Tabulating the ICs for the various documents, Olson could see a distinct difference between the two sets. There was a higher degree of randomness in the trinomes recovered from the cell. More important, the randomness for the first, second, and third digits varied widely between the six sheets of prison trinomes. By contrast, not only did the original trinomes exhibit less randomness in their digits; the extent of randomness was nearly identical for all three “letters.”
The three “letters” had been encrypted using a common scheme, Olson concluded from the analysis. He was also convinced that the prison trinomes were dummy codes. They were meaningless. Regan’s purpose behind generating them, investigators realized, was to make the original trinomes look like a game. It was a ploy to alter the evidence by adding noise to the signal.
That insight, however, didn’t bring Olson any closer to cracking the trinomes that mattered. He researched the cryptanalysis literature to determine which encryption systems use three-digit numbers with the characteristics of the nearly three hundred trinomes contained in each of the three documents: Letter M-I134, Letter S-I134, and Letter A-341I. Since every trinome ended in 1 or 2, Olson was drawn to the possibility of a book code, in which the last digit of every number potentially referred to the first or second column of a printed page. The hypothesis seemed all the more plausible, as Regan was carrying a pocket dictionary in his duffel bag when he was arrested. Like most dictionaries, this one was printed in a two-column format.
Book codes—codes based on a book known to both sender and recipient—have been favored by spies in history because they can be nearly impossible to break, unless the book that holds the key has been identified. During the American Revolution, the American traitor Benedict Arnold wrote coded letters to the British Army in which each word was represented by a set of numbers indicating the page, line, and specific position where that very word would be found in an agreed-upon book. The ones Arnold chose were Commentaries on the Laws of England, by William Blackstone, and Nathan Bailey’s Dictionary. During World War II, German agents in Egypt used Daphne du Maurier’s Rebecca, a 1938 novel, as the basis of a code for transmitting intelligence from Cairo to support a campaign by the Axis powers against the Allies in North Africa. The discovery of the book among the possessions of two German radio operators who didn’t read English ultimately led to the breaking of the code, which in turn led to the capture of the German spies in Cairo.
Olson flipped through Regan’s dictionary. On one of the introductory pages, Regan had written “26MM” and “28SS,” which to Olson appeared to be a reference to the letters with the trinomes. Throughout the dictionary, he found words that had been underlined or marked with a dot, most of them words rarely used in everyday conversation, such as “marsupial,” “masochism,” “pestilence,” and “occident.” Olson wondered if Regan had chosen the words as keys for his encryption scheme. But when he tested the idea in different ways, it didn’t unlock any doors. Forensics experts examined the dictionary, as well as a novel that Regan had with him, for possible clues. They looked for Regan’s fingerprints to determine which pages he’d looked at the most. They scanned the pages under a special light to search for anything written in invisible ink.
The scrutiny yielded nothing. After weeks of trying, Olson was out of ideas. For the first time in his career, he was prepared to concede defeat.
Frustrated by the trinomes, Olson focused his attention on another puzzle: the note from Regan’s wallet containing a string of letters and numbers. It began “56NVOAI . . .” He had a hunch that it may have been enciphered using a Caesar shift—a method in which all the characters of a message are shifted by a fixed number of positions along the alphabet. He lined up the text on a slide board and shifted the letters by one place, two places, and so on, checking the other end of the slide board each time to see if he got anything readable.
After twenty-five shifts down the alphabet—it would have taken just one shift in the opposite direction—the first line of the text, “56NVOAIPG . . . ,” resolved to “45 MUNZHOF BANHOF STR,” which sounded like German. Plugging the result into YellowPages.com, Olson found that it was the address for the Swiss bank UBS in Zurich. The second line broke out to Bundesplatz 2 in Bern, the address for another Swiss bank. Both addresses were followed by a string of numbers that resolved to the latitude and longitude of the two locations.
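The slide-board procedure described above, as an added Python example that is not from the book or the investigation: it tries every shift and ranks the candidates by expected address words. Wrapping digits modulo 10, the crib list, and the sample ciphertext beyond its first nine characters are assumptions.

```python
import string

LETTERS = string.ascii_uppercase
DIGITS = string.digits

def shift(text, k):
    """Move letters k places along A-Z and digits k places along 0-9.

    Positive k shifts forward, negative k backward. Wrapping digits modulo 10
    is an assumption; the page only shows "56" resolving to "45".
    """
    out = []
    for ch in text.upper():
        if ch in LETTERS:
            out.append(LETTERS[(LETTERS.index(ch) + k) % 26])
        elif ch in DIGITS:
            out.append(DIGITS[(DIGITS.index(ch) + k) % 10])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def candidates(ciphertext):
    """Slide-board equivalent: the text under every backward shift 1..25."""
    return {k: shift(ciphertext, -k) for k in range(1, 26)}

def rank(ciphertext, cribs):
    """Sort shifts by how many expected words (cribs) each candidate contains."""
    scored = [(sum(c in text for c in cribs), k, text)
              for k, text in candidates(ciphertext).items()]
    return sorted(scored, key=lambda t: (-t[0], t[1]))

# Constructed sample: the plaintext quoted on the page, re-enciphered one place
# forward. Only its first nine characters ("56NVOAIPG") appear on the page.
PLAINTEXT = "45 MUNZHOF BANHOF STR"
SAMPLE = shift(PLAINTEXT, 1)

if __name__ == "__main__":
    # Cribs are hypothetical address words an analyst might expect to see.
    for hits, k, text in rank(SAMPLE, cribs=("STR", "PLATZ", "BANK"))[:3]:
        print(f"back {k:2d}  cribs={hits}  {text}")
```

For the letters, a backward shift of one and a forward shift of twenty-five give the same result, which is why the answer only appeared at the last position of the slide board.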
Why Regan was carrying those addresses wasn’t clear, but the fact that he’d concealed them using code could potentially help the prosecution build its case. It was a small consolation to Olson that he’d been able to break one of Regan’s codes, albeit a simple one. But Olson’s work on the case was far from over.
• • •
One day in early February, Regan’s attorney, Nina Ginsberg, stopped by the office of Randy Bellows, the prosecutor in charge of the case. She had a simple question. Was the government planning to use anything from the Gateway laptop seized from Regan’s house as evidence?
There was nothing unusual about the inquiry. It’s common for the defense and the prosecution to consult with each other and define the scope of an impending trial by reaching a consensus on certain aspects of the case before stepping into the courtroom. By settling questions such as whether the prosecution intends to introduce something as evidence, or if the defense plans to challenge the credentials of an opposing witness, both sides can limit unnecessary effort and expense in preparing for trial and focus on the core dispute to be resolved before a jury.
Bellows knew that the FBI had examined the hard disks of a Toshiba and a Gateway found at Regan’s house on the day of his arrest. Agents had learned that both laptops were pilfered from the NRO—Regan had removed the government stickers on them and scratched out their serial numbers—but their hard disks hadn’t yielded anything of evidentiary value. It also became clear in the course of the investigation that Regan had been using primarily the Gateway; the Toshiba was used almost entirely by his kids. So when Ginsberg put her question about the Gateway to Bellows, he replied that the government wasn’t planning to introduce any evidence from either of the laptops.
Following up with Bellows the next day, Ginsberg asked the same question a second time, just to make sure she’d understood him correctly. On Friday, February 8, she stopped by his office once again to raise the matter. This time, she asked if the prosecution could stipulate that the Gateway would be excluded from the case.
Not only was Bellows irritated by Ginsberg’s doggedness; he also found it curious. He declined her request. Although the prosecution currently had no plans to introduce the laptops at trial, he told her, the government wasn’t going to foreclose the option in case investigators found any evidence on them in the future.
As soon as Ginsberg had left, Bellows picked up the phone and called Carr. “Can you come over to my office right now?” he asked.
It was three in the afternoon when Carr drove from the Washington Field Office to the federal courthouse in Alexandria to meet with Bellows and James P. Gillis, who at the time was a senior trial attorney with the internal security section at the Department of Justice.
“Did you find anything on the computers?” Bellows asked.
“No,” Carr said.
“Are you sure about that?” Bellows wanted to know.
“Yes. Why?” Carr asked.
Bellows explained that Ginsberg had been inquiring about the Gateway repeatedly.
To double-check, Carr called Andrea Price-Lace, an agent from the bureau’s Computer Analysis and Response Team—the group responsible for collecting and processing digital evidence.
“Andrea, I’m with Randy Bellows right now,” Carr said. “Tell me something—did you all find anything on the hard disks?”
Price-Lace told him that her team had indeed run searches on the hard disks for a set of “dirty words” provided by the investigators—words like “top secret” and “classified.” However, she explained that it wasn’t CART’s job to go through the results. That was left to the investigators.
Carr was flabbergasted. He’d been under the impression that CART had combed through the hard drives and failed to find anything. The assumption was based on his experience working on the investigation of the CIA traitor Jim Nicholson in the mid-nineties: one of the breakthroughs in that case had come when CART analysts found fragments of classified documents relating to Russia on Nicholson’s notebook computer. However, CART’s operating procedures had changed in the years since. Carr evidently didn’t get the memo.
What this meant was that although six months had passed, Regan’s laptops hadn’t really been examined. Whether it was anybody’s fault was beside the point. What mattered was that there had been a screwup and it needed to be remedied immediately.
On the drive back to his office, Carr called Jechorek, his supervisor. “Who’s still in the bull pen?” he asked anxiously, expecting that many in the squad had left for the day. After all, it was late afternoon on a Friday.
“Everybody’s here,” Jechorek answered, to his relief.
“Don’t let anybody go home,” Carr said.
When he got to the office, he found in his desk drawer the DVDs that CART had made from searching and imaging the laptops. He and the other agents on the squad popped the disks into their desktops and began scrolling through the contents. CART had included the results of the dirty-word searches on the disks, which showed that some of the words had indeed been found. But it was impossible to tell where those words resided, and in what context.
The imaged files added up to more than 120,000 pages of text, the bulk of which was machine language. Pressing the “page down” button, the agents scanned the sea of characters on the screen for anything intelligible. Less than ten minutes after they’d begun, Carr let out a loud exclamation.
“Holy shit!”
The fragment of text that he was looking at read:
dA
The sentence embedded in that string of nonsensical text was one that Carr would have recognized in his sleep. It was the opening of the cover letter Regan had included in the three envelopes he’d mailed to the Libyan embassy.
Excited, the agents kept scrolling through the pages, their eyes glued to their desktop screens. As afternoon rolled into evening, the silence of the bull pen was broken time and again by exultations accompanying new discoveries. Not only did Carr and the others come across more fragments of the cover letter; they also found the entire plaintext and enciphered versions of the letter in which Regan had spelled out his espionage offer to Libyan president Muammar Gaddhafi. There was also a cover letter written to Iran.
Along with that, the agents found an identical offer to the Iraqi president, Saddam Hussein. Carr had long suspected that Regan might have contacted countries other than Libya. Here was proof that the master sergeant had, at the very least, planned on contacting the Iraqi government with the intent of selling secrets.
All of these texts were in the slack space of the Gateway—the unallocated space on a computer’s hard drive that users don’t see on their screens. Regan had clearly used the laptop to type the letters and then deleted them, taking the standard precaution of emptying the recycle bin to satisfy himself that the documents were now completely erased.
What he didn’t realize was that deleting a file on a computer doesn’t necessarily get rid of the data. It remains on the machine, occupying the same space on the hard drive as before, except that the file name disappears from the directory and the data is now no longer sacrosanct. The computer’s operating system now has permission to overwrite the old data with new data. In the case of the documents that Regan had deleted, the data was never overwritten.
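A keyword search that reports where each hit sits and what surrounds it, the detail the agents lacked in the dirty-word results, as an added Python example that is not CART's tooling or procedure. The image bytes, fragment text, 512-byte sector size and function names are constructed assumptions.

```python
import re

def render(raw, encoding):
    """Show bytes as text, with non-printable bytes as '.'."""
    if encoding == "utf-16le":
        raw = raw.replace(b"\x00", b"")  # simplification: drop the zero high bytes
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def search_image(data, terms, sector=512, window=40):
    """Find each term, case-insensitively, anywhere in a raw disk image.

    The scan runs over bytes rather than files, so text left behind in
    unallocated or slack space is reported like any other hit, with the
    offset, sector and surrounding context an investigator needs.
    """
    hits = []
    for term in terms:
        patterns = {"ascii": term.encode("ascii"),
                    "utf-16le": term.encode("utf-16-le")}
        for encoding, pattern in patterns.items():
            for m in re.finditer(re.escape(pattern), data, re.IGNORECASE):
                lo = max(0, m.start() - window)
                hi = min(len(data), m.end() + window)
                hits.append({
                    "term": term,
                    "encoding": encoding,
                    "offset": m.start(),
                    "sector": m.start() // sector,
                    "context": render(data[lo:hi], encoding),
                })
    return sorted(hits, key=lambda h: h["offset"])

def build_sample_image():
    """Constructed 4-sector image: filler bytes plus two leftover fragments."""
    image = bytearray(b"\xf6" * 2048)
    ascii_fragment = b"memo marked TOP SECRET - constructed sample"
    wide_fragment = "draft, classified - constructed sample".encode("utf-16-le")
    image[700:700 + len(ascii_fragment)] = ascii_fragment
    image[1536:1536 + len(wide_fragment)] = wide_fragment
    return bytes(image)

if __name__ == "__main__":
    for hit in search_image(build_sample_image(), ["top secret", "classified"]):
        print(hit["offset"], hit["sector"], hit["encoding"], hit["context"])
```

Searching both ASCII and UTF-16LE matters because word-processor text on Windows is often stored two bytes per character, which a plain ASCII search misses.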
At seven p.m., Carr called the prosecuting attorneys to give them the news. The evidence that the investigators had been trying to unearth for months had been lying in his desk drawer all along. Without a prod from the defense, the prosecution may well have remained ignorant about it.
• • •
The discovery of the letters on the Gateway strengthened the government’s case against Regan, eliminating the need to introduce the envelopes mailed to the Libyan embassy as evidence. On February 14, 2002, less than a week after the breakthrough, a grand jury returned a superseding indictment against Regan, charging him with three counts of attempted espionage—on behalf of Libya, Iraq, and China—and one count of gathering national defense information.
Regan’s letters to Gaddhafi and Hussein, disclosed in the indictment, incensed an American public still reeling from the shock of the 9/11 terrorist attacks. To many, his words looked like the very definition of treason. In Farmingdale, Regan’s old friend Brian Wagner—who like many others had missed the news of Regan’s arrest—was shocked when he read about the indictment. He called Bob Florio, the classmate who used to give Regan hell on his paper route, and began reading out the article on the phone in a tone of disbelief. When he got to the end of the article, however, he couldn’t help chuckling. “Here’s the kicker, where you know it’s got to be Regan,” Wagner said, proceeding to read out the part that mentioned that the letters discovered on the computer were filled with spelling errors.
The four-count indictment was bad enough, but things were about to get even more dire for Regan. In his State of the Union address on January 29, 2002, President George W. Bush had identified Iraq—along with Iran and North Korea—as part of an “Axis of Evil” that represented a grave threat to the United States and the rest of the world. The speech would later come to be seen as the first drumbeat of war against the Saddam Hussein regime. In that climate of hostility between the United States and Iraq, Regan’s ploy to extort a lesser sentence for his treason by withholding the secrets he had stolen made officials in the Defense and Justice Departments furious. Here was someone who had not only conspired to commit espionage against the United States, but was now threatening the lives of U.S. servicemen, including pilots engaged in policing the northern no-fly zone in Iraq. By refusing to disclose where he’d stashed top secret national defense information—the extent of which was as yet unknown—he was in effect thumbing his nose at the American flag. If there was anything worse than treason, it was this.
Through the early weeks of spring, with Regan yet to make any offer of disclosure, decision makers in the government hardened their stand. The Department of Justice authorized the prosecutors to pursue the death penalty. It was the first time since the execution of the Rosenbergs in 1953 that the government would be seeking death for an alleged spy. Although such a decision had never been made before in an attempted espionage case, the prosecution was convinced that Regan’s crime met the statutory requirements for a death-penalty trial.
The task of drafting the prosecution’s notice to seek the death penalty fell on Gillis, who had moved from the DOJ to become an assistant U.S. attorney in the Eastern District of Virginia. His wife was vehemently opposed to capital punishment. In the months prior, when Gillis had told her that he had been assigned to work on a spy case, she had asked him pointedly if the case would involve the death penalty. He had never imagined that it might. “No, don’t worry,” he had told her. “It’s attempted espionage.”
Now, much to his discomfort, he found himself laying out the government’s rationale for why death was a suitable punishment for Regan. Besides creating a “grave risk of substantial danger to national security” and a “grave risk of death” to another person—two aggravating factors cited under the death-sentence statute in federal law—Gillis argued that Regan’s betrayal qualified for the death penalty on several nonstatutory counts. Unlike spies who had been convicted of passing one piece or several small pieces of classified information, Regan had sought to give away a broad sweep of secrets. He’d targeted multiple countries, pioneering what the prosecutors termed “form letter” espionage, in effect multiplying the potential risk to the United States. What made his crime particularly worthy of capital punishment, Gillis noted in the notice, was that Regan had used the death penalty as a marketing tool in his offer letters to demand the price he wanted. “If I am caught,” Regan had written, “I will be enprisoned [sic] for the rest of my life if not executed for this deed.”
Although officials would never admit it, the government’s decision to seek the death penalty was as much a move to give exemplary punishment to a traitor as it was a negotiating tactic. Officials at the NRO were desperately anxious to recover the secrets Regan had stolen. The agency had conveyed to the Justice Department in no uncertain terms that the NRO’s priority was to undo the damage Regan had caused. After Gillis had drafted the notice, he spoke to Regan’s defense attorneys to impress upon them that their client still had the option to plead guilty. The offer on the table was that prosecutors would agree to seek a twenty-five-year prison sentence if Regan returned everything he had taken. It was his last chance, Gillis told the defense. “Once we file the death-penalty notice,” he said, “all bets are off.”
Regan was given a few days to consider the offer, but he refused to budge. He seemed oblivious to the gravity of the situation, which had only worsened after the discovery of the letters on the laptop. He was still insistent that he be given a much shorter sentence. As he would later explain to a government-hired psychiatrist, “I’d take the death-penalty option rather than taking twenty years and missing out on my children.”
The Spy Who Couldn't Spell