The arrest of a National Security Agency contractor charged with stealing highly classified material is the latest example of a trend that officials say can be every bit as dangerous as an outside hacker: the insider threat.
The federal government has been increasingly concerned about the ability of its own employees and contractors to use their positions to walk away with troves of sensitive information. And it has tried to implement new safeguards to not only better secure important data but also monitor the people with access to it.
Fears over insider threats intensified after the breaches by former Army Pfc. Chelsea Manning and Edward Snowden, an NSA contractor working for Booz Allen Hamilton. But with the revelation that Harold Thomas Martin III was arrested in August and charged with theft of government property and unauthorized removal and retention of classified materials, there will be even greater scrutiny of how the nation protects its secrets, officials said.
The allegations against Martin, 51, of Glen Burnie, Md., suggest “that our counterintelligence abilities are still inadequate,” said Steven Aftergood, the director of the Project on Government Secrecy for the Federation of American Scientists. “And that the kinds of precautions that would be necessary to prevent removal of highly classified material are not in place . . . It simply should not be possible to remove information from a classified system without supervision by somebody else. And evidently that kind of supervision was lacking here.”
Martin’s federal public defenders said in a statement that the charges against him were “mere allegations.” “There is no evidence that Hal Martin intended to betray his country,” the attorneys said.
Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee, said in a statement that the case makes it “painfully clear that the intelligence community still has much to do to institutionalize reforms designed to protect in advance the nation’s sources and methods from insider threats.”
In response to the Manning WikiLeaks leak, President Obama in 2011 issued an executive order that established a National Insider Threat Task Force and required all federal agencies that handle classified material to institute programs to seek out saboteurs and spies.
Agencies began monitoring their computer networks with renewed scrutiny and tracking employee behavior for signs of problems. Even workers with the highest clearances face additional surveillance.
The Pentagon’s Defense Security Service announced this year that contractors will be required to implement programs that are designed “to detect, deter and mitigate insider threats.” Contractors will be required to designate a senior insider threat official to oversee the program and provide training on how best to implement it.
While many details of the Martin case are not yet known, it is clear that it is not good for Booz Allen to have a second employee charged with stealing secrets from one of its most important customers, officials said.
“When a government employee does something like this, it is a scandal of one sort or another,” said Loren Thompson, a defense industry consultant who also serves at the Lexington Institute. “But when a contractor is involved, it’s potentially a business-threatening situation.”
Booz Allen’s share price dropped nearly 5 percent on the news Wednesday.
In an SEC filing, Booz Allen said that “we immediately reached out to the authorities to offer our total cooperation in their investigation, and we fired the employee. We continue to cooperate fully with the government on its investigation into this serious matter.”
It added that there have “been no material changes to our client engagements as a result of this matter.”
After the Snowden scandal, Booz Allen vowed to strengthen its security procedures. And critics have blasted the nation’s intelligence community for loose controls, especially over contractors. But contractors remain a vital component of the United States’ national security and intelligence establishments, so much so that “the system would not function without them,” Aftergood said.
Chris Taylor, a longtime defense industry executive who teaches a class on the business of national security at Georgetown University, said that the threats the country faces are very complex and moving so fast that it makes sense to tap outside expertise.
“Any bureaucracy has an optimum speed at which they can operate,” he said. “And if they’re wise enough to realize those constraints keep them behind the power curve, they look outside for capacity to help them get ahead.”
Several top defense firms have developed technologies designed to root out insider threats for government agencies and corporations. Lockheed Martin provides a service called Wisdom, which it says acts as your “eyes and ears on the Web.” On its website, the company says that “insider threat losses are escalating at an alarming rate, with trade secrets and [intellectual property] theft projected to double in 2017.”
Booz Allen, which came under intense scrutiny after Snowden walked off with some of the NSA’s most closely guarded secrets, also helps organizations root out rogue employees. Last year, it announced a partnership with Raytheon, which offers a service that can give organizations the ability to digitally record the activity on their employees’ computer screens and play it back — even in slow motion.
“Organizations are paying more attention to protecting their enterprises against the growing cyberthreats, and as a result, they are putting more personnel, IT and consulting resources toward managing this risk,” Brad Medairy, a Booz Allen senior vice president, said at the time. “While managing the outside risk is critical, equally as important is the threat from within.”
The detection programs use artificial intelligence and machine learning to create profiles of employees based on their activity, vacuuming up reams of data: every time an employee swipes their badge to get into the building, every time they log on to their computer, the phone calls they make, the amount of email sent and received, the files they access, the data they upload.
“All these things generate a breadcrumb trail of your activities,” said Chris Kauffman, the chief executive of Personam, a Northern Virginia company that focuses on insider threats. “Then it’s up to the machine learning algorithms to sift through the data to establish patterns.”
It tracks “anomalies” such as off-hour entries into the building or when large files are downloaded. Kauffman said his company’s system caught rogue attorneys who were surreptitiously making electronic copies of case files.
Even so, insider threats pose a delicate and difficult challenge and can be hard to detect, especially since large amounts of data can be downloaded quickly and stored on tiny devices.
“The problem with insider threats is that they’re not trying to infiltrate the place,” Thompson said. “They are already there, and they know most of the procedures guarding information. When you know those procedures, you can develop better ways of working around them.”