In the wake of the arrest of Central Intelligence Agency (CIA) officer Aldrich Ames as a spy, then-CIA Chief of Counterintelligence Paul Redmond commented, “There is an actuarial certainty that there are other spies in U.S. national security agencies, and there always will be.” I recalled that statement when considering the recent arrest by the Federal Bureau of Investigation (FBI) of National Security Agency (NSA) contractor Harold Martin for the theft of highly classified documents and digital files. While we know very little as yet about Martin’s actions and motivations, his case serves as a chilling answer to a question posed in the title of a recent article in The Atlantic, “Can NSA Stop the Next Snowden?” The simple answer to that question—if what is meant by “stop” is to prevent another malicious insider case akin to that of Edward Snowden from occurring—is no. Nor can any other government agency give such a categorical assurance.
At the same time, Martin’s detection and arrest lends support to the qualified judgment of the Director of the National Counterintelligence and Security Center (NCSC), William Evanina, that he was “pretty confident” the Intelligence Community (IC) could detect malicious activity on the scale carried out by Snowden. Immediately after Snowden’s 2013 flight to the embrace of our adversaries, the IC moved to improve its insider threat defenses. Great progress has since been made in hardening IC defenses. A central component of that upgrade is the somewhat ominously titled “continuous evaluation.”
Continuous evaluation is the monitoring of employee activities and data use while at work, and a more limited checking of employee life outside the workplace, to include looking at publicly available documents (e.g. arrest and bankruptcy records) and social media postings. Pejorative use of the word spying to describe legal and proper monitoring aside, The Atlantic’s assertion that the IC “has begun spying on itself more effectively,” with the goal of detecting activity by IC personnel and contractors that raises concerns, is also surely right. To use a somewhat hackneyed phrase, the intent is to move insider threat detection as far to “the left of bang” as possible. This is all to the good.
But the history of espionage tells us that no defenses, however well-conceived, are proof against all threats. As Redmond warned, there are almost certainly other spies like Ames and other leakers like Snowden operating today. We need only look at recent leak and espionage cases involving IC personnel to affirm the truth of this statement. Snowden and Martin aside, contemporary cases have included: NSA staffer Thomas Drake; CIA officers Jeffrey Sterling and John Kiriakou; and FBI officers Donald J. Sachtleben and Kun Shan Chun. There is no reason to think the varied motivations that have heretofore driven such people to leak or spy will not drive others yet unknown to do the same in the future.
The imperative is not only to detect would-be Snowdens before they inflict great damage, but also to ensure to the maximum degree possible that whatever harm they cause prior to detection will be limited. This is hard enough when dealing with a rogue insider acting with limited or no outside support, and perhaps using spurious claims of whistleblower status as a means of covering or justifying his actions. But it is particularly difficult when one is talking about a spy directed and supported by a capable, adaptive intelligence service. The case of Cuban spy Ana Belén Montes is instructive in this regard.
Montes, a Defense Intelligence Agency (DIA) analyst, was highly disciplined in the conduct of her spying, taking care not to attempt unauthorized access to classified databases. Instead, she committed to memory sensitive information to which she had legitimate access, later copying it down for her Cuban handlers. Of equal import, the Cuban service handling her was, for the most part, patient in not pressing Montes to take risks for immediate gain at the expense of her security over the longer term. The measure of their success is that Montes operated undetected for 15 years, inflicting immense damage on U.S. national security before being identified based upon a lead from a CIA Cuban source and concerns about her expressed by a fellow DIA employee.
Cases like that of Montes are the reason why U.S. intelligence agencies should be operating on the well-founded assumption that there may be spies in their midst, crafting their activities and insider threat detection efforts accordingly. The Montes case shows that much more than data-centric defenses are needed to detect insider spies and to limit the damage they might inflict. In addition to a “need-to-know” culture that limits unnecessary sharing of sensitive information, more comprehensive insider threat defenses involving work-force education; access controls; periodic security reinvestigation (to include both polygraph examinations and the interview of co-workers and contacts); and compartmentation of sensitive information are also necessary to effectively confront insider threat within the IC. Even with such measures, however, spies and leakers operating within the IC will remain a real threat to national security. Redmond’s cautionary words will almost certainly bear out as one can deny neither history nor human nature.
“Example,” President George Washington said, “whether it be good or bad, has a powerful influence.” With that thought in mind, it bears asking what lessons potential future malicious insiders within U.S. national security agencies and industries, as well as the intelligence organizations that would support the spies among them, might draw from recent leak and espionage cases. The fact that malefactors such as Chelsea Manning and Martin have been caught is surely a deterrent to some, but Snowden’s case provides quite another paradigm.
While Snowden’s life in Moscow is (one would hope) a type of punishment, he remains at relative liberty and has an ability to give voice to his views, albeit in a manner that is circumscribed or dictated by his hosts. Moreover, as evidenced by reaction to Oliver Stone’s recent biopic, Snowden, a not inconsiderable percentage of our citizenry continues to support his claims, the facts and Stone’s agitprop notwithstanding. Such glorification of dishonorable acts will likely appeal to others predisposed to follow his lead.
It will likewise not have been lost on potential future hostile insiders and foreign intelligence services that assertions of whistleblower status, however unjustified in fact, can serve to grant an undeserved veneer of legitimacy to illegal actions, such as the theft of classified information. Further, nothing undermines the credibility of a program, institution, or chain of command more surely than perceived hypocrisy, and recent events will fuel the belief amongst many that standards regarding the handling of classified information are inequitably applied. Consequently, claims that junior personnel are held to tougher standards than seniors will continue to be cited by offenders in an effort to justify their actions. Finally, the possible vulnerabilities inherent in the broad access to classified information akin to that granted Snowden and Martin will not have been lost on hostile intelligence services in particular.
If the task of confronting an insider threat within the IC is considerable, improving insider threat detection programs within the Department of Defense (DoD) is, as The Atlantic article notes, “a much larger challenge.” That phraseology is particularly apt when considering the most vulnerable element of the U.S. national security community: the 13,000 or so companies that make up the Defense Industrial Base sector. Not surprisingly given the crucial nature of the work they do in assuring U.S. military superiority, those firms have long been seen as important espionage targets by foreign intelligence services. Indeed, since 1945, 52 percent of U.S. insider threat cases have involved the diversion of military technology and/or economic espionage, resulting in the compromise of national defense information. The bulk of those insider attacks have occurred over the past decade, with most of them linked to China.
Further, it is certain the potential intelligence gains to be had by targeting a contractor like Snowden have not been lost on our adversaries, who now surely see the Defense Industrial Base sector as a softer target than the DoD or IC agencies. Indeed, given the inherent interconnectivity of national security agencies and industry, as well as IC and DoD dependence on contractors, it is highly likely that U.S. adversaries, such as China, Russia, and Iran will continue to increase the pace of their directed insider attacks on the U.S. Defense Industrial Base with an eye towards developing and capitalizing upon the next Snowden.
That grim probability speaks to the import of steps being taken by the NCSC and the Defense Security Service (DSS) to help the firms that make up that crucial sector to counter insider threat. The most important of those initiatives is a requirement that each firm contracting to the DoD must have a plan in place by 30 November 2016 to establish an insider threat program designed to detect, deter, and mitigate insider threats. These programs must be able to “gather, integrate and report relevant and credible information…indicative of a potential or actual insider threat; to deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risk of an insider threat.”
Mandated measures include the appointment of a senior official to oversee the program; the stand-up of a capacity to gather relevant insider threat information from across a contractor’s enterprise; development of systems for reporting and maintaining records on potential or actual incidents of insider threat; implementation of insider threat training programs; and the establishment of a capability to review the performance of the program. These basic elements will serve as a starting point for further hardening of the insider threat programs of a sector that to date has been a relatively soft target for foreign intelligence services. In addition to the ever-present question of resourcing, the key hurdle for sector firms in the build-up of their insider threat efforts will be to ensure they take a programmatic rather than an episodic approach to it.
The necessary prerequisite for such an approach is a cohesive, end-to-end plan for the creation of an effective insider threat program with the capacity to deter, detect, and mitigate insider threat attacks. That program should begin by establishing a core structure that is in compliance with the forthcoming DSS-mandated requirements. But it should envision not only a program that is compliant in the short term, but also one that can serve as the basis for the development of a more capable insider threat defense thereafter. That build-out plan should take account of both the inevitable evolution of the threat and likely subsequent DSS mandates for follow-on improvements intended to lift the overall insider threat capabilities of Defense Industrial Base firms beyond the mandated basic level.
The relative strength of an individual firm’s insider threat program will surely, either by design or default, impact its attractiveness as a business or contracting partner for DoD. In other words, when given a choice between firms with comparable offerings, the firm with the more capable insider threat program is likely to be awarded a given contract. This should serve as an incentive for companies in the Defense Industrial Base sector in particular to put in place insider threat programs capable of deterring, detecting, and mitigating this growing menace to a key component of U.S. national security.
Such defenses will be necessary for, as Redmond warned, there will always be another Snowden. That harsh and sobering assessment underscores the considerable challenge ahead of us. Maximizing the potential for catching those future Snowdens, as well as limiting the damage they can inflict before being caught, is something we must do if we are to be able to defend our country in the years to come.
Follow @TheCipherBrief on Twitter for exclusive #InsiderThreat coverage.