Two controversial counter-terror programs share parallels
On the morning of September 11, 2001, John Poindexter, a 65-year-old retired rear admiral and President Reagan's onetime national security adviser, was driving to his office at a technology firm in Arlington, Va. He was 5 miles north of the Pentagon.
Poindexter's wife, Linda, rang his cellphone. Airplanes had flown into the twin towers in New York City, and one just crashed into the Pentagon, she said. "But Mark is OK. He wasn't in the building." Mark, one of the Poindexters' five sons, was a commander on the chief of naval operations' staff. His offices sat where the plane crashed, but most of the staff had cleared out earlier to accommodate Pentagon renovations.
"First, I was relieved that Mark was not in the building," Poindexter recalled in interviews in 2004. "Next, I realized this was a well-coordinated attack of the type that we had been working to prevent."
Poindexter was the senior vice president at Syntek Technologies. Under contract with the Defense Advanced Research Projects Agency (DARPA), the Pentagon's renowned innovation center, he helped to design early-warning systems for countering terrorism and other security crises. The technologies would sift through huge, disconnected databases for useful intelligence -- telltale events, names, or places that hinted at malicious intentions -- and then connect the pieces to predict an attack.
"I wondered if the intelligence community had ever considered the use of commercial airplanes as weapons by terrorists," Poindexter said. The signals were there, hiding in a sea of noise. At least 19 hijackers had crossed the border, used credit cards to buy plane tickets, made phone calls to associates, taken pilot training. They left digital footprints every step of the way.
Poindexter arrived at Syntek and found his co-workers huddled around a television. "The first tower had collapsed before I got there, and I watched as the second one came crashing down, in what seemed like slow motion," Poindexter said.
"I was discouraged," he continued. "We had not been able to gain acceptance by the intelligence community of the technologies and concepts that we had developed. It had been a long, slow process over the past six years." Poindexter's staff left for home. "I stayed most of the day, thinking about what needed to be done."
Some 30 miles away, at the headquarters of the National Security Agency in Fort Meade, Md., Michael Hayden, a 56-year-old Air Force lieutenant general and the agency's director, had been working for two hours when the first plane pierced the World Trade Center's North Tower. Almost immediately, submachine-gun-toting guards and bomb-sniffing dogs fanned out across the NSA campus, the nerve center of the most sophisticated electronic spying network ever devised.
As the planes struck their targets, Hayden ordered all non-essential workers to evacuate. He called his wife, Jeanine, asked her to find their three children and headed to the counter-terrorism center.
The agency's "CT shop" housed the experts and linguists who tracked terrorists' foreign communications. Lately, they had intercepted more than usual. The center's offices were located near the top floor of a high-rise.
On 9/11, "for obvious reasons, we had tried to move as many folks as possible into our adjacent lower buildings, but we really couldn't afford to move the counter-terrorism shop," Hayden told a 9/11 congressional inquiry in October 2002. Hayden found the CT staff "emotionally shattered" and crying, but "defiantly tacking up blackout curtains on their windows to mask their location."
Domestic terrorist attacks, though a surprise, were not altogether unanticipated after the 1993 bombing of the World Trade Center. But Hayden knew that on the all-important home front, the NSA was deaf. "Sadly, NSA had no [signals] suggesting that Al Qaeda was specifically targeting New York and Washington, D.C., or even that it was planning an attack on U.S. soil," Hayden told the inquiry. "Indeed, NSA had no knowledge before September 11 that any of the attackers were in the United States."
To avoid charges of domestic spying, the NSA could not monitor Americans inside the country and some foreigners here -- absent a court order. They didn't constitute "foreign-intelligence value," in agency parlance. As Hayden explained in January at the National Press Club, even if the NSA had known of the hijackers' presence, "[they] would have been presumed to have been protected persons, U.S. persons," and therefore of no foreign-intelligence value, he said, his voice tensing. The agency also struggled to keep up with the overwhelming amount of raw intelligence it received every day, most of which was not related to terrorism.
Hayden understood that the terrorists had hatched their plans in this country. They had communicated here, moved about publicly, and left signals. If other terrorists were here, Hayden wanted to find them. "The standard by which we decided ... what [information] was relevant and valuable, and therefore, what was reasonable [to collect], would understandably change, I think, as smoke billowed from two American cities and a Pennsylvania farm field. And we acted accordingly."
Poindexter and Hayden knew that the signals of a future attack dwelled in a sea of noise full of mostly innocent activities. To find the enemies among us, they'd have to look, and listen, everywhere. Over the next two years, Poindexter and Hayden would hunt for signals on the sea. Sometimes they crossed paths.
While Poindexter's and Hayden's journeys were ostensibly separate, they hoped to arrive at the same destination -- knowing what terrorists would do before they acted.
Hayden left the NSA in 2005, to become the second-in-command of all intelligence agencies, but his successor continued his efforts. Some thought Poindexter's trek was finished when, three years ago, Congress eliminated funding for his early-warning research, amid fierce criticism from privacy-rights groups and civil libertarians. But Poindexter's brainchild lives on, in pursuit of the same elusive goal, and one of its biggest patrons is none other than Hayden's old harbor, the NSA. Today, the two men's visions appear more intertwined than ever.
On the morning of September 12, Poindexter called his friend Brian Sharkey, with whom he had worked on the early-warning systems. They lamented that they hadn't achieved their ultimate vision -- "total information awareness" of terrorist planning.
They decided to urge DARPA to back a full-fledged "TIA" system, as Poindexter called it, comprising the data-mining and analysis tools they had been designing, along with new ones. TIA would train its eyes not only on government databases but also on those caches of valuable, and presumably private, information where terrorists left their footprints, such as credit card purchases, e-mails, and plane and car rental reservations.
"We knew we must work fast and build a convincing case," Poindexter said in an interview. On October 15, 2001, he pitched his plan to DARPA's director, Tony Tether, comparing TIA to another pursuit of a war-ending weapon. Poindexter titled his presentation "A Manhattan Project for Counter-Terrorism."
The government had once harnessed the brightest minds to build the atom bomb. Now Poindexter wanted the sharpest computer scientists and terrorist experts to build an information weapon. He even suggested ensconcing TIA team members at a secret government facility, surrounded by high fences and concertina wire, to remind them of the seriousness, urgency, and sensitivity of their work.
Tether was impressed, and he said that if Poindexter returned to government and ran TIA, DARPA would fund it. Two months later, Poindexter became the director of the agency's Information Awareness Office and kicked off a slew of multimillion-dollar research projects. One of them was designed to create privacy protections so that TIA wouldn't ensnare anyone who wasn't a terrorist. Poindexter's original plan to make TIA classified was changed; making the program public helped to attract new ideas.
While Poindexter pitched DARPA, Hayden met with Bush administration officials about the NSA's role in a future war. The agency was monitoring communications among known or suspected terrorists, regardless of geographic location, under existing authority that allowed domestic surveillance as part of a terrorism investigation. But that authority would eventually expire.
Shortly after the 9/11 attacks, then-CIA Director George Tenet asked Hayden, "Is there anything more you can do?" In response, Hayden said at his recent nomination hearing to be CIA director, "I said, 'Not within my current authorities.' And [Tenet] invited me to come down and talk to the administration about what more could be done."
Hayden proposed monitoring terrorists' communications into and out of the United States indefinitely. Such a program would have to have specific boundaries, he testified. It would have to be "technologically possible," "operationally relevant" to the mission -- foiling or catching terrorists -- and "lawful."
The NSA "would work ... where all three of those [requirements] intersected," Hayden said. It wasn't the surveillance envisioned under the 1978 Foreign Intelligence Surveillance Act, Hayden conceded. This was "hot pursuit" of communications, a distinction that still isn't well understood, but one that Hayden said gave the NSA a faster way to find terrorist signals.
President Bush was impressed. Hayden "showed me the plans.... I said, 'That makes a lot of sense to me,' " Bush said in a speech in February. "I remember some of those phone calls coming out of California," where some of the 9/11 hijackers were living, "just thinking, maybe if we'd have listened to those on a quick-response basis, you know, it might have helped prevent the attacks." On October 4, 2001, the president issued an order "that laid out the underpinnings for what I described," Hayden said at his confirmation hearing. "The math was pretty straightforward. I could not not do this."
Unbeknownst to each other, Poindexter and Hayden started rigging up separate efforts. In February 2002, Poindexter established a secure, classified computer network for testing analysis software and tools that might be worked into TIA. As the system came together, this experimental network would be the engineers' Bonneville Salt Flats, a place to test-drive the state of the art. If tools passed muster there, they might end up in the design Poindexter had in mind.
"If there was a vendor with some great gizmo, they'd have to go through an arduous one- or two-year process to get that accredited by an intelligence agency," said Robert Popp, who was the No. 2 TIA official and Poindexter's deputy. "That didn't fit our parameters. We wanted to kick around these various technologies to see their utility. The network could put it through that whole two-year process in a few months."
Since intelligence agencies would be some of the ultimate users of TIA, Poindexter wanted them involved. He already had good contacts from his earlier work as a contractor on early-warning systems. He invited agencies to participate in TIA experiments by establishing "nodes," desktop computers connected directly to the network and housed in the agencies' offices. No agency collected more raw, noisy intelligence than the NSA, which was desperate to find ways to interpret the signals. It would be a natural TIA user, and so in late 2002, Poindexter met with NSA officials, including Hayden, and encouraged them to consider his approach.
The NSA agreed to participate in the experiments, and started installing nodes on the TIA network in early 2003. Poindexter also invited the Defense Intelligence Agency, the CIA, and several military combatant commands and intelligence brigades. All of the agencies used real data in the experiments. And the network was designed to let them share their intelligence. They could merge and cross-check, all in a closed environment. In that sense, the network was more than a test bed. It was also an information exchange.
Hayden seemed reticent about TIA, according to people who were privy to the early experiments. He was loathe to be seen publicly supporting the program. That may have been because the NSA was pursuing its own Holy Grail of analysis, apart from Poindexter's work. Indeed, the NSA's effort went back some years but had largely failed.
In the late 1990s, the NSA considered a novel approach to intercepting huge amounts of e-mail and phone traffic as part of a project called ThinThread. According to The Baltimore Sun, which revealed the program's existence last month, "ThinThread's information-sorting system was viewed by some in the agency as a competitor to Trailblazer, a $1.2 billion program that was being developed with similar goals.
The NSA was committed to Trailblazer, which later ran into trouble and has been essentially abandoned." A component of ThinThread exists today and is part of the domestic surveillance program, but it is less sophisticated and has created "a subpar tool for sniffing out information," The Sun reported.
In September 2002, just before the NSA joined Poindexter's laboratory, the agency's primary research unit began another TIA-like quest. The Advanced Research and Development Activity (ARDA), housed at NSA headquarters, awarded $64 million in contracts for the Novel Intelligence From Massive Data program, which was, according to former government officials, a spin-off of work that Poindexter and his team had begun almost a year earlier. At least six of the contractors who worked on TIA also worked on the NSA's version. Hayden's ship, it seems, was watching Poindexter's closely.
Rise and Fall
By mid-2002, the NSA was already secretly collecting huge amounts of phone and Internet data, as part of the terrorism program that Bush authorized. The agency was keen on finding a way to manage it all, but had found no technologies that could meet its dual needs -- sustaining a massive influx of information, in real time, and locating meaningful signals in it -- said sources who knew of the problem.
According to two former government officials, the NSA tried using the data-sorting and analysis tools developed under TIA. The early results, however, were unspectacular. When NSA researchers matched their data against those experimental computer programs, the tools crashed under the strain, one of the former officials said. The researchers did not conduct the tests on the network itself, sources said, suggesting that the NSA took tools that the network developed and used them on its own, without the knowledge of Poindexter's staff.
Documents show that the TIA network participants have tested at least four dozen tools using real intelligence data. The documents don't indicate which tools the NSA or any other agency specifically examined, but they do show that the NSA tested its own, homegrown versions on the TIA network as well.
The NSA was one of biggest players on the TIA network, but not the only one. As months passed, more agencies joined, and some began using TIA for real intelligence operations.
For instance, in 2003 the Pentagon's Criminal Investigation Task Force, which was established to fuse law enforcement and intelligence techniques in fighting terrorism, was interrogating detainees at the U.S. military facility at Guantanamo Bay, Cuba. Stacks of interrogation reports piled up, and the interrogators struggled to make sense of the information they contained. Some detainees frequently mentioned the same names or places. Some detainees claimed to know each other. Others didn't. The interrogators turned to the TIA network to help sort out the hundreds of reports and potential leads.
"They provided the interrogation reports to analysts, and [the analysts], using several link-analysis tools provided by TIA, tried to discover interesting nonobvious relationships," Popp said. Link analysis detects connections between people through common associates or backgrounds, and creates web-like diagrams of the connections.
"The link-analysis tools showed the interrogators things that were not apparent to them -- very valuable, useful information that they could then use in follow-up interrogations." Popp said that the investigators also knew after they concluded their interrogations that some detainees were not terrorists, so those reports were used to create a sort of baseline for what a nonterrorist looked like. The tools could then be calibrated to disregard certain attributes and search for others that were salient, Popp said.
TIA made more data available to the network members. Poindexter's team built a database of simulated intelligence reports about terrorists, including fake accounts of their daily activities that left transactional footprints, so that members could see how well the tools worked on information that mirrored their own.
The TIA researchers nicknamed the database "Ali Baba," a former official said, after the fictional Arabian Nights character who opens a cave hiding fabulous treasures by uttering the words "Open Sesame." Today, troops in Iraq use "Ali Baba" as a slang catchall for insurgents and suspected terrorists.
The TIA network also added real databases of known or suspected terrorists, as well as the people, places, and activities that had been linked to them. These caches, known as "entity databases," were highly classified and were open to other agencies with nodes on the network, according to former TIA officials and documents on the program.
As critics were chastising intelligence agencies for not sharing enough information about terrorism before 9/11, the TIA network partners were actively swapping leads and finding ways to give one another access to their highly classified intelligence.
Poindexter set out an ambitious schedule to enlarge the network and build an eventual TIA system. Every three months, an experiment was aimed at a specific milestone, such as creating an entity database, finding new ways for analysts to collaborate, or testing tools that uncovered terrorist aliases and hidden links between groups. Each experiment period had a code name -- "Mistral," "Sirocco," "Rafale," "Noreaster." The nomenclature paid homage to Poindexter's passion: sailing. Each name is a type of wind.
The TIA network was quickly becoming the most active experiment of its kind. In the network's first year, the number of individual users at agencies increased more than 35 times, from seven to 250. By August 2003, the network had 23 nodes and 320 users.
And then, the bottom fell out.
TIA had come under intense scrutiny from lawmakers and privacy advocates in late 2002, when a series of news articles brought the program to the attention of national policy makers. One piece, by New York Times columnist William Safire, assailed the program as a "far-out Orwellian scenario." It seized on Poindexter's plan to look at databases of personal information as a potential intelligence source. Safire derided TIA as the ultimate snooping machine.
TIA's existence was never a secret, and technology journalists had written about the program. But the national media attention raised questions about just how far the Bush administration was willing to go in the war on terrorism.
Safire also reminded readers that Poindexter was the central figure in the Reagan administration's greatest scandal. Poindexter oversaw the secret sale of missiles to Iran, in exchange for American hostages, and then funneled the proceeds to the anti-communist Contras in Nicaragua. In 1990, he was convicted on multiple felony counts stemming from the affair; an appeals court overturned the convictions a year later. "This ring-knocking master of deceit is back again with a plan even more scandalous than Iran-Contra," Safire wrote.
Poindexter had feared his past would catch up with him and tar TIA, he said in interviews. After Safire's column ran, Defense Secretary Donald Rumsfeld barred Poindexter from speaking publicly. Lawmakers were outraged that the government had even proposed TIA, much less put a once-convicted felon in charge.
Poindexter continued his work, but late in July 2003, The Times revealed that his group was studying a futures market that would let terrorism analysts place bets on likely attacks. Although academics and economists praised the idea -- futures markets can accurately predict commodities prices, housing sales, and sometimes even elections -- it looked perverse when it was attached to Poindexter's shop. The Pentagon forced Poindexter to resign less than two weeks later.
Aggrieved lawmakers and civil libertarians declared victory in September, when Congress eliminated funding in the Defense Department budget for TIA. But they might have missed the fine print. Lawmakers allowed classified intelligence funds to be spent on a "program ... for processing, analysis, and collaboration tools for counter-terrorism foreign intelligence." The program was TIA. And it was about to move to a new home, at the headquarters of the NSA.
Inherit the Winds
As National Journal revealed in February, the NSA's Advanced Research and Development Activity took over TIA and carried on the experimental network in late 2003. ARDA continued vetting new tools and even kept the aggressive experiment schedule, still named after different winds, documents show.
But it discontinued some programs, most notably a multimillion-dollar effort to build privacy-protection technologies. ARDA also abandoned the effort to build audit trails in TIA, which would have permanently recorded any abuse by users.
The experimental network's name was changed from TIA, to erase any connection to its past. Today it's called the Research Development and Experimental Collaboration (RDEC, pronounced ARdeck). The NSA is the biggest player, with at least 15 nodes as of December 2004, according to official documents. "I think it's considerably more today," said a former government official knowledgeable about RDEC. A spokesman for the NSA said he had no information to provide about the network.
Popp, the former TIA deputy director, emphasized that he didn't know if the NSA is using RDEC directly for the domestic surveillance program. "NSA is a big place," he said.
However, some of the tools that TIA developed and experimented with, Popp said, "no question, are the same sorts of tools that the NSA eavesdropping program could possibly use -- meaningfully -- for analytical purposes, based on what's publicly known about it. This certainly seems plausible to me." Popp has recently co-edited a book on technologies for counter-terrorism, and legal and policy structures for implementing them.
"I would bet that the tools NSA is using today [as part of the domestic program] are not the ones they started out with," said a former government official who was close to TIA and the NSA.
RDEC could enhance the domestic surveillance program if the NSA used it as an information-sharing device, to cross-check names and events with other agencies and firm up links, former officials said. In January, The Washington Post reported that the NSA shared information obtained from the domestic program with other agencies, including the Defense Intelligence Agency and the Counterintelligence Field Activity, a Pentagon counter-terrorism group that has collected information about war protesters near military facilities. Both agencies have nodes on RDEC.
The Defense Intelligence Agency, which like the NSA is overseen by the Pentagon, is one of the largest RDEC users. In an interview, Lewis Shepherd, the chief of the agency's Requirements and Research Group, said that RDEC is "the most successful attempt at bringing together a wide variety of analysts and agencies to work and think outside of the box collaboratively," specifically on counter-terrorism. "[It] opens access to a variety of data sources to different tools that haven't been able to access that data."
For example, RDEC lets analysts conduct repeated keyword searches on many different data streams, Shepherd said. It "sparks out-of-the-box innovation in how we do information-sharing."
Asked to elaborate on that innovation, Shepherd said, "It's all classified." But he offered the NSA as a general example. The agency's analysts are well trained in working with electronic signals, but they don't have much history in using other sources, such as satellite photos. RDEC lets NSA analysts, and others, "refine" the way they do their work, Shepherd said.
The former government official who was close to TIA and the NSA said it was "conceivable" that the NSA would use the RDEC to share information from the domestic program with other agencies. "It's a very good forum for doing that," the former official said.
On October 6, 2001, two days after Bush cleared Hayden to turn the NSA's ears inward, Hayden met with about 80 agency employees in a large conference room. They became the workforce of the secret program, and Hayden told them what they were allowed to do. "I was explaining what the president had authorized," Hayden recalled at his CIA nomination hearing. "And I ended up by saying, 'And we're going to do exactly what he said and not one photon or one electron more.' And I think that's what we've done."
Hayden had set boundaries -- what was technologically possible, relevant, and lawful. But he has vowed that the NSA will live on the edge of those boundaries. A great fan of sports analogies, Hayden has said in private and public gatherings that for years the NSA played defense against its adversaries. A legal line of scrimmage kept the agency from tackling terrorists inside the country.
But after 9/11, the lines of play were redrawn. The NSA would go right up to the boundaries. "My spikes will have chalk on them," Hayden reportedly told one group when describing the NSA's new game plan. He was clear: "We're pretty aggressive within the law. As a professional, I'm troubled if I'm not using the full authority allowed by law."
Poindexter also thought that 9/11 clarified his purpose. "The attacks brought ... the war to our home," he wrote in his resignation letter in 2003. "After ... 9/11, I felt compelled to do what I could to make sure that never happened again." No one had done enough on 9/10 to stop the next day's horrors. Poindexter and Hayden wouldn't make the same mistake twice.
Poindexter is gone from government, but he still maintains contacts within the intelligence community and exerts a quiet influence. Hayden left the NSA in April 2005 to become the first deputy director of national intelligence. From that office, he oversaw all intelligence activities. Later this year, the office will take over management of the Advanced Research and Development Activity, which runs RDEC. Hayden took over as CIA director in May.
Although they've moved on, Poindexter and Hayden have left a wide wake. Whether or not Poindexter's masterwork has become the centerpiece of Hayden's terrorist hunt, their sails were cut from the same cloth. Their goals were the same. The former official who was close to TIA and the NSA thinks that Hayden didn't want to be associated with Poindexter, either publicly or in government, given his controversial nature.
"I think that Hayden was concerned that [Poindexter's] research was going to call attention, and that would eventually lead people to ask questions about what NSA was doing," the former official said. When TIA was ensnared in controversy, Hayden stayed quiet about the NSA's involvement.
But Hayden was watching, and following the admiral's lead, the former official thinks. Today, what the NSA is known to be doing looks enough like TIA to suggest that Poindexter inspired Hayden and his team. "It's clear to me now, in hindsight, why Hayden really was so unwilling to publicly acknowledge TIA," the former official said. "It's because Hayden was doing many of the things Poindexter did."