Sysadmin spy left digital trail

The FBI investigation that lead to last week's arrest of a former Air Force sergeant on espionage charges had more in common with a modern Internet hacker hunt than a John le Carre novel, court records show.

Brian P. Regan, 38, was arrested Thursday at Washington Dulles International Airport while boarding a Lufthansa flight to Zurich, Switzerland. He's charged with conspiracy to commit espionage for allegedly passing classified satellite photos and secret documents to an unnamed foreign government, called 'County A' in court filings, identified in a Washington Post report as Libya.

Regan had been posted at the super-secret National Reconnaissance Office (NRO) in Virginia, the Defense Department organization responsible for building and controlling the United States' network of orbiting reconnaissance satellites.

According to a 19-page FBI affidavit filed in the case last week, which relies much on unidentified "reliable source information", Regan began his abortive espionage career in August 2000, shortly after retiring from military service.

Regan allegedly introduced himself to 'Country A' by passing it a set of overhead satellite photos, as well as a CIA intelligence report, two pages from a classified CIA newsletter, and other documents.

At the same time, Regan, a former system administrator, gave his would-be handlers a number of encrypted messages, and a plaintext message written in English. "The initial, unencrypted message appears to be an introductory letter containing instructions to prevent detection of the messages by the US government," reads the affidavit.

While the court records don't indicate what encryption system Regan favored, it evidently didn't pose an insurmountable obstacle to the FBI. "The encrypted messages, which were decrypted by the US government, set forth contact instructions, establish bona fides, and offered to provide additional classified information," the affidavit reads.

Regan's alleged contact instructions had a decidedly information age twist.

Rather than arrange a rendezvous in a dark alley or a smoke-filled bar, Regan allegedly referred 'Country A' to a free Internet email account he established under the alias Steven Jacobs. When FBI agents obtained logs from the email provider, they found that the account had been used nine times, all of them from Internet terminals at public libraries near Regan's home or office. One of them, in Crofton, Maryland, was five miles from Regan's home.

"Physical surveillance of Regan during May through August 2001 indicated that Regan regularly utilized the public internet access located in the Crofton library," reads the affidavit.

While the free email provider's records incriminated Regan on one end, computer forensics and government network logs fingered him on the other.

Suspect surfed secret Web

According to the affidavit, most of the images and documents Regan is accused of passing came from Intelink, a classified global intranet that links the thirteen US intelligence agencies to each other, and to their 'customers' in the White House, Congress, the Pentagon and other government agencies.

Developed in the mid-90s, Intelink is estimated to have over 50,000 users with access to 'special compartmentalized information' housed on some 200 servers at over 100 physical sites. Another 265,000 users have access at the lower 'secret' level.

Intelink addresses take the form http://www.nro.ic.gov or http://www.cia.ic.gov. The resemblance to Internet URLs is not coincidental-- the classified network is isolated from public access, but uses the same protocols and software as the public Internet. Intelligence analysts and operatives surf its secrets with the ease of an Internet user shopping for books online. And like the Internet, Intelink has seen an explosion of growth in recent years -- albeit behind closed doors.

"Just as the Web as taken off in the real world, the Intelink web has taken off in the intelligence community," says Fredrick Thomas Martin, a former NSA official and author of Top Secret Intranet --- How US Intelligence Built INTELINK, The World's Largest, Most Secure Network. "Anything that is Web enabled and uses Web technology, the intelligence community has latched onto on Intelink," Martin says.

Martin, whose Web site includes an Intelink simulation, says that the network's unbridled expansion troubled some in the intelligence community, who were long accustomed to handling knowledge on a 'need to know' basis. "They finally realized that they have big security problem here... People might access things that they shouldn't have access to," Martin says. "They nearly shut it down."

Instead, Intelink restricts which Web sites legitimate users can browse. "You have to have a digital certificate to access certain things," says Martin. "You have to be cleared for whatever you see."

Those access control mechanisms may have played a critical role in the FBI's investigation of Regan.

According to the affidavit, when FBI agents scoured the hard drive of Regan's former office computer in April 2001 they found that "someone using Regan's password" had surfed to an Intelink URL for one of the overhead photos offered to 'Country A', and visited four URLs for other documents that were passed at the same time.

Server logs from Intelink web sites tied Regan's machine to three more documents, and "Intelink audit records indicate that the URL for the CIA intelligence report....was accessed from the computer in Regan's former office at 8:52 p.m." on the day that the copy passed to the 'Country A' was printed out.

A few months after retiring from the Air Force in August 2000, Regan went back to work at NRO as a employee of defense contractor TRW. His security clearance was reinstated in July, one month before his arrest.

Regan isn't the first accused spy with computer expertise. Computer logs provided damning evidence against FBI mole Robert Hanssen, who pleaded guilty last month to selling the United States' most precious counter-intelligence secrets to Russia.

Hanssen, an experienced computer programmer, passed information to his Russian handlers on encrypted floppy disks, kept reminders of his clandestine appointments in his Palm organizer, and routinely searched FBI computers for hints that his co-workers might be on to him.

© 2001 SecurityFocus.com, all rights reserved.