When defense contractor Harold Martin was charged with the alleged theft of highly classified documents from the National Security Agency (NSA), federal prosecutors deemed the potential crime “breathtaking” in scope.
The documents were said to date back from 1996, when Martin first got security clearance, to his arrest this year.
Martin, a navy veteran, was employed by Booz Allen Hamilton at the time of his arrest. It came just three years after Edward Snowden leaked top secret NSA documents, while also working at Booz Allen.
Booz Allen was quick to implement a series of changes after Snowden’s leaks. Speaking to The Cipher Brief late last year, a spokesperson for Booz said these included “pre-employment screening program and security education and training; a counterintelligence program focused on understanding espionage and other threats; and insider threat program.”
But despite the new layers of safeguards, Martin was able to walk out of the NSA with more classified documents.
For its part, Booz Allen put more plans into place, firing Martin and asking former FBI Director Robert Mueller to conduct an external review of the firm’s security, personnel, and management processes and practices. Mueller’s review began on October 19, and Booz expects “a series of updates over the next 60 to 90 days,” according to the spokesperson, but won’t have “an exact timeframe because we want him to take this review wherever it needs to go.”
Government agencies have stringent checks in place to thwart internal threats, but as more work is outsourced to private contractors, the Martin and Snowden leaks are evidence of the ongoing challenge of monitoring them and of uniting the private sector in the effort to fight internal threats.
So far, it’s been a difficult task. Snowden’s former boss at Booz Allen, Steven Bay, says part of the problem is a skills gap.
In the aftermath of Snowden’s leaks, Bay has been speaking out on how companies can protect themselves from insider threats. He says that includes recognizing the reasons for outsourcing government work to the private sector.
“You can make an argument that there may be jobs and agreements and compartments in the classified arena that private contractors shouldn’t have access to,” he told The Cipher Brief. “But the reality is there’s a lot of work that needs to be done. There’s a lot of expertise that is needed, and the government doesn’t have that expertise, especially take cyber security… And generally, the private sector can pay better than the government can.”
Creating sufficient incentives, analysts say, is also essential. A 2014 report from the Center for Strategic and International Studies (CSIS) found that cyber attacks, which include “losses of intellectual property, outright cybercrime, unauthorized access to confidential business and stock information, the costs of recovering from cyber-attacks, and the value of reputational damages,” cost the United States up to $120 billion in economic losses a year. And that doesn’t include legal costs.
Despite the prospect of losses, the report said the private sector was reluctant to implement cybersecurity measures, because businesses see government mandates as “undue regulatory burdens on industry” that add costs and slow innovation, and “consider it unfair and inappropriate for the government to impose on private industries security requirements that businesses consider a public-sector responsibility.”
Speaking in Washington last October, Director of National Intelligence (DNI) James Clapper acknowledged that collaborating with the private sector is a “daunting task” because it’s “as big as all outdoors.”
The “outdoors” includes thousands of people, with access to classified information, who will have to be policed. According to the DNI’s office, 1.3 million people hold top secret clearance. Of those, 400,000 are private contractors.
Clapper admitted it was “a work in progress,” but prioritizing the effort to reach out to the private sector was crucial to protecting national security.
NEW REGULATIONS
To mitigate future internal threats in the private sector, the Department of Defense (DoD) set new standards that came into effect on November 30, 2016. They make it mandatory for any contractors working with them to have an internal threat program in place.
The new regulations are part of the DoD’s National Industrial Security Operating Manual described in a letter released in May. They require companies to:
- gather, integrate, and report relevant and available information indicative of a potential or actual insider threat;
- self-certify to the Defense Security Service (DSS) that a written program plan is implemented and current;
- appoint a senior official to establish and execute the program;
- and train cleared employees about threat awareness.
The requirements are handled by internal staff, but companies can be audited by the DoD to ensure a plan is in place.
Analysts fear the new requirements are too basic and would do little to thwart threats of Snowden’s magnitude, but they are moving in the right direction.
“It’s a step in a longer evolutionary process for raising awareness and ultimately deterring this type of activity,” says Megan Stifel, Non-Resident Senior Fellow at the Atlantic Council. “So getting contractors to take the step of identifying someone within their company who’s in theory at least thinking about this, gets us further along than we have been in the past.”
Doug Thomas, Lockheed Martin’s Director of Counterintelligence Operations and Corporate Investigations, says he agrees. “The bar is very low,” he says. “It’s low for a reason. It’s low from the standpoint that there are a lot of small and medium sized companies who would have a difficult time for something more mandated.… I think that’s a good start for all companies regardless of size.”
For smaller contractors, like the analytics software company Haystax, the new regulations require “a bit of paperwork” but are “pretty easy to meet,” according to its CEO Bryan Ware. “Clearly the requirements that they’ve imposed to date would not have material impact in any of the insider threat cases that we’ve seen in the news,” he says. “It seems to me that more needs to be done.”
But he adds that more security requirements may come at a cost. “There’s this term in the government business called LPTA, which stands for Lowest Priced Technically Acceptable. So essentially many procurements in the intelligence community, DoD and elsewhere have been driven to the very lowest price that they can get, the lowest bidder that has a technically acceptable solution,” says Ware. “So we slip the hourly rates down as low as you can. There’s not a lot of room for a security program. That’s a cost… So it has to be paid for in some way, budgeted for by the government.”
Ware says another way to incentivize companies is with “a significant amount of services” or additional contracts. But Thomas argues, “We built a program to protect our brand and reputation, and current and future revenue… Honestly today, I don’t know how a company can afford not to have a program that’s effective.”
That may be true, but even with stringent standards in place, one of the key requirements by the DoD is monitoring and training staff. That proved a challenge for firms as large as Booz Allen.
Ware says this is where smaller companies have an advantage. “We have very close interaction with all of our employees. I see every employee pretty much every week as a CEO and that’s certainly not the case at a large business,” he says. “Those close quarters and close contact enable us to be very hands on and aware of what we’re doing. We also have technical measures that are in place, you know, in our networks, in the ways that we review the background information of our employees.”
Lockheed Martin has a long-established insider threat plan with multiple levels to monitor employees. Thomas, who established the Lockheed program starting in 2011, admits the size of the company poses a challenge, but he believes they’ve found a solution.
“We have an awful lot of employees, and unless we leverage technology, you’re not going to have an effective insider threat program. One of the things that we did was build a homegrown insider threat detection tool. And all the data in the tool is anonymized,” he says. “The analysts that see the data in the tool don’t see a name, they don’t see gender, they don’t see any of that. All they see is a series of numbers. What we do profile is behavior. What we’re looking at is attributes, actions, and behaviors of every employee in the company.”
Lockheed says the tool went into effect in late 2013. So far, they say the tool has served the company well, and other large firms should also explore technological tools to monitor their staff.
Bay agrees. He says digitally classifying data and tracking its movement; building rules that send alerts when classified data leaves the network; and blocking file-sharing websites that are not approved by the company are three ways to address insider threat challenges in big companies.
“ANTIQUATED” SECURITY CLEARANCES
One issue the new DoD requirements do not address is security clearances. A routine security clearance, typically renewed every five years, contains standard questions about the handling of classified information. The government issues security clearances, over which the private sector has no control.
Martin had a top-secret security clearance despite a record of alleged drinking problems and unpaid tax bills. Those should have raised alarms amongst the security agencies where he was working. But he retained his clearance.
Thomas, who chairs the Insider Threat Subcommittee on the Security Policy Reform Council, says security clearance standards need to be reformed. “We need to move closer to continuous evaluation as opposed to doing security clearance re-investigation on a 5-year or 7-year scale,” he says. “I think that’s an antiquated approach.”
Stifel adds that in the context of network monitoring “we've gone from compliance check-the-box to a more risk-based approach,” but much more needs to be done to check “who has access, how much access do they have, and if there are in fact monitoring programs in place.”
That information must then be reviewed, she says, to be effective.
SHARING INFORMATION: CREATING INCENTIVES
Government officials admit that one of the challenges is ensuring companies share information about cyber crime. The November 30th DoD requirements to share information with the government build upon the Cybersecurity Act of 2015’s voluntary approach of sharing cybersecurity information between the government and the private sector.
A study by McAfee Labs suggests that barriers to information sharing are largely rooted in company policy and lack of understanding.
Companies like Lockheed say it’s in their best interest to share information, but that it has to be reciprocated. “There are laws and policies that constrain the government on providing information to companies that may give the view of giving a company an advantage over another company,” says Thomas. “But it should be a partnership. It should be companies to government, and government to companies.”
Stifel says there may also be concerns about privacy. “I don’t want to get ahead of the game but depending on how that [information sharing] is implemented it can raise concerns, essentially making companies agents of the government,” she says. “That can raise a whole host of 4th amendment issues. And then you get into the question of, is liability protection something that can be offered. I think you would see privacy advocates, among others, raising serious protest before that would ever happen.”
Steve Grobman, Chief Technology Officer at Intel Security Group, says the government can encourage information sharing by creating incentives where companies “gain benefit if the collective good is more secure.” He says “one example is pool insurance, where the group of entities that are doing intelligence sharing participate in cyber insurance as well, where the premiums are essentially driven by the overall success of defending the pool.”
In time, analysts talking to The Cipher Brief believe information sharing between both parties will improve, because as one put it, “this problem is so much bigger than just the government.”
Leone Lakhani is executive producer and reporter at The Cipher Brief.