Spy Agencies Should Kick the Contractor Habit
Are government cyberoperations safe when they involve people from the private sector? That's the question raised by the indictment of former National Security Agency contractor Harold Martin on 20 counts of obtaining and keeping national defense information.
While Martin held various security clearances — including "top secret" — between 1993 and his arrest in August 2016, he worked for seven different private companies that did contract work for the government. Meanwhile, he was hoarding government documents, lots of them. At some point, he allegedly stole three-quarters of the hacking tools used by the NSA's elite Tailored Access Operations unit. The indictment doesn't say Martin sold or handed the stolen data to anyone, but a group called Shadow Brokers recently offered some of the NSA's top-secret tools for sale — and then "went dark," claiming it hadn't found a buyer.
Bringing talented civilians into cyberintelligence work is tempting, but dangerous. Sure, it avoids some of the rigors of hiring government staffers — in 2014, Federal Bureau of Investigation Director James Comey lamented that his agency couldn't find enough hackers to hire because many of them "want to smoke weed on the way to the interview." It also lowers overhead costs, and allows for more budget flexibility through project-based employment.
But the convergence between the private sector and intelligence services has too often led to costly security breaches, from Edward Snowden to Martin — at least, according to the indictment.
Of course, career officers can steal and leak secret information, too — double agents and moles don't only exist in spy novels. But the fact remains that intelligence professionals haven't been apprehended or faulted in any recent cybersecurity fiascos.
So is there an inherent danger in inducting talented civilians from the private sector into cyberintelligence work?
The community from which many highly-skilled techies spring is by nature anarchic. Disrespect for authority and reverence for technical prowess over traditional intelligence methods are common values. They are also values not shared with agency employees enjoying excellent benefits while building long-term careers and comfortable retirements.
Russia is also learning the dangers of working with freelancers, as we learned from recent arrests of a group of Russian intelligence officers and civilians allegedly involved in running an information-selling scheme.
The Moscow investigations involve a hacking group called Shaltai Boltai, or Humpty Dumpty, which had for years harvested compromising material on Russian officials, some of it by hacking e-mails. It allegedly published some of the stolen information as teasers and sold the rest.
According to a member of the group who is still free and applying for political asylum in Estonia, the group began cooperating recently with members of the FSB, the Russian domestic intelligence service. It's not clear whether the several FSB officers arrested at the same time as most of Shaltai Boltai were working together. At least one of them was a former "black hat" hacker: Dmitry Dokuchaev, who, according to some reports, was blackmailed into working for the FSB after government employees showed him evidence of his exploits under his handle, Forb.
The FSB was clearly playing with fire when it hired a known hacker, something that isn't standard U.S. practice as far as we know. But the lessons are the same.
Steven Bay, the Booz Allen manager working on an NSA project who hired Snowden, addressed the contractor problem in a recent article for The Cipher Brief. He argued that the economic and skill-related benefits of hiring private labor were too big for governments to pass up. But, he wrote:
It may be smart for the government to more tightly control access to highly sensitive programs by only allowing government employees access and preventing contractors from essentially being long-term staff-augmentation.
Snowden, according to Bay, was essentially part of a NSA team, sharing its staff members' access privileges. Apparently that was also the case with Martin; otherwise he wouldn't have gotten to the Tailored Access Operations toolkit. And in Moscow, Dokuchaev was treated as an insider despite his dubious induction history.
According to cybersecurity professionals, insiders present the greatest threat of security breaches. In the case of intelligence agencies, it seems that the biggest danger comes from semi-insiders — those who do not share the organization's ethos and goals but possess rare skills it can use. The special services need to consider the tricky trade-off between those skills and loyalty.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.