication," but the definition of content under the law that governs electronic eavesdropping on U.S. persons for intelligence purposes is different and is potentially in conflict with normal jurisprudence. That law, the Foreign Intelligence Surveillance Act, states that content "includes any information concerning the identity of the parties ... or the existence, substance, purport, or meaning of [their] communication."

A phone number can be used to identify a person, said Dempsey of the Center for Democracy and Technology, who for nine years was assistant counsel to the House Judiciary Subcommittee on Civil and Constitutional Rights. Does that mean that a phone number is "content" under the law? FISA, enacted in 1978, didn't envision today's technology, when anyone with an Internet connection can use a phone number to find someone's name, address, and even an aerial photograph of his house, Dempsey said.

"I just cannot read [FISA] and figure out what it means in the context of analysis of [transactional] data," he added. "Presumably somebody in the administration thinks they understand it.... Whether that's providing any clear guidance" to the people working on the NSA program, "that's not clear."


TIA Lives On

by Shane Harris

A controversial counter-terrorism program, which lawmakers halted more than two years ago amid outcries from privacy advocates, was stopped in name only and has quietly continued within the intelligence agency now fending off charges that it has violated the privacy of U.S. citizens.

Research under the Defense Department's Total Information Awareness program -- which developed technologies to predict terrorist attacks by mining government databases and the personal records of people in the United States -- was moved from the Pentagon's research-and-development agency to another group, which builds technologies primarily for the National Security Agency, according to documents obtained by National Journal and to intelligence sources familiar with the move. The names of key projects were changed, apparently to conceal their identities, but their funding remained intact, often under the same contracts.

It is no secret that some parts of TIA lived on behind the veil of the classified intelligence budget. However, the projects that moved, their new code names, and the agencies that took them over haven't previously been disclosed. Sources aware of the transfers declined to speak on the record for this story because, they said, the identities of the specific programs are classified.

Two of the most important components of the TIA program were moved to the Advanced Research and Development Activity, housed at NSA headquarters in Fort Meade, Md., documents and sources confirm. One piece was the Information Awareness Prototype System, the core architecture that tied together numerous information extraction, analysis, and dissemination tools developed under TIA. The prototype system included privacy-protection technologies that may have been discontinued or scaled back following the move to ARDA.

A $19 million contract to build the prototype system was awarded in late 2002 to Hicks & Associates, a consulting firm in Arlington, Va., that is run by former Defense and military officials. Congress's decision to pull TIA's funding in late 2003 "caused a significant amount of uncertainty for all of us about the future of our work," Hicks executive Brian Sharkey wrote in an e-mail to subcontractors at the time. "Fortunately," Sharkey continued, "a new sponsor has come forward that will enable us to continue much of our previous work." Sources confirm that this new sponsor was ARDA. Along with the new sponsor came a new name. "We will be describing this new effort as 'Basketball,' " Sharkey wrote, apparently giving no explanation of the name's significance. Another e-mail from a Hicks employee, Marc Swedenburg, reminded the company's staff that "TIA has been terminated and should be referenced in that fashion."

Sharkey played a key role in TIA's birth, when he and a close friend, retired Navy Vice Adm. John Poindexter, President Reagan's national security adviser, brought the idea to Defense officials shortly after the 9/11 attacks. The men had teamed earlier on intelligence-technology programs for the Defense Advanced Research Projects Agency, which agreed to host TIA and hired Poindexter to run it in 2002. In August 2003, Poindexter was forced to resign as TIA chief amid howls that his central role in the Iran-Contra scandal of the mid-1980s made him unfit to run a sensitive intelligence program.

It's unclear whether work on Basketball continues. Sharkey didn't respond to an interview request, and Poindexter said he had no comment about former TIA programs. But a publicly available Defense Department document, detailing various "cooperative agreements and other transactions" conducted in fiscal 2004, shows that Basketball was fully funded at least until the end of that year (September 2004). The document shows that the system was being tested at a research center jointly run by ARDA and SAIC Corp., a major defense and intelligence contractor that is the sole owner of Hicks & Associates. The document describes Basketball as a "closed-loop, end-to-end prototype system for early warning and decision-making," exactly the same language used in contract documents for the TIA prototype system when it was awarded to Hicks in 2002. An SAIC spokesman declined to comment for this story.

Another key TIA project that moved to ARDA was Genoa II, which focused on building information technologies to help analysts and policy makers anticipate and pre-empt terrorist attacks. Genoa II was renamed Topsail when it moved to ARDA, intelligence sources confirmed. (The name continues the program's nautical nomenclature; "genoa" is a synonym for the headsail of a ship.)

As recently as October 2005, SAIC was awarded a $3.7 million contract under Topsail. According to a government-issued press release announcing the award, "The objective of Topsail is to develop decision-support aids for teams of intelligence analysts and policy personnel to assist in anticipating and pre-empting terrorist threats to U.S. interests." That language repeats almost verbatim the boilerplate descriptions of Genoa II contained in contract documents, Pentagon budget sheets, and speeches by the Genoa II program's former managers.

As early as February 2003, the Pentagon planned to use Genoa II technologies at the Army's Information Awareness Center at Fort Belvoir, Va., according to an unclassified Defense budget document. The awareness center was an early tester of various TIA tools, according to former employees. A 2003 Pentagon report to Congress shows that the Army center was part of an expansive network of intelligence agencies, including the NSA, that experimented with the tools. The center was also home to the Army's Able Danger program, which has come under scrutiny after some of its members said they used data-analysis tools to discover the name and photograph of 9/11 ringleader Mohamed Atta more than a year before the attacks.

Devices developed under Genoa II's predecessor -- which Sharkey also managed when he worked for the Defense Department -- were used during the invasion of Afghanistan and as part of "the continuing war on terrorism," according to an unclassified Defense budget document. Today, however, the future of Topsail is in question. A spokesman for the Air Force Research Laboratory in Rome, N.Y., which administers the program's contracts, said it's "in the process of being canceled due to lack of funds."

It is unclear when funding for Topsail was terminated. But earlier this month, at a Senate Intelligence Committee hearing, one of TIA's strongest critics questioned whether intelligence officials knew that some of its programs had been moved to other agencies. Sen. Ron Wyden, D-Ore., asked Director of National Intelligence John Negroponte and FBI Director Robert Mueller whether it was "correct that when [TIA] was closed, that several ... projects were moved to various intelligence agencies.... I and others on this panel led the effort to close [TIA]; we want to know if Mr. Poindexter's programs are going on somewhere else."

Negroponte and Mueller said they didn't know. But Negroponte's deputy, Gen. Michael V. Hayden, who until recently was director of the NSA, said, "I'd like to answer in closed session." Asked for comment, Wyden's spokeswoman referred to his hearing statements.

The NSA is now at the center of a political firestorm over President Bush's program to eavesdrop on the phone calls and e-mails of people in the United States who the agency believes are connected to terrorists abroad. While the documents on the TIA programs don't show that their tools are used in the domestic eavesdropping, and knowledgeable sources wouldn't discuss the matter, the TIA programs were designed specifically to develop the kind of "early-warning system" that the president said the NSA is running.

Documents detailing TIA, Genoa II, Basketball, and Topsail use the phrase "early-warning system" repeatedly to describe the programs' ultimate aims. In speeches, Poindexter has described TIA as an early-warning and decision-making system. He conceived of TIA in part because of frustration over the lack of such tools when he was national security chief for Reagan.

Tom Armour, the Genoa II program manager, declined to comment for this story. But in a previous interview, he said that ARDA -- which absorbed the TIA programs -- has pursued technologies that would be useful for analyzing large amounts of phone and e-mail traffic. "That's, in fact, what the interest is," Armour said. When TIA was still funded, its program managers and researchers had "good coordination" with their counterparts at ARDA and discussed their projects on a regular basis, Armour said. The former No. 2 official in Poindexter's office, Robert Popp, averred that the NSA didn't use TIA tools in domestic eavesdropping as part of his research.

But asked whether the agency could have used the tools apart from TIA, Popp replied, "I can't speak to that." Asked to comment on TIA projects that moved to ARDA, Don Weber, an NSA spokesman, said, "As I'm sure you understand, we can neither confirm nor deny actual or alleged projects or operational capabilities; therefore, we have no information to provide."

ARDA now is undergoing some changes of its own. The outfit is being taken out of the NSA, placed under the control of Negroponte's office, and given a new name. It will be called the "Disruptive Technology Office," a reference to a term of art describing any new invention that suddenly, and often dramatically, replaces established procedures. Officials with the intelligence director's office did not respond to multiple requests for comment on this story.


Intelligence Designs

by Shane Harris

In the spring of 2000, a year and a half before the 9/11 attacks, Erik Kleinsmith made a decision that history may judge as a colossal mistake.

Then a 35-year-old Army major assigned to a little-known intelligence organization at Fort Belvoir in Virginia, Kleinsmith had compiled an enormous cache of information -- most of it electronically stored -- about the Al Qaeda terrorist network. It described the group's presence in countries around the world, including the United States.

It was of great interest to military planners eager to strike the terrorists' weak spots. And it may have contained the names of some of the 9/11 hijackers, including the ringleader, Mohamed Atta.

The intelligence data totaled 2.5 terabytes, equal to about 12 percent of all printed pages held by the Library of Congress. Neither the FBI nor the CIA had ever seen the information. And that spring, Kleinsmith destroyed every bit of it.

Why did he do that? And how did a midlevel officer in a minor intelligence outfit obtain that information in the first place? Those questions lie behind the latest phase of a simmering controversy in Washington: whether something could have been done to prevent the terror attacks of September 11.

Kleinsmith worked for an Army project code-named "Able Danger." This past summer, a number of former project members -- none of whom had worked for Kleinsmith -- came forward to say that Able Danger had identified Atta and linked him to a convicted terrorist who is still serving time in federal prison for his role in the 1993 bombing of the World Trade Center.

The Able Danger members recalled charts showing names and pictures of suspects, and their links to each other. Rep. Curt Weldon, an outspoken Pennsylvania Republican and longtime supporter of intelligence reform, has demanded to know why the charts were never shared with an agency positioned to halt the attacks.

He also points out that the 9/11 commission failed to include any mention of Able Danger in its final report, which is regarded as an authoritative history of the attacks. The Pentagon searched more than 80,000 documents and found no chart with the name "Mohamed Atta." Weldon has accused the government of a cover-up and called for a criminal investigation.

But Able Danger, for all its intrigue, is just one piece of the unusual intelligence practices that Kleinsmith was engaged in, years before 9/11. In the late 1990s, Kleinsmith was the chief of intelligence for the Army's Land Information Warfare Activity, a support unit assigned to the Intelligence and Security Command. LIWA had broad authority to assist the Army and all military commands in conducting "information operations," a broad discipline that includes information warfare, public deception in combat, and intelligence analysis.

The Army's hub in this effort was the aptly named Information Dominance Center, based at Fort Belvoir. Since the late 1990s, the IDC has been home to some of the most innovative, unconventional, and controversial minds in the intelligence business. In its futuristic-style building -- its interior spaces designed by a Hollywood set artist to mimic the bridge of the starship Enterprise, complete with a large captain's chair in the center of the main room -- the IDC covered a range of topics.

Analysts tracked computer hackers who were targeting military networks, watched for potential avenues of Chinese government espionage, and charted the working relationships among foreign terrorists. To do this, the IDC relied heavily on a novel technique called "data mining."

On a recent afternoon at a coffee shop in Springfield, Va., not far from the IDC, Kleinsmith explained how data mining works. Putting pen to paper, Kleinsmith sketched clumps of circles, then surrounded some with concentric, wavy perimeters, until he'd drawn a crude version of a topographical map.

In data mining, he explained, a powerful search engine is used to "harvest" tens of thousands of Web pages that contain key words of interest -- "Al Qaeda" and "bin Laden," for instance. Another tool, called a data visualization program, then creates a three-dimensional map showing which words appear most often and how they relate.

The features and contours of the map tell an analyst about the underlying information's significance, Kleinsmith said. High peaks represent words that appear frequently. Peaks close together signal words that share some context. The analysts can click on a peak and pull up the information that helped create it. With data mining, analysts don't just read information, they "see" it. Kleinsmith called this kind of data mining "intelligence on steroids," and it was the IDC's hallmark.

Data mining works best with large sets of information, so it's particularly useful for Internet searches. At the IDC, Kleinsmith and three colleagues mapped Al Qaeda for Able Danger by mining open sources and fusing their results with classified government intelligence. But in addition to the mass of information they returned on suspected terrorists, they collected thousands of names of U.S. citizens.

People's names and personal information litter the Internet. Data harvesting, by its very nature, is indiscriminate and sweeping. Unavoidably, along with "Osama Bin Laden," an often-mentioned name like "Bill Clinton" will be harvested. That says a lot about the power, and the limits, of data mining, and why Kleinsmith destroyed what he had; the military is not supposed to be gathering information on U.S. citizens.

A First Test

From its earliest days, the IDC was a haven for renegades who wanted to use technology to step outside traditional intelligence-gathering, which relies heavily on classified sources and labor-intensive analysis. The center had high-level champions, including Lt. Gen. Keith Alexander, who from 2000 to 2003 directed the Intelligence and Security Command, the IDC's parent. Alexander now heads the National Security Agency, which operates the most-sophisticated electronic eavesdropping devices in the world.

Alexander also worked closely with James Heath, who headed the IDC in the late 1990s and whom former employees recall as a mix of driven genius and mad scientist. According to one such former employee of the center, Heath saw the IDC as "an experimentation table" on which to try out all kinds of new tools, depending on what the Army wanted at the time. Analysts and technicians worked together, "speaking the same language" and building useful data-mining tools. This dynamic didn't exist in other intelligence agencies, the former employee noted.

The IDC earned a reputation for innovation, but it also stepped over the bounds of traditional military intelligence. One of its first outside fans was Curt Weldon. Rep. Weldon had been advocating a "national collaborative center" to fuse law enforcement and intelligence units, and their information, from across the government.

In 1997, as the U.S. intervened in the Balkan War, senior Russian officials wanted Weldon (who had had good and long-standing contacts with the Russians) to meet in Belgrade with Yugoslavia's then-president, Slobodan Milosevic, to negotiate a peace settlement.

As Weldon stated on the House floor in 2002, the Russians offered to arrange a meeting between Weldon and Dragomir Karic, a rich Serb closely tied to Milosevic. Perhaps, the Russians said, Karic could act as a go-between with the Serbian president. But according to Weldon, State Department officials said they'd never heard of Karic, and thought the meeting was a ploy to manipulate the congressman.

Weldon met with Karic on neutral territory, in Vienna. But before leaving the States, he asked then-CIA Director George Tenet for background on the Serb. Tenet "called me back the next day and gave me two or three sentences ... and said they thought he was tied in with the corruption in Russia, but did not know much else about him," Weldon said.

Unsatisfied, Weldon contacted his "friends at the Information Dominance Center," which he considered a model for his own intelligence collaboration venture. The IDC "came back to me with eight pages about this man," who the analysts said "was very close to Milosevic personally." Former IDC employees confirmed that they provided Weldon with detailed information on Karic.

The talks with Karic bore no fruit. But when Weldon returned to Washington, he said, the FBI and CIA asked to debrief him on what he knew about Karic. Weldon delivered a thorough dossier.

"I told them that there were four Karic brothers; that they were the owners of the largest banking system in the former Yugoslavia; that they employed some 60,000 people; that their bank had tried to finance the sale of an SA-10 [missile system] from Russia to Milosevic; that their bank had been involved in a $4 billion German bond scam; that one of the brothers had financed Milosevic's election; that the house Milosevic lived in was really their house; that, in fact, the Karic brothers' wives were best of friends with Milosevic's wife; and that they were the closest people to this leader."

Surprised to hear such details on a man they barely knew of, the agents presumed Weldon got the information from the Russians. When he told them that the facts came from the Army's Information Dominance Center, Weldon recalls, the agents replied, "What ... is the Information Dominance Center?"

The event convinced Weldon that the CIA and the FBI didn't "get it," and that the IDC was the wave of the future. He became its biggest proponent in Congress, and sang its praises to the highest levels of the Defense Department.

After Weldon submitted the Karic dossier, word of the IDC's work spread outside the Army realm, Kleinsmith said. He had put just two analysts on the Weldon project, and they had taken only a day to generate the Karic profile. It "shocked me that we were outdoing these other organizations," namely the CIA, Kleinsmith said.

The China Problem

Intrigued with the Karic work, senior Pentagon officials decided to see if the tiny band of analysts could prove their mettle on a bigger problem. Officials were concerned about the possible leakage of U.S. military technology abroad, through unauthorized exports or through espionage. In the spring of 1999, the Pentagon "initiated a onetime project, to use data-correlation tools to decide if we could use those methods as a superior approach for counterintelligence," said John Hamre, the deputy Defense secretary at the time. "It was an experiment."

The people involved said the experiment looked specifically at technology transfers to China, whose military posed the gravest post-Cold War threat to the United States. Kleinsmith says the particular technology the IDC researched was arbitrary. "I think we flipped a coin" to decide. The point was to show the Pentagon that data mining could identify front companies, potential leaks of technology, and other vulnerabilities. "What we found was absolutely enormous," Kleinsmith said.

Former IDC employees and others familiar with the work say the China research exposed a variety of avenues through which military technology designs could end up in Chinese government hands. The IDC created a diagram showing how organizations and people in the United States were connected to the Chinese. Hamre had visited the center, and according to Weldon, reported back, "It is amazing what they are doing there."

The experiment "went well," the former IDC employee said. "Unfortunately, it went too well." During construction of those link diagrams, the names of a number of U.S. citizens popped up, including some very prominent figures. Condoleezza Rice, then the provost at Stanford University, appeared in one of the harvests, the by-product of a presumably innocuous connection between other subjects and the university, which hosts notable Chinese scholars.

William Cohen, then the secretary of Defense, also appeared. As one former senior Defense official explained, the IDC's results "raised eyebrows," and leaders in the Pentagon grew nervous about the political implications of turning up such high-profile names, or those of any American citizens who were not the subject of a legally authorized intelligence investigation. Rumors still abound about other notable figures caught up in the IDC's harvest. "I heard they turned up Hillary Clinton," the official said. The experiment was not continued.

"We determined that there were significant methodological problems," Hamre said of the IDC's techniques. Data-correlation analyses on raw information "produce impossibly large numbers of potential correlations. The numbers are too large to be operationally helpful."

But it appears not everyone in the military establishment agreed. Over the next several months, Kleinsmith estimated he gave more than 200 briefings on the IDC to members of Congress, generals, and senior government officials. "I could tell in three to four minutes if someone 'got it,' " Kleinsmith said. Hamre got it, he noted. And so, it seems, did officials with the Army's Special Operations Command, who, despite the unease over the China experiment, came to the IDC asking for information about a then-shadowy organization called Al Qaeda.

Able Danger

In the fall of 1999, top officials in the Special Operations Command were looking for a way to take the nascent fight on terrorism to its source. Al Qaeda had recently destroyed the U.S. embassies in Kenya and Tanzania. Special Operations' top officers, including the commander, Gen. Peter Schoomaker, "wanted the mission of 'putting boots on the ground' to get at [Osama] bin Laden and Al Qaeda," according to the 9/11 commission report.

But the military leadership believed that without concrete intelligence about Al Qaeda, a strike on the group was doomed to fail. President Clinton told the 9/11 commission, "If we had really good intelligence about ... where [bin Laden] was, I would have done it." Plans were already under way to attack Al Qaeda using AC-130 gunships. What was lacking was actionable intelligence to tell the military whom to hit and where.

Kleinsmith said that a pair of Special Operations officials visited him at the IDC in December 1999. At the instruction of the Joint Chiefs of Staff, the officials wanted as much intelligence on Al Qaeda and other transnational terrorists as could be mustered. They called the project Able Danger. (The word "able" has been commonly used for military exercises for more than two decades.)

The officials asked Kleinsmith about the technologies the IDC was using. "They didn't talk specifics," Kleinsmith said, but it was clear that "we had something they could really use." Later, he offered to "run some data" and produce a preliminary analysis. Within 90 minutes, Kleinsmith said, his analysts found evidence that Al Qaeda had a "worldwide footprint," including "a surprising presence in the U.S. That's when we started losing sleep."

In January 2000, Special Operations gave Kleinsmith and his team the green light to find as much information as they could. "They told us, 'Start with the words "Al Qaeda," and go,' " he said. A month later, the IDC conducted the first Able Danger harvest. The initial results, while impressive, were hardly what Special Operations forces needed to put boots on the ground.

The harvest "was a mile wide and an inch deep," Kleinsmith said. It included more than two terabytes of information, too vast an amount to provide specific targets. The IDC analysts could see the broad outlines of Al Qaeda, particularly its transformation from an idealistic movement into an operational network that could possibly inflict damage. Names, locations, and capabilities, and even the group's financial sources, were "coming together," Kleinsmith said. But the data set was still too big.

That didn't stop the analysts from trying to pare the information down. The former IDC employee said analysts played what they called "the Kevin Bacon game," referring to the popular notion that the prolific film actor can be linked to any other actor through no more than five people. (The game is based on the "six degrees of separation" theory that anyone on Earth can be linked to anyone else through five intermediaries.)

"Let's say you had a bad guy at each end of a string," the employee said. The analysts looked for the people between them, and then those people's ties to each other and to still others, asking whether any of the links came back to the initial bad guys. The analysts played this game routinely to firm up the connections in the large data sets. Eventually, they were able to isolate some 20 people about whom Special Operations wanted further, deeper analysis, Kleinsmith said.
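The "string between two bad guys" search described above is, in graph terms, a bounded-depth path enumeration between two seed nodes. The following is an added example written for this page, not code from the article, the IDC, or any of its tools: it builds a co-occurrence graph from a constructed edge list, lists the simple paths between two seeds with at most five intermediaries, counts how often each intermediary appears, and shows how the candidate set grows with each added hop. The node names (`seed_a`, `p1`, and so on) and edges are invented for illustration.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Graph = Dict[str, Set[str]]

# Constructed sample co-occurrence edges (not real data): an undirected edge
# means two entities were mentioned together in some harvested document.
SAMPLE_EDGES: List[Tuple[str, str]] = [
    ("seed_a", "p1"), ("p1", "p2"), ("p2", "seed_b"),                # 2-hop chain
    ("seed_a", "p3"), ("p3", "p4"), ("p4", "p5"), ("p5", "seed_b"),  # 3-hop chain
    ("p1", "x1"), ("x1", "x2"),                                      # dead-end branch
    ("seed_b", "y1"), ("y1", "y2"), ("y2", "y3"),                    # dead-end branch
    ("p2", "z1"),                                                    # noise
]


def build_graph(edges: List[Tuple[str, str]]) -> Graph:
    """Build an undirected adjacency map from (u, v) pairs."""
    g: Graph = defaultdict(set)
    for u, v in edges:
        g[u].add(v)
        g[v].add(u)
    return g


def paths_between(g: Graph, src: str, dst: str, max_intermediaries: int = 5) -> List[List[str]]:
    """Enumerate simple paths from src to dst with at most max_intermediaries
    nodes in between (the 'six degrees' bound). Bounded depth-first search;
    neighbours are visited in sorted order so results are deterministic."""
    max_nodes = max_intermediaries + 2  # two endpoints plus the intermediaries
    found: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if len(path) > max_nodes:
            return
        if node == dst:
            found.append(list(path))
            return
        for nxt in sorted(g.get(node, ())):
            if nxt not in path:  # simple paths only: never revisit a node
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return found


def intermediaries(g: Graph, src: str, dst: str, max_intermediaries: int = 5) -> Dict[str, int]:
    """Names lying on at least one bounded path between the two seeds, with the
    number of such paths each sits on. A high count is a reason to look
    further; by itself it is not evidence of anything."""
    counts: Dict[str, int] = defaultdict(int)
    for path in paths_between(g, src, dst, max_intermediaries):
        for node in path[1:-1]:
            counts[node] += 1
    return dict(counts)


def reachable_within(g: Graph, src: str, hops: int) -> int:
    """Number of distinct nodes within `hops` edges of src (src excluded).
    Breadth-first search; shows how fast the candidate set grows per degree."""
    seen = {src}
    frontier = deque([(src, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == hops:
            continue
        for nxt in g.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return len(seen) - 1


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for p in paths_between(g, "seed_a", "seed_b"):
        print(" -> ".join(p))
    print(intermediaries(g, "seed_a", "seed_b"))
    for k in range(1, 7):
        print(k, "hops:", reachable_within(g, "seed_a", k))
```

On this toy graph the two seeds are joined by two paths (one with two intermediaries, one with three), while the set of nodes within reach of a single seed grows from 2 at one hop to 12 at six hops. On a real harvest of thousands of names that growth is what produces the "impossibly large numbers of potential correlations" the article quotes, and why every link the search surfaces still needs human investigation before it means anything.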

The team developed charts to serve as "simplified explanations" of what they found. But those charts, now famously alluded to by Weldon and others as having named Mohamed Atta, sometimes measured 20 feet in length and were covered with small type, the former IDC employee said. The charts were so big, in fact, that analysts had to hang them on walls just to read them. The former employee doesn't remember seeing Atta's picture.

The IDC might have followed Atta's trail if it had been told to do so, the former employee said. But just pulling names at random from the chart was pointless. And a simple connection between two people on a chart was not evidence of any criminality or pending attack. "Do you have any idea how many people on the planet would go to jail just because they knew somebody bad?" the former employee asked.

The IDC produced an impressive array of intelligence, but it also came dangerously close to an important legal line. The basic harvesting methodology guaranteed that the names of U.S. citizens would appear. "You'll pull in 16,000 people in a harvest," Kleinsmith said. It's "100 percent likely" that an American will be there. And sometimes the names themselves seemed meaningless.

If an analyst found "Clinton," Kleinsmith noted, that could mean George Clinton, the funk musician, or the town of Clinton, Md. Was the collection accidental or intentional? Regulations that restrict domestic surveillance of U.S. citizens don't necessarily apply to names that are swept up inadvertently in a data harvest. The IDC team pulled in hundreds of names every hour, Kleinsmith said. When asked which prominent Americans were included, he replied, "Everybody was coming up."

Data Destruction

As quickly as the IDC garnered powerful fans, it also earned some enemies. The center was not a chartered member of the formal intelligence community -- the 14 agencies that in 1999 officially constituted the country's spy apparatus. For a support organization, buried several layers deep in the Army, to tread on territory normally reserved for big-name agencies like the CIA and the Defense Intelligence Agency, and to present intelligence gleaned from the Internet, of all places, was simply anathema to people steeped in decades of intelligence rules and culture. The IDC analysts were mavericks.

In particular, the Defense Intelligence Agency questioned the analysts' results on a number of projects, not just Able Danger, the former IDC employee said. "We'd show them our stuff, and they'd say, 'Show us the math.' " But the answers didn't always add up so neatly. The combination of data mining and hunches sometimes produced results that the bigger intelligence agencies viewed as murky, even if military commanders found them compelling.

At a Pentagon briefing on Able Danger in September of this year, Thomas Gandy, the Army's director of counterintelligence and human intelligence, cautioned reporters about inferring too much information from the "links" the IDC established, particularly because its data-mining tools were far less sophisticated than the ones used today. "Just that there are links established doesn't really mean anything," Gandy said. "In the primacy of this technology, you get some very goofy links that require research."

Kleinsmith and the former employee, as well as others who worked tangentially to the IDC over the years, insisted that the IDC analysts were senior and seasoned, and that they recognized the fact that simple links required further investigation. Yet the analysts' enthusiasm for a less tidy sort of inquiry, which often raised more questions than answers, divided intelligence professionals. Some former government officials, who declined to be named, derided the IDC analysts as "zealots" and said their work never produced the eureka-like results that some, particularly former Able Danger members, now claim.

One senior IDC analyst, Eileen Preisser, who worked with Kleinsmith on Able Danger and other projects, was characterized by a former Defense official as "an uncontrolled flake." Kleinsmith, who called Preisser an "analytical genius," admitted that she "has constant trouble in working with others in the community." Preisser has worked in several intelligence jobs, inside and outside the government, and those who know her see her as the prototypical IDC believer.

She "is especially critical of those folks who she feels did not, or do not, 'get' the technology," Kleinsmith said. "Instead of working within the system, maneuvering around the tough spots, negotiating and dealing, she tends to burn her way through an issue to get where she needs to go." Preisser now works for the National Geospatial Intelligence Agency. A spokeswoman there said Preisser declined all requests for interviews.

In early 2000, in the midst of Able Danger, a lawyer with the Army's general counsel visited Kleinsmith. As Kleinsmith testified before the Senate Judiciary Committee in September, the lawyer reminded him that under Army regulations, any data the IDC collected on U.S. persons -- even inadvertently -- had to be destroyed within 90 days. If analysts could establish a legitimate reason to investigate a person further, they could keep the corresponding data.

But with potentially tens of thousands of names, checking each one would have been impossible, Kleinsmith said. In the Pentagon briefing, Gandy concurred: "I don't think they had the capability to scrub it in the fashion that the oversight rules could live with."

By the spring of 2000, Kleinsmith said, the IDC had the list of 20 individuals whom Special Operations wanted investigated further under Able Danger. But in March, Kleinsmith was ordered to cease all work on the project. He believes the order came from outside the IDC's command. From May to June, Kleinsmith and his team destroyed the information, and possibly the linkages between Mohamed Atta, Al Qaeda, and convicted terrorists already sitting in U.S. prisons.

"It was terrible," Kleinsmith said.

'So It Begins'

After the data purge, the heartbeat of the IDC slowed. In late September 2000, the center was authorized to begin new work on Able Danger, Kleinsmith said. A data harvest would take no time to replicate, but the analysis on people and locations was much harder to reproduce.

But Able Danger never ramped up a second time. On October 12, while the USS Cole was docked in Yemen's port city of Aden, Al Qaeda suicide bombers rammed the destroyer with a small explosive-laden boat, killing 17 U.S. sailors and wounding 39. From then on, U.S. Central Command, responsible for the Middle East, became the IDC's primary customer, Kleinsmith said. Special Operations Command, unhappy because the IDC's attention had shifted, moved Able Danger to a private intelligence research center run by Raytheon in Garland, Texas, Kleinsmith said.

A Raytheon spokesman did not respond to a request for comment. But Eileen Preisser, the IDC analyst who had worked on Able Danger with Kleinsmith, was working for Raytheon after the September 11 attacks. In a 2001 interview with National Journal, she spoke of projects she was involved with that were essentially the same as those at the IDC.

After the Cole bombing, the IDC concentrated on projects not related to Al Qaeda. "We went on to do some other things, other projects," the former IDC employee said. Less than a year later, the 9/11 attackers struck. Looking back, Kleinsmith doesn't claim that he saw the attacks coming. Rather, he felt resigned. "I wasn't surprised," he said. He had studied Al Qaeda's evolution and believed he knew its capabilities. "I thought, 'So it begins.'"

Total Information Awareness

The 9/11 attacks breathed some new life into the Information Dominance Center. In late 2001, retired Navy Adm. John Poindexter, who had served as President Reagan's national security adviser, met with the director of the Defense Advanced Research Projects Agency, where Poindexter was soon to be employed. Poindexter was looking for a site to test new technologies under his Total Information Awareness program, which, not unlike the IDC, aimed to use open-source data and government information to understand terrorism.

TIA also looked at tools to examine commercial databases containing information on U.S. citizens, within the context of privacy regulations.

Poindexter wanted a proving ground staffed by seasoned, technology-inclined analysts, a "Manhattan Project" for counterterrorism, he said. The DARPA director, Tony Tether, told him to consider the IDC. After meeting with Gen. Alexander, the Army commander overseeing the center, Poindexter agreed to test some of the TIA tools at the IDC.

"TIA was a very good concept," the former IDC employee said. The center offered TIA "a high-speed testing bed" for its new technologies. "Some of the tools sucked, and some of them were good ideas," the employee said. The frustration came from officials' reluctance to use the tools for active intelligence projects. Poindexter emphasized that TIA was a research project and wasn't using data mining as part of any real intelligence operations. TIA was an experiment.

But the experiment was short-lived. In late 2002, Poindexter's role in TIA was revealed in the press. The controversial retired admiral's past caught up with him -- Poindexter was the central figure in the Iran-Contra scandal, which diverted the profits from covert arms sales to Iran to anti-Communist rebels in Nicaragua.

Members of Congress derided TIA as an Orwellian excess of the post-9/11 era. The funding was pulled. Kleinsmith, who had left the Army by the time TIA arrived, seemed perplexed by lawmakers' concerns. "We've had this capability for years," he remembered thinking. "Who cares?"

TIA's detractors declared a victory for privacy protection when they killed the project. Poindexter was forced to resign in August 2003. But research on TIA tools has hardly ceased.

Rather, it has moved into the intelligence agencies, where the work and the budgets for it are classified, Poindexter said, noting that now Congress has more-limited oversight and should be more concerned about privacy infringements. The former IDC employee concurred, saying "The [TIA] concept hasn't died off. It continues. And it continues elsewhere now, and I can't talk about that. The tools are continuing to be developed."

What-Ifs

Five years after Able Danger, Erik Kleinsmith seems oddly at ease for a key figure in a brewing political controversy. Inevitably, Kleinsmith would be a major witness in any investigation of the project. No one has suggested he did anything other than follow Army regulations in destroying the Able Danger documents.

Kleinsmith remains unconvinced that, despite the IDC's innovations, the 9/11 attacks were foreseeable. But "I do go to bed every night ... [thinking] that if we had not been shut down, we would have at least been able to prevent something or assist the United States in some way," Kleinsmith told the Senate Judiciary Committee during September's hearing. "Could we have prevented 9/11?" He paused, and then said: "I don't think I can ever speculate to that extent, that we could have done that."

Today, Kleinsmith is an employee with Lockheed Martin, working as a contractor to the Army's Information Operations Center, an IDC spin-off that is chartered to support the global war on terrorism. He oversees an intelligence training team of about 28 instructors, five of whom are working in Iraq to train U.S. analysts in data mining.

"One of the most amazing aspects of the Able Danger team is that, for a time, you had what I believe was the perfect combination of technology, data, and expert analysts that combined to create analysis that was above and beyond what the intelligence community was producing," Kleinsmith said. The results of the China experiment brought Special Operations Command to the IDC. That's proof enough for Kleinsmith that his group was providing what no one else could.

"I have been asked by several folks on Capitol Hill, members and staffers alike, whether the capability still exists to do what we did," Kleinsmith said. "My answer is, 'yes and no.' " Paradoxically, analysts are being trained to rely on the technological tools -- what Kleinsmith called "buttonology" -- too much, instead of thinking creatively on their own, he explained.

The technology is powerful, but needs to augment the analyst's work, he said. "There are still those who want to train analysts on how the engine of the car works instead of how to drive the car."

Kleinsmith recognized that the IDC's methods caused some consternation, but he takes pride in his former work and looks at the controversy pragmatically. "We understood that [there were objections], but we also understood that a lot of our customers didn't care."

Today, Kleinsmith is still struggling with the same puzzles. And, to hear him tell it, apart from the advancements in technology, little has changed. So much is still unknown, and undone, about the terrorist threat to the United States, he said. He can simply watch television to know that law enforcement isn't rounding up the terrorist cells he believes his team identified in the United States five years ago.

Ultimately, Kleinsmith sounds less like a man burdened by his past than one nervous about the future. No one seems to be acting on the information the IDC found that terrorists had taken up residence in the United States, far from New York, he said. And, as if they were listening, waiting for him to tip his hand, Kleinsmith cautiously added, "I'd just prefer not to say where they are."

Published in National Journal


The Private Spy Among Us

by Shane Harris

To help the government track suspected terrorists and spies who may be visiting or residing in this country, the FBI and the Defense Department for the past three years have been paying a Georgia-based company for access to its vast databases that contain billions of personal records about nearly every person -- citizens and noncitizens alike -- in the United States.

According to federal documents obtained by National Journal and Government Executive, among the services that ChoicePoint provides to the government is access to a previously undisclosed, and vaguely described, "exclusive" data-searching system. This system in effect gives law enforcement and intelligence agents the ability to use the private data broker to do something that they legally can't -- keep tabs on nearly every American citizen and foreigner in the United States.


ChoicePoint is famous for being the largest and most sophisticated aggregator of public records on U.S. citizens and residents. The company has built an enormous electronic cache of more than 19 billion records -- all of which are legally obtained -- that it mines to locate criminals and suspects, their family members and known associates, and their hidden financial assets.

Most of ChoicePoint's customers are other companies -- insurance providers trying to spot potential scam artists applying for policies, for instance. But the company's work for the government is significant and growing. Using its DNA analysis lab, ChoicePoint helped identify victims of the September 11 attacks. And the following year, the company helped locate the Washington-area snipers by leading investigators to the blue Chevrolet Caprice that the two killers used in their spree. (ChoicePoint compiles hundreds of millions of motor vehicle registrations.)

Although it has generally been known that the FBI and intelligence agencies use ChoicePoint's people-tracking skills, federal and company officials have refused to discuss the particulars of their arrangements. ChoicePoint declined a request for an interview about its work for the FBI and the Defense Department. But a set of contract documents, obtained under the Freedom of Information Act, and which the government sought to withhold for almost two years, reveals details not previously reported about ChoicePoint's work for the FBI's Foreign Terrorist Tracking Task Force, called FTTTF or "F tre F." This task force was set up soon after the 9/11 attacks to assist law enforcement and intelligence agencies in locating foreign terrorists and their supporters in the United States. Because the task force can't maintain records on U.S. persons without opening an official investigation, it relies on ChoicePoint to augment the intelligence that the government collects through legal channels.

The documents show that ChoicePoint has provided an arsenal of data and analysis to the task force and its partner group, the Defense Department's Assessments and Technology Directorate, which in turn is part of a counterintelligence unit that identifies covert threats -- namely spies and terrorists -- to Defense Department personnel and property. The FBI task force and the Defense directorate share an office and have helped to identify more than 200 terrorist suspects in the United States, FBI officials say. The partnership has also helped track suspected suicide bombers; the FBI component, among other things, vets all foreigners attending U.S. flight schools.

According to the contract documents, which have been heavily redacted, in 2002 the FBI task force had an "urgent need to acquire high-volume public record data" to help locate and track "foreign terrorists and related activities." At that point, the task force purchased some of the company's most popular services.

In the beginning, ChoicePoint performed search work at its own facilities, taking "input criteria" -- a name or other identifying data supplied by the government -- and returning useful information, such as a subject's address or any disparity between his name and Social Security number (a signal that the person may have purchased a stolen number to shield his true identity).

A year later, the government's appetite for data apparently became more sophisticated. In early 2003, the agencies ordered a set of Internet-based services from ChoicePoint. These services, the documents show, effectively put the power of the company's databases at government agents' fingertips on their desktop computers. The agencies also bought the company's AutoTrack product, which creates "easy-to-read reports" and gives users the "ability to locate people and assets faster ... and solve more crimes," according to marketing materials on ChoicePoint's Web site. And the agencies purchased ChoicePoint's "national comprehensive reports with associates," a service that lists the names, Social Security numbers, addresses, properties, and even pilot licenses to which someone is connected, directly or through known associates and relatives. FBI officials have said that such services are an invaluable complement to traditional criminal investigations.

But the documents indicate that ChoicePoint may have gone beyond simply offering its commercially available products to the government. In 2003, ChoicePoint agreed to provide access to an "exclusive" system used to help identify terrorism suspects. Although much of the description of the system has been redacted from the documents -- on the grounds that it would reveal law enforcement tactics and operations -- the portions that were released indicate that ChoicePoint's work involves continuously tracking a "subject of interest" and notifying the government when new information has surfaced on that person.

After a string of redacted text about this exclusive service, the document states, "When this new information is added and identified as relevant new data for a subject of interest, the FTTTF will receive electronic notification.... Additional information beyond the identity and address data can be provided to the FTTTF with a subpoena." In releasing the contract documents, the government said it could not elaborate on the system, because doing so "could certainly assist ... terrorists in circumventing detection." The government also redacted the dollar amount of the contracts, making it harder to assess costs and scope.

According to an outside expert on ChoicePoint who reviewed the documents for National Journal, the exclusive service looks like something ChoicePoint built specifically for federal agencies, and the arrangement raises questions about whether the company is effectively becoming an arm of the federal government.

"The language [of the contract], and ChoicePoint making their full system available to the government and [performing] custom-tailored searches for the government, show a high degree of cooperation," says Chris Hoofnagle, a researcher with the Electronic Privacy Information Center, who has obtained ChoicePoint contracts and corporate documents through other legal filings.

FBI officials have stated publicly that they don't use ChoicePoint for "fishing expeditions," that they tap its services only in the course of an official investigation. But the threshold for what constitutes a "subject of interest" is unclear. So are the restrictions, if any, that the government faces when it searches private databases for information on U.S. citizens. And it's unclear whether these restrictions differ from the rules for investigating foreigners.

Even though existing laws strictly limit the government's ability to conduct surveillance on U.S. citizens, those limitations don't apply to corporations. And so, the more ChoicePoint takes on exclusive work for the government that the government is prohibited from doing on its own, "the more it looks like a government actor," Hoofnagle says.

ChoicePoint collects a dizzying variety of newly filed public records from sources as varied as courthouses and motor vehicle departments, any of which could be a key data point in building a profile about a person being investigated. Standard ChoicePoint fare includes concealed-weapons permits; marriage and death certificates; registrations for boats, aircraft, and automobiles; eviction notices; credit card information; hazardous-materials-handling permits; and employment histories.

Without question, ChoicePoint provides services that the government feels it can't live without. "The enormous number of visitors to the U.S. and avenues of entry and exit makes it inordinately difficult, if not impossible, to accurately account for each entrant," the FBI task force director, Mark Tanner, told House lawmakers in 2003. He was describing how agents use private data brokers' information to help find people who've overstayed their visas, a class the government deems a security risk. FBI agents privately also sing the company's praises and say that if they couldn't get public records from ChoicePoint, they'd have to dispatch investigators to courthouses and clerks' offices across the country, greatly slowing the pace of their work.

But as ChoicePoint's databases grow, Hoofnagle asks, "at what point do [the company's] records become the equivalent of a 'system of records,' " an official collection that is subject to government regulation and oversight and that must be publicly announced? Writing in the George Washington Law Review last November, two members of the Center for Democracy and Technology wondered whether government's use of private databases renders useless the federal Privacy Act, which is supposed to protect private information. "If the government is simply accessing databases created by commercial entities for their own reasons, there may be no system of records subject to Privacy Act requirements," the members wrote.

U.S. citizens have few avenues to monitor how the government is using their personal data when it resides outside government hands. "We have the legal authority to collect certain types of information," says Ed Cogswell, an FBI spokesman. ChoicePoint is "a commercial database, and we purchase a lot of different commercial databases.... They have collated information that we legitimately have the authority to obtain."

But because the FBI is so reluctant to discuss how it uses the data, and what its own guidelines are for monitoring agents' access to it, a cloak is cast over the government's work. "From the perspective of an American citizen, this is another example where a company that's built a massive personal-information database is being used regularly by the government to track citizens," says Hoofnagle, who supports using ChoicePoint for terrorism investigations but wants more public assurances that the information isn't being misused.

Congress wants similar assurances. In the wake of several security breaches this year, at ChoicePoint and other firms, in which identity thieves accessed people's financial records, lawmakers have proposed several bills that would rein in the private data brokers and monitor more closely how the government uses them. One bill, the Personal Data Privacy and Security Act, introduced by Sens. Arlen Specter, R-Pa., and Patrick Leahy, D-Vt., would require the government to establish rules protecting privacy and security when it hires data brokers, and to conduct regular audits of those contracts.

Privacy advocates following the bills say that they're weaker than legislation being pushed through in state legislatures, and that no single congressional bill fully addresses all their concerns. But the legislation has data brokers' attention. Hoofnagle says that lobbying expenditures by private data collectors are up across the industry. And this year, ChoicePoint has hired a number of lobby shops specializing in the executive branch. One hired last month is none other than the Ashcroft Group, founded by former Attorney General John Ashcroft, who oversaw the establishment of the FBI task force in 2002.

Steven Aftergood, who directs the Project on Government Secrecy at the Federation of American Scientists, says, however, that it is always hard to monitor what private contractors do in the intelligence field.

"Using contractors to perform sensitive intelligence or counterintelligence work, whether it's prisoner interrogation in Iraq or data mining in D.C., is always problematic, because their activities are much harder to oversee," Aftergood says. "Unlike government agencies, contractors are not answerable to Congress. And the secrecy of most intelligence work makes them all but impervious to independent oversight. If they broke or bent the law, we might never find out."

Published in National Journal

The Worm that Turned

by Shane Harris
The federal government's fight against one cyber villain changed its response to online attacks.

Wednesday, June 20, 2001
6:30 a.m.
FBI Headquarters,
Washington

After 23 years as a CIA analyst, having briefed the president and his team on every conceivable threat to national security, Bob Gerber was scared. More scared than he'd been in a long time.

Holed up in his cramped, 11th floor office on a stark, colorless hallway at FBI headquarters in Washington, Gerber's stomach turned as he took his first look at a new enemy.

Gerber was a hunter, one of the government's best. These days, he was hunting worms, malicious computer programs let loose into the wild of the Internet by some of computerdom's most brilliant hackers. Two months earlier Gerber, 56, had left his job at the CIA, where he helped write the president's daily intelligence briefing, to head the analysis and warning division at the FBI's National Infrastructure Protection Center. There, he and his crew of more than 60 tracked worms, viruses and other computer evils, as well as the hackers who create them. Both threatened daily to shut down the engines of modern life - electrical power grids, the banking system, water treatment facilities, the World Wide Web.

Worms were the most vicious new beasts to stalk the Internet. But Gerber had never seen a worm quite like the one he confronted that sweltering Wednesday morning in June.

It was named Leaves after "w32.leave.worm," the poisonous file it implanted in unsuspecting computers. Like all worms, Leaves bored through cyberspace, probing Internet connections for holes in personal computers or Web servers. It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock.

Leaves was hardly the first worm to infest the Internet. In fact, the pests became so common in 2001, that security cognoscenti dubbed it the "Year of the Worm." Worms wrought all sorts of damage. They forced computers to delete critical files or erase entire programs. They also allowed hackers to steal personal information from computers' memories. Once they infested their victims, worms made clones, then used their hosts as launching pads for more worms, whose numbers grew exponentially.

In 2000, Gerber and his team began battling a new species of even more virulent superworms. Rather than devour computers' innards, these worms hijacked their victims' controls, rendering them powerless zombies. With a gang of zombies at his command, the creator of a superworm could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.

In the spring of 2000, Gerber's colleagues took on a 15-year-old hacker who called himself Mafiaboy. The teenager turned his zombies loose on World Wide Web giants Amazon.com, eBay and Yahoo!, launching what is called a distributed denial of service attack that shut down business at the sites for five hours. It cost shareholders and the companies billions and shocked the Web world.

But compared with the Leaves worm, Mafiaboy's creation was a larva. Gerber's best analysts had worked late into the night trying to make sense of a sample of Leaves captured by worm watchers at the SANS Institute, a computer research center in Bethesda, Md. They let Leaves infect a computer, and then they watched how it behaved. What Gerber saw fascinated and appalled him.

Leaves was a zombie maker on steroids. It searched out computers already wounded by another Internet scourge called a Trojan, which installs back doors in the machines. Leaves used a Trojan called SubSeven as its entrance. Once transformed, the zombies awaited orders. To communicate with them, Leaves' creator ordered his zombies to rendezvous online through Internet Relay Chat channels. He also told them to visit certain Web sites and download encrypted information to receive instructions on what to do next. No one knew who was controlling the zombies, from where or why.

Reading the guest registries of chat rooms, Gerber discovered that an army of 1,000 Leaves zombies already was on the march. Mafiaboy, by contrast, had a few hundred conscripts and sometimes used only a dozen to attack a Web site.

What's more, Leaves contained an electronic gene enabling its creator to control every zombie at once from any Internet connection in the world.

Gerber never had seen a worm so sophisticated or terrifying.

But to exterminate it, Gerber needed more samples to dissect and more time. Pulling out the lines of computer code that told the worm how to behave might help him shut it down. Or, if he could identify the worm maker's ultimate goal, Gerber might be able to head him off.

The FBI group usually worked alone or with a few select federal officials and private sector consultants. But even Gerber's top-flight team was daunted by Leaves. It was time to call in help. Only a public-private posse of America's best hacker trackers could gut this worm.

By pulling such a group together for the first time and then letting it operate largely unsupervised, Gerber created a new model for federal computer crime fighting.

June 29
FBI Strategic Information
and Operations Center,
Washington


Gerber called the most seasoned and cunning code crackers, worm gurus and cyber soldiers from government and industry to meet at FBI headquarters. On a Friday afternoon, 10 days after Leaves was discovered, the posse gathered in the FBI's crisis headquarters, the Strategic Information Operations Center.

It was the most concentrated arsenal of computer crime-fighting talent the government ever had gathered. They came from leading security companies Symantec and Network Associates, the FBI, the White House and the Defense Department.

But there was a hitch. The private experts were uneasy. Could they trust the G-men? Uncle Sam was a bumbling bureaucrat. His security was notoriously lax. Hackers had been penetrating military and intelligence agency computers for years. What could federal officials possibly know about fighting an enemy as elegant as Leaves?

The two sides eyed each other warily as Gerber laid out what he knew. The evidence seemed to show that Leaves' creator was preparing a massive denial of service attack. Everyone would have to work together to stop it. Mistrust would keep them apart. It took Marcus Sachs, a cyber soldier from a Pentagon unit trained to attack foreign networks, to bridge the suspicion gap.

Sachs dazzled the room with his observations and theories about Leaves. With casual command of hacker lingo and the history of worms and their attacks, he demonstrated both the expertise of the government corps and the urgency of defeating this unique and dangerous foe.

The ice melted. Slowly, a simple sheet of paper passed around the room. First one, and then the next, wrote down his name, e-mail address and phone number. The Leaves posse came to life and it readied for a fight.

Days later
Los Angeles

Jimmy Kuo left the meeting to conduct an electronic autopsy.

Kuo, a research fellow at the security firm Network Associates, took samples of the worm home to Los Angeles. Many in the Leaves posse returned home to operate on their own turf, not from a single base in Washington. "In this line of work, it doesn't matter where you are, as long as you have a laptop computer and a phone," Kuo says.

The Leaves code was a jumbled mess. It was encrypted and compressed - data had been squeezed together to save space. Mr. Leaves, as some in the posse had begun calling the worm's creator, knew his creation would be captured. He ensured the worm wouldn't easily give up its secrets. Kuo ripped apart layers of code with powerful programs to reveal the deeper truths Leaves was hiding.

Other members of the posse were ripping Leaves, too, untying its knotted innards. One wrote a program to mimic the Trojan that Leaves used as a back door. The posse laid the trap across the Internet.

Sharing their discoveries by phone and e-mail, the code crackers found eight variants, or mutations, of the worm. Mr. Leaves was tweaking his weapon, finding new ways to deliver it. And he was moving faster than the posse.

While Kuo ripped in Los Angeles, a posse member watched for abnormal Internet traffic from SANS in Bethesda. Still others huddled at the FBI. The group worked smoothly because nobody was in charge, Sachs says. "Egos didn't get in the way of progress." They worked fast, but as days passed, their analysis yielded fewer new results. They learned much about the worm's attributes, but little about its purpose.

Mr. Leaves had directed the zombies to synchronize their clocks with the Naval Observatory clock on the Web. The army was prepared to attack in unison. No doubt, Mr. Leaves soon would begin his onslaught.

Unless someone could find him first.

Early July
FBI headquarters,
National Infrastructure Protection Center
computer investigation unit

FBI Special Agent Michelle Jupina wanted two things: to find Mr. Leaves and to lock him up. The bureau sought Leaves' creator on criminal charges of unlawfully entering a computer. Jupina was at the first posse meeting in June, but she kept a low profile. Assigned to the infrastructure protection center, Jupina, 36, was well-versed in cyber jargon. She understood how hackers thought and maneuvered.

The posse saw Leaves as a marvel of engineering. But to Jupina, the worm and its maker were just garbage to clean up. Short, quiet and hidden under a mane of frosty blonde hair, Jupina didn't seem capable of bursting through a hacker's door and yanking him off his keyboard. She was so unobtrusive that a posse member recalls he didn't even know she was a cop until she got up from her seat one day and "I saw a cannon strapped to her side."

But as the posse ripped Leaves apart, Jupina was a constant eavesdropper, digging for evidence in the pile of Leaves' secrets the posse unearthed. Even as new revelations slowed, Jupina and the agents under her command feverishly followed leads. Steadily, they shut down the Web sites Leaves' zombies used to receive instructions. They planted tracking devices to pick up the hacker's footprints.

Second week of July
FBI Strategic
Information
Operations Center

Weeks passed. The zombies remained quiet.

Gerber had issued a public warning about Leaves on June 23. The private sector posse members had warned their customers. News that Leaves was on the loose circulated through the computer security trade press. But still no attack.

Ripping continued. The zombie army grew. By July, at least 20,000 computers were encamped in chat rooms or patiently waiting for their orders. "That scared the hell out of us," Gerber says.

Mr. Leaves was getting wily. Whenever the team shut down one Leaves chat room the worm automatically created a new one. Mr. Leaves tried new methods, too. On July 9, one of the companies in the posse found an e-mail claiming to be a security bulletin from Microsoft Corp. The bulletin warned of a new virus, and told users to download a file to protect their computers. In the file was Leaves.

The bogus warning was badly written and eerily self-congratulatory:

"Yesterday the Internet has seen one of the first of it's downfalls. A virus has been released. One with the complexity to destroy data like none seen before."

Today, hackers often mask their worms as official security warnings, but this was the first use of the tactic. Like many outlaws, Mr. Leaves inspired a certain grudging admiration within the posse chasing him. "I had a feeling I was dealing with an artisan," Gerber says.

Or possibly a common crook.

Perplexed by the lack of attack, someone in the posse posed a new theory: Perhaps instead of damage, Mr. Leaves sought money.

The posse knew that some companies paid Web surfers to click on advertisements on their sites in order to inflate estimates of the success of the ads. With 20,000 zombies to click for him, Mr. Leaves could make a killing. Some of the sites the zombies visited contained these ads. If the FBI could find an account where Mr. Leaves put the funds, trace it to a physical address and tie it to him, the case might be solved.

Convinced Leaves had to have been created for a denial of service attack, the posse scorned this theory. Pulling off one of the biggest attacks ever was the only glory befitting such a brilliant worm.

But something didn't make sense. Mr. Leaves was taking an awful risk by not attacking. Every time he logged on to communicate with his zombies, the FBI had another chance to trace him. Why expose himself? Why not just preprogram the zombies to act on their own? The scam began to seem more believable.

But before the posse could prove its theory, an attack began. It wasn't the work of Leaves.

On July 17, a new worm appeared - Code Red. It was named after Mountain Dew Code Red soda, the only thing that kept two private sector analysts awake as they tracked it day and night.

Leaves propagated like a rare illness, targeting only victims with weakened immunity. But Code Red spread like smallpox. The worm exploited a ubiquitous hole in one of the most popular brands of Microsoft Web servers. In a few hours, Code Red had eaten into more than 100,000 servers worldwide. The swarm of worms leaping from machine to machine caused an electronic traffic jam, slowing all Internet traffic. In the aftermath of the attack, companies would spend billions of dollars plugging the holes that let Code Red enter.

Able as it was, the posse didn't have the strength to fight both Code Red and Leaves at once. The choice was clear: Code Red took precedence.

The Leaves posse had built a new model for chasing Internet outlaws. They honed it battling Code Red. But fighting the new menace left Leaves on the back burner. All they could do was hope that Leaves was no more than an Internet heist or pray that Jupina and her crew could track down and nab Mr. Leaves before he, too, unleashed his zombie brigades.

For weeks, Jupina and her technicians had laid traps and tracers across the Internet. She wanted the hacker's Internet protocol address, the digits that identify anyone who sends information online. Hackers cover their tracks by erasing those addresses from the servers they use. But Mr. Leaves had slipped.

In a cache of addresses Jupina had pulled off a server in Oklahoma at the end of June, she found one used by Mr. Leaves. It was a hot lead.

But chasing the address could take Jupina around the world. And she could nab Mr. Leaves only if he lived in a country that considered hacking a crime. If he did, the company that provided his Internet service would have to cough up his home address and Jupina would have her man. Luckily, after some tracking, Jupina hit gold: Mr. Leaves' address originated in the United Kingdom, home to some of the toughest computer crime statutes in the world.

Jupina rang the Scotland Yard computer crime unit. Within days they traced the Internet address and attached it to a name and a place. The hacker was a 24-year-old man living in one of the seedier sections of London. Scotland Yard set up a stakeout at his digs.

July 23
FBI headquarters and
South London, England

Back at FBI headquarters, Jupina kept watch on a computer monitoring the Oklahoma Web server. When Mr. Leaves logged on again, Jupina would know. Jupina waited with Scotland Yard's phone number at the ready. Officers in South London sat tight outside the hacker's residence.

Nothing.

And then, there he was.

Jupina watched as the hacker connected to the Oklahoma server. She gave the word to Scotland Yard: Go. The officers arrested the creator of one of the most ingenious worms ever known.

Epilogue

The Leaves posse proved itself during the Code Red attack. Code Red made headline news. The FBI, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems. Crippling of the White House Web site was narrowly avoided; Pentagon Internet connections were temporarily shut off. Damage was significant - estimates are in the billions of dollars - but it would have been worse had the response not been as fast and well organized. No perpetrator has been identified.

Mr. Leaves caused no major damage before the posse rounded him up. And the same team remains on guard against new worms or other cyber threats. When one appears, the posse comes alive. E-mails fly, home telephones ring as the members swing into action, sharing what they know, tracking, dissecting, devising traps and passing evidence to the FBI.

In November 2002, shortly before leaving the FBI and returning to the CIA, Bob Gerber sat in a new office at FBI headquarters. Next to a bookcase full of hacker treatises, with a can of Mountain Dew Code Red displayed prominently on a shelf, Gerber pondered Mr. Leaves' motive. The FBI never found evidence the hacker had stolen money using the worm. Gerber and Jupina had brought the case all the way to a collar, yet they might never know Mr. Leaves' ultimate goal. "As far as I know, no one ever asked Mr. Leaves why he did what he did," Gerber says.

And no one ever may get the chance. In November 2001, the man who confessed to British authorities that he'd created the Leaves worm received a "formal caution," a legal warning usually reserved for juvenile crimes and minor drug offenses.

The lead officer on the case insists the agency has information about the hacker's motives that the FBI hasn't heard. But Scotland Yard refuses to divulge what it knows. Citing British law, officials refuse even to reveal the hacker's name.

Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting.

Published in Government Executive
Shane Harris
Intelligence and Homeland Security Correspondent, National Journal
