Obstruction of Justice Read online

  On January 18, Hina applied for a “financial hardship withdrawal” from her federal retirement account in the amount of $202,000. She lied that it was for “medical expenses.” On the same day, an international wire request form was submitted in Hina’s name to the congressional credit union to send $283,000 to two individuals in Pakistan. The form had Imran’s phone number and email. Later that day, a bank employee called and asked to speak to Hina. Imran pretended to be her. The bank employee asked the purpose of the wire.

  “Funeral arrangements,” Imran said. The bank employee understandably balked at the idea of a nearly $300,000 funeral and said that reason wasn’t acceptable. Imran told the bank teller to hold while he Googled for a reason they’d have to accept. After a long pause, he had a new reason: “Buying property.” The Congressional bank employee dutifully accepted this and put the wire through. Much of the money went to a police officer in Faisalabad, Pakistan.

  The FBI was watching—kind of. It assigned a first-year rookie, Brandon Merriman, to the case. The Bureau did nothing as Imran got on a plane back to Pakistan, a free man, this time with his father’s corpse.

  All of this happened after the House was in possession of evidence that ordinarily would have triggered a dramatic response, and any of these additional facts alone would seem to have been enough push an ambivalent investigator over the edge.

  The House waited until Imran was already gone again before they bothered to do anything about it.

  SIX

  A “THEFT INVESTIGATION”

  What happened in the House soon after the election could only affirm to authorities that the suspects not only knew of the investigation, but were taking elaborate steps to dismantle evidence.

  Then-Representative Xavier Becerra, an outspoken Democrat who is now the attorney general of California, was chairman of the House Democratic Caucus in 2016. When he learned of problems on his servers, he barely took action and concealed it from the public afterwards, even as Democrats talked incessantly about the concurrent hack of the DNC. His staff director, Sean McCluskie, now the deputy attorney general of California, had noticed suspicious behavior by Abid and became worried. Something about the middle brother just didn’t seem right. Ordinarily, the fact that Abid was doing anything involving the office should have been a problem considering he wasn’t employed by the office, his sister-in-law Hina was. But apparently, Becerra didn’t mind that people who weren’t on his payroll had full and unrestricted access to his congressional server. McCluskie responded to his suspicions by asking Imran, who was also not on his payroll, to stop Abid from accessing the caucus’s computers.

  Abid did not stop. The IG could see it in the server logs and noted it in her September presentation to the House leadership. After the inspector general flagged the caucus server as a primary target of unauthorized access, Jamie Fleet, Nancy Pelosi’s operator on the House Administration Committee, told Representative Becerra not to cooperate with the IG probe. When the Capitol Police took over in October, Congressman Becerra agreed to work with them, but as he later acknowledged to the media, he did not proactively approach the police, they approached him.

  In October, Representative Becerra granted Chief Administrative Officer Phil Kiko permission to make a copy of his server for analysis. Working over a weekend so the Awans wouldn’t notice, Chief Information Security Officer John Ramsey made a bit-for-bit clone of the server’s hard drives and recorded identifying information such as its serial number. No one examined this evidence for months—until well after the election. No one could explain the dilly-dallying. What did these House cybersecurity professionals have to do that was possibly more important than this?

  On December 1, Representative Becerra announced that he was resigning from Congress to become the top lawyer for the largest state in the country. With his departure, Sergeant at Arms Paul Irving and Chief Administrative Officer Kiko moved in to collect the Caucus’ computer equipment on Christmas Eve. They immediately documented their findings in the draft of a letter. One finding should not have been surprising: Representative Becerra’s “request,” as the IG report described it, for a criminal suspect to stop meddling with key Democratic servers—without banning his family from the network, changing the locks, or arresting him—had not been effective. “The server in question was still operating under the employee’s control,” they wrote. But there was more. What appeared to be “the server” that December night wasn’t the server at all. It was a decoy, a lookalike machine in place of the one that had been collecting data. “While reviewing the inventory, the CAO discovered that the serial number of the server did not match that of the one imaged in September. The USCP [United States Capitol Police] interviewed relevant staff regarding the missing server.” Officials were in agreement that the Awans had realized the server had caught the eye of the IG and planted false evidence to trick the police, swapping it with something innocuous.

  Nevertheless, the Capitol Police did not seek a warrant to search the Awans’ homes, ban them from the network, or arrest them. Instead, with the memo still unsent, they waited another month before taking the decoy equipment from the Awans’ control. Four days after Trump’s inauguration, on January 24, 2017, “the CAO acquired the server from the control of the employees and transferred that server to the USCP,” the final memo from CAO Kiko and Sergeant At Arms Irving to the Administration Committee said.1

  A week later, the Office of Inspector General got a call from the Capitol Police asking a comically obtuse question for a police force that had supposedly been investigating the situation for four months: “How many members did these guys work for again?” They needed to know because the Awans were finally being banned from the House network and the Capitol Police needed to explain why. The problem was that they didn’t seem to know even the basic details of the case. At a meeting a few days later, the Capitol Police Chief briefed staffers from the congressional leadership on the invoicing scam that had been uncovered nearly a year before; he didn’t mention the cybersecurity breach. Theresa also attended the meeting, and while no questions were permitted, she said, “That seems like the data I gave you four months ago. Are you talking about additional invoices?”

  The chief obfuscated: “It’s very complicated, you have to look at the transactions and trace them to the paper records and it’s a lot of work. I really can’t say anything about it because it’s active.”

  “Why have a briefing then?” Theresa asked. “You all need to understand: I don’t care about them stealing a couple hundred thousand in laptops. This is about cyber insider threats. This is the exact recipe.”

  The chief glared at her, and Sergeant at Arms Paul Irving intervened: “Let’s take this offline and not get in the weeds.” Afterwards, he said sternly: “This is going to be a theft investigation.”

  Irving isn’t a political animal, he’s a pragmatist. He had no interest in a cover-up, per se, but he’d been around the block in Congress enough to know when there was simply no appetite for something, and that fighting it would only make it worse. Perhaps the best he could do is adopt what law enforcement types call a harm reduction strategy and try to contain the damage.

  On February 3, 2017, the Irving-Kiko memo was finally sent under the header: URGENT. “The House OIG and HIR cybersecurity have documented multiple procurement irregularities, IT security violations, and shared employee policy violations by five shared staff employed by multiple House offices,” it began. “Based upon the evidence gathered to this point, we have concluded the employees are an ongoing and serious risk to the House of Representatives, possibly threatening the integrity of our information systems and thereby members’ capacity to serve constituents.”

  That same day, Kiko, Irving, and Jamie summoned the chiefs of staff to a meeting to inform them that the Awans were being banned. No Republicans were allowed to attend. Sean Moran assumed that Jamie told the chiefs of staff about the cybersecurity concerns, which the letter clearly laid out as the cause of the ban
. But members later denied that, saying they were merely told there was some sort of theft. A rare press release sent out by the House Administration Committee, approved by both parties, made that denial possible. The headline read: “Statement on the House Theft Investigation.” It said no other information would be provided until the probe was concluded.2

  SEVEN

  NEWS DUMP

  It was no coincidence that, long after the evidence was clear, the belated ban and cryptic press release went out two weeks after the inauguration of President Donald J. Trump. If authorities had picked that date in advance, it was almost certainly for a different reason: they believed that by that point, Hillary Clinton would firmly be ensconced in the White House. That included her picks for the Department of Justice, who could deal with this breach—or not. But developments happen quickly in politics, and savvy political operatives know how to pivot.

  There’s a dark art practiced in Washington known as the “news dump,” the strategic release of embarrassing or incriminating information at a time when it’s likely to go unnoticed. The classic standby is a Friday afternoon. Another is when reporters are in a feeding frenzy over a different story.

  When the House Administration Committee released its vague “theft investigation” press release on February 3, 2017, virtually every news reporter in Washington was consumed with Trump news. I was one of the only reporters to show even a smidgen of interest in the “theft investigation.” If others had, events might have taken a different turn.

  I had previously worked as a computer programmer, so when a friend sent me a curious little Buzzfeed article about how four House IT guys had been arrested, it caught my attention. The story quoted an anonymous Democratic congressman who feared his data could have been compromised.1

  I looked up at the TV screens mounted on the wall of the Daily Caller newsroom, with chyrons linking Trump in unspecified ways to Russia; a media obsession that began when Democrats blamed the Russians for hacking the emails of the Democratic National Committee.

  During the heat of the presidential campaign, the entire newsroom had gathered to watch FBI Director James Comey give an extraordinary speech faulting, yet declining to charge, Hillary Clinton for her use of a private server to store classified information. That server was discovered only because longtime Clinton confidant Sidney Blumenthal used the comically insecure AOL and had his emails hacked, revealing Clinton’s secret email address. Then, there was the release of Clinton campaign chair John Podesta’s emails, and the DNC’s as well. I’m old enough to remember when cybersecurity in politics was a big deal, I thought.

  I reloaded my browser and saw Buzzfeed begin to walk back the story. Now it said the aides hadn’t been arrested, only banned. It included quotes from the Capitol Police emphasizing that members of Congress were not being investigated. It repeated that the investigation centered upon theft, not cybersecurity, and revealed that the IT aides were related.

  All of this struck me as odd. As an investigative journalist specializing in data analysis, I’d studied how the House spends money on itself, and the truth is that while Congress is good at wasting taxpayer money on executive branch programs, their own office accounts have precious little padding, making it difficult for a sizeable theft scheme to go unnoticed. If so little was known that they couldn’t make an arrest, why had they ruled out investigating members, and why dismiss the possibility of a cybersecurity breach?

  I used my own IT skills to update a database I’d programmed a few years back to monitor the House’s expenditures and ran a query that showed me systems administrators who shared the same last name; a good way to detect nepotism. A short surname flashed on my screen: Awan. Three first names were listed underneath it: Imran, Abid, and Jamal. While most of the other IT aides listed in the spreadsheet made around $55,000, these three made $160,000 or more, almost the same amount as congressmen themselves. While other IT aides only seemed to have time to serve several members, these aides had been hired by eight members each, with each Democrat paying them $20,000 a year.

  House officials refused to confirm their names. I almost forgot about the story and moved on, joining the rest of Washington’s press corps in writing about the latest Trump tweet. But late that night, I couldn’t sleep thinking about how systems administrators could read the emails and files of congressmen, and all the damage we’d seen stem from those materials in the last few years. I opened my laptop to see what I could learn about the Awans through basic public records. I saw some immediate red flags. Abid had three minor misdemeanor convictions. He was arrested for alcohol-related offenses shortly before and immediately after the House hired him, and had filed a one million-dollar bankruptcy while drawing a $165,000 House salary. Massive debts are the number one reason security screenings bounce applicants; people with money problems have an incentive to steal, either directly or through selling data. His brother Jamal had joined the House payroll at age twenty, and he too was making $165,000.

  Then there was Imran Awan. I saw that his wife’s name was Hina Alvi and she was also on the House payroll. That made her the fourth person banned. The family members were linked to a dozen limited liability companies between them—little corporate entities with the stench of shell corporations—even though they were full-time, individual employees of Congress. They hadn’t listed these companies or Abid’s bankruptcy on House ethics disclosure forms, designed to detect security risks and self-dealing.

  I was certain these were the banned employees. I got confirmation by emailing their House addresses and getting bounce-back notices that the accounts had been closed. But there was still a fifth accomplice outstanding. I could see that Imran often appeared on the payroll of a member of Congress for a token amount of money—enough to trigger the creation of logon credentials—before handing the job off to a relative. I coded an algorithm to see if the Awans’ limited liability companies were receiving payments from congressional offices where they were the IT aides. But no, the Awans appeared to buy equipment from big companies like IBM or CDW-G, companies that were unlikely to participate in one family’s scam.

  The algorithm did, however, identify payments to several other individuals: Nataliia Sova, a name I recognized as Abid’s Ukranian wife; Haseeb Rana, whose online resume had him searching for work in the defense industry; and Rao Abbas. Abbas popped up on the House payroll immediately after Abid revealed in bankruptcy documents that he owed Abbas money, as if Abid was using the House payroll to repay a personal debt. The first two departed the House payroll a few years ago, so he was our fifth guy. He was an IT specialist with no IT training, which made me wonder if the theft was putting no-show employees on the House payroll. If so, it was a major heist. Between them, the group had been paid seven million dollars in taxpayer salaries over the last decade or so.

  Their individual salaries alone made them some of the highest-paid employees on the Hill, and the cybersecurity risk was real: their employers included a disproportionate number of members of the House committees on Intelligence, Foreign Affairs, and Homeland Security.

  As the news cycle was dominated by coverage fueled by Democrats suggesting that Trump was an illegitimate president because of a hack on the DNC, I’d learned that a sizeable portion of the highest-level Democrats in the U.S. had for a decade entrusted all their data to one family of Pakistani citizens with deeply troubled backgrounds and few apparent qualifications.

  I wrote a story for the Daily Caller News Foundation revealing the names of the banned systems administrators and delving into their troubled financial backgrounds. I figured that might be the end of it. If the Awans hadn’t frightened and angered so many people on Capitol Hill with their behavior over the years, it might have been.

  * * *

  Rank-and-file legislative staff hated Imran Awan. Of those I could get to talk to me, low-level aides recounted what they described as incompetence and inattentiveness. They also recalled feeling beat down when they sensed that somehow, this random part-time
repairman seemed to have far more influence with their chief of staff and congressman than they did. A legislative aide to Ohio Democrat Tim Ryan, for example, said Imran is the “creepiest guy” he’d ever met. “He had all our passwords, and I came into the office late at night and his sister was logged into my computer. They always had some excuse. Another time, my computer needed more RAM, so I gave it to him and three days later, he gave me back a different laptop. He said, ‘Oh, that wasn’t yours?’ He just played dumb and made me use it. I never found where my laptop and all its data went.”

  Staffers in the House’s central IT, known as House Information Resources, said Imran had for years badgered them to give him extra permissions without leaving any clues. “In order for certain permissions to be granted, a form was required to ensure that there was a paper trail for the requested changes,” one said. “Imran was constantly trying to get people to process his access requests without the proper forms. Some of the permissions he wanted would give him total access to the members’ stuff. Correspondence, emails, confidential files—if it was stored on the member system, they had access to it.” Central tech workers saw that the Awans ran IT for more offices than anyone else on the Hill, yet never attended weekly House-wide IT meetings nor participated in the chatter on a mailing list used by the department. They’d come to believe Imran might be running a kickbacks scheme in which some members paid his relatives for no-show jobs in exchange for getting part of the wages back in cash. No investigators ever bothered to talk to these rank-and-file workers, which they took as a clear sign that they didn’t want to know. The employees knew better than to stick their necks out by proactively taking their testimony to their supervisors or the police.

  The official reaction I got from chiefs of staff, congressmen, and their spokesmen was different, almost uniform and militant in their silence. But a few days after publishing my first story, I got an email from someone named Stephen Taylor, a congressional IT contractor, asking me to call him about Imran Awan.2 Taylor told me detailed stories about Imran and the bizarre influence he seemed to exert over congressmen. “It is so much more than theft. Several members should be kicked off the Hill. Everyone knows that all of this is going to unravel, what they’re hoping is it unravels slowly,” he said.