Even though Snowden had greatly exaggerated the positions he held with the CIA and DIA, no effort was made to check them by the team of journalists. Instead, MacAskill wrote Janine Gibson in New York “The Guinness is good.” It was a pre-arranged code by which MacAskill certified Snowden’s credibility for the Guardian. Gibson told Greenwald to proceed with the story. Greenwald wrote his first story about NSA transgression based almost entirely on the FISA warrant that Snowden had copied from the administrative file. Before the story could be published, however, Guardian policy required that relevant American government officials be allowed to respond. Gibson made the requisite, if pro forma, call to the White House National Security spokesman, Caitlin Hayden, who arranged a conference call with FBI Deputy Director Sean Joyce, NSA Deputy Director Chris Inglis and Robert Litt, the legal officer for the Office of National Intelligence. After duly taking into account the response of these three officials, which included the admonition by Litt “no serious news organization would publish this,” Gibson gave the green light to publish the story. It was, after all, an incredible scoop. The story finally broke on June 5, 2013. “NSA Collecting Phone Records of Millions of Verizon Customers,” proclaimed the Guardian headline. Under Greenwald’s byline, it said: “Exclusive: Top Secret Court Order Requesting Verizon To Hand Over Call Data Shows The Scale of Domestic Surveillance Under Obama.” Along with it was the FISA warrant to Verizon. The PRISM story broke hours later in the Washington Post. Written by Gellman and Poitras, it claimed that the NSA and FBI were tapping directly into the central servers of nine leading U.S. Internet companies which were knowingly participating in the operation. The latter allegation turned out to be not entirely true, since all the Internet companies cited in the story denied that they had knowingly participated.
But the damage had been done. The back-to-back publication of these two stories by the Guardian and Washington Post provided the explosive “shock,” at least in the global media, that Snowden had predicted. Snowden’s identity had not been revealed in either the Guardian or Washington Post stories on June 5th. Snowden, however, insisted on outing himself. He explained to Greenwald that he needed to “define himself” before the US Government “demonized” him as a spy. That self-definition would be accomplished by the 12 minute video, entitled “Whistleblower.” For it, Poitras extracted from the 20 hours she had shot much of the material for the video. In the filmed interview, Snowden voiced many of the same statements he had made in his manifesto. So he no longer needed to post the manifesto on the Internet. Instead, he used the video to broadcast his views. When he insisted on the immediate airing of the video, Greenwald told him that by going public in this way he was saying “fuck you” to the American government. Snowden replied, “I want to identify myself as the person behind these disclosures.” On June 9th, the video was posted on the Guardian website with the Freedom of the Press Foundation getting an on-screen credit. “My name is Ed Snowden,” the extraordinary disclosure began. He then described how the NSA was watching U.S. citizens. Even though the NSA HOUSE_OVERSIGHT_020253
subsequently disputed some of his more dramatic claims, such as his assertion that he had the authority at the NSA “to wiretap anyone, even the President,” the press largely accepted his claims as established facts. As for American surveillance, he declared “I don’t want to live in a society that does those sorts of things.” He had succeeded in defining himself for the public. The Guardian story accompanying the video carried the headline, “EDWARD SNOWDEN: THE WHISTLE BLOWER BEHIND THE NSA SURVEILLANCE REVELATIONS.” Snowden’s identity as a whistle-blower was now established in the media. Overnight, Snowden became a global celebrity and, to much of the world, a hero. Snowden, in fact, did not sacrifice himself. He vanished from public view after the release of the video. He provided Poitras and Greenwald with thumb drives on which he had loaded the documents he wanted them to use. The next morning he packed his belongings into a backpack and moved, without notifying the front desk, to the room Poitras had rented at the Mira. Complicated schemes, especially when they involve transferring state secrets to unauthorized parties in a foreign country, do not necessarily go as planned. On the morning of June 10th, 2013, Snowden’s escape plan apparently ran into a problem. Robert Tibbo and Jonathan Mann, the lawyers who, along with Albert Ho, had been retained for Snowden by an unidentified party, received an emergency phone call early in the morning telling them to help Snowden move to a safe location. Although Tibbo would not identify the person who had called, the message had been relayed to Mann and him through Ho’s office. He told Tibbo over the phone, “I can make myself unrecognizable.” Tibbo and Mann immediately proceeded to the mall adjacent to the Mira hotel, where they met Snowden. After he signed a document appointing Ho’s law firm as his “legal adviser,” they slipped out via the mall exit.
As his credit card had been frozen, it is not clear who paid his $3,300 hotel bill. According to hotel records, it was paid by another credit card. Poitras, who had taken a room at the hotel, may have used her credit card, or Snowden may have had another benefactor in Hong Kong. In any case, the lawyers escorted Snowden to a pre-arranged residence. “I am in a safe house for now,” Snowden wrote Greenwald on June 11th. The situation may not have been totally under his control, since he added: “But I have no idea how safe it is.” Greenwald flew back to Brazil that day. Soon afterward, he would resign from the Guardian and in February 2014 become the co-founding editor of The Intercept, an online publication dedicated to adversarial journalism which was backed by Internet billionaire Pierre Omidyar. Poitras remained in Hong Kong, where she moved, along with Guardian reporter MacAskill, to the five-star Sheraton Hong Kong Tower, which, like the Mira hotel, was on Nathan Road in Kowloon. Her next task was to set up what was to be Snowden’s final interview in Hong Kong. It was scheduled for June 12th.
The journalist chosen was Lana Lam, a young Australian reporter working for the South China Morning Post. Tibbo had suggested Lam to Snowden. She had served as Tibbo’s outlet on previous news stories, and, as he told me, he found her to be a totally reliable journalist. He brought her to Poitras’ suite at the Sheraton in Kowloon (about eight blocks down Nathan Road from the Mira). First, Lam had to agree to the conditions of the interview, which included submitting the story to Poitras for Snowden’s approval. Next, as Lam put it, Poitras “confiscated” her cell phone. Finally, after a ten minute wait, Poitras took her to another room and sat her before a black laptop. The laptop, which had a TOR sticker on it, had on its screen an on-line chat room where she was connected by Poitras to Snowden. “Hi Lana, thanks for coming for this,” Snowden said from his safe house. He told her that the NSA had intercepted data from at least 61,000 different computers in Hong Kong, China, and elsewhere. To expose what he called America’s “hypocrisy” in accusing China of cyber-espionage, he supplied her NSA documents for the South China Morning Post. “Last week the American government happily operated in the shadows with no respect for the consent of the governed, but no longer,” he said. “The United States government has committed a tremendous number of crimes against Hong Kong [and] the People’s Republic of China as well.” Under Poitras’ close supervision, Lam was allowed to ask Snowden further questions about the NSA’s interception of communications in Hong Kong and China. He told her “I have had many opportunities to flee Hong Kong, but I would rather stay and fight the US government in the courts.” As mentioned earlier, Greenwald, Poitras and MacAskill did not concern themselves with the issue of the mechanics of the largest theft of top secret documents in the history of the United States.
In the entire filmed interview at the Mira Hotel, they did not ask their source how he managed to get access to the documents. Unlike those interviews, Lam asked him about how he widened his access. She cut to the core of the matter by asking him a crucial question: why he had switched jobs from Dell SecureWorks to Booz Allen Hamilton in March 2013. His answer provided her with a real scoop. He replied, “My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked.” Snowden told her that he deliberately went to Booz Allen Hamilton to get access to the “lists” revealing the NSA’s sources in foreign countries. This admission could gravely complicate his legal situation in Hong Kong since it suggested that he meant to steal documents even before he had known their content. In fact, to protect himself, he restricted Lam from publishing this part of the interview until after he had departed Hong Kong. (It was not published until June 24, 2013, a day after he arrived in Russia.) This condition indicated to Lam that as early as June 12th, if not before that, he was planning on leaving Hong Kong (although he did not tell her his next destination). His interview with Lam went only so far. He didn’t reveal how he had learned about these “lists” before taking the job. Nor did he reveal to her how he planned to dispose of these lists. He made it clear to her, however, that he had not yet disposed of all his secret documents. “If I have time to go through this information,” he said, “I would like to make it available to
journalists in each country to make their own assessment, independent of my bias, as to whether or not the knowledge of U.S. network operations against their people should be published.” So as late as June 14th, Snowden was still reading and assessing the files he had stolen from the NSA four weeks earlier. Poitras vetted the Lam interview. Soon afterwards she suspected that she was being followed. That was likely since by June 14th all the intelligence services in Hong Kong knew that she was in contact with Snowden. “I was being tailed,” she recalled in an interview with a Vogue reporter in Berlin in 2014. “The risks became very great,” she said in describing her situation in Hong Kong. So, on June 15th, she left Hong Kong and flew back to Berlin, where she began editing her footage of the Snowden interview. Meanwhile, Snowden was organizing his own exit from Hong Kong. He placed a call to Julian Assange.
CHAPTER THIRTEEN

Enter Assange

“Thanks to Russia (and thanks to WikiLeaks), Snowden remains free.” — Julian Assange

Born on July 3, 1971 in Queensland, Australia, Julian Assange had made a brilliant career of trafficking in state, military and corporate secrets. While still a teen-ager, using the alias “Mendax” (the untruthful one), he had hacked into the computers of the Pentagon, the U.S. Navy, NASA, Citibank, Lockheed-Martin and Australia's Overseas Telecommunications Commission. At the age of 25, he pleaded guilty to 25 charges of hacking in Australia, but was released on a good behavior bond. In 2006, with the spread of TOR software, he co-founded Wikileaks, a website to which secret documents could anonymously be sent and posted. The site received little public attention until Bradley Manning sent it several hundred thousand lowly-classified U.S. military and State Department documents in April 2010. With these stolen documents, Wikileaks became a media sensation and Assange, the runner-up for Time’s Man-of-the-Year for 2010, became a leading figure, along with Appelbaum, in the global hacktivist underground. In November 2010, however, he also ran into a legal problem. A judge in Stockholm, Sweden ordered his detention on suspicion of rape, sexual molestation and unlawful coercion. He denied the charges but he was arrested in London on a European arrest warrant. In December, he was released on a $312,700 bail deposit (supplied by his supporters) and confined to Ellingham Hall in Norfolk, England. While awaiting the outcome of the extradition proceedings, he lived there with Sarah Harrison, his 28-year-old deputy at Wikileaks. A graduate of the elite Sevenoaks School in Kent, she also served as Assange’s liaison with the outside world. Although she officially was given the title “investigative editor” of Wikileaks, she worked so closely with Assange during this period that the British press carried stories saying she was his paramour.
During this period, Harrison also worked on a Wikileaks documentary entitled “Mediastan.” The film concerned Wikileaks’ exposure of US secret operations in Russia and other parts of the former Soviet Union. It was also a project which took her to Russia and provided her with a multi-entry Russian visa. In June 2012, after the extradition order was upheld, Assange jumped bail and fled to the Ecuador embassy in London. For the next year, his only visible means of income was a weekly program from the embassy. It was sponsored by RT Television, a Moscow-based English-language news channel funded by the Russian government, which would also finance and release “Mediastan.” Snowden telephoned Assange at his refuge at the Ecuador embassy on June 10, 2013. According to Assange, Snowden needed his help for his exit plan. He wanted Assange to use Wikileaks’ “resources” to get him out of Hong Kong. Assange considered it a surprising request since Snowden had not given any of the stolen documents to Wikileaks. In their discussion,
according to Assange, Snowden claimed that one reason he decided to take the secret NSA documents was the brutal treatment of Bradley Manning after he was arrested in 2010 by the US government. “Snowden told me they had abused Manning in a way that contributed to his decision to become a whistleblower,” Assange said in an interview in 2015. If Manning’s mistreatment was Snowden’s motive, it was a sharp departure from the position that Snowden had taken in his postings on the Ars Technica site in January 2009. He complained in a post on Ars Technica about the detrimental consequences to U.S. intelligence of leakers revealing “classified shit” to the New York Times, and he suggested as punishment “those people should be shot in the balls.” Either he had a change of heart about punishment or he was telling Assange what he believed he wanted to hear. Assange did not suggest that Snowden go to Ecuador to seek asylum. He counseled him to go directly to Russia. “My advice was that he should take asylum in Russia despite the negative PR consequences,” he told the (London) Times in 2015. He found “Snowden was well aware of the spin that would be put on it if he took asylum in Russia.” Assange had another way for Snowden to defuse the “PR consequences” of Snowden landing in Moscow. A story would be released, coinciding with his departure, asserting that Snowden was “bound for the republic of Ecuador via a safe route.” When Snowden asked how he would carry out the plan, Assange told Snowden that he would immediately dispatch one of his senior staff members to help him engineer his escape to Russia. That senior staff member was Sarah Harrison. After speaking to Snowden, Assange called Harrison, who was in Melbourne, Australia. She had gone there a month earlier to help organize Assange’s somewhat quixotic election campaign for President of Australia. Assange now told her to forget the campaign and go to Hong Kong.
Her mission there was to use Wikileaks resources to save Snowden from “a life time in prison.” Presumably, he also told her that he advised Snowden to proceed to Russia, where Harrison had a visa since part of her work on the Mediastan film was done in Moscow. Harrison did not hesitate in following Assange’s instructions. She later said that she didn’t even bother to pack her clothing. She caught the next plane out of Australia. After an eight hour flight, she arrived in Hong Kong on June 11th—the same day that Snowden texted Greenwald he was in a safe house. Harrison had her own connections in Hong Kong. Both of her younger sisters, Kate and Alexandra Harrison, who had also attended Sevenoaks, lived there and were part of the expatriate community. She also had an older brother, Simon Harrison, who headed Avro, a ship brokerage and commodity trading company. Although headquartered in Singapore, Avro also operated out of Hong Kong, and he frequently travelled there. Like Poitras, Harrison took great care to shield her movements. She did not even have a Twitter, Facebook or any other social media account. She made it a point not to own a cell
phone for fear of being tracked by an intelligence service. When she travelled, she bought “burner” phones locally and disposed of them before any calls could be traced back to her. A precaution she took that June was not to meet Snowden face-to-face out of concern about the surveillance of American intelligence in Hong Kong. Instead, for her first 13 days in Hong Kong, she worked behind the scenes, through intermediaries. Her task was not only to arrange his escape route but also to create diversions to camouflage his real destination. Under Assange’s tutelage, she had made deceptive ploys an integral part of her tradecraft. “We were working very hard to lay as many false trails as possible,” she later told an interviewer in Berlin. According to Assange, she booked decoy flights for Snowden to Beijing, China and New Delhi, India. She also used Snowden’s credit card numbers to pay for the flight to India. She knew that since the card was blocked, there was a high probability that it would come to the attention of US intelligence. In all, according to Harrison, she booked no fewer than a dozen such decoy tickets to confuse Snowden’s pursuers in US and British intelligence. The only actual ticket she bought for Snowden, according to an Aeroflot official, was a one-way ticket to Moscow. She paid for it at the last minute. She also bought a ticket for herself on the same flight leaving on June 23, 2013. The source of the money for the Assange-Harrison operation was unclear. Subsequently, Harrison said she was setting up secret bank accounts to help organize escape, but in Hong Kong in 2013, Assange says she was using “Wikileaks’ resources.” Harrison said the “Wikileaks team” helped fund Snowden’s flight to Russia from Hong Kong, as well as her own flight there. But Wikileaks in June 2013 was not an organization with spare cash. Assange had forfeited his own bail by fleeing to the embassy of Ecuador, offending many of his financial supporters in Britain.
He had also all but exhausted his bank account. Aside from money that dribbled in from Poitras’ five-month-old Freedom of the Press Foundation, the only visible source of funds for Wikileaks was the previously-mentioned payments Assange received from RT Television. British intelligence officers who reportedly subsequently examined Wikileaks’ bank finances in London found no transfers to the “Wikileaks team” in Hong Kong. While Harrison was organizing Snowden’s escape, she remained in the deep background. Meanwhile, mounting pressure was brought on the Hong Kong government by the U.S. to take action. On June 16th, the U.S. government informed the Hong Kong authorities that it had filed a criminal complaint against Snowden and would be seeking his extradition. Since Hong Kong had a vigorously enforced extradition agreement with the United States, the Hong Kong authority would be expected by the US to take Snowden into custody. But Hong Kong was not entirely independent in national security issues. China had the final say in any extradition decision. In fact, China had explicitly been given the right of vetoing any extraditions for any reason in the formal 1999 agreement between Hong Kong and the U.S. Since its President had just met with President Obama in California, China also had an interest in avoiding embarrassing public demonstrations on behalf of Snowden. After he had held his press event, it wanted him out of Hong Kong. According to a well-placed official in Hong Kong, it told the Hong Kong Authority
in no uncertain terms that Snowden had to be out of Hong Kong by the end of the week, or June 25. On June 19th, Snowden had a meeting with Tibbo, the barrister who would handle the court case, and Mann and Ho, the Hong Kong solicitors who had been retained for him. It took place in a small apartment where, according to Ho, they ate pizza while they discussed Snowden’s options. Tibbo had a strategy for Snowden. It required that Snowden remain in Hong Kong, allow himself to be arrested, seek bail and fight extradition in court. Tibbo said he planned to mount a powerful legal defense against extradition by using a provision in Hong Kong’s extradition treaty with the United States that protects fugitives from persecution on political grounds. After he told Snowden that it would entail a long court battle, Snowden asked him if he could avoid even being arrested. Tibbo explained that Hong Kong courts, which closely follow British law, would certainly issue an arrest warrant for him immediately after the US formally filed charges against him. Those charges could come within hours, he reckoned. Soon afterwards, Snowden would be temporarily jailed and his computers, electronic gear and thumb drives would be seized and placed in the custody of the court. Tibbo would immediately seek his release on bail but could not guarantee an outcome since Snowden, who had fled U.S. jurisdiction, might be considered a flight risk. If so, Snowden could remain incarcerated during the long court battle. Even so, during the litigation, Snowden would have a platform to make his case against US surveillance. Indeed, Tibbo’s strategy involved building massive public support for Snowden’s cause. Once the US government filed charges, he could further expect it would invalidate his passport to go anywhere except for his return to the US and Interpol would issue a red alert to all its members.
Since the case involved national security secrets, the Hong Kong court might also deny him any use of the Internet until the case was settled. If Snowden wanted to leave Hong Kong, he had to act swiftly. Tibbo, although evasive on the point when I interviewed him, may not have known about the escape Harrison was planning. As far as he could see, Snowden’s other alternatives were not good. He had no money and his credit card had been blocked. He had no visas to go to any other country and Interpol would issue its own “red notice” as soon as the US filed formal charges against him. At that point, Hong Kong airport authorities would be officially notified and could prevent him from leaving the city. Even if he somehow got out, he would be an international fugitive. Tibbo counseled Snowden to seek redress in the Hong Kong courts. But Snowden had no intention of allowing himself to be arrested. Despite what he told Lana Lam only one week earlier, at least for publication, about his determination to seek justice in the Hong Kong courts, he had not planned to use Hong Kong as anything more than a temporary stopover on his escape route. Two months later and safely in Moscow, he made this point
clear in a lengthy interview with Alan Rusbridger, the editor of the Guardian. He told him that it never had been part of his plan to use Hong Kong to escape the legal consequences of his act. “The purpose of my mission [to Hong Kong] was to get the information to journalists.” If so, he had been merely using Tibbo, Mann and Ho to provide him with temporary cover while, following the instructions of Assange, Harrison laid down the smokescreen for his escape to Moscow.
CHAPTER FOURTEEN

Fugitive

“If I end up in chains in Guantanamo, I can live with that.” —Edward Snowden, Hong Kong

During his interview with Poitras and Greenwald, Snowden said stoically “If I am arrested, I am arrested.” His fatalistic words notwithstanding, Snowden had made plans to seek a haven from American justice well before his meeting with journalists in Hong Kong. As early as May 24, 2013, Snowden had suggested to Gellman that he was making arrangements with a foreign government. To that end, he asked Gellman to insert an encrypted key in the Internet version of the NSA expose that Snowden proposed he write for the Washington Post. He told him the purpose of the encrypted key was to assist him with a foreign government. Snowden did not identify that foreign government to Gellman, but Gellman knew that Snowden wanted to “seek asylum” overseas. He decided against assisting him. “I can’t help him evade U.S. jurisdiction—I don’t want to, and I can’t,” he later explained. “It’s not my job. It’s not the relationship. I am a journalist.” Although Gellman suspected that Iceland might be the foreign government in question, Snowden, as it turned out, had not ever contacted the consulate of Iceland while he was in Hong Kong. “We had heard nothing from Snowden,” an Iceland government official told Vanity Fair. Snowden also did not contact the government of Ecuador in Hong Kong. In late June, while Harrison was laying down false tracks for Snowden in Hong Kong, Assange in London asked Fidel Narvaez, who was a friend of his and the legal attaché in the London embassy of Ecuador, to issue a document that Snowden could use. But this document was not delivered to Snowden in Hong Kong (and later it was invalidated by Ecuador). If Snowden had really planned to go to Ecuador from Moscow, it would require him first going to Cuba. Cuba did not even require a U.S. passport (as, in 2013, U.S. citizens were not supposed to travel to Cuba).
He did require a Cuban travel document, which he could have obtained from the Cuban consulate any time during his month in Hong Kong. Yet he did not ever obtain it. Nor did he acquire a visa to go to any other country in Latin America or elsewhere. So where was he headed? Whatever foreign government with which Snowden was dealing earlier in May presumably did not have an extradition treaty with the United States. Yet few other foreign governments, which did not have active extradition treaties with the United States, could be directly reached by air.
With three notable exceptions, the flights to them had stopovers in a country that was an ally of the US, and which could seize Snowden. The three exceptions were China, North Korea (via China) and Russia. The only one of these three countries, or any other country, that Snowden is known to have dealt with directly during his 33 day stay in Hong Kong, was Russia. As previously discussed, he had dealings with Russian “diplomatic representatives,” as Putin called them. Putin did not provide the date of these contacts but he provided an intriguing clue. Snowden was identified to him, according to Putin, not by name but merely as an “agent of special services.” Putin’s description suggests the meeting had taken place before Snowden became a household name on June 9, 2013. For his part, Snowden was evasive when discussing his contacts with Russia while still in Hong Kong. When Lana Lam asked Snowden on June 12, 2013 whether he had already requested asylum from the Russian government, he deferred, saying: “My only comment is that I am glad there are governments that refuse to be intimidated by great power.” As it turned out, Snowden was correct. The Russian government was not intimidated by the threats of reprisals by the United States, as the Obama Administration would learn after his arrival in Russia on June 23, 2013. But the only way that Snowden could have known that fact on June 12th was by being in contact with Russian officials prior to his interview with Lam. Of course, he may have had multiple contacts on different dates with these officials. The Russian pro-government newspaper Kommersant reported that Snowden had visited the Russian consulate on more than one occasion and had been given a birthday celebration there on June 21, 2013. What we do know about Snowden’s interactions with the Russians in Hong Kong comes partly from Putin’s own description of them.
Putin said, it will be recalled, that his decision to facilitate Snowden’s escape to Russia had been kicked all the way up the Russian chain of command for him to personally decide Snowden’s fate. Presumably, this decision-making process began earlier than June 21, 2013, when he reportedly came to the consulate. The question is: how much earlier? Since Snowden had arrived in Hong Kong on May 20th, 2013, his contacts with Russian officials could have occurred as long as a month earlier. That would fit in with Snowden telling Gellman on May 24th that he needed his help in dealing with the diplomatic mission of an unnamed country. In any case, Putin tells us he learned an American “agent of the special services” had contacted Russian diplomats because he wanted assistance. And Snowden did need assistance to escape from Hong Kong. As he had no visas, he would require the sort of assistance that could only be provided by a government willing to defy the United States. The assistance came from Russia. Nine days before Snowden boarded Aeroflot flight SU213 to Moscow on June 23rd, the US had filed a criminal complaint against him. It had also alerted Hong Kong authorities and Interpol when it unsealed the complaint on June 21, 2013. And on June 21st it had invalidated his U.S. passport (although he still had it in his possession at the Hong Kong Airport). Since by this time
he was the most famous visitor in Hong Kong, his passage through passport control may have reflected the acquiescence of the Hong Kong authorities to the reported request of China to be rid of Snowden by June 23rd. All we know for certain is that Hong Kong airport police did not stop Snowden. He was allowed on the Aeroflot flight at Hong Kong International Airport. Aeroflot, a state-owned airline, presumably responds to the Russian government when matters of state security are concerned. According to one Aeroflot official, ordinarily all international passengers are required to have a valid passport as well as a visa to the country of final destination. Snowden had neither a valid passport nor a visa. These boarding requirements were waived so that Snowden was able to board the flight to Moscow. Snowden only met Harrison in person on June 23rd, the day he was to depart Hong Kong. She was waiting for him in the private car that Jonathan Mann had arranged to take him to the airport that morning. Snowden was dressed in a grey shirt and khaki slacks. Harrison was also casually dressed in jeans and flip-flops. She said she had chosen this dress style so that they would blend in at the airport with vacationing tourists. As she had financed the trip, she was apparently now calling the shots. Harrison’s concern was that they might be arrested at the airport, so Mann accompanied them through passport control. He was able to do this because he bought a ticket on a cheap international flight. Harrison also gave Mann a phone number to call if they got arrested. When they finally boarded the flight at 12:45 pm, Harrison effectively became Snowden’s second “carer”—a job that would require her presence in Moscow for the next four months. Once the plane took off, Snowden, who had only said a few words in the car, said to her, as she recalled, the first full sentence she had heard from him.
It was “I didn’t expect that WikiLeaks was going to send a ninja to get me out.” Meanwhile, Assange continued creating “distractions,” as he put it. On June 24th, a booking was made for Snowden on the Aeroflot flight to Cuba, and this information was relayed to the foreign press organization in Moscow, resulting in over a dozen reporters buying tickets on the flight. But Snowden never showed up for the flight. This ruse resulted in these foreign correspondents flying to Havana. “In some of our communications, we deliberately spoke about that [flight] on open lines to lawyers in the United States,” Assange said. One subsequent piece of his misinformation was that Snowden was flying to Bolivia on the private plane of Bolivian President Evo Morales (who was then in Moscow for a meeting). That misinformation had the desired effect. US allies in Europe, including France, Spain and Portugal, refused to allow that plane to fly through their airspace, forcing the plane to land in Austria. This Assange-inspired distraction caused an international incident but did not change the fact that Snowden was in the custody of Russia.
Snowden himself came to realize that those assisting him, including Assange and Harrison, were taking serious risks. “Anyone in a three-mile radius [of me] is going to get hammered,” he later explained to a reporter from Vogue. (After finally leaving Snowden in Moscow on November 3, 2013, Harrison moved to Berlin, where she set up an organization to provide, as she termed it, “an underground railroad” for other fugitives who have provided documents exposing government secrets.)

Snowden meanwhile received sanctuary in Russia. His public statements in Hong Kong that he was willing to go to prison so that others could live freely in a democratic society were, as it turned out, mere rhetoric. Instead of risking prison, he had successfully escaped to a country in which he would be treated as a hero for defying the US government. He had not sacrificed himself; he had transformed himself. He had risen from being a lowly technician in Hawaii whose talents went largely unrecognized to the status of an international media star in Moscow. In his new messianic role, he could make Internet appearances via Skype to prestigious gatherings such as the TED conference, where he would be roundly applauded as an Internet hero. He could be beamed into dozens of ACLU meetings where he would be celebrated as a defender of American liberty. He could describe to sympathetic audiences in Germany, Norway and France the unfairness of the American legal system, asserting that it was denying him a “fair trial.” He could now make front page news by granting interviews to the New York Times, Washington Post, Nation and other elite newspapers. He could join Poitras and Greenwald on the Board of Directors of the Freedom of the Press Foundation.
He could be the subject of an Oscar-winning documentary, the hero of the 2016 Hollywood movie “Snowden,” directed by Oliver Stone, and a consultant to the 2015 season of the television series “Homeland.” He could also be nominated for the Nobel Peace Prize in 2014. He could also attract over one-half million followers to his tweets on Twitter in 2015. “For me, in terms of personal satisfaction, the mission’s already accomplished. I already won,” he informed the Washington Post in his first live interview in Moscow. It was a mission that involved a very high-stakes enterprise: taking America’s state secrets abroad.

How he managed to succeed in this extraordinary undertaking is another story and one which may not lend itself to an innocent explanation. Whistle-blowers do not ordinarily steal military secrets. Nor do they flee to the territory of America’s principal adversaries. A fugitive, especially one lacking a Russian visa, does not wind up in Moscow by pure accident. A Russian President, especially one with the KGB background of Putin, does not lightly give his personal sanction to a high-profile exfiltration from Hong Kong without weighing the gain that might proceed from it. Part of that calculus would be that the defector had taken possession of a great number of classified documents from the inner sanctum of the NSA. To be sure, the practical value of this stolen archive would require a lengthy evaluation by its intelligence services. Finally, a defector who put himself in the palm of the hand of the FSB in Moscow would be expected to cooperate with it. Even if such a defector did not carry these files with him to Moscow, intelligence services have the means to recover digital files, even after they are erased from a computer or if they are
sent to the cloud. Once secret documents are taken, they are compromised. How Snowden succeeded in this coup cannot simply be pieced together from his statements and interviews. The story also requires a visit to the wilderness of mirrors called counterintelligence.
PART THREE
THE COUNTERINTELLIGENCE CONUNDRUM

“Scenarios deal with two worlds: the world of facts and the world of perceptions. They explore for facts but they aim at perceptions inside the heads of decision makers. Their purpose is to gather and transform information of strategic significance into fresh perceptions”
—Pierre Wack, Harvard Business Review, 1985
CHAPTER FIFTEEN
Did Snowden Act Alone?

“When you look at the totality of Snowden's actions certainly one hypothesis that jumps out at you, that seems to explain his ability to do all these things, is that he had help and had help from somebody who was very competent in these matters.”
--General Michael Hayden, Former Director of the NSA and CIA

Snowden describes himself as a whistle-blower, and, according to the polls, the vast majority of the American public accepts this definition of him. But the operational distinction between a whistle-blower and a spy is not always clear. A whistle-blower enters the enterprise of stealing state secrets for reasons of conscience, but so do many spies. Such conscience-driven spies are called, in CIA parlance, “ideological agents.” For instance, the British diplomat Donald Maclean, who was one of the most important Russian spies in the Cold War, was an ideological recruit. Maclean stole immensely valuable US nuclear secrets for the Russian intelligence service without receiving any monetary compensation and later defected to Moscow to avoid arrest.

As it turns out, the acceptance of money is also not necessarily a meaningful distinction when it comes to espionage. To be sure, many spies get paid, but some whistle-blowers also receive a rich bounty for their work. Indeed, under federal laws, whistle-blowers can qualify for multi-million dollar bounties for exposing financial malfeasance. The whistle-blower Bradley Birkenfeld, for example, after he himself was paroled from prison in 2012, received an award of $104 million for providing data that exposed illicit tax sheltering at the Swiss UBS bank. Assange also offered political whistle-blowers six-figure cash bounties from money he raises on the Internet. In 2015, for instance, WikiLeaks offered $100,000 bounties to any whistle-blowers who provided the site with secret documents exposing details of the Pacific Trade Agreement.
Nor is acting alone necessarily a line that divides whistle-blowers from spies. In many cases, whistle-blowers have accomplices that help them carry out their mission. For example, in 1969, the celebrated whistle-blower Daniel Ellsberg, a military analyst at the RAND Corporation, had an accomplice, Anthony Russo, who also had worked at RAND. (Both were indicted by the government.) Acting in concert, they copied secret documents that became famously known as the Pentagon Papers. Whistle-blowers also can, like conventional spies, enter into elaborate conspiracies to carry out a penetration operation. For example, on the night of March 8, 1971, eight whistle-blowers, working together with burglary tools, broke into the FBI office in Media, Pennsylvania, and stole
almost all the FBI files there. The conspirators escaped and kept their identities secret for over 42 years.

Self-definitions also do not necessarily produce a distinction between whistle-blowers and conventional spies. Consider, for example, Philip Agee. Agee left the CIA in 1969 for what he described as “reasons of conscience.” Specifically, he said he objected to the CIA’s covert support of Latin American dictators. After contacting the Soviet Embassy in Mexico City, he defected to Cuba, where he leaked information that exposed CIA operations. Although Agee insisted he was a whistle-blower, and he adamantly denied offering any secrets to the Soviet Union, the KGB viewed him as a conventional spy. According to Oleg Kalugin, the top Soviet counterintelligence officer in the KGB in Moscow, who defected to the U.S., Agee offered CIA secrets first to the KGB residency in Mexico City in 1973 and then to the Cuban intelligence service. Agee provided the KGB with a “treasure trove” of US secrets, Kalugin revealed. “I then sat in my office in Moscow reading the growing list of revelations coming from Agee.” Despite this disparity, Agee still defined himself to the public as a whistle-blower because he also had exposed CIA operations to the public.

The Snowden case blurs the demarcation line even further. Unlike other whistle-blowers who uncovered what they considered government malfeasance by virtue of their job, Snowden, by his own admission, took a new job in 2013 specifically to get access to the SCI files concerning NSA sources that he stole from the Threat Operations Center. Switching jobs in order to widen one’s access to state secrets is an activity usually associated with penetration agents, not whistle-blowers. While the technical distinction between a whistle-blower and a spy may still serve the media in the case of Snowden, it does not help in solving the counterintelligence conundrum. Untangling the strands of the Snowden conundrum is no easy matter.
A complex burglary of state secrets had been successfully carried out in a supposedly-secure site. The only known witness, Snowden, had escaped to Russia, where he could be of help in reconstructing the crime. The stolen data was kept in the equivalent of sealed “vaults,” which were actually computer drives that were not connected to the NSA Network. If ever there was a locked room mystery, this was it. The perpetrator Snowden pierced these barriers by using passwords that belonged to other people and using credentials that allowed him to masquerade as a system administrator. However it was carried out, it was a feat that required meticulous planning. As in the earlier example of a hypothetical diamond theft from locked vaults, what is needed is to explain how a perpetrator, who did not himself have the combinations to open them or the means to remove their content, succeeded in the theft.

To address such a mystery, a counterintelligence investigation starts with a tabula rasa, stripping away all the previous assumptions, including that Snowden was the lone perpetrator. Once back at square one, it builds alternative scenarios to test against the known facts. To be
sure, scenario-building differs from that of a conventional forensic investigation aimed at finding pieces of evidence that can be used to persuade a jury in a courtroom. Unlike a judicial investigation concerned with guilt and innocence, scenario-building looks to develop a story that is, concurrently: intrinsically consistent, humanly plausible and symbolically memorable; and in the process, it also identifies and explores the possible holes in the case. Such scenarios must aim at constituting a limited set of alternatives that are mutually exclusive. The point is to assure that any alternative that fits the relevant facts, no matter how implausible it initially may seem to be, is not neglected.

One of the most vexing problems that had to be explained by these scenarios is how Snowden got the passwords to up to 24 of these vaults. He could not have obtained these passwords during his previous employment at Dell because Dell technicians did not have access to the Level 3 documents stored in these compartments. Nor, as was discussed earlier, was he given access to them when he transferred to Booz Allen because he had not completed the requisite training. Snowden had also, it will be recalled, relinquished his privileges as a system administrator when he transferred to Booz Allen, so he did not have the privilege to override password protection. In short, his new position as an infrastructure analyst did not give him the ability to enter compartments which he had not yet been read into. There are two possible ways he could have gotten these passwords: Either he had assistance from a party who had access to them or he found flaws in the NSA’s security procedures that left the supposedly-closed vaults effectively unlocked.

The Unwitting Accomplice Possibility

As for the first alternative, it is possible whatever assistance that Snowden received was entirely unwitting.
For example, he could have simply asked other analysts at the Center who had been “read into” compartments for their passwords. But such an approach would be extremely risky for him. If an analyst gave him his password, and it was discovered, that analyst could lose his job. Moreover, any analyst was supposed to report any request for a password to a security officer. Nor was Snowden, who had been working at the Threat Operations Center for just a few weeks as a trainee, well known to other analysts. So asking them to break the rules was fairly risky for Snowden. “It is inconceivable to me that his co-workers would divulge their passwords to him,” a former Booz Allen executive, who had also worked at the Defense Intelligence Agency, told me. “If he was a system administrator he might trick a threat analyst into entering his password into his computer under the pretext that he needed it to deal with an urgent hardware issue.” But Snowden was not a system administrator at the Center. Snowden therefore “had no plausible reason for requesting passwords to compartments he had not been read into,” the former executive said. I asked him what the chance was of Snowden obtaining some 24 passwords in 5 weeks. “In my opinion, near zero,” he said.

I next asked him whether it was possible that Snowden could have used a device for intercepting another computer’s electronic signals, called by hackers a “key logger.” Such a device, which was obtainable over the Internet, could be used to steal passwords of the analysts who had been “read into” the compartments. My source said that while it was
possible that Snowden smuggled in a key logger in his backpack, it could not be operated wirelessly inside the Center because, like all other NSA facilities, the computers had been insulated to lock out wireless transmission. This precaution was taken to guard against an EMP, or Electro-Magnetic Pulse, attack by an enemy. If so, the only way Snowden could intercept key strokes was to attach a cable from his key logger to each of his fellow workers’ computers. In this scenario, he would have to surreptitiously build his own wired network connecting his hidden key logger to 24 separate computers. Moreover, he would have to do this wiring in an open-plan office where he could not count on these additional wires, even if rigged one by one, not being noticed by either other analysts in the room or the geek squad of system administrators who regularly checked connections. Making the task even more risky, according to my Booz Allen source, there were closed-circuit cameras. The only way he could mitigate the risk of detection was by having someone help him build this network.

There was a further security barrier he had to get by. Even after he managed to obtain all the necessary passwords from colleagues, he had to transfer the files to an external storage device. This was not a matter of simply using a thumb drive because, unlike in caper movies such as Mission Impossible, the ports on the computers at the NSA were ordinarily sealed shut. This measure was done specifically to prevent any unauthorized downloading by NSA workers. The only people at the Center who had the authorization, and the means, to open these ports and transfer data were system administrators, according to the former Booz Allen executive. System administrators needed to have this privilege to deal with glitches in the computers. So they were allowed to open up the sealed ports. But Snowden was no longer a system administrator and did not have these privileges. So again, he needed some help.
He either would need to borrow another system administrator’s credential or forge his own. The credential he would need is called a public key infrastructure card with its authentication code embedded in a magnetic stripe. When I asked the former Booz Allen executive if Snowden possessed the skill set to forge such a card, he said that he strongly doubted any NSA employee would be capable of such a forgery without special equipment. He could have, however, borrowed this credential from a system administrator who was willing to help him. But just asking such a favor could “set off alarms.”

The unwitting accomplice scenario had another stumbling block: time. We know from Poitras that Snowden told her in early April 2013 that he planned to deliver documents to her in six to eight weeks (which he in fact did). But he did not start working for Booz Allen at the Center until that same month. It does not seem plausible (to me) that in making such a commitment he was merely counting on the kindness of strangers to fulfill it. The only way he could have known for certain that he would be able to borrow a public key infrastructure card and obtain the passwords, whether by trickery or by a key router, before he had begun working at the Center was that he already knew someone at the Center who would help him. But such a contact leads to a witting accomplice scenario.

The Witting Accomplice Possibility
The witting-accomplice scenario better fits with the principle in logic called Occam’s razor that suggests that in choosing between alternative explanations, the one that requires the fewest assumptions should be given priority. It would be relatively easy to gain access to passwords if Snowden had the cooperation of an insider at the Center who had been read into the compartments or, even better, if he had the cooperation of a system administrator with the necessary PKI cards and shell keys to bypass the password protection. Such an accomplice could also help explain how Snowden was able to get the job at the Center in the first place; how he knew in advance that he could find there the “lists” of the NSA sources in foreign countries; and how he knew that there were no security traps at the Center. Such a witting accomplice might even have prepared in advance the “spiders” that Snowden used to index the files.

The witting-accomplice scenario of course requires a somewhat unsettling expansion of the plot. It means Snowden collaborated with one or more insiders at the Center to steal secret documents. It is not difficult to imagine, in light of the lax background checks at outside contractors servicing the NSA, that there were others in the “geek squad” that shared Snowden’s antipathy to NSA surveillance. Certainly, we know that Snowden found other NSA workers who were willing to attend his anti-surveillance Crypto party in December 2012. Any one of these other potential dissidents could have shared Snowden’s objective of exposing NSA abuses. It would only be a small next step to offer Snowden help if he was willing to go public. Indeed, if the geek culture produced one Snowden, why wouldn’t it produce others? If such an accomplice lacked Snowden’s willingness to flee to another country, he may have limited his participation to supplying technical assistance.
For his part, Snowden may have agreed to divert suspicion from his accomplice by taking sole responsibility for the crime when he went public.

The problem with this scenario, however, is that no witting accomplices were ever found. The FBI, which was in charge of the domestic part of the investigation of the Snowden case, questioned all of Snowden’s co-workers at the Center over the course of six months but it failed to find anyone who knowingly helped Snowden. If the accomplice was an idealistic amateur, it is likely the FBI would have found him. Three co-workers did admit to the FBI that they might have inadvertently given Snowden their passwords but these three slips would not account for Snowden’s breach of all the other compartments. Of course, there may have also been less forthcoming co-workers who hid their slips in divulging their passwords to Snowden.

This raises the more sinister possibility that the accomplice was not an amateur co-worker but a deep-cover spy who was already in place when Snowden arrived on the scene. Such a penetration agent could have been recruited by an adversary intelligence service before Snowden came on the scene. After Snowden expressed a desire to expose the NSA’s domestic surveillance, it could then have used Snowden as an “umbrella” to hide its own activities. Finding such a means to protect a source while exploiting his or her information is not uncommon in espionage operations, and since Snowden was willing to flee America and go public, he could serve as a near perfect umbrella. “Snowden may have carried out of the NSA many more
documents than he knew about,” a former CIA station chief speculated. It could also account for the disparity between the claims of Snowden and the NSA damage assessment as to the number of the documents that were compromised.

As farfetched as this mole scenario may seem to the outside world, less than three years before the Snowden breach, the NSA had received a warning from a CIA mole, which will be discussed in greater detail in Chapter 21, that the Russian Intelligence service might have recruited a KGB mole at the Fort Meade headquarters of the NSA. No mole was found in 2010, and, if one existed, it could not have been Snowden, who at that time in 2010 was working for the NSA in Japan. Such a putative mole conceivably could have acquired enough information to later facilitate Snowden’s operation.

In this scenario, Snowden would not be difficult to spot as a potential collaborator and possible umbrella. As Snowden acknowledges, he was not a happy worker at the NSA. He complained between 2010 and 2013 about what he considered NSA abuses to coworkers, superiors and in his posts over the Internet. If someone assumed the guise of a reluctant whistle-blower, he would have little difficulty in approaching Snowden. Snowden might not even know his true affiliation beyond that he shared Snowden’s anti-surveillance views. If Snowden then voiced an interest in exposing the NSA’s secrets, this person could supply him with the necessary guidance, steering a still unsuspecting Snowden first to the Booz Allen position and afterwards to his associates in Hong Kong. By taking sole credit for the coup in the video that he made with Poitras and Greenwald in Hong Kong, he acted, as he told Greenwald, to divert suspicion from anyone else. This move could also give any collaborator he may have had in Hawaii time to cover his tracks.
The astronomer Carl Sagan famously said in regard to searching the universe for signals from other civilizations that the “absence of evidence is not evidence of absence.” That injunction also applies to the spooky universe of espionage. The fact that a mole hunt fails to find a hidden collaborator at the NSA does not necessarily mean such a mole does not exist. Historically, we have many notable cases in which Russian moles eluded intensive investigations for many decades. Robert Hanssen served as a KGB penetration in the FBI for over 20 years without being caught. Similarly, Aldrich Ames acted as a KGB mole in the CIA for more than ten years, and passed all the CIA’s sophisticated lie detector tests. Both Hanssen and Ames eluded intensive FBI and CIA investigations that lasted over a decade. According to Victor Cherkashin, their KGB case officer, whom I interviewed in Moscow in 2015, the KGB was able to hide their existence from investigators for such a long period partly because of the widespread belief in U.S. intelligence that moles were fictional creatures that sprung from the “paranoid mind” of James Jesus Angleton. When I then cited the signature line from the movie The Usual Suspects, “The greatest trick the Devil ever pulled was convincing the world he didn't exist,” Cherkashin thinly smiled and said, “CIA denial [of moles] certainly helped.”
In view of such past successes of the Russian intelligence services, it cannot be precluded that there was another person in the NSA working with Snowden who used an enthusiastic as cover to prevent any light from falling on his own surreptitious spying. While it may seem extremely unlikely that Snowden had such assistance, the alternative scenario, that Snowden broke into the sealed compartments and made off with the documents without any assistance, seems equally unlikely. Even if Snowden had been, as he claims, a pure idealist seeking to right a perceived wrong, it does not exclude the possibility of his becoming entangled in the plots of others. Intelligence services make it their business to bring about such witting or unwitting entanglements.
CHAPTER SIXTEEN
The Question of When?

“The NSA was actually concerned back in the time of the crypto-wars with improving American security. Nowadays, we see that their priority is weakening our security”
—Snowden in Moscow

In his 1974 novel Tinker Tailor Soldier Spy, John le Carré helped establish the concept in the public imagination of a mole burrowing into a rival intelligence service. Le Carré’s now classic mole, code-named by the KGB “Gerald,” managed in the novel to gain access to the inner sanctum of the British intelligence service MI-6. Aided and guided by his controllers in Moscow, he systematically stole British intelligence secrets. As le Carré wove the plot, the brilliantly orchestrated operation involved spotting, compromising, and recruiting others to gradually advance Gerald the mole to a position of power.

Such well-organized penetrations are not limited to fiction. The career of KGB mole Heinz Felfe, who was advanced through the ranks of German intelligence by an elaborate series of sacrifices by his controllers in Moscow until he actually headed German counterintelligence in 1961, could have served as the non-fiction inspiration for le Carré’s 1963 novel The Spy Who Came out of the Cold. As US intelligence only found out after the Cold War ended, the KGB also had the ability to sustain moles for decades. The CIA also had its share of long-term successes, such as Alexander Poteyev, who fed the CIA secrets for over ten years while burrowing into Russian intelligence. In the choreography of these operations, as in le Carré’s fiction, rival intelligence services ensnared and sacrificed recruits, as if playing a chess game, to advance their moles.

Despite notable successes such as Felfe and Poteyev, a great number of these elaborate conspiracies fail to insinuate moles in their adversaries’ confidence. Intelligence services therefore also take advantage of a more prosaic source: the self-generated spy, or, as they are called in the trade, walk-in.
Although they are largely unsung in novels, these walk-ins are an important part of espionage. A counterespionage review done for the Presidential Foreign Intelligence Advisory Board (PFIAB) in 1990 found that most US spies in the Cold War had taken documents of their own volition and only afterwards offered them to an adversary service. Self-generated spies have diverse motives. Some intelligence workers steal secrets for financial gains. Others take them to further an ideological interest. As opportunistic enterprises, intelligence services do not turn walk-ins away if they have valuable intelligence. Indeed, some of the most successful moles were not recruited, or even controlled, by spy agencies. They were self-generated penetrations, or “sources” as the KGB preferred to call them, who first stole secrets and later voluntarily delivered them to an adversary. Consider the case of Robert Hanssen, who successfully penetrated the FBI
for the Russian intelligence services from 1979 to 2001. He was a “walk-in,” who never entered the Soviet embassy or met with KGB or SVR case officers. Instead, he set his espionage in motion by passing an anonymous letter to Victor Cherkashin, the KGB spy handler working undercover at the Soviet Embassy in Washington D.C. From the start of his work for the KGB, Hanssen laid down his own rules. The KGB would deliver cash from which all the fingerprints were removed to locations, or “dead drops,” he specified. He would deliver documents exposing FBI, CIA and NSA sources and methods in another dead drop. The KGB would precisely follow his instructions. Cherkashin told me that Hanssen’s “astounding self-recruitment” was executed in such a way that the KGB never actually controlled him. “He was our most important mole and we didn’t ever know his identity, where he worked or how he had access to FBI, CIA and NSA files.” Even so, the KGB (and later SVR) paid him $600,000 in cash. In return, the anonymous spy delivered 27 computer discs containing hundreds of secret documents revealing the sources and methods of American intelligence. According to Cherkashin, it was the largest haul of top secret documents ever obtained by the KGB (although it was only a small fraction of the number of top secret NSA, Department of Defense and CIA documents taken by Snowden in 2013). Cherkashin told me the price paid by Moscow was a great bargain since it helped compromise “the NSA’s most advanced electronic interception technology,” including a tunnel under the Soviet Embassy. Yet, it was only after newspapers reported that Hanssen had been arrested by the FBI in February 2001 that Cherkashin learned the name and position of the spy that he had recruited. Cherkashin told me that what matters to the KGB was not “control” of an agent but the value of the secrets he or she delivered.
“Control is not necessary in espionage as long as we manage to obtain the documents.” So in the eyes of the KGB, anyone who elects to provide it with US secrets is a spy.

It is also possible to exploit a walk-in even after he has left his service. For example, KGB Major Anatoli Golitsyn was an ideological self-generated spy who walked into the US embassy in Helsinki, Finland on Christmas Day 1962. He asked to see the CIA officer on duty and announced to him that he had collected a trove of KGB secrets, including information that could identify its key spies in the West. He offered to defect to the U.S. The CIA accepted his offer, and through this archive of secrets he had previously compiled, he became one of the CIA’s most productive sources in the Cold War.

The job of an intelligence service is to take advantage of whatever opportunities come its way in the form of self-generated spies. If a Russian walk-in had not yet burned his bridges to his own service, US intelligence officers were under instructions to attempt to persuade the walk-in to return to his post in Russia and serve as a “defector-in-place,” or mole. “While defectors can and do provide critical information,” a CIA memorandum on walk-ins during the Cold War noted, “there are very few cases in which the same individual may not have been of greater value if he had returned to his post.” Of course, if a walk-in believed he was already compromised, as Golitsyn did, a decision would have to be made whether the value of his intelligence merited exfiltrating him to the United States. This required evaluating the bona fides of the walk-in. Not all walk-ins are accepted as defectors. Some walk-ins are deemed “dangles,” or agents dispatched by the KGB to test and
confuse the CIA. Others are rejected as political liabilities, as happened to Wang Lijun, a well-connected police chief in China. In February 2012, Wang walked into the US consulate in Chengdu asking for asylum. The State Department decided against it. After Wang left US protection, he was arrested for corruption and received a 15-year prison sentence.

Such decisions about walk-ins are not made without due consideration, often at the highest level of a government, since exfiltrating a defector can result in diplomatic ruptures and political embarrassments. Conversely, it raises espionage concerns when an adversary government authorizes the exfiltration of a rogue employee of an intelligence service. At minimum, it means that a rival government placed value on what the defector could provide it.

The Snowden case is no exception. Whatever Snowden’s prior relations may have been with Russia, it could prudently be assumed that after he fled to Moscow, in light of the intelligence value of the stolen documents, he would wind up in the hands of the Russian security services. That assumption was reinforced by subsequent countermeasures that were implemented by Russia to block secret sources of NSA surveillance. “Within weeks of the [Snowden] leaks, communications sources dried up, tactics were changed,” Michael Morell, who was at that time the Deputy Director of the CIA, revealed. It indicated that at least part of the US communications intelligence that Snowden had stolen was in enemy hands.

The CIA and NSA’s monitoring of these countermeasures was itself extremely delicate since revealing what they learned about Russian and Chinese countermeasures risked compromising even more U.S. communications sources than had Snowden. General Keith B. Alexander headed both the NSA and Cyber Command at the time these countermeasures were first detected in 2013.
He said in his interview with the Australian Business Review: “We absolutely need to know what Russia’s involvement is with Snowden.” He further said, “I think Snowden is now being manipulated by Russian intelligence. I just don't know when that exactly started.” Much turned on the answer to this “when” question. The counterintelligence issue was not if this U.S. intelligence defector in Moscow was under Russian control, but when he came under it. There were three possible time periods when Snowden might have been brought under control by the Russian intelligence service: while he was still working for the NSA; after he arrived in Hong Kong on May 20, 2013; or after he arrived in Russia on June 23, 2013.

The NSA Scenario

The first scenario could stretch as far back as when Snowden was forced out of the CIA in 2009. It will be recalled that the CIA then had planned to launch a security investigation of Snowden but it was aborted when he resigned. He also had incurred large losses speculating in the financial markets in Geneva, which is an activity which had in the past attracted the interest of foreign intelligence services. So it had to be considered in this scenario that Snowden had been recruited by the Russians after he left the CIA and directed to take jobs at civilian contractors servicing the NSA. Such “career management,” as it is called by the CIA, could explain why Snowden had switched jobs in March 2013 to Booz Allen Hamilton, which, unlike his previous employer Dell, allowed him to gain proximity to the super-secrets list of the telecommunication systems that the NSA had penetrated in Russia and China. Even though Snowden himself did not
have password access to these files, since he was still a trainee, he managed to acquire the necessary passwords from others working there. It could also account for why the documents he copied that pertained to NSA operations in Russia were not among those he gave to Poitras, Greenwald and other journalists. Since Russia has had an active intelligence-sharing treaty with China since 1996, it could further explain why his first stop was Hong Kong, a part of China. It was a safe venue for debriefing Snowden, as well as establishing his credentials among journalists as a whistle-blower, before a decision was made to allow him to proceed to Russia. The nearly fatal problem with this early-recruitment scenario is Snowden’s contacts with journalists. Snowden, it will be recalled, had contacted Greenwald in December 2012. Greenwald was a high-profile blogger in Brazil who did not use encryption or any security safeguards. Next, in January 2013, he contacted Poitras in Berlin, who was a magnet for NSA dissidents. Both of these contacts put Snowden’s clandestine downloading at grave risk. As known opponents of US intelligence agencies, these journalists might be, as they themselves suspected they were, under surveillance by American, British, Brazilian or German intelligence services. Greenwald and Poitras might also tell others who were either under surveillance or informers. So no matter what precaution Snowden took, his secret enterprise, or just the fact he was in contact with anti-government activists, might be detected. At minimum, he could lose his access to secrets and be of no further use as a source at the NSA. He could also be interrogated and reveal the way he was brought under control. If Snowden actually had been under the control of the Russian intelligence service, the last thing it would allow was for him to take such a risk—or even to contact a single journalist.
After all, the purpose of an espionage operation is to steal secrets without alerting anyone, including journalists, to the theft. A former CIA officer told me that while anything could “go haywire” in an intelligence operation, it would be “unthinkable” that the Russian intelligence service would permit a source it controlled in the NSA to expose himself by contacting journalists. It was, as he put it, a “lose-lose move.” Assuming that the operation did not “go haywire,” Snowden’s continued interactions with Poitras and Greenwald made it implausible to me that Snowden was under Russian control before he went to Hong Kong.

The Hong Kong Scenario

The second possibility is that Snowden was brought under Russian control while he was in Hong Kong. The most compelling support for this scenario comes from Putin himself. His disclosure about the case leaves little doubt that Russian officials engaged Snowden in Hong Kong, that Putin authorized his trip to Moscow while he was in Hong Kong and that the Russian government allowed him to fly to Moscow without a Russian visa. We also know that Snowden indicated to Gellman he was in touch with a foreign embassy and that he met with Russian diplomats in Hong Kong. We know from US surveillance of his activities in Hong Kong that he contacted the Russian consulate. And we know that the Russians went to some lengths to facilitate his trip to Moscow. All these pieces in the Hong Kong scenario support the possibility
that the Russian intelligence service managed to bring him under its sway during his 33 days in Hong Kong. The Russian intelligence service even might have been aware of Snowden, and his anti-NSA activities, before his arrival on May 20, 2013. Snowden, as discussed earlier, was anything but discreet in his contacts with strangers in the anti-surveillance movement, including such well known activists as Runa Sandvik (to whom he supplied his true name and address via email), Micah Lee, Jacob Appelbaum, Parker Higgins, and Laura Poitras. “It is not statistically improbable that members of this circle were being watched by a hostile service,” a former NSA counterintelligence officer told me in 2015. When I told him that Poitras and others in her circle had used PGP encryption, aliases and TOR software in their exchanges with Snowden, he said, arching his eyebrows, “That might work against amateurs, but it wouldn’t stop the Russians if they thought they might have a defector in the NSA.” He explained that both the NSA and hostile services have the “means” to bypass such safeguards. I next asked him what the Russian intelligence service would have done if they had indeed spotted Snowden in late 2012 or early 2013. “Maybe just research him,” he replied. As we know now, he pointed out, Russia and China probably had access to the 127-page standard form in his personnel file that he updated in 2011. They also had the capability to track his air travel to Hong Kong. “Could someone have steered him to Hong Kong?” I asked. He answered with a shrug, “That depends on whether Snowden had a confidante who could have influenced him.” Whenever adversaries became aware of Snowden in this scenario, it was not until after Snowden copied the NSA secrets and took them with him to Hong Kong that Russian intelligence officers offered him a deal. So from the Russian point of view, Snowden had already burnt his bridges.
Since he had used other people’s passwords to get into computers that he was not authorized to use, illegally moved documents and gave a false reason for his medical leave, it was only a matter of time before NSA investigators would identify him as a possible spy. He could be of no further use to an adversary at the NSA. His intelligence value now lay in the documents he had taken with him or stored in the cloud as well as his ability to help clarify them in debriefing sessions. In addition, he could have a further use to an adversary, especially if he agreed to cooperate. By virtue of his position as a former insider, he could inflict damage on the morale and public standing of the NSA by denouncing its spying in the media. So once in Hong Kong, the Russians would have no reason to restrain him from holding a press event or releasing a video. In fact, in the past the KGB had organized press conferences for all the previous NSA defectors to Moscow. Hong Kong also might be seen as a perfect venue for a well-staged media event since all the major newspapers in the world had bureaus there. And his disclosures about the NSA spying coming under the mantle of whistle-blowing could serve to weaken the NSA’s relations with its allies. The event would also serve to deflect suspicion from any other potential spies in the NSA, if any existed. Snowden’s going public on June 9, 2013 provided that opportunity.
It is also possible in this Hong Kong scenario that Russian or Chinese intelligence did not become aware of Snowden until after he went public on June 9, 2013 by having the Guardian release his video. At that point, if the Russians or Chinese had any doubts how dissatisfied he was with the NSA, they would be dispelled by the video. Since dissatisfaction is one of the classic means of recruitment in the intelligence business, he certainly would become a prime target for recruitment after he went public. The CIA also considered the possibility that Snowden may have been reeled in unwittingly. Its Deputy Director, Michael Morell, suggested in his book that Snowden may not himself have fully realized “when and how he would be used.” What can be safely assumed is that the decision made by Putin’s intelligence service to allow Snowden to proceed to Russia proceeded from something other than soft-hearted sentiment about his welfare. In addition, this decision was not made on the spur of the moment. After Putin learned that there was an American in Hong Kong from the “special services” seeking to come to Russia, he also learned from Snowden’s own disclosure on the video that he had taken to Hong Kong a large number of NSA documents. After that self-outing by Snowden, Putin had at least 14 days to calculate the advantages and disadvantages of allowing him to come to Moscow. To be sure, we don’t know the precise date of Snowden’s first contact with Russian officials in Hong Kong. Putin refrained from specifying when Snowden first met them. But whenever it was, we know that he was deemed important enough by the Russian intelligence service for it to bring him to the personal attention of Putin. Putin could offer him not only his freedom from arrest but a platform to express his views. The exploitation of an intelligence defector, even after he yields his secret documents, can also be part of an intelligence operation.
General Alexander, who ran the NSA during this period, concluded that Putin was playing a deep game with Snowden by “looking to capitalize on the fact that his [Snowden’s] actions are enormously disruptive and damaging to US interests.” This game, if Alexander’s assessment is correct, might provide Putin with ample reason to have his representatives in Hong Kong offer Snowden an exfiltration deal. Snowden was hardly in any position to refuse such a deal. After the release of the video, there was no going back to America without his facing a determined criminal prosecution. If he had researched the issue, he would have known that in every prior case, intelligence workers who had released even a single classified document had gone to prison. As his Internet postings show, he had closely followed the ordeal of Bradley Manning, whose trial was coming to its conclusion while Snowden was in Hong Kong. So he likely knew that even though the documents Manning had sent to Wikileaks were far less damaging than those Snowden had taken, Manning had been kept in solitary confinement under horrific conditions for over a year while awaiting his trial and was facing a long prison sentence. (Manning was subsequently sentenced to 35 years in prison.) There was no reason for Snowden to expect a better outcome for himself if he returned to the US or was arrested in Hong Kong or any other place that had an extradition
treaty with the US. As the Russian officials in Hong Kong might well have informed him, Russia had no extradition treaty with the US. It was also one of the few places in the world that he could reach from Hong Kong without flying through airspace in which he might be intercepted by a US ally. Moreover, Putin himself had approved his exfiltration, which meant that, even without a valid passport or visa, Snowden could take the direct Aeroflot flight to Moscow. Snowden’s choice was going to Russia or going to prison. The Russians could have used this leverage in the Hong Kong scenario to extract a quid pro quo. The price of admission in that quid pro quo was providing all his documents and putting himself in the hands of Russian intelligence. To be sure, Snowden might have refused this leverage in Hong Kong, and Putin may have decided the terms of the deal could better be negotiated in Moscow.

The Moscow Scenario

The final possibility is that Snowden did not come under Russian control until after he arrived in Moscow. Certainly, the Russian intelligence service could afford to wait in Hong Kong before tightening the vice on Snowden. It knew that Interpol and the US would be pursuing him throughout the world and that Snowden had no valid travel documents to go anywhere else. It could also have determined that his credit cards had been frozen. So it could afford to wait until his plane landed in Russia. After the Russians took him in a “special operation” from the plane at the airport, he was informed by Russian authorities that he would not be allowed to go to Cuba, Venezuela, Iceland, Ecuador, or any other country without the permission of Russian officials, which would not be immediately forthcoming. So he never even showed up for the flight to Cuba (which Assange had “leaked” to the media he would be aboard). He was now at the mercy of the Russian authorities. There was good reason for keeping him in a virtual prison in Russia.
“He can compromise thousands of intelligence and military officials,” Sergei Alexandrovich Markov, the co-Chairman of the National Strategic Council of Russia and an adviser to Putin, pointed out. “We can't send him back just because America demands it.” So Snowden was consigned to the transit zone of the airport, which is a twilight zone neither inside nor outside of Russia, a netherworld that extends beyond the confines of the airport to include safe houses and other facilities maintained by the FSB for the purposes of interrogation and security. Stranded at the Moscow airport, Snowden had no place to go except into the waiting arms of the FSB. No matter what he had believed earlier in Hong Kong, he would quickly realize that he had only one viable option: seeking sanctuary in Russia. Even though the FSB is known by US intelligence to run a strict regime over present and former members of foreign intelligence services, Snowden may not have realized the full extent of the FSB’s interest in him. He naively told the Washington Post in December 2013 in Moscow, “I
am still working for the NSA right now. They are the only ones who don’t realize it.” While he might have sincerely persuaded himself that he was somehow helping US communications intelligence in a self-appointed role, those familiar with the activities of the Russian security services find it inconceivable that he could escape their control in Russia. At the very minimum, a former US intelligence worker who stole American state secrets, such as Snowden, would be under the FSB’s scrutiny. Andrei Soldatov, the co-author of the 2010 book The New Nobility: the Restoration of Russia's Security State and the Enduring Legacy of the KGB, who was personally knowledgeable about FSB procedures, explained the FSB would monitor “every facet of Snowden's communications, and his life.” General Oleg Kalugin, who, as previously mentioned, defected from the KGB to the United States in 1995, added that the FSB, following the standard operating procedures of the KGB, would be “his hosts and they are taking care of him.” Kalugin further said in 2014 that “Whatever he had access to in his former days at NSA, I believe he shared all of it with the Russians, and they are very grateful.” American intelligence officers knowledgeable about the operations of the FSB agreed with Kalugin’s assessment. General Hayden, for example, who served both as director of the NSA, CIA, and Air Force counterintelligence, told me in an interview that he saw no other possibility than that Snowden would be induced to cooperate in this situation, saying “I would lose all respect for the Russian and Chinese security services if they haven’t fully exploited everything Snowden had to give.” They certainly had that opportunity at Sheremetyevo International Airport: He had already, at least in the eyes of the Department of Justice, betrayed US secrets by stealing them and taking them abroad. Snowden was held in limbo in the transit zone.
The FSB controlled his access to food, lodgings, the Internet, and whatever else he needed to survive there. It could also return him to the US if he did not cooperate. What recourse did Snowden have? The only party from whom he could seek redress was Putin’s regime. Russia’s leverage now would be even greater than in Hong Kong. If Putin chose to fully apply it, it would be all but irresistible over a fugitive who had literally no place else to go. In a word, the FSB held all the cards but one—Snowden’s help with the stolen documents. Even if Snowden disliked the tactics of the Russian security services, his situation left him a powerful inducement now not to decline the requests of the Russian authorities. Two weeks after his arrival, the Russian authorities provided him with a convenient path to full cooperation with Russia. He was put in contact with Anatoly Grigorievich Kucherena, a silver-haired 53-year-old lawyer, who was known as a personal friend of Putin. Kucherena also did tasks for Putin’s party in the Russian parliament or Duma. Most important for Snowden, Kucherena had excellent connections in the Russian security apparatus since he served on the oversight committee of the FSB. He also offered to serve as the lawyer for Snowden pro bono. On July 10, 2013, Snowden officially retained him as his legal representative in Moscow. From that point on, he would act as Snowden’s go-between with the FSB and other Russian agencies. At the outset, Kucherena made it clear to Snowden that he would have to play by Moscow’s rules before the Kremlin would grant him permission to stay in Russia. To begin with, Snowden had to withdraw any application he had made elsewhere for asylum. He had to put his fate
entirely in the hands of Putin’s Russia. He would also have to be fully candid with the Russian authorities about what was of great value to Putin: the secret documents he had acquired. Two days later, Snowden made his first public appearance in Russia. It had been, like previous press conferences with US defectors to Russia, carefully managed. First, Snowden arrived by limousine at the international transit lounge of Sheremetyevo airport. He was seated at a table with Harrison. As Snowden spoke no Russian, a Russian translator was provided. The small audience included hand-picked Russian officials, including some of Putin’s close associates. They were ushered through passport control by security men to the otherwise cordoned-off lounge. The cameras for RT television and other Russian channels were already in place. When everyone had taken their seats, Snowden announced in a quiet voice that he was seeking asylum in Russia. Ten minutes later, Snowden and Harrison were escorted back to the limousine which drove off to an unannounced destination. Snowden received Russian identification papers on August 1, 2013 that allowed him to resettle in Moscow. Not only was he provided with a residence but he was allowed to set up in it a broadcasting studio that could be used for Internet appearances at well-attended events around the world, such as South by Southwest, TED, and other Internet conferences. Snowden, according to Kucherena, was also furnished with bodyguards. To help earn his keep, he was employed at an unidentified Moscow cyber-security firm. To complete his resettlement, Lindsay Mills, whom he had left behind in Hawaii, was given a 3-month visa and was allowed to temporarily live with him in Moscow.
This afforded him a life style which Snowden described in an interview as “great.” Kucherena, although he was acting without compensation from Snowden, later received the stunning sum of one million dollars from Open Road Films, the distributor for Oliver Stone’s “Snowden” movie, for the rights to his not completed novel called “Time of the Octopus,” a story based on his story of Snowden’s stay at the airport. It would strain credibility that such privileges would be awarded to an intelligence defector who had refused to cooperate with Russian authorities. In Snowden’s case, he was even allowed to participate in a Putin telethon on state-controlled television. On it, he was called on to ask Putin if the Russian government violated the privacy of Russian citizens in the same way that the American government violated the rights of its citizens. Putin, smiling at Snowden’s presumably vetted question, answered in a single word: “No.” In the Moscow scenario, Snowden received sanctuary, support, perks and high-level treatment by Putin himself because he agreed to cooperate. If Snowden had not paid the price of admission, either in Russia or before his arrival, he would not have been accorded this privileged status.
CHAPTER SEVENTEEN

The Keys to the Kingdom Are Missing

“There’s a zero percent chance the Russians or Chinese have received any documents.”
--Edward Snowden in Moscow

The critical missing piece in the Snowden enigma is the whereabouts of the NSA documents. Greenwald told the Associated Press that the documents that Snowden had taken from the NSA constituted "the instruction manual for how the NSA is built" and they "would allow somebody who read them to know exactly how the NSA does what it does, which would in turn allow them to evade that surveillance or replicate it." Snowden indeed said on camera in June 2013 that NSA investigators would have “a heart attack” when they discovered the extent of the breach. Ledgett, the NSA official who it will be recalled had conducted the damage assessment, while not having a heart attack, confirmed that Snowden had taken a massive number of files, which he put at over one million documents, and, among them, what he deemed the NSA’s “keys to the kingdom.” These so-called “keys to the kingdom” presumably could open up the mechanism through which the United States learns about the secret activities of other nations, and, by doing so, bring down the American signals intelligence system that had for 60 years monitored government communications. It had also kept track of adversaries’ missile telemetry, submarine movements, and nuclear proliferation. The Snowden breach was not without precedent at the NSA. There had been two Russian spies at the NSA during the Cold War, Jack Dunlap and David Boone, who took a limited number of documents, but no one since the end of the Cold War had taken a single NSA classified document. Now an insider removed, by any count, tens of thousands of NSA’s documents. Moreover, many of these documents were classified “TS/SCI”—Top Secret, Sensitive Compartmentalized Information—which, as NSA secrets went, were the gold standard of espionage.
Whatever the assessment of Snowden’s motivation, the single question that needed to be answered was: What happened to these stolen files? To begin with, there is a huge disparity between the number of documents that the NSA calculated that Snowden compromised and the number of documents he is known to have handed over to journalists in Hong Kong on a thumb drive. After the Snowden breach, the House and Senate intelligence committees asked the NSA how many documents were taken by Snowden. Even though the NSA had employed a world class team of computer scientists, cryptanalysts and forensic experts to reconstruct the crime from the logs, it could not come up with a definitive number. What it could say was how many documents had been highlighted or selected, copied and moved to another computer. As the NSA briefed these committees in closed-door sessions,
1.7 million had been selected in two dozen NSA computers during Snowden’s brief tenure at Booz Allen in 2013. This total included documents from the Department of Defense, NSA and CIA. Of these “touched” documents, some 1.3 million of them had been copied and moved to another computer. The selection of these documents by Snowden could hardly be considered an accident since Snowden had used pre-programmed spiders to find and index these documents. In addition he had stated that he took the job at Booz Allen to get access to data that had been copied. So, as far as the NSA was concerned, the 1.3 million documents he copied and moved were considered compromised. On top of this haul, Snowden had copied files while working at Dell in 2012. The total number he stole there is unknown, however, because, as a system administrator there, he could download data without leaving a digital trail. At best, the NSA investigation could only count the documents that were published or referred to in the press and those found on the thumb drive intercepted in London that traced back to his 2012 work at Dell. As previously mentioned, more than half the published documents had been taken during Snowden’s time at Dell. Snowden supporters, to be sure, do not accept that Snowden stole such a large number of documents. According to Greenwald, the NSA vastly exaggerated the magnitude of the theft in order to “demonize” Snowden. Snowden also disputed the 1.7 million number. He told James Bamford of Wired in early 2014 that he took far fewer than the 1.7 million documents that the NSA reported were compromised. He further claimed in that same interview that he purposely left behind at the NSA base in Hawaii “a trail of digital bread crumbs” so that the NSA could determine which documents he “touched” but did not download. If so, these “bread crumbs” were missed by the NSA according to its statement.
It is within the realm of possibility that the NSA Damage Assessment team under Ledgett falsified its finding to inflate the number of documents that Snowden stole. NSA executives also might have lied to Congress to the same end. But why would these officials engage in an orchestrated deception that made them look bad? Ledgett, after all, had been in charge of the National Threat Operations Center from which most of the Level 3 documents were stolen. Exaggerating the magnitude of the theft would also magnify the failure of Ledgett and other NSA officials in their mission to protect US secrets. Certainly they had no reason to demonize him for legal reasons. Greenwald and Poitras had already effectively demonized him in this regard. They revealed that Snowden had given them a vast number of NSA classified documents on a thumb drive that revealed, as Greenwald put it, the “blueprints” of the NSA. This drive contained, it will be recalled, no fewer than 58,000 documents. As was discussed in Chapter I, just revealing the partial content of a single document to a journalist, as in the case of CIA officer Jeffrey Sterling, could result in two years in prison. So in the eyes of the law disclosing the full contents of 58,000 highly-classified documents constituted an unprecedented breach of the laws passed to protect communications intelligence. In any case, safely ensconced in Russia, Snowden was not in any legal jeopardy no matter how many documents it was claimed by the government that he stole. It also makes little sense that the numbers were falsified by the Department to tarnish Snowden’s
image. The 35-page Defense Intelligence Agency’s damage assessment, for example, that said that 900,000 Pentagon documents were compromised by Snowden, was not made public. It was only disclosed via a Vice magazine Freedom of Information request in June 2015. What is known is the number of documents that Snowden gave to journalists in Hong Kong. As will be recalled, Poitras and Greenwald were “writing partners.” When Greenwald discovered that his copy of the documents was corrupted, Poitras made a copy of the thumb drive that Snowden gave her in Hong Kong and sent it to Greenwald in Rio de Janeiro by a courier. That courier was intercepted by British authorities at Heathrow Airport. When examined, the Poitras-Greenwald thumb drive contained some 58,000 documents. This meant that the lion’s share of the 1.3 million documents that the NSA claimed were compromised had not been given to journalists and is unaccounted for. The numbers game is not only misleading but unenlightening on the issue of the value of the compromised documents. Many of the putative 1.3 million documents that the NSA says were copied and moved were duplicate copies. Others were outdated or otherwise useless routing data. So the quantity does not tell the story. Of far more importance than the quantity of the total haul is the quality of some of the data that Snowden had copied. Just a single one of these documents could cripple not just the NSA but America’s entire multi-billion dollar apparatus for intercepting foreign intelligence. The previously-cited summary of requests by the CIA, FBI, Pentagon and other agencies for communications intelligence, for example, which was 31,000 pages long, listed all the gaps in U.S. coverage of adversaries, including those cited by President Obama’s national security team.
As Ledgett warned, this single document, if it fell into enemy hands, would provide our adversaries with “a roadmap of what we know, what we don’t know, and implicitly a way to protect themselves.” The “roadmap” was not found among the files on the thumb drive. Nor were most of the missing level 3 lists concerning NSA activities in Russia and China found on the thumb drive, even though Snowden said he had taken his final job at Booz Allen to get access to these lists. If Snowden had not given these documents to Poitras, Greenwald or other journalists, where were they? The compartment logs showed that Snowden copied and transferred these level 3 documents in his final week at the NSA. He presumably had them in his possession in Hong Kong after he arrived on May 20, 2013. On June 3rd, according to Greenwald, he was still sorting through the material to determine which ones were appropriate to give to journalists. On June 12, 2013, he told reporter Lana Lam in Hong Kong that he was going through the documents, country by country, to determine which additional ones he should pass on to journalists. Eleven days later, he departed Hong Kong for Moscow carrying at least one laptop computer. Even after arriving in Moscow, he suggested he still had NSA secrets in his possession. "No intelligence service — not even our own — has the capacity to compromise the secrets I continue to protect," he wrote to former Senator Gordon Humphrey. "I cannot be coerced into revealing that information, even under torture." Much of the material he copied while working at Booz Allen remained, as far as the NSA could determine, missing. Had he brought these files under his “protection” to Russia?
An answer came three months later from his Moscow lawyer, Anatoly Kucherena. On September 23, 2013, Kucherena gave an extensive interview on the state-owned RT channel. The interviewer, Sophie Shevardnadze, who had a show on RT Television called “Sophie & Co,” was a well-admired journalist in her own right. She is also the granddaughter of Edward Shevardnadze, a former foreign minister and Politburo member of the Soviet Union and, after the Soviet Union broke up, the first president of Georgia. Even though she had interviewed many top political figures in Russia, obtaining an hour-long interview with Kucherena was a coup since, up until then, he had not discussed the subject of Snowden in a television interview. About half-way through the interview, she brought up the highly-sensitive subject of the disposition of the NSA documents. She directly asked Kucherena if Snowden had given all the documents he had taken from the NSA to journalists in Hong Kong. If anyone was in a position to know about these documents, it was Kucherena. He had acted as an intermediary for Snowden in his negotiations with Russian authorities, including the FSB. As such, he would be privy to the status of the secret material that was of immense concern to the Russian intelligence services. When I interviewed Kucherena in Moscow in 2015, he told me that “all the reports” concerning Snowden had been turned over to him by “Russian authorities” in July 2013. “I had all of Snowden’s statements,” he said. If so, he presumably knew what Snowden had told the Russian security services prior Had Snowden come to Russia with empty hands or bearing gifts? Kucherena answered her question without any evasion. He said that Snowden had only given “some” of the NSA’s documents in his possession to journalists in Hong Kong. He had kept the remaining documents in his possession. That confirmed what Snowden had told Greenwald, Poitras and Lam in Hong Kong.
Snowden told them that he had divided the stolen NSA documents into two separate sets of documents. One set he gave to Poitras and Greenwald on thumb drives. The other set, which he told them that he considered too sensitive for these journalists, he retained for himself. As late as July 14, 2013, Greenwald told the Associated Press that Snowden held back documents and “is in possession of literally thousands of documents ... that would allow somebody who read them to know exactly how the NSA does what it does, which would in turn allow them to evade that surveillance or replicate it." One issue for U.S. investigators at the NSA, CIA and Department of Defense was what Snowden did with the second set after his meetings with the journalists in Hong Kong. Did he take these documents with him to Russia? Shevardnadze, who makes it a point to drill her interviewees, pressed Kucherena as to whether Snowden still had these NSA files, or “material,” in Russia. The dialogue went as follows (from the transcript supplied to me by Shevardnadze):
Shevardnadze: So he [Snowden] does have some materials that haven’t been made public yet?
Kucherena: Certainly.
After establishing some part of Snowden’s “material” was still in his possession, Shevardnadze asked the next logical question: “Why did Russia get involved in this whole thing if it got nothing out of it?” In response, Kucherena elliptically hinted that the unreleased material contained CIA secret files. “Snowden spent quite a few years working for the CIA,” he said. "We haven’t fully realized yet the importance of his revelations.” (He was correct that Snowden had stolen a larger number of CIA documents that he had not turned over to journalists, as CIA deputy director Morell confirmed.) Whatever this material might reveal, the FSB was presumably aware of its existence. After all, Kucherena was on the FSB’s public oversight board. If he had kept Snowden’s possession of these documents secret from the FSB, he would not have divulged it in an interview on television. Kucherena’s answer left little ambiguity to the critical question about the fate of the NSA’s missing documents: Snowden had not destroyed the electronic files of NSA documents that he had not distributed to journalists. He still had them when Kucherena had reviewed his files in Russia. Kucherena’s disclosure that Snowden retained these crucial documents did not contradict Snowden’s own story at the time of the Shevardnadze interview. Indeed, it was completely consistent with the statement Snowden made three weeks after arriving in Russia in his previously mentioned email to Senator Humphrey. Snowden subsequently changed his story. In mid-October, Snowden electronically informed journalists that he had destroyed all the NSA documents in his possession before flying to Moscow. So his new story radically contradicted what his own lawyer had said the previous month on television.
To be sure, Kucherena, who later confirmed the accuracy of the Shevardnadze interview to me in Moscow in 2015, may have meant to say that Snowden only had access to the NSA documents rather than having the physical files in his possession. It is certainly possible that Snowden transferred the NSA files from his own computers and thumb drives to storage on a remote server in the so-called “cloud” before coming to Russia. The “cloud” is actually not in the sky but a term used for remote storage servers, such as those provided by Dropbox, Microsoft, Google, Amazon and other Internet companies. Anyone who is connected to the Internet can store and retrieve files by entering a user name and a password. For Kucherena to be certain Snowden had access to this data, Snowden must have demonstrated his access either to him or the authorities. The Russians therefore also knew Snowden had the means to retrieve this data. Since the data concerned electronic espionage against Russia, the FSB had every reason to ask him to share his user name and password. If Snowden had encrypted these files, it would also ask for his encryption key. And the FSB is not known to take no for an answer in issues involving espionage. Even if Snowden refused to furnish his key, it would not present an insurmountable barrier for the FSB. Snowden may have had confidence in the power of his encryption protocols but,
according to a former National Security Council staffer, the Russian cyber service in 2013 had the means, the time and the incentive to break the encryption. It is unlikely they would have gone to the trouble since they had Snowden in the palm of their hand in Moscow. It doesn’t take a great stretch of the imagination to conclude that, by one way or another, willingly or under duress, Snowden shared his access to his treasure trove of documents with the agencies that were literally in control of his life in Russia. Kucherena’s answer to the question of access also may help to explain Putin’s decision to allow Snowden to come to Moscow. As has been discussed earlier, it was not a minor sacrifice for Putin. His foreign minister, Sergei Lavrov, had spent almost six months negotiating with Hillary Clinton’s State Department a one-on-one summit between President Obama and President Putin. Not only would this summit be a diplomatic coup for Russia but it would add to Putin’s personal credibility in advance of the Olympic Games in Russia. In mid-June, after US intelligence reported to Obama’s National Security adviser that Snowden was in contact with Russian officials in Hong Kong, the State Department explicitly told Lavrov that allowing Snowden to defect to Russia would be viewed by President Obama as a blatantly unfriendly act. As such, it could (and did) lead to the cancellation of the planned summit. So Putin knew the downside of admitting Snowden. But there was also an upside if Snowden had access to the NSA documents. A large archive of files containing the sources of the NSA’s electronic interceptions, as Snowden claimed he had in Hong Kong, had enormous potential intelligence value. Putin therefore had to choose between the loss of an Obama summit and the gain of an intelligence coup.
That Putin chose the latter suggests that he had calculated that the utility of the intelligence in the NSA archive outweighed the public relations advantages of the Obama summit (which, after Snowden arrived in Moscow, was cancelled by Obama). Would Putin have made such a sacrifice if Snowden had destroyed or refused to share the stolen data? “No country, not even the United States, would grant sanctuary to an intelligence defector who refused to be cooperative,” answered a former CIA officer who had spent a decade dealing with Russian intelligence defectors. “That’s not how it works.” If so, it seems plausible to me that, as Kucherena said, Snowden’s documents were accessible to him either on a computer or via storage in the cloud after he arrived in Moscow. It explains why Russia exfiltrated him from Hong Kong and provided him with a safe haven.

The Quickly Changing Narrative

Just three weeks after Kucherena’s stunning disclosure, Snowden changed the narrative. His first exchange with an American journalist after his arrival in Russia was not until October 17, 2013. It was conducted over the Internet with James Risen, a Pulitzer Prize-winning New York Times reporter. Essentially Snowden supplied answers to a set of questions. In them, Snowden now asserted he took no documents to Russia. The subsequent front-page story, which carried the headline, “Snowden Says He Took No Secret Files to Russia,” reported that Snowden claimed that he gave all his documents to journalists in Hong Kong and he brought none of them to Russia. He also said that he was “100 percent” certain that no foreign intelligence service had had access to them at any point during his journey from Honolulu to Moscow.
When I later asked Kucherena in Moscow why Snowden changed his story in direct contradiction of what Kucherena had stated, he said “Wizner.” He was referring to Ben Wizner, a top-drawer ACLU lawyer based in Washington D.C. Wizner had joined the ACLU in August 2001 after graduating NYU law school and clerking for a Federal judge. At the ACLU, he became an effective foe of NSA surveillance. “I had spent ten years before this [Snowden leak] trying to bring lawsuits against the intelligence community,” he explained in an interview with Forbes in 2014. Prior to the Snowden leak, he had been consulted frequently by Poitras on government surveillance issues (and appeared in Poitras’ 2010 documentary “The Oath”). He had also been engaged in a lawsuit aimed at exposing the NSA’s subpoenas for Verizon records. He had first learned about Snowden in early 2013, while Snowden was still working for the NSA, from Poitras. At that time, Poitras did not know Snowden’s real name, but she revealed to Wizner that she had found an anonymous source with access to U.S. government surveillance secrets. So he was not completely surprised when Glenn Greenwald, Poitras’ writing partner, asked him in July 2013 to contact Snowden in Russia. Snowden offered an opportunity for Wizner since the ACLU already had been pursuing a suit in Federal court against the government’s seizure of Verizon’s billing records. If he could induce Snowden to retain him and the ACLU, he could claim standing in Federal court to represent Snowden in the case. He also fully believed in the salutary benefit of Snowden’s revelations. They communicated over Skype, according to Kucherena. When they discussed Snowden’s legal situation in America, Snowden expressed an interest in obtaining some form of amnesty from prosecution in America.
Wizner was willing to attempt to explore making a possible deal with the Department of Justice, but it would not be an easy task, especially if Snowden had turned over NSA documents to a foreign power. Even to argue that Snowden was merely an NSA whistle-blower presented a serious challenge for Wizner. The ACLU had been involved with three previous NSA whistle-blowers, William E. Binney, Thomas A. Drake, and Russell D. Tice, but Snowden’s case differed from those cases in important ways. Binney, Drake, and Tice had not intentionally taken any NSA documents. Snowden, on the other hand, had not only taken a large number of NSA documents but released tens of thousands of these top secret files to journalists based in Germany and Brazil as well as other unauthorized recipients. In addition, the Whistle Blower Protection Act, passed by Congress in 1989, does not exempt an insider who signs a secrecy oath, such as Snowden, from the legal consequences of disclosing classified documents to journalists or other unauthorized persons. Consequently, getting some form of amnesty for Snowden required changing Snowden’s public image from that of a person who had damaged America to an image of a person who had helped America. But if Snowden had taken even a single top secret document to Russia, the case could be made that he had stolen communications intelligence secrets with intent to damage the United States, which under the law could be considered espionage. In this regard, Kucherena’s disclosure was extremely damaging to Snowden’s position. One way to mitigate the damage from it was for Snowden to substitute a new narrative. In it, he would say to hand-picked journalists that he had given all his documents to Poitras and Greenwald in Hong Kong and took none of them to Russia. Wizner could then argue that documents such as the FISA warrant were improperly classified secret and that disclosing them
served the public good. The government might not be able to contest his claim without further revealing NSA sources. Under these circumstances, it might be induced to agree to a plea bargain for Snowden. Changing the narrative would also help enhance his public image as a whistle-blower. Whatever the reasoning that led to it, Snowden’s new narrative was that he had destroyed all the documents he had in his possession before coming to Moscow and had no access to any NSA documents, not even those that he had distributed to journalists. Snowden reinforced this narrative in a series of interviews arranged by Wizner. In December 2013, he met with Barton Gellman of the Washington Post. It was his first face-to-face meeting with a journalist since he had arrived in Russia in June. To advance his narrative, Snowden turned on his laptop to Gellman and, as if proving his point, said to him “there’s nothing on it... my hard drive is completely blank.” That his computer had no files stored on it actually meant very little. The files could have been transferred to another device, or, as was discussed earlier, to a server in the cloud. Gellman probed further by asking the precise whereabouts of the files, but, as he reported, Snowden declined to answer that question. All that he would say was that he was “confident he did not expose them to Chinese intelligence in Hong Kong.” Since that answer did not nail down the issue, Wizner arranged for Vanity Fair, which was preparing an article on Snowden, to submit questions. In his reply to them, Snowden wrote that he destroyed all his files in Hong Kong because he didn’t want to risk bringing them to Russia. He expanded on this claim in three more interviews arranged by Wizner. These interviews were with three journalists who themselves had opposed NSA surveillance: James Bamford writing for Wired magazine, Alan Rusbridger, the editor of the Guardian, and Katrina vanden Heuvel, the editor of The Nation.
He also gave a televised interview to Brian Williams of NBC News in which he explained that since he had no access to the NSA documents in Russia, he could not provide access to the Russians even if they “break my fingers.” Snowden did not specify where, when or how the putative destruction of the files occurred, and offered no witnesses or evidence, other than a blank laptop screen, to corroborate it. Even though his new narrative was widely accepted by the media, a self-serving claim by a perpetrator that files have been destroyed cannot be accepted at face value in a digital age in which files can be copied to another computer or moved to the “cloud” with the click of a key. After all, Snowden went to considerable risk to select, copy, and steal these Level 3 documents in mid-May before leaving Hawaii for Hong Kong. They were the last medium of value he held in Hong Kong. These secrets were his potential bargaining chips. Why would he simply erase them in June in Hong Kong? It is also difficult for me to accept that he would destroy these documents because he feared the Russians might get them. If he was so concerned about the ability of Russian intelligence, he could have stayed in Hong Kong and fought extradition instead of flying to Russia. Once he made his arrangements to go to Russia, he must have realized that even without the files on his computer, the Russian intelligence service could still obtain the NSA secrets he held in his head. Indeed, as he told the New York Times, the secrets he held in his head would have devastating consequences for NSA operations. In light of Kucherena’s statement that Snowden had access to NSA documents in Russia, it would require some form of a suspension of disbelief to accept Snowden’s new narrative. But even if one was willing to accept his erasure claim, it still would not mean that the NSA documents had not fallen into the hands of adversaries.
If he had destroyed all of the electronic copies of the NSA’s data before boarding his flight to Moscow, he could not be “100 percent” certain, as he claimed, that the data had not been accessed
by others prior to his departure from Hong Kong. His files could have been copied without his knowledge, just as he had copied them without the NSA’s knowledge. As former U.S. intelligence officers pointed out to me, adversary services could not be expected to shirk from employing their full capabilities once they learned that an American “agent of special services,” as Putin called him, had brought stolen NSA documents to Hong Kong. The New York Times reported from Hong Kong that two sources, both of whom worked for major government intelligence agencies, “said they believed that the Chinese government had managed to drain the contents of the four laptops that Mr. Snowden said he brought to Hong Kong.” That China had the capability to obtain Snowden’s data was also the view of former CIA Deputy Director Morell. He said: “Both the Chinese and the Russians would have used everything in their tool kit—from human approaches to technical attacks—to get at Snowden’s stolen data.” Snowden would not have been a particularly difficult target for them, especially after he started disclosing secrets to journalists at the Mira hotel in Hong Kong. Not only could the Chinese service approach the security staff at the Mira Hotel but they could track him after he left the hotel and moved, along with his computers, in and out of several residences arranged by his “carer.” Snowden, after all, had put himself in the hands of people whom he had never met before, including three Hong Kong lawyers, a “carer” and three Guardian journalists. Presumably, the efforts of these adversary intelligence services to find him, and the NSA data, would further intensify after Snowden revealed to the South China Morning Post on June 14, 2013 that he had access to NSA lists of computers in China and elsewhere that the NSA had penetrated. It wouldn’t be only the Chinese service on his trail.
The Russian intelligence service would also likely be tasked to acquire these NSA documents after Snowden’s meeting with Russian officials in Hong Kong. And while he could get away with giving coy and elusive answers to journalists who asked him about the whereabouts of the NSA data, the Russian and Chinese officials in Hong Kong, who could offer him an escape route from prison, likely would demand more specific answers about the whereabouts of data they had not already obtained by technical means.

The Post-Hong Kong Documents

The NSA concern about who had access to its missing files deepened further when NSA documents continued to surface in the press after Snowden went to Moscow. If US intelligence needed any further evidence that someone had access to the documents, these additional revelations provided it. The most sensational of them was a purported document attributed to Snowden concerning the NSA hacking the cell phone of German Chancellor Angela Merkel. The story was published on October 23, 2013 on the Der Spiegel website. The co-author of the story was Jacob Appelbaum. Even though Snowden had by now been in Russia for four months, he was cited, along with unnamed “others,” as the source for the NSA document. Nor did Snowden deny it. Indeed, he took a measure of credit for the revelation, saying on German TV “What I can say is we know Angela Merkel was monitored by the National Security Agency.” If Snowden
had released this document, it would be consistent with Kucherena’s assertion that Snowden had access to the archive. Adding to the intrigue, Poitras was apparently caught by surprise when the Merkel story broke in Der Spiegel. She urgently texted Snowden on what she called “background” (which ordinarily means that a journalist will not attribute information to a source). She asked him in the text to explain the NSA’s actions. Snowden explained to her that Merkel was listed by her true name (and not by a codename) in the NSA document because the German chancellor was an NSA “target not an asset.” Presumably, Poitras would have already known that distinction if she had the document referred to in Der Spiegel. If the Merkel document was not among the data given to Poitras in Hong Kong, how did it get to the authors of the Der Spiegel article? One of the authors, Appelbaum, as discussed earlier, had been in contact with Snowden before he went public. He had served as Poitras’ co-interrogator of Snowden while he was still working at the NSA in May 2013. Appelbaum also was one of the leading supporters of Wikileaks. Since he was famously an advocate of revealing government secrets, it seems unlikely that he would have delayed releasing such a bombshell about Merkel’s phone if Snowden had given him this document before he had left Hong Kong in June 2013. Why would Appelbaum have kept it secret for more than four months? The same pressure to publish would also apply to the journalists Snowden had dealt with in Hong Kong. If Snowden had given Poitras, Greenwald, Lam or MacAskill the Merkel document, or even told them about it in their interviews with him in Hong Kong, the Guardian would have certainly rushed out such a scoop. According to a source with knowledge of the Snowden investigation, there was no document referencing any spying on Merkel’s phone among the 58,000 documents on the thumb drive that Snowden had given Poitras and Greenwald in Hong Kong.
That absence would explain why Poitras had to send a text to Snowden in Moscow to ask for an explanation after the story broke. Further confirmation of the absence of this document in the material Snowden provided journalists in Hong Kong comes from James Bamford, a well-respected expert on the NSA. In the course of researching his 2014 article on Snowden for Wired magazine, he was given access to all the documents Snowden gave to Poitras, Greenwald and Gellman. Bamford used a sophisticated indexing program to search through the database specifically for the Merkel material. Even so, he did not find any. He reported that no document given to journalists in Hong Kong even mentioned Merkel. It therefore appeared that the Merkel document was provided to Der Spiegel after Snowden went to Moscow in June. If so, some party had access to NSA documents after Snowden arrived in Russia and provided the authors of the Der Spiegel story with the scoop. In that context, it may have not been a pure coincidence that Kucherena disclosed that Snowden had access to documents which he had not given to journalists in Hong Kong shortly before just such a document was published in Germany. For his part, Bamford explored the possibility that there might be another mole in the NSA. Was it possible another person in the NSA was stealing documents? He wrote Poitras and asked
her whether the Merkel document could have come from another person in the NSA. He notes that she declined, via a letter from her lawyer, to answer that question. But since she had not been the author of the Der Spiegel article, and had not been given the document, there is no reason to think she would know its provenance. The post-Hong Kong documents did not stop with the Merkel one. Documents continued to emerge years after Snowden arrived in Moscow. In June 2015, for example, the Wikileaks website released another putative Snowden document two years after he had supposedly wiped his computer clean in Hong Kong. It revealed that the NSA had targeted the telephones of the three consecutive presidents of France: Jacques Chirac, Nicolas Sarkozy and Francois Hollande, all of whom were allies of the United States. Moreover, according to a former NSA official, this 2015 document, like the 2013 Merkel material, was not among the data on the thumb drive given to journalists in Hong Kong. The release on the Wikileaks site came at an embarrassing time, in the midst of NATO war games held near the Russian border, which Putin had vehemently denounced. The accompanying article was co-authored by Julian Assange, who now claimed to have access to Snowden’s NSA material. Since Assange, it will be recalled, had been in telephonic contact with Snowden in Hong Kong and his deputy, Sarah Harrison, had spent five months in Moscow with Snowden in 2013, it is certainly possible Snowden was his source. But it seems difficult to believe that Assange waited two years before publishing since he has made it part of his modus operandi to publish documents immediately. And since Wikileaks receives documents anonymously via its TOR software, any party with access to the Snowden files could have sent it. Greenwald and Poitras also released belated documents.
On July 15, 2015, for example, their web publication The Intercept released a Snowden document that cited an NSA intercept of Israeli military communications about an Israeli raid in Syria on August 1, 2008. It revealed that in it a group of Israeli commandos killed General Suleiman, a top aide to President Assad who had been working with North Korea to build a nuclear facility in Syria. Israel had destroyed that facility in Operation Orchard nearly a year earlier. Whatever the purpose of this new release of an NSA document (which had little, if anything, to do with any of the NSA’s own operations), it was not among the data that Snowden had given Poitras and Greenwald in Hong Kong in 2013, according to a source with access to the investigation. If so, Poitras and Greenwald, like Appelbaum and Assange, were still receiving NSA documents that Snowden had allegedly stolen a long time after he claimed he had destroyed all his files. The NSA reportedly determined that these belated documents, all of which concerned American allies in Germany, France and Israel, had been among the material copied during the Snowden breach. They provided further reason to believe that someone still had access to the documents that were not distributed to journalists in Hong Kong. Kucherena’s disclosure just before the first post-Hong Kong release that Snowden still had access to the NSA files made it appear plausible that Snowden sent these documents to Der Spiegel, Wikileaks and The Intercept. A former high-ranking KGB officer I interviewed had a very different view. He told me that in his experience an intelligence defector to Russia would not be allowed to distribute secret material to journalists without explicit approval by the security service tending him, and that this injunction would be especially true in the case of Snowden after Putin had publicly forbidden
him from releasing U.S. intelligence data. The alternative is that this material was released at the behest of the Russian intelligence service. The mystery of the post-Hong Kong documents also intrigued members in the US intelligence community with whom I discussed it. When I asked a former intelligence executive about the ultimate source for the Merkel story, he responded: “If Snowden didn’t give journalists this document in Hong Kong, we can assume an intermediary fed it to Appelbaum to publish in Der Spiegel?” According to him, the NSA investigation had determined that Snowden indeed had copied an NSA list of cell phone numbers of foreign leaders, including the number of Merkel. This list became the basis of the Der Spiegel story. It was also clear that Snowden in Moscow gave credence to the release. He made a major point about the hacking of Merkel’s phone in an interview with Wired magazine in 2014. Just about two weeks before the leak, Kucherena said Snowden still had access to the documents. Clearly, someone had access. But whoever was behind it, the release of information about the alleged bugging of Merkel’s phone resulted in badly fraying US relations with Germany in the midst of developing troubles in Ukraine. As it later turned out, according to the investigation of the German federal prosecutor concluded in 2015, there was no evidence found in this document, or elsewhere, that Merkel’s calls were ever actually intercepted. Although they revealed little, if anything, that the intelligence services of Germany, France and Israel were not already aware of, they raised a public outcry in allies against NSA surveillance, and the outcry became the event itself. While these post-Hong Kong documents had little, if any, intelligence value, they provided further evidence that at least part of the stolen NSA documents was in the hands of a party hostile to the United States.
If so, it wasn’t much of a leap to assume that this party also had access to the far more valuable Level 3 documents revealing the NSA’s sources and methods, such as the one that Ledgett had described as a “road map” to U.S. electronic espionage against Russia and China. Within the intelligence community, this concern was heightened by new countermeasures to this espionage employed by Russia and China after Snowden reached Moscow. For example, there were indications that the NSA had lost part of its capabilities to follow Russian troop movements in the Crimea and Eastern Ukraine. U.S. intelligence officials even went so far as to suggest, according to a report in the Wall Street Journal, that “Russian planners might have gotten a jump on the West by evading U.S. eavesdropping.” Britain also discovered that some of its secret operations had been compromised after Snowden went to Moscow. According to a 2015 story in the Sunday Times of London, British intelligence had determined that Britain’s intelligence-gathering sources had been exposed to adversary services by documents that Snowden had stolen from the NSA in 2013. These documents had been provided to the NSA by the GCHQ, the British cipher service. Unless such intelligence disasters were freak aberrations, they appeared to confirm General Alexander’s warning in 2014 that the NSA was “losing some of its capabilities, because they’re being disclosed to our adversaries.”
Snowden’s supporters, to be sure, disputed this view. If only as an act of faith in Snowden’s personal integrity, they continued to believe his avowal to Senator Humphrey that he had acted to protect U.S. secrets by shielding them from adversary intelligence services after he took them abroad. They also continued to take him at his word when he said he had destroyed all the NSA documents before going to Russia. Despite such protestations of patriotic loyalty, U.S. intelligence officials could not so easily dismiss the possibility that the missing documents still existed. After all, a U.S. intelligence worker who is dedicated to protecting American secrets from its adversaries does not ordinarily take them to an adversary country. The NSA, CIA and Department of Defense therefore had little choice but to assume the worst had happened: Russia and China had obtained access to the “keys of the kingdom”. Whatever the extent of the actual damage, it was up to General Alexander’s replacement, Admiral Michael Rogers, both to restore morale and to rebuild the capabilities of America’s electronic intelligence in the wake of the massive breach. According to a National Security staff member in the Obama White House, that job would take more than a decade. Meanwhile, whoever now held the keys to the kingdom, one thing was certain: the NSA had failed to protect them. This intelligence failure did not happen out of the blue. Meanwhile, Putin added insult to the injury by awarding the alleged perpetrator sanctuary in Russia.
CHAPTER EIGHTEEN

The Unheeded Warning

“The NSA—the world’s most capable signals intelligence organization, an agency immensely skilled in stealing digital data—had had its pockets thoroughly picked.”
--CIA Deputy Director Michael Morell

In April 2010, the CIA received a stark reminder of the ongoing nature of Russian espionage. It came in the form of a message from one of its best placed moles in the Russian intelligence service. This surreptitious source was Alexander Poteyev, a 54-year-old colonel in the SVR, which was the successor agency to the First Chief Directorate of the KGB. While the FSB took over the KGB’s domestic role in December 1991, the SVR became Russia's Foreign Intelligence Service. Its operation center was in the Yasenevo district of Moscow. The CIA had recruited Poteyev as its mole in the 1990s when he had been stationed at the Russian Embassy in Washington DC. That it could sustain a mole in Moscow for over a decade attested to its capabilities in the espionage business. After he returned to Moscow, still secretly on the CIA’s payroll, he became the deputy chief of the SVR’s “American” section. This unit of Russian intelligence had the primary responsibility for establishing spies in CIA, FBI, NSA and other American intelligence agencies. The SVR’s last known (or caught) mole in US Intelligence was CIA officer Harold Nicholson in 1996. Before it could now expand its espionage capabilities, it needed to build a network of Russian sleeper agents in the United States. For this network, it needed to groom so-called “illegals,” or agents who were not connected to the Russian Embassy. This so-called “illegals” network was necessary since presumably all Russian diplomats, including the so-called “legal” members of Russian intelligence, were under constant surveillance by the FBI. Advances in surveillance technology in the 21st century had made it increasingly difficult to communicate with recruits through its diplomatic missions.
To evade it, the “American” division of the SVR was given the task of placing individuals in the United States disguised as ordinary Americans. Their “legend,” or operational cover, could be thin since they would not be applying for jobs in the government. Their job was simply to blend in with their community until they were called upon by the “American” department in Moscow to service a mole that had been planted in US intelligence or another part of the US government. Until they were activated by such a call, they were classified as sleeper agents. Unlike the SVR’s “legal” officers, who were attached to Russian embassies as diplomats and were protected from arrest by the Treaty of Vienna, the SVR’s illegal agents lack diplomatic immunity. According to Pavel Sudoplatov, who defected from the KGB in the Cold War, the sole job of such sleeper agents was to “live under cover in the West awaiting assignments for the Center.” One assignment that justifies the expense of maintaining such agents is to service a penetration, after one is made, in the US intelligence establishment. While HOUSE_OVERSIGHT_020299
148 waiting to be activated for such a job, sleeper agents were instructed to build every detail of their cover identity so as to perfectly blend in with Americans. To build this American network of sleeper agents took the better part of a decade. In 2005, the SVR’s “American” section in Moscow had begun methodically installing “sleeper agents” in the US. Almost all of them were Russian citizens who had assumed new identities to better blend into their communities. The CIA learned of this sleeper program through Poteyev soon after it began. The issue was how to exploit this knowledge. When I was writing my book on international deception, Angleton had pointed out to me that “the business of intelligence services is understanding precisely the relationship of their opposition to them.” His view, though his opponents inside the CIA would call it with some justification an obsession, was that an intelligence service had to focus on the moves of its rivals. To accomplish this “business” in the first decade of the 21st century, the CIA had to establish why its new opposition, the SVR, was laying the foundation for an espionage operation. What were its priorities in the resumption of the intelligence war? Its inside man, Poteyev, in the SVR, provided it with a tremendous advantage in this relationship. It knew the links in a sleeper network that the SVR believed was safely hidden from surveillance. If they were followed, when they were activated they could expose whatever recruits the SVR had in the American government. The CIA duly shared this information about the sleeper ring with the FBI, which had the responsibility for the surveillance of foreign agents in the United States. The FBI, for its part, kept the Russian sleeper agents under tight surveillance—an operation which grew in complexity and expense as more SVR agents arrived in the US. Meanwhile, in Moscow, Poteyev was following the unfolding operation.
Part of his SVR job was to continue preparing these “Americans,” as they were called by the SVR, for their assignments. Some had been sent as couples, others as singletons. One of the singletons that Poteyev personally handled was Anna Kushchyenko. She was a strikingly beautiful Russian student, who changed her name to Anna Chapman by briefly marrying a British citizen she met at a rave party. After taking his name, she left him. After completing her training in Russia, the SVR sent her to New York City to establish herself as an international real estate specialist. Other “Americans” under Poteyev’s watch became travel agents, students, and financial advisers. In all, Poteyev identified to the CIA twelve such sleeper agents. Since they had been instructed to simply act out their role, while awaiting an intelligence assignment, they presented no real threat. Even so, the cost of FBI surveillance over the years became sizable. Around-the-clock surveillance on the movements and communications of a single individual can cost, according to a former FBI agent, over $10,000 a day. The situation suddenly changed when the CIA received Poteyev’s message in 2010. It warned that Russian military intelligence had asked the SVR to activate some of its sleeper agents for a highly-sensitive assignment. Such a move suggested that Russian intelligence had found a possible source that could supply it with valuable information. According to a former CIA HOUSE_OVERSIGHT_020300
149 intelligence official who later became involved in the case, the assignment involved preparing these agents to service a potential source in the NSA at Fort Meade, Maryland. If true, it suggested that Russian intelligence either had found or was working on a means of penetrating the NSA. In 2010, the NSA’s “Q” division handled such security and espionage threats. It reportedly initiated a counter-espionage probe at the NSA’s Fort Meade headquarters on receiving the tip. But since the NSA’s cryptological service had in 2010 no fewer than 35,000 military and civilian contractor employees, the search for a possible leak was no easy matter. According to a subsequent note in the NSA’s secret budget report to Congress, it would require “a minimum of 4,000 periodic investigations of employees in position to compromise sensitive information” to safely guard against “insider threats by trusted insiders who seek to exploit their authorized access to sensitive information to harm U.S. interests.” According to a former executive in the intelligence community, that number of investigations far exceeded the budgetary capabilities of the NSA. So while the investigation found no evidence of SVR recruitment, it remained possible that Russian intelligence had found a candidate in the NSA. Meanwhile, in June 2010, to pre-empt such a leak in US intelligence and avoid any potential embarrassment that could result, the FBI decided it could no longer engage in this sort of an intelligence game with the sleeper network. It arrested all 12 sleeper agents identified by Poteyev. After receiving a great deal of public attention (which led to them inspiring the FX series “The Americans”), the sleeper agents were deported back to Russia. This move had both advantages and disadvantages. The main advantage was that it severed any communication link between the putative person-of-interest in the NSA and Russian intelligence via the sleeper agents.
The main disadvantage was that it eliminated the possibility that FBI surveillance of the illegals might lead the FBI to a possible recruit in the NSA or elsewhere. The pre-emptive arrests also had an unforeseen consequence. They resulted in accidentally compromising the CIA’s own mole, Poteyev. In entrapping Anna Chapman, who was one of the more active of the sleeper agents, the FBI agent had used a password to deceive her into believing she was speaking to an SVR officer (when in fact she was speaking to an FBI agent who was impersonating one). That unique password had been personally supplied to her by Poteyev. So Chapman had reason to believe Poteyev had betrayed her. When Chapman returned to Moscow after the spy exchange, she was taken to a well-publicized dinner with Putin. Afterwards, she informed her debriefer at the SVR that only Poteyev had been in a position to know the password that the FBI agent used. This brought Poteyev under immediate suspicion. Tipped off by the CIA to the FBI’s error, Poteyev managed to escape by taking a train from Moscow to Minsk in Belarus. The CIA next exfiltrated him out of Belarus and to the United States. Poteyev had been saved from prison—or worse, but he was no longer useful to the CIA as a mole. Without the services of Poteyev in the SVR in Moscow, US intelligence was unable to find out further details about the mission to which Poteyev’s sleeper HOUSE_OVERSIGHT_020301
150 agents were to be assigned. All it had discovered was the history of the preparations for a major espionage revival. It now knew that the SVR had installed plumbing in America and that one or more agents in this network had been activated to handle a possible recruit in the NSA. But without anyone left in the sleeper network to follow and without an inside source in the SVR, it had no further avenues to fruitfully pursue. The revelation of the sleeper agents had little, if any, other intelligence value. The NSA’s own security investigation turned up no evidence of a leak at Fort Meade in 2010. The absence of evidence of a penetration in a security investigation is not in itself evidence of the absence of a penetration. The Russian intelligence service had demonstrated in the past it was well-schooled in covering its tracks in operations against US communications intelligence. For example, CIA counterintelligence had learned from a KGB defector in the early 1960s that Russian intelligence had penetrated the cipher room at the US Embassy in Moscow and, because of this operation, the KGB was able to decipher crucial communications. Even so, it failed to find either the perpetrator or any evidence of his existence for more than a half century. The operation was only definitively revealed by Russian spymaster Sergey Kondrashev in 2007. Tennent Bagley, who headed the CIA’s Soviet Bloc counterintelligence at the time, later wrote in his book that the ability of Russian intelligence to conceal this penetration for more than a half century “broke the record for secret keeping.” This Russian ability to penetrate US intelligence was not entirely defeated by America’s implementation of more sophisticated security procedures, such as the polygraph examination and extensive background checks.
In 1995, only 10 years before Snowden joined it, the CIA's inspector general completed a study of the KGB’s use of false defectors to mislead the US government from the end of the Cold War in the late 1980s through the mid-1990s. It found Russia had dispatched at least a half-dozen double agents who provided misleading information to their CIA case officers. Because the KGB operation went undetected for nearly a decade, the disinformation prepared in Moscow had been incorporated into reports, which had a distinctive blue stripe to signify their importance, and had been provided to three American Presidents, Ronald Reagan, George H.W. Bush and Bill Clinton. Even more shocking, in tracing the path of this disinformation, the Inspector General found that the “senior CIA officers responsible for these reports had known that some of their sources for this information were controlled by Russian intelligence,” yet they did not inform the President and officials receiving the blue-striped reports that they had included Russian misinformation. What CIA Director John Deutch called “an inexcusable lapse” also reflected a form of institutional willful blindness in US intelligence, born out of bureaucratic fear of career embarrassment so well described in le Carré’s spy novels. Detecting intelligence failures has, if anything, become even more difficult in the age of the anonymous Internet. The NSA’s vulnerability to intelligence lapses became all too apparent with Snowden, who had departed America with a large selection of its most secret documents. The Snowden breach HOUSE_OVERSIGHT_020302
151 demonstrated the NSA had few, if any, fail-safe defenses against would-be leakers of communication intelligence. In the new domain of cyber warfare, conventional defensive rules do not apply. “There are no rivers or hills up here. It’s all flat. All advantage goes to the attacker,” Michael Hayden said in an interview in 2015 with the publisher of the Wall Street Journal. His point was that since there are no defensive positions, cyber warfare must rely on an aggressive offensive. If fully successful such attacks would so deeply penetrate the defenses of an adversary intelligence organization that it could not mount any of its own unexpected cyber attacks. Such offensive capabilities would make it difficult, if not impossible, for adversary services to recruit a spy in the NSA. For example, the CIA penetration of the SVR in 2010 prevented it from using its sleeper network against U.S. targets. “The best defense in this game may be an overwhelming offensive,” a former intelligence official said to me, “but that strategy only works if we can keep secret sensitive sources.” Central to this offensive strategy was the NSA’s National Threat Operations Center in Oahu, Hawaii. It employed threat analysts to surreptitiously monitor the secret activities of potential enemies, mainly China, Russia and North Korea. A large part of their job was to make transparent to the US the hostile activities of the Russian and Chinese services so that they posed little, if any, intelligence threat to America. This strategy worked so far as the NSA guarded itself but it also raised the issue, as the Roman Juvenal famously warned, “Quis custodiet ipsos custodes?” Who will guard the guards themselves? Less than three years after the NSA had received the Poteyev warning, a 29-year-old civilian trainee at the National Threat Operations Center demonstrated its glaring vulnerability. Instead of guarding secrets, Snowden stole them.
General Hayden described the Snowden breach as the “most serious hemorrhaging of American secrets in the history of American espionage.” Among the documents taken in this security breach were lists of secret NSA sources in China and Russia. Despite all the measures the NSA had taken to protect its vital secrets, a lowly civilian employee had walked away with the keys to its kingdom. In the hands of their intelligence services, these stolen lists had the potential to totally upend the NSA’s offensive strategy. Since Russia and China have an intelligence treaty for sharing such spoils between them when it is to their mutual advantage, it had to be assumed that if either country had acquired the secrets from Snowden, they would be shared between them, altering the balance of power between the communication intelligence services of the US and its adversaries. Following the Snowden breach both China and Russia had immense successes in breaking through the defenses of US government networks, including the breaches in 2014 and 2015 of U.S. personnel files and background checks. When I asked General Hayden in June 2015 if these successes were made easier by those documents compromised by Snowden, he replied, “Even though I cannot make a direct correlation here, unarguably our adversaries know far more about how we collect signals intelligence than they ever did before [Snowden].” HOUSE_OVERSIGHT_020303
152 If Snowden could cause such massive damage, so could other civilian trainees at the NSA. Someone in the chain of command had to take responsibility. General Alexander tendered his resignation on June 30th, 2013. “I’m the director,” he said, falling on his sword. “Ultimately, I’m accountable.” As President Obama did not want the head of the NSA resigning in the midst of the Snowden crisis, he asked him to stay on for another six months. He then appointed Admiral Michael Rogers to be his replacement. Meanwhile, it had become undeniably clear to the Review Committee appointed by President Obama in 2013 that the NSA’s own defenses had catastrophically failed. If so, this change was the equivalent of re-arranging the deck chairs on the S.S. Titanic after it hit an iceberg. HOUSE_OVERSIGHT_020304
153
PART FOUR
THE GAME OF NATIONS
“I learned that just beneath the surface there's another world, and still different worlds as you dig deeper.”
--David Lynch on his 1986 film Blue Velvet
HOUSE_OVERSIGHT_020305
154
CHAPTER NINETEEN
The Rise of the NSA
“There are many things we do in intelligence that, if revealed, would have the potential for all kinds of blowback,”
--James Clapper, Director of National Intelligence
In the Game of Nations, which is played at a level that often is not visible to public scrutiny, the great prize is state secrets that reveal the hidden weaknesses of a nation’s potential adversaries. The most important of these in peacetime is communication intercepts. It was just such state secrets that Edward Snowden took from the NSA in the spring of 2013. Before that breach, America’s paramount advantage in this subterranean competition was its undisputed dominance in the business of obtaining and deciphering the communications of other nations. The NSA was the instrument by which the United States both protected its own secret communications and stole the secrets of foreign nations. The NSA, however, has an Achilles’ heel: it is dependent on civilian computer technicians who do not necessarily share its values to operate its complex system. Because of this dependence, it was not able in 2013, as it turned out, to protect its crucial sources and methods. Snowden exposed this vulnerability when he walked away with, among other documents, the 32,000-page-long country-by-country descriptions of the gaps in America’s coverage of the communications of its adversaries. Even though the Cold War had been declared over after the collapse of the Soviet Union a quarter of a century earlier, the age-old enterprise of espionage did not end with it. Russia and China still sought to blunt the edge that the NSA gave the United States. So the Snowden breach cannot be simply looked at as an isolated event. It needs to be considered in the context of the once and future intelligence war.
The modern enterprise of reading the communications of other nations traces back in the United States to military code-breaking efforts preceding America’s entry into the First World War. The invention of the radio at the end of the nineteenth century soon provided the means of rapidly sending and getting messages from ships, submarines, ground forces, spies, and embassies. These over-the-air messages could also be intercepted from the ether by adversaries. If they were to remain secret, they could not be sent in plain text. They had to be sent in either code, in which letters are substituted for one another, or, more effectively, cipher, in which numbers are substituted for letters. Making and breaking codes and ciphers became a crucial enterprise for nations. By 1914, the US Army and Navy had set up units, staffed by mathematicians, linguists and crossword puzzle-solvers to intercept and decode enemy messages. After the war had ended in 1918, these units were fused into a cover corporation called the “Code Compilation Company,” which moved to new offices on 37th Street and Madison Avenue in New York City. Under the supervision of the famous cryptographer Herbert O. Yardley, a team of 20 code-breakers was employed in what was called the “Black Chamber.” Yardley arranged for HOUSE_OVERSIGHT_020306
155 Western Union, which had the telegraph monopoly in America, to provide the Black Chamber with all the telegrams coming into the United States. “Its far-seeking eyes penetrate the secret conference chambers at Washington, Tokyo, London, Paris, Geneva, Rome,” Yardley wrote about the Black Chamber. “Its sensitive ears catch the faintest whispering in the foreign capitals of the world.” But in 1929, at the instructions of President Herbert Hoover, Secretary of State Henry Stimson closed the Black Chamber saying famously “Gentlemen should not read each other's mail.” The moratorium did not last long. With war looming in Asia and Europe, President Franklin D. Roosevelt reactivated the operation as the Signals Security Agency. It proved its value in breaking the Japanese machine-generated cipher “purple.” In June 1942, using deciphered Japanese messages to pinpoint the location of the Japanese fleet at Midway, America won a decisive naval victory in the Pacific. Germany’s Enigma encoding machines, with three encoding wheels, proved more of a challenge. Initially British cryptanalysts led by the brilliant mathematician Alan Turing succeeded in building a rudimentary computer to decipher German messages to its submarines and bombers, but, in 1942, Germany added a fourth set of encoding wheels, escalating what essentially was a battle of machine intelligence. The US Navy then contracted with the National Cash Register Company to build a computing machine capable of breaking the improved Enigma, and, in May 1943, it succeeded. By the time the war ended in 1945, the US had over one hundred giant decryption machines in operation. This unrivalled capability to read the communications of foreign nations, which remained one of America’s most closely guarded secrets, was transferred to the Army Security Agency based at Fort Meade, Maryland. Then, on October 24, 1952, President Harry S. Truman greatly expanded its purview and changed its name to the National Security Agency.
The NSA was given two missions. The first one was protecting the communications of the US government. The main threat to breaching U.S. government channels of communications was the Soviet Union. The second one was intercepting all the relevant communications and signals of foreign governments. This latter mandate included the governments of allies as well as enemies. The President, the other intelligence services and the Department of Defense deemed what was relevant for national security. Even though the NSA remained part of the Department of Defense, its job went far beyond providing military intelligence. It also acted as a service agency to other American intelligence services. They prepared shopping lists of foreign communications intelligence and the NSA fulfilled them. As the Cold War heated up in the 1960s, the NSA provided intelligence not only to the Pentagon but to the Department of State, Central Intelligence Agency, the Treasury Department, the Atomic Energy Commission, and the FBI. With a multi-billion dollar “black budget” hidden from public scrutiny, the NSA’s technology directorate invested in state-of-the-art equipment, including super computers that could break almost any cipher, antennae mounted on geosynchronous satellites that vacuumed in billions of foreign telephone calls, and other exotic capabilities. It also devised stealthy means of breaking into channels that its adversaries believed were secure. This enterprise required not only an army of technical specialists capable of HOUSE_OVERSIGHT_020307
156 remotely intercepting even the faintest traces of electromagnetic signals, hacking into computers, and eavesdropping on distant conversations, but also using special units, called “tailored access operations,” to plant listening devices in embassies and diplomatic pouches. It also organized elaborate expeditions to penetrate cables in enemy territory. In 1971, for example, the NSA had sent a specially-equipped submarine into Russia’s Sea of Okhotsk in Asia to tap through Arctic ice. The target was a Russian cable 400 feet below the surface that connected the Russian naval headquarters in Vladivostok with a missile testing range. In 1980, President Ronald Reagan gave the NSA a clear mandate to expand its interception of foreign communications. In Executive Order 12333, he told the NSA to use “all means, consistent with applicable Federal law and (this Executive) order, and with full consideration of the rights of United States persons, shall be used to obtain reliable intelligence information to protect the United States and its interests.” It did restrict any foreign country, either an adversary or an ally, from its surveillance. The NSA’s target soon became nothing short of the entire electromagnetic spectrum. “We are approaching a time when we will be able to survey almost any point on the earth’s surface with some sensor,” Admiral Stansfield Turner, the former Director of Central Intelligence, wrote in 1985. “We should soon be able to keep track of most of the activities on the surface of the earth.” Bobby Ray Inman, a former director of the NSA and deputy director of the CIA, argued that the “vastness of the [American] intelligence ‘take’ from the Soviet Union, and the pattern of continuity going back years, even decades,” greatly diminished the possibility of Soviet deception so long as the NSA kept secret its sources. The NSA did not rely entirely on its own sensors for this global surveillance.
It also formed intelligence-sharing alliances with key allies. The most important was with the British code-breaking service, called the Government Communications Headquarters, or GCHQ, which in World War II had achieved enormous success in using computers to crack the German Enigma cipher. This alliance expanded to include Canada, Australia, and New Zealand, in the so-called Five Eyes Alliance. Since over 80 percent of international phone calls and Internet traffic passed through fiber-optic cables in these five countries, the alliance had the capability of monitoring almost all phone and internet communications. The NSA also established fruitful liaisons with the cyber-services of Germany, France, Spain, Italy, Netherlands, Portugal, Israel, Japan, and South Korea, who often were willing to provide the NSA with access to telecommunications links in their countries. These long-term allies greatly strengthened the NSA’s hand in other ways in the intelligence war. For example, the so-called “James Bond” provision of the British Intelligence Services Act 1994 allowed officers of the GCHQ to commit illegal acts outside of Britain including planting devices to intercept data from computer servers, cell phones, and other electronic targets. And, as Snowden’s release of documents revealed in 2013 and 2014, these foreign allies fully shared their information with the NSA. HOUSE_OVERSIGHT_020308
157 Of course, the liaison between the NSA and its allies was a two-way street. In 2013, none of these other countries had a global network of geosynchronous sensors in outer space and under the ocean that could monitor signals from missile launchings, submarines, military deployments, nuclear tests and other matters of strategic importance to them. Nor did these allies have the cipher-breaking capabilities of the array of NSA super computers. The NSA had assiduously built these means at a cost of over a half trillion dollars and employed tens of thousands of linguists who could translate almost any dialect or language of interest. Even though these allies had their own cipher services and local capabilities, they depended on NSA to provide them a large share of their signal intelligence. From the perspective of defending themselves from potential threats, the deal that these allies had with NSA was mutually advantageous. The NSA’s overseas intelligence gathering was not limited to adversary nations. With the exception of the Five Eyes allies, it gathered data that was deemed of importance by the President and Defense Department in friendly countries. These operations had been approved by every American President, and funded by every American Congress, since 1941. After all, even in the realm of allies, activities take place that run counter to American interests. The 9/11 conspiracy, for example, was hatched in Hamburg, Germany and financed in Dubai and Saudi Arabia. Nor were American allies unaware of the reach of the NSA. “Yes, my continental European friends, we have spied on you. And it is true we use computers to sort through data by using keywords,” former CIA Director James Woolsey wrote in the Wall Street Journal in 2000, “Have you stopped to ask yourselves what we are looking for?” Whether or not it was appreciated by other countries, the global harvesting of communication intelligence by the NSA was hardly secret.
As the NSA expanded further, it delegated part of its work to regional bases, including ones in Utah, Texas, Hawaii and Japan. The paramount task of the NSA remained monitoring the channels of communications that an adversary might use. The vast proliferation of these channels in cyberspace, which included email, social media, document sharing and other innovations of the Internet age, greatly complicated this task. Even so, this challenge was not insurmountable because most of the Internet actually travelled through fiber-optic land-line cables that crossed the territories of the United States, Britain and Australia. So the NSA found the technical means, including gaining voluntary access to major Internet companies, to “harvest” vast amounts of this Internet data. America’s other intelligence agencies quickly recognized the value of the communications intelligence gleaned from foreign telecommunications. John E. McLaughlin, who was the CIA’s Acting Director in 2004, described the NSA as nothing less than the “very foundation of US intelligence.” This service proceeded from the immense amount of foreign data that the NSA vacuumed in through its global sensors. This data gave the CIA and other US intelligence services a means for verifying the reports of their human sources as well as discovering new targets in adversary nations for further investigation. HOUSE_OVERSIGHT_020309
158 By the first decade of the 21st century, the NSA’s surreptitious efforts to render the Internet transparent to US intelligence had earned it a new set of enemies. They were the previously mentioned hacktivists who were attempting to shield the activities of Internet users from the intrusions of government surveillance. They employed both encryption and TOR software to defeat that surveillance. The NSA was not about to be defeated by the tactics of amateur privacy advocates. It did not conceal that it was intent on countering any attempt to interfere with its surveillance of the Internet. It built back doors into their encryption and worked to unravel the TOR scrambling of their IP addresses. It made leading hacktivists targets. Brian Hale, the spokesman for the Director of National Intelligence, disclosed that the US routinely intercepted the cyber signatures of parties suspected of hacking into US government networks. Following the 9/11 attack on the Pentagon and World Trade Center, the surveillance of the Internet also became an integral part of the Bush administration’s war on terrorism. In October 2001, Congress expanded the NSA’s mandate by passing the USA Patriot Act. Section 215 of the act directly authorized the NSA, with the approval of the FISA court, to collect and store domestic telephone billing records. The idea was to better coordinate domestic and foreign intelligence about Al-Qaeda and other jihadist groups. The mantra in government after 9/11 was to “connect the dots.” Congress with this act essentially called for demolishing the wall between domestic and foreign intelligence when it came to foreign-directed terrorism. The act effectively made the NSA a partner with the FBI in tracking phone calls made from phones originating outside the United States by known foreign jihadists. If these calls were made to individuals inside the United States, the NSA was now authorized to retrieve the billing records of the person called and those people whom he or she called.
These traces were then supplied to the FBI. When a New York Times exposé in 2008 revealed that NSA surveillance had been extended to domestic telephone use, Congress passed the FISA Amendments Act of 2008 explicitly allowing the NSA to continue these practices if it obtained a FISA court order. Congress also sanctioned the NSA’s supplying the FBI with the emails and other Internet activity of foreign jihadists if they were suspected of planning attacks in America. This put the NSA directly in the anti-terrorist business in the United States. It also necessitated the NSA vastly increasing its coverage of the Internet. The new duties also increased the NSA’s need to create new bureaucratic mechanisms to monitor its compliance with FISA court orders. Rajesh De, the NSA’s General Counsel at the time of the Snowden breach, described the NSA as becoming by 2013 “one of the most regulated enterprises in the world.” Grafted onto its intelligence activities were layers of mandated reporting to oversight officials. Not only did the NSA have its own chief compliance officer, chief privacy and civil liberties officer, and independent inspector general but the NSA also had to report to a different set of compliance officers at the Department of Defense, the Office of National Intelligence and the Department of Justice. On top of reporting to those officials, the Department of Justice dispatched a team of lawyers every 60 days to review the results of “every HOUSE_OVERSIGHT_020310
single tasking decision” approved by the FISA court. According to Rajesh De, just assembling these reports involved thousands of hours of manpower. In addition, the President’s Oversight Board required that NSA’s Office of the General Counsel and Inspector General supply it every 90 days with a list of every single error made by every NSA employee anywhere in the world deviating from procedures, including even minor typing errors. These requirements, according to De, inundated a large part of the NSA legal and executive staff in a sea of red tape. Yet, this regulation could not undo surveillance programs such as the one Snowden revealed of Verizon turning over the billing records of its customers to the NSA, because the NSA was in compliance with the FISA court order (even though, as it turned out in 2015, the FISA court may have erred in interpreting the law). The NSA’s focus on surveillance may have led to the neglect of its second mission: protecting the integrity of the channels through which the White House, government agencies and military units send information. This task had been made vastly more difficult by the proliferation of computer networks, texting and emails in the 21st century. To protect against cyber attacks against government networks, the Pentagon belatedly created the Cyber Command in 2009. The cyber defense units of the Army, Navy, Marines, and Air Force were merged together in this new command, which was put under the command of the NSA director. NSA director Keith Alexander became the first director of this new command. One problem for the Cyber Command was separating attacks by civilians, including criminals, hacktivists and anarchists, from cyber warfare sponsored and supported by adversary states. Foreign intelligence services often closely imitated the tools of civilian hackers, and were even known to provide them with hacking tools.
Even for the Cyber Command, it was not an easy challenge to unambiguously determine if the ultimate perpetrator of a cyber attack was state-sponsored. For example, the identification of North Korea as the principal actor behind the attack on Sony in December 2014 appeared to be a rare success, but many cyber-security experts believed that it might be a false trail used to hide the real attacker. The problem here was that clues can be fabricated in cyber space to point to the wrong party. The job of the Cyber Command was to prevent such an attack. To this end, it planted viruses on hundreds of thousands of computers in private hands to act as sentinels to spot other suspicious viruses that could mount such an attack. So private computers became a new battleground in the cyber war. It also built a capability to retaliate. The problem was that, unlike incoming missiles, cyber attacks which were launched through layers of other countries’ computers could not be unambiguously traced back to the true perpetrator. This escalation by the Cyber Command set the stage for expanded forms of warfare in cyber space. “The Chinese are viewed as the source of a great many attacks on western infrastructure and just recently, the U.S. electrical grid,” General Alexander said in explaining the need for this consolidation. “If that is determined to be an organized attack, I would want to go and take down the source of those attacks.” The same retaliation would presumably be used against Russia, Iran or any other adversary. Dominance of cyber space itself now became part of the NSA’s mandate. Even so, the most important job of the NSA remained intercepting secret information from Russia, China, Iran, and North Korea. To this end, it had an annual budget of $12.3 billion and some 35,000 military and civilian employees. In 2012, James Clapper, Jr., the Director of
National Intelligence, justified the secret intelligence budget by saying in an open session of Congress, “We are bolstering our support for clandestine SIGINT [signal intelligence] capabilities to collect against high priority targets, including foreign leadership targets,” and to develop “groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic.” It was no secret, even before Snowden, that the NSA was engaged with monitoring the Internet. Through all this tumult the heart of the NSA’s activity remained its 5,000-acre base at Fort George G. Meade, Maryland. It commanded the most powerful mechanism for intercepting communications that the world had ever seen. No other country came close to its technology for intercepting information. The NSA was not only able to intercept secret information from these potential adversaries, but it also, at least until the Snowden breach, managed to conceal these means from them. As long as these adversaries remained blind to the ways in which their communications were being intercepted, deciphered and read by the NSA, they could not take effective countermeasures. Consequently, the NSA had the capability to provide the President and his advisers with continuous insights into the thinking and planning of potential enemies. Keeping its sources and methods secret was no easy task. The NSA’s technicians had to deal with continuous technical challenges to provide a seamless harvesting of data from a wide range of communication devices, including telephones, computers and the Internet. It required continuous intra-agency communications between the NSA’s own intelligence officers and a growing number of civilian technicians. It even had its own “Wiki-style” network through which they could discuss problems, called the NSANet.
As it could not tightly control access to this technical network, it expunged any mention of the sources and methods from the material circulated on the classified NSA network. Instead, it stored them in discrete computers, called compartments, that were disconnected from other computers at the NSA. These compartments could only be accessed by a limited number of analysts and NSA executives who had a need to know about the data they contained. These compartments were the final line of defense against an inside intruder. In 2009, Snowden found his way into the NSA through a temporary job with an outside contractor that had a contract with the NSA’s Technology Directorate to repair and update its back-up system. Four years later, by maneuvering to get hired by another outside contractor with access to the NSA’s sources and methods, he was able to steal secrets stored in isolated computers bearing directly on the ongoing intelligence war. Snowden also copied from these compartments in a matter of weeks, as has been previously mentioned, the NSA’s Level 3 sources and methods used against Russia, Iran and China. The Snowden breach demonstrated that the NSA’s envelope of secrecy was at best illusory. After this immense loss, the NSA’s sources inside these adversary countries were largely compromised even if they were not closed down. Once these adversaries were in a position to know what channels the NSA was intercepting, they could use these same channels to mislead US
intelligence. A former top intelligence official told me “The queen on our chessboard had been taken.” To be sure, even after the loss of its “queen,” the game was not lost. The NSA moved to mitigate the damage and find new ways of obtaining unexpected intelligence. In June 2014, the new NSA director Admiral Michael Rogers had to confront flagging morale that, according to former director Michael Hayden, was near-paralyzing the intelligence service. Admiral Rogers recognized that as a direct result of the Snowden breach “the nation has lost capabilities against adversaries right now who are attempting to actively undermine us.” But even with that loss, he observed “the sky has not fallen.” As in the Chicken Little fable he cited, the world had not ended for the NSA. Nor had it ended for the multi-billion outsourcing enterprise it superintended. The NSA may have lost many of its sources, or “capabilities,” but Rogers held out hope that new sources could be eventually found to replace them. Compromised codes, after all, could be changed. New technological methods could be devised. New vulnerabilities also could be targeted in enemy territories. Although repairing the damage might take many “decades,” according to Michael McConnell, the Vice Chairman of Booz Allen, the new director had to get on with that task. McConnell, a former NSA director himself, pointed out that the NSA Director’s “first responsibility is to be the chief cheerleader.” Rebuilding the NSA capabilities assumed, however, that there would not be another Snowden-size breach. The question remained: how could the NSA’s vaunted secrecy have been so deeply penetrated by a mere analyst-in-training at a regional base in Oahu? The perpetrator himself could not be asked. He was in Moscow, supposedly employed by an unnamed Russian cyber security firm. He was also in his Moscow interviews pointing to the “incompetence” of the NSA.
All that was known for certain about the young man who had taken the “queen” from the board was that he had gained entry to the NSA’s secret chambers through the back door, a portal opened to him by the NSA’s reliance on outside contractors.
CHAPTER TWENTY

The NSA’s Back Door

“You have private for-profit companies doing inherently governmental work like targeted espionage, surveillance, compromising foreign systems. And there’s very little oversight, there’s very little review.” - Edward Snowden, explaining his access to the NSA in Moscow, 2014

Prior to Snowden’s theft of NSA documents, the single most shattering blow to the confidence of the US intelligence community was the exposure of Aldrich Ames as a long-serving Russian mole in the CIA in 1994. Ames, it will be recalled, had been a high-ranking CIA officer. He had even worked at the CIA’s Counterintelligence Center Analysis Group before he was arrested by the FBI. He had also worked as a mole for Russian intelligence. (His recruitment by the KGB will be further discussed in Chapter Twenty-Seven.) In a plea bargain to avoid the death sentence, he admitted that he had successfully burrowed into the CIA for over nine years on behalf of the KGB. His description of his sub rosa activities as a mole was part of the plea bargain. He was sentenced to life imprisonment. This stunning revelation shook the CIA leadership to its core. Up until then, as mentioned earlier, CIA executives steadfastly denied that it was possible that the KGB could sustain a mole in American intelligence. The Ames arrest also led the NSA to reassess its own vulnerability to penetration. Could there be an Ames inside the NSA? The question was considered by the NSA’s National Threats Operations Center, the same unit from which Edward Snowden later stole a huge trove of secret documents. According to a report in 1996 entitled “Out of Control” (later released by the NSA), the danger of an Ames-type penetration could not be excluded. Even though the “threat officer” who wrote this report was not identified by name, his analysis proved incredibly prescient.
He said that the NSA’s drive to enhance its performance by networking its computers would result in the intelligence services putting “all their classified information ‘eggs’ into one very precarious basket.” The basket was the computer networks run by technicians called “system administrators.” He pointed out that the NSA was becoming increasingly dependent on such networked computer systems, and he predicted that the NSA’s “Aldrich Ames,” as he put it, would be a “system administrator”—which was the position that Edward Snowden held nearly two decades later at Dell when he began stealing secrets.
The NSA’s system administrators were, as the threat officer pointed out, very different from the traditional military employees at the NSA. They were usually civilians, who effectively served as repairmen for complex computer systems at the NSA. Moreover, many of them had not been directly hired by the NSA. Instead, their recruitment had been privatized to outside contractors. This outsourcing had deep roots tracing back to the Second World War, when Ed Booz, the founder of Booz Allen Hamilton, obtained contracts to help manage ship construction from the US Navy. After the war ended he sought contracts for his firm in classified work. These contracts grew in size as the NSA needed more and more system administrators and other information technologists to manage the computer networks. These system administrators needed to be given special privileges to do their service job. One such privilege allowed them to bypass password protection. Another privilege allowed them to temporarily transfer data to an external storage device while they repaired computers. These two privileges greatly increased the risk of a massive breach. Seeing them as the weak link in the chain, the threat officer wrote in the report that “system administrators are likely to be increasingly targeted by foreign intelligence services because of their special access to information.” Before the computerization of the NSA, the threat officer noted that code clerks and other low-level NSA communicators had been the target of adversary intelligence services. But the increasing reliance on computer technicians presented foreign intelligence services with much richer targets. He predicted that they would adapt their recruiting to this new reality. Specifically, he argued that adversary intelligence services would now focus their attention on system administrators.
“With system administrators,” he said, “the situation is potentially much worse than it has ever been with communicators.” The reason: “System administrators can so easily, and quickly, steal vast quantities of information.” He further suggested that since system administrators are often drawn from the counterculture of hacking, they are more likely to be vulnerable to an adversary service using a fake identity for its approach, or a “false flag.” A “false flag” was a term originally applied to a pirate ship that temporarily hoisted any flag that would allow it to gain close proximity to its intended prey, but in modern times it describes a technique employed by espionage services to surreptitiously lure a prospect. As will be more fully discussed in the next chapter, false flags were a staple used by the KGB in espionage recruitments during the Cold War. They were usually employed when a target for recruitment was not ideologically disposed to assisting the intelligence service. To overcome that problem, recruiters hide their true identities and adopt a more sympathetic bogus one. In 1973, for example, the KGB, working through one of its agents in the US Navy, used the false flag of Israel to recruit Jerry Alfred Whitworth, who served as a communications officer with a top secret clearance for the Navy. Like many other KGB recruits, Whitworth came from a broken family, dropped out of high school, took technical courses and got a job as a communications officer. He was not disposed to working for Russia. But he was willing to steal enciphered and plain text cables to help in the defense of Israel. After he was thoroughly compromised by his espionage work, he was told by the KGB recruiter that he was actually working for Russia, but, by this time, he was too deeply compromised to quit. He continued his
espionage work for another 8 years. (Whitworth, who was arrested by the FBI in 1985, was convicted of espionage and sentenced to 365 years in prison.) The Internet provided an almost ideal environment for false flags since its users commonly adopt aliases, screen names, and other avatars. The threat officer explained how easy it would be for the KGB to adapt such a false flag when dealing with a dissident system administrator working for US intelligence. As the threat officer pointed out in his report, the KGB had used false flags in the late 1980s to surreptitiously recruit members of the “German Hanover Hackers,” a community of anarchistic hackers who breached computer networks for fun and profit. Up until then, these hacktivists stole corporate and private passwords, credit card information, and other privileged documents as a form of freelance espionage. Because of their fervent anti-authority ideology, the KGB disguised its recruiters as fellow hacktivists. The KGB succeeded in getting the Hanover hackers to steal log-in account identifications, source codes and other information from U.S. government computer networks. The precise vulnerability that this threat officer pointed out in 1996 was system administrators. This weak link became increasingly relevant as the NSA moved further into the digital age. By the beginning of the 21st century, its growing networks of computers were largely run by civilian technicians, including system administrators, infrastructure analysts, and information technologists, who were needed to keep the system running. Despite the warning by the threat officer, the NSA became more reliant on these outsiders as it reorganized to meet its new mandates for surveillance of the Internet in the war on terrorism. Since the NSA had to compete with technology companies, such as Google, Apple and Facebook, for the services of experienced IT workers, it used private contractors to find them.
They, in turn, recruited civilian technicians from many unconventional areas, including the hacking culture. Ex-hackers, who lacked (or shunned) employment opportunities in the corporate sector, were suitable candidates for the system administrator jobs that these firms had contracted to supply the NSA. In the rush to expand, little heed was paid to the 1996 warning that this hacking culture might provide a portal to anti-government hacktivist groups. The NSA became so enamored with this new technology that it neglected the security implications of employing outsiders. “All of us just fell in love with the ease and convenience and scale [of electronic storage],” Michael Hayden, who headed the NSA at the time, said to the Wall Street Journal in 2015. “So we decided to take things we used to keep if not in a safe, at least in our desk drawer, and put it up here [in a computer network], where it’s by definition more vulnerable.” Making matters even worse, as has been previously discussed, the NSA stripped away much of the so-called stove-piping that insulated highly sensitive data from the NSA’s other computer networks. Here they were merely following the recommendations of the 9/11 Commission to make their data more accessible to other agencies concerned with potential terrorist attacks. As a result, the inner sanctum of the NSA became more open to its new army of civilian technicians. The universe of independent contractors was governed by very different forces than that of intelligence services. By 2013, much of the job of managing the NSA’s classified computers had been handed over to five private companies: Booz Allen Hamilton, which handled the most highly secret work; and Dell SecureWorks, Microsoft, Raytheon, and IBM. In many respects, these five
companies acted less like management consultants and more like temporary employment agencies in finding for the NSA the computer specialists who had the necessary security clearances. Unlike intelligence services, their fate depended on turning profits. Since the value of their contracts was largely limited by competitive bidding, their business plans were predicated on their ability to minimize the costs of fulfilling these contracts. Their principal cost was the salaries they paid their independent contractors. Their business plans therefore depended on finding large numbers of computer technicians in the private realm willing to work at an NSA base at relatively low wages. This task became more difficult as many potential recruits could find higher paying employment with more of a future in the burgeoning private sphere. They could also increase their revenue streams by getting additional contracts which, in turn, meant recruiting even more workers. It was hardly a business plan which could afford to give priority to quality control. In the private sector, there is usually an unambiguous external measure of failure. For example, an automobile company such as General Motors can measure the performance of its executives by reckoning its change in net income. With secret intelligence work, the metrics for failure are far less clear. This curious aspect of secret work was part of the advice given to a White House lawyer in the Obama Administration seeking a position with the NSA in 2012. He was advised that among the advantages of working for a super-secret agency was that if one errs or has a failure, “It stays secret.” He later found out in the Snowden case, which exploded during his tenure at the NSA, that not all failures stay secret. Even so, the NSA cannot always find convenient metrics to measure its own failures. For example, while it can quantify the amount of data it is intercepting, it cannot count the intelligence it misses.
There is no getting around the a priori proposition in the intelligence game: “what is successfully hidden is never found.” But there is a failure that cannot be hidden: a security breach in which a perpetrator uses NSA data to publicly expose the NSA’s sources. Up until the Snowden breach in 2013, the NSA had experienced only one such public failure. It was the capture by North Korea in 1968 of the USS Pueblo, which had been carrying out highly sensitive electronic communications interception for the NSA. The Pueblo crew failed to destroy the NSA’s encoding machines, which several days later were flown to Russia. The stakes were so high that the Pentagon even considered using nuclear weapons to limit the damage of the seizure. The Snowden breach was much worse because, among the thousands of documents he stole, he selected lists of the NSA’s secret sources in adversary nations. Making matters worse, the Snowden breach was a failure that directly traced back to Booz Allen Hamilton, the NSA’s largest contractor. Such a failure calls into question the vexing issue of privatizing secret intelligence. Booz Allen, like all other outside contractors, was in the business to make money. Indeed, it had found government contracts so much more profitable than its work in the private sector that it sold its private sector unit to Price Waterhouse. The profitability of government work led the Carlyle Group’s hedge fund to acquire a controlling stake in Booz Allen in July 2008. By 2013, it had increased its revenue by $1.3 billion by expanding its government contracts. Even more
impressive, its operating margin on these contracts had doubled. As it turned out, it did not achieve these profits by increasing its core internal staff. In 2008, it had 22,000 employees on its internal staff, and in 2013, it had roughly the same number on its internal staff. What it expanded was the number of outside contractors it employed. It added in these five years, by one Wall Street analyst’s calculation, some 8,000 new external workers. They were employed as system administrators, infrastructure analysts, computer security specialists and other “geek squad” jobs at the NSA and other government agencies. Their main qualification was their prior secrecy clearances (which saved Booz Allen the expense of vetting them and also the loss of income while waiting many months for a clearance). Snowden therefore was highly desirable from an economic point of view for Booz Allen. Even though he had no prior experience as an infrastructure analyst, and he had been detected being untruthful about his degree in computer sciences, he not only had an SCI secrecy clearance, but he was willing to take a cut in pay. In keeping with the Booz Allen business plan, such a recruit would provide another cog in its profit machine. Not only had the NSA outsourced much of its computer operations to private companies, but the Clinton Administration in 1996 had privatized background checks for government employees requiring security clearances. The idea backed by Vice President Al Gore was to reduce the size of the Federal government by outsourcing the investigation of the backgrounds of millions of government applicants for jobs. The task had previously been performed by the FBI, but it was assumed that a profit-making business could do it faster and more efficiently.
The private company named United States Investigative Services (USIS) was purchased in 2007 for $1.5 billion by Providence Equity Partners, a rapidly expanding investment firm founded only four years earlier by graduates of Brown University and the Harvard Business School. So like Booz Allen, USIS was backed by a hedge fund determined to make money by systematically cutting the cost of a previously governmental service. But such outsourcing had drawbacks. For one thing, unlike the FBI, USIS lacked the investigative clout to gain entry to the CIA and other government agencies. For example, when it did the background check on Snowden in 2011, it could not get access to his CIA file. As will be recalled, there was a “derog” in his file that might have set off alarm bells. But because of its lack of access to the CIA, USIS did not learn about the derogatory reports in Snowden’s CIA file. Nor did it learn that he had been threatened by an internal investigation of his alleged computer tampering in 2009. The FBI, with its long-standing liaisons with the CIA, might have learned this about Snowden if it had done his background check. To be sure, the profit calculus might have worked better if it had been coupled with adequate oversight. But without such oversight, it proved to be a barrier to extended investigations of applicants. As it turned out, USIS closed cases and cleared applicants without completing an adequate investigation. According to a US government suit filed in 2014, USIS had prematurely closed over 665,000 investigations in order to get more quickly paid for them. Since the more cases it completed each month, the more money it received from the government, the lawsuit
alleged that USIS employees often “flushed,” or ended cases before completing a full investigation, to meet corporate-imposed quotas for getting bonuses. One employee said in an email cited in the government’s complaint “Flushed everything like a dead goldfish.” As a result, some of the information specialists entering the NSA through the back door of outside contractors were not fully vetted. (On August 20, 2015 USIS agreed to forfeit $30 million in fees to settle the lawsuit.) USIS was also open to sophisticated hacking attacks by outsiders. For example, in August 2014, the Department of Homeland Security’s counterintelligence unit discovered such a massive and persistent breach in USIS that it shut down its entire exchange of data with USIS. The intrusion into USIS records in this case was attributed to hackers in China most likely linked to the Chinese intelligence service. Such massive intrusions dated back to 2011. USIS’ lack of security in its website left a gaping hole through which outside parties, including Chinese and Russian hackers, could learn both the identity and background of information specialists applying for jobs at the NSA. These private companies had one further security weakness. They did not sufficiently protect the personal data of their off-premise employees working at the NSA. Consider, for example, the successful 2011 attack on the Booz Allen Hamilton servers. The previously mentioned hackers’ group “Anonymous” took credit for it. It not only breached the security of Booz Allen servers but cracked the algorithms it used to protect its employees. It next injected so-called Trojan-horse viruses and other malicious codes on Booz Allen servers that allowed it to have future entry. Presumably, if amateur hackers such as Anonymous could break into the computers of the NSA’s largest contractor, so could the state espionage services with far more advanced hacking tools such as those of Russia and China.
From these sites, an adversary intelligence service could obtain all the job applications and personal resumes submitted to contractors such as Booz Allen. It could then compile a list of the candidates looking to work at the NSA. These deficiencies in the private sector were compounded by the failure of security in the government’s own Office of Personnel Management. It used a computer system called E-QIP in which intelligence employees with security clearances, including outside contractors, updated their computerized records to maintain or upgrade their security clearances. For example, Snowden updated his clearance in 2011. To do so, these employees constantly updated their financial and personal information. As it turned out, there was a major hole in the E-QIP system. It had been repeatedly hacked since 2010 by unknown parties. In 2015, the US government told Congress that China was most likely responsible but Russia and other nations with sophisticated cyber services could have also participated in the hacking. In any case, the records of over 19 million employees, including intelligence workers, became available to a hostile intelligence service. This breach would give hostile services a great deal of information about independent contractors working at the NSA. They could then use this data to follow the movements of any of these intelligence workers they deemed of interest.
Despite all the potential flaws in it, the outsourcing system seemed to work until 2013. It even featured a revolving door through which Booz Allen, for example, hired retiring executives from the intelligence services, such as ex-NSA director Michael McConnell, R. James Woolsey, a former director of CIA, and Lieutenant General James Clapper (ret), who later served as Director of National Intelligence. The cozy relationship between the private firms and the NSA notwithstanding, the NSA leadership was unaware that outsourcing could create a security problem. As far back as 2005, Michael Hayden, then the departing head of the NSA, had been warned of one such vulnerability in a memorandum written by a counter-intelligence officer at the NSA. Like the earlier 1995 report by the threat officer, this memorandum noted the NSA had ceded responsibility for managing its secret systems to outsiders, and warned that the NSA’s reliance on them to manage its computers had opened a back door into the NSA. In addition, it warned that once an outside contractor managed to slip in through this back door, he could easily jump from one outsourcer to another. This was what Snowden did when he moved from Dell to Booz Allen Hamilton in 2013. Despite its security flaws, outsourcing provided a number of advantages to the NSA. For one thing, it provided a means for circumventing the budget restrictions imposed by Congress on hiring new employees. In addition, since private companies had less-rigid hiring standards, it greatly expanded the pool of young system administrators by tapping into computer cultures that would be antagonistic to working directly for the government. Finally, it used fewer NSA resources. Since these information technologists were only temporary employees, they were not entitled to military pensions, medical leave and other benefits. It was a system which effectively replaced military careerists with freelancers.
The irony of the situation was that the NSA had surrounded its front doors with rings of barbed wire, closed-circuit cameras, and armed guards, but for reasons of economy, bureaucratic restrictions and convenience, it had left the back door of outsourcing open to temporary employees of private companies. To be sure, it might take some time for them to gain entry to its inner sanctum. “It was not a question of if but when one of the contractors would go rogue,” the former NSA executive who wrote the memorandum told me. Snowden answered that question in 2013 by stealing a vast number of files while working for both Dell and Booz Allen. Even more extraordinary than the theft itself was the reaction to it by the NSA. It turned out that there was no cost of failure levied against the outside contractor, Booz Allen, which employed Snowden when he bypassed its security regime to steal the keys to the kingdom. Even though the counterintelligence investigation showed Snowden stole documents from compartments to which he did not have access, the NSA did not penalize his employer, Booz Allen, even though the NSA was set back for decades according even to Michael McConnell, the vice chairman of Booz Allen. Instead, its revenues and profits from government contracts markedly increased between 2013 and 2015.
Nor did the NSA alter its reliance on private contractors. The Snowden breach notwithstanding, the back door to the NSA remained wide open because, by the time of Snowden, outsourcing to private companies had become an all but irreplaceable part of the intelligence system in America.
CHAPTER TWENTY-ONE

The Russians Are Coming

"The breakup of the Soviet Union was the greatest geopolitical tragedy of the 20th century."—Vladimir Putin

In the first invasion of a European country since the end of the Cold War, Russian military forces moved into the Crimea and other parts of Eastern Ukraine in February and March of 2014. Unlike with previous Russian troop movements, such as those into Poland, Hungary, Czechoslovakia and Eastern Germany during the Cold War, the week-long massing of Russian elite troops and sophisticated equipment for the move into Ukraine almost totally evaded detection by the NSA’s surveillance. It failed to pick up tell-tale signs of the impending invasion. Never before had the NSA’s multibillion dollar armada of sensors and other apparatus for intercepting signals missed such a massive military operation. According to a report in the Wall Street Journal that cited Pentagon sources, Russian units had managed to hide all electronic traces of their elaborate preparations. If so, after more than a half-century of attempted penetrations, Russia apparently had found a means of stymieing the interception capabilities of the NSA.

While American political scientists wrote optimistically about the end of history, Putin had his own ideas about restoring Russia’s power in the post-Cold War era. A formidable KGB officer before he became President of the Russian Federation in 2000, he made no secret that his goal was to prevent the United States from obtaining what he termed “global hegemony.” His logic was clear. He judged the break-up of the Soviet Union in 1991 to be, as he put it, “a geopolitical tragedy.” He argued that the break-up had provided the United States with the means to become the singular dominant power in the world. He sought to prevent that feared outcome by moving aggressively to redress this loss of Russian power.
He upgraded Russia’s nuclear force, modernized Russia’s elite military units and greatly strengthened Russia’s relations with China. The last measure was essential since China was Russia’s principal ally in opposing the extension of American dominance. Yet there was still an immense gap between Russia and the United States in communications intelligence. Since the break-up of the Soviet Union, the NSA had continued to build up its technological capabilities while Russia teetered on the edge of collapse in the early 1990s.

But the NSA also had its problems. As previously mentioned, the NSA’s legal mandate had been limited by Congress to foreign interceptions (at least prior to 9/11 in 2001). As a result, it was required to separate out domestic from foreign surveillance, a massive process which was not only time-consuming but could generate dissidence within the ranks of American intelligence. It also could not legally use its surveillance machinery to monitor the telephones and Internet activities of the tens of thousands of civilian contractors who ran its computer networks—at least not unless the FBI began an investigation into them.

Here the Russian intelligence services had a clear advantage. They had a lawful mandate to intercept any and all domestic communications. In fact, a compulsory surveillance system called by its Russian acronym SORM had been incorporated into Russian law in 1995. It requires the FSB and seven other Russian security agencies to monitor all forms of domestic communications including
telephones (SORM-1), emails and other Internet activity (SORM-2), and computer data storage of billing information (SORM-3). Not only did Russia run a nationwide system of Internet-filtering in 2013, but it requires its telecommunication companies to furnish it with worldwide data.

The NSA also had to deal with many peripheral issues other than the activities of Russia and China. It was charged with monitoring everything from nuclear proliferation in Iran, Pakistan, and North Korea, to potential jihadist threats everywhere in the world. The Russian intelligence service, on the other hand, could put its limited resources to work on redressing the gap with its main enemy: the United States.

Nevertheless, Putin had to reckon with the reality in 2013 that Russia could not compete with the NSA in the business of intercepting communications. And if the NSA could listen in on all the internal activities of its spy agencies and security regime, the ability of Putin to use covert means to achieve his other global ambitions would be impaired. In the Cold Peace that replaced the Cold War, Russia had little hope of realizing these ambitions unless it could weaken the NSA’s iron-tight grip on global communications intelligence.

One way to remedy the imbalance between Russian intelligence and the NSA was via espionage. Here the SVR would be the instrument and the immediate objective would be to acquire the NSA’s lists of its sources in Russia. If successful, it would be a game changer. Such an ambitious penetration of the NSA, to be sure, was a tall order for Russian intelligence. Most of the moles recruited in the NSA by the KGB had been code clerks, guards, translators, and low-level analysts. They provided documents about the NSA’s cipher-breaking, but they lacked access to these lists of the NSA’s sources and methods. These meager results did not inhibit Russian efforts.
Yet, for almost seven decades, ever since the inception of the NSA in 1952, the Russian Intelligence service had engaged in a covert war with the NSA. The Russian intelligence service is, as far as is known, the only intelligence service in the world that ever succeeded in penetrating the NSA. A number of NSA employees also defected to Moscow. The history of this venerable enterprise is instructive.

The first two defectors in the NSA’s history were William Martin and Bernon Mitchell. They were mathematicians working on the NSA’s decryption machines who went to Moscow via Cuba in 1960. The Russian intelligence service, then called the KGB, went to great lengths to publicize their defections. It even organized a 90-minute-long press conference for them on September 6, 1960 at the Hall of Journalists and invited to it all the foreign correspondents in Moscow. Before television cameras, the defectors proceeded to denounce the NSA’s activities. Martin told how the NSA breached international laws by spying on Germany, Britain and other NATO allies. Mitchell, for his part, suggested that the NSA’s practice of breaking international laws could ignite a nuclear war. Indeed, he justified their joint defection to Russia in heroic whistle-blowing terms, saying, "We would attempt to crawl to the moon if we thought it would lessen the threat of an atomic war." The NSA historian assessed little damage had been done since the NSA quickly could change the codes they compromised. He noted: “The Communist spymasters would
undoubtedly have preferred Martin and Mitchell to remain in place as moles, since their information was dated as of the moment they left NSA.”

The next NSA defector was Victor Norris Hamilton. He was a translator and analyst at the NSA. He arrived in Moscow in 1962 and, like Mitchell and Martin, he claimed the status of a whistle-blower. This time the KGB provided a newspaper platform. Writing in the Russian newspaper Izvestia, Hamilton revealed the extent of US spying on its allies in the Middle East.

None of these three 1960s defectors revealed what, if any, secret NSA documents they had compromised. Nor did any of them ever return to the United States. Martin changed his name to Vladimir Sokolodsky, married a Russian woman, and died in Mexico City on January 17, 1987. Mitchell vanished from sight and was reported to have died in St. Petersburg on November 12, 2001. Hamilton, after telling Russian authorities stories about hearing voices in his head because of an NSA device implanted in his brain, was consigned to Special Psychiatric Hospital No. 5 outside of Moscow.

There were also KGB spies in the NSA who were caught or died before they could defect. One of them was Sgt. Jack Dunlap. He was found dead of carbon monoxide poisoning in his garage on July 23, 1963. Although there was no note, his death was ruled an apparent suicide. Classified NSA documents were later discovered in his house. After that, NSA investigators unraveled his decade-long career as a KGB mole. Dunlap had been recruited by the KGB in Turkey in 1952. The standard KGB tool kit for recruitment was called MICE. It stood for Money, Ideology, Compromise and Exploitation. The KGB used the first element, money, to compromise Dunlap. After he was compromised, it exploited him by getting him to steal NSA secrets. He had access to such secrets because he became the personal driver first to Major General Garrison Coverdale, the chief of staff of the NSA.
After Coverdale retired, he next became the driver for his successor, General Thomas Wattlington. These positions afforded him a secrecy clearance and, even more important, a "no inspection" status for the commanding General’s cars that he drove. This perk allowed him to leave the base with secret documents, have them photocopied by his KGB case officer, and then return them to the files at the NSA base before anyone else knew they were missing. He also used, likely at the suggestion of the KGB case officers, his “no inspection” perk to offer other NSA employees a way of earning money. He would smuggle off the base any items of government property that they took. Once he had compromised them through thefts, he was in a position to ask them for intelligence favors. This NSA ring could not be fully investigated because of his untimely death. Other than the packets of undelivered NSA documents found in his home, the investigation was never able to assess the total extent of the KGB penetration of NSA secrets. (Angleton suspected Dunlap was murdered by the KGB, in what he termed a surreptitiously assisted death, to prevent Dunlap from talking to investigators.)

The Russian intelligence services continued recruiting mercenary spies in the NSA for the duration of the Cold War. The KGB successes included Robert Lipka, a clerk at the NSA in the
mid-1960s, who was caught in a sting operation by the FBI and sentenced to 18 years in a federal prison. Ronald Pelton, an NSA analyst, was recruited after he retired from the NSA. After he was betrayed by a KGB double agent in 1985, he was sentenced to life imprisonment. Finally, there was David Sheldon Boone, an NSA code clerk who, between 1988 and 1992, provided the KGB with NSA documents in return for $60,000. Boone, sentenced to 24 years in prison, was the last known KGB recruitment of the Cold War.

During the Cold War, Russian Intelligence Service officers operated mainly under the cover of the embassies, consulates, United Nations delegations and other diplomatic missions of the Soviet Union. As “diplomats,” they were protected from arrest by the terms of the 1961 Vienna Convention on Diplomatic Relations. Their diplomatic cover, however, greatly limited their ability to find potential recruits outside their universe of international meetings, diplomatic receptions, UN organizations, scientific conferences and cultural exchanges. They therefore tended to recruit their counterparts in adversary services.

In this regard, the successful entrapment of Harold Nicholson in the 1990s is highly instructive. From his impressive record, he seemed an unlikely candidate for recruitment. He had been a super-patriotic American who had served as a captain in Army intelligence before joining the CIA in 1980. In the CIA, he had an unblemished record as a career officer, serving as a station chief in Eastern Europe and then the deputy chief of operation in Malaysia in 1992. Even though his career was on the rise and he was a dedicated anti-Communist, he became a target for the SVR when he was assigned to the CIA’s elite Russian division. Since the job of this division was to recruit Russian officials working abroad as diplomats, engineers and military officers, its operations brought its officers in close contact with SVR officers.
Nicholson therefore was required to meet with Russian intelligence officers in Manila, Bucharest, Tokyo and Bangkok and “dangle” himself to the SVR by pretending disloyalty to the CIA. As part of these deception operations, he supplied the Russians with tidbits of CIA secrets, or “chickenfeed,” that had been approved by his superiors at the CIA. What his CIA superiors did not fully take into account in this spy versus spy game was the SVR’s ability to manipulate, compromise, and convert a “dangle” to its own ends. As it turned out, Russian intelligence had been assembling a psychological profile on Nicholson since the late 1980s, and found a vulnerability: his resentment at the failure of his superiors to recognize his achievements in intelligence. It played on this vulnerability to compromise him and then converted him into its mole inside the CIA. He worked for the SVR first in Asia, then at the CIA headquarters at Langley, where he was given a management position. Among other secret documents, he provided the SVR with the identities of CIA officers sent to the CIA’s special training school at Fort Peary, Virginia, which opened up the door for the SVR to make other potential recruitments. Meanwhile, it paid him $300,000 before he was finally arrested by the FBI in November 1996. (After his conviction for espionage, he was sentenced to 23 years in Federal prison.) The CIA post mortem on Nicholson, who was the highest-ranking CIA officer ever recruited (as far as is known), made clear that even a loyal American, with no intention of betraying the United States, could be entrapped in the spy game.
When it comes to recruiting moles in a larger universe, intelligence services operate much like highly-specialized corporate “headhunters,” as James Jesus Angleton described the process to me during the Cold War era. He was referring to the similarity between the approach of corporate human resource divisions and that of espionage agencies. Both “head hunt” by searching through a database of possible candidates for possible recruits to fill specific positions. Both types of organization have at their disposal researchers to draw up rosters of potential recruits. Both sort through available databases to determine which of the names on the list have attributes that might qualify, or disqualify, them for a recruitment pitch. Both also collect personal data on each qualified candidate, including any indication of their ideological leaning, political affiliations, financial standing, ambitions, and vanities, to help them make a tempting offer.

But there are two important differences. First, unlike their counterparts in the private sector, espionage headhunters ask their candidates not only to take on a new job with them but to keep their employment secret from their present employer. Second, they ask them to surreptitiously steal documents from that employer. Since they are asking candidates to break the law, espionage services, unlike their corporate counterparts in headhunting, obviously need to initially hide from the candidate the dangerous nature of the work they will do. Depending on the preferences of the targeted recruit, they might disguise the task as a heroic act, such as righting an injustice, exposing an illegal government activity, countering a regime of tyranny, or some other noble purpose. This disguise is called in the parlance of the trade a “false flag.” By using such a false flag, the SVR did not need to find candidates who were sympathetic to Russia, or the Putin regime.
In its long history dating back to the era of the Czars, Russian intelligence had perfected the technique of false flag recruitment through which it assumes an identity to fit the ideological bent of a potential recruit. Russian intelligence was well-experienced with false flags. It first used this technique following the Bolshevik revolution in 1918 to control dissidents both at home and abroad. The centerpiece, as later analyzed by the CIA, was known as the “Trust” deception.

It began in August 1921 when a high-ranking official of the Communist regime in Russia named Aleksandr Yakushev slipped away from a Soviet trade delegation in Estonia and sought out a leading anti-Communist exile he had known before the revolution in Russia. He then told him that he represented a group of disillusioned officials in Russia that included key members of the secret police, army, and interior ministry. Yakushev said that they all had come to the same conclusion: the Communist experiment in Russia had totally failed and needed to be replaced. To effect this regime change, they had formed an underground organization code-named the “Trust” because the cover for their conspiratorial activities was the Moscow headquarters of the Municipal Credit Association, which was a trust company. According to Yakushev’s account, it had become by 1921 the equivalent of a de facto government. The exile leader in Estonia reported this astonishing news to British intelligence which, along with French and American intelligence, helped fund this newly-emerged anti-Communist group.

Initially British intelligence had doubts about the bona fides of the Trust. So did other Western intelligence services sponsoring exile groups. But they gradually accepted it after they received
intelligence reports confirming its operations from many other sources, including Russian officials, diplomats, and military officers who claimed to have defected from the Soviet government in Moscow. Since these reports all dovetailed, they recognized the Trust as a real underground organization.

Once the Trust had been established in the minds of the Western intelligence services, it offered them as well as exile groups the services of its network of collaborators. These services included smuggling out dissidents, stealing secret documents, and disbursing money inside Russia to sympathizers. Within a year, exile groups in Paris, Berlin, Vienna, and Helsinki were using the “Trust” to deliver arms and supplies to their partisans inside Russia. The Trust also furnished spies and exile leaders with fake passports which allowed them to sneak back into Russia to participate in clandestine missions. It even undertook sabotage and assassination missions paid for by Western intelligence services. As they saw with their own eyes police stations blown up and political prisoners escape from prisons, these agents and dissidents came to further believe in the power of the Trust. By the mid-1920s, no fewer than eleven Western intelligence services had become almost completely dependent on the Trust for information about Russia. They also sent millions of dollars into Russia via couriers to finance its activities.

But suddenly exile leaders working in Russia under the aegis of the Trust began to vanish. Then top Western intelligence agents, such as Sydney Reilly and Boris Savinkov, were arrested, and their networks were eliminated. Instead of the Communist regime collapsing, as the Trust had predicted, it consolidated its power and wiped out all the dissident groups. Finally, in 1929, the Trust was revealed by a defector to be a long-term false flag operation run by the Russian intelligence service.
Even the Trust building, rather than being the cover for a subversive conspiracy, was the headquarters for the Russian secret police during this seven-year operation. The secret police had provided the documents fed to Western intelligence, briefed the agents who pretended to defect, published the dissident newspapers the Trust distributed, fabricated the passports it supplied exiles, blew up Russian buildings and staged jail breaks to make the deception more credible. It also collected the money sent in by Western intelligence services, which more than paid for the entire deception. Since it was running the show, it could offer those lured into the trap an opportunity to work for it as double-agents. The alternative, if they refused, was to face a firing squad.

Even after the “Trust” itself had been fully exposed, the Russian Intelligence Service continued to succeed with other false-flag deceptions. During the Cold War, for example, it set up a fake underground in Poland modeled on the Trust. It was called WIN. It also set up other false flag groups in Ukraine, Georgia, Lithuania, Albania, and Hungary. It also had agents masquerade as members of the security services of Israel, South Africa, Germany, France and the US to recruit unwitting agents. These deceptions became an integral part of the recruitments of the Russian intelligence services.
Penetrating the NSA and getting access to files from its stove-piped computers was a far more difficult challenge for the SVR. Approaching CIA officers, such as Nicholson, was relatively easy because it was part of the CIA officer’s job to meet with their adversaries. NSA officers, on the other hand, did not engage in “dangles” or even attend diplomatic receptions. They had no reason, other than a sinister one, to meet with a member of the Russian intelligence service. Furthermore, unlike CIA officers who, like Nicholson, are often posted in neutral countries where they can be approached in a social context, NSA officers worked at well-guarded regional bases and were not part of the diplomatic life. Since a known employee of a foreign diplomatic mission could not even approach an NSA officer without arousing suspicion, the SVR would need to use an intermediary, called an “access agent,” whose affiliations with it were not known to the FBI. Such an operation would require establishing a network of illegals in America, as the SVR did after Putin became President. Even then, the intermediary would have to find a plausible pretext to approach the target without revealing his actual interest.

The emergence of computer networks in the 1990s greatly expanded the SVR’s recruiting horizon. It offered an opportunity to penetrate a new layer of NSA employees: civilian technologists working under contract for the US government. Many of these civilians at the NSA, especially the younger ones, had been drawn from the hacking and game-playing culture. Some had even taken courses abroad on hacking techniques. They presented the SVR with inviting targets for recruitment. As was previously mentioned, Russian intelligence had considerable experience in Germany with hacktivists who tended to be anarchists. There were also supporters of the Libertarian movement.
The common denominator was often their resentment, expressed in their postings, of the United States and its allies attempting to limit the downloading of copyrighted music, movies and software on the Internet, all of which went under the rubric of “freedom of the Internet.” They also vocally objected to the NSA using built-in backdoors in their software to read their encrypted messages. They were not difficult to find on the Internet. The donors to Ron Paul’s Libertarian election campaign (including Snowden) were a matter of public record, for example.

Even if there was no shortage of hacktivists who believed the surveillance of the Internet by the NSA was an evil worth fighting, the SVR still had to find a plausible way of approaching members of this counterculture without offending them. Clearly, the SVR could no longer use out-of-date Communist and anti-capitalist ideology as a lure. Russia was far more authoritarian than the U.S. when it came to the Internet. One viable alternative for the SVR was custom-tailoring false flags to appeal to hacktivists. For this purpose the Internet provided a near perfect realm for false flags. Since it is a place where true identities cannot easily be verified, intelligence services could employ a protean kit of disguises to assume false identities to entice potential dissidents into communicating with them.

The KGB’s earlier efforts to use hacktivist groups in Germany had produced little, if any, intelligence because of the “stove-piping” the NSA used to isolate its computers from networks
that could be hacked into from the outside. It will be recalled that the NSA threat officer had cited these failures in his 1996 report on NSA vulnerability. He also said that efforts of the Russian Intelligence Services to use false flag recruitments provided the KGB with “a learning experience.” The KGB had learned that hacking by itself could not breach the NSA’s protective stove-piping. He predicted that its next logical move would be to “target insider computer personnel.” These false flag recruitments would aim at, in his view, system administrators, computer engineers and cyber service workers who were either already inside the NSA or who had a secrecy clearance that would facilitate getting jobs with NSA contractors.

Even with an appropriate false flag, the task of finding such a “Prometheus” was daunting. There were some five thousand civilian technicians at the NSA of all political stripes. Finding the one who met its espionage requisites was the equivalent of seeking the sharpest needle in the proverbial giant haystack. For espionage purposes, however, recruiters did not have to find the sharpest needle, or any particular one; they just needed to find any needle in a position to cooperate. They could hone a willing recruit over time to do the job at hand.

The size of the haystack could also be reduced to more manageable proportions by hacking into the personnel records of the intelligence workers seeking to renew their security clearance. The Internet provided the SVR with just this opportunity. As discussed in the previous chapter, holes in the security of the computer networks of the US Office of Personnel Management, USIS and the websites of the companies supplying the NSA with independent contractors had made the background checks on American intelligence workers available to the Chinese and presumably other adversary intelligence service hackers since 2011.
If the SVR had access to this personnel data, the research for a candidate would be greatly facilitated. From the 127-page standard form 86 each applicant for a security clearance submits, the SVR could filter out intelligence workers employed by the NSA by their educational background, employment history, affiliations and foreign contacts. It could then search this data for candidates with a possible hacktivist profile. This data could next be crossed with a list of individuals in contact with high-profile activists who are part of the anti-surveillance movements. This would include core participants in the TOR project, Wikileaks, Noisebridge, Crypto Parties, the Freedom of the Press Foundation and the Electronic Freedom Foundation. (Snowden, for example, had been in touch with members of all these groups in 2012 and 2013.)

The SVR would have little problem monitoring even encrypted communications with leading figures in the anti-surveillance world. These activists, despite secrecy rituals such as putting their cell phones in refrigerators, remain visible to a sophisticated intelligence service such as the SVR. Consider, for example, the defensive tactics of Laura Poitras, including PGP encryption, TOR software, and air-gapped computers, which are computers that have never been connected to the Internet. She also famously changes her tables at restaurants to evade surveillance. With all these precautions, she did not keep secrets about her sources entirely to herself. Snowden, at a
time when he was stealing NSA secrets in February 2013, went to great lengths to impress on Poitras the need for operational security about his contacts with her, but that injunction did not prevent her from telling at least five people about her source, including Micah Lee, the Berkeley-based technology operative for the Freedom of the Press Foundation; Jacob Appelbaum, the TOR proselytizer; Ben Wizner, the ACLU lawyer; Barton Gellman; and Glenn Greenwald. “It is not me that can’t keep a secret,” Abraham Lincoln joked. “It’s the people I tell it that can’t.” In the same vein, Poitras could hardly rely on these five confidants not to tell her (and Snowden’s) secret to others. Hours after he was told, Greenwald told his lover David Miranda about the source in great detail. He even asked him to evaluate the source’s bona fides for him. Gellman, for his part, raised the matter with a former high official at the Justice Department.

Moreover, as the intelligence world knew, Poitras was herself a veritable lightning rod for attracting ex-NSA employees who objected to some of its surveillance programs. In 2012, her filming of NSA insiders, including Binney and Drake, would make her communications of interest to any intelligence services that wanted to keep tabs on possible NSA dissidents.

Nor was Snowden himself overly discreet. It will be recalled that he had also advertised his TOR-sponsored crypto party activities over the Internet, and supplied Runa Sandvik, who worked with Appelbaum, his true name and address in Hawaii. Sandvik had no reason not to share the identity of her co-presenter with others in the TOR movement. Snowden also had his girlfriend make a video of his presentation, as will be recalled. He also bragged about operating the largest TOR outlets in Hawaii. Even if his TOR software provided him a measure of anonymity, it was not beyond the ability of the world-class cyber services to crack it.
Under Putin, Russia had built one of the leading cyber espionage services in the world. According to a 2009 NSA analysis of Russian capabilities, which was obtained by the New York Times in 2013, Russia’s highly-sophisticated tools for cyber-espionage were superior to those of China or any other adversary nation. For example, investigators from FireEye, a well-regarded Silicon Valley security firm, found that in 2007, Russian hackers had developed a highly sophisticated virus that could bypass the security measures of the servers of both the US government and its private contractors. According to one computer security expert, the virus had made protected Internet websites “sitting ducks” for these sophisticated Russian hackers. The cryptographer Bruce Schneier, a leading specialist in computer security, explained, “It is next to impossible to maintain privacy and anonymity against a well-funded government adversary.”

Nor has the Russian cyber service made a secret out of the fact that it targets TOR software. It even offered a cash prize to anyone in the hacking community who could break TOR. Prior to 2013, according to cyber security experts, it spent over a decade building cyber tools aimed at unraveling the TOR networks used by hacktivists, criminal enterprises, political dissidents and rival intelligence operatives. To this end, it reportedly attempted to map out computers that served as major TOR exit nodes (such as the one Snowden operated in 2012 near an NSA regional base in Hawaii). It also reportedly attached the equivalent of “electronic ink” to
messages which would allow it to trace the path of messages that passed through them. Through this technology, it could tag and follow TOR users as their communications travelled across the Internet. It could even borrow their Internet identities.

To be sure, the NSA also had such a capability. The Silk Road founder Ross Ulbricht discovered to his distress that his TOR software did not make his computer server in Iceland invisible. According to a former top official in the Justice Department, the NSA was able to locate it by cracking the TOR software. (Ulbricht is currently serving a life prison sentence for his Silk Road activities.) Unlike adversary services, however, the NSA needs a warrant to investigate US citizens who use TOR.

Even the NSA is not immune from an attack on its own computers. CIA deputy director Morell, who served on the committee evaluating the NSA’s vulnerability in the Snowden affair after retiring from the CIA in 2013, wrote in his 2015 book “The Great War of our Times,” that many financial institutions have “better cyber security than the NSA.” If nothing else, the Internet helped make the activities of US intelligence workers visible to the SVR.

Even if the SVR theoretically had opportunities, it still had to find at least one disgruntled civilian contractor inside the NSA who had access to the sealed-off computer networks. Did it find its man? If so, was it before or after Snowden arrived in Hong Kong with the Level 3 NSA files?
CHAPTER TWENTY-TWO
The Chinese Puzzle

“The first [false assumption] is that China is an enemy of the United States. It's not.” --Edward Snowden in Hong Kong

On August 11, 2014, in the Atlantic Ocean, an event took place of enormous concern to U.S. intelligence. A Chinese Jin Class submarine launched an intercontinental ballistic missile. The missile released 12 independently-targeted re-entry vehicles, each simulating a nuclear warhead. Some 4400 miles away, in China’s test range in the Xinjiang desert, each of the 12 simulated nuclear warheads then hit its target within a 12 inch radius. The test firing, which was closely monitored by the NSA, was a strategic game changer. It meant that a single Jin Class submarine, which carried 12 such missiles and 144 nuclear warheads, could destroy every city of strategic importance in the United States. U.S. intelligence further reported that China would soon fully stealth its newer submarines against detection, “giving China its first credible sea-based nuclear deterrent” against an American attack. By 2015, as its test in the Atlantic had foreshadowed, China had armed its land-based as well as sea-based missiles with multiple independently targeted warheads. Combined with the state-of-the-art technology it had licensed from Russia, its systematic use of espionage made it possible for China to even build its own stealth fighters. Unlike the U.S., China did not achieve this remarkable capability to launch independently-targeted miniaturized nuclear weapons and stealth them by investing hundreds of billions of dollars in developing them. It obtained this technology mainly through espionage. The history of this enterprise, though unsung, is stunning. The Chinese intelligence service stole a large part, if not all, of America’s secret technology for weaponizing nuclear bombs during the 1980s and 1990s.
The theft was so massive that in 1998 the House of Representatives of the US Congress set up a special bipartisan investigative unit called the “Select Committee on National Security and Military and Commercial Concerns with the People's Republic of China.” Based on the intelligence amassed by the NSA, CIA and other intelligence services, it concluded in its report that the Chinese intelligence service had obtained, by both electronic and conventional spying, the warhead design of America’s seven most advanced thermonuclear weapons. Moreover, it found that China’s espionage successes allowed China to so accelerate the design, development and testing of its own nuclear weapons that the new generation of Chinese weapons would be “comparable in effectiveness to the weapons used by the United States.” Further, it found that these thefts of nuclear secrets had not been isolated or opportunistic incidents. The Committee reported to Congress that they were the “results of decades of intelligence operations against U.S.
weapons laboratories.” The Chinese intelligence service further obtained from private US defense contractors through cyber espionage important elements of the stealth technology used in both advanced planes and submarines. China shared (or exchanged) the fruits of its espionage on nuclear warhead design with North Korea, Pakistan, Iran and Russia. Despite its formidable intelligence coups in the US, the Chinese intelligence service managed to remain among the most elusive of America’s intelligence adversaries. Its espionage organizations are hidden behind layers of bureaucracy in the Ministry of State Security, Chinese Communist party structures, and the second, third and fourth departments of the General Staff of the People’s Liberation Army. Many of its cyber espionage units are concealed on the campuses of its universities. Its hierarchy, or order of battle, is also obscure. Few traces have been uncovered of any conventional espionage networks in the United States and no major Chinese spy has ever been arrested. Part of the reason that Chinese espionage has proved so elusive to the eyes of western counter-intelligence was that, unlike Russia, it did not ordinarily rely on intelligence officers in its embassies to recruit penetration agents to steal secrets. It did not even have an embassy in the United States during most of the Cold War. Instead, its services specialize in assembling mosaics of intelligence from a wide variety of sources including non-classified documents, returning graduate students, scientific conferences, exchanges with allies, and a vast operation of hacking into computers, or cyber-espionage. Cyber-espionage is indeed a vast enterprise in China. Graduating over 150,000 computer science engineers, it had no shortage of personnel.
It also had developed the cyber tool kit to gain access to the computer networks of US government contractors and consultants in the private sector and government agencies, planting “sleeper” bugs in networked computers. Like human “sleeper” agents, these hidden programs can be activated when needed for operational purposes. Chinese controllers can retrieve emails and documents and turn on the cameras and microphones of personal computers, tablets and smart phones. By 2007, Paul Strassmann, a top US defense expert on cyber-espionage, reported that China had inserted “zombie” programs in some 700,000 computers in the US which could be used to mount cyber attacks to retrieve emails from other computers. The Chinese service also reportedly penetrated companies that provide Internet services, including Google, Yahoo, Symantec, and Adobe, which allowed it to track emails and enclosures of individuals. With such an invisible army of zombie computers, it is not entirely surprising that China finds little need to employ human “sleeper” agents. Chinese cyber-specialists used this capability to hack into computers of outside contractors, including Booz Allen and other companies that supplied technologists to the NSA. It also had notable successes in obtaining the dossiers of US employees and independent contractors at the NSA, CIA and other intelligence services. Its intrusions, as previously noted, into the computer network at the Office of Personnel Management traced back to 2009. Eventually, by 2015, according to US estimates, the cyber attack had harvested over twenty million personnel files of past and present Federal government employees. In addition, it reaped over 14 million background checks of intelligence workers done by the Federal Investigative Service. All the intelligence workers with an SCI clearance, such as Snowden, were required to provide in these
forms information about all their foreign acquaintances, including any non-U.S. officials that the applicant knew or had relationships with in the past. They also had to list their foreign travel, family members, police encounters, mental health, and credit history. For good measure, Chinese hackers obtained the confidential medical histories of government employees by hacking into the computers of Anthem and other giant health care companies. If the Chinese intelligence services consolidated the fruits of these hacking attacks, it would have a searchable database of almost everyone working in the American defense and intelligence complex. From this database, it could track individuals with high security clearances vulnerable to being bribed, blackmailed or tricked into cooperating. No one doubted that the Chinese would use their cyber capabilities to take advantage of weaknesses in foreign computer systems. General Hayden said of the massive theft of intelligence personnel records: “those records are a legitimate foreign intelligence target.” He added, “If I, as director of the NSA or CIA would have had the opportunity to grab the equivalent in the Chinese system, I would not have thought twice.” If that opportunity did not arise for the NSA or CIA during Hayden’s tenure, it may have been because no insider in the Chinese intelligence services provided US intelligence with a road map to it. Cyber espionage was not the Chinese Intelligence Service’s only powerful resource in the intelligence war. To get both electronic intelligence and human intelligence about the United States, China also had a highly-productive intelligence sharing treaty with Russia. It was signed in 1992 after the Soviet Union was dissolved.
Although the terms of this exchange remain secret, defectors from the Russian KGB and SVR reported that Chinese intelligence received from Russia a continuous stream of communication intelligence about the US in the late twentieth and early twenty-first centuries. Russia’s intelligence resources during this period were formidable. They included geo-synchronous satellites, listening stations in Cuba, sleeper agents and embassy-based spy networks. Presumably, this relationship further deepened under President Putin’s regime. Putin asserted in his speeches in 2014 that Russia and China continue to share a key strategic objective: countering the United States’ domination of international relations, or what Putin terms “a unipolar world order.” China’s President Xi Jinping expressed a very similar view, saying in 2014, in a thinly-veiled reference to the United States, that any American attempt to “monopolize” international affairs will not succeed. Since the end of the Cold War, Russia has been the major supplier of almost all of China’s modern weaponry. It licenses for manufacture in China avionics, air defense systems, missile launchers, stealth technology, and submarine warfare equipment. To make these arms effective, it also provides China with up-to-date intelligence about the ability of the United States and its allies to counter them. While such intelligence cooperation may be limited by the reality that China and Russia still compete in some areas, there is no reason to assume that they do not share the fruits of their cyber and conventional espionage against the NSA. After all, the NSA works to intercept the military and political secrets of both these allies. Moreover, NSA secrets might are a form of currency in the global intelligence war.
Snowden’s trip to Hong Kong in May 2013 made the Chinese intelligence service, willy-nilly, a potential player in the game. Hong Kong is a part of China, even if independently administered, and, as such, China has full responsibility for its national security and foreign affairs. This mandate includes monitoring foreign intelligence operatives. The Chinese intelligence service accordingly runs much of the local intelligence apparatus in Hong Kong. For this purpose, it maintains its largest intelligence base outside of mainland China in Hong Kong. Its officers are stationed officially in the Prince of Wales skyscraper in central Hong Kong and unofficially maintain informers in Hong Kong’s police, governing authority, airport administration and at other levers of power in Hong Kong. It checks the computerized visitors entering Hong Kong, and has the capability to ferret out names that match those in the immense database its global cyber espionage has amassed. When it detects the entry of any person of possible intelligence interest, it has the opportunity of using its sophisticated array of cyber tools to remotely steal data from those individuals. Such remote surveillance was so effective in 2013 that the US State Department had instructed all its personnel in Hong Kong to avoid using their iPhones, Androids, BlackBerries and smart phones when travelling to Hong Kong or China. Instead, it has supplied them with specially-altered phones that disable location tracking and have a remotely-activated switch to completely cut off power to their circuitry. No one in the intelligence community doubts the prudence of taking such precautions in the realm of China.
Once Hong Kong had served as a window into China for Western intelligence, but in the first decade of the 21st century, the Chinese intelligence service had achieved such a pervasive presence in Hong Kong, and such ubiquitous electronic coverage of diplomats and other foreigners even suspected of involvement in foreign intelligence work, that the CIA and British intelligence found it almost as difficult to operate in Hong Kong as in mainland China. The CIA as well as the DIA kept a few officers there, but, as a former CIA station chief told me in September 2013, for the purposes of intelligence operations, the CIA “regards Hong Kong as hostile territory.” Snowden apparently knew the limits of CIA operations in Hong Kong. It indeed provided him with an envelope of protection. He told Greenwald, as will be recalled, that he was counting on the Chinese presence in Hong Kong to deter the CIA from intruding on their meetings. Snowden also must have realized that he was entering the Chinese sphere of influence when he flew to Hong Kong in May 2013. Yet, he took with him level 3 NSA secrets which he could assume would be of great interest to China. In fact, he advertised this fact in his interview with the South China Post, a newspaper controlled in 2013 by mainland China. Whatever he may have assumed about the inability of the CIA to stop him in Hong Kong, he had no reason to assume that the Chinese intelligence service would relegate itself to a purely passive role, especially when secret NSA documents were in a hotel room in Hong Kong. Snowden may have esteemed himself to be an independent actor playing Prometheus on a global stage provided by YouTube, but the Chinese may have viewed him as nothing more than another pawn in the Game of Nations.
CHAPTER TWENTY-THREE
The Pawn in the Game

“The whole key is, the state department’s the one who put me in Russia.” --Edward Snowden in Moscow, 2014

When Snowden arrived in Hong Kong on May 20, 2013, he became a person of interest to any parties who knew, or later learned, about his coup. How could they not be interested in this intelligence defector? He had brought with him enough US government secrets to, as he put it, make NSA “sources go dark that were previously productive.” Snowden also fully realized the lethal situation that his possession of NSA documents put him in. He was, after his arrival in Hong Kong, as he put it, the NSA’s “single point” of a potential catastrophic intelligence failure. He also stated the consequences if caught, telling Poitras: “The US Intel community will certainly kill you if they think you are the single point of failure.” The reason that Snowden considered himself of such importance to be the “single point of failure” was the payload of secrets he was carrying. He possessed thumb drives full of files so critical to the NSA that in the wrong hands they could cause, in his view, many of the key sources of the entire US communication intelligence service to “go dark.” Not only was he carrying these files, but he had willingly brought them inside the territory of China, a place in which America’s main adversaries, China and Russia, could operate freely. Whoever he sought to deal with in Hong Kong, or whatever idealistic axe he intended to grind there, he could not expect that his position as a “single point of failure”—a position he advertised in his email correspondence—would not attract the attention of other players in the game of nations. The enormous power of the NSA rested on a frail thread: its ability to keep secret from its foes its sources and methods. General Alexander could call the NSA’s communication intelligence “the queen on the chessboard,” but, like the queen in a chess game, it could be captured by a well-placed pawn.
In this case, the pawn, which had it in his power to expose the NSA’s critical sources and methods, would also be considered fair game for capture by an adversary. And both the Chinese and Russian cyber services, whether working alone or together, had the technological means in China to tap into Snowden’s computer. They also had an interest in learning how the NSA was listening in on their secret communications. If any further incentive was needed, an intelligence service could barter them to other countries whose signals were also intercepted by the NSA. Michael Morell, the CIA’s Deputy Director at the time, said in his book “The Great War of Our Times” that just a few selected parts of Snowden’s cache could be traded to the intelligence services of Iran and North Korea. Snowden, realizing that he now represented that weak link in the architecture of America’s intelligence system, made a move from the U.S. that greatly increased the stakes. He entered what he knew to be hostile intelligence territory with his stash of stolen secrets. He did so, as he explained to Greenwald in Hong Kong, to reduce the possibility of an American countermove against him or his associates in the media. But while succeeding in limiting the reach of the CIA, FBI, NSA and their allies, he willy-nilly put himself under the protection of America’s adversary, the Chinese security services. In light of the counterintelligence training he had received at the CIA, he could not be unaware that his move into Chinese-controlled territory would not prevent
adversary services, which also had the home court advantage, from stepping in. He also gave adversaries an ample, if not wholly irresistible, reason to enter the game by saying that he had access to NSA’s sources in China. How could they resist such a prize? As confident as Snowden may have been that he was in control, the CIA believed that confidence was misinformed. CIA Deputy Director Morell said, after reviewing the case on a panel appointed by President Obama: “Snowden thinks he is smart, but he was never in a position in his previous jobs to fully understand the immense capabilities of our Russian and Chinese counterparts.” He could adopt a self-confident tone in his post-mortem conversations with journalists in Moscow, but he had no means to block the efforts of the Chinese or Russian services in Hong Kong. These intelligence services had no restrictions on their actions. For example, the Chinese intelligence service could have spotted him on his arrival in Hong Kong simply by cross-checking its aforementioned database of US intelligence workers who had applied for a renewed security clearance in the past three years. It could have pinpointed his whereabouts through its informant network in the Hong Kong Police and the security staffs of hotels. Snowden’s mysterious “carer” would not be immune from detection by that network. Russia, China’s longtime intelligence ally, would not even need to go to such lengths since, as Putin gloatingly confirmed, he contacted its diplomats in Hong Kong. The Russian intelligence service would then swing into action while Russian “diplomats” entered into talks with him. The Russians would also glean from Snowden’s request for asylum that Hong Kong was only a temporary stopover for him. “The purpose of my [Hong Kong] mission was to get the information to journalists,” he would tell the Guardian after he was safely ensconced in Moscow. After that brief mission, he was “done” in Hong Kong.
Wherever he planned to go next, mainland China was only a taxi ride away and there was a direct flight to Moscow. Snowden does not say how many days he planned to be in Hong Kong, but he indicated that he was working under a tight clock. The time pressure resulted in him emailing Gellman at the Washington Post an ultimatum on May 24, 2013: either Gellman publish the selected documents in the Washington Post within 72 hours or he would lose the exclusive scoop. He wanted the story to break on May 27, 2013 without his true identity (which Gellman did not know). His identity would be known to a foreign mission in Hong Kong if Gellman acceded to his demands, since, as previously mentioned, Gellman’s story would enclose an encoded signal he planned to use as proof of his bona fides. So even before the Guardian reporters had agreed to come to Hong Kong, he had plans to deal with a foreign mission. But he planned to keep his name out of it. Instead, he insisted Gellman include a coded signal in it. When the Washington Post turned down his ultimatum, he needed a different plan. Time was running out if he was to break the story and leave Hong Kong before the NSA realized he was missing. At best, he was safe until June 3rd. That was when he was supposed to return from his two-week medical leave for getting treatment for epilepsy. But if he failed to show up in Hawaii on June 3, alarm bells at the NSA would go off. It would not take long to find him. Airline records would show that he had flown to Hong Kong. The NSA security staff would ask questions, as Snowden explained from Moscow: “This guy isn’t where he says he’s supposed to be. He’s supposed to be getting medical treatment. Why the hell is he in Hong Kong?” It would then determine he had lied about his medical treatment, and it would immediately go after him with the full power of the U.S. government.
The day after his attempt to pressure the Washington Post, he asked Greenwald to drop everything he was doing and immediately fly to Hong Kong. He had, it will be recalled, already sent Poitras an enciphered file, and told her she would get the key once she and Greenwald followed his instructions. Presumably, he wanted Greenwald’s story and the video done in Hong Kong before he became a suspect. If they had immediately flown to Hong Kong that May, it still might have left Snowden an escape window. As Snowden found out, when dealing with journalists, things do not always go as planned. Greenwald, although agreeing to come to Hong Kong, waited in New York for two days while the Guardian editors completed their due diligence. Poitras waited with him. As a result of this delay, Snowden’s clock ran out. Greenwald and Poitras did not arrive at his hotel in Hong Kong until June 3rd. It would be only hours before he became a prime suspect. “It was a nervous period,” Snowden recalled. Although he bravely told the Guardian “there was no risk of compromise,” that claim was, at best, wishful thinking on his part. By this time, he was no longer invisible. Not only had he registered at the hotel under his true name and provided his credit card, but he was in contact with three high-profile journalists, two well-known hacktivists and, as he suggested to Gellman, a foreign diplomatic mission. Even if Snowden had failed to persuade the Washington Post to publish a coded identifier, the mission’s interest would likely be piqued when the newspaper published its first story on June 5th. Even if adversary intelligence services had missed Snowden and his archive of NSA documents earlier in May, they would not neglect the availability of such a prize after the NSA stories broke in the Guardian and Washington Post on June 5th.
Greenwald even went on TV in Hong Kong, revealing to every interested intelligence service, in the unlikely event that they did not already know, that a defector from the NSA was in Hong Kong. Now there was no point in keeping his identity a secret. On June 9th Poitras released the famous video showing Snowden a secret NSA documents. At this point, Snowden shone so brightly as a beacon that every player in the intelligence game would realize that Snowden was a pawn to be captured. Snowden still was able to fog over his travel plans, at least in the media, by telling reporters that he intended to remain in Hong Kong and fight extradition in court, but certainly the Russian officials whom he contacted knew he had other plans. They had even relayed his request to go to Russia to Putin. His movements were also no secret to sophisticated intelligence services. In an era in Hong Kong in which cell phones emit their GPS location every 3 seconds and CCTV cameras scan many street intersections, it is not easy to conceal one’s whereabouts. In Snowden’s case, his photograph was constantly on television, posters and giant billboards. Even if he threw away his own phone, his retinue of lawyers and helpers could be tracked with ease. China, whose President, Xi Jinping, was meeting President Obama for the first time in Rancho Mirage, California on June 9th, would have certainly been keenly interested in the unfolding Snowden affair. After all, Obama had publicly put on his agenda that week calling Xi to task for Chinese cyber espionage. Such a charge was undermined by Snowden’s globally-publicized accusation that the United States was engaged in massive cyber espionage. In any event, as US intelligence verified, China had, almost immediately after the release of the video, instituted a full court press of Snowden in Hong Kong. Its security apparatus presumably had the means to monitor his room as well as those of Poitras and Greenwald.
From that moment on, it is not likely that any communication or movement Snowden made during his next 18 days in Hong Kong would escape its scrutiny.
The U.S. also had the ability to track Snowden’s movements via the cell phones of his lawyers and other confederates after he surfaced. This tracking could all be done by the NSA. What the U.S. lacked was any practical means to capture a high-profile intelligence defector in a city that was part of China. By this time, US intelligence had established that Chinese and Hong Kong security services were monitoring Snowden’s every move. This left few options in the game for the U.S. “I’m not going to be scrambling jets to get a 29-year-old hacker,” President Obama said on June 27, 2013. The real prize, in any case, was not Snowden himself but the NSA’s secret documents that he had with him in Hong Kong. When Snowden was observed entering the Russian consulate, the game was all but over. US diplomats could protest over back channels to Moscow, as they did, but, with a trove of NSA secrets at stake, there was little expectation that they would stop the Russians. Two days later, the “single point of failure,” as Snowden described himself, was on his way to Russia, where he would be subject to Moscow’s rules. When a victory is obtained in a major sports event, such as the World Cup, it is celebrated with victory dances, parties and ticker-tape parades. The opposite is true in the Game of Nations. An intelligence victory involving secret documents, even if it cannot be entirely hidden, is kept veiled, as far as is possible, to increase the value of the coup. “The final move in any sophisticated intelligence game,” Angleton told me in relation to an espionage intelligence coup, is “obscuring a success.” Following Angleton’s precept, the Russian or Chinese intelligence services, if they had a role in acquiring the product of the self-described “single point of failure,” would work to cover their tracks in the affair even before the Aeroflot plane carrying Snowden touched down at Sheremetyevo International Airport on June 23, 2013.
If any false flag operations had been used to trick, mislead, or otherwise induce Snowden to come to Hong Kong, they would be disbanded. If any safe houses had been used to quarter Snowden in his first 11 days in Hong Kong, they would be shut down. If any operatives had been used in Hawaii to guide or assist Snowden, they would be put back into the sleep mode. If any tell-tale traces had been left in chat rooms or social media, they would be systematically deleted. Even more important to the ultimate success of such a communications intelligence coup, measures would be taken to conceal the extent of the damage done by the “single point of failure” by not precipitously closing down compromised sources. Snowden might believe that the power of the information he held was so great that, if disclosed by him, all the NSA’s sources would immediately go dark in Russia and China, but Russia might not wish to provide such clarity to its adversaries. An intelligence service need not close down channels it discovers are compromised by an adversary. Instead it can elect to continue to use them and furnish through them bits of sensitive information to advance its own national interest. The real danger here was not that the NSA’s “lights” would dramatically be extinguished but that all the future messages illuminated by those lights would be less reliable sources of intelligence. The Game of Nations is, after all, merely a competition among adversaries to gain advantages by the surreptitious exchange of both twisted and straight information. When the NSA asserted in the summer of 2013 that over one million documents, it was recognizing the most massive failure in its 60-year history. Not only NSA secrets, but secret files from the CIA, the British GCHQ, and America’s cyber military commands, had been compromised. It was, as Sir David Omand, the head of the British GCHQ, described it, a "huge, strategic setback" for the West.
The genie could not be put back in the bottle as there is not a
reset button in this game. The best that the NSA could do now was damage control while its adversaries took full advantage of the setback. Several hundred US and British intelligence officers worked around the clock in Washington DC, Fort Meade, Maryland and Cheltenham, England for months on end to determine which parts could still be salvaged from what had been until the Snowden breach the most powerful communications intelligence system in the world. Adding insult to injury, Snowden, speaking from his new perch in Moscow, told an applauding audience that the entire purpose of the U.S. exercise, including deliberately “trapping” him in Moscow, was to “demonize” him. For Russia, it was a textbook move. By providing Snowden with this platform to rail against the surveillance practices of his adversaries, Putin laid claim to the moral high ground in the Game of Nations. What remains missing from this picture is Snowden's motive in requesting documents from other foreign intelligence services, such as the GCHQ, and copying lists of NSA sources. It is difficult to believe that his motive was conventional whistle-blowing since these documents were not among those he gave to journalists in Hong Kong. It will be recalled that his legal representative in Moscow, Anatoly Kucherena, said that he had taken to Russia, and had access to, NSA documents that he had not given to journalists. He had gone to the effort in his final weeks at the NSA to take documents that any adversary service would prize. Copying them was, as we have seen, part of his well-calculated plan. Did he use them, as he used the documents he gave to Poitras, Greenwald and Gellman, as leverage in his transformation? The role that Moscow may have played in Snowden’s remarkable defection, while less visible than that of the moviemakers, journalists and activists, cannot be ignored in this puzzle.
Since it requires a closer examination of the machinations that brought Snowden to Russia, I made arrangements to visit Moscow in October 2015.
PART FIVE
WALKING THE CAT BACK

Deception is a state of mind—and the mind of the state --James Jesus Angleton
Chronology 3
Snowden in Russia

2013
June 23  Snowden arrives from Hong Kong at Sheremetyevo International Airport on Aeroflot flight SU213 at 5:15 PM local time. Sarah Harrison arrives from Hong Kong at Sheremetyevo International Airport on Aeroflot flight SU213 at 5:15 PM local time.
July 12  Snowden, in his first public appearance in Russia, holds a press conference at Sheremetyevo International Airport.
July 14  Snowden first meets Anatoly Kucherena, his lawyer-to-be.
August 1  Snowden’s application for asylum is granted for one year.
September 23  Kucherena states Snowden has access to NSA documents in Russia.
October 2  Ray McGovern, Thomas Drake, Coleen Rowley and Jesselyn Radack meet with Snowden and Harrison.
October 10  Snowden aided by ACLU legal team put together by Ben Wizner.
October 16  Snowden interviewed, via Internet, by James Risen (NY Times).
November 1  Snowden joins the board of the Freedom of the Press Foundation.
November 3  Sarah Harrison departs from Moscow.
December 21  Snowden meets with Gellman; his first in-person interview in Moscow.

2014
January 2  Snowden meets ACLU lawyers Ben Wizner and Anthony Romero in Moscow.
August 1  Snowden’s residence permit is renewed for three years.
191
CHAPTER TWENTY-FOUR
Dinner with Oliver Stone

“I had to ‘tune to [Snowden’s] wavelength’ and try to balance between the rational and intuitive perception of his world. Having experienced these incredible sensations, I realized that I had to write about them, but only in the form of a novel that would not claim any sophisticated philosophical conclusions.” —Anatoly Kucherena

Before flying to Moscow, I arranged to have dinner with Oliver Stone at Parma, an Italian restaurant on the upper east side of New York. I had greatly respected Stone’s ability as a film director after watching him work in Wall Street II: Money Never Sleeps, a film in which I had a cameo role. I also had debated Stone about the historic accuracy of his 1990 movie JFK at Town Hall in New York. When we dined, he had just written, produced and directed “Snowden,” an independently-financed film depicting Snowden, as he put it, as “one of the great heroes of the 21st century.” In preparing for it, he had not only seen Snowden in 2013 and 2014, but he had had a six-hour meeting with Putin. The reason I wanted to talk to him was not to learn about the film but to find out how he had managed to gain access to Snowden in Moscow. I already knew from the documents taken from Sony Pictures Entertainment allegedly by North Korea that Stone had paid the Guardian $700,000 for the film rights to “The Snowden Files,” a book written by Luke Harding. This was not a surprising sum since it provided a basis for a movie which describes Snowden’s coup. But these documents also revealed that Stone had paid Anatoly Kucherena, Snowden’s legal representative in Moscow, $1 million, supposedly for the rights to his novel Time of the Octopus. Even by Hollywood standards one million dollars was an extraordinary sum to pay for a yet-to-be-published work of Russian fiction, and it was especially striking since Stone was making a fact-based movie using the actual names of the characters.

“Is your script based on Kucherena’s ‘Time of the Octopus’?” I asked.

“No,” Stone replied, “I haven’t used it.” He said that the payment was for what he termed “total access.” He explained that Barbara Broccoli and Michael G. Wilson, the producers of the James Bond franchise, had optioned Greenwald’s book “No Place to Hide” to make into a movie HOUSE_OVERSIGHT_020343
192 about Snowden for Sony. Stone said that the million-dollar deal with Kucherena effectively guaranteed that any competing project would not have access to Snowden. Sony consequently put the competing film on hold. To be sure, it is not unusual for a lawyer to negotiate a deal on behalf of a client, but a lawyer ordinarily does not have the power to block a competing film’s access to their client. Clearly, Kucherena was no ordinary lawyer. Among other positions, he was on the public board of the FSB security service. In light of such connections, Stone said Kucherena might be acting as an intermediary for other parties who did control access to Snowden in Russia, but that was not his concern. Kucherena delivered the exclusive access to Snowden. Aside from being a skilled director, Stone is a shrewd producer who knew how to close a deal. He assessed, correctly as it turned out, that the payment to Kucherena would effectively block Sony’s competing project. Where the money went was far less clear.

Towards the end of our dinner, Stone told me that he did not know I was writing a book about Snowden until a few weeks earlier. He learned of my book from Snowden. He said Snowden had expressed concern to him about the direction of the book I was writing. “What was it about?” Stone asked me. I was taken aback. I had no idea that Snowden was aware of my book project, as I had not tried to contact him. I told Stone that I considered Snowden to be an extraordinary man who had changed history. Although I was intentionally vague in my description, Stone seemed to be reassured. That Snowden was aware that I was investigating him presented an opportunity. I asked Stone about the possibility of my seeing Snowden in Moscow. Stone did not offer to arrange such a meeting. He said only that I “might want to speak to Anatoly [Kucherena].” This conversation suggested to me that Kucherena was Snowden’s gatekeeper.

In his two years in Moscow, Snowden, or his handlers, had granted only a handful of face-to-face interviews. One was with James Bamford, who was writing an article on Snowden for Wired magazine in 2014. But it took nearly nine months to arrange the meeting. “I have been trying to set up an interview with him [Snowden]—traveling to Berlin, Rio de Janeiro twice, and New York multiple times to talk with the handful of his confidants who can arrange a meeting,” he recounted in Wired. After my dinner with Stone, I hoped to find a quicker route. First, I was advised that I needed a Moscow “fixer,” the curious term that journalists commonly use to describe a local intermediary who arranges appointments in foreign countries. I retained Zamir Gotta, a highly respected TV producer in Moscow, who I was told had helped “fix” the Bamford interview with Snowden. HOUSE_OVERSIGHT_020344
193 “There is only one door to Snowden,” Zamir wrote me. “His name is Kucherena.” Zamir said Kucherena rarely saw journalists but that he had a contact in his office. He further told me Kucherena required any journalist seeking an interview with Snowden to submit his questions to him two weeks in advance and, if approved, sign a document stating I would not deviate from the questions. Next, my questions had to be translated from English to Russian (even though Snowden does not speak Russian) and then vetted by Kucherena’s staff. Zamir also suggested I stay at the National hotel in Red Square because Snowden had gone there for previous meetings with Bamford. So I sent Kucherena, via Zamir, ten questions that might interest Snowden (if they ever reached him). I next obtained a multi-entry Russian visa from the Russian consulate in New York, booked myself a room in the National hotel with a view of the Kremlin and used all my remaining frequent travel miles to book a direct flight on Aeroflot to Moscow. HOUSE_OVERSIGHT_020345
194
CHAPTER TWENTY-FIVE
Vanishing Act

“They talk about Russia like it’s the worst place on earth. Russia’s great.” —Snowden, Moscow, 2015

My night flight from New York to Moscow took less than eight hours. It landed at 7:40 AM on October 29, 2015 at Terminal D at Sheremetyevo International Airport. I did not immediately proceed through passport control, not just because I wanted to avoid the killer bumper-to-bumper rush hour traffic, but because I wanted to explore the transit zone in which Snowden was supposedly trapped for six weeks. Sheremetyevo Two, where all international flights land, was built in the waning days of the Cold War for international passengers arriving for the Moscow 1980 Summer Olympics. It was modernized in 2010, including opening a walkway that connects Terminals D, E and F for transit passengers. Snowden had vanished, at least from public view, in this complex of terminals for nearly six weeks in the summer of 2013. His explanation, as will be recalled, was two-part. First, he had planned to board the next flight to Cuba, and from there proceed to Ecuador. But he was unable to board this flight because his passport had been invalidated by the U.S. Government while he was flying to Russia. Second, after discovering his passport had been revoked, he stayed in a capsule hotel in the transit zone for the next 38 days. To better understand the plausibility of his version of those events, I proceeded through the transit passage to Terminal F where Snowden’s plane from Hong Kong had landed at 5:15 PM Moscow time on June 23, 2013. Snowden did not go through passport control on June 23rd. Before any of the other passengers were allowed to disembark from the plane, Russian plainclothes officers from the Special Services boarded the plane and asked both Snowden and Sarah Harrison, his Wikileaks-supplied “ninja,” to accompany them to a waiting car that whisked them away. Assange and Harrison had organized a number of decoy flights.
They may have confused U.S. and British intelligence services, as they were intended to do, but they evidently did not fool the Russian intelligence services. According to the account in Izvestia, “a special operation was conducted for his reception and evacuation.” It further said: “Snowden flight to Moscow was coordinated with the Russian authorities and intelligence services.” What was less clear is whether Snowden had voluntarily participated in this “special operation” that effectively took him into custody. Wherever Snowden and Harrison were next taken—the “transit zone” extends beyond the airport to medical and other facilities—he was not brought to Terminal E, where the next Aeroflot flight to Cuba departed at 1:40 PM on June 24th, 2013. HOUSE_OVERSIGHT_020346
195 Yet, if not for the “special operation”, he could have easily gone by foot to Terminal E. It was, as I found, only a nine-minute walk through the transit passageway in which one does not have to show a passport. But that raises the question: Was Snowden’s plan really to go to Ecuador? Consider Snowden’s putative motivation in seeking sanctuary in Ecuador: his safety. Yet, Snowden assessed that he would be vulnerable to capture by the U.S. government in Ecuador. “If they [the U.S. Government] really wanted to capture me, they would’ve allowed me to travel to Latin America, because the CIA can operate with impunity down there,” he explained in a recorded interview with Katrina vanden Heuvel, the editor of The Nation, in 2014. He had previously discussed the likelihood of his being captured in Ecuador with Julian Assange in Hong Kong in June 2013 before his departure for Moscow. He also told Alan Rusbridger, the editor of the Guardian, that he considered that he was at risk in Latin America. This vulnerability was no minor matter to Snowden. He told Glenn Greenwald in Hong Kong, before arranging to fly to Moscow, that his “first priority” was his own “physical safety.” Since he did not believe Ecuador was a safe place for him, why would he leave the comparative safety of Russia and risk being kidnapped by American forces in Latin America? Nor was a U.S. passport a prerequisite for U.S. citizens flying to Havana in 2013. (Since the State Department did not sanction travel to Cuba for the general public, the vast majority of Americans going to Cuba obtained a travel document from a Cuban consulate so the Cuban entry stamp would not be marked in their passport.) So Snowden, if he really had intended to fly to Cuba, only needed this document. He had over a month to obtain it from the Cuban consulate in Hong Kong. But he did not. He could also have obtained a visa to Ecuador at its consulate in Hong Kong. But he did not.
According to his lawyer Kucherena, who closely examined his passport in July 2013, Snowden had no visas at all. Unlike his words, Snowden’s actions were inconsistent with any plan to go to any place in Latin America. Shortly after the “special operation,” a tip was placed on a publicly-accessible Russian website saying that Snowden was booked on the Aeroflot flight SU-150 to Cuba on June 24th. In response to this anonymous tip, Russian and foreign news organizations in Moscow ordered their reporters to buy tickets on that flight. With their tickets, reporters swarmed into the departure area of the airport in such numbers that the police had to set up cordons. They checked all the VIP lounges, restaurants, rest rooms and boarding areas for the next seven hours, but Snowden was nowhere to be found. A Russia Today reporter later said “It was a total madhouse. Everyone was screaming ‘Snowden’ at the airport ground staff.” Over a hundred reporters actually boarded the plane. In fact, Snowden had never checked in for that flight and, as far as is known, was never seen in Terminal E. Only after the plane took off did the journalists realize Snowden was not aboard it. All they could do was photograph two of the unoccupied seats, 17A and 17C, which they reported in tweets were Snowden’s and Harrison’s empty seats. By the time the plane landed in Cuba, Aeroflot denied that anyone named Snowden had ever been booked on any of its flights to HOUSE_OVERSIGHT_020347
196 Cuba, a denial it continued to repeat to every reporter who queried the airline for the next six weeks. The first news that Snowden was even in Russia came on July 1, 2013. A statement posted on the Wikileaks web site and signed “Edward Snowden,” after thanking “friends new and old” for his “continued liberty,” accused President Obama of pressuring “leaders of nations from which I have requested protection to deny my asylum petitions.” It added: “This kind of deception from a world leader is not justice, and neither is the extralegal penalty of exile. These are the old, bad tools of political aggression.” Since the Aeroflot flight to Cuba was the only means of getting directly from Moscow to Latin America, Russian reporters, encouraged by the Wikileaks post, continued taking the daily 11-hour flight to Cuba until August 1, 2013. The charade only ended when Kucherena said in a press conference at the airport that Snowden would be taking up residency at an undisclosed location in Moscow, and walked out of the airport with Snowden. The question remained: where had Snowden been staying for those 39 days? Sarah Harrison, his companion on the plane, told Vogue that she and Snowden had shared a windowless room in the transit zone, where they watched TV, washed their clothes in a sink basin and ate meals from the nearby Burger King. The only hotel with windowless rooms in the transit zone in 2013 was the Vozdushny V-Express Capsule Hotel, located next to a newly-opened Burger King restaurant. I next went there. The polite V-Express desk clerk, who spoke English, showed me the standard windowless double-room. It was approximately 24 square feet, the size of a large shipping container. Most of the floor space was taken up by a twin bed. Across from the bed, behind a plastic curtain, was a stall with a shower, a toilet and sink. Not only was it very cramped quarters for two people to share but it was fairly expensive. It cost 850 rubles an hour (about $18 in 2013).
For 39 days that hourly charge would add up to $16,600. Even though Snowden claimed that he brought a large cache of cash to Russia, such a long stay was not allowed, according to the desk clerk. The maximum stay allowed by the hotel was 24 hours. So either the rule was waived for Snowden or he moved to another facility not available to the public. I learned from a former KGB officer that there are a number of VIP quarters beyond the confines of the airport, including suites at the 400-room Novotel hotel, which is located about seven miles from the airport, that are used for debriefing and other purposes by the security services. According to him, the security services are not restricted from entering and leaving the transit zone. The possibility that he was staying elsewhere would help explain the futile search for him by a large number of reporters over those 39 days. When they learned from tweets that Snowden was not aboard the plane to Havana on June 24th, they aggressively questioned, for weeks, all the restaurant employees, security guards and airport personnel they could find. Some reporters even took rooms in the V-Express Capsule Hotel and “tipped” maids and other hotel employees. They also bought business-class tickets on flights to gain access to all the public VIP lounges in the transit zones. Despite this intensive search, none of them found anyone who had seen Snowden HOUSE_OVERSIGHT_020348
197 although his image was constantly shown on airport TV screens. Egor Piscunov, a Russian journalist who checked into the capsule hotel for 4 hours, told me, “It was a total vanishing act.” HOUSE_OVERSIGHT_020349
198
CHAPTER TWENTY-SIX
Through the Looking Glass

“There’s definitely a deep state. Trust me, I’ve been there.” —Edward Snowden in Moscow

While waiting to hear back from Kucherena’s office, I arranged to meet with Victor Ivanovich Cherkashin, who had been one of the most successful KGB spy handlers in the Cold War. Cherkashin, born in 1932, had served in the KGB’s espionage branch from 1952 until 1991. He now operated a private security firm in Moscow. I was particularly interested in his recruitment of three top American intelligence officers: Aldrich Ames in the CIA, Robert Hanssen in the FBI and Ronald Pelton in the NSA. I hoped that seeing these intelligence coups through the eyes, and mind-set, of their KGB handler might provide some historical context for the Snowden defection. So I invited Cherkashin to lunch at Gusto, a quiet Italian restaurant, located near the Chekhov Theater in central Moscow. Cherkashin, a tall thin man with silver hair, showed up promptly at 1 pm. Wearing an elegant grey suit and dark tie, he walked with a spry step. Since he had served in counterintelligence in the Soviet Embassy in Washington D.C. for nearly a decade, he spoke flawless English. I began the interview with one of the more celebrated cases he handled: the KGB recruitment of Aldrich Ames. Ames, a CIA counterintelligence officer, had worked as a Russian mole between April 1985 and January 1994. In those nine years, he rose, or was maneuvered by the KGB, into a top position in the CIA's highly-sensitive Counterintelligence Center Analysis Group, which allowed him to deliver hundreds of top secrets to the KGB. In return, according to Cherkashin, Ames received in cash between $20,000 and $50,000 for each delivery, which amounted to $4.6 million over the nine years. I asked Cherkashin about the weakness the KGB looked for in an American intelligence worker that might lead him to copy and steal top secret documents. How did he spot a potential Ames? Was it a financial problem?
Was it a sexual vulnerability? Was it an ideological leaning?

“Nothing so dramatic,” he answered. What he looked for when assessing Ames’s potential was “an intelligence officer who is both dissatisfied and antagonistic to the service for which he works.”

“The classic disgruntled employee,” I interjected.

“Any intelligence officer who strongly feels that his superiors are not listening to him, and that they are doing stupid things, is a candidate,” he continued. He said he had found that the flaw in a prospect that could be most dependably exploited was not his greed, lust, or deviant behavior but his resentment over the way he was being treated.

“Is that how you spotted Ames?”

“Actually he approached us, not vice versa.” It was his job in the CIA to approach opposition KGB officers. “But yes we saw the potential,” he said. HOUSE_OVERSIGHT_020350
199 Since Ames had been initially paid by Cherkashin $50,000 in cash for his first delivery, I asked whether he fit into the category of a disgruntled employee. “Wasn’t he a mercenary?”

“I knew from our intelligence reports that he needed money for debts stemming from his divorce,” he answered. “But he was also angry at the stupidity and paranoia of those running the CIA. Ames told me at our first secret meeting that they were misleading Congress by exaggerating the Soviet threat.” Cherkashin evaluated Ames as a man who felt not only slighted by his superiors but “helpless to do anything about it” within the bureaucracy of the CIA. “The money we gave, even if he could spend only a small portion of it, gave him a sense of worth.” He explained that the KGB had an entire team of psychologists in Moscow that worked on further exploiting Ames’s resentment at his superiors.

The search for an adversary intelligence officer who resents his service was not limited to KGB recruiters. It was also the “classic attitude” that the CIA sought to exploit in its adversaries, according to its former deputy director. “You find someone working for the other side and tell him that he is not receiving the proper recognition, pay and honors due him,” Michael Morell said, pointing out that the same “psychological dynamic” could be used to motivate someone to “act alone” in gathering espionage material.

I next turned to an even more important KGB coup: the Robert Hanssen case. Hanssen was the FBI counterintelligence officer who worked as a KGB mole for 22 years between 1979 and 2002 and had delivered even more documents to the Russian intelligence services than Hanssen. “Did Hanssen’s dissatisfaction with the FBI, or his objections to its policies, play a role in his recruitment?” I asked.

“I didn’t recruit Hanssen,” Cherkashin replied, “He recruited himself.
I never even knew his name or where he worked.” He added: “So I knew nothing about his motivation other than that he wanted cash.”

“So he was mercenary,” I suggested.

“All we knew was that he delivered valuable documents to us and asked for cash in return,” he said. “We didn’t control him, he controlled us.”

An uncontrolled mole that provided secrets to the KGB and SVR for 22 years was very different from fictional moles in the spy movies. I asked whether it would have been better if the KGB had him under its control.

“Possibly,” Cherkashin answered, “but as it turned out Hanssen was our most valuable penetration in the Cold War.”

Unlike Ames, whose nine-year career as a mole could be managed by the KGB, Hanssen decided what secret documents to steal and when to make contact or a delivery. He refused to even allow the KGB to suggest a site. All the communications with him were by letter or to a HOUSE_OVERSIGHT_020351
200 phone number in a used car ad. Except for putting money into a dead drop, the KGB played only a passive role in the espionage.

“Could Hanssen really be called a mole?” I asked.

“A mole is a term used in spy fiction,” he said. “We prefer the more general term ‘espionage source.’”

“So anyone who delivers state secrets to the KGB, for whatever reason, is an espionage source?” I asked.

“Certainly, if the information is valuable to us,” Cherkashin answered. “Hanssen delivered secrets exposing American human and electronic operations against Russia. He was our most valuable espionage source. It is the delivery of secrets, not the methods used, that counts.”

“If some unknown person simply delivered a trove of top-secret communications secrets to the doorstep of Russia would it be accepted?” I asked with Snowden in mind.

“I can’t say what the SVR would do today. I am long retired,” he said, with a nostalgic shake of his head. “But in my day, we needed some reason to believe the gift was genuine.”

“Would you need to vet the person delivering it?”

“With Hanssen we did not have that opportunity,” he said. “If we believed the documents were genuine, we would of course grab them.”

The final recruitment I asked Cherkashin about was that of Ronald Pelton, the civilian employee of the NSA who had retired in 1979. Pelton had left the NSA without taking any classified documents with him. After retiring, he had financial difficulties, and he sought to get money from the KGB. On January 14, 1980, he walked into the Soviet embassy in Washington DC and asked to see an intelligence officer. After he was ushered into a secure debriefing room, he said that he had information that Russia would find interesting, but he wanted money in return. What interested me about the Pelton case was that Cherkashin proceeded to recruit Pelton even though he was no longer working at the NSA, and Pelton no longer had access to the NSA.
In addition, since the FBI had 24-hour surveillance on the embassy, Pelton had almost certainly been photographed entering it and also possibly had been recorded asking for an intelligence officer by electronic bugs that the KGB suspected that the NSA had planted in the embassy. What did the KGB do in a situation in which an ex-civilian employee at the NSA possessed no documents? Despite the risks involved, Cherkashin decided Pelton had to be debriefed by communications intelligence specialists. So he had him disguised as a utility worker and smuggled out in a van to the residential compound of the Ambassador in Georgetown. A few days later, he was dropped off at a shopping mall.

“Why did you go to such effort if Pelton had neither documents nor access to the NSA?” I asked. HOUSE_OVERSIGHT_020352






















































































































































































































































