01:06 - Source: CNN
FBI agent: I'd never seen anything like this spy letter

Editor’s Note: Yudhijit Bhattacharjee is an award-winning writer who covers espionage, cybercrime, science and medicine. To learn more about this story, watch “Declassified” on CNNgo.

(CNN) —  

Before Edward Snowden’s infamous data breach, the largest theft of government secrets was committed by a man whose intricate espionage scheme and coded messages were made even more complex by his dyslexia.

His name was Brian Regan, and he would become known as “the spy who couldn’t spell.”

Regan foreshadowed Snowden in exploiting digital access to defense secrets on a massive scale, devising a meticulous strategy to download, copy and bury hundreds of pages of classified documents. He deployed a multi-layered encryption system to mask his messages to foreign governments and the location of burial sites.

Although he muddled the execution through a series of mistakes, Regan came dangerously close to succeeding. His heist revealed how vulnerable government secrets had become in the digital age.

Regan’s plot might never have been uncovered but for an informant who passed on a series of coded letters to the FBI in the fall of 2000. Those letters sent FBI Special Agent Steven Carr on a hunt to identify the sender, and authorities eventually tracked down and arrested Regan two weeks before September 11, 2001. Carr would spend the next two years hunting down and retrieving the cache of stolen secrets that Regan hid.

Below is the moment Carr began to unravel Regan’s extraordinary plot, adapted from my book, “The Spy Who Couldn’t Spell.”

Brian Regan was arrested in August, 2001 for stealing classified materials from the National Reconnaissance Office.
Brian Regan was arrested in August, 2001 for stealing classified materials from the National Reconnaissance Office.

On the morning of December 4, 2000, FBI Special Agent Steven Carr hurried out of his cubicle at the bureau’s Washington, D.C. field office and bounded down two flights of stairs to pick up a package that had just arrived by FedEX from FBI New York.

Carr, 38, was thoughtful, intense and meticulous in his work. Because of his aptitude for deduction and his intellectual doggedness, he’d been assigned to counterintelligence within a year after coming to the FBI in 1995. In his time at the bureau – all of it spent in the nation’s capital – he had played a supporting role in a series of high-profile espionage cases, helping to investigate spies such as Jim Nicholson, the flamboyant CIA agent who sold U.S. secrets to the Russians.

But like most agents starting out in their careers, Carr was keen to lead a high stakes investigation himself. That’s why he had responded with such alacrity when his squad supervisor, Lydia Jechorek, had asked him to pick up the package that morning. “Whatever it is, it’s yours,” she had said.

Carr raced back to his desk and laid out the contents of the package: a sheaf of papers running into a few dozen pages. They were from three envelopes that had been handed to FBI New York by a confidential informant at the Libyan consulate. The envelopes had been individually mailed to the consulate by an unknown sender.

Breathlessly, Carr thumbed through the sheets. In the first envelope was a four-page letter with 149 lines of typed text consisting of alphabets and numbers. The second envelope included instructions on how to decode the letter. The third envelope included two sets of code sheets: one that contained a list of ciphers, and another that listed dozens of words along with their encoded abbreviations, a system known as brevity codes. Together, the two sets were meant to serve as the key for decryption.

Carr flipped through the letter, skimming the alphanumeric sequence. It looked like gibberish, like text you might get if you left a curious monkey in front of a keyboard. There was no way to make sense of it without the code sheets and the decoding instructions. By mailing the three separately, the sender had sought to secure the communication against the possibility that one envelope might get intercepted by a U.S. intelligence agency. The sender had not anticipated that all three envelopes could fall into the FBI’s hands.

The New York office had already decoded a few lines of the letter. Carr’s pulse quickened further as he read the deciphered text:

“I am a Middle East North African analyst for the Central Intelligence Agency. I am willing to commit espionage against the U.S. by providing your country with highly classified information. I have a top secret clearance and have access to documents of all of the U.S. intelligence agencies, National Security Agency (NSA), Defense Intelligence Agency (DIA), Central Command (CENTCOM) as well as smaller agencies.”

To prove that this wasn’t a bluff, the sender had included in all three envelopes an identical set of government documents, 23 pages in all, some marked “CLASSIFIED SECRET,” some “CLASSIFIED TOP SECRET.” Most of them were aerial images taken by U.S. spy satellites, showing military sites in the Middle East and other parts of the world. Some of the documents were intelligence reports about regimes and militaries in the Middle East. It was evident from the markings on these images and reports that they had been printed after being downloaded from Intel Link, a classified network of servers that constituted the intelligence community’s Internet.

Brian Regan was seen on FBI surveillance cameras accessing classified information.
Brian Regan was seen on FBI surveillance cameras accessing classified information.

Carr studied the pages in stunned silence, oblivious to the comings and goings of colleagues around him. He had never seen anything like this before. Since joining the squad, he had followed up on dozens of letters tipping the FBI off to potential espionage. Most came from anonymous sources at U.S. intelligence agencies accusing a co-worker or colleague of being a spy. Rarely did such letters lead to the discovery of a real threat: more often than not, they turned out to be a case of erroneous judgment by the tipster, or a case of bitter workplace jealousy.

What Carr had in front of him seemed anything but a false alarm. The sender of the envelopes was no doubt a bona fide member of the U.S. intelligence community, with access to “top secret” documents, intent on establishing a clandestine relationship with a foreign intelligence service. The person had, in fact, already committed espionage by giving classified information to an enemy country. Carr might as well have been looking at a warning sign for a national security threat flashing in neon red. He filed the sheets neatly into a binder before stepping into his supervisor’s office.

“Lydia,” he said, sliding the binder across her desk. “You have to look at this.”

Carr showed her a matrix of clues he’d built from his gleaning of the pages. The system of brevity codes the sender had used – along with the concern for operational security – pointed to somebody with a military background. Before the FBI, Carr had spent 11 years in the U.S. Army and the National Guard, where he had used brevity codes in training exercises to communicate with fellow troops.

In Carr’s estimation, the sender of the envelopes likely had a more sophisticated knowledge of cryptology than just brevity codes. He had a “top secret” security clearance, which was marginally helpful, since it reduced the potential suspect pool from a few hundred thousand workers in the U.S. intelligence community who have a “secret” security clearance to a more limited population, on the order of tens of thousands. He also had access to Intel Link. And he was likely married, with children, as evidenced by a line in the letter, stating: “If I commit espionage, I will be putting myself and family at great risk.”

There was one other thing: the man was a terrible speller.

Scanning the six pages of brevity codes, Carr spotted one misspelled word after another. The sender had evidently put this codebook together by first printing out the typed letter in plaintext, then cutting out individual words and pasting them alongside abbreviations that he’d printed out separately on other sheets. Carr could deduce that because the words didn’t line up perfectly with the individual abbreviations. But the disorderliness in alignment was hardly as glaring as the misspellings, though.

AP: Anonmus

NH: Alligations

GR: Reveil

16: Precausion

CN: Negotianalable

DZ: Airbourn

KJ: Assocation

MY: Netralize

YF: Confrimed

The list went on and on. Here was a person who had gone to great lengths to accomplish “op sec,” but failed to run a basic spellcheck.

For the moment, though, Carr was focused on another set of clues. In the portion of the coded letter that the New York agents had deciphered, they’d found an e‑mail address the sender wanted to use for further communication.

With special permission from the U.S. attorney general, the agents asked the e‑mail service provider to let them pry into the account. They discovered that the account had been created four months earlier, on August 3, using Internet access from a public library in Prince George’s County, Maryland.

00:51 - Source: CNN
FBI watched potential spy doing 'odd stuff' in wooded area

The account had been accessed half a dozen times from public libraries around Washington, D.C., and the New York agents were certain that the individual lived somewhere in the greater Washington, D.C., metropolitan area.

Carr had marked the locations of the libraries with pins on a large map of the D.C. metro area. The pins were clustered in and around the towns of Bowie and Crofton in Maryland. The intelligence agency in closest proximity was the National Security Agency.

Located in Fort Meade, Maryland, the NSA has thousands of military employees, many with a background in cryptology, many with homes in the towns of Bowie and Crofton. Carr’s hunch was that the mole was likely from within the NSA’s ranks, even though he’d introduced himself as a CIA analyst. That line was possibly a red herring.

“What are we going to do?” Jechorek asked, the urgency in her tone mirroring Carr’s.

It was imperative that the FBI find this person as quickly as possible. Perhaps it was already too late.