Nonetheless, it was still possible that the spy was from within the CIA’s ranks, even if he wasn’t a Middle Eastern–North African analyst. And so the CIA joined the search, along with the NSA.
On December 13, more than a week after he’d seen the coded letter, Carr drove out to the National Reconnaissance Office in Chantilly, Virginia. Responsible for managing the nation’s spy satellites, the NRO was one of the United States’ most secretive organizations. For three decades after it was founded, most Americans didn’t even know that it existed. Despite an annual budget of several billion dollars, the shroud of secrecy surrounding the NRO stayed intact well after its existence was made public in 1993. The organization’s relative obscurity—even to intelligence insiders—was why Carr hadn’t thought of it right away.
But over the course of the week, he had come to realize that the spy could well be a current or former employee of the NRO. Like the NSA, the NRO is heavily staffed by members of the U.S. military. It fitted with Carr’s hypothesis about the traitor being a military man. Another reason was that the jacobscall e-mail address had been accessed not just from libraries in Bowie and Crofton, but also on one occasion from the Tysons-Pimmit Regional Library in Falls Church, Virginia, within fifteen miles of the NRO’s headquarters in Chantilly. It was plausible, Carr thought, that the spy lived close to the NSA and worked at the NRO.
As Carr familiarized himself with the NRO’s mission and operations, he could see the clues in the spy’s letter and bona fides that pointed in the direction of that agency. A lot of the secrets the spy was offering—aerial imagery and signals intelligence—constituted exactly the kind of information that the NRO’s satellites collected on their clandestine orbits around the Earth. Since the NSA, the CIA, and several other agencies access and use these intelligence products routinely, one couldn’t link those secrets exclusively to the NRO. Yet other details in the letter—such as the offer to provide orbits, locations, and schedules of satellites—indicated a familiarity with reconnaissance from space.
The NRO launched an internal investigation to identify potential suspects in its employee pool. The CIA and the NSA had already begun searching within their ranks. In the meantime, investigators visited the different libraries the spy had accessed the jacobscall e-mail account from, in hopes of finding records of who might have been sitting at the libraries’ public computers at those times. Much to the FBI’s dismay—and to the relief of privacy advocates—the library administrations didn’t keep such records. At the Tysons-Pimmit Regional Library, for instance, patrons waiting to use the Internet stations had to write their names on a list that was tossed at the end of the day.
The e-mail account, however, remained pivotal to the investigation. The FBI asked Mail.com if agents could keep tabs on the jacobscall address, and engineers at the company wrote a special program for the e-mail account. It was designed to send an alert to Carr’s pager, as well as pagers held by two surveillance teams, whenever the e-mail account was accessed, providing the IP address for where it had been accessed from.
The idea was to have surveillance attempt to spot the spy as soon as he logged in to his e-mail account. Carr had drawn up an Excel spreadsheet listing the IP addresses for libraries in the greater Washington, D.C., area—where the spy was likely to return to access the account. Some of the libraries had dynamic IP addresses; to make it simple to track any log-ins from there, the FBI requested that the Internet service providers for those libraries assign them fixed IP addresses. The service providers complied, the library administrators cooperated, and after the arrangements were made, the FBI tested the system around mid-January. Carr’s pager flashed as planned. The FBI’s surveillance teams took to camping out by the libraries often, anticipating an alert, but as the weeks passed, Carr wondered if the spy was ever going to log in to the account again.
• • •
Catching spies isn’t always cloak-and-dagger stuff; sometimes it involves endless hours of drudgery. For a couple of weeks that winter, two of Carr’s colleagues spent the bulk of their workdays hunched over a desk at the Library of Congress, combing through used-car ads that had appeared in the Washington Post over the prior two years. They were looking to find out if any country had already established contact with the spy using the instructions provided. The agents didn’t find any ads matching what was described in the letter.
Carr set a plan in motion to draw out the spy, preparing for what’s known in counterintelligence as a false-flag operation. The idea was to respond to the letter as the spy had wanted Libyan intelligence to. As Carr and his fellow agents went about following the instructions in the letter, they discovered just how hard the spy had made it to do business with him. If Libyan officials had taken the spy up on his offer, Carr thought, they would likely have slapped their heads in frustration along the way.
The first complication was getting an 800 number as the letter asked for. Carr’s squad requested that FBI New York set it up. But every 800 number the agents attempted to acquire was taken. Like good domain names, 800 numbers are a prized commodity, as evidenced by the endless stream of commercials on late-night TV that invite viewers to call toll-free to buy everything from golf clubs to cat food.
“The best we can do is get a 1-888 number,” an agent from New York told Carr.
“Let’s buy a 1-800 number from somebody,” Carr said. “I don’t care if it costs $100,000.”
The FBI did care, however, and in the end, the investigators settled for an 888 number. But when Carr read the number New York had gotten, he let out a moan of exasperation. It ended in a 0. The spy had asked that the last seven digits of the number be reversed and presented as a local-area phone number in the used-car ad he was going to look out for. It wouldn’t make sense for the ad to list a phone number starting with 0.
The FBI had to get a different 888 number. Carr called the Washington Post’s classified section to place the ad. He read out the details of the car from the spy’s letter: a 1993 Ford Taurus with 95,000 miles on it. Asking price: $17,000.
There was a moment of silence from the other end.
“Sir, no one’s going to buy your car for seventeen thousand dollars,” the person taking the call said. “That’s a crazy asking price.”
“Yeah, I know,” Carr said. “I still want that in the ad, though.”
“Sir, I can’t in good conscience advise you to post this ad and expect to sell your car,” the person said. “You are wasting your money.”
There are times when FBI agents can flash their badges to get something done. This wasn’t one of them. “I just want to put a classified ad in your paper,” Carr finally said, losing patience. “I’ve got a credit card here and I’m going to pay. I don’t care what your opinion is! So just place the ad, OK?”
He made the payment and hung up.
Next, Carr sent an e-mail to the jacobscall address to inform the spy that he should look out for the ad in a week’s time. In the note, sent from an e-mail account created under the pseudonym “Shawn McGuire,” Carr wrote, “We got your letter. We are definitely interested in your offer. We set up a 1-888 number instead of a 1-800 number but all else remains the same. Please contact us.”
The FBI assigned an Arabic speaker to answer the toll-free number. Then the agents waited, hoping the spy would call.
CHAPTER 2
TRAITOR UNMASKED
On a snowy day in the middle of January 2001, Gary Walker, an agent with the Air Force Office of Special Investigations, sat hunched over a desk in a windowless room at the National Reconnaissance Office headquarters in Chantilly. The room was the size of a walk-in closet, with barely enough space for a couple of chairs and two small rectangular desks. It was cramped further by a cart that Walker had wheeled into the room. On it was a stack of files containing the personnel records of employees at the NRO.
Walker began reading file after file, jotting down notes on a pad. Weeks
earlier, he had entertained the fleeting hope that this weary task wouldn’t need to be undertaken. When Steve Carr had briefed the NRO about the spy’s letter and accompanying bona fides, Walker’s first reaction was to ask if the letter wasn’t part of a clever double-agent operation initiated by some entity within the U.S. government—a dangle to win over Libyan intelligence. Like other countries, the United States routinely conducts such operations, in which somebody from the U.S. ranks reaches out to the enemy, masquerading as a spy. Besides creating opportunities for misinforming the enemy and gleaning enemy secrets, double-agent ops are intended to discourage the enemy from accepting volunteer spies.
But Walker’s hopes of the letter signifying a dummy threat had been dashed soon enough, after the National Counterintelligence Center checked with the Army, Navy, Air Force, and other organizations and confirmed that it wasn’t a double-agent op. Walker, assigned to the NRO from the Air Force Office of Special Investigations, was tasked with conducting personnel reviews to flag potential suspects. The files to be looked at numbered in the thousands, and since they weren’t digitized, the only way to review them was by going through them page by page.
Walker steeled himself to the prospect of spending the next several months holed up in that little room. Along with an employee’s résumé, history of postings, job description, and performance appraisals, each file contained reports of background investigations done for granting the employee a security clearance. Starting out, Walker scanned the files for traditional counterintelligence indicators. Evidence of financial difficulty, including big debt. Alcoholism or drug addiction. Failure to report foreign travel or contact with foreigners—required of employees holding security clearances. A weighty indicator on the list was problems in clearing a polygraph, or lie detector test, which, although founded on disputed science, remains the government’s primary tool for affirming if an employee is answering questions honestly.
In looking for these possible red flags, Walker was following a model built on decades of mole hunts, from which investigators had come up with what they believed were potential signs of an insider’s susceptibility to committing espionage, be it willingly or under threat of blackmail.
About a week into the reviews, Walker heard a knock on his door. He looked up to see an elderly man smiling at him.
“Hi, I’m Joe Krofcheck,” the man said.
A psychiatrist in his late sixties, Krofcheck had worked at the CIA for decades. He had worked on dozens of mole hunts and counterespionage assessments—exercises carried out after catching a spy to gain insights on what precise factors might have led to the treason. The NRO had asked him to see how Walker was faring with the file reviews.
When Walker told him how he’d been going about it, Krofcheck suggested a more targeted approach. “Think about who would want to do this,” Krofcheck said, drawing Walker’s attention to the spy’s statement in the letter about being close to retirement after twenty years of service. That suggested the person was an enlisted service member, Krofcheck said, not an officer or a civilian employee, since only enlisted members face retirement at the end of twenty years. Based on that reasoning, Krofcheck suggested limiting the file reviews to enlisted personnel of grade E-6 or above who had retired within the last two years or were due to retire in the next two years.
Walker’s task suddenly became a lot more manageable. He’d been looking at the whole universe of NRO employees, former and current, numbering in the tens of thousands; now he had to scrutinize only a few hundred files. Studying them one cartload at a time, Walker set aside files that met some of the counterintelligence indicators on his list, from financial issues to murky polygraphs.
His attention was first drawn to an employee who had failed to disclose an extramarital affair with a coworker when stationed in Italy. In the same batch of files, Walker came across another person he found interesting: a signals analyst who had retired a few months earlier, in August 2000, at the rank of master sergeant. The person had reported having financial difficulties in the past, but what made Walker pay closer attention to him was something else. Unlike most employees in the pool Walker was looking at, the master sergeant had received training in cryptology. Walker placed the file on top of his stack of candidate suspects. The rest of the files he loaded back onto the cart and wheeled out of the room, only to return minutes later with the next cartload.
• • •
Like Walker at the NRO, counterintelligence officials at the NSA and the CIA were combing through their agencies’ ranks to find persons of interest. The FBI had named the investigation Cast About, in a reference to the spy’s gambit to market himself to the Libyans. It was clear that a classic counterintelligence review of employee records at the three agencies was going to be a slow, painstaking effort that would take months.
Carr had to think of other investigative avenues to pursue in the meantime. Possibly the strongest clue available to him and his fellow agents was the set of nineteen documents the spy had downloaded from Intelink. Shortly after the hunt began, one of Carr’s colleagues on the squad—an agent named Bill Lace—set about tracing each of the documents to the Intelink sites they had been printed from.
A mild-mannered man of slight build, Lace was a civil engineer by training who had followed in the footsteps of his wife, Andrea Price-Lace, to join the bureau in the late nineties. He had never had any reason to use Intelink before. An analyst in the Washington Field Office helped him get a log-in, and in short order, Lace found himself sitting in front of a computer in a tightly controlled space for the handling and processing of classified information—what’s known as a Sensitive Compartmented Information Facility or SCIF—and surfing an Internet hidden from public view.
Intelink sprang into existence in 1994, as corporations and academic institutions around the world were beginning to harness the power of the World Wide Web. James Woolsey, then director of Central Intelligence—a title that at the time made him head of both the CIA and the broader intelligence community—wanted the government’s large and diverse ensemble of intel agencies to work better with one other. It was common to hear of different entities not wanting to share information, and the DCI’s solution was to link up the digitized databases of these agencies and form a shared network of servers that would allow for exchanging, utilizing, and building on intelligence developed by different players.
Searching on Intelink, Lace soon found the URLs for each of the nineteen documents. The next step was to find out who had accessed all of these sites over the previous two years. It might have been an easy task if all the documents had resided on one central server. But as Lace learned, that wasn’t the case.
Each of the documents was stored on the server of the specific agency where it had been created. Every agency maintained its own log of network traffic stemming from within and outside the agency, and the traffic originating from one entity sometimes went through a number of intermediate servers before arriving at the destination server, where the requested document resided. To complicate matters further, the way logs of network traffic were kept wasn’t uniform across agencies. Tracing accesses to the nineteen documents would require a massive audit of these logs.
Lace reached out to the IT administrators of the NSA, CIA, NRO, and other organizations, requesting that they scrutinize the traffic to and from their servers for six of the nineteen documents. Despite focusing on this subset of URLs, it took more than two weeks for the agencies to start getting back to the FBI with results. What Lace heard from them was disheartening. In the two years prior, the six documents had been accessed by hundreds of people across the intel community. Many had accessed several—if not all—of the documents. There was no way to single out any one person.
• • •
Doing the same thing over and over and expecting a different result is how some define insanity. By that definition, Carr was unquestionably going insane as he developed the investigation thr
ough the first few weeks of 2001. Although he’d already spent hours studying the materials the spy had mailed to the embassy, Carr returned to his binder almost compulsively to look at the letter and the bona fides package again and again.
One morning, as he sat at his desk flipping through those pages, Carr noticed what looked like a smear of telex ink running across the top edge of one of the documents. It was a CIA report titled “Gaddhafi’s Undependable Pragmatism.”
When Carr looked closely, he could see that the line was in fact a string of text. It wasn’t legible, though, because the upper half of the text was cut off. Only the bottom half of the string appeared on the page. Still, Carr could make out that the fragment was from the document’s header, which for a Web page typically indicates the site’s URL along with other information. None of the other documents had anything like it at their top or their bottom, suggesting that the spy had taken care to scrub any headers and footers, either before or after printing them out. Somehow, he seemed to have failed to do so for this CIA report.
When Carr took a moment to look up from his desk, he caught sight of a colleague from another FBI office who happened to be visiting the Washington Field Office that morning. The colleague, a special agent whose first name was Jack, belonged to an FBI unit that specializes in secretly entering buildings and cars—with court authorization—to assist investigations that need to be conducted covertly. In the bureau, these covert entry experts are called the “flaps-and-seals” guys.
The Spy Who Couldn't Spell Page 3