Edward Snowden addresses an international audience remotely on the eve of the debut of "Snowden," September, 2016.

Edward Snowden addresses an international audience remotely on the eve of the debut of "Snowden," September, 2016. PATRICK TUCKER / DEFENSE ONE

Data-Theft Arrest Shows that Insider Threat Remains Despite Post-Snowden Security Improvements

The recent arrest of an NSA contractor shows that the intelligence community has much further to go in stopping insider threats.

Not every insider threat fits the same mold, and that is what makes stopping the theft of data by individuals with clearance so difficult. Harold Martin III, the NSA contractor arrested Aug. 27 for hoarding agency documents, according to a recently released Justice Department complaint, is a case in point.

Martin is accused of stealing Top Secret files, but not of distributing them, or of committing espionage. At least, he’s not been charged with that yet. The authorities are looking into whether Martin might be linked to the Shadow Brokers, a group that attempted to auction off a set of stolen NSA exploits the same month he was arrested, according to the Washington Post. But just last week, Shadow Brokers took to Medium to complain that no one is taking the auction seriously. That suggests that Martin and Shadow Brokers are separate. Moreover, the investigation into the Shadow Brokers theft has shifted toward the possibility that the loss happened after an NSA agent left software tools behind during a tailored access operation. TAOs are attempts to breach a foreign nation’s computer network, sometimes by physically breaking into the target’s facilities. Martin did work in the NSA Tailored Access Operations unit, according to the Daily Beast.

At first glance, Martin appears to be a very different and more subtle sort of insider threat than Edward Snowden, who stole documents and made them public. Instead, Martin appears to have stolen information for personal use. That sort of thing is much harder to detect.

In 2012, the Obama administration created a task force to stop data theft, leaks, and insider threats. The task force began to implement a program of continuous evaluation, whose goal is detect the red flags that could help identify a potential Snowden before that individual gives a bunch of secrets away. Today, almost all intelligence community employees and contractors with Top Secret clearance are subjected to continuous evaluation, according to William Evanina, the National Counterintelligence Executive. But it was not in place in 2014 The material that the FBI found in Martin’s home dates back to that year. And it is not yet fully in place across the Defense Department, where Martin, employed by Booz Allen Hamilton, was working as a contractor.

In 2000, Martin had a $8,997 lien against his home, according to The New York Times. In 2003, he was accused of using a computer for harassment, a charge that was later dismissed. A drunk-driving charge in 2006 was also dropped. Today, these sort of incidents might raise a red flag under continuous evaluation.

Martin was also enrolled in a Ph.D program at the University of Maryland. His dissertation, submitted earlier this year, was on the “exploration of new methods for remote analysis of heterogeneous & cloud computing architectures.” That means he was looking at how to map and analyze a cloud computing network made up of multiple different devices (heterogenous) and do it from a computer that is physically distant from the network (remotely).

That sort of research could be used legitimately by someone looking to map and analyze a cloud network remotely to service it, or by someone looking to map out and analyze a network secretly from a safe, distant location to steal data. But by itself the research is not terrifically provocative.

Last month, Evanina described how the Office of the Director of National Intelligence searches the open web for material like what Martin allegedly took.

While most people rarely see headlines about NSA or intelligence leaks, classified, secret, or sensitive information does make its way into academic research papers with some regularity, Evanina said.

“There's no more shock and awe,” he said, referring to splashy headlines of the sort that appeared on newspaper front pages in 2013. “Now all this stuff is academic...It gets published, maybe in Der Spiegel, but usually in some trade publication and it goes on the internet. Those are just as damaging because the only body with interest in that work are those that really have a stake. For instance, if the article that was done by a consortium of folks is about how does the FBI put out fires, utilizing four fire trucks and an ambulance, how do they get to the fire, what hoses do they us...nobody reading USA Today is going to care about that.”

Evanina warned that even continuous evaluation cannot be guaranteed to prevent an insider intent on stealing data.

“It’s not possible,” said Evanina, “The same way you can’t stop someone from starting a fire who wants to be an arsonist.”

In a recent report, the House Intelligence Committee reached the same conclusions, but then went to disparage the community for not trying hard enough.

“Although it is impossible to reduce the chance of another Snowden to zero, more work can and should be done to improve the security of the people and computer networks that keep America’s most closely held secrets. For instance, a recent DOD Inspector General report directed by the Committee found that NSA has yet to effectively implement its post-Snowden security improvements. The Committee has taken actions to improve IC information security in the Intelligence Authorization Acts for Fiscal Years 2014, 2015, 2016, and 2017, and looks forward to working with the IC to continue to improve security.”