The NSA’s Retroactive Discovery of Tamerlan Tsarnaev

In the days after the Boston Marathon attack last year, NSA made some noise about expanding its domestic surveillance so as to prevent a similar attack.

But in recent days, we’ve gotten a lot of hints that NSA may have just missed Tamerlan Tsarnaev.

Consider the following data points.

First, in a hearing on Wednesday, Intelligence Community Inspector General Charles McCullough suggested that the forensic evidence found after the bombing might have alerted authorities to Tamerlan Tsarnaev’s radicalization.

Senator Tom Carper: If the Russians had not shared their initial tip, would we have had any way to detect Tamerlan’s radicalization?

[McCullough looks lost.]

Carper: If they had not shared their original tip to us, would we have had any way to have detected Tamerlan’s radicalization? What I’m getting at here is just homegrown terrorists and our ability to ferret them out, to understand what’s going on if someone’s being radicalized and what its implications might be for us.

McCullough: Well, the Bureau’s actions stemmed from the memo from the FSB, so that led to everything else in this chain of events here. You’re saying if that memo didn’t exist, would he have turned up some other way? I don’t know. I think, in the classified session, we can talk about some of the post-bombing forensics. What was found, and that sort of thing. And you can see when that radicalization was happening. So I would think that this would have come up, yes, at some point, it would have presented itself to law enforcement and the intelligence community. Possibly not as early as the FSB memo. It didn’t. But I think it would have come up at some point noting what we found post-bombing.

Earlier in the hearing (around 11:50), McCullough described reviewing evidence “that was within the US government’s reach before the bombing, but had not been obtained, accessed, or reviewed until after the bombing” as part of the IG Report on the attack. So some of this evidence was already in government hands (or accessible to it as, for example, GCHQ data might be).

We know some of this evidence not accessed until after the bombing was at NSA, because the IG Report says so. (See page 20)

That may or may not be the same as the jihadist material Tamerlan posted to YouTube in 2012, which some agency claims could have been identified as Tamerlan even though he used a pseudonym for some of the time he had the account.

The FBI’s analysis was based in part on other government agency information showing that Tsarnaev created a YouTube account on August 17, 2012, and began posting the first of several jihadi-themed videos in approximately October 2012. The FBI’s analysis was based in part on open source research and analysis conducted by other U.S. government agencies shortly after the bombings showing that Tsarnaev’s YouTube account was created with the profile name “Tamerlan Tsarnaev.” After reviewing a draft of this report, the FBI commented that Tsarnaev’s YouTube display name changed from “muazseyfullah” to “Tamerlan Tsarnaev” on or about February 12, 2013, and suggested that therefore Tsarnaev’s YouTube account could not be located using the search term “Tamerlan Tsarnaev” before that date.[20] The DOJ OIG concluded that because another government agency was able to locate Tsarnaev’s YouTube account through open source research shortly after the bombings, the FBI likely would have been able to locate this information through open source research between February 12 and April 15, 2013. The DOJ OIG could not determine whether open source queries prior to that date would have revealed Tsarnaev to be the individual who posted this material.

[20] In response to a DOJ OIG request for information supporting this statement, the FBI produced a heavily redacted 3-page excerpt from an unclassified March 19, 2014, EC analyzing information that included information about Tsarnaev’s YouTube account. The unredacted portion of the EC stated that YouTube e-mail messages sent to Tsarnaev’s Google e-mail account were addressed to “muazseyfullah” prior to February 12, 2013, and to “Tamerlan Tsarnaev” beginning on February 14, 2013. The FBI redacted other information in the EC about Tsarnaev’s YouTube and Google e-mail accounts.

The FBI may not have been able to connect “muazseyfullah” with Tamerlan, but that’s precisely what the NSA does with its correlations process; it has a database that does just that (though it’s unclear whether it would have collected this information, especially given that it postdated the domestic Internet dragnet being shut down).

Finally, there’s the matter of the Anwar al-Awlaki propaganda.

An FBI analysis of electronic media showed that the computers used by Tsarnaev contained a substantial amount of jihadist articles and videos, including material written by or associated with U.S.-born radical Islamic cleric Anwar al-Aulaqi. On one such computer, the FBI found at least seven issues of Inspire, an on-line English language magazine created by al-Aulaqi. One issue of this magazine contained an article entitled, “Make a Bomb in the Kitchen of your Mom,” which included instructions for building the explosive devices used in the Boston Marathon bombings.

Information learned through the exploitation of the Tsarnaev’s computers was obtained through a method that may only be used in the course of a full investigation, which the FBI did not open until after the bombings.

The FBI claims they could only find the stuff on Tamerlan’s computer using methods available in full investigations (this makes me wonder whether the FBI uses FISA physical search warrants to remotely search computer hard drives).

But that says nothing about what NSA (or even FBI, back in the day when they had the full time tap on Awlaki, though it’s unclear what kind of monitoring of his content they’ve done since the government killed him) might have gotten via a range of means, including, potentially, upstream searches on the encryption code for Inspire.

In other words, there’s good reason to believe — and the IC IG seems to claim — that the government had the evidence to know that Tamerlan was engaging in a bunch of reprehensible speech before he attacked the Boston Marathon, but they may not have reviewed it.

Let me be clear: it’s one thing to know a young man is engaging in reprehensible but purportedly protected speech, and another to know he’s going to attack a sporting event.

Except that this purportedly protected speech is precisely — almost exactly — the kind of behavior that has led FBI to sic multiple informants and/or undercover officers on other young men, including Adel Daoud and Mohamed Osman Mohamud, even in the absence of a warning from a foreign government.

And they didn’t here.

Part of the issue likely stems from communication failures between FBI and NSA. The IG report notes that “the relationship between the FBI and the NSA” was one of the most relevant relationships for this investigation. Did FBI (and CIA) never tell the NSA of the Russian warning? And clearly they never told NSA of his travel to Russia.

But part of the problem likely stems from the way NSA identifies leads — precisely the triaging process I examined here. That is, NSA is going to do more analysis on someone who communicates with people who are already targeted. Obviously, the ghost of Anwar al-Awlaki is one of the people targeted (though the numbers of young men who have Awlaki’s propaganda is likely huge, making that a rather weak identifier). The more interesting potential target would be William Plotnikov, the Canadian-Russian boxer turned extremist whom Tamerlan allegedly contacted in 2012 (and it may be this communication attempt is what NSA had in its possession but did not access until after the attacks). But I do wonder whether the NSA didn’t prioritize similar targets in countries of greater focus, like Yemen and Somalia.

It’d be nice to know the answer to these questions. It ought to be a central part of the debate over the NSA and its efficacy or lack thereof. But remember, in this case, the NSA was specifically scoped out of the heightened review (as happened after 9/11, which ended up hiding the good deal of warning the NSA had before the attack).

We’ve got a system that triggers on precisely the same kind of speech that Tamerlan Tsarnaev engaged in before he attacked the Marathon. But it didn’t trigger here.

Why not?

  1. emptywheel says:

    Note: there’s one other reason they might not have given Tamerlan the same treatment they gave Adel Daoud. They appear to have the ability to put individuals (I’ve always suspected, people like members of Congress) on defeat lists. There were allegations the government reached out to Tamerlan as an informant. If so, it might explain why he didn’t come up on review.

    • orionATL says:

      and that would be exactly my guess – tamerlan was well-known to the fbi and may have been working for them.

      nothing he did – “inspire” being accessed multiple times but not being noted, meeting with canadian, you tube videos, etc – could not be explained if he were an fbi agent (or a cia not “working” within u.s.).

      that might explain why todashev was murdered, to keep him from talking.

      having an uncle connected to cia who publicly, loudly disowned tamerlan post boom.

      whenever fbi/cia/or others of the secret brotherhood come out with a pat excuse for failure, it warrants scepticism from us polloi.

  2. TarheelDem says:

    Missing Tamerlan Tsarnaev because he was considered “friendly” to the FBI or other government agencies, whether as an informant or in another capacity is a reasonable hypothesis for the Homeland Security apparatus’s failure to prevent the bombing, despite its monumental budgets and powers.

    Retroactive discoveries often have a CYA purpose and not infrequently involve invented or tarted up data. The suspicion of malfeasance by authorities increases in proportion to the redacted area on the page. Who benefits by letting one bomber through?

  3. bloopie2 says:

    You state, “We’ve got a system that triggers on precisely the same kind of speech that Tamerlan Tsarnaev engaged in before he attacked the Marathon.”

    Is that the system you refer to earlier, as follows? “… that’s precisely what the NSA does with its correlations process; it has a database that does just that (though it’s unclear whether it would have collected this information, especially given that it postdated the domestic Internet dragnet being shut down).”

    If that is the same system, then is this NSA correlations process/database, “Good” because it might have helped to prevent the bombings? Or is it one of those “Bad” ones that many of us have attacked previously for being too invasive and/or uncontrolled? It can’t be both, can it?

    • TarheelDem says:

      If that process of adding to the noise in the database was so good, why did it miss Tsarnaev (if indeed Tsarnaev did perform the bombing) and why has it picked up youth whose sole use to the FBI is as informants, not suspects? If a suspect is out to do damage, the worst thing to do is to turn them into an informant.

      So the way NSA is going about things is bad on both scores; too many false positives, too many false negatives, and being incapable of doing exactly what it was sold to the public and Congress as doing. There is no trade-off here. It’s an effed-up boondoggle.

    • emptywheel says:

      It is bad when used as an excuse to throw 3 FBI Agents at a kid to entrap him in a crime. It’s also bad when used to coerce someone to turn informant.

      I have questions about some of the correlations used, and the equity of targeting stuff Muslims might read but not white supremacists. And it’s not clear it has ever worked to prevent an attack.

      So while many aspects, as applied, are bad, the jury is still out whether or not there is some good.

      • bloopie2 says:

        Thanks. In retrospect I see that my question was not clear. I meant to ask whether the program that might have captured him (which capture would have been a Good Thing) is arguably being claimed to be unconstitutional (which would make said program a Bad Thing). That, regardless of whether it is being used appropriately or not. I ask this because your post did not address the legality/constitutionality of the program, only addressing its possible effectiveness. Is there a corresponding value judgment as to its possible constitutionality? That is, should we disband it even though it might have saved the day in Boston?

        • emptywheel says:

          I think the biggest constitutional question is the upstream search I suspect–though can’t confirm yet–they do on Inspire. FISC has approved it, but I don’t think it would hold up under scrutiny (though I think the cyber application is even worse).

          The rest of what we know about is open source.

  4. Saul Tannenbaum says:

    Lisa Monaco was in Cambridge on the anniversary of the bombing to tell the (Muslim) community that “radicalization” happens out of view of the government and that the (Muslim) community needs to keep an eye on its own. It was one of those speeches that you have to go back and read the prepared text to make sure that, yeah, she really was talking about making teenage rebelliousness into thought pre-crime:

    That’s one of the ways this train of thought leads: With all this surveillance we’ve built, we still can’t find guys like this, so not only do we need to double down on the dragnet and turn the world into the haystack, we need you good folks to find the needles for us.

  5. Ben Franklin says:

    The pressure-cooker bomb was highlighted in Awlaki’s purported online magazine Inspire.

    However there is some doubt as to the publication’s authenticity.

    “Still,” wrote Ambinder, “It is possible, although not likely, that the magazine is a fabrication.” Indeed, here are some reasons to question the authenticity of this document:

  6. this is why they pay Lisi the big bucks says:

    Instructive flurry of ass-covering here: NCS inklings, and now a CIA warning!

    Tragically ignored. Sigh.

    The choreographed congressional tizzy over government agencies’ failure to communicate is a lame attempt to divert attention from the kinds of questions a real independent reviewer would ask about a bombing that smells. The kind of questions Hans Köchler asked about Lockerbie, for example. A bog standard CIA-run show trial for Jokar won’t be able to hide all the Gladio fingerprints. Jokar will be made to plead out or he will eat his socks and die.

    But here’s where it gets interesting. US state treatment of an alien raises questions that could be litigated in an actual independent court. Imagine this case teed up for a real court like ICJ. Considering the devastating OPSEC lapses that have only begun to come out, the case would be uncontainable. Considering the indications that US officials exploited the bombing to stoke illegal great-power confrontation – the case could be a bombshell. Russia has not yet gone to the ICJ like other US punching bags, but it has accepted ICJ jurisdiction. Think what Russia could do with a case like this: an armed attack on the US population. Objective whodunit could blow huge holes in the US government’s legitimacy, abroad and at home.

    This is how you know that the US will back down over Ukraine.

  7. Jeff A. Taylor says:

    The thing that keeps getting dropped is that the feds would’ve had eyes on the family long before the FSB “tip” in 2011. That tip may well have brought the FBI into the loop — not so other federal entities who dealt with the family’s asylum claims. Plus Jahir’s citizenship application — which was approved right after Tamerlan returned from Dagestan — creates another distinct “trigger” for the Snowden doc programs completely apart from the Tamerlan FSB route. Bottom line, it seems exceedingly unlikely to me that the NSA failed to ID/monitor the family for SOME federal entity, if not the FBI.

    A common-sense reading of the known timeline suggests that Tamerlan was promised his and Jahir’s US citizenship by federal entities as yet unknown in exchange for undertaking the trip to Dagestan (recall it was lack of citizenship that was cited as the reason for the sudden end to Tamerlan’s moderately successful amateur boxing career) — but perhaps because the FSB kept killing everyone Tamerlan tried to meet with in Dagestan (perhaps embarrassing these federal operators) the deal was modified upon Tamerlan’s return and another overseas excursion was proposed.

    A sense of betrayal by the national security state then becomes a plausible motive for the bombings.

  8. john francis lee says:

    ‘ We’ve got a system that triggers on precisely the same kind of speech that Tamerlan Tsarnaev engaged in before he attacked the Marathon. But it didn’t trigger here.
    ‘ Why not? ‘
    Because he was one of the CIA’s ‘good’ terrorists. That’s why not.

  9. Les says:

    Didn’t he get kicked out of a mosque several times for the kind of speech that triggers suspicions…except that they suspected he was an undercover FBI informant?

    With all the stings the FBI is running at any given time, there has to be a considerable amount of noise out there drowning out the real threats.

    • P J Evans says:

      I seem to remember hearing about that – and a mosque that ignores that kind of speech would end up on a list that would get it far more attention.

