The Fog of Chemical War

After eight months of allegations, why do we know so little about Syria's nerve gas attacks?

Since this story was published, there have been allegations of a major new chemical attack in East Ghouta, not far from Damascus. Hundreds of people are dead, according to the Syrian opposition. If the reports are even remotely accurate, this would be the biggest chemical weapons strike in decades. A preliminary examination of the footage by American intelligence officials and outside experts leads them to believe that chemical weapons were involved in the attack. But piecing together exactly what happened in Ghouta won't be easy; the Assad regime has taken deliberate steps to hide its chemical tracks, as the story below shows.

All of the major players in Syria -- and all of their major backers -- now agree that chemical weapons have been used during the civil war there. But the mysteries surrounding a string of alleged nerve gas assaults over the spring have, in some ways, only grown thicker. The motivations and tactics behind the unconventional strikes continue to puzzle U.S. intelligence analysts. And the arrival in Damascus of United Nations weapons inspectors holds little promise of solving the riddles.

Independent tests of environmental samples by both Russian and American spy services indicate that the deadly nerve agent sarin was used during a March 19 battle in Khan al-Assal, for example. Beyond that basic fact, there's little agreement. The Russians blame the Syrian rebels for launching that unconventional strike on the Aleppo suburb, while the Americans say it was a case of chemical friendly fire.

U.S. intelligence officials tell Foreign Policy that they're continuing to investigate claims of new chemical weapon attacks in Syria, including an alleged strike earlier this month in the town of Adra that left men foaming at the mouth and dogs twitching in the street. They're continuing to see supplies shuffled around some of Syria's biggest chemical weapons arsenals, such as the notorious Khan Abu Shamat depot.

But the number of reports of unconventional attacks has dropped sharply since early June, these same officials say. That's right around the time when forces loyal to dictator Bashar al-Assad took over the strategic town of Qusair and gained the upper hand in Syria's horrific civil war. The decline gives American spy services another indication that it was Assad's forces who launched the chemical attacks; there's little need to gas people when you're winning.

There was a time when such determinations appeared to hold geopolitical significance. The Obama administration repeatedly called the use of chemical weapons a "red line." But that line has now been crossed repeatedly, with little consequence. And that's led U.S. intelligence officials to confront another question: How massive would the chemical strike have to be in order to prompt America and its allies to intervene in Syria in a major way?

"As long as they keep body count at a certain level, we won't do anything," an American intelligence official admits.

The U.N. inspection team arrived in Damascus on Sunday to test claims by Syria, Britain, France, and the United States that chemical weapons have been used in the country's two-and-a-half-year-long civil war. Ake Sellstrom, a Swedish scientist who is leading the U.N. mission, plans to spend at least 14 days in the country and to visit at least three sites where chemical agents have allegedly been used.

The team's arrival will mark the culmination of nearly five months of often-acrimonious negotiations over the U.N. team's terms of access. It comes just weeks after Sellstrom and the U.N.'s undersecretary general for disarmament, Angela Kane, struck an agreement with top officials in Damascus on the terms of the inspections.

In advance of the visit, the United Nations has sought to dampen expectations that the team will blame one side or the other for using chemical agents. The mission's mandate, U.N. officials have repeatedly insisted, is simply to determine whether chemical weapons have been used, not to establish who ordered the attacks.

Rumors of chemical weapons use have been making the rounds since late last December, when reports surfaced indicating that chemical agent may have been used in a government offensive in Homs. But the accusations began to grow more numerous and more believable in March. It was Syria that first asked the United Nations Secretary-General Ban Ki-moon to conduct an investigation into the alleged use of chemical weapons on March 19 in Khan al-Assal, near Aleppo.

Syria's U.N. ambassador, Bashar al-Jaafari, alleged that Syrian rebels had attacked Syrian authorities with chemical weapons. He said the government has compiled medical reports, blood samples, and victim testimony supporting its claim, and invited the U.N. to send a team to Syria to evaluate the evidence. British and French officials believe that Syrian authorities may have indeed been exposed to chemical agent, but that they were the victims of a "friendly fire" attack conducted by Syrian forces.

But Syria balked after Ban agreed to a request by Britain and France to expand the investigation to sites where Syrian rebels claimed the government had used chemical weapons. Today, the U.N. has received a total of 13 allegations of chemical weapons use, mostly claims by the rebels that the Syrian government used chemical weapons.

Back in April, Ban said that a credible investigation would require the inspection team be granted "unfettered" access to all sites where chemical weapons have allegedly been used. But Security Council diplomats say that the U.N. has since backed down. Sellstrom believes that most of the cases of alleged chemical weapons use are too thin, or the evidence too old, to merit full-fledged investigations. He has homed in on three cases where, he believes, the trail is fresher and the evidence stronger. The U.N. has acknowledged that it will investigate the March 19 incident near Aleppo, but it has not revealed the location of the two other sites.

Syrian opposition leaders have expressed concern about the limited scope of the investigation. On Aug. 1, the Syrian National Coalition wrote Ban, saying the opposition "stand ready to cooperate fully with representatives of the mission and welcome UN investigators into all territories under its control." But the group remains concerned that the United Nations may be walking into a propaganda trap. "If the scope of the mission is restricted to only three sites, the coalition is worried that an important opportunity will be missed to establish authoritatively the extent to which chemical weapons have been used," said Najib Ghadbian, the coalition's U.N. representative. "There is an urgent need for the UN to conduct a comprehensive investigation into all credible allegations of chemical weapons uses."

Ghadbian urged the U.N. to visit all of the sites where such weapons may have been used, including during the latest incidents in Adra and Douma. That's not likely to happen. Not only are these highly contentious war zones, but the chemical claims are often questionable. Take the attack in Adra earlier this month. A YouTube video shows victims complaining of a sulfur smell; the Assad regime's chemical weapon of choice, sarin, is generally odorless. The clip also shows victims foaming at the mouth; sarin doesn't ordinarily produce such an effect.

U.S. analysts speculate that some of these atypical effects may be the result of Assad's military using an atypical mix of chemical arms, so-called "riot control agents," and conventional munitions on the battlefield. In December, one former chemist for the Syrian regime told Al Jazeera that this blending of weapons was done, in part, to create a confusing blend of symptoms -- and mask their source.

Traditionally, militaries launch chemical attacks separately from ordinary ones. Not so in Syria. In a single bombing run near Aleppo last May, for instance, U.S. intelligence believes that a single Syrian warplane dropped bombs loaded with tear gas, sarin, and conventional explosives.

"When we first started hearing about this, we didn't understand. Why one sarin bomb in the middle of a major bombardment?" asks one U.S. intelligence official. Perhaps it's a way to cover up the use of chemical weapons, as the chemist suggested. Perhaps it was to force potential enemies out into the open. Perhaps it's a way to further terrorize the targets of the bombing runs. "We think it's strange, but whatever the Syrians have been doing, it's been very effective," the official adds. After all, the government appears, for now, to be winning the war.

Contributing to confusion is the long-standing suspicion that Assad's forces are brewing up their unconventional weapons in unconventional ways. One of sarin's two main precursors is isopropanol -- rubbing alcohol, basically. But the material used for chemical attacks can't be purchased in any drug store. While the commercial stuff typically is 70 percent water, the weapons-grade isopropanol is highly concentrated, with less than 1 percent water. That makes it extremely hard to obtain. Some outside observers believe the Syrians are using less isopropanol than usual in their sarin in order to preserve their precious stockpile of the precursor. (It would also produce milder-than-normal effects in a victim.) If the dilution theory is true, it could be an indication that Assad intends to hold on to his chemical arsenal for a long, long time -- and unleash it only when his rule is once again under threat.



The NSA's Data Haul Is Bigger Than You Can Possibly Imagine

And so are its mistakes.

Editor's note: Shortly after this story was published, the Washington Post released a series of eye-popping leaked documents showing that the National Security Agency has accidentally intercepted the communications of thousands of people it had no right to spy on. The story below is in many ways the precursor to that blockbuster revelation.

The NSA, as intelligence historian Matthew Aid shows, collects so much information online that even its mistakes are enormous. Every day, it actively analyzes the rough equivalent of what's inside the Library of Congress and "touches," to use the agency's term, another 2,990 Libraries' worth of data. With such a huge haul, even the most infrequent of error rates -- one in a hundred thousand, say -- still produces terabytes and terabytes of improperly harvested data. It still means thousands and thousands of people are wrongly caught in the surveillance driftnet.

The NSA's defenders will point to the many times the agency's intelligence analysts followed the rules, and got things right. But that misses the point; no one expects these analysts, or the systems they use, to be flawless. The problem is that the surveillance net is so very large that even the most minuscule of imperfections can have outsized impact. And that calls into question whether the NSA's intelligence-collection efforts have grown too big for their own good.

The electronic spies at the National Security Agency have tried lately to play down the amount of Internet traffic they inspect -- and play up how central that monitoring is to stopping terrorist attacks. Neither one of those arguments is entirely true. Yes, the NSA claimed in a recently released white paper that it "touches" only 1.6 percent of the planet's online data, but the agency neglected to note that this is roughly equivalent to the Library of Congress's entire textual collection, inspected 2,990 times every day. And sure, the NSA's Internet surveillance has been instrumental in some counterterrorism operations. But this analysis of online communications has also been central to U.S. spying on places like Syria, Libya, China, and Iran.

The importance of the Internet as an intelligence source for the NSA cannot be overstated. The NSA may have made its Cold War reputation intercepting phone and radio traffic; these days, it's all about the Net. According to information gathered from interviews with three former or currently serving U.S. intelligence officials conducted over the past month, the NSA is now producing high-grade intelligence information on a multitude of national and transnational targets at levels never before achieved in the agency's history. Here are a few examples of the intelligence reportedly derived from NSA's intercepts of the contents of emails and other Internet-based communications systems:

* According to a recently retired U.S. intelligence analyst, much of what the U.S. intelligence community knows, or thinks it knows, about the Iranian nuclear program is based largely on intercepted online communications.

* Intercepted emails and other Internet communications have been an essential source of information about what has been transpiring in Syria and the countries surrounding it since the Syrian civil war broke out in early 2011.

* The NSA's ability to exploit email traffic, both plaintext and encrypted, has proved to be a critically important tool allowing the U.S. intelligence community to track military activities around the world, particularly in certain key countries in the Middle East, South Asia, and the Far East. For instance, intercepted Internet traffic reportedly played an important role in allowing the U.S. intelligence community to keep close tabs on the activities of military units loyal to Muammar al-Qaddafi during Libya's civil war in 2011.

* Intercepted emails and text messages were also essential to the success of Gen. David Petraeus's Baghdad "surge" operation in Iraq in the spring and summer of 2007. According to an Aug. 9 NSA white paper, "The senior U.S. commander in Iraq credited signals intelligence with being a prime reason for the significant progress made by U.S. troops in the 2008 [actually 2007] surge, directly enabling the removal of almost 4,000 insurgents from the battlefield."

* According to one official, intelligence information derived from Internet signals collection, or SIGINT (for "signals intelligence"), has been responsible, directly or indirectly, for more than 60 percent of the al Qaeda terrorists captured or killed since the 9/11 attacks.

* Since 2008, signals intelligence derived from mobile phone and email intercepts has become the principal intelligence source used by the CIA, the Defense Intelligence Agency, and Joint Special Operations Command to target unmanned drone strikes and commando raids against al Qaeda terrorists and local insurgent targets in northern Pakistan and Yemen. Signals intelligence has become so important to the U.S. intelligence community's counterterrorism effort that it has given birth to a new type of CIA intelligence officer called a human intelligence targeting officer (HTO) who is responsible for fusing real-time signals intelligence concerning the locations of al Qaeda officials with available intelligence received from agents in order to direct CIA Reaper unmanned drones equipped with Hellfire air-to-surface missiles to their targets.

Working in close conjunction with its English-speaking partners in Britain, Canada, Australia, and New Zealand, the NSA is currently engaged in two Internet-related SIGINT collection programs.

The first involves the collection of Internet metadata -- who communicates with whom and how. The domestic component of this program, which started shortly after 9/11, involved AT&T, Verizon, and Sprint providing the NSA with massive volumes of Internet usage data for all their subscribers in the United States and overseas. This program was officially terminated in December 2011 after Sen. Mark Udall and Sen. Ron Wyden questioned whether the program was producing sufficient intelligence to justify continuing to fund it. Whether the NSA still retains the massive database of Internet metadata is unknown. But the agency isn't in the habit of throwing things away.

Either way, the NSA continues to collect the exact same sort of Internet metadata on foreign targets to this very day (though determining who's a foreigner and who's not can be a near-impossible task, as my FP colleague Shane Harris has shown). Every minute of every day of the year, the NSA's vast array of computers sweeps the entire global Internet using almost exactly the same search and sweep techniques as Google, collecting vast amounts of metadata on Internet usage around the world. The metadata that the NSA and its partners collect every day yields vast amounts of information on computer systems and email communications links of particular interest to the agency: Internet protocol (IP) addresses, email accounts, user names, domains, service providers, server locations, ports, blocked sites, browser(s) used, dates and times of logins, length of web sessions, website addresses (URLs) visited, IP addresses contacted, and, for Skype users, all phone numbers called.

The Internet metadata program has been particularly useful for identifying which email links use PGP or other encryption systems, which automatically earns that particular system increased scrutiny by the NSA's computer-hacking organization, the Office of Tailored Access Operations, to determine whether this communications traffic might be of intelligence value.

Separate from the Internet metadata program, the NSA and its overseas partners intercept the content of vast amounts of communications and digital data traffic carried on the Internet, especially email traffic. The NSA and its English-speaking partners are intercepting, machine-reading, and caching millions (if not billions) of emails every day. According to previously published reports, the agency may even be able to read emails that were encrypted with a wide variety of commercially available encryption systems.

Getting at the vast and growing volume of email and related communications traffic being carried over the Internet is, from a purely technical standpoint, a relatively easy proposition for the NSA because, according to industry estimates, roughly 80 percent of the world's Internet traffic either originates in the United States or transits through Internet service providers and/or computer servers in the United States.

And what the NSA cannot access, sources report that the agency's British, Canadian, Australian, and New Zealand SIGINT partners oftentimes can. They do this by covertly collecting all Internet and data traffic being carried on all fiber-optic cables that touch on their territory.

The majority of the Internet traffic entering, leaving, or transiting through the United States travels through one of 32 fiber-optic-cable landing points or terminals: 20 on the U.S. East Coast and 12 on the West Coast. According to the consulting firm TeleGeography in Washington, D.C., 56 global fiber-optic cable systems carrying Internet and digital data traffic to and from Europe, Asia, the Middle East, Africa, Latin America, and the Caribbean are connected to these 32 cable landing points.

The NSA can now access almost all traffic transiting through these fiber-optic cable systems (except those cables connecting the lower U.S. mainland with Alaska) pursuant to a classified program called Upstream. Upstream consists of four subordinate programs called Fairview, Stormbrew, Blarney, and Oakstar. An April 2013 top secret PowerPoint slide leaked by Edward Snowden to the Washington Post indicates that Stormbrew focuses on Internet traffic passing between the United States and Asia, while Blarney appears to cover traffic between the United States and Europe and the Middle East. The precise functions of the Fairview and Oakstar programs are not yet known.

Getting at this traffic is only technically feasible because of the NSA's intimate relationships with the largest American telecommunications companies and Internet service providers. Thanks to a series of secret cooperative agreements with America's three largest telecommunications companies -- AT&T, Verizon, and Sprint -- since 9/11 the NSA has been given access to virtually all foreign Internet traffic carried by these underwater fiber-optic cable systems. These access agreements with the "Big Three" telecommunications companies are legally sanctioned by warrants that are routinely renewed every 90 days by the Foreign Intelligence Surveillance Court in Washington, D.C.

AT&T, Verizon, and Sprint can access most Internet traffic transiting the United States via these fiber-optic cables because at some point the traffic passes through one or more gateway nodes, backbone nodes, remote access routers, Internet exchange points, or network access points in the United States that are operated by the "Big Three." At these points, Internet traffic of interest to the agency is intercepted by NSA equipment (euphemistically referred to as "black boxes" by company personnel) that is operated and maintained by specially cleared personnel on the payroll of the telecommunications companies.

For example, all Internet and data traffic from Latin America and the Caribbean arrives in the United States via eight submarine fiber-optic cables whose terminals are located in Florida at Jacksonville, Vero Beach, West Palm Beach, Spanish River Park, Boca Raton, Hollywood, North Miami Beach, and Miami. All Internet traffic from these eight fiber-optic cables is forwarded to the AT&T backbone node facility in Orlando, Florida, where email and data traffic of interest to the NSA is instantly copied and sent via secure buried fiber-optic cable links to NSA headquarters for processing, analysis, and reporting.

And since September 2007, the NSA has been able to expand and enhance its coverage of global Internet communications traffic through a now-infamous program called PRISM, which uses orders issued by the Foreign Intelligence Surveillance Court that permit the NSA to access emails and other communications traffic held by nine American companies: Microsoft, Google, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple.

Thanks to PRISM, for the past six years the NSA has been exploiting a plethora of other communications systems besides emails that also use the Internet as their platform: voice-over-Internet protocol (VoIP) systems like Skype, instant messaging and text messaging systems, social networking sites, and web chat sites and forums, to name but a few. The NSA is also reading emails and text messages carried on 3G and 4G wireless traffic around the world because many of these systems are made by American companies, such as Verizon Wireless.

No matter how you measure it, the amount of intercepted Internet-based communications traffic that the NSA must process, analyze, and report on is massive and getting larger by the day.

In an unclassified white paper released on Aug. 9, the NSA claimed that it "touches" only 1.6 percent of the 1,826 petabytes of traffic currently being carried by the Internet, which equates to approximately 29.2 petabytes of communications data. To give one a sense of how much raw data this is, the Library of Congress's entire collection, the world's largest, holds an estimated 10 terabytes of data, which is equivalent to 0.009765625 petabytes. In other words, the NSA collects just from intercepted Internet traffic the equivalent of the entire textual collection of the Library of Congress 2,990 times every day.

Of this amount, according to the NSA, only 0.025 percent of the intercepted Internet material is selected for review based on a vast and ever-changing "key word" or "key phrase" alert system. On paper this sounds reasonably manageable until you realize that the daily amount of material in question is the equivalent of 75 percent of the Library of Congress's entire collection.

More and more of the data to be reviewed is Chinese. Although the Internet was invented in the United States, its future is in China, which has seen its online population increase a hundredfold in the last 10 years and now boasts double the number of America's Internet users. That means the NSA's ability to access Chinese communications, which sources confirm is the U.S. intelligence community's top Tier I target after al Qaeda and other foreign terrorist groups, has also increased a hundredfold in just the past decade, and the NSA's access to Chinese communications will only continue to grow incrementally as tens of millions more Chinese people are expected to get online in the next few years.

The same is true about Russia, another increasingly important Tier I high-priority target for the U.S. intelligence community and another place where Internet usage is growing. As Russian President Vladimir Putin's relations with Washington continue to deteriorate, the U.S. intelligence community's prioritization of Russia as an intelligence target has risen significantly in just the past two months.

But if there is one area where Internet-based signals intelligence has played a particularly critical role, it is in the field of counterterrorism. The NSA has confirmed that al Qaeda and other terrorist leaders in the Middle East and South Asia depend on email and other Internet-based communications systems to communicate with one another because, according to a leaked 2009 NSA inspector general's report, "they are ubiquitous, anonymous, and usually free of charge," allowing terrorist leaders to "access Web-based email accounts and similar services from any origination point around the world." Of course U.S. spies are going to try to listen in.
