Missed Calls

On March 20, 2000, as part of a trip to South Asia, U.S. President Bill Clinton was scheduled to land his helicopter in the desperately poor village of Joypura, Bangladesh, and speak to locals under a 150-year-old banyan tree. At the last minute, though, the visit was canceled; U.S. intelligence agencies had discovered an assassination plot. In a lengthy email, London-based members of the International Islamic Front for Jihad Against Jews and Crusaders, a terrorist group established by Osama bin Laden, urged al Qaeda supporters to “Send Clinton Back in a Coffin” by firing a shoulder-launched missile at the president’s chopper.

The same day that Clinton was supposed to visit Joypura, the phone rang at bin Laden’s operations center in Sanaa, Yemen. To counterterrorism specialists at the National Security Agency (NSA) in Fort Meade, Maryland, the Yemeni number—967-1-200-578—was at the pinnacle of their target list. They monitored the line 24/7. But at the time, the agency now claims, it had no technical way of knowing who was placing the call. The culprit, it would later be revealed, was Khalid al-Mihdhar, one of the men bin Laden had picked months earlier to lead the forthcoming 9/11 attacks. He was calling from his apartment in San Diego, California.

The NSA knew about Mihdhar’s connection to bin Laden and had earlier linked his name with the operations center. Had they known he was now reaching out to bin Laden’s switchboard from a U.S. number, on the day an al Qaeda-linked assassination plot was planned, the agency could have legally obtained an order to tap the San Diego phone line. The Foreign Intelligence Surveillance Court, in fact, approves eavesdropping on suspected terrorists and spies in the United States. By monitoring Mihdhar’s domestic calls, the agency certainly would have discovered links to the 9/11 hijackers living on the East Coast, including Mohamed Atta.

It’s likely, in other words, that 9/11 would have been stopped in its tracks.

A decade and a half later, that call and half a dozen others made from the San Diego apartment are at the center of the heated debate over the NSA’s domestic surveillance activities—namely the agency’s collection of the public’s telephone metadata, which George W. Bush’s and Barack Obama’s administrations have claimed was authorized by the 2001 Patriot Act. (That law expired this June and was replaced with the USA Freedom Act, which states that, without a warrant from the Foreign Intelligence Surveillance Court, the NSA will no longer have access to telephone metadata records.)

According to Michael Hayden, the NSA’s director from 1999 to 2005, the failure to realize that the man phoning Sanaa was located in San Diego was evidence that mass surveillance is vital to U.S. national security. “Nothing in the physics of the intercept, nothing in the content of the call, told us they were in San Diego,” Hayden told Frontline in 2014. “If we’d had the metadata program … those numbers in San Diego would have popped up.”

It’s a sentiment shared by a host of national leaders, including President Obama. “One of the 9/11 hijackers, Khalid al-Mihdhar, made a phone call from San Diego to a known al Qaeda safe house in Yemen,” he said in a 2014 speech at the Justice Department. “NSA saw that call, but it could not see that the call was coming from an individual already in the United States. The telephone metadata program under Section 215 [of the Patriot Act] was designed to map the communications of terrorists so we can see who they may be in contact with as quickly as possible.”

But according to some former senior NSA officials, the agency did have the technical capability in 2000 to determine that the calls to bin Laden’s operations center came from California. “They’re trying to cover up the failure of the NSA,” said J. Kirk Wiebe, a former senior analyst who worked at the NSA for 32 years, until October 2001. “And I think they’re embarrassed by that.”

* * *

The coverage of the operations center in Yemen was what NSA veterans describe as “cast iron.” Wiebe explains: “You have a target so important to the system that you don’t ever tune a receiver away from that frequency or off of that target.” And, of course, every phone transmission is automatically accompanied by information required to charge the correct phone companies. “You know the phone numbers involved, who’s making the phone call, and who it’s going to because the billing system has to have that metadata to charge you,” Wiebe notes. All that was required to track a number of interest, in short, was access to phone companies’ records or technology.

During a private lunch in Washington, former NSA Senior Executive Service member William Binney, who was in charge of automating the agency’s worldwide eavesdropping operations, detailed how interception worked. “When you have a [cast-iron] number like that, it’s tasked at multiple sites, so any call coming into or out is hit by multiple sites and recorded, first of all, but also transcribed as soon as [NSA analysts] have a transcriber available,” Binney said. The signal “could go by satellite or cable, or a mix,” he said, adding that the cooperating phone companies then “would pop it right into our recorders.”

Beyond eavesdropping on satellite signals from dishes on the ground, the NSA was also able to get inside satellites themselves, often through covert agreements with personnel of telecommunications companies and occasionally without the knowledge of upper management. With access to satellites, the NSA could pick and choose what country codes, city codes, and specific phone numbers it wanted to intercept and secretly transmit information to an agency facility.

According to another high-ranking NSA veteran who asked not to be named, among the businesses with which the agency had relationships was Inmarsat, a satellite telecom company whose services bin Laden had used to communicate with contacts while in Afghanistan. “It’s Inmarsat for Christ’s sake. We have certain arrangements,” the former NSA staffer said, adding that the setup was similar to Prism, the NSA’s program in which it cooperated with major Internet companies, such as Google and Yahoo, to collect user data.

The NSA, the source said, was also able to covertly eavesdrop on another major satellite system: Thuraya. Based in the United Arab Emirates, Thuraya provides mobile coverage to more than 160 countries throughout Europe, Africa, Asia, and the Middle East. This company, like most others of its ilk, encrypts communications signals as they travel up to a satellite and then down to a ground station; however, the NSA cracked the encryption. “Our secret was that the Thuraya system had been broken for a long time—deep state secret,” the source said. “Routinely, we could intercept [the satellite transmission] at will. We could take any number that was being dialed in or out … [and] listen in literally live on any conversation or after the fact.… One of the things NSA became very good at was breaking satellite communications systems.”

The NSA, in other words, was able to monitor every call going into and out of the al Qaeda operations center in Yemen—including the 221 calls that came in from bin Laden’s phone in Afghanistan.

* * *

After 9/11, Thomas Drake, a member of the NSA’s Senior Executive Service, was assigned to provide an overview of what the agency knew at the time of the attacks to a Senate subcommittee during a closed-door hearing. In his research, Drake discovered the transcripts of the calls from Mihdhar to the Sanaa operations center. “We essentially had cast-iron coverage on that safe house at least since 1996.… People don’t realize how much NSA actually knew about the network,” he told me during a recent dinner. “Some of the best analysts, traditionally trained analysts, had essentially in early ’01 put together a pretty good picture,” Drake added. (He left the agency in 2007 and was later indicted for leaking NSA documents to the

Baltimore Sun. Those charges were eventually dismissed; I was a member of his defense team.)

When Drake heard Hayden’s denial that the NSA had the technical capability to determine that Mihdhar was calling from San Diego, he completely disagreed. “Not true. That’s an absolute lie,” he said. “Every number that comes into that switchboard, if you’re cast-iron coverage on that switchboard, you know exactly what that number is and where it comes from.… You know exactly—otherwise it can’t get there.”

Another problem, according to Drake, was that before the 9/11 attacks, the NSA didn’t share what it knew with other federal intelligence agencies—and it has sought to cover up its negligence after the fact. Drake put this in his report for the subcommittee, he said, but the document was rejected by his boss at the NSA, who subsequently removed him from the hearing’s roster of participants.

Confirmation of what Drake uncovered comes from Michael Scheuer, who ran the bin Laden desk at the CIA prior to 9/11. He knew the NSA had succeeded in developing cast-iron coverage of the al Qaeda operations center in Yemen, but that it refused to share the raw intelligence with his agency. “Inmarsat calls were very important,” he said, “and we knew that because NSA had told us … not only [in] the run-up to 9/11, but to the attacks in East Africa [in 1998] and other places.”

In desperation, according to Scheuer, the CIA constructed its own satellite dish in the Middle East to intercept calls. “Eventually, CIA built its own collection capability, but we could only collect one side of the conversation—I can’t remember if it was the up-going side to the satellite or the down-coming side.” After collecting and translating its part of the intelligence, the CIA would request the remaining intelligence from the NSA “so we could better understand it,” he said. “But we never got it.”

“We sent about 250 electronic messages … and not one of them was ever answered,” he claims. To make matters even worse, nor did the NSA share the information with the FBI, according to the 9/11 Commission.

* * *

In an agency filled with secrets, the NSA’s failure to detect the 9/11 plot or help other agencies do so is probably its deepest and darkest. For years, rather than reveal the true nature of the blunder, the agency has instead propagated the fable that it missed that San Diego call in 2000 for technical reasons. Consequently, the Bush and Obama administrations conducted what amounted to ironclad surveillance of Americans’ phone activity for more than a decade.

The dragnet metadata operation, finally declared illegal by a federal appeals court this year, was likely the largest and most secretive domestic surveillance program ever undertaken. Yet the public only became aware thanks to the information leaked by Edward Snowden. Today, other NSA whistleblowers are claiming that the program was based on a lie. They’re also demanding answers to tough questions: How were certain key phone numbers missed in surveillance—or were they at all? And why did the NSA refuse to share with the CIA and FBI the full details of what it collected from bin Laden’s operations center in Yemen?

Fourteen years after the 9/11 attacks, it seems time for the NSA and the White House to reveal what really happened—and to replace, once and for all, fiction and lies with facts and the truth.

Illustration by Matthew Hollister