Playing to the Edge: American Intelligence in the Age of Terror (4 page)

The best summary I got from my best technical minds was that aspects of Thin Thread were elegant, but it just wouldn’t scale. NSA has many weaknesses, but rejecting smart technical solutions is not one of them. In the end, parts of Thin Thread were merged with parts of Trailblazer to create new systems that were indeed quite successful and were used for years.

But the developers of Thin Thread, Bill Binney, Kirk Wiebe, and Ed Loomis, were messianic in their approach, and they had an ally in Diane Roark, a staffer from HPSCI (House Permanent Select Committee on Intelligence) who monitored the NSA account. They were later joined by Tom Drake, a senior outside hire who entered the agency almost as the twin towers were crumbling.

The alliance with HPSCI staffer Roark created some unusual dynamics. I essentially had several of the agency’s technicians going outside the chain of command to aggressively lobby a congressional staffer to overturn programmatic and budget decisions that had gone against them internally. That ran counter to my military experience—to put it mildly.

In April 2000 I sent a message to the workforce that laid out my thoughts. I was simultaneously angry and careful. “Some individuals, in a session with our congressional overseers,” I began, “took a position in direct opposition to one that we had corporately decided to follow. This misleads the Congress regarding our agency’s direction and resolve. The corporate decision was made after much data gathering, analysis, debate,
and thought. Actions contrary to our decisions will have a serious adverse effect on our efforts to transform NSA and I cannot tolerate them.”

After endorsing full participation in our internal decision-making process, I went on to say that “once a corporate decision has been reached, I expect everyone to execute the decision to the best of their ability. I do not expect sheepish acquiescence, but I do expect the problems necessitating course corrections will be handled within these walls.”

I then reminded everyone that “openness and candor are critical to our future success and I do not want anyone dealing other than with total honesty with our congressional monitors. Further, anyone suspecting that any activities at NSA constitute a violation of law, regulation, or ethics must notify proper authorities. However, when policy, resource, or operational decisions are properly arrived at and promulgated by agency authorities I expect each of us to carry out their part of the program.”

The note was unclassified, so the Hill was certainly aware. Surprisingly, the phone didn’t ring. They had their responsibilities. I had mine.

Most never saw the whole Thin Thread dispute as anything other than a technical argument; I never encountered any other senior who seemed to think or act otherwise. But the small group of passionate Thin Thread supporters have elevated this into a sort of digital age morality play.

First of all, they claimed a kind of operational equivalency and then compared their program’s relatively modest price tag with Trailblazer’s substantial costs. Even if it had been able to scale, Thin Thread was addressing a fraction of the issues that Trailblazer was designed to take on. The comparison is specious.

Since then, they have also argued fraud, waste, and abuse, pointing not only to Trailblazer’s troubled procurement history, but to the fact that SAIC, where Bill Black had worked while away from the agency, was the prime contractor on Trailblazer’s technology demonstration platform. SAIC is indeed where Bill worked—and where he left when I asked him to come back to serve—but that had nothing to do with the contracting process.

Finally, Binney, Roark, Wiebe, Drake, and Loomis have claimed an ethical and legal superiority. Binney has flatly accused NSA of lying. In 2012 he charged that “George Bush, Dick Cheney, Tenet, and Hayden combined to subvert the Constitution, the constitutional process, and any number of laws.”

Such comments gained steam and a larger audience after NSA’s retention of American metadata was made public by Edward Snowden. Thin Thread would have made all of that unnecessary, they argued.

I don’t see how, even setting aside the operational issues. They argued that Thin Thread would have collected the data but would have immediately encrypted it and would have made it accessible only through strict protocols. But the issue with NSA’s retention of massive amounts of American metadata was
not
that NSA had misused it, but rather that NSA
had
it, a condition that would not be ameliorated by encrypting it.

Sometime before 9/11, the Thin Thread advocates approached NSA’s lawyers. The lawyers told them that no system could
legally
do with US data what Thin Thread was designed to do. Thin Thread was based on the broad collection of metadata that would of necessity include foreign-to-foreign, foreign-to-US, and US-to-foreign communications. In other words, a lot of US person data swept up in routine NSA collection.

But NSA’s protocols required that US person information be filtered out at every step of the intelligence process. Avoid collecting it if possible; if collected, avoid retaining it, and so on. Thin Thread required collecting, retaining, and then
using
US information for its success.

Binney and company insisted that encrypting and controlling access to the US data solved this problem; they told us that Roark, NSA’s overseer, agreed. NSA’s lawyers didn’t, and when they briefed the House Intelligence Committee’s staff, the lawyers from both sides of the aisle sided with the agency.

It wasn’t that we weren’t trying. As we approached the millennium with 1999 rolling over to 2000, we were all deeply concerned about a potential terrorist attack in the homeland. Our fears were justified; an
alert border agent later detained a terrorist trying to enter the country on a ferry in Puget Sound.

At NSA, we were pulling out all the stops. The operations folks were proposing a new course of action. Like all of us, they were concerned about terrorists entering or already inside the homeland. The head of operations wanted to try the Thin Thread approach, retain US metadata that we were collecting in our foreign intelligence activities, encrypt it, limit access to it through a kind of “two key” protocol, and then (when indicated) chain through the metadata to other contacts.

It was operationally sound, but my lawyers remained very suspicious of its legality. They demanded a meeting with me. After a session with both the ops and legal teams present, I decided to force the issue. “Press Justice,” I said. “Tell them we want to do this.”

Let me be clear. This was me arguing for a limited use of the Thin Thread approach prior to 9/11.

The answer from Justice was also clear: “You know you can’t do this.” When that was reported back to the HPSCI staff, Roark accused NSA of just not being forceful enough with Justice, a charge that brought a barely suppressed laugh from a Democratic staffer.

So Thin Thread did not moot the US person issue, as some later claimed when condemning President Bush’s Stellarwind program (chapter 5). The US person issue was mooted only after the president in
that
program specifically authorized NSA to acquire US metadata after the 9/11 attacks. That would indeed prove a controversial decision (controversial even though NSA continued to acquire US metadata through the summer of 2015), but Thin Thread would have required a similar authorization. Inexplicably (at least to me), the Thin Thread team has continued to hold up its approach as a lawful alternative to the president’s “unlawful” Stellarwind.

Put bluntly, prior to President Bush authorizing Stellarwind, Thin Thread’s intricacies and processes did not meet the requirements of US law. After Stellarwind was launched, Thin Thread’s scalability problems simply caused us to choose a different system.

Thin Thread’s advocates filed an IG (inspector general) complaint against Trailblazer in 2002. After I had left NSA, in late 2005, Siobhan Gorman published a series of articles in the
Baltimore Sun
bitterly critical of Trailblazer. They were later sourced to Tom Drake, who had apparently already despaired in 2005 that the new DIRNSA, Keith Alexander, would reverse course on Thin Thread. The subsequent FBI investigation of the leak led to heavy-handed raids on the homes of practically everyone in the Thin Thread group. Drake was later indicted under the Espionage Act, a heavy and blunt instrument, and not surprisingly, the case ultimately collapsed of its own weight.

To be clear, I had nothing to do with that. I didn’t even file the crimes report that precipitated the investigation. Drake overstepped and the rest of them were a pain in the ass, but that’s hardly grounds to ruin lives. This was a matter better handled administratively, like revoking clearances, for example.

The Thin Thread folks weren’t done, though. When a team of Americans went to Moscow in 2013 to present Edward Snowden with the Sam Adams Award for Integrity in Intelligence, Tom Drake was in the group.

Then in the summer of 2014, Drake and Binney showed up in front of the German Bundestag’s commission looking into NSA’s activities there. Binney asserted that “they [NSA] want to have information about everything. This is really a totalitarian approach. The goal is control of the people.” Drake, after claiming that NSA wanted to punish Germany for harboring the 9/11 hijackers, added that NSA’s “monitoring regime has grown into a system that is strangling the world.”

Like I said, they were messianic. I wonder what they would have been like if we had bought their widget.

W
e all remember that Tuesday morning, crystal clear, not a cloud in the sky along the East Coast. September 11, 2001, the end of the world as we knew it. I had stayed up late watching
Monday Night Football
. The game was in Denver, the opening of the Broncos’ new stadium, and I was coming into my office on about six hours’ sleep. I started around 7:00 a.m., as I always did, this day running down to the agency barbershop for a quick haircut. On the way back I stopped at my operations center, the NSOC, for an update. Pretty normal. Nothing special on the horizon.

Back in the office, I was working my way through some routine appointments when my executive assistant, Cindy Farkus, came in and said, “A plane hit the World Trade Center.” Like practically everyone else, I thought it must have been an accident, probably a small plane, and I continued with my meeting. Then Cindy came in again and said, “A plane hit the other tower.”

“OK—get the head of security up here,” I responded as I adjourned
the meeting. Just as Kemp Ensor, the security chief, was coming through my office door, Cindy came in again and said, “There are reports of explosions on the Mall,” a garbled version of the third plane hitting the Pentagon. Ensor still hadn’t said a word. “Tell everyone, all nonessential personnel, to evacuate,” I ordered.

I then directed that those remaining (probably more than five thousand) move out of the two high-rise headquarters buildings and into the original ops building, a long, low-riding three-story structure that would present a tougher target for an aircraft. That’s where my ops center was, so I moved there as well.

My executive assistant came with me. The rest of the office staff evacuated, but before they did, one of them, Cindy Finifter, who religiously kept my calendar, hammered out an entry in her log:

NOTE: ATTACK ON AMERICA—EARLY DISMISSAL—PM MEETINGS WERE CANCELLED

Attack on America. DCI George Tenet called me before the morning was out, asking what we had. Like everyone else in the intelligence community (IC),
*
we knew it was al-Qaeda, but I had the benefit of having real evidence and was able to report that we were getting the communications equivalent of celebratory gunfire on al-Qaeda networks. George responded with a resigned “Yeah.”

One group that we could not move out of the high-rise buildings was our counterterrorism team. Fort Meade is more than just the headquarters of NSA; it’s also its biggest field station, and a significant portion of America’s SIGINT is produced there every day—including its counterterrorism intercepts and reports, and this was one team whose work we could
not
disrupt to move it to a safer location.

It was getting close to dusk when I went up to their offices. Most of the team were Arab American, so the national and professional trauma of the attacks was even more personal for them.

They were hard at work. I didn’t interrupt them. I just walked from station to station, not even pausing for them to take their headsets off, gripping a shoulder, nodding my head, an occasional “hang in there” or words to that effect.

While I was there the maintenance staff was tacking up blackout curtains over the windows. It felt surreal. Blackout curtains in eastern Maryland in the twenty-first century.

When I finally got home that night, my wife was waiting for me and gave me a warm hug. We joined the national mourning as we both broke into tears. I had not spoken to her since a quick call that morning asking her to locate our adult kids. She had taken calls from her mother and from my brother and had assured them that I was not at the Pentagon when the plane hit.

There, in our hallway, Jeanine and I acknowledged that tomorrow was going to be a very different day.

It was, and so were all the days after it during my time at NSA. For one thing, with more people and more money and a relentless focus, we could mass our resources on decisive points. On 9/11 we had about 250 mission areas we were required to cover. Within weeks of the attacks and without objection I had suspended over 10 percent of them and degraded another quarter. Increased resources and focus also allowed us to accelerate the transformation already under way. The week of the attack, I asked our gathered seniors what effect 9/11 should have on our transformation program. Their bottom line was, “Change nothing. Accelerate everything.”

There was anger as well as resolve in our response. Before the week of 9/11 was out, I could see bumper stickers all over CIA with the last known words of Todd Beamer, one of the heroes of Flight 93 over Pennsylvania: “Let’s roll.” Jeanine suggested a similar theme for NSA after we unwound late one night looking at a replay of a national concert
commemorating 9/11 losses. It was Tom Petty’s “I Won’t Back Down.” With Mr. Petty’s generous permission, we plastered NSA facilities around the world with the thought and the music for the next several years.

Operationally, the counterterrorism chiefs at NSA narrowed their work down to three clear tasks: follow the money (terrorist financing); follow the stuff (arms, precursor chemicals, and the like); and, above all, follow the people.

SIGINT was invaluable for this. Time and again the intercept of communications told us what we needed to know. An example: Eliza Manningham-Buller, head of Britain’s MI5, called me in March 2004 after her service and the British police had raided twenty-four locations, made eight arrests, and confiscated half a ton of ammonium nitrate. She thanked me for the NSA SIGINT that was an “absolutely crucial building block for the whole operation.”

I put that out to the entire NSA workforce and got a grateful e-mail in return. It seems that a local Maryland radio station had been waxing eloquent about the British takedown, contrasting it to the bumbling ways of American intelligence. The e-mail writer had been understandably offended and was very heartened to learn of the NSA role. It was a reminder that, in intelligence, you often don’t get to publicly sign your own work.

In pursuit of terrorists, we also mastered geolocation and metadata, a bit different from traditional reporting on the
content
of targeted terrorist, diplomatic, or even military communications. If you had enough metadata—the pattern of how a communications device was used (whom did it call, who called it, when, for how long)—you could pretty much determine what the owner of a device was up to. Some of this would later be the topic of debate when it came to collecting American metadata, but here it enabled NSA to burrow in on a dirty phone and determine its user and his contacts even with limited knowledge of content. Then, using all the tools available, we could precisely fix
where
the phone was.

We had struck pay dirt, almost haphazardly, early on in Afghanistan, killing an al-Qaeda leader and several of his lieutenants as they were fleeing Kabul. The strike was enabled by combining imagery and intercepts
in real time. After I was briefed on the operation, I asked, “Why can’t we do that all the time?” and put some bright minds on figuring out how to institutionalize the approach.

We set up an effort, the Geocell, staffed it with smart young folks, teamed them up with imagery analysts from the National Geospatial-Intelligence Agency (NGA), and then wired them directly to tactical units in the field.

Old SIGINTers will tell you that this was just a version of what they used to call traffic analysis. If it was, it was on a massive dose of steroids.

We put the Geocell in the basement among the heating ducts, forklifts, supplies, and other detritus of our industrial base. When visitors passed through the cypher-locked door and entered the secure work area, though, they could see huge screens with current imagery and watch Fort Meade analysts in multiple chat rooms throughout the war zone, advising combat forces in real time and living up to their self-described role: “We track ’em, you whack ’em.”

In early November, the US government took a shot from a Predator drone at a Taliban compound north of Kabul based on Geocell input. We were under way.

This kind of activity was first confined to the war zone in Afghanistan, but then, beginning in late 2002, NSA SIGINT was married to real-time imagery and other intelligence to support actions against al-Qaeda elsewhere.

Time
magazine was skeptical. In reporting on such strikes,
Time
opined that “the idea of targeting terrorist quarry from the skies far from the open battlefields of Afghanistan is, of course, a different proposition and it’s unlikely to become the norm.”

Wrong.

Around this time, George Tenet and other intelligence luminaries were at Fort Meade to celebrate the fiftieth anniversary of the founding of NSA by President Truman’s (secret) executive order in 1952. A lot was said about the origins and importance of the agency. It put a nice exclamation point on our current successes.

The operational success of SIGINT-imagery cooperation shouted out for more and stronger linkages. Jim Clapper was an old friend and mentor, and now headed NGA, the clumsily labeled National Geospatial-Intelligence Agency. NGA merged imagery intelligence (IMINT) with traditional mapping and tried to live its motto, “Know the earth. Show the way.” Our two disciplines, SIGINT and IMINT, lived parallel lives in terms of their technology and their speed. Both of us were collecting and producing electrons.

Over time we linked our databases and our IT systems and were sharing exploitation techniques. In the fall of 2004 Jim and I were onstage together for an hour in New Orleans, briefing our collaboration to thousands in our contractor base. Anyone who doubts the significance of that scene just doesn’t know enough about the traditional culture of the American intelligence community.

Jim and I were united in the knowledge that this was an intelligence-driven war. All wars are, of course, but this one especially. We had spent most of our professional lives in the Cold War. Intelligence then was hard work, but it was difficult for our adversary to hide the tank armies of Group Soviet Forces Germany or the vast Soviet ICBM fields in Siberia. That enemy was pretty easy to find. Just hard to kill.

This was different. This enemy was relatively easy to kill. He was just very, very hard to find.

Seems simple, but it inverted a lot of conventional thinking. That’s why later, when some intelligence programs became controversial, I argued that restricting our intelligence in the current effort was like unilateral disarmament in the former. You were voluntarily surrendering the key elements of success.

It inverted some concepts of operations too. Intelligence professionals are accustomed to operators demanding information so they can go do something important. I was having dinner at the house of Charlie Holland, the commander of Special Operations Command (SOCOM), early in the war. Charlie was a good friend. We had been together in something called CAPSTONE, DOD’s finishing school for new brigadiers,
and while on that program’s class trip had jogged together through the capitals of several Latin American countries. Over dessert Charlie turned to me, tapped the table, and said, “Mike, I need actionable intelligence.”

I assured him that we were working on it, but then said, “Charlie, let me give you another way of thinking about this. You give me a little action and I’ll give you a lot more intelligence.” In other words, we needed operational moves to poke at the enemy, make him move and communicate, so we could learn more about him. Operations could be designed to generate information. Over time we more and more settled into that pattern.

 • • • 

A
FTER 9/11,
a lot of people wanted to help us, especially our closest friends, what NSA calls second parties—those English-speaking democracies, the members of the Five Eyes community (Australia, Canada, New Zealand, the United Kingdom, and ourselves) whose SIGINT roots go back to Bletchley Park and breaking the German Enigma code in Europe or to similar efforts and locations in the Pacific.

These loyalties run deep. There is a general consensus between British and American SIGINTers that the two countries’ special
political
relationship began in the parlor office of the Bletchley manor house when American cryptologists arrived and were briefed by their British counterparts on what they knew (and did
not
know) of the Enigma code.

On 9/11 a new arrival in the New Zealand liaison section was in his Fort Meade office. He was directed to evacuate. He refused to leave and continued to keep his capital updated. “Friends do not leave friends at moments like this,” he later told me.

Almost within hours of the attack, the heads of Britain’s intelligence services came to the United States. They needed special permission and even a special escort to penetrate American airspace. On landing they went to Langley, where they met with George Tenet and others of us on his team. The instructions to our guests from their prime minister were clear: help the Americans however you can.

There are permanent structures to facilitate this cooperation. Every year, the Five Eyes intelligence services customarily get together; the United States is represented at these meetings by the heads of CIA, NSA, and FBI. Not every partner parallels our structure; we routinely have thirteen agencies there from the five countries. The first meeting after 9/11 was in March 2002 on New Zealand’s South Island. New Zealand’s hosting had been long planned, but the session had been delayed and then stripped of much of its social agenda. We narrowed the staffs who would attend too. Security demands would be high; we didn’t need to make them a nightmare.

We all knew one another. Despite the disparity in budget and size and power among our organizations, personal relationships reflected a professional egalitarianism. There was no superpower strutting. Except at the airport. The heads of CIA and FBI arrived in their own jets, setting off rampant speculation in the local papers about who these guys were and what might be going on.

We quickly dove into the work. How could we best keep our citizens safe? There were operational conversations to be sure, but also something more. All of us were both the defenders
and the products
of democracies. Eliza Manningham-Buller, then deputy head of Britain’s MI5 with extensive experience working against IRA terrorism, struck a chord with her blunt description of our operational and constitutional challenge. How were we to deal with the not-yet-guilty? After all, we were in the business of preventing terror, not just punishing it.