Why does Wik­iLeaks keep get­ting our se­crets? Con­trac­tors.

Jour­nal­ist Tim Shor­rock says pri­vate com­pa­nies aren’t held ac­count­able when their work­ers dis­close clas­si­fied in­for­ma­tion

The Washington Post Sunday - - OUTLOOK - Twit­ter: @Ti­mothyS Tim Shor­rock is the au­thor of “Spies for Hire: The Se­cret World of In­tel­li­gence Out­sourc­ing.”

When Wik­iLeaks re­leased more than 8,000 files about the CIA’s global hack­ing pro­grams this month, it dropped a tan­ta­liz­ing clue: The leak came from pri­vate con­trac­tors. Fed­eral in­ves­ti­ga­tors quickly con­firmed this, call­ing con­trac­tors the like­li­est sources. As a result of the breach, Wik­iLeaks edi­tor Ju­lian As­sange said, the CIA had “lost con­trol of its en­tire cy­ber­weapons arse­nal.”

In­tel­li­gence in­sid­ers were dis­mayed. Agen­cies “take a chance with con­trac­tors” be­cause “they may not have the same loy­alty” as of­fi­cers em­ployed by the gov­ern­ment, former CIA direc­tor Leon Panetta lamented to NBC.

But this is a li­a­bil­ity built into our sys­tem that in­tel­li­gence of­fi­cials have long known about and done noth­ing to cor­rect. As I first re­ported in 2007, some 70 cents of ev­ery in­tel­li­gence dol­lar is al­lo­cated to the pri­vate sec­tor. And the re­lent­less pace of merg­ers and ac­qui­si­tions in the spies-for-hire busi­ness has left five cor­po­ra­tions in con­trol of about 80 per­cent of the 45,000 con­trac­tors em­ployed in U.S. in­tel­li­gence. The threat from un­re­li­able em­ploy­ees in this multi­bil­lion-dol­lar in­dus­try is only get­ting worse.

The five mar­ket lead­ers are Booz Allen Hamil­ton, CSRA, SAIC, CACI In­ter­na­tional and Lei­dos. All of them are based in Vir­ginia and are deeply in­volved in de­vel­op­ing cy­ber and hack­ing tools. Other play­ers in the cy­ber realm in­clude Ac­cen­ture, Raytheon and Northrop Grum­man. The CIA, which has his­tor­i­cally hired re­tired agents for its clan­des­tine con­trac­tor force, has in­creas­ingly turned to cor­po­ra­tions for its hack­ing teams.

De­spite the trust placed in them by the gov­ern­ment and the pub­lic, pri­vate con­trac­tors — in­clud­ing the big ones — con­tinue to make cat­a­strophic mis­takes in over­see­ing their em­ploy­ees. The most high-pro­file con­trac­tor leak was from Ed­ward Snow­den, who worked for Booz Allen at the Na­tional Se­cu­rity Agency. But the prob­lems have per­sisted well af­ter he ab­sconded in 2013 with tens of thou­sands of clas­si­fied doc­u­ments about the NSA’s global sur­veil­lance pro­grams and the Pen­tagon’s topse­cret oper­a­tions.

Last month, a fed­eral grand jury in­dicted Harold T. Martin III, a Mary­land con­trac­tor with Booz Allen, in the theft of a mas­sive cache of clas­si­fied ma­te­rial from the NSA and other spy agen­cies over 18 years. Prose­cu­tors called the theft “breath­tak­ing in its longevity and scale.” Martin pleaded not guilty.

Also last month, Wil­liam Evan­ina, the na­tion’s top coun­ter­in­tel­li­gence of­fi­cer, dis­closed that U.S. of­fi­cials had re­cently dis­cov­ered two more pri­vate-sec­tor breaches. In one in­ci­dent, a con­trac­tor stole more than 200 gi­ga­bytes of clas­si­fied in­for­ma­tion from an un­spec­i­fied agency and sold it to a for­eign coun­try, Evan­ina said in a pub­lic talk at the Na­tional Press Club. And in De­cem­ber, he added, gov­ern­ment in­ves­ti­ga­tors learned that a con­trac­tor work­ing for a com­pany mak­ing en­gines for stealth fighter planes had stolen un­clas­si­fied data that could al­low “ad­ver­saries” of the United States to “re­verse-en­gi­neer” the en­gines to un­der­stand U.S. ca­pa­bil­i­ties.

So con­trac­tors have been re­spon­si­ble for at least five ma­jor se­cu­rity lapses in four years. Even if some of th­ese leaks re­vealed gov­ern­ment wrong­do­ing (as some of the Snow­den and Wik­iLeaks doc­u­ments clearly did), shouldn’t the com­pa­nies be held re­spon­si­ble when se­crets are dis­closed?

I put the ques­tion to Evan­ina, the direc­tor of the Na­tional Coun­ter­in­tel­li­gence and Se­cu­rity Cen­ter in the Of­fice of the Direc­tor of Na­tional In­tel­li­gence (ODNI). “We’re all ac­count­able,” he re­sponded. Nei­ther the Martin nor the Snow­den case, he said, should make Booz Allen or any other con­trac­tor sub­ject to spe­cial over­sight. “This could hap­pen to any­one,” he said. In­stead of fo­cus­ing on con­trac­tors, Evan­ina said, “we need to find com­mon so­lu­tions” to fer­ret­ing out “in­side threats” that are ap­pli­ca­ble to all play­ers in U.S. in­tel­li­gence.

And it’s true that leaks come from in­side as well: Chelsea Manning was a U.S. Army sol­dier when she pro­vided Wik­iLeaks with nearly 1 mil­lion mil­i­tary doc­u­ments in 2010. And just this month, a gov­ern­ment im­agery sci­en­tist was sen­tenced to fed­eral prison for ex­fil­trat­ing clas­si­fied doc­u­ments to his home in Mary­land.

Evan­ina was once the CIA’s top coun­ter­in­tel­li­gence of­fi­cer. He de­scribed the re­cent leaks as an in­evitable result of a spy cul­ture in which, he pointed out, con­trac­tors em­ploy 800,000 of the 4 mil­lion U.S. cit­i­zens hold­ing se­cu­rity clear­ances. “When we’re in the shop, we’re all ag­nos­tic,” he said. “We look at con­trac­tors as co-work­ers, not green-bad­gers.” He was re­fer­ring to the iden­ti­fi­ca­tion cards that dis­tin­guish con­trac­tors from gov­ern­ment em­ploy­ees.

That rosy view of U.S. in­tel­li­gence as one big, happy fam­ily is part of the prob­lem. In 2015, a year be­fore Martin was ar­rested, Evan­ina shared a podium at a high-level in­tel­li­gence con­fer­ence in Washington with Art Davis, Booz Allen’s direc­tor of cor­po­rate se­cu­rity. In his pre­sen­ta­tion, which I ob­served as a re­porter, Davis boasted that his com­pany had un­der­gone a “meta­mor­pho­sis of se­cu­rity” as a result of the Snow­den leaks in 2013.

Booz, he said, had dou­bled its spend­ing on se­cu­rity and adopted a “full-scale coun­ter­in­tel­li­gence pro­gram” fo­cused on 2,500 em­ploy­ees with “ac­cess to the king­dom” — a ref­er­ence to the highly clas­si­fied doc­u­ments that Snow­den and Martin rou­tinely han­dled. Such em­ploy­ees are sub­ject to “con­tin­u­ous eval­u­a­tion,” he said. “If they don’t pass, they leave their jobs.” Evan­ina then took the mi­cro­phone. He praised Booz’s se­cu­rity plan and noted that he had met with Davis “a lot” about th­ese is­sues.

Clearly, that joint plan failed. Yet af­ter Martin’s ar­rest, Evan­ina explained that the gov­ern­ment had done all it could to pre­vent leaks. “I don’t be­lieve there’s any­thing new that we have to in­cor­po­rate” in gov­ern­ment over­sight, he told The Washington Post. With the lat­est leak at the CIA, that sounds hol­low, if not down­right risky.

The crux of the prob­lem may be pri­va­tized in­tel­li­gence it­self. That’s the view of vet­eran in­tel­li­gence re­porter Ed­ward Ep­stein in his con­tentious but in­for­ma­tive new book, “How Amer­ica Lost Its Se­crets.” Snow­den chose Booz Allen specif­i­cally for its vul­ner­a­bil­ity, Ep­stein said at a re­cent talk. “He switched jobs to get ac­cess to the list of com­put­ers NSA had pen­e­trated” and even took a pay cut to do so. Booz over­looked the fact that Snow­den lied about ed­u­ca­tion cour­ses he was sup­pos­edly tak­ing when he ap­plied for his po­si­tion at the NSA’s Na­tional Threat Oper­a­tions Cen­ter, Ep­stein said.

But Booz Allen didn’t try to ver­ify Snow­den’s claim and didn’t change its mind on Snow­den’s job “even af­ter it found out about the sub­terfuge,” Ep­stein said. As the holder of an NSA con­tract, he ar­gued, the com­pany had a fi­nan­cial in­cen­tive to “hire peo­ple as cheaply as pos­si­ble,” so its per­son­nel and clear­ance sys­tem broke down. For ex­am­ple, Snow­den fraud­u­lently ob­tained pass­words from fel­low Booz em­ploy­ees to gain ac­cess to 24 sep­a­rate, highly clas­si­fied NSA com­part­ments. (Snow­den has not de­nied th­ese spe­cific charges, but on his Twit­ter feed, he has hotly dis­puted other ma­te­rial from Ep­stein’s book. Booz has said lit­tle more than an as­ser­tion that “Snow­den did not share our val­ues.” Lately it has been silent as it awaits the re­sults of an ex­ter­nal re­view of its se­cu­rity prac­tices by former FBI direc­tor Robert Mueller, whom it hired for the probe.)

The case of Martin, a hoarder who al­legedly snatched more than 75 per­cent of the NSA’s soft­ware tools to hack for­eign com­put­ers, may be even worse. Ac­cord­ing to his 20-count in­dict­ment, eight of his thefts took place while he was em­ployed by Booz Allen from 2009 to 2016. Be­fore that, he worked for Tenac­ity So­lu­tions, a Vir­ginia com­pany founded by former CIA of­fi­cers that spe­cial­izes — iron­i­cally — in train­ing in­tel­li­gence agen­cies and con­trac­tors in op­er­a­tional se­cu­rity. While work­ing for Tenac­ity in the ODNI, which over­sees the en­tire in­tel­li­gence bu­reau­cracy, he com­mit­ted seven ma­jor thefts, the in­dict­ment says, in­clud­ing a doc­u­ment from the se­cre­tive Na­tional Re­con­nais­sance Of­fice that in­cluded de­tails of “an un­ac­knowl­edged ground sta­tion” for in­tel­li­gence col­lec­tion. He worked for seven com­pa­nies dur­ing the al­leged 18-year crime spree, in­clud­ing CSC, an im­por­tant NSA con­trac­tor that is now part of CSRA.

Dur­ing that time, his em­ploy­ers and their agency over­seers missed nu­mer­ous red flags, in­clud­ing se­ri­ous drink­ing prob­lems, un­paid taxes, pub­lic ac­cu­sa­tions of com­puter ha­rass­ment and other episodes. “Un­der clear­ance rules, such events should have trig­gered closer scru­tiny by the se­cu­rity agen­cies where he worked as a con­trac­tor,” the New York Times con­cluded af­ter an in­ves­ti­ga­tion. Martin’s em­ploy­ers, too, are sworn to pro­tect na­tional se­cu­rity se­crets as part of their highly prof­itable work for the gov­ern­ment.

Any­body with a se­cu­rity clear­ance, in­clud­ing gov­ern­ment em­ploy­ees, is a po­ten­tial risk. But gov­ern­ment su­per­vi­sors’ first loy­alty is to the gov­ern­ment they serve, not the com­pa­nies that em­ploy con­trac­tors — and, there­fore, they are ul­ti­mately re­spon­si­ble for man­ag­ing se­cu­rity risks.

Surely the time has come to make pri­vate con­trac­tors di­rectly ac­count­able for leaks of clas­si­fied ma­te­rial by can­cel­ing con­tracts or charg­ing ex­ec­u­tives with neg­li­gence when leaks hap­pen. Un­til the gov­ern­ment and its in­tel­li­gence lead­ers are will­ing to use their over­sight pow­ers to patch se­cu­rity holes in this man­ner and en­force greater sepa­ra­tion be­tween spy agen­cies and their con­trac­tors, pri­va­tized work­ers will never be a re­li­able way to ac­com­plish the coun­try’s in­tel­li­gence goals. With­out le­gal and fi­nan­cial ac­count­abil­ity, the only way to strengthen se­cu­rity is to re­strict high-level na­tional se­cu­rity work to civil ser­vants sworn to pro­tect the Con­sti­tu­tion.

That may be dis­rup­tive to in­tel­li­gence-ser­vices com­pa­nies such as Booz Allen and would un­doubt­edly re­quire a huge in­fu­sion of gov­ern­ment work­ers. But it may be the safest op­tion if the CIA wants to keep its se­crets. Sim­ply put, the out­sourc­ing of U.S. in­tel­li­gence oper­a­tions has gone far enough.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.