Tuesday, September 24, 2013

Investigation Update

***Long post, executive summary below!***

Ron Machen, the US Attorney who became famous for pulling 40 AP phone lines in the investigation of the Yemeni spy leak while also going after Fox's James Rosen in a North Korean leak by classifying him as a "co-conspirator", has announced a bust in the Yemen leak case:
Donald Sachtleben, a 55-year-old from Carmel, Ind., was an FBI agent for 25 years and worked on major cases, including the Oklahoma City bombing and the hunt for the Unabomber. According to paperwork filed in federal court, Sachtleben provided the national security information to the AP just nine days before he was arrested on the child porn charges, in a separate investigation.
Here's the charge sheet. Notice there is only a disclosure to the AP reporter on the existence of a bomb, which occurred via telephone on May 2, 2012.  He did not give up the existence of an agent on the 'inside', nor did the AP story, which first appeared on May 7 (after being cleared by the Obama administration after a five day delay, likely to allow us to drone al-Quso, one of the wanted USS Cole bombers).  Eric Holder has called this leak one of the worst ever in the history of the United States, which begs the question of why this man is getting more time for child porn than for leaking such a dangerous secret.

To set some backstory, once the AP story was published John Brennan, at the time an intelligence advisor to the president, called a telecon for a bunch of talking head generals and former spies to coordinate messaging before they went on TV to discuss the AP story. Why? Because, he claims, they had to push back on the idea that the AP story made earlier stories saying there were no credible threats of any attacks during the one year anniversary of the bin Laden takedown look like fables.

Here's Brennan explaining it during his confirmation hearing:

While it's true the Obama folks were not talking about credible threats, they were talking about possible threats--mainly due to the reemergence of AQAP bombmaker Ibrahim al-Asiri. Here's one such story that appeared on April 29th, 2012, before the leak:
While the intelligence community sees no credible or specific threat related to the one-year anniversary of Osama bin Laden's death, counterterrorism officials remain anxious about the Yemen group plotting attacks and aren't taking any chances.
Even Brennan himself had been building up the threat from AQAP in the weeks prior. While it's feasible to think that once the story got out it might make Brennan and his boss look like liars, the bottom line is whether that political hit was worse than losing a valued asset inside the terror group.

In other words, the leak was bad (and it didn't come from an Obama insider as speculated) but the decision to burn the agent DID come from the Obama administration. Senator Coats even asked Brennan if divulging that information, i.e., we have inside control, itself amounted to a leak, to which Brennan replied that it's not a leak if it has been declassified (which means POTUS wanted it out there).

But there's potentially more to this story.
For instance, was this lone wolf contractor AP's only source or did they cross check his info with other sources before going to get confirmation from the White House? From the charge sheet, here's an explanation of what the reporter did after hearing from Mr. Sachtleben about a bomb in custody:
Approximately two and-a-half hours later, Reporter A and another reporter from Reporter A's news organization contacted multiple United States Government officials and said that they knew the following facts:
So there were two reporters (Matt Apuzzo and Adam Goldman). The charge sheet only mentions 'Reporter A' communicating with Sachtleben. AP told someone at the White House they knew there was a bomb and FBI was analyzing it, but didn't know for sure whether it came from AQAP or not. Interestingly enough, in an earlier conversation with Sachtleben (April 30) Reporter A speculated in a text message that the FBI might have a bomb. This would be BEFORE Mr. Sachtleben had confirmed one:
...SACHTLEBEN and Reporter A exchanged text messages about al-Asiri and Reporter A's speculation about the FBI's recovery of a surgically implanted body bomb (also known as a "cavity bomb").
It goes on to say it wasn't the bomb recovered from the airplane plot and uses paragraph 7 to suggest that ABC's World News Tonight had set up the mention of cavity bombs, leading readers to believe that's where Reporter A got his curiosity, but this begs the question of why the AP reporter would be asking about a "recovered" bomb, which was not mentioned by ABC.  Had Reporter A been talking with other people and hearing things, then trying to get Sachtleben to confirm?

Indeed, the text message string shows the initial question asked about a recovered cavity bomb, followed by a vague comic reply by Sachtleben, then "not totally sure though" back from the AP guy. One normally doesn't say 'not totally sure' unless they've already heard something.

Yes, it could be a way to fish for information by making it appear he'd heard something, but Mr. Sachtleben surely doesn't seem to know, as he says he thinks a 10am news conference by the FBI might be about the bomb. When the press conference turned out to be about the Occupy Wall St bridge terrorists in Cleveland, Sachtleben texts back that he 'got that one wrong' but that there still might be something up and he would get back. So it sounds like he was trying to be a good source and confirm what the AP reporter had asked. His trip to the FBI lab was previously scheduled, so he wasn't going there on an intel mission.
Since no reputable reporter would go to press with only one source it's unlikely they would take a sole-sourced story to the White House for confirmation.  The White House could simply deny it.  The text says after Sachtleben got off the phone the two AP reporters were calling around to administration and/or government officials, telling them what they knew.  Or were they trying to get confirmation?  The charge sheet makes it sound like they were telling the White House they knew something and were going to report. Consider this line from the AP story eventually released:
The would-be suicide bomber, based in Yemen, had not yet picked a target or bought a plane ticket when the CIA stepped in and seized the bomb, officials said. It's not immediately clear what happened to the alleged bomber.
White House spokeswoman Caitlin Hayden said President Barack Obama learned about the plot in April and was assured the device posed no threat to the public.
Funny, the charge sheet says the bomb plot was 'disrupted', with the bomb for a 'US bound airliner'. But notice the rest--the White House added information to their story via a spokeswoman.  And when you tell reporters the bomb was 'no threat to the public' and that the 'CIA stepped in' and got it without any further clarification that only leads to more questions, questions the administration knew would still need to be answered.  One might ask whether the White House added the information when initially confronted or later.

We're left to wonder whether the AP had other sources, whether anyone in the White House saw fit to add to the AP's story and if so, when, and whether the asset really needed to be burned.  The irony here is that Machen later dragnetted the AP's phone lines without notification, which smacks of punishment.  Yes, right, nobody will care about any of it.

MORE  9/24/13

The indispensable Tom Maguire looks at the story and sees a few more questions:
So in the world being presented by the Justice Department and the Times, government officials became aware of an important leak when reporters began calling on May 2 2012 but only tracked the initial leak back to Sachtleben a year later.
But in the world I have been reading about lately the NSA has pretty much real-time access to all sorts of phone record metadata. So in a slightly different world from the one described by the Times, worried intelligence officials found out almost immediately who the AP reporter had recently spoken with that might have compromised the Yemen probe (which involved British and Saudi intelligence in an operation that was ongoing as of May 2, so the US leak was a potential international embarrassment).
And the next day the improbable kiddie porn raid shuts the guy up. Seriously - a guy with 25 years with the FBI was trading kiddie porn under the crafty account of "pedodave69@yahoo.com"? Hide in plain sight has been done.
In other words, the NSA could have potentially known immediately whose phone line connected with Apuzzo or Goldman at AP, perhaps by later in the day of May 2 when it became known the bomb story had been leaked, but since it was a domestic call they couldn't admit they knew. The charge sheet makes it clear they got the electronic data off Sachtleben's computer (i.e., it didn't come from the NSA). That leaves the question of why it took so long to finally bust the guy, but obvious answers might be 'the election' or 'had to make it look good', or 'we had to enact punishment on the AP for going to press before we could make the announcement on May 8'. But there are other possibilities.

In early reports Mr. Sachtleben seems overly contrite and apologetic for his crimes. That may be heartfelt, let's hope so, but with all the coincidences and questions left dangling it may be something else.  Again, will anyone care?


This is a long and wordy post that contains a lot of material that must be followed closely, so for those with little time or patience here's an executive summary:

The FBI had the computer and phone of the AP leaker a week after he leaked.  They had the PC due to a separate investigation into child porn, but they only looked for child porn on the PC, not national security leaks.  They are diligent.   Then it took one year to plod along and do the interviews and tap the AP phone lines--not that it was any kind of punishment for releasing their story before the White House could take credit, mind you--and realize the Mr. Sachtleben on the records was the same one they were trying to bust for child porn, an investigation that had apparently been put on hold for some strange reason.

So they busted him, but he didn't leak about the 'inside control' of the Yemeni AQ cell, John Brennan did.  But Brennan didn't leak because according to him that information--that we had inside control--was not classified.  The only way it wouldn't be of course is if the president had declassified it so they could tell the media.  So it was.  Now they are perp-walking Mr. Sachtleben as closing the case, yet we don't know if there were others the AP used to confirm their story or whether it was appropriate for the AQ insider story to be leaked, burning a spy, just to explain some talking points.

MORE  9/24/13

Here's the Politico's story, which contains this interesting segment:
“The phone records were necessary to identifying [Sachtleben] as the suspect,” said a federal law enforcement official. However, the official acknowledged that the FBI already had in its possession evidence linking him to the leak. Investigators in the separate child porn probe had his computer, which contained classified information.
But they didn’t search it for national security secrets because that wasn’t relevant to that inquiry, the official said. Only after the AP phone records pointed to Sachtleben as a suspect in the leak was the computer checked for classified information, setting in motion the leak charges, the official added.
This begs a couple of general questions. First, the above states that it was the AP call logs, which they claim occurred early in 2013, that nailed Mr. Sachtleben.  But the above quote says, "However, the official acknowledged that the FBI already had in its possession evidence linking him to the leak." That seems to go against what other outlets are reporting, such as the Guardian:
The justice department said in a statement that its pursuit of Sachtleben was made easier by the child pornography investigation, but that Sachtleben was not identified as a suspect in the leaks case until after investigators had analysed the AP phone records and compared them with other evidence in their possession.
So what was this other evidence they had? The computer?  Are they saying they didn't know what they had until they clandestinely studied the call logs?  Strange way of framing it, unless there are technical things we don't know about.

Also, when they are looking over a PC for something like child porn how do they avoid seeing things like pictures of grandma, financial statements, passwords and bank statements and copies of national security information? Once an agent has seen them can he somehow un-see them?  Or does it become a whisper to the boss--hey check this and they go out and get admissible evidence in a standard fashion?  

Anyway, here's a final thought on this from the Emptywheel.


Here's a story of Sachtleben's initial arrest in May 2012 for child porn. Notice the potential time he was facing:
If convicted, Donald Sachtleben could face 20 years in prison on the distribution charge and 10 years for possession.
So he was facing 30 years on the child porn by itself, with a serious espionage charge on top of that, but will be serving only 11?  Sounds like a pretty good plea deal.
