When WikiLeaks released more than 8,000 files about the CIA’s global hacking programs this month, it dropped a tantalizing clue: The leak came from private contractors. Federal investigators quickly confirmed this, calling contractors the likeliest sources. As a result of the breach, WikiLeaks editor Julian Assange said, the CIA had “lost control of its entire cyberweapons arsenal.”
Intelligence insiders were dismayed. Agencies “take a chance with contractors” because “they may not have the same loyalty” as officers employed by the government, former CIA director Leon Panetta lamented to NBC.
But this is a liability built into our system that intelligence officials have long known about and done nothing to correct. As I first reported in 2007, some 70 cents of every intelligence dollar is allocated to the private sector. And the relentless pace of mergers and acquisitions in the spies-for-hire business has left five corporations in control of about 80 percent of the 45,000 contractors employed in U.S. intelligence. The threat from unreliable employees in this multibillion-dollar industry is only getting worse.
The five market leaders are Booz Allen Hamilton, CSRA, SAIC, CACI International and Leidos. All of them are based in Virginia and are deeply involved in developing cyber and hacking tools. Other players in the cyber realm include Accenture, Raytheon and Northrop Grumman. The CIA, which has historically hired retired agents for its clandestine contractor force, has increasingly turned to corporations for its hacking teams.
Despite the trust placed in them by the government and the public, private contractors – including the big ones – continue to make catastrophic mistakes in overseeing their employees. The most high-profile contractor leak was from Edward Snowden, who worked for Booz Allen at the National Security Agency. But the problems have persisted well after he absconded in 2013 with tens of thousands of classified documents about the NSA’s global surveillance programs and the Pentagon’s top-secret operations.
Last month, a federal grand jury indicted Harold T. Martin III, a Maryland contractor with Booz Allen, in the theft of a massive cache of classified material from the NSA and other spy agencies over 18 years. Prosecutors called the theft “breathtaking in its longevity and scale.” Martin pleaded not guilty.
Also last month, William Evanina, the nation’s top counterintelligence officer, disclosed that U.S. officials had recently discovered two more private-sector breaches. In one incident, a contractor stole more than 200 gigabytes of classified information from an unspecified agency and sold it to a foreign country, Evanina said in a public talk at the National Press Club. And in December, he added, government investigators learned that a contractor working for a company making engines for stealth fighter planes had stolen unclassified data that could allow “adversaries” of the United States to “reverse-engineer” the engines to understand U.S. capabilities.
So contractors have been responsible for at least five major security lapses in four years. Even if some of these leaks revealed government wrongdoing (as some of the Snowden and WikiLeaks documents clearly did), shouldn’t the companies be held responsible when secrets are disclosed?
I put the question to Evanina, the director of the National Counterintelligence and Security Center in the Office of the Director of National Intelligence (ODNI). “We’re all accountable,” he shot back. Neither the Martin nor the Snowden case, he said, should make Booz Allen or any other contractor subject to special oversight. “This could happen to anyone,” he said. Instead of focusing on contractors, Evanina said, “we need to find common solutions” to ferreting out “inside threats” that are applicable to all players in U.S. intelligence.
And it’s true that leaks come from inside as well: Chelsea Manning was a U.S. Army soldier when she provided WikiLeaks with nearly 1 million military documents in 2010. And just this month, a government imagery scientist was sentenced to federal prison for exfiltrating classified documents to his home in Maryland.
Evanina was once the CIA’s top counterintelligence officer. He described the recent leaks as an inevitable result of a spy culture in which, he pointed out, contractors employ 800,000 of the 4 million U.S. citizens holding security clearances. “When we’re in the shop, we’re all agnostic,” he said. “We look at contractors as co-workers, not green-badgers.” He was referring to the identification cards that distinguish contractors from government employees.
That rosy view of U.S. intelligence as one big, happy family is part of the problem. In 2015, a year before Martin was arrested, Evanina shared a podium at a high-level intelligence conference in Washington with Art Davis, Booz Allen’s director of corporate security. In his presentation, which I observed as a reporter, Davis boasted that his company had undergone a “metamorphosis of security” as a result of the Snowden leaks in 2013.
Booz, he said, had doubled its spending on security and adopted a “full-scale counterintelligence program” focused on 2,500 employees with “access to the kingdom” – a reference to the highly classified documents that Snowden and Martin routinely handled. Such employees are subject to “continuous evaluation,” he said. “If they don’t pass, they leave their jobs.” Evanina then took the microphone. He praised Booz’s security plan and noted that he had met with Thomas “a lot” about these issues.
Clearly, that joint plan failed. Yet after Martin’s arrest, Evanina explained that the government had done all it could to prevent leaks. “I don’t believe there’s anything new that we have to incorporate” in government oversight, he told The Washington Post. With the latest leak at the CIA, that sounds hollow, if not downright risky.
The crux of the problem may be privatized intelligence itself. That’s the view of veteran intelligence reporter Edward Epstein in his contentious but informative new book, “How America Lost Its Secrets.” Snowden chose Booz Allen specifically for its vulnerability, Epstein said at a recent talk. “He switched jobs to get access to the list of computers NSA had penetrated” and even took a pay cut to do so. Booz overlooked the fact that Snowden lied about education courses he was supposedly taking when he applied for his position at the NSA’s National Threat Operations Center, Epstein claims.
But Booz Allen didn’t try to verify that claim and didn’t change its mind on Snowden’s job “even after it found out about the subterfuge,” Epstein said. As the holder of an NSA contract, he argued, the company had a financial incentive to “hire people as cheaply as possible,” so its personnel and clearance system broke down. For example, Snowden fraudulently obtained passwords from fellow Booz employees to gain access to 24 separate, highly classified NSA compartments. (Snowden has not denied these specific charges, but on his Twitter feed, he has hotly disputed other material from Epstein’s book. Booz has said little more than an assertion that “Snowden did not share our values.” Lately it has been silent as it awaits the results of an external review of its security practices by former FBI director Robert Mueller, whom it hired for the probe.)
The case of Martin, a hoarder who allegedly snatched more than 75 percent of the NSA’s software tools to hack foreign computers, may be even worse. According to his 20-count indictment, eight of his thefts took place while he was employed by Booz Allen from 2009 to 2016. Before that, he worked for Tenacity Solutions, a Virginia company founded by former CIA officers that specializes – ironically – in training intelligence agencies and contractors in operational security. While working for Tenacity in the ODNI, which oversees the entire intelligence bureaucracy, he committed seven major thefts, the indictment says, including a document from the secretive National Reconnaissance Office that included details of “an unacknowledged ground station” for intelligence collection. He worked for seven companies during the alleged 18-year crime spree, including CSC, an important NSA contractor that is now part of CSRA.
During that time, his employers and their agency overseers missed numerous red flags, including serious drinking problems, unpaid taxes, public accusations of computer harassment and other episodes. “Under clearance rules, such events should have triggered closer scrutiny by the security agencies where he worked as a contractor,” the New York Times concluded after an investigation. Martin’s employers, too, are sworn to protect national security secrets as part of their highly profitable work for the government.
* * * * * * *
Anybody with a security clearance, including government employees, is a potential risk. But government supervisors’ first loyalty is to the government they serve, not the companies that employ them – and therefore, they are ultimately responsible for managing security risks.
Surely the time has come to make private contractors directly accountable for leaks of classified material by canceling contracts or charging executives with negligence when leaks happen. Until the government and its intelligence leaders are willing to use their oversight powers to patch security holes in this manner and enforce greater separation between spy agencies and their contractors, privatized workers will never be a reliable way to accomplish the country’s intelligence goals. Without legal and financial accountability, the only way to strengthen security is to restrict high-level national security work to civil servants sworn to protect the Constitution.
That may be disruptive to intelligence-services companies such as Booz Allen and would undoubtedly require a huge infusion of government workers. But it may be the safest option if the CIA wants to keep its secrets. Simply put, the outsourcing of U.S. intelligence operations has gone far enough.
(c) 2017, Special to The Washington Post · Tim Shorrock