The leak of documents allegedly describing secret CIA hacking techniques has shined a light on the intelligence agency’s use of contractors and its efforts to tackle the insider threat problem.
WikiLeaks published the documents on Tuesday, and the CIA has not confirmed the authenticity of the files. Little is known about the nature of the breach, but officials have told Reuters that intelligence agencies have known of it since late last year and that it is currently suspected to be the work of agency contractors. If that is the case, it would bring increased scrutiny to the Intelligence Community’s efforts to stop leaks like those of former government contractors and leakers Edward Snowden and Harold Martin, who removed classified information without authorization. The Cipher Brief spoke with its network of experts to assess the alleged leak and its potential impact on contracting and insider threats.
Zeroing in on Insider Threats
This incident could potentially add to the list of major public cases where someone who is not a permanent intelligence agency staffer foiled the IC’s efforts to stem the insider threat problem.
“In the aftermath of Snowden and similar things happening at NSA, which had its own breach recently of their cyber tools, you would think CIA would have studied — and perhaps they did, but clearly not effectively enough – what happened at NSA,” former Acting Director of the CIA Michael Morell said. “They should ask how do we make sure it doesn’t happen here and put in place extra safeguards to make sure that it couldn’t happen at CIA.”
If an insider threat investigation needs to be conducted, it would likely have to focus on questions in three key areas of physical, technical and personnel security, according to former Acting Director of the CIA John McLaughlin.
“I cannot comment at all on whether any of the programs alleged by WikiLeaks actually exist. However, if there needs to be a counterintelligence investigation, meaning how could such a thing have happened, it would have to involve at least three things: an examination of physical security at facilities housing programs; an examination of technical security, that is, could there have been a hack into the programs; and third, personnel security, meaning could someone with knowledge of the program have compromised it,” McLaughlin told The Cipher Brief.
Rhea Siers, former Deputy Associate Director for Policy at the NSA, noted that there is a “specific protocol to these investigations; they are not haphazard.” On the strategic level, trend data about insider threats must be closely analyzed, and the security process must be transparent to the IC leadership and “accountable for demonstrating its effectiveness,” she said.
“Sometimes it is necessary to reevaluate an entire personnel security process to ensure there are no gaps. I would hope that has already occurred in the recent cases, before this latest WikiLeaks case,” Siers wrote in an e-mail to The Cipher Brief.
Chris Inglis, former NSA deputy director, said that in the immediate aftermath there will likely be “some amount of triage” as the agency tries to make sure “that you’re going to close this barn door.”
“Not that you can recover the horse that’s escaped, but you don’t want this to be a continued problem,” he said. “But beyond that, you need to think about what you do to prevent a recurrence and it’s never going to happen this way again.”
Overall, “an insider program need not be kind of a big, bright light that shines on an employee like 1984. It must be a part of protecting the resiliency of the company,” he said.
“This is well beyond what the Intelligence Community needs. The private sector needs this as much or more because they have information that is extremely valuable to their corporate proposition or those who have allowed them to collect that information in the first place,” he added.
But for the IC, beyond an initial incident, this could offer an opportunity to strategically “reframe what we do, how we do it, and who we share that with,” according to Inglis.
“The questions that are naturally being asked by potential counterparts or partners of the CIA, are can I trust that you’re going to protect my information, can I trust that you’re pursuing the right things using my information. So this is an opportunity to revisit that and say, we’re going to get this right tactically in the mid-term, and in the long-term. In so doing, it’s an opportunity to take advantage of what’s otherwise a difficult situation,” Inglis said.
Questioning the Use of Contractors
There are “literally thousands” of contractors at the CIA, according to Sen. Dianne Feinstein (D-CA), ranking member of the Senate Judiciary Committee and a longtime member of the Senate Intelligence Committee.
In 2007, under CIA Director Michael Hayden, the CIA decided to cut its contractor staffing by 10 percent. Feinstein noted that since the beginning of CIA Director Leon Panetta’s tenure in 2009, the CIA has cut back on contract employees “at least 5 percent a year, and that has continued on and that is still continuing on.”
“But the fact of the matter is there are so many that I think this is highly problematic. There are literally thousands,” Feinstein said on Thursday.
The examples of Snowden, Martin and now potentially this “being dumped by a contractor” should “cause us concern and the need to look at what we’re doing,” the senator said.
Inglis told The Cipher Brief that the issue with contractors should not be whether the U.S. government should use them, but instead “whether you can, in some way, shape or form, achieve the same confidence that they’ll follow the same procedures, have the same view of what’s to be protected, and actually protect it.”
“I don’t think that this should call into question whether we should use contractors because they are quite important for two reasons,” he said. “One, you can leverage expertise that is not naturally found inside the government. Two, it’s a sort of augmentation as your needs wax and wane.”
Siers said that “this really should not be focused primarily on the use of contractors but rather about the security processes and risk assessments surrounding contractors.”
“However, the government has become increasingly reliant on contractors since 9/11,” she said. “Contractors rely on recruiting employees who already have clearances, like Snowden, to cut costs. Some people have called contractors ‘the shadow workforce,’ and as part of the IC workforce, we shouldn’t focus on whether there should be contractors, but instead on how best to utilize them.”
It is key to recognize that “to some degree, contractors are often treated differently, as perhaps commodities in the workplace in the worst situation,” Inglis said.
Tackling the insider threat issue with contractors means also undertaking a cultural shift in how these staffers are treated. Officials should be concerned with how to make sure contractors “feel the same attachment to the mission and the purpose” as government employees, he said, so they are “therefore less likely to betray that.”
Steven Bay, who served as Snowden’s boss when he worked as an NSA contractor with Booz Allen Hamilton, previously wrote in The Cipher Brief that “there is no perfect solution” to the issue of using government contractors.
“There will always be people who want to ban contractors from access to classified programs and others who will view contractors as necessary or even beneficial,” he wrote. “The solution is somewhere in the middle. It may be smart for the government to more tightly control access to highly sensitive programs by only allowing government employees access, and preventing contractors from essentially being long-term staff-augmentation. But it would be folly to ban contractors altogether.”
WikiLeaks founder Julian Assange held an online press conference on Thursday to claim he would provide technology companies with exclusive access to the tools he purportedly has. He also said this incident is “a historic act of devastating incompetence” and that WikiLeaks had “discovered the material as a result of it being passed around.”
Assange said “there's absolutely nothing to stop a random CIA officer” or a contractor from using the hacking tools. “The technology is designed to be unaccountable, untraceable,” according to Assange, who has been holed up in Ecuador’s embassy in London since 2012 to avoid extradition to Sweden over rape allegations.
In response to Assange’s press conference, CIA spokesperson Jonathan Liu said in a statement that “as we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity.”
The CIA previously released a statement this week, saying, “the American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm.”
This is undoubtedly a tough situation for the IC, Siers noted, but it should not spark a rush to make unnecessary, burdensome changes.
“This is a difficult situation for many reasons — and IC agencies have to be careful not to overreact and make security processes even more onerous for the 99.99 percent of their employees and contractors who are not threats,” she said. “Balancing risk against what we need to accomplish is a tough calculus.”
Mackenzie Weinger is a national security reporter at The Cipher Brief. Follow her on Twitter @mweinger.
Pam Benson contributed to this report.