The vulnerability of the US intelligence community to leaks from private contractors has been exposed once again by the arrest of Reality Winner, the woman charged with sharing classified information about Russian attempts to hack the US election.
It is more than four years since Edward Snowden’s revelations opened up the surveillance secrets of the NSA and triggered what was intended to be an overhaul of the way sensitive material was shared.
Yet official figures suggest that more than 400,000 contractors still have top security clearances and access to information.
Precise statistics on how many private contractors are employed by intelligence agencies, and what percentage of America’s $70bn a year intelligence budget they represent, are hard to come by.
But according to a 2016 report from the office of the director of national intelligence, 428,000 contractors had top secret security clearances in 2015, representing about 35% of the total individuals with top-secret clearances and access to information.
Two years after the Snowden leaks, an executive at Booz Allen Hamilton, the massive firm where he had been a contractor, told an intelligence industry conference that the firm had undergone a “metamorphosis of security” and that employees were now monitored by the company’s own “counterintelligence program” that provided “continuous evaluation”.
A year later, another Booz Allen Hamilton contractor was arrested and charged with stealing classified information.
The new charges against Reality Winner, a government contractor accused of printing a secret NSA document about Russian hacking and sharing it with journalists at the Intercept news organization, have reignited the debate over how much the US government relies on private contractors to carry out top-secret work – and how accountable these contractors are to the public.
Those debates have flared up periodically over the past decade – but then they have subsided, again, without substantive reforms, critics of intelligence contracting say.
“When it’s out of the media eye, things tend to fall back to the way that they were being run, without a lot of oversight,” said Mike German, a fellow at the Brennan Center for Justice’s Liberty and National Security Program.
Intelligence agencies and contractors “keep a lot of information about what they do secret”, German said. “That is often necessary to protect sensitive techniques or sources – but just as often used to hide error and abuse.”
In 2013, after the Snowden leaks, Senator Dianne Feinstein reportedly discussed legislation that would “limit or prevent contractors from handling highly classified technical data”. But industry executives quickly pushed back against the idea.
“I think Americans really don’t realize how dependent we are on for-profit companies doing very serious and high-level intelligence work,” said Tim Shorrock, the author of Spies for Hire: The Secret World of Intelligence Outsourcing. “I am shocked that there has been so little congressional action.”
Pluribus International, where Winner worked, according to the complaint against her, is not one of the intelligence industry’s major players, which include Booz Allen Hamilton, CSRA, SAIC, CACI International and Leidos. Instead, it appears to be one of at least hundreds of smaller contracting firms that work with federal agencies, Shorrock said.
“There’s hundreds of these kinds of smaller companies that you often don’t hear of unless something like this happens,” Shorrock said.
On its website, Pluribus lists 22 locations, including in Korea, and a list of clients that includes the Defense Threat Reduction Agency’s Security and Counterintelligence office and the US Army Intelligence and Security Command.
Executives from Pluribus International, including its owner, Nathan McCarry, did not respond to multiple requests for comment. No one answered the phone at the company’s main line in Alexandria, Virginia.
Revenue data for Pluribus posted on Washington Technology, an industry outlet for small business contractors in the government market, show the company growing rapidly over the past 12 years. Its total revenue was under $1m in 2005, and grew to more than $9m in 2009 and more than $16m in 2012.
The company’s website currently lists 107 job openings.
In October 2016, after employee Harold Martin III was arrested and charged with stealing classified information, Booz Allen Hamilton announced an “external review of the firm’s security, personnel, and management processes and practices” led by the former FBI director Robert Mueller.
“We are determined to learn from this incident and look more broadly at our processes and practices,” the company said in a press release.
“The Mueller review is substantially complete and we expect delivery of the report soon,” spokesman James Fisher wrote. Mueller has since moved on to serving as the special counsel overseeing the justice department’s investigation of Russian meddling in the 2016 election.
Asked for comment on security reforms within intelligence work since the Snowden leak, a spokesman for the office of the director of national intelligence referenced the National Insider Threat Task Force, and efforts to decrease the overall number of people with security clearances.
But Shorrock said this focus on helping companies develop ways to scan for “insider threats” was less crucial than imposing more rigorous public oversight of private intelligence contractors.
“The government could make it very difficult for corporations and contractors when these kinds of breaches happen, that the companies get penalized in some way,” Shorrock said.
Lobbying and the revolving door between government agencies and private companies stand in the way of reform, Shorrock said.
“The closeness of these companies to the government is very troubling,” he said. “People go back and forth and, you know, it’s this buddy-buddy system. They’re all buddies and they all see themselves as part of the same family, and they’re not.”