The NSA is one of the world’s most notoriously secretive and powerful government agencies, guarding its powerful hacking tools and massive caches of collected data under layers of security clearances and world-class technical protections. But it turns out that three times in three years, that expensive security has been undone by one of its own contract employees simply carrying those secrets out the door.
In 2013, an NSA contractor named Edward Snowden walked out of the agency’s building in Oahu, Hawaii, carrying a USB drive full of thousands of top-secret documents. Last year, a 53-year-old Booz Allen contractor for the NSA named Hal Martin was arrested last year for taking 50 terabytes out of the agency over a period as long two decades. And Thursday, the Wall Street Journal reported that in 2015, a third contract employee of the NSA in as many years took home a trove of classified materials that included both software code and other information that the agency uses in its offensive hacking operations, as well as details of how it protects US systems from hacker adversaries.
That classified data, which wasn’t authorized to be removed from the perimeter of the facility where that contractor worked, was then stolen from the contractor’s home computer by Russian spies, who exploited the unnamed employee’s installation of antivirus software from Kaspersky, a Russian company. And while that revelation has raised yet another round of serious concerns and unanswered questions about Kremlin spying and the role of Kaspersky’s widely used commercial software, it also points to a more fundamental security problem for the NSA: The own-goals it has committed, as a series of its paid employees spill some of its most sensitive secrets—including its intensely guarded and dangerous hacking techniques.
While Kaspersky is one major—though possibly unintentional—culprit in this latest theft of secrets, the root cause of the breach is the deep negligence of the NSA employee who violated his security clearance by taking incredibly sensitive materials home, says Dave Aitel, a former NSA staffer who now runs the security firm Immunity Inc.
“What are the hell are these people thinking?” asks Aitel. “Leaving the NSA with top-secret documents and putting them on your home machine is the very first thing they tell you not to do. Why it keeps happening is a mystery to me, and probably to the management at NSA.”
The revelation of the latest unidentified contractor, whose employer also hasn’t been publicly named, comes a year after Martin was caught leaving sensitive data on hard drives in his home and car, a collection that included 75 percent percent of the hacking tools used by the NSA’s elite hacking team, known as Tailored Access Operations, according to the Washington Post. Prosecutors in Martin’s case have said the data also contained the highly secret identities of undercover agents.
It’s not yet clear if either Martin or the most recent contractor to breach the agency’s secrecy rules had any intention of selling or exploiting the documents they took. The latest incident in particular seems to be a case of carelessness, rather than profit or malice, according to the Wall Street Journal‘s reporting. Both of those leaks contrast with the whistleblowing-motivated data thefts of Edward Snowden—another Booz Allen contractor—who stole his thousands of top secret files with the intention of giving them to media.
‘What are the hell are these people thinking?’
Former NSA analyst Dave Aitel
But in the wake of the leaks carried out by Snowden, this third contractor breach points to a continuing problem with the NSA’s operational security and contractor management, one serious enough that NSA director Admiral Michael Rogers was officially reprimanded by his superiors, and some high-ranking officials suggested to President Obama he be removed from his position, according to some reports last year. Rogers nonetheless maintained control of the NSA under the Trump administration. An NSA spokesperson declined to comment on “personnel issues or ongoing investigations,” but did defend the agency’s security posture.
“Admiral Rogers has made security of information a top priority during his tenure. The NSA operates in one of the most complicated IT environments in the world,” the spokesperson says. “Over the past several years, we have continued to build on internal security improvements while carrying out our mission to defend the nation and our allies around the clock. We are not relying only on one initiative. Instead we have undertaken a comprehensive and layered set of enterprise defensive measures to further safeguard operations and advance best practices across the intelligence community.”
The NSA press office declined to elaborate on those measures, or provide more detail.
The NSA’s two most recent leaks may in fact have already had massively damaging, observable consequences: Many in the security community speculate—but have not confirmed—that the Shadow Brokers, a group of unidentified hackers who released a series of stolen NSA hacking tools over the last year, obtained that hacking arsenal from one of the two post-Snowden insider leaks. Those tools have already been reused by malicious criminal and state-sponsored hackers to spread the WannaCry ransomware worm as well as the NotPetya malware, to install crypto-currency mining malware on victims’ machines, and to harvest usernames and passwords from high-value spying targets via hotel Wi-Fi.
And yet the leaks continue. That’s possibly because as dangerous as the “insider threat” problem may be, it has no easy solution, says Susan Hennessey, a former NSA attorney who now serves as a fellow at the Brookings Institution. If someone wants to ferret secrets out of their own office, there are simply too many ways to do it, perhaps most straightforwardly on a USB drive in their pocket.
“You can’t run a large federal agency like an airport, where every single person is patted down and screened coming in and out,” Hennessey says. “Hiring practices and clearance investigations and computer security can address some concerns, but at the end of the day intelligence agencies necessarily have to vest a lot of trust in their employees. So effective insider threat measures have to begin with a recognition that some risks can’t be eliminated, only managed.”
But the NSA’s cozy relationship with contractors bears much of the blame, too, says Tim Shorrock, the author of the book Spies for Hire, which focuses on corruption in the intelligence-contractor industry. He notes that contractors account for close to 30 percent of agency staff, and 60 percent of their budgets. He sees the three recent breaches as evidence that those massive payouts aren’t accompanied by proper oversight. “They’re leaving way too much authority to the contractors to police themselves and it’s clear that system is failing,” Shorrock says. “There needs to be some kind of mechanism to police the contractors.”
‘Effective insider threat measures have to begin with a recognition that some risks can’t be eliminated, only managed.’
Former NSA Lawyer Susan Hennessey
Shorrock also points to a lack of consequences for the companies who supplied the contractors behind the recent breaches. He argues that stems in part from the revolving door of officials between the intelligence agencies and the private sector; both the directors of national intelligence under Presidents Obama and George W. Bush had previously worked for Booz Allen, for instance.
But former NSA analyst Aitel believes the cultural issues at the NSA run deeper than contractors alone. He says it was common during his time at the agency to see core NSA staffers do work at home, too—albeit not with actual classified documents—reading news stories and public sources of information security reports, digging up technical information, and even talking on the phone with each other in vague or coded terms, which he considers especially unwise.
Aitel argues that the NSA’s recent leaks stem from a more fundamental problem: The agency’s sheer scale, and a structure that doesn’t restrict its staffers often enough to information on a “need-to-know” basis. “There’s something structurally wrong here,” Aitel says. “This is about scale and segmentation. It’s very hard to have a really big team where everyone’s read in on everything and not have it leak.”