The Unheeded Warning | 189
ton had pointed out to me that “the business of intelligence services requires understanding precisely the relationship of their opposition to them.” His view, though his opponents inside the CIA would call it with some justification an obsession, was that an intelligence service had to focus on the moves of its rivals. To accomplish this “business” in the first decade of the twenty-first century, the CIA had to establish why its new opposition, the SVR, was laying the foundation for an espionage operation. What were its priorities in the resumption of the intelligence war? Its inside man in the SVR, Poteyev, provided it with a tremendous advantage in this relationship. He knew the links in a sleeper network that the SVR believed was safely hidden from surveillance. If they were followed, when they were activated, they could expose whatever recruits the SVR had in the American government. The CIA duly shared this information about the sleeper ring with the FBI, which had the responsibility for the surveillance of foreign agents in the United States. The FBI, for its part, kept the Russian sleeper agents under tight surveillance—an operation that grew in complexity and expense as more SVR agents arrived in the United States. Meanwhile, in Moscow, Poteyev was following the unfolding operation. Part of his SVR job was to continue preparing these “Americans,” as they were called by the SVR, for their assignments. Some had been sent as couples, others as singles. One of the singles that Poteyev personally handled was Anna Kushchyenko. She was a strikingly beautiful Russian student who changed her name to Anna Chapman by briefly marrying a British citizen she met at a rave party. After taking his name, she left him. After completing her training in Russia, she was sent by the SVR to New York City to establish herself as an international real estate specialist.
Other “Americans” under Poteyev’s watch became travel agents, students, and financial advisers. In all, Poteyev identified to the CIA twelve such sleeper agents. The cost of FBI surveillance of them over the years became sizable. According to a former FBI agent, around-the-clock surveillance on the movements and communications of a single individual can cost over $10,000 a day. When the CIA received Poteyev’s message in 2010 warning that Russian military intelligence had asked the SVR to activate some of
| | Epst_9780451494566_2p_all_r1.z.indd 189 @ 9/29/16 5:51 Pa | | HOUSE_OVERSIGHT_019677
190 | HOW AMERICA LOST ITS SECRETS
its sleeper agents for a highly sensitive assignment, that suggested Russian intelligence had found a possible source who could supply it with valuable information. According to a former CIA intelligence official who later became involved in the case, the assignment involved preparing these agents to service a potential source in the NSA at Fort Meade, Maryland. If true, it suggested that Russian intelligence either had found or was working on a means of penetrating the NSA. In 2010, the NSA division that handled such security and espionage threats reportedly initiated a counterespionage probe at the NSA’s Fort Meade headquarters. According to a former NSA official, “They [were] looking for one or more Russian spies that NSA [was] convinced resided at Fort Meade and possibly other DoD Intel offices, like DIA.” Because the NSA’s cryptological service had in 2010 thirty-five thousand military and civilian contractor employees, the search for a possible leak was no easy matter. According to a subsequent note in the NSA’s secret budget report to Congress, it would require “a minimum of 4,000 periodic investigations of employees in position to compromise sensitive information” to safely guard against “insider threats by trusted insiders who seek to exploit their authorized access to sensitive information to harm U.S. interests.” According to a former executive in the intelligence community, that amount of investigation far exceeded the budgetary capabilities of the NSA. So while the investigation found no evidence of SVR recruitment, it remained possible that Russian intelligence had found a candidate in the NSA. Meanwhile, in June 2010, to preempt such a leak in U.S. intelligence and avoid any potential embarrassment that could result, the FBI decided it could no longer engage in this sort of an intelligence game with the sleeper network. It arrested all twelve sleeper agents identified by Poteyev.
After receiving a great deal of public attention (which led to their inspiring the FX series The Americans), the sleeper agents were deported to Russia. This move had both advantages and disadvantages. The main advantage was that it severed any communication link between the putative person of interest in the NSA and Russian intelligence via the sleeper agents. The main disadvantage was that it eliminated the possibility that FBI surveillance
of the illegals might lead the FBI to a possible recruit in the NSA or elsewhere. The preemptive arrests also had an unforeseen consequence. They resulted in accidently compromising Poteyev. When Chapman returned to Moscow after a spy exchange, she was taken to a well-publicized dinner with Putin. Afterward, she informed her debriefer at the SVR that only Poteyev had been in a position to know the password that an FBI agent had used to try to deceive her into believing she was speaking to an SVR officer. This brought Poteyev under immediate suspicion. Tipped off by the CIA to the FBI's error, Poteyev managed to escape by taking a train from Moscow to Belarus, where the CIA exfiltrated him to the United States. Poteyev had been saved from prison—or worse—but he was no longer useful to the CIA as a mole. Without the services of Poteyev in the SVR in Moscow, U.S. intelligence was unable to find out further details about the mission to which Poteyev’s sleeper agents were to be assigned. All it had discovered was the history of the preparations for a major espionage revival. It now knew that the SVR had installed plumbing in America and that one or more agents in this network had been activated to handle a possible recruit in the NSA. But without anyone left in the sleeper network to follow and without an inside source in the SVR, it had no further avenues to fruitfully pursue. The revelation of the sleeper agents had little if any other intelligence value. The NSA’s own security investigation turned up no evidence of a leak at Fort Meade in 2010. That of course doesn’t mean there hadn’t been one. The Russian intelligence service had demonstrated in the past that it was well schooled in covering its tracks in operations against U.S. communications intelligence. For example, CIA counterintelligence had learned from a KGB defector in the early 1960s that Russian intelligence had penetrated the cipher room at the U.S.
embassy in Moscow and, because of this operation, the KGB was able to decipher crucial communications. Even so, it failed to find either the perpetrator or any evidence of his existence for more than half a century. The operation was only definitively revealed by the Russian spymaster Sergey Kondrashev in 2007. Tennent Bagley, who headed the CIA’s Soviet bloc counterintelligence at the time, lately
wrote in his book that the ability of Russian intelligence to conceal this penetration for more than half a century “broke the record for secret keeping.” This Russian ability to penetrate U.S. intelligence was not entirely defeated by America’s implementation of more sophisticated security procedures, such as the polygraph examination and extensive background checks. In 1995, eleven years before Snowden joined it, the CIA’s inspector general completed a study of the KGB’s use of false defectors to mislead the U.S. government from the end of the Cold War in the late 1980s through the mid-1990s. It found Russia had dispatched at least half a dozen double agents who provided misleading information to their CIA case officers. Because the KGB operation went undetected for nearly a decade, the disinformation prepared in Moscow had been incorporated into reports (which had a distinctive blue stripe to signify their importance) that had been provided to Ronald Reagan, George H. W. Bush, and Bill Clinton. Even more shocking, in tracing the path of this disinformation, the inspector general found that the “senior CIA officers responsible for these reports had known that some of their sources for this information were controlled by Russian intelligence,” yet they did not inform the president and officials receiving the blue-striped reports that they included Russian misinformation. What the CIA director John Deutch called “an inexcusable lapse” also reflected a form of institutional willful blindness in U.S. intelligence, borne out of a bureaucratic fear of career embarrassment so well described in Le Carré’s spy novels. Detecting intelligence failures has, if anything, become even more difficult in the age of the anonymous Internet. The Snowden breach demonstrated the NSA had few if any fail-safe defenses against would-be leakers of communications intelligence.
In the new domain of cyber warfare, conventional defensive rules do not apply. “There are no rivers or hills up here. It’s all flat. All advantage goes to the attacker,” General Hayden said in an interview in 2015 with the publisher of The Wall Street Journal. His point was that because there are no defensive positions, the United States in cyber warfare must rely on an aggressive offensive. If fully successful, such an offensive would so deeply penetrate the defenses of
an adversary’s intelligence organization that it could not mount any of its own surprise cyber attacks. It would also make it difficult if not impossible for adversary services to recruit a spy in the NSA. For example, the CIA penetration of the SVR in 2010 prevented it from using its sleeper network against U.S. targets. “The best defense in this game may be an overwhelming offensive,” a former intelligence official said to me. “But that strategy only works if we can keep secret sensitive sources.” Central to this offensive strategy was the NSA’s National Threat Operations Center in Oahu. It employed threat analysts to surreptitiously monitor the secret activities of potential enemies, mainly China, Russia, and North Korea. A large part of their job was to make transparent to the United States the hostile activities of the Russian and Chinese services so that they posed little if any intelligence threat to America. This strategy worked so long as the NSA guarded itself, but it also raised the issue, as the Roman Juvenal famously warned, “Quis custodiet ipsos custodes?” (Who will guard the guards themselves?) Less than three years after the NSA had received the Poteyev warning, instead of guarding secrets, Snowden stole them. Despite all the measures the NSA had taken to protect its vital secrets, a lowly civilian employee had walked away with the lists of secret NSA sources in China and Russia and then gone first to China and then to Russia. In the hands of their intelligence services, these stolen lists had the potential to totally upend the NSA’s offensive strategy. Because Russia and China have an intelligence treaty for sharing such spoils between them when it is to their mutual advantage, it had to be assumed that if either country had acquired the secrets from Snowden, they would be shared between them, altering the balance of power between the communications intelligence services of the United States and its adversaries.
Following the Snowden breach, both China and Russia had immense successes in breaking through the defenses of U.S. government networks, including the reported breaches in 2014 and 2015 of U.S. personnel files and background checks. When I asked General Hayden in June 2015 if these successes were made easier by those documents compromised by Snowden, he replied, “Even though I
cannot make a direct correlation here, unarguably our adversaries know far more about how we collect signals intelligence than they ever did before [Snowden].” If Snowden could cause such massive damage, so could other civilian trainees at the NSA. Someone in the chain of command had to take responsibility. General Alexander tendered his resignation on June 30, 2013. “I’m the director,” he said, falling on his sword. “Ultimately, I’m accountable.” Because President Obama did not want the head of the NSA resigning in the midst of the Snowden crisis, he asked him to stay on for another six months. He then appointed Rogers to be his replacement. Meanwhile, it had become undeniably clear to the review committee appointed by President Obama in 2013 that the NSA’s own defenses had catastrophically failed. If so, this change was the equivalent of rearranging the deck chairs on the Titanic after it hit the iceberg.
PART THREE
THE GAME OF NATIONS
I learned that just beneath the surface there’s another world, and still different worlds as you dig deeper.
—DAVID LYNCH, on his 1986 film, Blue Velvet
CHAPTER 19
The Rise of the NSA
There are many things we do in intelligence that, if revealed, would have the potential for all kinds of blowback.
—JAMES CLAPPER, director of national intelligence, 2013
IN THE GAME OF NATIONS, which often is not visible to public scrutiny, the great prize is state secrets that reveal the hidden weaknesses of a nation’s potential adversaries. The most important of these in peacetime is communication intercepts. It was just such state secrets that Edward Snowden took from the NSA in the spring of 2013. Before that breach, America’s paramount advantage in this subterranean competition was its undisputed dominance in the business of obtaining and deciphering the communications of other nations. The NSA was the instrument by which the United States both protected its own secret communications and stole the secrets of foreign nations. The NSA, however, has an Achilles’s heel: It is dependent on civilian computer technicians who do not necessarily share its values to operate its complex system. Because of this dependence, it was not able in 2013, as it turned out, to protect its crucial sources and methods. Snowden exposed this vulnerability when he walked away with the aforementioned descriptions of the gaps in America’s coverage
of the communications of its adversaries. Even though the Cold War had been declared over after the collapse of the Soviet Union a quarter of a century earlier, the age-old enterprise of espionage did not end with it. Russia and China still sought to blunt the edge that the NSA gave the United States. The Snowden breach therefore needs to be considered in the context of the once and future intelligence war. The modern enterprise of reading the communications of other nations traces back in the United States to military code-breaking efforts preceding America’s entry into World War I. The invention of the radio at the end of the nineteenth century soon provided the means of rapidly sending and getting messages from ships, submarines, ground forces, spies, and embassies. These over-the-air messages could also be intercepted from the ether by adversaries. If they were to remain secret, they could not be sent in plain text. They had to be sent in either code, in which letters are substituted for one another, or, more effectively, a cipher, in which numbers are substituted for letters. Making and breaking codes and ciphers became a crucial enterprise for nations. By 1914, the U.S. Army and Navy had set up units, staffed by mathematicians, linguists, and crossword puzzle solvers, to intercept and decode enemy messages. After the war had ended in 1918, these units were fused into a cover corporation called the Code Compilation Company, which moved to new offices on Thirty-Seventh Street and Madison Avenue in New York City. Under the supervision of the famous cryptographer Herbert O. Yardley, a team of twenty code breakers was employed in what was called the Black Chamber. Yardley arranged for Western Union, which had the telegraph monopoly in America, to provide the Black Chamber with all the telegrams coming into the United States.
“Its far-seeking eyes penetrate the secret conference chambers at Washington, Tokyo, London, Paris, Geneva, Rome,” Yardley wrote about the Black Chamber. “Its sensitive ears catch the faintest whispering in the foreign capitals of the world.” But in 1929, at the instructions of President Herbert Hoover, Secretary of State Henry Stimson closed the Black Chamber, saying famously, “Gentlemen should not read each other’s mail.” The moratorium did not last long. With war looming in Asia and
Europe, President Franklin D. Roosevelt reactivated the operation as the Signal Security Agency. It proved its value in breaking the Japanese machine-generated cipher “Purple.” In June 1942, using deciphered Japanese messages to pinpoint the location of the Japanese fleet at Midway, America won a decisive naval victory in the Pacific. Germany’s Enigma encoding machines, with three encoding wheels, proved more of a challenge. Initially, British cryptanalysts led by the brilliant mathematician Alan Turing succeeded in building a rudimentary computer to decipher Germany’s messages to its submarines and bombers, but in 1942 Germany added a fourth set of encoding wheels, escalating what was essentially a battle of machine intelligence. The U.S. Navy then contracted with the National Cash Register Company to build a computing machine capable of breaking the improved Enigma, and in May 1943 it succeeded. By the time the war ended in 1945, the United States had over one hundred giant decryption machines in operation. This unrivaled capability to read the communications of foreign nations, which remained one of America’s most closely guarded secrets, was transferred to the Army Security Agency based at Fort Meade, Maryland. Then, on October 24, 1952, President Harry S. Truman greatly expanded its purview and changed its name to the National Security Agency. The NSA was given two missions. The first one was protecting the communications of the U.S. government. The main risk was that the Soviets would find a way of breaching U.S. government channels of communications. The second mission was intercepting all the relevant communications and signals of foreign governments. This latter mandate included the governments of allies as well as enemies. The president, the other intelligence services, and the Department of Defense deemed what was relevant for national security.
Even though the NSA remained part of the Department of Defense, its job went far beyond providing military intelligence. It also acted as a service agency to other American intelligence services. They prepared shopping lists of foreign communications intelligence targets for the NSA to pursue. As the Cold War heated up in the 1960s, the NSA provided intelligence not only to the Pentagon but to the Department of State, the
Central Intelligence Agency, the Treasury Department, the Atomic Energy Commission, and the FBI. With a multibillion-dollar “black budget” hidden from public scrutiny, the NSA’s technology directorate invested in state-of-the-art equipment, including supercomputers that could break almost any cipher, antennas mounted on geosynchronous satellites that vacuumed in billions of foreign telephone calls, and other exotic capabilities. It also devised stealthy means of breaking into channels that its adversaries believed were secure. This enterprise required not only an army of technical specialists capable of remotely intercepting even the faintest traces of electromagnetic signals, hacking into computers, and eavesdropping on distant conversations but also special units called “tailored access operations,” to plant listening devices in embassies and diplomatic pouches. The NSA also organized elaborate expeditions to give access to or even penetrate physical cables in enemy territory. In 1971, for example, the NSA sent a specially equipped submarine into Russia’s Sea of Okhotsk in Asia to tap through Arctic ice. The target was a Russian cable four hundred feet below the surface that connected the Russian naval headquarters in Vladivostok with a missile testing range. In 1980, President Ronald Reagan gave the NSA a clear mandate to expand its interception of foreign communications. In Executive Order 12333, he told the NSA that “all means, consistent with applicable Federal law and this [Executive] order, and with full consideration of the rights of United States persons, shall be used to obtain reliable intelligence information to protect the United States and its interests.” It did not restrict any foreign country, either an adversary or an ally, from its surveillance. The NSA’s target soon became nothing short of the entire electromagnetic spectrum.
“We are approaching a time when we will be able to survey almost any point on the earth’s surface with some sensor,” Admiral Stansfield Turner, the former director of central intelligence, wrote in 1985. “We should soon be able to keep track of most of the activities on the surface of the earth.” Bobby Ray Inman, a former director of the NSA and deputy director of the CIA, argued that the “vastness of the [American] intelligence ‘take’ from the Soviet Union, and the pattern of continuity going back years,
even decades,” greatly diminished the possibility of Soviet deception so long as the NSA kept secret its sources. The NSA did not rely entirely on its own sensors for this global surveillance. It also formed intelligence-sharing alliances with key allies. The most important was with the British code-breaking service, GCHQ, which had achieved enormous success in World War II in using computers to crack the German Enigma cipher. This alliance expanded to include Canada, Australia, and New Zealand in the so-called Five Eyes Alliance. Because over 80 percent of international phone calls and Internet traffic passed through fiber-optic cables in these five countries, the alliance had the capability of monitoring almost all phone and Internet communications. The NSA also established fruitful liaisons with the cyber services of Germany, France, Spain, Italy, the Netherlands, Portugal, Israel, Japan, and South Korea, which were often willing to provide the NSA with access to telecommunications links in their countries. These long-term allies greatly strengthened the NSA’s hand in other ways in the intelligence war. For example, the so-called James Bond provision of the British Intelligence Services Act of 1994 allowed officers of the GCHQ to commit illegal acts outside Britain, including planting devices to intercept data from computer servers, cell phones, and other electronic targets. And, as Snowden’s release of documents revealed in 2013 and 2014, these foreign allies fully shared their information with the NSA. Of course, the liaison between the NSA and its allies was a two-way street. In 2013, none of these other countries had a global network of geosynchronous sensors in outer space and under the ocean that could monitor signals from missile launching, submarines, military deployments, nuclear tests, and other matters of strategic importance to them.
Nor did these allies have the cipher-breaking capabilities of the array of NSA supercomputers. The NSA had assiduously built these means at a cost of over half a trillion dollars and employed tens of thousands of linguists who could translate almost any dialect or language of interest. Even though these allies had their own cipher services and local capabilities, they depended on the NSA to provide them with a large
share of their signals intelligence. From the perspective of defending themselves from potential threats, the deal that these allies had with the NSA was mutually advantageous. The NSA’s overseas intelligence gathering was not limited to adversary nations. With the exception of the Five Eyes allies, it gathered data that was deemed important by the president and the Defense Department in friendly countries. These operations had been approved by every American president and funded by every American Congress since 1941. After all, even in the realm of allies, activities take place that run counter to American interests. The 9/11 conspiracy, for example, was hatched in Hamburg, Germany, and financed in Dubai and Saudi Arabia. Nor were American allies unaware of the reach of the NSA. “Yes, my continental European friends, we have spied on you. And it is true we use computers to sort through data by using keywords,” the former CIA director James Woolsey wrote in The Wall Street Journal in 2000. “Have you stopped to ask yourselves what we are looking for?” Whether or not it was appreciated by other countries, the global harvesting of communications intelligence by the NSA was hardly a secret. As the NSA expanded further, it delegated part of its work to regional bases, including ones in Utah, Texas, Hawaii, and Japan. The paramount task of the NSA remained monitoring the channels of communications that an adversary might use. The vast proliferation of these channels in cyberspace, which included e-mail, social media, document sharing, and other innovations of the Internet age, greatly complicated this task. Even so, this challenge was not insurmountable, because most of the Internet actually traveled through fiberglass landline cables that crossed the territories of the United States, Britain, and Australia.
So the NSA found the technical means, including voluntarily gaining access to major Internet companies, to “harvest” vast amounts of this Internet data. America’s other intelligence agencies quickly recognized the value of the communications intelligence gleaned from foreign telecommunications. John E. McLaughlin, who was the CIA’s acting director in 2004, described the NSA as nothing less than the “very foundation of U.S. intelligence.” It served as a “foundation” for the CIA because intercepted
communications intelligence allowed the CIA (and other U.S. intelligence services) to test and verify the reports of their human sources in foreign countries. Moreover, because of the immense amount of foreign data that the NSA vacuumed in through its global sensors, it provided the CIA with an effective means for discovering new targets in adversary nations. By the first decade of this century, the NSA’s surreptitious efforts to render the Internet transparent to U.S. intelligence had earned it a new set of enemies. They were the previously mentioned hacktivists who were attempting to shield the activities of Internet users from the intrusions of government surveillance. They employed both encryption and Tor software to defeat that surveillance. But the NSA did not conceal that it was intent on countering any attempt to interfere with its surveillance of the Internet. It built back doors into encryption and worked to unravel the Tor scrambling of IP addresses. It made leading hacktivists targets. Brian Hale, the spokesman for the director of national intelligence, disclosed that the United States routinely intercepted the cyber signatures of parties suspected of hacking into U.S. government networks. Following the 9/11 attacks on the Pentagon and the World Trade Center, the surveillance of the Internet became an integral part of the Bush administration’s war on terrorism. In October 2001, Congress expanded the NSA’s mandate by passing the USA Patriot Act. As I described earlier, Section 215 of the act directly authorized the NSA, with the approval of the FISA court, to collect and store domestic telephone billing records. The idea was to better coordinate domestic and foreign intelligence about al-Qaeda and other jihadist groups. This put the NSA directly in the anti-terrorist business. It also necessitated the NSA vastly increasing its coverage of the Internet.
The mantra in government in this post-9/11 intelligence world became “connect the dots.” Congress through this act essentially demolished the wall between domestic and foreign intelligence when any NSA activity related to foreign-directed terrorism. It further made the NSA a partner with the FBI in tracking phone calls
made from phones originating outside the United States by known foreign jihadists. If these calls were made to individuals inside, the NSA was now authorized to retrieve the billing records of the person called and those people whom he or she called. These traces were then supplied to the FBI. The new duties also increased the NSA’s need to create new bureaucratic mechanisms to monitor its compliance with FISA court orders. Rajesh De, the NSA’s general counsel at the time of the Snowden breach, described the NSA as becoming by 2013 “one of the most regulated enterprises in the world.” Grafted onto its intelligence activities were layers of mandated reporting to oversight officials. Not only did the NSA have its own chief compliance officer, chief privacy and civil liberties officer, and independent inspector general, but the NSA also had to report to a different set of compliance officers at the Department of Defense, the Office of the Director of National Intelligence, and the Department of Justice. Additionally, the Department of Justice dispatched a team of lawyers every sixty days to review the results of “every single tasking decision” approved by the FISA court. According to De, just assembling these reports involved thousands of hours of manpower. In addition, the president’s Oversight Board required that the NSA’s Office of the General Counsel and inspector general supply it every ninety days with a list of every single error and deviation from procedure made by every NSA employee anywhere in the world, including even minor typing errors. These requirements, according to De, inundated a large part of the NSA legal and executive staff in a sea of red tape.
Yet this regulation could not undo surveillance programs such as the one Snowden revealed of Verizon’s turning over the billing records of its customers to the NSA, because the NSA was in compliance with the FISA court order (even though, as it turned out in 2015, the FISA court might have erred in interpreting the law). The NSA’s focus on surveillance might have led to the neglect of its other mission: protecting the integrity of the channels through which the White House, government agencies, and military units send information. This task had been made vastly more difficult by the proliferation of computer networks, texting, and e-mails. To protect government networks from cyber attacks, the Pentagon belatedly created the U.S. Cyber Command in 2009. In it, the cyber-defense units of the army, navy, marines, and air force cyber forces were merged together and put under the command of the NSA director. General Keith Alexander became the first director of this new command. One problem for the Cyber Command was separating attacks by civilians, including criminals, hacktivists, and anarchists, from cyber warfare sponsored and supported by adversary states. Because foreign intelligence services often closely imitated the tools of civilian hackers, and were even known to provide them with hacking tools, it was not easy for the Cyber Command to unambiguously determine if the ultimate perpetrator of a cyber attack was state sponsored. For example, the identification of North Korea as the principal actor behind the attack on Sony in December 2014 appeared to be a rare success, but many cyber-security experts believed that it might be a false trail used to hide the real attacker. Clues could be fabricated in cyberspace to point to the wrong party. The job of the Cyber Command was to prevent such an attack. To this end, it planted viruses on hundreds of thousands of computers in private hands to act as sentinels to spot other suspicious viruses that could mount such an attack. Private computers had become a new battleground in the cyber wars. It also built a capability to retaliate. Still, cyber attacks, which were launched through layers of other countries’ computers, could not be unambiguously traced back to the true perpetrator. This escalation by the Cyber Command set the stage for expanded forms of warfare in cyberspace. “The Chinese are viewed as the source of a great many attacks on western infrastructure and just recently, the U.S. electrical grid,” General Alexander said in explaining the need for this consolidation.
“If that is determined to be an organized attack, I would want to go and take down the source of those attacks.” The same retaliation would presumably be used against Russia, Iran, or any other adversary. Dominance of cyberspace itself now became part of the NSA’s mandate. Even so, the most important job of the NSA remained intercepting secret information from Russia, China, Iran, and North Korea. To this end, it had an annual budget of $12.3 billion and some thirty-five thousand military and civilian employees.
In 2013, James Clapper, director of national intelligence, justified the secret intelligence budget by saying in an open session of Congress, “We are bolstering our support for clandestine SIGINT [signals intelligence] capabilities to collect against high priority targets, including foreign leadership targets,” and to develop “groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic.” It was no secret to Congress, even before Snowden, that the NSA was attempting to monitor the Internet. What was a closely held secret before Snowden revealed it was that the NSA had found a way in 2007 to intercept Internet traffic before it was encrypted. Through all this tumult, the heart of the NSA’s activity remained its five-thousand-acre base at Fort Meade, Maryland. It commanded the most powerful mechanism for intercepting communications that the world had ever seen. No other country came close to its technology for intercepting information. The NSA not only was able to intercept secret information from potential adversaries but also—at least until the Snowden breach—managed to conceal these means from them. As long as these adversaries remained blind to the ways in which their communications were being intercepted, deciphered, and read by the NSA, they could not take effective countermeasures. Consequently, the NSA had the capability to provide the president and his advisers with continuous insights into the thinking and planning of potential enemies. Keeping its sources and methods secret was no easy task. The NSA’s technicians had to deal with continuous technical challenges to provide a seamless harvesting of data from a wide range of communication devices, including telephones, computers, and the Internet. It required continuous intra-agency communications between the NSA’s own intelligence officers and a growing number of civilian technicians.
It even had its own “Wiki-style” network through which they could discuss problems, called the NSANet. Because it could not tightly control access to this technical network, it expunged any mention of the sources and methods from the material circulated on the classified NSA network. Instead, it stored them in discrete computers, called compartments, which were disconnected from other computers at the NSA. These compartments could only be accessed by a limited number of analysts and NSA executives who had a need
to know about the data they contained. These compartments were the final line of defense against an inside intruder. In 2009, Snowden, as we know, found his way into the NSA through a temporary job with an outside contractor that was working for the NSA’s Technology Directorate to repair and update its backup system. Four years later, by maneuvering to get hired by another outside contractor with access to the NSA’s sources and methods, he was able to steal secrets stored in isolated computers bearing directly on the ongoing intelligence war. Snowden also copied from these compartments in a matter of weeks, as has been previously mentioned, the NSA’s Level 3 sources and methods used against Russia, Iran, and China. The Snowden breach demonstrated that the NSA’s envelope of secrecy was at best illusory. After this immense loss, the NSA’s sources inside these adversary countries were largely compromised, even if they were not closed down. Once these adversaries were in a position to know what channels the NSA was intercepting, they could use these same channels to mislead U.S. intelligence. A former top intelligence official told me, “The queen on our chessboard had been taken.” The NSA moved to mitigate the damage and find new ways of obtaining unexpected intelligence. In June 2014, the new NSA director, Rogers, had to confront flagging morale that, according to General Hayden, was near paralyzing the intelligence service. Rogers recognized that as a direct result of the Snowden breach, “the nation has lost capabilities against adversaries right now who are attempting to actively undermine us.” But even with that loss, he observed, “the sky has not fallen.” As in the Chicken Little fable he cited, the world had not ended for the NSA. Nor had it ended for the multibillion-dollar outsourcing enterprise it superintended.
The NSA might have lost many of its sources, or “capabilities,” but Rogers held out hope that new sources could eventually be found to replace them. Compromised codes, after all, could be changed. New technological methods could be devised. New vulnerabilities could also be targeted in enemy territories. Although repairing the damage might take many “decades,” according to Michael McConnell, the vice-chairman of Booz Allen, the new director had to get on with that task.
McConnell, a former NSA director himself, pointed out that the NSA director’s “first responsibility is to be the chief cheerleader.” Rebuilding the NSA capabilities assumed, however, that there would not be another Snowden-sized breach. The question remained: How could the NSA’s vaunted secrecy have been so deeply penetrated by a mere analyst in training at a regional base in Oahu? The perpetrator himself could not be asked if he was in Moscow pointing to the “incompetence” of the NSA in his Moscow interviews. What was known, though, was that the young man who had taken the “queen” from the board had gained entry to the NSA’s secret chambers through the back door, a portal opened to him by the NSA’s reliance on outside contractors.
CHAPTER 20
The NSA’s Back Door

You have private for-profit companies doing inherently governmental work like targeted espionage, surveillance, compromising foreign systems. And there’s very little oversight, there’s very little review.
—EDWARD SNOWDEN, Moscow, 2014

Prior to Snowden’s theft of NSA documents, the single most shattering blow to the confidence of the U.S. intelligence community was the 1994 exposure of Aldrich Ames as a long-serving Russian mole in the CIA. Ames, it will be recalled, had been a high-ranking CIA officer, working at the CIA’s Counterintelligence Center Analysis Group, before he was arrested by the FBI. He had also worked as a mole for Russian intelligence. In a plea bargain to avoid a death sentence (he was sentenced to life imprisonment), he admitted that he had successfully burrowed into the CIA and had worked there for over nine years on behalf of the KGB. His description of his sub-rosa activities as a mole was part of the plea bargain. This stunning revelation shook the CIA leadership to its core. Until then, CIA executives steadfastly denied that it was possible that the KGB could sustain a mole in American intelligence. The Ames arrest also led the NSA to reassess its own vulnerability to penetration. Could there be an Ames inside the NSA?
The question was considered by the NSA’s National Threat Operations Center, the same unit from which Edward Snowden later stole a huge trove of secret documents. According to a report in 1996 titled “Out of Control” (later released by the NSA), the danger of an Ames-type penetration could not be excluded. Even though the “threat officer” who wrote this report was not identified by name, his analysis proved incredibly prescient. He said that the NSA’s drive to enhance its performance by networking its computers would result in the intelligence services’ putting “all their classified information ‘eggs’ into one very precarious basket.” The basket was the computer networks run by technicians called system administrators. He pointed out that the NSA was becoming increasingly dependent on such networked computer systems, and he predicted that the NSA’s “Aldrich Ames,” as he put it, would be a “system administrator,” which was the position that Edward Snowden held nearly two decades later at Dell when he began stealing secrets. The NSA’s system administrators were, as the threat officer pointed out, very different from the traditional military employees at the NSA. They were usually civilians who effectively served as repairmen for complex computer systems. Moreover, many of them had not been directly hired by the NSA. Instead, their recruitment had been privatized to outside contractors. This outsourcing had deep roots tracing back to World War II. Ed Booz and Jim Allen, the founders of Booz Allen Hamilton, obtained contracts to help manage ship construction from the U.S. Navy. After the war ended, they sought contracts for their firm in classified work. These contracts grew in size as the NSA needed more and more system administrators and other information technologists to manage the computer networks. These system administrators needed to be given special privileges to do their service job.
One such privilege allowed them to bypass password protection. Another privilege allowed them to temporarily transfer data to an external storage device while they repaired computers. These two privileges greatly increased the risk of a massive breach.
Seeing them as the weak link in the chain, the threat officer wrote in the report that “system administrators are likely to be increasingly targeted by foreign intelligence services because of their special access to information.” Before the computerization of the NSA, the threat officer noted, code clerks and other low-level NSA communicators had been the targets of adversary intelligence services. But the increasing reliance on computer technicians presented foreign intelligence services with much richer targets. He predicted that they would adapt their recruiting to this new reality. Specifically, he argued that adversary intelligence services would now focus their attention on system administrators. “With system administrators,” he said, “the situation is potentially much worse than it has ever been with communicators.” The reason, he explained, was that “system administrators can so easily, and quickly, steal vast quantities of information.” He further suggested that because system administrators are often drawn from the counterculture of hacking, they are more likely to be vulnerable to an adversary service using a fake identity for its approach, or a “false flag.” A “false flag” was a term originally applied to a pirate ship that temporarily hoisted any flag that would allow it to gain proximity to its intended prey, but in modern times it describes a technique employed by espionage services to surreptitiously lure a prospect. False flags were a staple used by the KGB in espionage recruitment during the Cold War. They were usually employed when a target for recruitment was not ideologically disposed to assisting the intelligence service. To overcome that problem, recruiters hide their true identities and adopt a more sympathetic, bogus one. In 1973, the KGB, working through one of its agents in the U.S. Navy, used the false flag of Israel to recruit Jerry Alfred Whitworth, who served as a communications officer with a top secret clearance for the navy.
Like many other KGB recruits, Whitworth came from a broken family, dropped out of high school, took technical courses, and got a job as a communications officer. He was not disposed to working for Russia. But he was willing to steal enciphered and plain text cables to help in the defense of Israel. After he was thoroughly compromised by his espionage work, he was told by the KGB recruiter that he was actually working for Russia, but by this time
he was too deeply compromised to quit. He continued his espionage work for another eight years. (Whitworth, who was arrested by the FBI in 1985, was convicted of espionage and sentenced to 365 years in prison.) The Internet provided an almost ideal environment for false flags because its users commonly adopt aliases, screen names, and other avatars. The threat officer explained how easy it would be for the KGB to adapt such a false flag when dealing with a dissident system administrator working for U.S. intelligence. As the threat officer pointed out in his report, the KGB had used false flags in the late 1980s to surreptitiously recruit members of the “German Hanover Hackers,” a community of anarchistic hackers who breached computer networks for fun and profit. Until then, these hacktivists stole corporate and private passwords, credit card information, and other privileged documents as a form of freelance espionage. Because of their fervent anti-authority ideology, the KGB disguised its recruiters as fellow hacktivists. The KGB succeeded in getting the Hanover hackers to steal log-in account identifications, source codes, and other information from U.S. government computer networks. The weak link of system administrators became increasingly relevant as the NSA moved further into the digital age. By the beginning of this century, its growing networks of computers were largely operated by civilian technicians, including system administrators, infrastructure analysts, and information technologists, who were needed to keep the system running. Despite the warning by the threat officer, the NSA became more and more reliant on these outsiders as it reorganized to meet its new mandates for surveillance of the Internet in the war on terrorism. The NSA had to compete with technology companies, such as Google, Apple, and Facebook, for the services of experienced IT workers.
Though Booz Allen had been providing technically trained specialists to the government since the 1940s and ’50s, congressionally imposed salary caps put the NSA at a disadvantage to private firms in its recruitment efforts. As a result, it increasingly contracted with private firms to find talent, especially in the rush for data-based intelligence following 9/11. Booz Allen, to meet increased demand, recruited civilian technicians from many unconventional areas,
including the hacking culture. Ex-hackers who lacked (or shunned) employment opportunities in the corporate sector were suitable candidates for the system administrator jobs that these firms had contracted to supply the NSA. In the rush to expand, little heed was paid to the 1996 warning that this hacking culture might provide a portal to anti-government hacktivist groups. The NSA became so enamored with this new computer technology that it neglected the security implications of employing outsiders to service it. “All of us just fell in love with the ease and convenience and scale [of electronic storage],” General Hayden, who headed the NSA at the time, said to The Wall Street Journal in 2015. “So we decided to take things we used to keep if not in a safe, at least in our desk drawer, and put it up here [in a computer network], where it’s by definition more vulnerable.” Making matters even worse, as has previously been discussed, the NSA stripped away much of the so-called stove-piping that insulated highly sensitive data from the NSA’s other computer networks. FBI Director Mueller, in his “Statement Before the Senate Committee on Homeland Security and Governmental Affairs,” described a decade of post-9/11 intelligence reorganization thus: “One of the first steps was to centralize control and management of counterterrorism operations at headquarters to avoid the ‘stove-piping’ of information on terrorism cases in the 56 individual field offices across the country.” Here the NSA was merely following the recommendations of the 9/11 Commission to make their data more accessible to other agencies concerned with potential terrorist attacks, but as a result, the inner sanctum of the NSA became more open to its new army of civilian technicians.
By 2013, much of the job of managing the NSA’s classified computers had been handed over to a handful of private companies: Booz Allen Hamilton, which handled the most highly secret work; Dell SecureWorks; Microsoft; Raytheon; and IBM. In many respects, these five companies acted less like management consultants and more like temporary employment agencies in finding for the NSA the computer specialists who had the necessary security clearances. The NSA found that the universe of independent contractors was governed by very different considerations from that of intelligence services. Unlike intelligence services, their fate depended on turning
profits. Because the value of their contracts was largely limited by competitive bidding, their business plans were predicated on their ability to minimize the costs of fulfilling these contracts. Their principal cost was the salaries they paid their independent contractors. Their business plans therefore depended on finding large numbers of computer technicians in the private realm willing to work at an NSA base at relatively low wages. This task became more difficult as many potential recruits could find higher-paying employment with more of a future in the burgeoning private sphere. But the companies could also increase their revenue streams by getting additional contracts, which, in turn, meant recruiting even more workers. Such a business plan could hardly afford to give the highest priority to the low probability of a security risk. In the private sector, there is usually an unambiguous external measure of failure. An automobile company such as General Motors can measure the performance of its executives by reckoning its change in net income. With secret intelligence work, the metrics for failure are far less clear. This curious aspect of secret work was part of the advice given to a White House lawyer in the Obama administration seeking a position with the NSA in 2012, who was told that among the advantages of working for a super-secret agency was that if one errs or has a failure, “it stays secret.” The Snowden case showed that not all failures stay secret. The NSA can certainly quantify the amount of data it is intercepting, but it obviously cannot count the intelligence that it misses. The a priori proposition in the intelligence game is that “what is successfully hidden is never found.” But one failure that cannot be hidden is a security breach in which a perpetrator uses NSA data to publicly expose the NSA’s sources.
Until the Snowden breach in 2013, the NSA had experienced only one such public failure. It was the capture by North Korea in 1968 of the USS Pueblo, which had been carrying out highly sensitive electronic communications interception for the NSA. The Pueblo crew failed to destroy the NSA’s encoding machines, which were flown to Russia several days later. It was a horrible, costly breach. The Snowden breach was much worse because, among the thousands of
documents he stole, he selected lists of the NSA’s secret sources in adversary nations. The Snowden breach was a failure that directly traced back to the NSA’s largest and most trusted contractor, Booz Allen Hamilton, calling into question the vexing issue of privatizing secret intelligence. Booz Allen, like other private firms that did work for the government, was in the business to make money. Indeed, it had found government contracts so much more profitable than its work in the private sector that it sold its private sector unit to Price Waterhouse. The profitability of government work led the Carlyle Group’s private equity fund to acquire a controlling stake in Booz Allen in July 2008. By 2013, it had increased its revenue by more than $1.3 billion by expanding its government contracts. Even more impressive, its operating profit on these contracts had doubled. It did not need to increase its core internal staff to achieve these profits, it just had to hire outside contractors. In 2008, Booz Allen claimed 20,000 employees on its internal staff; in 2013, it claimed fewer than 5,000. The resulting “reduced headcount,” according to its January 30, 2013, quarterly report, greatly decreased its costs for incentive pay. It mainly accomplished this reduction by expanding the number of outside contractors it employed, 8,000 in these five years, by one Wall Street analyst’s calculation. They were employed as system administrators, infrastructure analysts, computer security specialists, and other “geek squad” jobs at the NSA and other government agencies. Their main qualification was their prior security clearances (which as mentioned earlier saved Booz Allen the expense of vetting them and also the loss of income while waiting many months for a clearance). Snowden therefore was highly desirable for Booz Allen from an economic point of view.
Even though he had no prior experience as an infrastructure analyst, and he had been detected being untruthful about his degree in computer sciences, he not only had a SCI security clearance but was willing to take a cut in pay. In keeping with the Booz Allen business plan, such a recruit provided another cog in its profit machine.
Not only had the NSA outsourced much of its computer operations to private companies, but the Clinton administration in 1996 had privatized background checks for government employees requiring security clearances. The idea, backed by Vice President Al Gore, was to reduce the size of the federal government by outsourcing investigating the backgrounds of millions of government applicants for jobs. The task had previously been performed by the FBI, but it was assumed that a profit-making business could do it faster and more efficiently. The private company named U.S. Investigations Services was purchased in 2007 for $1.5 billion by Providence Equity Partners, a rapidly expanding investment firm founded in 1989 by graduates of Duke, Brown University, and the Harvard Business School. So like Booz Allen, USIS was backed by a hedge fund determined to make money by systematically cutting the cost of a service previously carried out by the government. But such outsourcing had drawbacks. For one thing, unlike the FBI, USIS lacked the investigative clout to gain entry to certain government agencies. A Congressional review found that the privacy act permits disclosure of government agency records to the private firm if they are part of a “routine use of the records,” but intelligence agencies did not consider all such requests to be “routine.” For example, when it did the background check on Snowden in 2011, it could not get access to his CIA file. The “derog” in his file might have set off alarm bells, as might the fear that he had been threatened by an internal investigation over his alleged computer tampering in 2009. The FBI might have learned this about Snowden if it had done his background check. The lack of adequate oversight was another problem. USIS closed cases and cleared applicants without completing an adequate investigation. According to a U.S.
government suit filed in 2014, USIS had prematurely closed over 665,000 investigations in order to get paid for them more quickly. Because the more cases it completed each month, the more money it received from the government, the lawsuit alleged that USIS employees often “flushed” or ended cases before completing a full investigation to meet corporate-imposed quotas for getting bonuses. One employee, in an e-mail cited in the government’s complaint, said they “flushed everything like a dead goldfish.” As a result, some information specialists entering the NSA
through the back door of outside contractors were not fully vetted. (On August 20, 2015, USIS agreed to forfeit $30 million in fees to settle the lawsuit.) USIS was also open to sophisticated hacking attacks by outsiders. In August 2014, the Department of Homeland Security’s counterintelligence unit discovered such a massive and persistent breach in USIS that it shut down its entire exchange of data with it. The intrusion into USIS records in this case was attributed to hackers in China most likely linked to the Chinese intelligence service. Such massive intrusions dated back to 2011. USIS’s lack of security in its website left a gaping hole through which outside parties, including Chinese and Russian hackers, could learn both the identity and the background information of specialists applying for jobs at the NSA. These private companies also did not sufficiently protect the personal data of their independent contractors working at the NSA. The hackers’ group Anonymous took credit for the successful 2011 attack on the Booz Allen Hamilton servers. It also cracked the algorithms used to protect employees. It next injected so-called Trojan horse viruses and other malicious codes into Booz Allen servers that allowed it future entry. If amateur hackers such as Anonymous could break into the computers of the NSA’s largest contractor, so could adversaries’ state espionage services with far more advanced hacking tools. From these sites, China or Russia could obtain all the job applications and personal résumés submitted to contractors such as Booz Allen. It could then compile a list of the best candidates to do its bidding. These deficiencies in the private sector were compounded by the failure of security in the government’s own Office of Personnel Management.
It used a computer system called e-QIP in which intelligence employees, including outside contractors, updated their computerized records to maintain or upgrade their security clearances. For example, Snowden updated his clearance in 2011. To do so, these employees constantly updated their financial and personal information. As it turned out, there was a major hole in the e-QIP system. It has repeatedly been hacked by unknown parties since 2010.
In 2015, the U.S. government told Congress that China was most likely responsible, but Russia and other nations with sophisticated cyber services could have also participated in the hacking. In any case, the records of over nineteen million employees, including intelligence workers, became available to a hostile intelligence service. This breach would allow hostile services to obtain a great deal of information about independent contractors working at the NSA. They could then use this data to follow the movements of any of these intelligence workers they deemed of interest. Despite all the potential flaws in it, the outsourcing system continued in place. It even featured a revolving door through which Booz Allen hired retiring executives from the intelligence services, such as the former NSA director Michael McConnell; James Woolsey, a former director of the CIA; and the retired general James Clapper, who later served as director of national intelligence. The cozy relationship between the private firms and the NSA notwithstanding, the NSA leadership operated as if it were unaware that outsourcing could create a security problem. As far back as 2005 General Hayden, then the departing head of the NSA, had been warned of one such vulnerability in a memorandum written by a counterintelligence officer at the NSA. Like the earlier 1996 report by the threat officer, this memorandum noted the NSA had ceded responsibility for managing its secret systems to outsiders and warned that the NSA’s reliance on them to manage its computers had opened a back door into the NSA. In addition, it warned that once an outside contractor managed to slip in through this back door, he could easily jump from one outsourcer to another. This was what Snowden did when he moved from Dell to Booz Allen Hamilton in 2013. Despite its security flaws, outsourcing seemed to provide a number of advantages to the NSA. For one thing, it provided a means for circumventing the budget restrictions imposed by Congress on hiring new employees.
In addition, because private companies had less rigid hiring standards, it greatly expanded the pool of young system administrators by tapping into computer cultures that would be antagonistic to working directly for the government. Finally, it drew less on NSA resources. Because these information technologists were only temporary employees, they were not entitled to military
pensions, paid medical leave, and other benefits. It was a system that effectively replaced military careerists with freelancers.

The irony of the situation was that the NSA had surrounded its front doors with rings of barbed wire, closed-circuit cameras, and armed guards, but for reasons of economy, bureaucratic restrictions, and convenience it had left the back door of outsourcing open to temporary employees of private companies, even though it might take some time for them to gain entry to its inner sanctum.

“It was not a question of if but when one of the contractors would go rogue,” the former NSA executive who wrote the 2015 memorandum told me. Snowden answered that question in 2013.

Even more extraordinary than the theft itself was the reaction to it by the NSA. It turned out that there was no cost of failure levied against the outside contractor Booz Allen, which had employed Snowden when he bypassed its security regime to steal the keys to the kingdom. Even though the counterintelligence investigation showed Snowden stole documents from compartments to which he did not have access, the NSA did not penalize Booz Allen. Instead, its revenues and profits from government contracts markedly increased between 2013 and 2015.

Nor did the NSA alter its reliance on private contractors. The back door to the NSA remained wide open. Outsourcing to private companies has become an all but irreplaceable part of the intelligence system in America, Snowden’s actions, and the risk of future similar actions, notwithstanding.
CHAPTER 21

The Russians Are Coming

The collapse of the Soviet Union was a major geopolitical disaster of the century.
—VLADIMIR PUTIN

In the first invasion of a European country since the end of the Cold War, Russian military forces moved into the Crimea and other parts of eastern Ukraine in February and March 2014. Unlike with previous Russian troop movements, such as those into Poland, Hungary, Czechoslovakia, and East Germany during the Cold War, the weeklong massing of Russian elite troops and sophisticated equipment for the move into Ukraine almost totally evaded detection by the NSA’s surveillance. Never before had the NSA’s multibillion-dollar armada of sensors and other apparatus for intercepting signals missed such a massive military operation. According to a report in The Wall Street Journal that cited Pentagon sources, Russian units had managed to hide all electronic traces of their elaborate preparations. If so, after more than half a century of attempted penetrations, Russia had apparently found a means of stymieing the interception capabilities of the NSA.

Putin had firm ideas about restoring Russia’s power in the post–Cold War era. A formidable KGB officer before he became president
of the Russian Federation in 2000, he made no secret that his goal was to prevent the United States from obtaining what he termed “global hegemony.” His logic was clear. He judged the breakup of the Soviet Union in 1991 to be, as he put it, “a geopolitical disaster.” He argued that the breakup had provided the United States with the means to become the singular dominant power in the world. He sought to prevent that outcome by moving aggressively to redress this loss of Russian power. He upgraded Russia’s nuclear force, modernized Russia’s elite military units, and greatly strengthened Russia’s relations with China. The last measure was essential because China was Russia’s principal ally in opposing the extension of American dominance.

Yet there was still an immense gap between them and the United States in communications intelligence. Since the breakup of the Soviet Union, the NSA had continued to build up its technological capabilities, while Russia teetered on the edge of collapse in the early 1990s. But as previously mentioned, the NSA’s legal mandate had been limited by Congress to foreign interceptions (at least prior to 9/11). As a result, it was required to separate out domestic from foreign surveillance, a massive process that not only was time-consuming but could generate dissidence within the ranks of American intelligence. It also could not legally use its surveillance machinery to monitor the telephones and Internet activities of the tens of thousands of civilian contractors who ran its computer networks—at least not unless the FBI began an investigation into them.

Here the Russian intelligence services had a clear advantage. They had a lawful mandate to intercept any and all domestic communications. In fact, a compulsory surveillance system called by its Russian acronym SORM had been incorporated into Russian law in 1995.
It requires the FSB and seven other Russian security agencies to monitor all forms of domestic communications including telephones (SORM-1), e-mails and other Internet activity (SORM-2), and computer data storage of billing information (SORM-3). Not only did Russia run a nationwide system of Internet filtering in 2013, but it required its telecommunication companies to furnish it with worldwide data.

The NSA also had to deal with many peripheral issues other than
the activities of Russia and China. It was charged with monitoring nuclear proliferation in Iran, Pakistan, and North Korea, potential jihadist threats everywhere in the world, and much else. The Russian foreign intelligence service, the SVR, could put its limited resources to work on redressing the gap with its main enemy: the United States.

Nevertheless, Putin had to reckon with the reality in 2013 that Russia could not compete with the NSA in the business of intercepting communications. And if the NSA could listen in on all the internal activities of its spy agencies and security regime, the ability of Putin to use covert means to achieve his other global ambitions would be impaired. In the cold peace that replaced the Cold War, Russia had little hope of realizing these ambitions unless it could weaken the NSA’s iron-tight grip on global communications intelligence. One way to remedy the imbalance between Russian intelligence and the NSA was via espionage. Here the SVR would be the instrument, and the immediate objective would be to acquire the NSA’s lists of its sources in Russia. If successful, it would be a game changer.

Such an ambitious penetration of the NSA, to be sure, was a tall order for Russian intelligence. Most of its moles recruited in the NSA by the KGB had been code clerks, guards, translators, and low-level analysts. They provided documents about the NSA’s cipher breaking, but they lacked access to the lists of the NSA’s sources and methods.

These meager results did not inhibit Russian efforts. For six decades, ever since the inception of the NSA in 1952, the Russian intelligence service had engaged in a covert war with the NSA. The Russian intelligence service is, as far as is known, the only intelligence service in the world that ever succeeded in penetrating the NSA. A number of NSA employees also defected to Moscow. The history of this venerable enterprise is instructive.
The first two defectors in the NSA’s history were William Martin and Bernon Mitchell. They were mathematicians working on the NSA’s decryption machines who went to Moscow via Cuba in 1960. The Russian intelligence service, then called the KGB, went to great lengths to get propaganda value from their defections. It even organized a ninety-minute press conference for them on September 6,
1960, at the Hall of Journalists and invited all the foreign correspondents in Moscow. Before television cameras, the defectors denounced the NSA’s activities. Martin told how the NSA breached international laws by spying on Germany, Britain, and other NATO allies. Mitchell, for his part, suggested that the NSA’s practice of breaking international laws could ignite a nuclear war. Indeed, he justified their joint defection to Russia in heroic whistle-blowing terms, saying, “We would attempt to crawl to the moon if we thought it would lessen the threat of an atomic war.” The NSA review of the case, however, assessed that little damage had been done, because the NSA quickly changed the codes they had compromised. It noted, “The Communist spymasters would undoubtedly have preferred Martin and Mitchell to remain in place as moles, since their information was dated as of the moment they left NSA.”

The next NSA defector was Victor Norris Hamilton, a translator and analyst at the NSA. He arrived in Moscow in 1962, and like Mitchell and Martin he claimed the status of a whistle-blower. This time, the KGB provided a newspaper platform. Writing in the Russian newspaper Izvestia, Hamilton revealed the extent of U.S. spying on its allies in the Middle East.

None of these three 1960s defectors revealed what, if any, NSA secret documents they had compromised. Nor did any of them ever return to the United States. Martin changed his name to Vladimir Sokolodsky, married a Russian woman, and died in Mexico City on January 17, 1987. Mitchell vanished from sight and was reported to have died in St. Petersburg on November 12, 2001. Hamilton, after telling Russian authorities stories about hearing voices in his head because of an NSA device implanted in his brain, was consigned to Special Psychiatric Hospital No. 5 outside Moscow.

There were also KGB spies in the NSA who were caught or died before they could defect.
One of them was Sergeant Jack Dunlap. He was found dead of carbon monoxide poisoning in his garage on July 23, 1963. Although there was no suicide note, his death was ruled an apparent suicide. NSA classified documents were later discovered in his house. After that, NSA investigators unraveled his decade-long career as a KGB mole. Dunlap had been recruited by the KGB in Turkey in 1952. The standard KGB tool kit for recruitment
was called MICE. It stood for Money, Ideology, Compromise, and Ego. The KGB used the first element, money, to compromise Dunlap. After he was compromised, it exploited him by getting him to steal NSA secrets. He had access to such secrets because he became the personal driver to Major General Garrison Coverdale, the chief of staff of the NSA. After Coverdale retired, he became the driver for his successor, General Thomas Watlington. These positions afforded him a security clearance and, even more important, a “no inspection” status for the commanding general's cars that he drove. This perk allowed him to leave the base with secret documents, have them photocopied by his KGB case officer, and then return them to the files at the NSA base before anyone else knew they were missing. He also used, likely at the suggestion of the KGB case officers, his “no inspection” perk to offer other NSA employees a way of earning money. He would smuggle off the base any items of government property that they took. Once he had compromised them through thefts, he was in a position to ask them for intelligence favors. This NSA ring could not be fully investigated because of his untimely death. Other than the packets of undelivered NSA documents found in his home, the investigation was never able to assess the total extent of the KGB penetration of NSA secrets. (Angleton suspected Dunlap was murdered by the KGB in what he termed a surreptitiously assisted death, to prevent Dunlap from talking to investigators.)

The Russian intelligence services continued recruiting mercenary spies in the NSA for the duration of the Cold War. The KGB successes included Robert Lipka, a clerk at the NSA in the mid-1960s, who was caught in a sting operation by the FBI and sentenced to eighteen years in a federal prison. Ronald Pelton, an NSA analyst, was recruited after he retired from the NSA.
After he was betrayed by a KGB double agent in 1985, he was sentenced to life imprisonment. Finally, there was David Sheldon Boone, an NSA code clerk, who between 1988 and 1992 provided the KGB with NSA documents in return for $60,000. Boone, sentenced to twenty-four years in prison, was the last known KGB recruitment of the Cold War.

During the Cold War, Russian intelligence service officers operated mainly under the cover of the embassies, consulates, United Nations delegations, and other diplomatic missions of the Soviet
Union. As “diplomats,” they were protected from arrest by the terms of the 1961 Treaty of Vienna Convention on Diplomatic Relations. Their diplomatic cover, however, greatly limited their field for finding potential recruits outside their universe of international meetings, diplomatic receptions, UN organizations, scientific conferences, and cultural exchanges. They therefore tended to recruit their counterparts in adversary services.

In this regard, the successful entrapment of Harold Nicholson in the 1990s is highly instructive. From his impressive record, he seemed an unlikely candidate for recruitment. He had been a superpatriotic American who had served as a captain in army intelligence before joining the CIA in 1980. In the CIA, he had an unblemished record as a career officer, serving as a station chief in Eastern Europe and then the deputy chief of operations in Malaysia in 1992. Even though his career was on the rise and he was a dedicated anti-Communist, he became a target for the SVR when he was assigned to the CIA’s elite Russian division. Because the job of this division was to recruit Russian officials working abroad as diplomats, engineers, and military officers, its operations brought its officers in close contact with SVR officers. Nicholson therefore was required to meet with Russian intelligence officers in Manila, Bucharest, Tokyo, and Bangkok and “dangle” himself to the SVR by feigning disloyalty to the CIA. As part of these deception operations, Nicholson supplied the Russians with tidbits of CIA secrets, or “chickenfeed,” that had been approved by his superiors at the CIA. What his CIA superiors did not fully take into account in this spy-versus-spy game was the SVR’s ability to manipulate, compromise, and convert a “dangle” to its own ends.
As it turned out, Russian intelligence had been assembling a psychological profile on Nicholson since the late 1980s and found vulnerability: his resentment at the failure of his superiors to recognize his achievements in intelligence. The Russians played on this vulnerability to compromise him and then converted him to becoming its mole inside the CIA.

Nicholson worked for the SVR first in Asia; then he was given a management position at CIA headquarters, which is located in Langley, Virginia. Among other secret documents, he provided the SVR
with the identities of CIA officers sent to the CIA’s special training school at Fort Peary, Virginia, which opened the door for the SVR to make other potential recruitments. Meanwhile, it paid him $300,000 before he was finally arrested by the FBI in November 1996. (After his conviction for espionage, he was sentenced to twenty-three years in federal prison.) The CIA postmortem on Nicholson, who was the highest-ranking CIA officer ever recruited (as far as is known), made clear that even a loyal American, with no intention of betraying the United States, could be entrapped in the spy game.

When it comes to recruiting moles in a larger universe, intelligence services operate much like highly specialized corporate “headhunters,” as James Jesus Angleton described the process to me during the Cold War era. He was referring to the similar approach that corporate human resource divisions had with espionage agencies. Both headhunt by searching through a database of candidates for possible recruits to fill specific positions. Both types of organizations have researchers at their disposal to draw up rosters of potential recruits. Both sort through available databases to determine which of the names on the list have attributes that might qualify or disqualify them for a recruitment pitch. Both also collect personal data on each qualified candidate, including any indication of his or her ideological leaning, political affiliations, financial standing, ambitions, and vanities, to help them make a tempting offer.

But there are two important differences. First, unlike their counterparts in the private sector, espionage headhunters ask their candidates not only to take on a new job but also to keep their employment secret from their present employer. Second, they ask them to surreptitiously steal documents from him.
Because they are asking candidates to break the law, espionage services, unlike their corporate counterparts in headhunting, obviously need to initially hide from the candidates the dangerous nature of the work they will do. Depending on the targeted recruit, they might disguise the task as a heroic act, such as righting an injustice, exposing an illegal government activity, or countering a regime of tyranny. This disguise is called in the parlance of the trade a false flag, as mentioned earlier.

By using such a false flag, the SVR did not need to find a candidate who was sympathetic to Russia or the Putin regime. In its long
history dating back to the era of the czars, Russian intelligence had perfected the technique of false flag recruitment, through which it assumes an identity to fit the ideological bent of a potential recruit.

Russian intelligence was well experienced with false flags. It first used this technique following the Bolshevik revolution in 1917 to control dissidents both at home and abroad. The centerpiece, as later analyzed by the CIA, was known as the “Trust” deception. It began in August 1921 when a high-ranking official of the Communist regime in Russia named Aleksandr Yakushev slipped away from a Soviet trade delegation in Estonia and sought out a leading anti-Communist exile he had known before the revolution in Russia. He then told him that he represented a group of disillusioned officials in Russia that included key members of the secret police, the army, and the Interior Ministry. Yakushev said that they all had come to the same conclusion: the Communist experiment in Russia had totally failed and needed to be replaced. To effect this regime change, they had formed an underground organization code-named the Trust, because the cover for their conspiratorial activities was the Moscow headquarters of the Municipal Credit Association, which was a trust company. According to Yakushev’s account, it had become the equivalent of a de facto government by 1921.

The exiled leader in Estonia reported this astonishing news to British intelligence, which, along with French and American intelligence, helped fund this newly emerged anti-Communist group. Initially, British intelligence had doubts about the bona fides of the Trust, as did other Western intelligence services sponsoring exile groups. But they gradually accepted it after they received intelligence reports confirming its operations from many other sources, including Russian officials, diplomats, and military officers who claimed to have defected from the Soviet government.
Because these reports all dovetailed, they recognized the Trust as a legitimately underground organization.

Once the Trust had been established in the minds of the Western intelligence services, it offered them as well as exile groups the services of its network of collaborators. These services included smuggling out dissidents, stealing secret documents, and disbursing money inside Russia to sympathizers. Within a year, exile groups in
Paris, Berlin, Vienna, and Helsinki were using the Trust to deliver arms and supplies to their partisans inside Russia. The Trust also furnished spies and exiled leaders with fake passports, which allowed them to sneak back into Russia to participate in clandestine missions. It even undertook sabotage and assassination missions paid for by Western intelligence services. As they learned of police stations being blown up and political prisoners escaped from prisons, these agents and dissidents came to further believe in the power of the Trust.

By the mid-1920s, no fewer than eleven Western intelligence services had become almost completely dependent on the Trust for information about Russia. They also sent millions of dollars into Russia via couriers to finance its activities.

But suddenly exiled leaders working in Russia under the aegis of the Trust began to vanish. Then top Western intelligence agents, including Sidney Reilly and Boris Savinkov, were arrested, and their networks were eliminated. Instead of the Communist regime collapsing, as the Trust had predicted, it consolidated its power and wiped out all the dissident groups. Finally, in 1929, the Trust was revealed by a defector to be a long-term false flag operation run by the Russian intelligence service. Even the Trust building, rather than being the cover for a subversive conspiracy, was the headquarters for the Russian secret police during this eight-year operation. The secret police had provided the documents fed to Western intelligence, briefed the agents who pretended to defect, published the dissident newspapers the Trust distributed, fabricated the passports it supplied exiles, blew up Russian buildings, and staged jail breaks to make the deception more credible. It also collected the money sent in by Western intelligence services, which more than paid for the entire deception.
Because it was running the show, it could offer those lured into the trap an opportunity to work for it as double agents. The alternative, if they refused, was to face a firing squad.

Even after the Trust itself had been fully exposed, the Russian intelligence service continued to succeed with other false flag deceptions. During the Cold War, it set up a fake underground in Poland called WIN, modeled on the Trust. It set up false flag groups in Ukraine, Georgia, Lithuania, Albania, and Hungary. It also had agents masquerade as members of the security services of Israel, South Africa, Germany, France, and the United States to recruit unwitting agents. These deceptions became an integral part of the recruitments of the Russian intelligence services.

Penetrating the NSA and getting access to files from its stovepiped computers was a far more difficult challenge for the SVR. Approaching CIA officers, such as Nicholson, was relatively easy because it was part of the CIA officers’ jobs to meet with their adversaries. NSA officers, on the other hand, did not engage in “dangles” or even attend diplomatic receptions. They had no reason, other than a sinister one, to meet with a member of the Russian intelligence service. Furthermore, unlike CIA officers, who, like Nicholson, are often posted in neutral countries where they can be approached in a social context, NSA officers work at well-guarded regional bases and are not part of the diplomatic life. Because a known employee of a foreign diplomatic mission could not even approach an NSA officer without arousing suspicion, the SVR would need to use an intermediary, called an access agent, whose affiliations were not known to the FBI. Such an operation would require establishing a network of illegals in America, as the SVR did after Putin became president. Even then, the intermediary would have to find a plausible pretext to approach the target without revealing his actual interest. Such complex operations at the NSA, as far as is known, only yielded a few low-level recruits.

The emergence of computer networks in the 1990s greatly expanded the SVR’s recruiting horizon. It offered a new penetration opportunity at the NSA: civilian technologists working under contract for the U.S. government. Many of these civilians at the NSA, especially the younger ones, as we know, had been drawn from the hacking and game-playing culture; some had even taken courses on hacking techniques.
They presented the SVR with inviting targets for recruitment. As was previously mentioned, Russian intelligence had considerable experience in Germany with hacktivists, who tended to be anarchists. There were also supporters of the libertarian movement. The common denominator was often their resentment, expressed in their postings, of the United States and its allies attempting to limit the downloading of copyrighted music, movies,
and software on the Internet, all of which fell under the rubric of “freedom of the Internet.” They also vocally objected to the NSA’s using built-in back doors in its software to read their encrypted messages. Such people were not difficult to find on the Internet. The donors to Ron Paul’s libertarian election campaign (including Snowden) were a matter of public record.

Even if there was no shortage of hacktivists who believed the surveillance of the Internet by the NSA was an evil worth fighting, the SVR still had to find a plausible way of approaching members of this counterculture without offending them. Clearly, the SVR could no longer use out-of-date Communist and anti-capitalist ideology as a lure. Russia was far more authoritarian than the United States when it came to the Internet. One viable alternative for the SVR was custom-tailoring false flags to appeal to hacktivists.

For this purpose, the Internet provided a near-perfect realm. Because it is a place where true identities cannot easily be verified, intelligence services could employ a protean kit of disguises to assume false identities to entice potential dissidents into communicating with them. The KGB’s earlier efforts to use hacktivist groups in Germany had produced little if any intelligence about the NSA because of the stovepiping it used to isolate its computers from networks that could be hacked into from the outside. It will be recalled that the NSA threat officer had cited these failures in his 1996 report on NSA vulnerability. He also said that efforts of the Russian intelligence services to use false flag recruitments provided the KGB with “a learning experience.” The KGB had learned that hacking by itself could not breach the NSA’s protective stovepiping.
He predicted that its next logical move would be to “target insider computer personnel.” This false flag recruitment would aim at, in his view, system administrators, computer engineers, and cyber-service workers who either were already inside the NSA or had a security clearance that would facilitate getting jobs with NSA contractors.

Even with an appropriate false flag, the task of finding such a “Prometheus” required obtaining a database of those working at the NSA. There were some five thousand civilian technicians at the NSA of all political stripes. Hacking into the personnel records of the intelligence workers seeking to renew their security clearance
was a place to begin. The Internet provided the SVR with just this opportunity. As you will recall, holes in the security of the computer networks of the U.S. Office of Personnel Management and USIS and the websites of the companies supplying the NSA with independent contractors had made the background checks on American intelligence workers available to the Chinese, and presumably other adversary intelligence service hackers, since 2011. If the SVR had access to this personnel data, the research for a candidate would be greatly facilitated. From the 127-page Standard Form 86, which each applicant for a security clearance submits, the SVR could filter out intelligence workers employed by the NSA by their educational background, employment history, affiliations, and foreign contacts. It could then search this data for candidates with a possible hacktivist profile.

This data could next be crossed with a list of individuals the SVR knew were in contact with high-profile activists who were part of the anti-surveillance movements. This would include core participants in the Tor Project, WikiLeaks, Noisebridge, CryptoParties, the Freedom of the Press Foundation, and the Electronic Frontier Foundation. (Snowden, for example, had been in touch with members of all these groups in 2012 and 2013.)

The SVR would have little problem monitoring even encrypted communications with leading figures in the anti-surveillance world. These activists, despite secrecy rituals such as putting their cell phones in refrigerators, remain visible to a sophisticated intelligence service such as the SVR. All the defensive tactics of Laura Poitras, including PGP encryption, Tor software, and air-gapped computers (computers that have never been connected to the Internet), did not keep secrets about her sources entirely to herself.
Snowden, at a time when he was stealing NSA secrets in February 2013, went to great lengths to impress on Poitras the need for operational security about his contacts with her, but that injunction did not prevent her from telling at least five people about her source, including Micah Lee, the Berkeley-based technology operative for the Freedom of the Press Foundation; Jacob Appelbaum, the Tor proselytizer; Ben Wizner, the ACLU lawyer; Barton Gellman; and Glenn Greenwald. “It is not me that can’t keep a secret,” Abraham Lincoln joked. “It’s the people I
tell it to that can’t.” In the same vein, Poitras could hardly rely on these five confidants not to tell her secrets (and Snowden’s) to others. Hours after he was told, Greenwald told his lover, David Miranda, about the source in great detail. He even asked him to evaluate the source’s bona fides for him. Gellman, for his part, raised the matter with a former high official at the Justice Department.

Moreover, as the intelligence world knew, Poitras was herself a veritable lightning rod for attracting ex-NSA employees who objected to some of its surveillance programs. In 2012, her previously mentioned filming in Berlin of NSA insiders could make her communications of interest to intelligence services that wanted to keep tabs on possible NSA dissidents.

Nor was Snowden himself overly discreet. It will be recalled that he had also advertised his Tor-sponsored CryptoParty activities over the Internet and supplied Runa Sandvik, who worked with Appelbaum, his true name and address in Hawaii. Sandvik had no reason not to share the identity of her co-presenter with others in the Tor movement. Snowden, of course, had his girlfriend make a video of his presentation as well. He also bragged about operating the largest Tor outlets in Hawaii. Even if his Tor software provided him with a measure of anonymity, it was not beyond the ability of the world-class cyber services to crack it.

Under Putin, Russia had built one of the leading cyber-espionage services in the world. According to a 2009 NSA analysis of Russian capabilities, which was obtained by The New York Times in 2013, Russia’s highly sophisticated tools for cyber espionage were superior to those of China or any other adversary nation. For example, investigators from FireEye, a well-regarded Silicon Valley security firm, found that in 2007 Russian hackers had developed a highly sophisticated virus that could bypass the security measures of the servers of both the U.S.
government and its private contractors. According to one computer security expert, the virus had made protected Internet websites “sitting ducks” for these sophisticated Russian hackers. The cryptographer Bruce Schneier, a leading specialist in computer security, explained, “It is next to impossible to maintain privacy and anonymity against a well-funded government adversary.”

Nor has the Russian cyber service made a secret out of the fact that
it targets Tor software. It even offered a cash prize to anyone in the hacking community who could break Tor. Prior to 2013, according to cyber-security experts, it spent over a decade building cyber tools aimed at unraveling the Tor networks used by hacktivists, criminal enterprises, political dissidents, and rival intelligence operatives. To this end, it reportedly attempted to map out computers that served as major Tor exit nodes (such as the one Snowden operated in 2012 near an NSA regional base in Hawaii). It also reportedly attached the equivalent of “electronic ink” to messages, which would allow it to trace the path of messages that passed through them. Through this technology, it could tag and follow Tor users as their communications traveled across the Internet. It could even borrow their Internet identities.

To be sure, the NSA also had such a capability. The Silk Road founder, Ross Ulbricht, discovered to his distress that his Tor software did not make his computer server in Iceland invisible. According to a former top official in the Justice Department, the NSA was able to locate it by cracking the Tor software (Ulbricht is currently serving a life sentence for his activities). Unlike adversary services, however, the NSA needs a warrant to investigate U.S. citizens who use Tor.

The NSA is hardly immune from an attack on its own computers. As the former CIA deputy director Morell wrote in his 2015 book, The Great War of Our Time, many financial institutions have “better cyber security than the NSA.” The Internet certainly helped make the activities of U.S. intelligence workers visible to the SVR. But to achieve its goals, the SVR still had to find at least one disgruntled civilian contractor inside the NSA who had access to the sealed-off computer networks. Did it find its man? If so, was it before or after Snowden arrived in Hong Kong with the Level 3 NSA files?
CHAPTER 22
The Chinese Puzzle

The first [false assumption] is that China is an enemy of the United States. It’s not.
—EDWARD SNOWDEN, Hong Kong, 2013

ON AUGUST 11, 2014, in the Atlantic Ocean, an event took place of enormous concern to U.S. intelligence. A Chinese Jin-class submarine launched an intercontinental ballistic missile. The missile released twelve independently targeted reentry vehicles, each simulating a nuclear warhead. Some forty-four hundred miles away, in China’s test range in the Xinjiang desert, each of the twelve simulated nuclear warheads hit its target within a twelve-inch radius. The test firing, which was closely monitored by the NSA, was a strategic game changer. It meant that a single Jin-class submarine, which carried twelve such missiles and 144 nuclear warheads, could destroy every city of strategic importance in the United States. U.S. intelligence further reported that China would soon use stealth technology to make it more difficult to detect newer submarines and give “China its first credible sea-based nuclear deterrent” against an American attack.

By 2015, as its test in the Atlantic had foreshadowed, China had armed its land-based as well as sea-based missiles with multiple
independently targeted warheads. Combined with the state-of-the-art technology it had licensed from Russia, its systematic use of espionage even made it possible for China to build its own stealth fighters.

Unlike the United States, China did not achieve this remarkable capability to launch independently targeted miniaturized nuclear weapons and stealth them by investing hundreds of billions of dollars in developing them. It obtained this technology mainly through espionage. The Chinese intelligence service stole a large part, if not all, of America’s secret technology for weaponizing nuclear bombs during the 1980s and 1990s. The theft was so massive that in 1998 the House of Representatives set up a special bipartisan investigative unit called the Select Committee on U.S. National Security and Military/Commercial Concerns with the People’s Republic of China. Based on the intelligence amassed by the NSA, the CIA, and other intelligence services, it concluded in its report that the Chinese intelligence service had obtained both by electronic and by conventional spying the warhead design of America’s seven most advanced thermonuclear weapons. Moreover, it found that espionage successes allowed China to so accelerate the design, development, and testing of its own nuclear weapons that the new generation of Chinese weapons would be “comparable in effectiveness to the weapons used by the United States.” Further, the committee reported that these thefts were the “results of decades of intelligence operations against U.S. weapons laboratories.” The Chinese intelligence service further obtained from private U.S. defense contractors through cyber espionage important elements of the stealth technology used in advanced planes and submarines. China shared (or exchanged) the fruits of its espionage on nuclear warhead design with North Korea, Pakistan, Iran, and Russia.
Despite its formidable intelligence coups in the United States, the Chinese intelligence service managed to remain among the most elusive of America’s intelligence adversaries. Its espionage organizations are hidden behind layers of bureaucracy in the Ministry of State Security, Chinese Communist Party structures, and the second, third, and fourth department of the General Staff of the People’s Liberation Army. Much of its cyber-espionage units are concealed
on the campuses of its universities. Its hierarchy is also obscure. Few traces have been uncovered of any conventional espionage networks in the United States, and no major Chinese spy has ever been arrested.

Part of the reason that Chinese espionage has proved so elusive to the eyes of Western counterintelligence is that, unlike Russia, it did not ordinarily rely on intelligence officers in its embassies to recruit penetration agents to steal secrets. It did not even have an embassy in the United States during most of the Cold War. Instead, its services specialize in mosaics of intelligence assembled from a wide variety of sources, including nonclassified documents, returning graduate students, scientific conferences, exchanges with allies, and a vast operation of hacking into computers, or cyber espionage.

Such espionage is indeed a vast enterprise in China. Graduating over 150,000 computer science engineers in the 1990s, it had no shortage of personnel. It had also developed the cyber tool kit to gain access to the computer networks of U.S. government contractors and consultants in the private sector and government agencies, planting “sleeper” bugs in networked computers. Like human sleeper agents, these hidden programs can be activated when needed for operational purposes. Chinese controllers can often retrieve e-mails and documents and can turn on the cameras and microphones of personal computers, tablets, and smart phones. By 2007, Paul Strassmann, a top U.S. defense expert on cyber espionage, reported that China had inserted “zombie” programs in some 700,000 computers in the United States, which could be used to mount cyber attacks to retrieve e-mails from other computers. The Chinese service also reportedly penetrated companies that provide Internet services, including Google, Yahoo!, Symantec, and Adobe, which allowed it to track e-mails and enclosures of individuals.
With such an invisible army of zombie computers, it is not entirely surprising that China finds little need to employ human sleeper agents.

Chinese cyber specialists used this capability to hack into the computers of outside contractors, including Booz Allen and other companies that supplied technologists to the NSA. It also had notable successes in obtaining the dossiers of U.S. employees and independent contractors at the NSA, the CIA, and other intelligence services. Its intrusions, as previously noted, into computer networks
at the Office of Personnel Management traced back to 2009. Eventually, by 2015, according to U.S. estimates, the cyber attack had harvested over twenty million personnel files of past and present federal government employees. In addition, it reaped over fourteen million background checks of intelligence workers done by the Federal Investigative Services.

All intelligence workers with a sensitive compartmented information clearance, such as Snowden, were required to provide information on these forms about all their foreign acquaintances, including any non-U.S. officials whom the applicant knew or had had relationships with in the past. They also had to list their foreign travel, family members, police encounters, mental health issues, and credit history. For good measure, Chinese hackers obtained the confidential medical histories of government employees by hacking into the computers of Anthem and other giant health-care companies. If China’s intelligence services consolidated the fruits of these hacking attacks, it would have a searchable database of almost everyone working in the American defense and intelligence complex. From this database, it could track individuals with high security clearances vulnerable to being bribed, blackmailed, or tricked into cooperating. No one doubted that the Chinese would use their cyber capabilities to take advantage of opportunities presented in foreign computer systems.

General Hayden said of the massive theft of intelligence personnel records, “Those records are a legitimate foreign intelligence target.” He added, “If I, as director of the NSA or CIA, would have had the opportunity to grab the equivalent in the Chinese system, I would not have thought twice.” If that opportunity did not arise for the NSA or the CIA during Hayden’s tenure, it might have been because no insider in the Chinese intelligence services provided U.S. intelligence with a road map to it.
Cyber espionage was not the Chinese intelligence service’s only powerful resource in the intelligence war. To get both electronic intelligence and human intelligence about the United States, China also had a highly productive intelligence-sharing treaty with Russia. It was signed in 1992 after the Soviet Union was dissolved. Although the terms of this exchange remain secret, defectors from the Russian KGB and SVR reported that Chinese intelligence received from Russia a continuous stream of communications intelligence about the United States in the late twentieth and early twenty-first centuries. Russia’s intelligence resources during this period were formidable. They included geosynchronous satellites, listening stations in Cuba, sleeper agents, and embassy-based spy networks. Presumably, this relationship further deepened under President Putin’s regime. Putin asserted in speeches in 2014 that Russia and China continued to share a key strategic objective: countering the United States’ domination of international relations, or what Putin terms “a unipolar world order.” China’s president, Xi Jinping, expressed a very similar view, saying in 2014 in a thinly veiled reference to the United States that any attempt to “monopolize” international affairs will not succeed.

Since the end of the Cold War, Russia has been the major supplier of almost all of China’s modern weaponry. It licenses for manufacture in China avionics, air defense systems, missile launchers, stealth technology, and submarine warfare equipment. To make these arms effective, it also provides China with up-to-date intelligence about the ability of the United States and its allies to counter them. While such intelligence cooperation may be limited by the reality that China and Russia still compete in many areas, they still have reason to share much of the fruits of their cyber and conventional espionage against the NSA in accordance with their intelligence. After all, the NSA works to intercept the military and political secrets of both these allies. Moreover, as the CIA’s former deputy director Morell points out in his book, NSA secrets are a form of currency for adversaries in the global intelligence war, saying that part of Snowden’s cache could be traded by a country that acquired it to the intelligence services of Iran and North Korea.
Snowden’s stay in Hong Kong from May 20 to June 23 in 2013 made the Chinese intelligence service, willy-nilly, a potential player in whatever game he was involved in. China’s full responsibility for Hong Kong’s national security and foreign affairs includes monitoring foreign intelligence operatives. Chinese intelligence maintains there its largest intelligence base outside mainland China. A large contingent of its officers are stationed officially in the Prince of Wales skyscraper in central Hong Kong and unofficially maintain informers in Hong Kong’s police, governing authority, airport administration, and other levers of power. It checks the computerized visitors entering Hong Kong and has the capability to ferret names that match those in the immense database its global cyber espionage has amassed. When it detects the entry of any person of possible intelligence interest, it can use its sophisticated array of cyber tools to attempt to remotely steal data from that individual.

Such remote surveillance was so effective in 2013 that the U.S. State Department had instructed all its personnel in Hong Kong to avoid using their iPhones, Androids, BlackBerry phones, and other smart phones when traveling to Hong Kong or China. Instead, it supplied them with specially altered phones that disable location tracking and have a remotely activated switch to completely cut off power to its circuitry. No one in the intelligence community doubts the prudence of taking such precautions in China, and it is nearly inconceivable that Snowden, whose prior position at the NSA included teaching military personnel about Chinese capacities, could himself be unaware of Chinese intelligence service capabilities to acquire travelers’ data in Hong Kong.

Once Hong Kong had served as a window into China for Western intelligence, but in the first decade of this century the Chinese intelligence service had achieved such a pervasive presence in Hong Kong, and such ubiquitous electronic coverage of diplomats and other foreigners even suspected of involvement in foreign intelligence work, that the CIA and British intelligence found it almost as difficult to operate in Hong Kong as in mainland China.
Even though the CIA kept officers there in 2013, it was considered “hostile territory,” according to the former CIA officer Tyler Drumheller.

Snowden apparently knew the limits of CIA operations in Hong Kong, which provided him with an envelope of protection. He told Greenwald that he was counting on the Chinese presence in Hong Kong to deter the CIA from intruding on their meetings. When he flew to Hong Kong in May 2013, he took with him NSA secrets, which he knew would be of great interest to China.
In fact, he advertised that he had such secrets in his interview with the South China Morning Post. Whatever he might have assumed about the inability of the CIA to stop him in Hong Kong, he could not assume that Chinese intelligence services would relegate themselves to a purely passive role when secret NSA documents were in a hotel room in Hong Kong. Snowden might have esteemed himself to be an independent actor playing Prometheus on a global stage provided by YouTube, but the Chinese might have viewed him very differently indeed.
CHAPTER 23
A Single Point of Failure

A single point of failure (SPOF) is a part of a system that, if it fails, will stop the entire system from working.
—Wikipedia

SNOWDEN DESCRIBED anyone who was the sole repository of secrets that could undo the NSA’s intelligence gathering as “the single point of failure.” While still shielding his own identity in May 2013, he wrote to Gellman that U.S. intelligence “will most certainly kill you if they think you are the single point of failure that could stop this disclosure and make them the sole owner of this information.” Such a person of course would be of even greater interest to adversary intelligence services if they were aware of the payload of secrets that person was carrying because they could use it to unravel the NSA’s sources and methods.

Snowden saw himself as that “single point of failure.” We know that while still in Hong Kong he said he had obtained access to computers that the NSA had penetrated throughout the world and in Moscow he added that he had had “access to every [NSA] target, every [NSA] active operation,” against the Chinese. “Full lists of them,” which, if he chose to share them, could make China “go dark.” To be sure, he did not refer to Russian intelligence activity in
any interview that he ever gave in Moscow under Russian protection, but he had similar access to NSA operations against Russia in his job at the NSA’s Threat Operations Center.

The enormous power of the NSA rested in its ability to keep its sources and methods secret from its foes. A queen on the chessboard could be captured by a lowly pawn if it was well-placed. In this case, the person who had it in his power to expose the NSA’s critical sources and methods would no doubt be considered fair game by America’s adversaries, including the Chinese and Russian cyber services. Indeed, how could they resist such a prize?

Snowden might have believed that he was in control, but the CIA believed that confidence was misinformed. “Snowden thinks he is smart,” Morell said, after reviewing the case on a panel appointed by President Obama, “but he was never in a position in his previous jobs to fully understand the immense capabilities of our Russian and Chinese counterparts.” He could adopt a cocky tone in his postmortem conversations with journalists in Moscow, but in truth he had no means to block the efforts of the Chinese or Russian services in Hong Kong. Even before Snowden contacted its diplomats in Hong Kong, the Russian intelligence service would swing into action to determine his intelligence value.

How many days he planned to be in Hong Kong depended on how speedily he could arrange a meeting with journalists. “The purpose of my [Hong Kong] mission was to get the information to journalists,” he told the editor of The Guardian after he was safely ensconced in Moscow. He indicates that he was working under a tight clock. The time pressure resulted in his e-mailing an ultimatum to Gellman on May 24: either Gellman would publish the selected documents in The Washington Post within seventy-two hours, or he would lose the exclusive scoop.
Snowden wanted the story to break on May 27, without his true identity (which Gellman did not know) attached to it. His identity would be known to a foreign mission in Hong Kong if Gellman acceded to his demands, because, as previously mentioned, Gellman’s story would enclose an encoded signal he planned to use as proof of his bona fides. So even before the Guardian reporters had agreed to come to Hong Kong, Snowden had plans to deal with a foreign mission. If the Post had accepted his terms, Snowden would
have been in a very different position. The story would have broken before Poitras or Greenwald even knew about Snowden’s presence in Hong Kong, and his identity would be secret except for whatever foreign mission he had contacted. But, as we know, the Post turned down his ultimatum. Time was running out if he was to break the story and leave Hong Kong before the NSA realized he was missing. At best, he was safe until June 3, when he was supposed to return from his medical leave. If he failed to show up in Hawaii on June 3, alarm bells at the NSA would go off, and it would not take long to find him. Airline records would show that he had flown to Hong Kong. Snowden told Poitras that NSA security would ask, “This guy isn’t where he says he’s supposed to be. He’s supposed to be getting medical treatment. Why the hell is he in Hong Kong?” It would not take long to determine that he had lied about his medical treatment, and then the hunt would begin.

He had, remember, already sent Poitras an enciphered file and told her she would get the key once she followed his instructions. Greenwald had still not committed himself to meeting Snowden. Greenwald was, however, willing to publish the documents once Snowden provided them. That Snowden remained in Hong Kong suggests that his reason for going to and remaining in Hong Kong went beyond just delivering documents to journalists, which he could have done over the Internet. What he could not do in America, without risking arrest, was to make and release a video.

In any event, after his attempt to pressure the Post, Snowden asked Greenwald to fly immediately to Hong Kong. Presumably, he still wanted Greenwald’s story and the video done in Hong Kong before he became a suspect. If Greenwald and Poitras had immediately flown to Hong Kong, it still might have left Snowden an escape window. But of course things do not always go as planned.
Greenwald, although agreeing to come to Hong Kong, waited in New York for two days while the Guardian editors completed their due diligence. Poitras waited with him. As a result of this delay, as we know, Greenwald and Poitras did not arrive at his hotel in Hong Kong until June 3, only hours before Snowden became suspect at the NSA. “It
was a nervous period,” Snowden recalled. Although he bravely told The Guardian “there was no risk” that the information he carried had been compromised by other parties in Hong Kong, that claim was, at best, wishful thinking on his part.

By this time, he had registered at the hotel under his true name and provided his credit card; he was in contact with three high-profile journalists, two well-known hacktivists, and, as he suggested to Gellman, a foreign diplomatic mission.

The mission’s interest would likely be piqued when the newspaper published its first story on June 6. Greenwald then went on TV in Hong Kong, revealing to every interested intelligence service that a defector from the NSA was in Hong Kong providing secret documents. Poitras released the famous video showing Snowden and secret NSA documents three days later. At this point, Snowden shone brightly as a beacon to NSA secrets to every player in the intelligence game, even if they did not know the extent of the damage he could inflict on American intelligence.

Snowden fogged over his travel plans to the media by telling reporters that he intended to remain in Hong Kong and fight extradition, but certainly the Russian officials whom he contacted became aware that he had other plans, having relayed his request to go to Russia to their superiors in Moscow. And, unlike the media, any sophisticated intelligence service was well aware of his movements. In Hong Kong, cell phones emit their GPS location every three seconds; even if Snowden disabled his own phone, lawyers and helpers could be tracked with ease.

China’s president, Xi Jinping, who was meeting President Obama for the first time in Rancho Mirage, California, on June 8, would have been keenly interested in the unfolding Snowden affair.
Obama had publicly called Xi to task for Chinese cyber espionage, and now that charge was undermined by Snowden’s accusation that the United States was engaged in massive cyber espionage. U.S. intelligence verified that China instituted a full-court press of Snowden in Hong Kong immediately after the release of the video. From that moment on, any communication or movement Snowden made
during his next fifteen days in Hong Kong would not likely escape China’s scrutiny.

The United States had the ability to also follow Snowden’s movements via the cell phones of his lawyers and other confederates after he surfaced. All tracking could be done by the NSA. What the United States lacked was any practical means to capture a high-profile intelligence defector in a city that was part of China. By this time, U.S. intelligence had established that Chinese and Hong Kong security services were monitoring Snowden’s every move. This left few options in the game for the United States. “I’m not going to be scrambling jets to get a twenty-nine-year-old hacker,” President Obama said on June 27.

The real prize, in any case, was not Snowden but the NSA’s secret documents that he had with him. When Snowden was observed entering the Russian consulate, the game was all but over. U.S. diplomats could protest over back channels to Moscow, as they did, but with a trove of NSA secrets at stake there was little expectation that would stop the Russians. Two days later, the “single point of failure,” as Snowden described himself, was on his way to Russia, where his hosts would be calling the shots.

When a victory is obtained in a major sports event, it is cause for public celebrations. The opposite is true in espionage. An intelligence victory involving secret documents, even if it cannot be entirely hidden, is kept veiled, as far as is possible, to increase the value of the coup.
“The final move in any sophisticated intelligence game,” Angleton told me in relation to espionage intelligence, is “obscuring a success.”

Following Angleton’s precept, the Russian or Chinese intelligence services, if they had a role in acquiring the product of the self-described “single point of failure,” would work to cover their tracks in the affair even before the Aeroflot plane carrying Snowden touched down at Sheremetyevo International Airport on June 23. If any false flag operations had been used to trick, mislead, or otherwise induce Snowden to come to Hong Kong, they would be disbanded. If any safe house had been used to quarter Snowden in his first eleven days in Hong Kong, it would be shut down. If any operatives had been
used in Hawaii to guide or assist Snowden, they would be put back into sleeper mode. If any telltale traces had been left in chat rooms or social media, they would be systematically deleted. Even more important to the ultimate success of such a communications intelligence coup, measures would be taken to conceal the extent of the damage done by the “single point of failure” by not precipitously closing down compromised sources.

Snowden might believe that the power of the information he held was so great that if disclosed by him, all the NSA’s sources would immediately go dark in Russia and China, but Russia might not wish to provide such clarity to its adversaries. An intelligence service need not close down channels it discovers are compromised by an adversary. Instead, it can elect to continue to use them and furnish through them bits of sensitive or misleading information to advance its own national interest. The real danger here was not that the NSA’s “lights” would dramatically be extinguished but that all the future messages illuminated by those lights would be less reliable sources of intelligence. The game of nations is, after all, merely a competition among adversaries to gain advantages by the surreptitious exchange of both twisted and straight information.

To review: When the NSA asserted in the summer of 2013 that over one million documents had been compromised, it was recognizing the most massive failure in its sixty-year history. Not only were NSA secrets taken, but secret files from the CIA, the British GCHQ, and America’s cyber military commands had been compromised. It was, as Sir David Omand, the former head of the British GCHQ, described it, a “huge strategic setback” for the West. The genie could not be put back into the bottle. There is not a reset button in this game. The best that the NSA could do now was damage control while its adversaries took full advantage of the setback.
Several hundred U.S. and British intelligence officers worked around the clock in Washington, D.C., Fort Meade, Maryland, and Cheltenham, England, for months on end to determine which parts of the most powerful communications intelligence system in the world could be salvaged from what had been the Snowden breach.

Adding insult to injury, Snowden, speaking from his new perch in Moscow, told applauding audiences that the entire purpose of
the U.S. exercise, including deliberately “trapping” him in Moscow, was to “demonize” him. “There was no question that I was going to be subject to a demonization campaign.” Snowden said in Moscow, “They [Greenwald and Poitras] actually recorded me on camera saying this before I revealed my identity.” Snowden asserted this “demonization” was to divert attention from the government’s own crimes. By providing Snowden with this platform to rail against the putative machinations of the United States, Putin laid claim to the moral high ground.

Snowden’s motive in requesting documents from other foreign intelligence services, such as the GCHQ, and copying lists of NSA sources remains unexplained. It is difficult to believe that his motive was whistle-blowing, because these documents were not among those he gave to journalists in Hong Kong. Indeed, he did not provide the journalists with the lists of sources that were particularly relevant to the NSA’s surveillance of Russia. His legal representative in Moscow, Kucherena, confirmed that Snowden had taken secret “material” to Russia and had access to NSA documents that he had not given to journalists. Those unrevealed documents would be prized by many an adversary service. Did he use those documents as leverage in his transformation?

The role that Moscow might have played in Snowden’s defection clearly requires a closer examination of the machinations that brought Snowden to Russia. That is why I visited Moscow in October 2015.
PART FOUR
MOSCOW CALLING

Deception is a state of mind—and the mind of the state.
—JAMES JESUS ANGLETON
CHAPTER 24
Off to Moscow

They talk about Russia like it’s the worst place on earth. Russia’s great.
—EDWARD SNOWDEN, Moscow, 2015

Before flying to Moscow, I arranged to have dinner with Oliver Stone at an Italian restaurant on the Upper East Side of New York. I had greatly respected Stone’s ability as a film director after watching him work on Wall Street: Money Never Sleeps, a film in which I had a cameo role. I had also debated Stone about the historical accuracy of his 1991 movie JFK at Town Hall in New York. When we dined, he had just written, produced, and directed Snowden, an independently financed film depicting Snowden, as Stone put it, as “one of the great heroes of the twenty-first century.” In preparing for it, Stone had seen Snowden in 2013 and 2014 and had had a six-hour meeting with Putin.

I wanted to talk to Stone not to learn about the film but to learn how he had gained access to Snowden in Moscow. I knew from the documents taken from Sony Pictures Entertainment—allegedly by North Korea—that Stone had paid The Guardian $700,000 for the film rights to The Snowden Files, a book written by Luke Harding.
These documents also revealed that Stone had paid Anatoly Kucherena, Snowden’s legal representative in Moscow, $1 million, supposedly for the rights to his novel, Time of the Octopus. Even by Hollywood standards, $1 million was an extraordinary sum to pay for a yet-to-be-published work of Russian fiction, and it was especially striking because Stone was making a fact-based movie using the actual names of the characters, and he had already bought the rights to The Snowden Files.

“Is your script based on Kucherena’s Time of the Octopus?” I asked.

“No,” Stone replied. “I haven’t used it.” He said that the payment was for what he termed “total access.” He explained that Barbara Broccoli and Michael G. Wilson, the producers of the James Bond franchise, had optioned Greenwald’s book No Place to Hide to make into a movie about Snowden for Sony. Stone said that the million-dollar deal with Kucherena effectively guaranteed that any competing project would not have access to Snowden. Sony consequently put the competing film on hold.

Lawyers often negotiate deals on behalf of a client, but blocking a competing film requires considerably more influence with the powers that be in Russia. Kucherena, though, was no ordinary lawyer. Among other influential positions, I noted earlier, he was on the public board of the Russian federal security bureau, which had assumed the domestic operations of the defunct KGB in April 1995. In light of such connections, Stone said Kucherena might be acting as an intermediary for other parties who controlled access to Snowden in Russia. In any case, his concern was making a movie, and Kucherena delivered the exclusive access to Snowden. Aside from being a skilled director, Stone is a shrewd producer who knows how to close a deal. He assessed, correctly as it turned out, that his project coupled with the payment to Kucherena would effectively block Sony’s competing project.
Where the money went was far less clear.

Toward the end of our dinner, Stone told me that he did not know I was writing a book about Snowden until a few weeks earlier. He learned of my book from Snowden himself. He said Snowden had
expressed concern to him about the direction of the book I was writing.

“What is it about?” Stone asked me.

I was taken aback. I had no idea that Snowden was aware of my book. (I had not tried to contact him.) I told Stone that I considered Snowden an extraordinary man who had changed history and was intentionally vague in my description of my book’s contents. Stone seemed to be reassured, so I asked him about the possibility of my seeing Snowden in Moscow. He said that I “might want to speak to Anatoly [Kucherena].”

Kucherena, it seemed to me, was clearly Snowden’s gatekeeper. In Snowden’s two years in Moscow, he, or his handlers, had granted only a handful of face-to-face press interviews. Most of these were with the journalists who had published his story, but one was with James Bamford for his 2014 Wired piece. According to Bamford, it took nearly nine months to arrange the meeting. “I have been trying to set up an interview with him [Snowden]—traveling to Berlin, Rio de Janeiro twice, and New York multiple times to talk with the handful of his confidants who can arrange a meeting,” Bamford recounted in Wired. After my dinner with Stone, I hoped to find a quicker route.

I was advised by a Moscow-based journalist that I needed a “fixer,” the curious term that journalists commonly use to describe a local intermediary who arranges appointments in foreign countries. I retained Zamir Gotta, a highly respected TV producer in Moscow, who I was told had helped “fix” the Bamford interview with Snowden. “There is only one door to Snowden,” Zamir wrote to me. “His name is Kucherena.” Zamir said Kucherena rarely saw journalists, but he had a contact in his office. He further told me Kucherena required any journalist seeking an interview with Snowden to submit his questions to the lawyer two weeks in advance and, if approved, to sign a document stating he would not deviate from the questions.
Next, my questions had to be translated from English to Russian (even though Snowden does not speak Russian) and then vetted by Kucherena’s staff. Zamir also suggested I stay at the Hotel National in Red Square because Snowden had gone there for previous meetings with Bamford. So I sent Kucherena, via Zamir, ten questions that I wanted to ask Snowden.

I next obtained a multi-entry Russian visa from the Russian consulate in New York and booked myself a room in the Hotel National. My night flight from New York to Moscow took just less than eight hours and landed at Terminal D of Sheremetyevo International Airport at 7:40 a.m. on October 29, 2015. I did not immediately proceed through passport control, in part because I wanted to explore the transit zone in which Snowden was supposedly trapped for six weeks.

Sheremetyevo Two, where all international flights land, was built in the waning days of the Cold War for international passengers arriving for the Moscow 1980 Summer Olympics. It was modernized in 2010, including opening a walkway that connects Terminals D, E, and F for transit passengers.

Snowden had vanished, at least from public view, in this complex of terminals for nearly six weeks in the summer of 2013. His explanation to journalists, as will be recalled, was two part. First, he said he had planned to board the next flight to Cuba and from there proceed to Ecuador. He said that he was unable to board this flight because his passport had been invalidated by the U.S. government while he was flying to Russia. Second, after discovering his passport had been revoked, he stayed in a capsule hotel in the transit zone for the next thirty-nine days.

To better understand the plausibility of his version of those events, I proceeded through the transit passage to Terminal F, where Snowden’s plane from Hong Kong had landed at 5:15 p.m. Moscow time on June 23, 2013. Snowden did not go through passport control upon arrival.
Before any of the other passengers were allowed to disembark from the plane, Russian plainclothes officers from the special services boarded the plane and asked both Snowden and Sarah Harrison, his WikiLeaks-supplied “ninja,” to accompany them to a waiting car that whisked them away. According to the account in Izvestia, “A special operation was conducted for his reception and evacuation.” It further said, “Snowden’s flight to Moscow was coordinated with the Russian authorities and intelligence services.”

If not for the “special operation,” he could have easily gone by foot
to Terminal E. It is a nine-minute walk through the transit passageway. Snowden, though, had one good reason for not going to Ecuador, even if Russia had permitted it. He believed that he would be vulnerable to rendition by the U.S. government in Ecuador. “If they [the U.S. government] really wanted to capture me, they would’ve allowed me to travel to Latin America, because the CIA can operate with impunity down there,” he explained in the previously cited interview with Katrina vanden Heuvel, the editor of The Nation, in 2014. He had already discussed the likelihood of his being captured in Ecuador with Assange before his departure for Moscow. He later told Alan Rusbridger, the editor of The Guardian, that he considered himself at risk in Latin America. So why would Snowden, who told Greenwald that his “first priority” was his own “physical safety,” leave the comparative safety of Russia to put himself in jeopardy in Ecuador? He had not obtained a visa to Ecuador at its consulate in Hong Kong, as Kucherena confirmed. The Ecuador destination was, as we have seen, a cover story put out by Assange and his associates, and it worked with the press.

Over a hundred reporters and photographers scrambled aboard Aeroflot Flight SU150 to Cuba the next morning in response to this anonymous tip on a website, but Snowden was not aboard that flight and was not seen in Terminal E. By the time the plane landed in Cuba, Aeroflot denied that anyone named Snowden had ever been booked on any of its flights to Cuba, a denial it continued to repeat to every reporter who queried the airline for the next six weeks.

The first news that Snowden was still in Russia came on July 1, 2013.
A statement posted on the WikiLeaks website—and signed “Edward Snowden”—after thanking “friends new and old” for his “continued liberty,” accused President Obama of pressuring “leaders of nations from which I have requested protection to deny my asylum petitions.” It added, “This kind of deception from a world leader is not justice, and neither is the extralegal penalty of exile. These are the old, bad tools of political aggression.” In fact, Snowden had not suffered a “penalty of exile,” because his passport was still valid for returning to the United States, but that was not an option for him as the statement made clear.
Because the Aeroflot flight to Cuba was the only means of getting directly from Moscow to Latin America, Russian reporters, encouraged by WikiLeaks posts, continued taking the daily eleven-hour flight to Cuba until August 1. The charade only ended when Kucherena said in a press conference at the airport that Snowden would be taking up residency at an undisclosed location in Moscow and walked out of the airport with Snowden.

Sarah Harrison, Snowden’s companion on the plane to Moscow, told Vogue that she and Snowden for thirty-nine days had shared a windowless room in the transit zone of the airport where they watched TV, washed their clothes in a sink basin, and ate meals from the nearby Burger King. The only hotel with windowless rooms in the transit zone in 2013 was the Vozdushny V-Express Capsule Hotel, located next to a newly opened Burger King.

The polite V-Express desk clerk, who spoke English, showed me the standard windowless double room. It was approximately twenty-four square feet in area. Most of the floor space was taken up by twin beds. Across from the bed, behind a plastic curtain, was a stall with a shower, a toilet, and a sink. It would be very cramped quarters for two people to share for such an extended period. It cost 850 rubles an hour (about $18 in 2013). For thirty-nine days, that hourly charge would have added up to $16,600. Snowden claimed to the BBC that he brought a large cache of cash to Russia, which he could have used to pay the hotel. But such a long stay was not allowed, according to the desk clerk. The maximum stay allowed by the hotel was twenty-four hours. So either the rule was waived for Snowden, or Harrison did not tell the full truth.
I learned from a former KGB officer that there are VIP quarters beyond the confines of the airport, including suites at the four-hundred-room Novotel hotel, which is located about seven miles away, that are used for debriefing and other purposes by the security services. According to him, the security services are not restricted from entering and leaving the transit zone.

The possibility that Snowden was staying elsewhere would help explain the futile search for him by a large number of reporters over those thirty-nine days. When they learned from tweets that Snowden was not aboard the plane to Havana on June 24, for weeks
they aggressively questioned all the restaurant employees, security guards, and airport personnel they could find. They also bought business-class tickets on flights just to gain access to VIP lounges in the transit zones. Despite this intensive search, none of them found a single person who had seen Snowden, although his image was constantly shown on airport TV screens. Egor Piskunov, a reporter for RT television, even rented a room in the V-Express Capsule Hotel and “tipped” hotel employees, trying, without success, to get information. Piskunov told me, “It was a total vanishing act.”
CHAPTER 25
Through the Looking Glass

There’s definitely a deep state. Trust me, I’ve been there.
—EDWARD SNOWDEN, Moscow, 2014

While waiting to hear back from Kucherena’s office, I arranged to meet with Victor Cherkashin, who had been one of the most successful KGB spy handlers in the Cold War. Cherkashin, born in 1932, had served in the KGB’s espionage branch from 1952 until 1991 and now operated a private security firm in Moscow. I was particularly interested in his recruitment of three top American intelligence officers: Aldrich Ames of the CIA, Robert Hanssen of the FBI, and Ronald Pelton of the NSA. I hoped that seeing these intelligence coups through the eyes, and mind-set, of their KGB handler might provide some historical context for the Snowden defection. So I invited Cherkashin to lunch at Gusto, a quiet Italian restaurant, located near the Chekhov Theater in Moscow.

Cherkashin, a tall thin man with silver hair, showed up promptly at 1:00 p.m., wearing an elegant gray suit and dark tie. He walked with a spry step. Because he had served in counterintelligence in the Soviet embassy in Washington, D.C., for nearly a decade, he spoke flawless English.
I began by asking him about one of the more celebrated cases he had handled for the KGB, that of Ames, who had acted as a Russian mole in the CIA between April 1985 and January 1994. In those nine years, he rose, or was maneuvered by the KGB, into a top position in the CIA’s highly sensitive Counterintelligence Center Analysis Group, which allowed him to deliver hundreds of top secrets to the KGB. In return, according to Cherkashin, Ames received between $20,000 and $50,000 in cash for each delivery, which amounted to $4.6 million over the nine years.

I asked Cherkashin about the weakness the KGB looked for in an American intelligence worker that might lead him to copy and steal top secret documents. How did he spot a potential Ames? Was it a financial problem? Was it a sexual vulnerability? Was it an ideological leaning?

“Nothing so dramatic,” he answered. When assessing Ames’s biographical data, Cherkashin said he was looking for a well-placed intelligence officer who was both dissatisfied with and antagonistic to the service for which he worked.

“The classic disgruntled employee,” I interjected.

“Any intelligence officer who strongly feels that his superiors are not listening to him, and that they are doing stupid things, is a candidate,” he continued. He said he had found that the flaw in a prospect that could be most dependably exploited was not his greed, lust, or deviant behavior but his resentment over the way he was being treated.

“Is that how you spotted Ames?”

“Actually, he approached us, not vice versa.” It was his job in the CIA to approach opposition KGB officers. “But, yes, we saw the potential,” he said.

Because Ames had been paid $50,000 in cash by Cherkashin for his first delivery, I asked whether he fit into the category of a disgruntled employee. “Wasn’t he just a mercenary?” I asked.

“I knew from our intelligence reports that he needed money for debts stemming from his divorce,” he answered.
“But he was also angry at the stupidity and paranoia of those running the CIA. Ames told me at our first secret meeting that they were misleading
Congress by exaggerating the Soviet threat.” Cherkashin evaluated Ames as a man who felt not only slighted by his superiors but “helpless to do anything about it” within the bureaucracy of the CIA. “The money we gave, even if he could spend only a small portion of it, gave him a sense of worth.” He explained that the KGB had an entire team of psychologists in Moscow that worked on further exploiting Ames’s resentment against his superiors.

The search for an adversary intelligence officer who resents his service was not limited to KGB recruiters. It was also the “classic attitude” that the CIA sought to exploit in its adversaries, according to a former deputy director. “You find someone working for the other side and tell him that he is not receiving the proper recognition, pay, and honors due him,” Morell said, pointing out that the same “psychological dynamic” could be used to motivate someone to “act alone” in gathering espionage material.

I next turned to an even more important KGB coup with Cherkashin: the Robert Hanssen case. From the KGB’s perspective, Hanssen was an extraordinary espionage source. He was a walk-in who never entered the Soviet embassy or met with KGB case officers, but in working as a KGB mole between 1979 and 2001, he had delivered even more documents to the Russian intelligence services than Ames. Cherkashin learned of this potential spy when he received an anonymous letter from him identifying an FBI source in the Soviet embassy. When that tip proved to be accurate, Cherkashin got the resources he needed from the KGB to develop this source. From the start of his work for the KGB, Hanssen laid down his own rules. The KGB would deliver cash from which all the fingerprints were removed to locations, or “dead drops,” he specified. He would deliver documents exposing FBI, CIA, and NSA sources and methods in another dead drop. The KGB would precisely follow his instructions.
Cherkashin told me that Hanssen’s “astounding self-recruitment” was executed in such a way that the KGB never actually controlled him. “He was our most important mole and we didn’t ever know his identity, where he worked, or how he had access to FBI, CIA, and NSA files.” Even so, the KGB (and later the SVR) paid him $600,000 in cash. In return, the anonymous spy delivered twenty-seven computer disks containing hundreds of secret documents revealing the sources and methods of American intelligence. According to Cherkashin, it was the largest haul of top secret documents ever obtained by the KGB (although it was only a small fraction of the number of top secret NSA, Department of Defense, and CIA documents taken by Snowden in 2013). Cherkashin told me the price paid by Moscow was a great bargain because it helped compromise “the NSA’s most advanced electronic interception technology,” including a tunnel under the Soviet embassy. Yet it was only after newspapers reported that Hanssen had been arrested by the FBI in February 2001 that Cherkashin learned the name and position of the spy he had recruited.

Cherkashin told me that what mattered to the KGB was not “control” of an agent but the value of the secrets he or she delivered. “Control is not necessary in espionage as long as we manage to obtain the documents.” So in the eyes of the KGB, anyone who elected to provide it with U.S. secrets was a spy.

“All we knew was that he delivered valuable documents to us and asked for cash in return,” he said. “We didn’t control him; he controlled us.”

An uncontrolled mole who provided secrets to the KGB and the SVR for twenty-two years was very different from fictional moles in the spy movies. I asked whether it would have been better if the KGB had him under its control.

“Possibly,” Cherkashin answered. “But as it turned out, Hanssen was by far our most valuable penetration in the Cold War.”

“Could Hanssen really be called a mole?” I asked.

“A ‘mole’ is a term used in spy fiction,” he said. “We prefer the more general term ‘espionage source.’”

“So anyone who delivers state secrets to the KGB, for whatever reason, is an espionage source?” I asked.

“Certainly, if the information is valuable to us,” Cherkashin answered.
“If some unknown person simply delivered a trove of top secret communications secrets to the doorstep of Russia, would it be accepted?” I asked with Snowden in mind.
“I can’t say what the SVR would do today. I am long retired,” he said, with a nostalgic shake of his head. “But in my day, we needed some reason to believe the gift was genuine.”

“Would you need to vet the person delivering it?”

“With Hanssen we did not have that opportunity,” he said. “If we believed the documents were genuine, we would of course grab them.”

The final recruitment I asked Cherkashin about was that of Ronald Pelton, the civilian employee of the NSA who had retired in 1979. Pelton had left the NSA without taking any classified documents with him. After retiring, he had financial difficulties, and he sought to get money from the KGB. On January 14, 1980, he walked into the Soviet embassy in Washington, D.C., and asked to see an intelligence officer. After he was ushered into a secure debriefing room, he said that he had information that Russia would find interesting, but he wanted money in return. What interested me about the Pelton case was that Cherkashin proceeded to recruit Pelton, even though he was no longer working at the NSA and no longer had access to the NSA. In addition, because the FBI had twenty-four-hour surveillance on the embassy, Pelton had almost certainly been photographed entering it and had also possibly been recorded asking for an intelligence officer by electronic bugs that the KGB suspected the NSA had planted there.

What did the KGB do in a situation in which a former civilian employee at the NSA possessed no documents? Despite the risks involved, Cherkashin decided Pelton had to be debriefed by communications intelligence specialists. So he had him disguised as a utility worker and smuggled out in a van to the residential compound of the ambassador in Georgetown. A few days later, he was dropped off at a shopping mall.

“Why did you go to such effort if Pelton had neither documents nor access to the NSA?” I asked.
“It was the information in his head that we wanted.” Cherkashin said that because the KGB rarely got access to any NSA officer, it was worth the risk. So Pelton was given $5,000 in cash and a plane ticket to Vienna, where he was domiciled at the residence of the Soviet ambassador to Austria. A KGB electronic communications expert, Anatoly Slavnov, was then sent to Vienna to supervise the
Pelton debriefings. The debriefing sessions, which went on for fifteen days, were from 8:00 a.m. to 6:00 p.m. In them, Pelton managed to recall Project A, a joint NSA-CIA-navy operation in which submarines surreptitiously tapped into Soviet undersea cables in the Sea of Okhotsk, which connected to the Soviet Pacific Fleet’s mainland headquarters at Vladivostok. Pelton received another $30,000 from the KGB.

“Did the information in his head prove valuable?” I asked.

“As long as the NSA didn’t know the tap was compromised by Pelton, we could use the cable to send the NSA the information we wanted it to intercept.” He said that while actual NSA documents would have proved more useful than someone’s memories, “Our job is to take advantage of whatever we can get.”

Two years later, Pelton was again flown to Vienna for another debriefing to see if he could recall any further details. According to Cherkashin, the KGB’s job was to leave no stone unturned when it came to the NSA’s sources. In 1985, the KGB’s task ended when Pelton was arrested by the FBI. Like Ames and Hanssen, Pelton was sentenced to life imprisonment.

Looking at his watch, Cherkashin politely excused himself.

I subsequently spoke to Colonel Oleg Nechiporenko, who had been a foreign intelligence officer in the KGB between 1958 and 1985 and continued his intelligence work until recently as chief counterterrorism expert of the Russian-led Collective Security Treaty Organization. Over a leisurely coffee in the bar of the Hotel National, he told me that many “walk-ins” who contacted Soviet officials in his time were emotionally disturbed, but all of them had to be assessed for possible intelligence value. “Our job was to find espionage sources,” he said with a twinkle in his eye.
“The Internet has changed the espionage business since secret documents can be massively downloaded by an unhappy employee,” he said, “but they still need to be assessed by a professional.”

Through the eyes of the KGB, a penetration of American intelligence was clearly opportunistic. If these practices continued, they put Snowden’s situation in a new light for me. If Russian intelligence considered it worthwhile to send a former civilian worker at the NSA, such as Ronald Pelton, two thousand miles from Washington, D.C., to Austria so that its specialists could debrief him on the secrets he held in his head, it would have an even greater interest in exfiltrating Snowden from Hong Kong to get, aside from his documents, whatever secrets he held in his head. If Russian intelligence were willing to opportunistically accept the delivery of U.S. secrets from an unknown espionage source that it neither recruited nor controlled, such as Hanssen, it would obviously have little hesitancy in acquiring the secrets that Snowden had stolen of his own volition, even if Snowden had acted for idealistic reasons.

If Russian intelligence focused its search pattern on disgruntled American intelligence workers, such as Ames, it is plausible that it spotted Snowden through his Internet rants against U.S. surveillance. Even if it had missed Snowden in Hawaii, a disgruntled former civilian employee at the NSA would have received its full attention after he contacted Russian officials in Hong Kong. While the tactics of the SVR might have changed since Cherkashin retired, its objectives remained the same. And the NSA remained its principal target. Nor is there any reason to doubt that it still measures success in its ability to obtain, by whatever means, the secret sources and methods of its adversaries. Snowden was in a position, with both the documents he had taken and the knowledge he had in his head, to deliver the KGB such a coup.
CHAPTER 26
The Handler

As for [Snowden’s] communication with the outside world, yes, I am his main contact.
—ANATOLY KUCHERENA, Moscow, 2013

On November 1, I still had not been able to make contact with Anatoly Kucherena, and my flight back to New York was in five days. My fixer, Zamir, had been trying to arrange an appointment for three weeks, but he had only received one callback from Kucherena’s assistant, Valentina Kvirvova. She wanted to know how I knew Oliver Stone. Zamir told her of my part in Stone’s movie. That was the last he had heard from her. Meanwhile, a Moscow-based journalist told me that she had waited eighteen months to hear back from Kucherena before giving up. I also learned from a Russian researcher that Kucherena had not given a single interview since his television interview with Sophie Shevardnadze on September 23, 2013. And no Russian journalist, or any Moscow-based foreign journalist, had ever obtained an interview with Snowden. At this point, Zamir was becoming increasingly doubtful about my getting access to either Kucherena or Snowden.

I turned to another contact in Moscow. When I had been investigating the 2006 polonium poisoning of the former KGB officer
Alexander Litvinenko, I had interviewed Andrei Lugovoy. A former KGB officer assigned to protecting the Kremlin’s top members in the 1990s, Lugovoy later opened his own security company. In 2005, he became a business associate of Litvinenko’s in gathering information and made regular trips to London to meet with him. Because he had tea with Litvinenko at the Pine Bar of the Millennium Hotel in London on November 1, 2006, the day Litvinenko was poisoned, he became the main suspect in the British investigation. He could not be extradited, however. After reconstructing the chronology of the crime, I established that Litvinenko had been contaminated with polonium at a Japanese restaurant some four hours before his tea with Lugovoy. I therefore wrote that the crime scene might not have been at the Pine Bar, a finding that he said he greatly appreciated.

Lugovoy was elected to the Duma in 2007 and also hosted a twenty-four-part television series on espionage for which Putin personally decorated him. He was also now reputed to be in the inner circle of power in Moscow. So I called him.

We arranged to meet in the bar of the Hotel National. A short but well-built man with a bullet-style haircut, Lugovoy showed up promptly at 1:00 p.m. After discussing some of the subsequent developments in the still-lingering polonium investigation, I asked him if he knew Kucherena.

“I don’t know him, but I know someone who does,” he answered. “Why are you interested in seeing Kucherena?”

I told him that I wanted to speak to him about Snowden but I had been unable to arrange a meeting.

“That’s no problem,” he said, raising his cell phone (which never left his hand). He hit a number on the speed dial and spoke rapidly in Russian (which I do not understand). He cupped his hand over the phone and asked how long I would be in Moscow. After I told him that I was leaving that Friday, he spoke again in Russian to the person on the other end.
“You will have an appointment on Thursday,” he said.

Later that afternoon, Valentina, Kucherena’s assistant, called to say that Kucherena would be happy to see me at his office at 6:00 p.m. on Thursday. I didn’t ask Lugovoy whom he had called. Whomever Lugovoy called obviously had the power to arrange the meeting.
When I arrived at Kucherena’s office, I was with my translator Zamir. (Kucherena did not speak English.) I arrived ten minutes early, and a receptionist showed me into a well-lit square room with an elegant table in the center. There was a sumptuous basket of exotic fruits on the table and large portraits of racehorses on the walls.

Another door opened, and a tall, graceful woman came into the room and introduced herself as Valentina. She was wearing a well-fitting black dress, a striking jade necklace, and high heels. When she asked whether we would like anything to drink, it seemed more like the prelude to an elegant dinner party than an interview about Snowden.

Valentina spoke very good English. She apologized for the delay in responding to my requests, explaining that she received “thousands of requests” for interviews and did not have time to answer them. When I asked how many were answered, she shrugged and said, “Not many.”

At that moment, Kucherena entered with a jaunty step, a cherubic face, and untamed white hair. He was wearing gray slacks, a partially buttoned cashmere polo sweater, and a fully engaging smile.

As I had learned from his entry in Wikipedia, he was born in a small village in the Soviet Socialist Republic of Moldavia in 1960 and had obtained his law degree from the All-Union Correspondence Law Institute in 1991. He opened his own law firm in Moscow in 1995. Kucherena’s well-known friendship with Putin had evidently not hurt his law practice. His clients had included such well-connected defendants as Viktor Yanukovych, the president of Ukraine overthrown in 2014; Grigory Leps, a Russian singer blacklisted by the United States for allegedly acting as a money courier for a Eurasian criminal organization; Valentine Kovalev, a former Russian minister of justice charged with corruption; and Suleyman Kerimov, a civil servant from Dagestan who had amassed an estimated fortune of $7.1 billion. Kerimov had recently been charged for manipulating the price of potash in Belarus. Most of these clients were reputed to be part of Putin’s inner circle.

To break the ice, I asked Kucherena about Oliver Stone. I knew he had a small role in Stone’s forthcoming movie, in which he plays Snowden’s lawyer in Moscow.
“I was impressed by how few takes he needed to shoot my scene,” he answered.

“How did you come to be Snowden’s lawyer?” I asked.

“Snowden picked me from a roster of fifteen lawyers with which he had been provided.”

Because Snowden did not speak or read Russian, I asked Kucherena about how Snowden had come to pick him from the roster. Could he have known about his connections?

“I suppose it was because of my record in defending human rights,” Kucherena replied with a broad smile.

Kucherena went to Sheremetyevo International Airport to meet his new client on the morning of Friday, July 12, 2013. At that point, he said that Snowden had been held virtually incommunicado for twenty days. Other than Russian officials, the only person he had been allowed to see during this period was Assange’s aide, Sarah Harrison.

“Where in the airport did you meet him?” I asked. “Was it in a VIP lounge?”

“It was in the transit zone,” he replied coyly. “That is all I can say.”

They spoke through a translator. By this time, Harrison had sent twenty-one countries petitions for asylum that were signed by Snowden. Whatever their purpose, Kucherena did not consider them helpful.

“I told him that if he wanted to get sanctuary in Russia, he would have to immediately withdraw all the petitions in which he had asked other countries for asylum.” Kucherena said that otherwise he could not represent him. Snowden agreed to that condition.

Shortly before 5:00 p.m., Kucherena accompanied Snowden, who was wearing an open-neck blue shirt and a badly creased jacket, to area Gg in the transit zone, where they emerged from a door marked “Authorized Personnel Only.” A number of officials in dark suits, who Kucherena assumed were from the “special services” to protect Snowden, were already in the room. Snowden and Harrison seated themselves at a table. A Russian translator was also seated at the table.

At this point, thirteen invitees were ushered into the room to witness Snowden’s first public appearance in Russia. It was rare if not unprecedented for an American intelligence worker to seek asylum in Russia.

These invitees included some of Putin’s close associates, pro-government activists, and representatives of both Amnesty International and Human Rights Watch. “It was totally bizarre,” said Tanya Lokshina, the deputy director of Human Rights Watch, who attended. “Although it was billed as a press conference,” she recalled, “there was no press or photographers allowed in the room.” Nor was anyone allowed to photograph or record the event.

Snowden read from a prepared statement accusing the U.S. government of violating the Universal Declaration of Human Rights, saying he was a victim of political persecution, and concluding, “I will be submitting my request to Russia today [for asylum], and hope it will be accepted favorably.” After answering a few questions posed by the audience, he left the room with Kucherena and Harrison by the same door they had entered.

In discussing this meeting, Kucherena told me that Snowden had not intended to seek asylum in Russia when he arrived on June 23. Because he also said he had not met Snowden prior to the day of the conference, I asked how he knew Snowden’s intentions.

“When I accepted the case, I received Snowden’s dossier,” he answered. “I was able to see all his interviews.”

Presumably, Snowden’s dossier included his interviews with the FSB, the SVR, and other Russian security services. If so, it would explain how Kucherena could be so certain that Snowden had brought “material” with him to Russia that he had not provided to journalists in Hong Kong. Before meeting with Kucherena, I had met with Sophie Shevardnadze, who told me that Kucherena had personally approved the translation of their interview into English. So I asked Kucherena about the interview. It will be recalled that in response to a question about whether Snowden had secret material with him in Russia, Kucherena had said “certainly.” Was this exchange accurate?

“It was accurate,” he answered.

Snowden, as we know, had said in Hong Kong that he had only given journalists some of the state secrets he had stolen and that he deemed others too sensitive for journalists. So I wanted to find out from Kucherena which documents Snowden had taken to Russia. I went about it in a roundabout way. When Shevardnadze asked him about the secret material Snowden might reveal in Russia, Kucherena pointedly called her attention to Snowden’s CIA service, suggesting that he might possess CIA files. I also knew that in Kucherena’s roman à clef, he had Joshua Frost, the thinly veiled Snowden-based character, steal a vast number of CIA documents that could do great damage to U.S. intelligence. By retaining them, Frost made himself a prime target of the CIA. So I asked, “Is Joshua Frost fact or fiction?”

“I can’t tell you that,” he said. “If I said he was Snowden, it would violate the attorney-client privilege.”

“I understand,” I said. “But did Snowden do what Frost did in your book?”

“That is for you to decide,” he answered with a sly smile. “It’s my first novel.”

When I asked if he could arrange for me to see Snowden, he said that first I would have to submit my questions to Ben Wizner, Snowden’s American lawyer at the ACLU. He made it clear to me that the exposure of Snowden to journalists, or at least the vetting of journalists, had been outsourced to Wizner. Kucherena was handling Snowden’s liaisons with the Russian authorities while Wizner was handling the Snowden narrative, including selecting the media outlets. Presumably, Wizner had handpicked Snowden’s past interviewers in Moscow, including Barton Gellman, James Bamford, Brian Williams, John Oliver, Alan Rusbridger, and Katrina vanden Heuvel.

“After that, the final decision is up to Snowden,” he said.

That seemed to conclude the interview, but as I got up to leave, he added, “His legal defense is fairly expensive.”

Snowden had said in a BBC interview in 2015, as previously mentioned, that he had brought enough cash to Hong Kong and Russia to cover all of his expenses. So I asked Kucherena if Snowden had brought his own funds.

“He was penniless when he arrived,” he replied.

I found that answer plausible because the FBI reportedly had not found a large cash withdrawal from his account before his departure and it seemed to me too risky for him to carry a large sum of undeclared cash through three airports. Because large sums of cash must be declared, the detection of the money could compromise his plan to deliver his NSA documents. Snowden might have told the BBC he had brought cash to allay suspicions about who was financing his stay in Moscow. I was intrigued by this remark. Snowden, as far as I knew, didn’t need a legal defense, because he was not charged with a crime in Russia and the United States had no extradition treaty with Russia.

While Kucherena unfortunately did not arrange an interview with Snowden, he did something I considered more important. He confirmed the accuracy of his September 2013 assertion that Snowden had brought secret material to Russia, material he had not given to journalists in Hong Kong. After what I had learned from Cherkashin about the lengths that Russian intelligence would go to obtain U.S. communications intelligence secrets, I viewed Snowden’s access to this material to be a crucially important part of the mystery.

That day, I immediately sent my questions to Ben Wizner, and I offered to fly back to Moscow if Snowden would grant me an interview. In March 2016, Wizner answered that Snowden had “respectfully declined.”
PART FIVE

CONCLUSIONS: WALKING THE CAT BACK

In solving a problem of this sort, the grand thing is to be able to reason backward.
—SHERLOCK HOLMES, A Study in Scarlet
CHAPTER 27

Snowden’s Choices

It is the choices we make that show who we truly are.
—J. K. ROWLING, Harry Potter and the Sorcerer's Stone

RUSSIAN AUTHORITIES had the opportunity to thoroughly debrief Snowden as to his motive for stealing state secrets, whereas U.S. authorities did not. It cannot be assumed that he had a single consistent motive in 2013. Snowden has shown, if nothing else, that he was adaptable to changing circumstances. He might have begun taking documents for one reason and found other reasons as he proceeded in his quest. Many of the reported circumstances of his activities, including his probes, contacts, theft, and escape, are disputed by his supporters. Many of his other activities are shrouded by the secrecy of the NSA.

We do know, though, that Snowden made four extraordinary choices during the nine-month period in 2013. If, as is said, actions speak louder than words, Snowden’s four choices illuminate the underlying concerns guiding his acts. In the case of a classified intelligence breach, as in the post-action analysis of a masterful chess game, the sequence of moves a player makes provides an important clue to his strategy. Let us review what we have already learned about these decisions.
The First Decision

The initial move that Snowden made in preparation for the Level 3 breach was switching jobs on March 15. Snowden chose to leave his job as a system administrator at Dell to take one at Booz Allen as an analyst in training. His motive could not have been money, because it was a lower-paying position. At the time he made this choice, he had already set up an encrypted channel with Laura Poitras for the purpose of sending her secret material. But he did not have to change jobs to send her important secrets. So what was his purpose in making this fateful choice?

The job change was not necessary to expose NSA domestic activities. If he had only wanted to be a whistle-blower, there were ample documents about the NSA’s activities already available to him on the NSANet. He also had access at Dell to the administrative file that contained the FISA court orders issued every three months to Verizon. In addition, as the NSA’s damage assessment established, before switching jobs, Snowden had already taken most of the documents pertaining to the NSA’s domestic operations that he could have supplied to Poitras and Greenwald for whistle-blowing purposes. Indeed, while still at Dell, he had told Poitras he had a copy of Presidential Policy Directive 20, a document in which President Obama authorized the NSA to tap into fiber cables crossing the United States. Snowden described it to her as “a kind of martial law for cyber operations, created by the White House.” True, he took a more recently issued FISA order and PRISM presentation in April after switching jobs, but he could just as easily have taken the January 2013 version of the FISA order from the administrative file of Dell. It would have had the same explosive effect in the media.

Nor did he switch jobs to lessen the risk of getting caught. Actually, the change put him in far greater jeopardy. At Dell, he was relatively safe from apprehension because he could take documents, such as the Presidential Policy Directive 20, from access points at the NSA shared by many of his peers, making it difficult to trace the theft. Indeed, if he just wanted to expose the NSA’s domestic operations, he could have done the entire operation at Dell. He could even have sent Poitras documents anonymously over his own Tor software and server. And he could have remained in his self-described “paradise” in Hawaii with his girlfriend.

When he chose to move to Booz Allen, the risk of exposure greatly increased because of its auditing system. Any documents he took without authorization could be traced back to him (though not in real time). As he later told Greenwald and Poitras, he knew that stealing documents at the Booz Allen job meant that he would either go to prison or escape from America. He didn’t want to face prison time, so the job change required an escape plan. As part of that plan, soon after he started work at the Booz Allen–managed facility, he submitted a request for a medical leave of absence.

We can safely assume that the reason he made this risky switch in employment was that he wanted something beyond the whistle-blowing documents. He wanted documents that were not available at the Dell job. One such document he took was the top secret Congressional Budget Justification book for fiscal year 2013. This “black budget,” as it is called in Congress, contained the entire intelligence community’s priorities for, among other things, monitoring the activities of potential adversaries and terrorist organizations. It specified the money requested not only by the NSA but by the CIA, the DIA, the National Reconnaissance Office, and other intelligence services. Snowden could not have objected to the budget’s being somehow secret or illegitimate, because it was duly approved by both houses of Congress and the president. If it was not for purposes of whistle-blowing, presumably he had another purpose for taking such a document.

It certainly held value to other actors. “For our enemies, having it [the black budget] is like having the playbook of the opposing NFL team,” said the former CIA deputy director Morell in 2015. “I guarantee you that the SVR, the Russian foreign intelligence service, would have paid millions of dollars for such a document.” If unlike Ames, Hanssen, and Pelton, Snowden was not after acquiring money, he must have seen another value in taking it. The documents he stole at Booz Allen certainly increased his value to adversary nations, because they included lists revealing the NSA’s sources in Russia, China, and other foreign countries.
Snowden wanted more than just NSA secrets. He used his new position and widened access at Booz Allen to go after secret documents from the intelligence services of Britain, Australia, New Zealand, and Israel. He revealed this operation only after receiving sanctuary in Russia. He told an interviewer that by moving to his new Booz Allen job as an infrastructure analyst, he gained the ability to pry secrets out of the allies of the NSA. “I had a special level of clearance, called ‘Priv Ac,’” he said. This “priv ac” status did not allow him to bypass the password protection at sealed-off compartments at the NSA, but it did allow him to request files from foreign services cooperating with U.S. intelligence.

By way of example, he described one file from the British GCHQ cipher service that he copied, stole, and provided to other parties. It exposed a legally authorized British operation to collect electronic data on terrorist matters in Pakistan by tapping into Cisco routers used by telecom companies in Asia. This GCHQ operation, as Snowden knew, violated neither British nor American law. He told a BBC interviewer in regard to that file, “What’s scariest is not what the government is doing that’s unlawful, but what they’re doing that is completely lawful.” So his criteria for taking such documents were not their illegality. In his five weeks at this Booz Allen job, he also used this same newly acquired “priv ac” at the NSA to steal files from the Israeli, Canadian, and Australian intelligence services.

Jumping from one outside contracting firm to another for the purpose of penetrating other Western intelligence services is not the conventional mission of a whistle-blower. In the parlance of CIA counterintelligence, the actions of an employee of an intelligence service who changes his jobs solely to steal the more valuable secrets of this service is called an “expanding penetration.”

It is not possible to believe that Snowden did not know the immense damage that the highly sensitive documents he was taking from the NSA and its allies could cause. His choice to switch jobs did not come out of the blue. It was not based on serendipitously discovering the documents after he began working at Booz Allen. As he told Lana Lam, he knew in advance that by switching to the job at Booz Allen, he would gain the opportunity to take the lists of NSA sources. He knew that the NSA’s secretive National Threat Operations Center’s chief business was, as its name suggests, countering direct threats from China, Russia, and other adversary states and that to deal with these threats, the NSA had used sophisticated methods to hack into the computers of adversaries. The NSA was even able to remotely gain entry to adversary computers that were not hooked into a network. “It’s no secret that we hack China very aggressively,” Snowden later said from Moscow. He had a planned target: getting the lists of the enemy computers that the NSA had hacked into.

He also knew he was undertaking a dangerous enterprise. He even mentioned the possibility that he would be “in an orange jumpsuit, super-max prison in isolation or Guantanamo,” perhaps even assassinated.

He knowingly chose this course presumably because he believed the value of the secrets he would obtain by switching jobs outweighed the risk of imprisonment. Or worse. Part of his calculus might have been the belief that the NSA lists, GCHQ documents, and other material in his possession could give him great leverage, if he chose to exert it, in his future dealings with intelligence services (including the NSA). His choice to widen his access was made, if not to get rich, to empower himself.

The Second Decision

The second choice of consequence that Snowden made was to make Hong Kong his first stop. He had many other options. He could have remained in America, as almost all previous whistle-blowers had chosen to do. If he did that, he would have to make his case in court (and, in that case, the Level 3 documents he took might have been retrieved before they fell into unauthorized hands). He could have also chosen to make an escape to a country that did not have an active extradition treaty with the United States. He could have, for example, taken a direct flight to Brazil, which has no extradition treaty with the United States. Brazil also had the advantage of being the home country of Glenn Greenwald, whose cooperation he sought. Snowden could have gone to many other countries without extradition treaties with the United States. Yet, instead, he flew to Hong Kong, which had an extradition agreement that had been enforced throughout the past decade with Hong Kong courts ordering the arrest of almost every fugitive charged by U.S. authorities. He could expect that when the United States filed a criminal complaint, Hong Kong authorities would seize him and the alleged stolen property of the U.S. government in his possession. Even if he were released on bail and successfully defeated extradition in a Hong Kong court, the Hong Kong authorities would almost certainly retain all the NSA and GCHQ files he had gone to such lengths to steal.

His reason, as he told Greenwald, was that China could provide him with physical protection from any countermeasures by U.S. intelligence agencies such as “American agents ... breaking down the door” of the hotel room and seizing him. China also had sway over Hong Kong’s security activities.

Hong Kong was therefore merely a protected stopover en route to his next destination. If he had gone directly to Moscow and provided the same journalists with the same documents at a press conference in Moscow, his status as a whistle-blower might have been viewed with less sympathy in the media. Even The Guardian, for example, might have been reluctant to publish a Moscow-based story revealing British and American communications intelligence secrets.

The Third Decision

The third choice Snowden made, and the choice that most effectively defined him to the public, was to reveal himself as the man behind the leak in a video in Hong Kong. He not only identified himself as the person who stole the government documents published by The Guardian and The Washington Post but also incriminated himself further on camera by allowing Poitras to film him actually disclosing the NSA’s secret operations to Greenwald. By disclosing classified data to Greenwald, an unauthorized person, he intentionally burned his bridges.

What makes this choice intriguing is that there was no evident need for him to expose himself in this way. If he merely wanted to be a whistle-blower, he could have, as Bradley Manning did, anonymously sent the documents to journalists as “Citizen Four.” In fact, in late May 2013, that was exactly what he did. He anonymously sent Gellman the PRISM scoop, which the Post published on June 6. He also sent Greenwald and Poitras documents while he was still the anonymous Citizen Four. Neither Gellman nor Greenwald had suggested the need for a face-to-face meeting with Snowden. Even after he had revealed his true identity to Poitras and Greenwald on June 3, the Guardian editor Ewen MacAskill offered him the option of remaining an unnamed source for the stories. He said, as he later told Vanity Fair, “You should remain anonymous; the stories are just as good without you.” However, anonymity was not part of Snowden’s long game.

The reason he gave Greenwald in Hong Kong for going public in this way was to avoid having any suspicion fall on his co-workers at the NSA. Yet in the initial stories published by Greenwald, Poitras, and Gellman, Snowden had not allowed the reporters to identify him by either name or position. If he did not act to deflect suspicion from his co-workers for the initial investigation, why do it a week later? In the intervening week, the FBI had already launched its criminal investigation. In any case, he did not need to be the subject of a documentary film to take sole responsibility for stealing state secrets. He could have simply allowed Greenwald to identify him by name as the source in the stories.

One thing that Snowden could not accomplish by anonymously transferring the documents to journalists was a starring role in the drama. If he had appeared digitally masked in Poitras’s video with an altered voice, he would not achieve fame. To do that, he needed to allow Poitras to film him committing the crime of turning over NSA documents to Greenwald. This video was also part of his advance planning. Indeed, one reason he chose Poitras was that she was a prizewinning documentary filmmaker. Snowden, while he was still working at the NSA in March 2013, made it clear how he intended to use Poitras’s filmmaking skills. He told her, “My personal desire is that you paint the target directly on my back.” Making himself the on-camera star of a twenty-hour-long reality show, edited first into a video and then a full-length documentary, transformed him in the public’s mind into a hero.

It would be a mistake to assume that the central role he gave himself was simply an exercise in narcissism. After the video was released, he was no longer a near nonentity servicing a computer system at a backwater NSA base in Hawaii. He had emerged from the shadowy world of electronic intelligence to become one of the most famous whistle-blowers in modern history. It was a mantle that would allow him to also become a leading advocate of privacy and encryption rights, as well as the leading opponent of NSA spying. While this remarkable transformation might not have been his entire motive, it was certainly the result of the choice he made to go public.

The Fourth Decision

The final choice he made was to board a nonstop flight to Moscow on June 23. Once the U.S. criminal complaint was unsealed on June 21, he needed to leave Hong Kong; his continued presence would have been a complication for the Chinese president, Xi, scheduled soon to meet President Obama. His only route out of Hong Kong went through two adversaries of the United States: China and Russia. China, as far as is known, did not offer him sanctuary. According to one U.S. diplomat cited by The New York Times, China might have already obtained copies of Snowden’s NSA files and did not want the problem of having Snowden defect to Beijing. In any case, if it had not already acquired the files, it could assume it would receive that intelligence data from its Russian ally in the intelligence war. Whatever its reason, China did not use its considerable power in Hong Kong to block Snowden’s exit.

Nor did Snowden obtain a visa to any country in Latin America or elsewhere during his monthlong stay in Hong Kong. As in the oft-cited Sherlock Holmes clue of the dog that did not bark, Snowden’s lack of any visas in his passport strongly suggests that he had not made plans to go anyplace but where he actually went: Moscow. His actions here, including his contacts with Russian officials in Hong Kong, speak louder than his words.

Just as he believed the Chinese intelligence service could protect him in Hong Kong from a physical attack by agents of the United States, he could assume that the FSB could protect him from them in Moscow. He was not entirely naive about its capabilities. During his service in the CIA, he had taken a monthlong training course at the CIA’s “farm” at Fort Peary, in which counterintelligence officers taught about the capabilities of the Russian security services. He couldn’t have believed that Russia would allow a defector from the NSA who claimed to have had access to the NSA’s sources in Russia and China to leave Moscow before its security services obtained that information.

It is not uncommon for a defector to change sides in order to find a better life for himself in another country. Some defectors flee to escape a repressive government or to find one in which they believe they are more closely attuned to its values. Russia, however, is ordinarily not the country of choice for someone such as Snowden seeking greater civil liberties and personal freedom. So why did Snowden choose Russia for his new life?

The four choices just discussed that Snowden made, taken together, show that Snowden was determined to succeed where others before him had failed. He not only wanted to take full credit for stealing files from the NSA but also wanted to escape any American retribution for his act. His decision suggests to me a highly intelligent, carefully calculating man who was hell-bent on finding a new life for himself in a foreign country. A common thread that runs through these four choices is a willingness to do whatever was necessary to achieve this new life, including disregarding his oath to protect secrets and instead transporting them on thumb drives to a foreign country. To protect himself, he was also willing to rely on the influence of adversary intelligence services in Hong Kong and put himself in the hands of Russian authorities in Moscow. He was also willing to use some of his classified documents as a medium of exchange, if not bait, with journalists to get the public attention he sought.

These choices paid off for Snowden, the new hero of millions. In Moscow, he could enjoy a safe life, free from the threats of a CIA rendition team dropping from the sky or extradition proceedings. He was now under the protection of Putin’s Russia. The press had a field day with the domestic surveillance documents that he gave them. As far as Snowden was concerned, as he told Gellman on December 21, 2013, in Moscow, “The mission’s already accomplished.”
CHAPTER 28 The Espionage Source The government's investigation failed. [It] didn’t know what was taken. —EDWARD SNOWDEN, Moscow, 2014 IS moscow, I had learned that Russian intelligence services use the broad, umbrella term “espionage source” to describe moles, volunteers, and anyone else who delivers another state’s secrets to it. It applies not only to documents but to the secret knowledge that such a source is able to recall and includes both controlled and uncontrolled bearers of secrets. It is also a job description that fit Edward Snowden in June 2013. Unless one is willing to believe that the Putin regime acted out of purely altruistic motives in exfiltrating this American intelligence worker to Moscow, the only plausible explanation for its actions in Hong Kong was that it recognized Snowden’s potential as an espionage source. Snowden’s open disillusionment with the NSA presented the very situation that the Russian intelligence services specialized in exploiting. He had also revealed to reporters in Hong Kong that he had deliberately gained access to the NSA’s sources and methods and that he had taken highly classified documents to Hong Kong. He further disclosed that before leaving the NSA, he | | Epst_9780451494566_2p_all_r1.indd 285 @ 9/30/16 8:13AM | | HOUSE_OVERSIGHT_019773
had gained access to the lists of computers that the NSA had penetrated in foreign countries. He even went so far as to describe to these journalists the secrets that he had taken as a “single point of failure” for the NSA. And aside from the documents he had copied, he claimed that the secret knowledge in his head, if he disclosed it, would wreak havoc on U.S. intelligence. “If I were providing information that I know, that’s in my head, to some foreign government, the US intelligence community would ... see sources go dark that were previously productive,” he told the editor of The Guardian in Moscow. In short, he advertised possessing priceless data that the Russian intelligence services had been seeking, with little success, for the past six decades. These electronic files could provide it with the keys to unlock the NSA’s entire kingdom of electronic spying. Could any world-class intelligence service ignore such a prize? To miss the opportunity to get its hands on such a potential espionage source would be nothing short of gross negligence. In fact, this golden opportunity was not missed in Hong Kong. Even if the Russian intelligence service had not previously had him in its sights—which, as discussed earlier, appears to me to be extremely unlikely—he made contact with Russian officials in Hong Kong, and Putin personally approved allowing Snowden to come to Russia. This decision made it possible for Snowden, without an entry visa to Russia, or, for that matter, any other country, to check in and board an Aeroflot flight to Moscow. We also know that a special operation was mounted to take Snowden off the plane once it landed in Moscow. Such an operation could not have been executed without advance planning. Nor would he be removed from the plane without a plan for his stay in Russia.
Once Putin approved it, there is little reason to doubt that the plans to get Snowden to Moscow, and whatever cover stories were deemed necessary to obscure them, had been carried out professionally by Russia’s special services. When an intelligence service makes such elaborate preparations for extracting a foreign intelligence worker, it presumably also expects to debrief him or her on arrival. Pelton, for example, who had access to far less valuable information than had Snowden, was
held incommunicado in Vienna for two weeks during his debriefing. It would be inconceivable for an intelligence service to bring a potential espionage source such as Snowden to Russia and allow him to catch the next plane to Latin America. The false report provided to the press that Snowden was flying there was likely nothing more than a smoke screen to confuse foreign observers while he was receiving his initial debriefing and evaluation. When it comes to the esoteric enterprise of reconstructing the work of U.S. communications intelligence, military as well as civilian experts in cryptology, computer sciences, and communications are necessary. Unlike in the case of Pelton, Snowden, according to Anatoly Kucherena, had secret material in his possession. Even if Russian intelligence had already acquired copies of the electronic files prior to Snowden’s arrival in Moscow, Snowden’s interpretation of them would be part of the debriefing because intelligence data needs to be put in context. “This debriefing could not be done overnight,” according to a former high-ranking officer in the GRU, the Russian military intelligence service. “There is no way that Snowden would not be fully debriefed,” he said. He also said GRU specialists in signals intelligence would be called in. Putin’s approval of the Snowden operation was not without consequences. Not only did Obama make good on his threat to cancel the pre-Olympics summit with Putin, but also, as it turned out, the Snowden exfiltration proved a turning point in the “reset” of U.S.-Russian relations. Having to accept the onus of declining relations with the Obama administration, Putin, it seems safe to assume, attempted to get the bonus of the NSA’s communications intelligence from Snowden.
The GRU, the SVR, and other Russian intelligence services would not stop questioning Snowden, even if it took years, until they had squeezed out of him whatever state secrets he had. Because Snowden was rewarded with sanctuary, a residence, and bodyguards, there is no reason to doubt that he refused to accommodate his hosts. While he might continue to see himself as a whistle-blower on a supranational scale, as far as Russian intelligence was concerned, he was an espionage source. For an intelligence service, the game is not over when it obtains
state secrets. It still needs to fog over the extent of its coup, as said earlier, to prolong the value of the espionage. Hence it is likely that the story that Snowden had thoroughly destroyed all the stolen data in the month prior to departing for Russia, as well as the story that he had turned down all requests to be questioned by the FSB and other Russian intelligence officials, was part of the legend constructed for him. The repetitions of these uncorroborated claims in his press interviews might also have enhanced his public image for the ACLU effort to get clemency for him. Even so, in view of the importance of such communications intelligence to Russia, it would be the height of naiveté for U.S. or British intelligence to accept such claims as anything more than camouflage. As for Snowden’s motive, I see no reason to doubt his explanation that he stole NSA documents to expose its surveillance because he believed that it was an illicit intrusion into the privacy of individuals. Such disaffection is not a unique situation in the intelligence business. Many of Russia’s worldwide espionage sources before Snowden were also dissatisfied employees who had access to classified secrets. Like some of them, Snowden used his privileged access to reveal what he considered the improper activities of the organization for which he worked. In that sense, I fully accept that he began as a whistle-blower, not as a spy. It was also as a whistle-blower that he contacted Laura Poitras, Glenn Greenwald, and Barton Gellman, who published the scoops he provided in Der Spiegel, The Guardian, and The Washington Post. Snowden’s penetration went beyond whistle-blowing, however. In the vast number of files he copied were documents that contained the NSA’s most sensitive sources and methods that had little if anything to do with domestic surveillance or whistle-blowing. Snowden could not have acted entirely alone.
It will be recalled that the deepest part of his penetration was during the five weeks he worked at the National Threat Operations Center in Hawaii as a contract employee of Booz Allen Hamilton. It was there that he copied Level 3 files, including the so-called road map to the gaps in American intelligence. During this period, Snowden had neither the passwords nor the system administrator’s privileges that would