Spy saga exposes screening gaps
The Pittsburgh Tribune-Review
Several times during 2009 and 2010, Pfc. Bradley Manning opened the Secret Internet Protocol Router Network on a computer in the Army's Contingency Operation Station Hammer in Iraq.
Within seconds, he downloaded gigabytes of classified documents culled from the military and State Department. He later shipped the data across the Internet to WikiLeaks, a loose confederation of transparency advocates.
Manning, 25, pleaded guilty on Feb. 28 to 10 charges of violating military law by taking the information off SIPRNet and giving it to people who were not supposed to access it. Millions of readers worldwide consumed the secret diplomatic cables, military action reports and even recorded war footage, courtesy of Wiki-Leaks. Manning contests espionage charges.
Stung by the scope of that data breach, President Obama issued Executive Order 13587 on Oct. 7, 2011. Binding on the military and intelligence agencies, it sought “policies and minimum standards” to keep classified information secure, classified personnel secret and systems free from tampering.
The measure was designed to shore up vulnerabilities that allowed Manning to walk away with troves of classified data, and it extended the requirements to “contractors and others who operate or access classified computer networks.”
The rules appear to have worked until sometime before June 6. That's when The Guardian began publishing scoops based on documents leaked to the London newspaper by Edward Snowden, 30, a hacker who broke into National Security Agency computer networks while working for Booz Hamilton, a government contractor.
Snowden reportedly inserted a thumb drive in a government computer and downloaded thousands of classified documents. As a result, people worldwide know that the NSA:
• Compiled call and location data from American telephone subscribers suspected of committing no crimes, along with vast stores of global electronic information;
• Bugged encrypted fax machines at the European Union and tapped calls and data of ordinary citizens flowing across fiber-optic lines in Europe;
• Spied on Asian telephone and data traffic, the European Union's delegations in the United States and Brussels, and millions of Brazilian emails and phone calls.
Manning was one of more than 800,000 federal workers whose security clearance gave him access to secret files — caches of data that following the 9/11 attacks were distributed widely to ensure vital information was not “stovepiped” within one agency.
Snowden was one of more than 500,000 private contractors with the same privileges.
Though most of these workers never will violate laws protecting classified material, experts told the Tribune-Review that little can be done to prevent breaches. Stolen data is easily downloaded to the Internet, even though federal offices with secret missions increasingly banned disk drives and other concealable portable memory devices.
In addition, the employee vetting process provides a snapshot at the time of hire, not a continuous picture of how a person's allegiances might shift.
Ultimately, experts say, it comes down to whether agencies and contractors trust those with government secrets at their fingertips and, increasingly, whether intelligence workers trust their agencies.
Daniel Schwartz, general counsel for the NSA from 1979-80, said the traditional way to vet NSA and CIA employees is “perfectly sufficient” for contractors. Documents by the NSA's Central Security Service show that citizens trying to land a job at the agency face a gantlet of medical screenings, drug testing, lie detector interviews and a background investigation that lasts up to a year.
The process is designed to reveal where applicants lived or traveled abroad, the identities of foreign friends and colleagues, credit histories, job performance and, most importantly, a potential employee's loyalty to the United States.
Snowden passed a similar vetting process when he worked under diplomatic cover in Geneva for the CIA. But screening for contractors often is more lax, and it's not continuously updated, Schwartz said.
The outsourcing trend began in the 1990s and accelerated since 9/11 to meet a “surge” in demand for federal workers and contractors with security clearances while keeping control of costs that could skyrocket if all were government employees.
Now three out of four background checks are handled by the private sector. The biggest player is U.S. Investigations Services, a Virginia firm that vetted Snowden for Booz Hamilton.
“These investigations are confidential, and USIS does not comment on them,” said Ray Howell, company spokesman, in a written statement to the Trib.
Proponents say private companies finish investigations faster and cheaper than federal agencies. Critics contend those firms need to adopt intense background checks.
“After 10 years, this isn't a ‘surge.' It's an increase that's long-term and must be addressed in the same manner,” said Schwartz, a partner at Bryan Cave LLP, a national law firm. Otherwise, he said, “we end up with more Snowdens.”
Contractors should mandate routine polygraph interviews and work with federal agencies to monitor employees' statements and acquaintances on social media networks, Schwartz and other experts say. Firms should look for signs like those Snowden put out, showing he went from an anti-Manning stance — suggesting leakers should be shot — to a more sympathetic view of online mavericks such as WikiLeaks or the loose affiliation of activist hackers known as Anonymous.
“You don't ask how they use their social media; you investigate,” Schwartz said. “You see with whom they're sharing information. You start to ask contractors like Snowden different sorts of questions than we did with earlier generations, such as, ‘Do you think states should hold secrets?' Or, ‘Do you believe in a world that's transparent, with no secrets?' ”
Schwartz calls this federal counterespionage capability “understaffed and under-resourced” and wants Congress and the White House to hire enough in-house snoops “to do a full background investigation” before giving someone access to classified information. He said spot checks should happen throughout employment.
‘Like a Chinese finger trap'
Internet security expert Joshua Corman thinks background checks are fine, but he's more concerned about an intelligence community backlash against “anyone who appears ‘hackerish.' ” He said a 21st-century “digital McCarthyism” could hurt national security by blacklisting many intellectually important computer experts on the suspicion that they might become a leaker.
Greater censorship of internal dissent, secrecy and “stovepiping” of information within the agencies could spark “whistle-blowers everywhere,” he said.
“It's like a Chinese finger trap,” Corman said. “You have two sides in opposition to each other, and they're stuck in the trap, feeding off each other.”
Corman thinks spy agencies and contractors need to better understand the diverse IT specialists. These specialists are connected to each other globally but strive to find a communally accepted moral compass in using digital powers with humility, wisdom and restraint.
Many of their leading voices, Corman said, seek a utopian world with “no secrets” while advocating for absolute privacy from state snooping into social networks.
“So you have this continuing struggle for balance between absolute privacy and absolute transparency,” Corman said. “And the two can never meet.”
Whistle-blowers are important for a democracy because they inform people about what secretive agencies do — sometimes in disregard of constitutional rights. But whistle-blowers are dangerous because they can expose classified materials that could harm American security or get informants killed.
Corman wants agencies to develop in-house means for dissidents to express ethical, legal or pragmatic concerns about projects, and he wants hackers to form a social contract with governments.
Alan Willett, an Ithaca, N.Y-based consultant at Oxseeker, said spy agencies and contractors need to reform how they interact with employees.
“Today's generation of IT workers absolutely can keep secrets. They do so all the time, and they have deep-seated ethics to go alongside great tech skills,” Willett said. “But they also see themselves as global denizens who are connected to many people beyond our borders.”
That sense of “purpose and ethics,” he said, makes whistle-blowers.
“We live in an age of transparency, where life happens in social networks online. We have to confront that reality. But we also have to ask hard questions,” Willett said. “Was NSA pushing the envelope of the law? Was the agency hiding important programs from the American people? People notice that, which is why the agency must continually engage with them.”