Witness after witness in the Jeffrey Sterling trial made claims about how closely held the program was. “More closely held than any other program,” Walter C, a physicist who worked on the program described. “More closely held,” David Shedd, currently head of the Defense Intelligence Agency and head of Counterproliferation Operations until just after the Merlin op, said.
Of course, Bob S’ admission that — when FBI showed him a list, in 2003, of 90 people cleared into the program, he said it was incomplete — suggests all those claims are overstated.
But the details of just how careless the CIA was with Merlin’s identity raise further questions about claims that the operation — and especially Merlin’s identity — was closely held. Most striking to me is the revelation (Exhibit 17) that for months and months, Merlin was pitching his nuclear experience to Iran on an AOL account shared with his wife and kids. In the cable describing a January 12, 1999 meeting with Merlin (what appears to be the first where the two met alone) Sterling explained that Merlin had just opened a separate Hotmail account to use for his CIA spying.
“[M] also opened another email account through Hotmail. [M] opened the new account so his family, who also utilizes his AOL account, cannot access his email related to the project.”
That means from at least April 15, 1998 (see Exhibit 8, though Exhibit 16 suggests the effort started in November 1997), when Merlin started trying to make contact with Iranians who might be interested in a Russian nuclear scientist, until January 1999, Merlin’s contacts with Iran were completely accessible to his wife (who, given the evidence — as opposed to the sworn claims — presented in the trial, almost certainly knew anyway) and his kids (who may not have).
The AOL to Hotmail account switch appears to have been Merlin’s idea, but Sterling’s performance review for this period (Exhibit 60; note, it uses the name Samuel Crawford to protect Sterling’s identity) seems to reflect Sterling’s effort to train Merlin out of bad security habits. It says Sterling, “maintained a strong [counterintelligence]/security posture in all that he did during the reporting period, particularly a high interest sensitive case … and is constantly seeking to improve the security of his cases.” Indeed, the same cable covering the January 12, 1999 meeting in which Merlin and Sterling alone took part — which revealed Merlin had finally gotten a dedicated email account for his CIA work — also described Sterling walking Merlin through changes to his handling approach, including apparently meeting in hotel rooms rather than primarily restaurants all in the same neighborhood. Sterling also appears to have had to prompt Merlin to share all his correspondence with the Iranians with him (though Merlin didn’t always do so).
The CIA, it appears, intended for Merlin’s real identity to be readily obvious to the Iranians (and, based on the presumption at the heart of this operation that the Iranians were working closely with Russia, also to the Russians). On several occasions, defense attorneys asked CIA witnesses if they were “dangling” Merlin, a term the witnesses clearly wanted to avoid repeating. Nevertheless, it is clear they intended to dangle him, barely hiding his identity or location. Merlin used his real name in his outreach to Iran. He cited “his true background” in messages to Iranians (Exhibit 16; note that in Exhibit 17 and 18, CIA has actually redacted some of the information on himself Merlin sent to Iranians). He used his home email address in classified ads (and changed it when he got the Hotmail account). His approaches used a PO Box that appears to have been close to his home. (Exhibit 16)
Then there were other issues that raised alarms for me. From roughly October 12, 1998 through December 10, 1998, spanning the period when Merlin went to San Francisco for his “training” on the blueprints, Merlin’s home computer was being repaired (he accessed some email from work). When he got the computer back “it seemed slower.” Shortly after Merlin got the new email (Exhibit 18), he told Sterling he had been blocked out with an “Intrusion detected,” warning, and had been told “evidently at least two people had tried to open the account.” In February 1999 (Exhibit 21), Merlin told Sterling he was having problems with his AOL account (though didn’t explain what sort). Then there’s the period in October and November 1999 when Sterling couldn’t contact Merlin; he said he was visiting his wife in Florida. Admittedly, Sterling was tracking this stuff closely (I wonder whether the government had Merlin on what amounted to a consensual wiretap). Because the government only released cables from the period when Sterling handled Merlin, however, we can’t know whether the earlier, sloppier operational security extended to Merlin’s online life.
And ultimately, this loose operational security — and Merlin’s backlash to it — appears to be one of the things that led Merlin to botch the operation, to (apparently) give Iran what was meant to look like a sales proposal with no way for Iran to contact him. A full year before the delivery (Exhibit 18) Merlin started using initials rather than his name in correspondence with the Iranians. He balked at the CIA’s insistence that he send a (slightly doctored) resume along with his outreach attempts. He started sending related letters via separate envelopes, even sending them from separate states (CIA doesn’t appear to want to hide that Merlin was in a position to send letters from both New Jersey and Connecticut).
It was very clear that Merlin did not want his identity associated with the documents in question and — because CIA had decided to have him finalize the letter on his own in Vienna — he chose not to leave much of it with the package. He left off his PO box from the package, which was how the Iranians were supposed to respond, which was one key to any ongoing intelligence gathering aspect to the operation. The CIA had Merlin leave a sales pitch with no way for interested buyers to act on that sales pitch.
And yet they called this operation a big success.
As the Senate Intelligence Committee’s report (Exhibit 101) on Jeffrey Sterling’s whistleblower complaint describes, “In the end, the entire plan was turned over to the Iranians without any means for further follow up. However, CIA supposedly deemed the operation a success.” The government repeatedly claimed Sterling lied or spun facts to get the SSCI and Jim Risen interested in this story. But on this point — that Merlin left a nuclear blueprint wrapped in newspaper without an address to follow-up with — Sterling was absolutely correct.