Each character on the ball had a unique position such that tilting and rotating the ball a precise amount would bring a particular character into the correct position for typing. Thus, the typewriter sensed, or selected (ergo the name Selectric), which key had been struck, then rotated and tilted the ball exactly the amount that would bring that character into the typing position. In total, each ball had eighty-eight possible characters.
An elaborate linkage mechanically encodes 7 bits of information that uniquely define 128 possible ball positions (40 more than needed to specify 88 unique characters, but 6 bits would only have defined 64 unique characters, 24 too few for the full character set on each ball).
Six of these bits were for character selection, while the seventh bit was used for sensing shift and special characters. Thus, when each key was pressed, seven mechanical latch interposers would move into one of a total of 128 possible combinations of positions, which controlled the amount of movement on two pulleys that tilted and rotated the type ball: a tilt pulley that moved into one of four possible positions, and a rotation pulley that moved the type ball into one of twenty-two possible columns.
The entire assembly built upon design concepts for mechanical calculators that preceded the first fully digital calculators of the late 1960s (remember, IBM stands for International Business Machines, which originally were mechanical calculators).
Looking at one of the IBM machines on his workbench, Gandy remembered the cleverness of the horseshoe magnets and other concealments and wondered how many other hides he would find. (In the business that Gandy was in, the clever masking of the presence of a bug was sometimes called a hide.)
Six years earlier, while listening through the chimney antenna in Moscow, he had encountered another hide: the placement of the exfiltration signal (which turned out to have been from transmitters embedded in the Selectrics’ aluminum bars) in the intermodulation region of two Moscow TV stations, such that a TSCM receiver would interpret any signal coming from the typewriter bug as a normal artifact.
In all, R9 ultimately discovered that the GUNMAN typewriter implants had eighteen different hides, some of which have been revealed while others remain classified.
In addition to the insulated lug and cored-out attachment screw, the grease, the spanner cover, the snug fit that hid the seam in the aluminum bar, the horseshoe magnet, and intermodulation hides, the modified typewriters included these other hides:
• The machines had to be disassembled before x-rays could be used to detect the implants. Jon LeChevet did x-ray one of the bugged typewriters in 1978 (his own) but did not detect the implant because he did not first take it apart.
• The springs that connected the on-off switch to the on-off button on the keyboard, in addition to being power conductors, were actually disguised induction coils that “loaded” the bug’s transmitter and receive antenna to operate at the desired frequency (30, 60, or 90 MHz). The electrical conduction path from the modified power switch to the transmitter/receiver in the aluminum bar actually served four functions: spring, delivering power, acting as an RF transmit antenna, and serving as a receive antenna for remote controls (to command burst transmissions). To make the antenna portion of the spring linkage function properly, each spring had to be cut to extremely accurate dimensions. Gandy’s team discovered that the springs in each IBM machine had been custom cut, or tuned, to account for slight variations in the antenna properties of the spring linkage system from machine to machine.
• The RF signals themselves frequency-hopped, making them harder to detect and decode by U.S. TSCM receivers.
• The captured keystrokes were stored in a memory chip, then transmitted in ultrashort bursts that were also very difficult for TSCM gear to differentiate from normal click artifacts from light switches and even toilets flushing. These were the clicks that Gandy originally heard through the chimney antenna in 1978.
• The transmissions were further protected via encryption so that even if TSCM receivers did manage to intercept them, code-breaking technology would be needed to read them. (Gandy speculated that the KGB had encrypted transmissions from the bugs mainly to protect them from their rival intelligence agency, the GRU—Soviet military intelligence—so that the KGB could get full credit for the take from the keystroke loggers. The Soviets, it turned out, had their own version of the who-hates-whom chart, pitting one directorate of the KGB against another, Communist party apparatchiks against the military, and the KGB writ large against archrival GRU.)
• As an added protection, the bugs did not sense all seven bits of information so that uppercase and special characters had to be reconstructed. In addition, the KGB had reduced six bits to four bits, decreasing the power that transmittal needed (making the signals harder to detect) and requiring sophisticated computer algorithms to reconstruct the text.
The stealthiness of these hides—and others—meant that the security scans that were performed at U.S. diplomatic facilities in the Soviet Union and its allies in the Warsaw Pact had not only missed the typewriters but might also be missing other types of bugs with equal sophistication.
Lieutenant General Lincoln Faurer, NSA director when the GUNMAN implants were discovered, commented on the sophistication of Soviet tradecraft after Gandy described R9’s conclusions from studying the Selectrics:
I think people tend to fall into the trap of being disdainful too often of their adversaries. Recently, we tended to think that in technical matters we were ahead of the Soviet Union—for example in computers, aircraft engines, cars. In recent years, we have encountered surprise after surprise and are more respectful. Most folks would now concede that they have enormously narrowed the gap and have caught us in a number of places.1
Aside from the scary prospect that the Soviets were collecting invaluable intelligence from other “undetectable” bugs, the GUNMAN project had other deeply troubling results.
Although the bug in the IBM machine taken from the ambassador’s office had gotten power from the typewriter’s normal AC power (and down-converted it via a transformer hidden in the power switch), other, earlier versions of the bug (there turned out to be five different configurations that had been inserted into the U.S. embassy over a period of eight years between 1976 and early 1984) used batteries. These batteries were connected to an external connection that would allow a KGB employee at the embassy to quickly test battery status and to replace the battery if needed.
For this battery test-and-replace feature to make any sense, the KGB had to have believed they could get easy and repeated access to the machines, some of which were in sensitive locations, such as Jon LeChevet’s security office and the ambassador’s office.
Gandy was disappointed and worried by this development, but not surprised. The buxom honey trap and her escort, along with the KGB watchers who had left their cigarettes in neat rows on the staircase landings, had certainly had no trouble getting around the embassy.
The presence of batteries in early versions of the typewriter bug answered a question that had been bothering Gandy ever since Jon LeChevet’s team had discovered the chimney antenna six years earlier: Why did the KGB need to put a receive antenna so close to the ambassador’s office? The amount of data transmitted from the bug was relatively low, so that an entire payload of stored text could be packaged in a low-power signal that could be easily sensed by antennas in KGB listening posts across the street from the embassy. Taking the risk of placing an antenna in U.S. territory, where it could be discovered and removed, seemed unnecessary.
Unless, Gandy realized, the KGB had to set the transmit power of the bug to a very, very low level in order to preserve battery life. With extremely low transmit power coming out of the bug, the KGB would need to place an antenna as close as possible to the bug’s transmitter—ergo the chimney placement.
Two other questions troubled Gandy. How had the KGB gotten their hands on the typewriters to modify them in the first place, and how had the Soviets known in advance that they co
uld easily get their hands on them? The GUNMAN implant design was so clever, so thoroughly engineered, that it must have taken the KGB a lot of time and money to design, test, and manufacture the implant devices. It was inconceivable to Gandy that the KGB would have spent all that time and money—probably a few years before the first bugged typewriter went into the embassy (in late 1976, a records search discovered)—if they had not been extremely confident that they could intercept the IBM machines and modify them.
Although NSA, CIA, and State never learned exactly how the IBM Selectric intercept was accomplished, Victor Sheymov, a KGB defector, said that inasmuch as the machines were not shipped by diplomatic pouch because they were not deemed that important, during supposed customs inspections at Sheremetyevo International Airport, the KGB probably shipped the machines to a special KGB factory in Moscow, where they were modified prior to being returned to the Americans.
Burton Gerber of CIA, who served as both Moscow COS and later as head of the DO’s SE division, asserted that the typewriter shipments had probably been intercepted not in Moscow but in Helsinki, Finland.
However the typewriters had been intercepted, ultimately, R9 discovered that a total of 16 out of the 250 IBM Selectrics at the embassy and at the U.S. consulate in Leningrad had been bugged.
R9’s investigation took over fourteen weeks, but Gandy felt that the discoveries were so important to evangelize around the IC that he issued highly classified weekly reports summarizing each week’s findings and conclusions. On several occasions, the KGB had so thoroughly masked what the GUNMAN bug was doing that Gandy and his team reached erroneous conclusions about how the bug worked because the typewriters had so many hides layered inside other hides.
The errors in R9’s reporting caused by the KGB’s sophisticated misdirections had to be corrected in subsequent news releases to the small group of security experts read into GUNMAN, causing some embarrassment to NSA, but Gandy believed embarrassment was a small price to pay for helping others in the IC—and the State Department—look for similar exploits that might be sending classified information to Moscow Center.
When R9 was finished, they collected all their findings and forwarded them to Walt Deeley’s organization, who in turn put together NSA’s complete, official summary of the GUNMAN investigation.
In a typical in-your-face move, Deeley had two crossed .45-caliber pistols printed on the cover of the report, with smoke rising from each of the pistols’ barrels.
All by itself, the cover Deeley had designed proclaimed loudly to NSA’s doubters—most prominently George Shultz, who had demanded to see a smoking gun from the Moscow embassy—“You wanted a smoking gun? Here’s your fucking smoking gun!”
12. Putting the Smoke Back in the Gun
According to Jon LeChevet, as soon as George Shultz received the in-your-face GUNMAN report, he summoned his top security officers, including LeChevet, up to a conference room near his office.
LeChevet said,
We went into the meeting room, and Shultz was standing on the other side of the table with the Blue Report with the crossed .45s in front of him. There were no preliminaries—Shultz just stood there and asked if any of us knew anything about the report or if we had ever seen it before. He picked it up and slammed it down, and I think there may have been a profanity or near profanity uttered. It was a very short meeting and we were dismissed. I did not get to see the report until a couple of weeks later.
(In late 2017, when directly asked about this account, George Shultz did not recall the meeting that LeChevet referred to but said it would not have been like him to utter a profanity.)
Although it’s not clear what Shultz was thinking right after he left the meeting LeChevet described (Shultz said he has very little recollection of the entire typewriter incident), later official statements from the State Department suggest that the KGB bugs had done no damage whatsoever.
The level of concern was apparently so low that there is no evidence that an official damage assessment from the typewriter bugs was ever done. Shultz, LeChevet, and other State security officers reached for comment did not recall seeing such a report.
FBI did try to reconstruct which typewriters had been used, when, and by whom, but the Moscow embassy routinely destroyed such records and did not keep close tabs on the machines in the first place. So both FBI and NSA concluded that a rigorous damage assessment was impossible.1
The State Department said that it did modify its embassy equipment shipping, maintenance, and inventory procedures after the GUNMAN discoveries and also asked Admiral Inman in 1985, who was chairing a panel on embassy security convened after the Beirut embassy bombing, to add electronic espionage to his list of study subjects.2
But an official State Department comment on the typewriter bugs,3 issued after CBS News broke the story in 1985, said that there was “no evidence that the Soviets ever acted on information obtained from monitoring the compromised typewriters.”
Senior State Department officials also claimed that none of the bugged typewriters were ever used in the ambassador’s or DCM’s offices. Asked to comment on this assertion, a senior member of the PFIAB who reviewed the GUNMAN finds in 1985 said, “Well, they’re just big fat liars, aren’t they?” For his part, Gandy thought the State Department’s claim that no GUNMAN implants were ever near the ambassador’s office didn’t square with the placement and orientation of the chimney antenna. “Why else would they go to all the bother of hiding an antenna where they did, and use the roof as a perfect waveguide from the chief’s office, et cetera?”
Ambassador Arthur Hartman, who famously issued a memo to the State Department titled “Counterproductive Counterintelligence,” complaining about Gandy’s activities and those of other countermeasures experts in Moscow, was especially unconcerned, according to a diplomat who worked with Hartman.4
“He [Hartman] wanted the Soviets to hear 95 percent of what he had to say—when he briefed a congressman, for example,” the diplomat said. “This was one way he had of getting his ideas across to the Soviets. For the other 5 percent, you had the secure rooms.” (Virtually all the GUNMAN-implanted typewriters were not in secure, RF-shielded rooms that protected the “other 5 percent,” so presumably Hartman regarded information typed on them as either relatively unimportant or also worthy of sharing with the Soviets.)
When asked about whether Hartman and other diplomats actually wanted the Soviets to learn what was typed—as well as spoken—in nonsecure areas of the embassy, Jon LeChevet said,
I am an old Cold War warrior and don’t see how you can make State look good if the bottom line is that they would be willing to let the Soviets read our mail to achieve a big-picture goal, but this is the culture of State. The attitude among many black dragons [career diplomats] was that the job of diplomacy was paramount and intelligence was a sideline that should not be a function of an embassy (grudgingly tolerated at best).
The bottom-line result from the GUNMAN discovery was that State Department diplomats (but not security officers, such as LeChevet) regarded it largely as a nonevent.
Deeley, Gandy, and the rest of NSA may have thought they’d discovered a smoking gun, but the State Department had done their best to put the smoke right back in the barrel.
Many at CIA were equally unconcerned about the GUNMAN discovery. According to Burton Gerber, Moscow COS from 1980 to 1982 and later head of DO’s SE Division, no CIA assets were ever compromised through the GUNMAN implants for the simple reason that all of the GUNMAN typewriters belonged to the State Department, and State diplomats, almost without exception, never learned of CIA’s assets’ identities.
Gerber and other former CIA officers who served in Moscow also wryly observed that State Department security in areas under their control was so lax—with heavy dependence on FSNs—that the KGB had redundant access to information typed on IBMs and may not have gotten that much extra value from the GUNMAN implants. One CIA officer observed, “Heck, why would they need GUNMAN when KGB
officers or informers were doing a lot of the typing in the first place!”
In belated recognition of this problem, George Shultz made an announcement, a full four years after the GUNMAN discovery: “In Eastern Europe, we are establishing core areas of the embassies where no one but cleared Americans are allowed. Our aim is to ensure that classified material is processed in areas free from all foreign nationals or other uncleared personnel.”5
Another CIA officer, a DS&T employee who went to NSA to look over the GUNMAN implants, went much further discounting GUNMAN. “I think that Gandy faked the whole thing to look like a hero,” the DS&T officer told an NSA staffer. “The only reason the so-called discovery took three months was in order to allow time for Gandy to hire a U.S. contractor to design and build the bug, so that Gandy’s crew could then ‘discover it’ to justify their wild claims and get bigger budgets.” (This is an ironic theory given that Arneson briefly considered the possibility that CIA had installed the GUNMAN bugs to “fuck with NSA.”)
Just how many others at CIA shared this view is unclear, but CIA’s view of the GUNMAN incident seemed to range from “Yes, there was a smoking gun, but who cares?” to “There was no smoking gun in the first place.”
* * *
So in the end, did the GUNMAN typewriter implants do any real damage to U.S. interests? Did Gandy’s six-year odyssey to find and plug leaks in the Moscow embassy, which culminated in the discovery of the GUNMAN implants, make America securer? And did the GUNMAN discovery achieve the most important goal of all, according to Gandy, of saving the lives of Soviet citizens who risked everything to gather intelligence for the United States?
Let’s start by looking at what was actually typed on the GUNMAN implanted machines.
The History of the Diplomatic Security Service addressed this question:
Security Engineering Officer George Herrmann recalled that the news [of the typewriter bugs] was “terrifying,” because nearly every telegram generated by the Department was prepared as a machine readable document on an IBM typewriter, and then carried to the post communications center.6
The Spy in Moscow Station Page 22