The filing of a criminal complaint by the U.S. government against a National Security Agency (NSA) contractor has once again raised the harrowing possibility that for the second time in three years, an insider has allegedly stolen highly classified and damaging secret information.
The FBI secretly arrested Harold T. Martin, a contractor with Booz Allen, in August and is investigating whether he stole highly classified computer code that had been developed to hack into foreign governments’ networks. The arrest is also an embarrassment for Booz Allen, which had also hired NSA leaker Edward Snowden.
The Cipher Brief’s Fionnuala Sweeney spoke to Steven Bay, Snowden’s former boss at Booz Allen at the time Snowden disappeared, and asked him about the latest news and what it might mean.
The Cipher Brief: What’s your first reaction to the news of another breach at Booz Allen?
Steven Bay: I’m surprised. I feel bad for Booz Allen. I know a lot of the people who run those projects and manage those contracts, and I can only imagine what they’re dealing with and what the potential ramifications are.
How does this happen again? An individual was apparently able to take classified material out of the National Security Agency (NSA), and from what I’ve read, some of the allegations include information that was stored on various devices, on removable digital media. How is it still possible to remove digital media out of the Agency off of a classified network? You would think that that would have been something under much tighter control since the Snowden situation three years ago.
TCB: You say you know what the folks at Booz Allen are dealing with – what specifically are they dealing with?
SB: A lot of uncertainty. What does this mean for their jobs or for the long term viability of Booz Allen’s contracts with the NSA? I think internally, they will be thinking, ‘We had Snowden, now we have this – what are we doing wrong?’
I think a lot of it is the nature of the work and the contracts they have with the Agency. We endured a lot with Snowden, but it helped that he was only there a month and a half. Now this is a completely different situation.
Did this gentleman, Harold Martin, already have a full security clearance before he joined the NSA? If he didn’t, then that might open up a whole can of worms internally.
TCB: You raise the question whether Martin had a full security clearance before he was hired by NSA? Who conducted security clearances when you were at Booz Allen?
SB: The security clearances are done by the government; the government contracts with private companies to do the background checks, but the government actually grants the security clearances, not Booz Allen. Snowden already had a security clearance when he was hired at Booz Allen; he was already working in the Agency, he already had access. All we did was switch him from a Dell contract to a Booz Allen contract.
Part of the reason why contractors prefer to hire people who already have the access is that they (the contractors) don’t have to spend more money paying the government to have to do this. Ultimately the government provides the security clearance.
TCB: Many people have said insider threats are most concerning. Is it the relationship between the NSA and private contractors that’s at issue?
SB: I believe it is. Many people have made the argument that it could just as easily have been a government employee, but one of the things to look at with regards to the difference between a contractor relationship versus an internal employee is that when you’re employed by the government, when you get a job with NSA, you are hired for your skill set, and they, the government, will look at you and your skill set and decide where they’re going to put you. It’s much more difficult for someone with malicious intent to target a specific government position they want access to. Whereas on the contractor side, generally there are specific positions that are being advertised; the particulars might not be specifically advertised in the job description but you can narrow it down a lot to know what it is you will be doing and what you will have access to, based upon those job descriptions. So it can be easier to target a specific position.
For example, I think Snowden would have done what he did regardless if he came to us (Booz Allen) or not, but according to an article I read, he did admit in 2013 that he targeted our contract, he knew what we did, and he targeted it because he knew once he got the job, he would be placed into a specific position that would give him the access.
TCB: Does this raise questions about the NSA reforms put in place after Snowden, assuming this theft happened after the Snowden reforms? Presumably there are reforms on an ongoing basis.
SB: I don’t think there’s much you can do to stop every insider threat; I think you have to do your due diligence from a security perspective. What surprises me is that the IT or technical controls weren’t able to detect or respond to this quickly enough. If he (Martin)—and obviously I am not party to the details—was pulling out removable media, how is it that removable media is still permitted or allowed in the Agency? How did he still have that access? It may have obviously depended on the nature of his job but for the most part, the removal of media should be disabled completely across the Agency. If you have a legitimate business need for removal of media, you need to have strict auditing and monitoring of those drives to ensure that access controls are in place.
For me, it becomes an issue of IT and a security question. If they were fixed after Snowden, why are they still ineffective?
TCB: Is this always going to be a threat? Is there any foolproof way of protecting intelligence? How can employers best protect from the insider threat?
SB: There’s no foolproof way to prevent an insider threat. I don’t think it’s possible. I think an employer, whether it’s a private company or a defense contractor or the government, there’s always risk. You try to do your due diligence on who you’re actually hiring, and then you need to do your due diligence of protecting yourself, technologically, and procedure-wise. The NSA has around 30,000 employees; that’s a needle in a haystack, and it can be very challenging to make sure that every person in there, is there, with the correct intent, with the desire to do right, and not to be malicious.
Fionnuala Sweeney is Vice President and Executive Editor at The Cipher Brief.