In Carr’s view of the world, Jack’s presence near his cubicle at precisely the moment when Carr had been squinting at the illegible string on the CIA document wasn’t a mere coincidence. As Carr would come to see it in the months ahead, it was yet another example of divine providence.
“Hey, Jack, come here, check this out,” Carr called out. He’d worked with Jack in the past and knew that Jack’s expertise went beyond making covert entries.
He showed Jack the document, drawing his attention to the line at the top. “I thought maybe it was a copier error or something, but I think this is a string of text,” Carr said. “Do you think you could recover it?”
“Absolutely,” Jack said. “Give me a copy of it and I’ll run down to the lab.”
He left shortly after and, about three hours later, e-mailed Carr with the results. Using a combination of guesswork and digital technology, he had built out the sliced-off portion of the text, completing each partial character. Carr now had a legible header.
The URL of the report wasn’t what he was after; he already knew that. What the header also included was the date the document had been printed on: July 8, 1999.
Carr knew at once the utility of this information. It meant that investigators could now attempt a focused search for computers that had accessed the CIA report on a specific day, rather than over a two-year period, assuming that the spy had looked up the document on the same day that he had printed it.
And so, while IT administrators at various intel agencies were discovering hundreds of accesses to the six documents that the FBI had asked them to check for in their network traffic, Carr requested that the National Security Agency lead an Intelink audit aimed at identifying computers that had accessed the CIA report on July 8, 1999. Right before March, Carr got the audit results back from the NSA. The document had been accessed on that particular day by eleven IP addresses. Six of them stemmed from contractors on the West Coast, which Carr ruled out since the spy had to be somewhere in the D.C. area. Of the remaining accesses, two had stemmed from the NSA and one from inside the CIA. The other two computers to have accessed the document belonged to the National Reconnaissance Office.
• • •
At the NRO, Gary Walker dug deeper into the backgrounds of the nearly thirty employees he had identified through his file reviews as persons of interest. The closer he looked, the more interested he became in the Air Force master sergeant who had retired in August 2000.
The serviceman’s training and postings as a signals analyst told Walker that he likely had in-depth knowledge of satellite reconnaissance. There was something else that caught Walker’s eye. It was a rebuttal the analyst had written in 1988 in response to a less-than-stellar performance appraisal. What struck Walker was that it was filled with misspellings.
Written on a typewriter, the three-page letter was titled “Rebutal.” The missing t was no anomaly, nor had it been skipped over in a fit of frenzied typing. As Walker read on, he encountered wrong spellings in almost every line; even the word “the” was scrambled into “teh” in some places. He was also surprised by the strident tone of the letter. It seemed disproportionately severe compared to the mild criticisms in the appraisal. The writer had gone on at great length about how exceptional his work was and how his supervisor—a woman—did not deserve to be a manager.
Walker shared the rebuttal with Krofcheck, the psychiatrist. The two compared it with the letter the spy had written to the embassy. It wasn’t just that both texts were riddled with misspellings. Krofcheck saw similarities between the two in the way that certain words had been misspelled. The analyst and the spy both seemed to have a tendency to transpose letters, for example, spelling “proceed” as “procede”—an error frequently made by those with dyslexia.
Krofcheck pointed out a deeper similarity between the rebuttal and the letter to the embassy. In both, Krofcheck heard the angry voice of grievance, of somebody who felt the world hadn’t given him his due.
In early March, Walker learned the results of the Intelink audit, showing that the CIA report printed on July 8, 1999, had been accessed by five IP addresses from the CIA, NSA, and NRO. Investigators had not been able to trace the two accesses from the NRO all the way to the specific computers that had downloaded the document, but to nodal points in the NRO’s internal network, each of which fed into a work suite consisting of a handful of computers. Walker compiled a list of NRO employees who had worked at these two suites: one at the headquarters in Chantilly, the other at an NRO office located thirty miles away, near I-295 in Maryland.
The Air Force master sergeant had worked at both locations. Walker picked up the phone and called the FBI’s Washington Field Office.
Bill Lace took the call.
“Hi, Bill,” Walker said. “This is Gary.”
The two men had discussed the investigation a few times during the prior weeks. But from the tone of Walker’s voice, Lace could tell that this was more than a routine update.
Walker told him about the master sergeant. He listed all the reasons that made the man a strong suspect in his eyes: the position of signals analyst, the cryptology training, the misspellings in the rebuttal letter, the date of his retirement relative to when the envelopes had been mailed to the embassy. And finally, most compellingly, the fact that the master sergeant had worked at the two NRO work suites from which the top secret CIA assessment of Muammar Gaddhafi had been accessed in July 1999.
“I think this is our guy,” Walker told Lace.
Lace asked where the master sergeant lived. Walker read out the retiree’s home address. It was in Bowie, in Prince George’s County, Maryland, in close proximity to the libraries that the jacobscall e-mail address had been accessed from. To Lace, that was further confirmation that Walker had identified a strong candidate.
In the weeks leading up to March, the squad had opened preliminary investigations into a handful of other suspects who had been identified through file reviews at the NSA and the CIA. The FBI had given these individuals code names that reflected the overarching case: one suspect, who worked at the CIA, was referred to as Cast-A-Line; another, from the NSA, was labeled Cast Short; a third, also from the NSA, was given the name Cast Arrow.
Some of these preliminary investigations had already reached their logical end, eliminating certain suspects from the running. For instance, when investigators matched up Cast-A-Line’s absences from the CIA with the times when the jacobscall e-mail account had been checked, they were convinced he wasn’t their man. In one instance, the analysis showed, the person would have had to drive out of the CIA in Langley, Virginia, over to a library in Oxon Hill, Maryland, log in and out of the e-mail account, and return to the CIA all in a matter of twenty minutes. “He probably stepped out to get a sandwich,” Carr had concluded.
After the phone call from Walker, Lace poked his head into Carr’s cubicle and told him what he had learned. The FBI launched a preliminary investigation on the master sergeant on March 15, 2001, assigning him the code name Cast Led.
Like Lace and Walker, Carr thought the serviceman looked promising, but he wasn’t willing to bet on Cast Led just yet. He had seen from close range the folly of locking onto a target prematurely in a counterespionage investigation. Just a few months earlier, the FBI had discovered that its agents had made a grave error in pursuing the CIA’s Brian Kelly for years on the suspicion that he had been passing secrets to the Russians when the mole they should have gone after was the FBI’s own Robert Hanssen. To be certain about Cast Led, Carr needed more evidence.
• • •
Late in the evening on March 28, Carr parked his car in front of a Dunkin’ Donuts in Chantilly, Virginia, and walked inside. If Carr had been a cop on neighborhood patrol, stepping into a doughnut shop for a cup of coffee would have been a cliché. As it was, though, Carr was at the store to meet up with other federal agents in preparation for a key mission. Their
task for the night was to conduct a secret search of an office at the NRO headquarters. To catch a spy, Carr liked to say, it was sometimes necessary to hide in the weeds and move only at night.
The men leading the operation were the FBI’s covert entry specialists. Among them was Carr’s friend Jack, who had helped the hunt previously by reconstituting the header of the CIA report in the spy’s bona fides. Jack and his flaps-and-seals colleagues had broken into dozens of homes and cars and buildings over the years to assist with investigations of every manner at the FBI. To carry out these break-ins, always authorized by a court order, the specialists often had to prepare for weeks, watching the comings and goings of residents in the immediate vicinity of a targeted house, for instance, to find the right time to enter without alerting neighbors. They were used to walking around furniture in dark rooms in the dead of night, sometimes aided by nothing more than a flashlight covered with a red filter to soften the beam so that people driving by wouldn’t notice any activity through the windows. The aim was to execute a ghostlike entry and exit, leaving no trace behind that might alert the target of the investigation.
Tonight’s mission was a bit different from most break-ins. It was unusual for Jack and his colleagues to facilitate a clandestine entry at another government agency. The plan wasn’t entirely secret to the NRO; the FBI had briefed counterintelligence officials at the NRO about the plan, which was to examine all the computers in the suite at NRO headquarters that the Intelink audit had pointed to. Gary Walker was accompanying the search team, and NRO managers had already given the FBI the keys to enter the main building where the suite was located. Yet the operation had to be done covertly, because if any of the NRO employees working in the suite were to find out, the spy could be alerted.
Carr had done his own share of planning for the night. He knew that the suite had four computers—the machine from which the CIA report had been accessed could have been any one of them. But copying the hard drives of four computers—to allow each to be combed through later—wasn’t going to be easy all in one night with the limited amount of equipment Carr’s squad had available to deploy. And so, Carr had asked computer forensics experts from the NSA to help.
Shortly after eleven p.m., the FBI agents and other members of the team exited Dunkin’ Donuts and drove to the NRO, a cavalcade of cars speeding through the night. After they had driven around the NRO building and verified that nobody was inside, the men parked in a lower-level garage. They took an elevator down to the basement and walked down a hallway to get to the suite.
Carr stepped in and surveyed the space. It had four large cubicles, each with its own desktop. Jack and his colleagues began taking Polaroid pictures, recording the position of every object in the room, from how paperweights and staplers lay on the desks to how the wheels at the bottoms of the chairs were turned. The computer forensics team set up two plastic folding tables in an adjacent room. Agents carefully unplugged the four computers and lugged them over to the makeshift workstation, where the forensics experts hooked each of them up to disk-imaging hardware to copy the contents of each hard drive.
As the imaging got under way, Carr sprawled out on the floor and caught up on some sleep, with the computers whirring in the background. In the early hours of the morning, the flaps-and-seals agents nudged him awake. The men put the computers back where they belonged, folded up the tables, and got ready to leave. Using the Polaroid shots as a reference, they ensured that the suite looked exactly as it had when they had walked in. Carr gathered up the photographs, all of which had been numbered, to make sure they weren’t leaving any of them behind.
He couldn’t account for all the pictures. One, number 26, appeared to be missing.
“Oh, crap,” he said.
Jack looked at him sternly.
Carr went over the pictures again. The men looked around on the desks and the floor but couldn’t find any photographs lying around.
“I think I misnumbered the pictures,” Carr said finally. He had skipped 26 when writing down numbers on the backs of the pictures in serial order.
Jack was furious. “How could you have done that?” he asked. For a flaps-and-seals operation, a slip like that was a cardinal sin.
Carr apologized. He had been working eighteen-hour days since the spy hunt began. The grind of the investigation was fraying his nerves.
Jack didn’t talk to him for the remainder of the operation. It was dawn when the men drove out of the building with the hard drive images. Carr went home and sank into bed, exhausted.
• • •
It was past noon when Carr woke up and left for work. While he was on his way, he got a phone call from the computer forensics team at the NSA. While Carr slept, they had examined the four hard drives imaged from the NRO.
“We found some stuff,” the caller said.
“I’ll call you back from a secure phone,” Carr said. He hung up and drove as fast as he could to get to the Washington Field Office. He bounded up the stairs and dialed the NSA on a special landline that government agencies use for calls that need to be especially protected from eavesdropping.
On one of the four hard drives, the forensics team had found URLs of what they believed to be some of the Intelink documents in the bona fides package. Lace went to the NSA that afternoon to look at the URLs himself, since he was the one who had located each of those sites on Intelink previously. He called Carr shortly after to give him the report.
Twelve of the hundreds of URLs cached on the hard drive matched the nineteen that Lace had on his list. Among them was the CIA report printed on July 8, 1999. The last person who had used the computer was Cast Led. Nobody had logged in to it since Cast Led had retired in August 2000.
“Are you kidding me?” Carr asked excitedly. “Oh my God, we actually have a primary suspect.”
On the night of April 2, Carr went back to the NRO for a second entry into the suite, this time accompanied by experts from the FBI’s Computer Analysis and Response Team. Unlike the previous night, the CART personnel focused on the desktop that Cast Led had worked on until a few months before. While they imaged the hard drive, following special protocols for preserving digital evidence, Carr and other agents looked around the suite.
On an overhead shelf in the cubicle where Cast Led had worked, an agent found the manual Joint Tactical Exploitation of National Systems, a handbook containing descriptions of U.S. spy satellites and other intelligence-gathering equipment. The spy had included the manual’s table of contents in the bona fides package and had offered to sell information contained in it. The agent picked up the manual and showed it to Carr.
Carr opened it. Inside, on the cover page, written in block letters with a marker pen, was the name of the retired master sergeant.
Brian Patrick Regan.
• • •
The worst nightmare for officials in charge of security and counterintelligence at an intelligence agency is to find out that the safeguards they have had in place to protect against insider threats were simply not good enough. For weeks, NRO’s managers had hoped against hope that the spy would turn out to be from the ranks of a different organization. But with the discovery of the URLs of the bona fide documents on the computer in the NRO suite, the agency’s fears had been realized.
The aerial pictures of Gaddhafi’s yacht had provided additional confirmation that the sender of the package was none other than Regan. Analysts had determined that the photographs, taken by a foreign intelligence agency, were among materials that were given out at an intelligence course that Regan had attended at Colorado Springs in the summer of 1997. Only one other individual from the NRO had attended the course.
From everything that investigators had learned about Regan, he seemed like an unlikely spy. Six feet four inches tall, he towered over most colleagues, although only by virtue of his height, not on account of personality or apparent intellect. If anything, his lu
mbering, giantlike frame and his halting style of conversation gave him the appearance of a man who could never be swift in action or in thought. The impression was solidified by Regan’s social awkwardness, which his coworkers took to be the reason behind his reclusive nature.
Yet, despite the doltish persona and the muddled spelling, Regan had evidently masterminded a sophisticated espionage plot, one that might have been impossible to discover if it hadn’t been for the lucky break the FBI got from its informant. It was all the more stunning that Regan had been able to give effect to his conspiracy without raising any suspicions at what was perhaps the most secretive and security-conscious of U.S. intelligence agencies.
But what was the extent of the man’s plot? What had Regan gotten away with so far, and what was he planning to do next?
The first step toward answering those questions was to assemble a full picture of Regan’s activities on Intelink. During much of the twentieth century, spies looking for information to pass on to their masters had to steal dossiers from cabinet lockers, pilfer blueprints stored on microfiche, and snap hurried photographs of military plans left on a general’s desk. But times had changed. All that Regan would have needed to do to find sellable secrets, investigators realized, was sit in his cubicle and surf the intelligence community’s classified intranet.
NRO’s counterintelligence chief, Debra Donahoo, asked the agency’s IT administrators to examine what Regan had accessed on Intelink in the two years before he retired. The job required forensics expertise that the NRO didn’t have in-house. Donahoo called the Air Force Office of Special Investigations for help, and AFOSI sent over a young digital forensics investigator named Bret Padres.
The Spy Who Couldn't Spell Page 4