You have private for-profit companies doing inherently governmental work like targeted espionage, surveillance, compromising foreign systems. And there’s very little oversight, there’s very little review.
—EDWARD SNOWDEN, Moscow, 2014
Prior to Snowden’s theft of NSA documents, the single most shattering blow to the confidence of the U.S. intelligence community was the 1994 exposure of Aldrich Ames as a long-serving Russian mole in the CIA. Ames, it will be recalled, had been a high-ranking CIA officer, working at the CIA’s Counterintelligence Center Analysis Group, before he was arrested by the FBI. He had also worked as a mole for Russian intelligence.
In a plea bargain to avoid a death sentence (he was sentenced to life imprisonment), he admitted that he had successfully burrowed into the CIA and had worked there for over nine years on behalf of the KGB. His description of his sub-rosa activities as a mole was part of the plea bargain. This stunning revelation shook the CIA leadership to its core. Until then, CIA executives steadfastly denied that it was possible that the KGB could sustain a mole in American intelligence. The Ames arrest also led the NSA to reassess its own vulnerability to penetration. Could there be an Ames inside the NSA?
The question was considered by the NSA’s National Threat Operations Center, the same unit from which Edward Snowden later stole a huge trove of secret documents. According to a report in 1996 titled “Out of Control” (later released by the NSA), the danger of an Ames-type penetration could not be excluded. Even though the “threat officer” who wrote this report was not identified by name, his analysis proved incredibly prescient. He said that the NSA’s drive to enhance its performance by networking its computers would result in the intelligence services’ putting “all their classified information ‘eggs’ into one very precarious basket.” The basket was the computer networks run by technicians called system administrators. He pointed out that the NSA was becoming increasingly dependent on such networked computer systems, and he predicted that the NSA’s “Aldrich Ames,” as he put it, would be a “system administrator,” which was the position that Edward Snowden held nearly two decades later at Dell when he began stealing secrets.
The NSA’s system administrators were, as the threat officer pointed out, very different from the traditional military employees at the NSA. They were usually civilians who effectively served as repairmen for complex computer systems. Moreover, many of them had not been directly hired by the NSA. Instead, their recruitment had been privatized to outside contractors.
This outsourcing had deep roots tracing back to World War II. Ed Booz and Jim Allen, the founders of Booz Allen Hamilton, obtained contracts to help manage ship construction from the U.S. Navy. After the war ended, they sought contracts for their firm in classified work. These contracts grew in size as the NSA needed more and more system administrators and other information technologists to manage the computer networks. These system administrators needed to be given special privileges to do their service job. One such privilege allowed them to bypass password protection. Another privilege allowed them to temporarily transfer data to an external storage device while they repaired computers. These two privileges greatly increased the risk of a massive breach. Seeing them as the weak link in the chain, the threat officer wrote in the report that “system administrators are likely to be increasingly targeted by foreign intelligence services because of their special access to information.”
Before the computerization of the NSA, the threat officer noted, code clerks and other low-level NSA communicators had been the targets of adversary intelligence services. But the increasing reliance on computer technicians presented foreign intelligence services with much richer targets. He predicted that they would adapt their recruiting to this new reality. Specifically, he argued that adversary intelligence services would now focus their attention on system administrators. “With system administrators,” he said, “the situation is potentially much worse than it has ever been with communicators.” The reason, he explained, was that “system administrators can so easily, and quickly, steal vast quantities of information.”
He further suggested that because system administrators are often drawn from the counterculture of hacking, they are more likely to be vulnerable to an adversary service using a fake identity for its approach, or a “false flag.” A “false flag” was a term originally applied to a pirate ship that temporarily hoisted any flag that would allow it to gain proximity to its intended prey, but in modern times it describes a technique employed by espionage services to surreptitiously lure a prospect. False flags were a staple used by the KGB in espionage recruitment during the Cold War. They were usually employed when a target for recruitment was not ideologically disposed to assisting the intelligence service. To overcome that problem, recruiters hide their true identities and adopt a more sympathetic, bogus one.
In 1973, the KGB, working through one of its agents in the U.S. Navy, used the false flag of Israel to recruit Jerry Alfred Whitworth, who served as a communications officer with a top secret clearance for the navy. Like many other KGB recruits, Whitworth came from a broken family, dropped out of high school, took technical courses, and got a job as a communications officer. He was not disposed to working for Russia. But he was willing to steal enciphered and plain text cables to help in the defense of Israel. After he was thoroughly compromised by his espionage work, he was told by the KGB recruiter that he was actually working for Russia, but by this time he was too deeply compromised to quit. He continued his espionage work for another eight years. (Whitworth, who was arrested by the FBI in 1985, was convicted of espionage and sentenced to 365 years in prison.)
The Internet provided an almost ideal environment for false flags because its users commonly adopt aliases, screen names, and other avatars. The threat officer explained how easy it would be for the KGB to adapt such a false flag when dealing with a dissident system administrator working for U.S. intelligence. As the threat officer pointed out in his report, the KGB had used false flags in the late 1980s to surreptitiously recruit members of the “German Hanover Hackers,” a community of anarchistic hackers who breached computer networks for fun and profit. Until then, these hacktivists stole corporate and private passwords, credit card information, and other privileged documents as a form of freelance espionage. Because of their fervent anti-authority ideology, the KGB disguised its recruiters as fellow hacktivists. The KGB succeeded in getting the Hanover hackers to steal log-in account identifications, source codes, and other information from U.S. government computer networks.
The weak link of system administrators became increasingly relevant as the NSA moved further into the digital age. By the beginning of this century, its growing networks of computers were largely operated by civilian technicians, including system administrators, infrastructure analysts, and information technologists, who were needed to keep the system running. Despite the warning by the threat officer, the NSA became more and more reliant on these outsiders as it reorganized to meet its new mandates for surveillance of the Internet in the war on terrorism.
The NSA had to compete with technology companies, such as Google, Apple, and Facebook, for the services of experienced IT workers. Though Booz Allen had been providing technically trained specialists to the government since the 1940s and ’50s, congressionally imposed salary caps put the NSA at a disadvantage to private firms in its recruitment efforts. As a result, it increasingly contracted with private firms to find talent, especially in the rush for data-based intelligence following 9/11. Booz Allen, to meet increased demand, recruited civilian technicians from many unconventional areas, including the hacking culture. Ex-hackers who lacked (or shunned) employment opportunities in the corporate sector were suitable candidates for the system administrator jobs that these firms had contracted to supply the NSA. In the rush to expand, little heed was paid to the 1996 warning that this hacking culture might provide a portal to anti-government hacktivist groups. The NSA became so enamored of this new computer technology that it neglected the security implications of employing outsiders to service it. “All of us just fell in love with the ease and convenience and scale [of electronic storage],” General Hayden, who headed the NSA at the time, said to The Wall Street Journal in 2015. “So we decided to take things we used to keep if not in a safe, at least in our desk drawer, and put it up here [in a computer network], where it’s by definition more vulnerable.” Making matters even worse, as has previously been discussed, the NSA stripped away much of the so-called stovepiping that insulated highly sensitive data from the NSA’s other computer networks.
FBI Director Mueller, in his “Statement Before the Senate Committee on Homeland Security and Governmental Affairs,” described a decade of post–9/11 intelligence reorganization thus: “One of the first steps was to centralize control and management of counterterrorism operations at headquarters to avoid the ‘stove-piping’ of information on terrorism cases in the 56 individual field offices across the country.” Here the NSA was merely following the recommendations of the 9/11 Commission to make their data more accessible to other agencies concerned with potential terrorist attacks, but as a result, the inner sanctum of the NSA became more open to its new army of civilian technicians.
By 2013, much of the job of managing the NSA’s classified computers had been handed over to a handful of private companies: Booz Allen Hamilton, which handled the most highly secret work; Dell SecureWorks; Microsoft; Raytheon; and IBM. In many respects, these five companies acted less like management consultants and more like temporary employment agencies in finding for the NSA the computer specialists who had the necessary security clearances.
The NSA found that the universe of independent contractors was governed by very different considerations from that of intelligence services. Unlike intelligence services, their fate depended on turning profits. Because the value of their contracts was largely limited by competitive bidding, their business plans were predicated on their ability to minimize the costs of fulfilling these contracts. Their principal cost was the salaries they paid their independent contractors. Their business plans therefore depended on finding large numbers of computer technicians in the private realm willing to work at an NSA base at relatively low wages. This task became more difficult as many potential recruits could find higher-paying employment with more of a future in the burgeoning private sphere. But the companies could also increase their revenue streams by getting additional contracts, which, in turn, meant recruiting even more workers.
Such a business plan could hardly afford to give the highest priority to the low probability of a security risk. In the private sector, there is usually an unambiguous external measure of failure. An automobile company such as General Motors can measure the performance of its executives by reckoning its change in net income. With secret intelligence work, the metrics for failure are far less clear. This curious aspect of secret work was part of the advice given to a White House lawyer in the Obama administration seeking a position with the NSA in 2012, who was told that among the advantages of working for a super-secret agency was that if one errs or has a failure, “it stays secret.” The Snowden case showed that not all failures stay secret.
The NSA can certainly quantify the amount of data it is intercepting, but it obviously cannot count the intelligence that it misses. The a priori proposition in the intelligence game is that “what is successfully hidden is never found.” But one failure that cannot be hidden is a security breach in which a perpetrator uses NSA data to publicly expose the NSA’s sources.
Until the Snowden breach in 2013, the NSA had experienced only one such public failure. It was the capture by North Korea in 1968 of the USS Pueblo, which had been carrying out highly sensitive electronic communications interception for the NSA. The Pueblo crew failed to destroy the NSA’s encoding machines, which were flown to Russia several days later. It was a horrible, costly breach. The Snowden breach was much worse because, among the thousands of documents he stole, he selected lists of the NSA’s secret sources in adversary nations.
The Snowden breach was a failure that directly traced back to the NSA’s largest and most trusted contractor, Booz Allen Hamilton, calling into question the vexing issue of privatizing secret intelligence. Booz Allen, like other private firms that did work for the government, was in the business to make money. Indeed, it had found government contracts so much more profitable than its work in the private sector that it sold its private sector unit to PricewaterhouseCoopers. The profitability of government work led the Carlyle Group’s private equity fund to acquire a controlling stake in Booz Allen in July 2008. By 2013, it had increased its revenue by more than $1.3 billion by expanding its government contracts. Even more impressive, its operating profit on these contracts had doubled. It did not need to increase its core internal staff to achieve these profits; it just had to hire outside contractors. In 2008, Booz Allen claimed 20,000 employees on its internal staff; in 2013, it claimed fewer than 5,000. The resulting “reduced headcount,” according to its January 30, 2013, quarterly report, greatly decreased its costs for incentive pay. It mainly accomplished this reduction by expanding the number of outside contractors it employed, 8,000 in these five years, by one Wall Street analyst’s calculation. They were employed as system administrators, infrastructure analysts, computer security specialists, and other “geek squad” jobs at the NSA and other government agencies. Their main qualification was their prior security clearances (which as mentioned earlier saved Booz Allen the expense of vetting them and also the loss of income while waiting many months for a clearance).
Snowden therefore was highly desirable for Booz Allen from an economic point of view. Even though he had no prior experience as an infrastructure analyst, and he had been detected being untruthful about his degree in computer sciences, he not only had a SCI security clearance but was willing to take a cut in pay. In keeping with the Booz Allen business plan, such a recruit provided another cog in its profit machine.
Not only had the NSA outsourced much of its computer operations to private companies, but the Clinton administration in 1996 had privatized background checks for government employees requiring security clearances. The idea, backed by Vice President Al Gore, was to reduce the size of the federal government by outsourcing investigating the backgrounds of millions of government applicants for jobs. The task had previously been performed by the FBI, but it was assumed that a profit-making business could do it faster and more efficiently. The private company named U.S. Investigations Services was purchased in 2007 for $1.5 billion by Providence Equity Partners, a rapidly expanding investment firm founded in 1989 by graduates of Duke, Brown University, and the Harvard Business School. So like Booz Allen, USIS was backed by a hedge fund determined to make money by systematically cutting the cost of a service previously carried out by the government.
But such outsourcing had drawbacks. For one thing, unlike the FBI, USIS lacked the investigative clout to gain entry to certain government agencies. A Congressional review found that the Privacy Act permits disclosure of government agency records to the private firm if they are part of a “routine use of the records,” but intelligence agencies did not consider all such requests to be “routine.” For example, when it did the background check on Snowden in 2011, it could not get access to his CIA file. The “derog” in his file might have set off alarm bells, as might the fear that he had been threatened by an internal investigation over his alleged computer tampering in 2009. The FBI might have learned this about Snowden if it had done his background check.
The lack of adequate oversight was another problem. USIS closed cases and cleared applicants without completing an adequate investigation. According to a U.S. government suit filed in 2014, USIS had prematurely closed over 665,000 investigations in order to get paid for them more quickly. Because USIS was paid according to the number of cases it completed each month, the lawsuit alleged, its employees often “flushed,” or ended, cases before completing a full investigation in order to meet corporate-imposed quotas for getting bonuses. One employee, in an e-mail cited in the government’s complaint, said they “flushed everything like a dead goldfish.” As a result, some information specialists entering the NSA through the back door of outside contractors were not fully vetted. (On August 20, 2015, USIS agreed to forfeit $30 million in fees to settle the lawsuit.)
USIS was also open to sophisticated hacking attacks by outsiders. In August 2014, the Department of Homeland Security’s counterintelligence unit discovered such a massive and persistent breach in USIS that it shut down its entire exchange of data with it. The intrusion into USIS records in this case was attributed to hackers in China most likely linked to the Chinese intelligence service. Such massive intrusions dated back to 2011. The lack of security on USIS’s website left a gaping hole through which outside parties, including Chinese and Russian hackers, could learn both the identity and the background information of specialists applying for jobs at the NSA.
These private companies also did not sufficiently protect the personal data of their independent contractors working at the NSA. The hackers’ group Anonymous took credit for the successful 2011 attack on the Booz Allen Hamilton servers. It also cracked the algorithms used to protect employees. It next injected so-called Trojan horse viruses and other malicious codes into Booz Allen servers that allowed it future entry. If amateur hackers such as Anonymous could break into the computers of the NSA’s largest contractor, so could adversaries’ state espionage services with far more advanced hacking tools. From these sites, China or Russia could obtain all the job applications and personal résumés submitted to contractors such as Booz Allen. It could then compile a list of the best candidates to do its bidding.
These deficiencies in the private sector were compounded by the failure of security in the government’s own Office of Personnel Management. It used a computer system called e-QIP in which intelligence employees, including outside contractors, updated their computerized records to maintain or upgrade their security clearances. For example, Snowden updated his clearance in 2011. To do so, these employees constantly updated their financial and personal information. As it turned out, there was a major hole in the e-QIP system. It had repeatedly been hacked by unknown parties since 2010. In 2015, the U.S. government told Congress that China was most likely responsible, but Russia and other nations with sophisticated cyber services could also have participated in the hacking. In any case, the records of over nineteen million employees, including intelligence workers, became available to a hostile intelligence service. This breach would allow hostile services to obtain a great deal of information about independent contractors working at the NSA. They could then use this data to follow the movements of any of these intelligence workers they deemed of interest.
Despite all the potential flaws in it, the outsourcing system continued in place. It even featured a revolving door through which Booz Allen hired retiring executives from the intelligence services, such as the former NSA director Michael McConnell; James Woolsey, a former director of the CIA; and the retired general James Clapper, who later served as director of national intelligence.
The cozy relationship between the private firms and the NSA notwithstanding, the NSA leadership operated as if it were unaware that outsourcing could create a security problem. As far back as 2005 General Hayden, then the departing head of the NSA, had been warned of one such vulnerability in a memorandum written by a counterintelligence officer at the NSA. Like the earlier 1996 report by the threat officer, this memorandum noted the NSA had ceded responsibility for managing its secret systems to outsiders and warned that the NSA’s reliance on them to manage its computers had opened a back door into the NSA. In addition, it warned that once an outside contractor managed to slip in through this back door, he could easily jump from one outsourcer to another. This was what Snowden did when he moved from Dell to Booz Allen Hamilton in 2013.
Despite its security flaws, outsourcing seemed to provide a number of advantages to the NSA. For one thing, it provided a means for circumventing the budget restrictions imposed by Congress on hiring new employees. In addition, because private companies had less rigid hiring standards, it greatly expanded the pool of young system administrators by tapping into computer cultures that would be antagonistic to working directly for the government. Finally, it drew less on NSA resources. Because these information technologists were only temporary employees, they were not entitled to military pensions, paid medical leave, and other benefits. It was a system that effectively replaced military careerists with freelancers.
The irony of the situation was that the NSA had surrounded its front doors with rings of barbed wire, closed-circuit cameras, and armed guards, but for reasons of economy, bureaucratic restrictions, and convenience it had left the back door of outsourcing open to temporary employees of private companies, even though it might take some time for them to gain entry to its inner sanctum.
“It was not a question of if but when one of the contractors would go rogue,” the former NSA executive who wrote the 2015 memorandum told me. Snowden answered that question in 2013. Even more extraordinary than the theft itself was the reaction to it by the NSA. It turned out that there was no cost of failure levied against the outside contractor Booz Allen, which had employed Snowden when he bypassed its security regime to steal the keys to the kingdom. Booz Allen had not reported “red flags” concerning Snowden’s attempt to get secrets to which he was not privy and his absence from work for six days. Nor was Snowden the last Booz Allen contractor to compromise NSA secrets. On August 27, 2016, the FBI arrested Harold Thomas Martin, who worked on a Booz Allen contract at an NSA facility, for stealing secret NSA documents. Even so, the NSA did not penalize Booz Allen. Instead, its revenues and profits from government contracts markedly increased between 2013 and 2016.
Despite these breaches, the NSA did not alter its reliance on private contractors. The back door to the NSA remained wide open. Outsourcing to private companies has become an all but irreplaceable part of the intelligence system in America, Snowden’s actions and the risk of similar actions in the future notwithstanding.