Thursday, May 06, 2010

Catching Shahzad (Ears in the Sky Edition)

An RC-135 Rivet Joint SIGINT aircraft. Did an airborne intelligence platform--like this one--participate in the search for Times Square bombing suspect Faisal Shahzad? (Wikipedia photo)

Shortly after Times Square bombing suspect Faisal Shahzad was apprehended, various accounts began to circulate about how the authorities managed to track him down. One of the most intriguing appeared on the WCBS-TV website (and has since been removed). It suggested that intelligence assets were involved in tracing Shahzad's cell phone conversations. We instantly regretted not saving a copy of the story, but The Talkmaster saw the same item, and offered this summary:

They knew he had one of those throw-away cell phones, and they knew the number. It was the number he used to call the lady who sold him the SUV. So, as I understand it, our intelligence people had some "assets" in the air over New York City that were intercepting cell phone calls and sifting through them looking for this one number. Finally they caught this guy making a phone call to the reservations number for Emirates Airlines. Like I said, pretty scary, and impressive.

If we recall correctly, WCBS originally reported that "Army" intelligence aircraft were used in tracking the suspect's cell phone conversations. If that's the case (and no one has actually confirmed the original report by Channel 2), the most likely candidate is the RC-12 Guardrail, a Corps-level Army SIGINT asset that collects communications and electronic intelligence. Operating in groups of three, Guardrail aircraft can collect over a wide area and transmit their "haul" to ground collection stations.

However, Guardrail is somewhat unique among manned intel platforms because there is no on-board capability to analyze the signals it collects--that's why the ground station is so critical. Open-source information indicates the only Guardrail processing vans on the east coast are located at Hunter Army Airfield near Savannah, Georgia. If a ground station was deployed, then someone had to make a fast decision, and the van (and its team of analysts) was likely airlifted to a location in the northeast. Interestingly, the Army finished initial testing of its latest Guardrail aircraft in January of this year; the processor vans were upgraded several years ago.

But to accomplish the kind of signal search/processing used in locating Shahzad, you need a little more horsepower, for lack of a better term. If military assets were used--and that's a mighty big "if" (Posse Comitatus, anyone?)--then a more likely candidate would be the RC-135 Rivet Joint aircraft, or possibly, Senior Scout, a compartmentalized SIGINT package that can fit in the cargo bay of a C-130 aircraft with only minor modifications. The linked ANG press release indicates that Scout has worked with law enforcement in the past.

Did we also mention that these platforms (most notably, the RC-135) can beam their collection directly to the National Security Agency for further analysis and dissemination? If you're looking for a single cell phone--in a sea of millions--it's quite helpful to have NSA and its massive collection and identification capabilities on your side.

Still, using an organization like NSA to assist in the hunt for a terrorist (who happens to be an American citizen and is inside our borders to boot) puts the government on shaky legal ground. In most operations of this type, the Justice Department would have to go to the FISA court for a warrant, authorizing electronic surveillance for Mr. Shahzad. But, as we've learned in recent years, it sometimes takes two or three weeks to obtain that type of warrant--too slow to nab a suspected terrorist who may be trying to flee the country.

How would the feds overcome that legal obstacle? This is pure conjecture on our part, but in this type of scenario, something called Echelon would be quite useful. To be sure, the existence of the program (an information collection and sharing agreement between NSA and its British, Canadian and Australian partners) has been widely debated. Officially, NSA has refused to confirm that the program was established and remains operational.

So, for argument's sake, let's say the program exists, and provides significant collection and analysis for the western SIGINT agencies. We'll also speculate that this arrangement is largely transparent, with data being collected and exchanged almost instantaneously. With those capabilities in place, it would be possible for Britain's GCHQ (their version of NSA) to run collection against Faisal Shahzad, then tip U.S. authorities when he made that call to Emirates Air. That would give the feds actionable intelligence, allowing them to converge on JFK Airport, and remove the suspect from the Dubai-bound flight.

We should also mention that the "seamless" relationship allows organizations like GCHQ to receive and analyze information collected from U.S. platforms, like the RC-135. While the raw data was gathered by an American aircraft, the analysis is done by British specialists, who can then pass it on to their U.S. counterparts. It may sound like an unnecessary "extra" step, but if you're under enormous pressure to find an American suspect on U.S. soil--and you don't have the time to dot every "i" and cross every "t" in FISA court--this arrangement can provide an effective work-around.

Did this sort of operation transpire on Monday evening? We may never know, and that's probably just as well. As Mr. Boortz says, such capabilities are amazing, and a little scary, too.

ADDENDUM: Which brings us back to the original item reported by WCBS-TV. Either the story was completely off-base (a distinct possibility), or a federal official spoke a little too freely and the station was asked to spike the story. Additionally, we later managed to find a copy of the station's original report at the left-wing website FireDogLake:

Shahzad, 30, a Pakistan-born U.S. citizen, has been in custody since shortly after midnight. He was hauled off a plane in the nick of time as it was about to fly to the Middle East. CBS 2 obtained air traffic control recording intended to stop the pilots from taking off. The controller alerts pilots to "immediately" return to the gate.

In the end, it was secret Army intelligence planes that did him in. Armed with his cell phone number, they circled the skies over the New York area, intercepting a call to Emirates Airlines reservations, before scrambling to catch him at John F. Kennedy International Airport.

We don't often agree with the folks at FireDogLake, but they got it right in noting that the original WCBS report raises some rather interesting questions. We won't hold our breath waiting for answers.


tfhr said...

Guardrails over NYC?!

Not likely but I did like the FISA issues.

Marc said...

Please read this piece I did:

and contact me:

There's more to the story.

Corky Boyd said...

I doubt the intercept was from an aircraft, more likely it was from Echelon. But your observation that the Brits and the US exchange this information to get around FISA and UK legalities is probably correct. In essence it appears we are keeping tabs on their terrorist threats. And they ours.

If you will recall, when the multi-plane terrorist bomb plot was broken up several years ago, Michael Chertoff announced he had notified his counterpart in the UK of the threat. My first question was why we were informing the Brits of an internal threat. But we did.

A previous revelation that such sharing was going on came when a Canadian who had worked for their security service did a tell all (well, tell a lot) about the Echelon program on CBS's "60 Minutes." In it he told of an incident where two mothers were discussing their kids' school work and one said "my son bombed on the test." He said the woman was put under observation because of that keyword. Now the term "bombing on a test" is fairly unique to the US and it is likely the Canadians were keeping tabs on our terrorist threats.

I suspect a number of tips on terrorist activities we have given to Spain and other EU countries of plots come from sanitized versions of the same source.

tfhr said...

Corky Boyd,

What about a "test" as it applies to cricket?

Just saying.

Kurt said...

There is no requirement whatsoever that the cell signals were intercepted as RF emissions. It is far more likely that the cell phone calls were traced forensically using NarusInsight or a similar NSA monitoring system. The existence of these systems, coupled with the outrage that would erupt if it leaked that the US Government were ignoring Posse Comitatus, leads me to believe that the cell calls were intercepted and analyzed after the fact, once the RF entered the switched telephone network.

This may be even more scary than the idea of a Guardrail or an RJ on station over NYC, quite frankly. If the analysis was done forensically, that means that all call data, at least in the NYC area, was (and is) being recorded and stored. Since the US Government clearly wasn't expecting this attack, one can presume that all call data is recorded and stored for this purpose for some period of time. If I were a betting man, the call to Emirates Air is what gave the suspect away and allowed the Feds to track him down. This may also imply that systems such as NarusInsight have pre-programmed filters in place which highlight certain activities or organizations called.

I'm sure many in the US Government will tout this use of NarusInsight as a triumph of the broader intelligence community and use it as a justification for continued un-Constitutional monitoring; however, for me it's a frightening insight into just how much disregard the Government has for the restrictions of the 4th Amendment.