The recent arrest of a Booz Allen Hamilton employee on charges of stealing top-secret hacking codes from the National Security Agency has cast more light on the vast privatization of US intelligence and the cozy relations between contractors and their government overseers.
As reported last week, Harold Thomas Martin III, a 51-year-old computing expert working for Booz Allen, was arrested on August 27 by the FBI after investigators searched his home in Glen Burnie, Maryland, and discovered a cache of classified material he had stolen. Martin was arrested three years after another Booz Allen contractor, Edward Snowden, leaked thousands of NSA documents revealing details of the agency’s massive global surveillance system.
“Booz has dropped the ball again,” a former Pentagon official who works on security issues and was briefed on the case told me. “It’s long past time someone brought attention to this company. This is corporate malfeasance and a direct threat to national security.”
He said Martin’s offense—if proven—could be far more serious than that of Snowden, who was acting out of principle and sparked a public debate about government surveillance and the powers of the NSA. In contrast to Snowden, “this guy did not want to do the right thing,” the official said, taking offense at analysts who are calling Martin a “second Snowden.”
Strangely, news of the August arrest didn’t come to light until October 5, when The New York Times broke the story and released the Justice Department’s criminal complaint about the contractor. One reason for the delay, I was told, may have been the government’s desire to focus public attention on a new federal agency responsible for government-wide security, the National Background Investigations Bureau.
“I think the government sat on this news to justify the NBIB,” said a contractor with extensive experience in national security. He added that many high-ranking intelligence officials have been privately critical of the government’s record in unmasking so-called “inside threats,” and may have wanted to show by this arrest that they took the issue seriously.
The NBIB was established inside the Office of Personnel Management (OPM) on October 1 to conduct background checks and security clearances. It was the Obama administration’s response to the disastrous hack of the OPM in 2014—which wasn’t discovered until last year—that resulted in the theft of personal data of 22 million federal employees and contractors.
Just before NBIB opened its doors, Reuters reported that the bureau had hired a contractor “whose log-in credentials were used” in the hack of the OPM. The contractor, KeyPoint Government Solutions, “is one of four companies hired by the new NBIB to do field interviews for security clearance investigations,” Reuters said.
As privatized intelligence has expanded, the need for security checks on intelligence personnel has grown substantially.
As I reported in September, Booz Allen is one of five corporations that together employ nearly 80 percent of the private-sector employees contracted to work for US spy and surveillance agencies. Booz itself deploys an intelligence workforce of 12,000 personnel with security clearances, a figure I found is equivalent to nearly 27 percent of the 45,000 contractors employed in US civilian and military intelligence.
Martin was one of those 12,000. According to the criminal complaint against him, the documents and digital information he took from his offices “contained highly classified information of the United States including Top Secret and Sensitive Compartmented Information.” The latter, known as SCI, refers to top-secret programs that can only be accessed by intelligence officers with special clearances that usually involve polygraph tests.
In its story on the arrest, the Times revealed that the intelligence Martin stole involved highly classified malware used by the NSA to penetrate computer systems overseas. “Mr. Martin is suspected of taking the highly classified ‘source code’ developed by the agency to break into computer systems of adversaries like Russia, China, Iran and North Korea,” the Times said. The Justice Department’s criminal complaint noted that the materials seized from Martin had been produced in 2014 and “are currently and properly classified at the TOP SECRET level.”
Martin’s attorney, James Wyda, said in a statement that the charges are “mere allegations,” adding that “there is no evidence that Hal Martin intended to betray his country.”
A week into the case, nobody in government was ready to say why Martin had taken the material or if he had sold it to anyone. There was some suspicion that he could be linked to a recent hack of the NSA, as explained by The Washington Post:
The leaked NSA tools included “exploits” that take advantage of unknown flaws in firewalls, for instance, allowing the government to control a network. They were posted by a group calling itself the Shadow Brokers. Current and former federal officials said their disclosure could allow targets of NSA spying to determine they were hacked by the United States, and some foreign spy agencies might be able to repurpose the tools.
Martin’s actions may be particularly damaging because of his access to Special Access Programs where such tools are made. “I think he has exposed multiple SAPs and probably covert action programs like Stuxnet,” the former defense official said. “Martin had access far surpassing Snowden’s.” Stuxnet, a malicious computer worm developed by the NSA and Israeli intelligence to damage Iran’s nuclear power systems, was revealed by the Times in 2010.
Much of the coverage of the arrest cast blame on Booz, which The Wall Street Journal noted is now “facing its second major personnel scandal in three years.” In fact, the company’s malfeasance runs deep. As I previously reported, Art Davis, its director of corporate security, boasted to an intelligence conference in 2015 that his company had undergone a “metamorphosis of security” as a result of the Snowden leaks.
[Davis] said Booz has doubled its spending on security by adopting a “full-scale counterintelligence program” focused on 2,500 employees with “access to the kingdom”—a reference to the highly classified documents that Snowden and Booz’s privatized army routinely handled. Such employees are subject to “continuous evaluation,” Davis said. “If they don’t pass, they leave their jobs.”
But even more damning were the government’s assurances at this conference that Booz’s system was airtight.
After Thomas described his company’s extensive internal security program, William Evanina, the director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence, noted that he has met with Thomas “a lot” about these issues…. [At the same panel] Carrie Wibben, the director of security policy for the Pentagon’s undersecretary for intelligence, noted that she had reviewed the Booz insider threat plan the day before. “People shouldn’t see this as big brother,” she assured the room, “but necessary for the world we live in.”
Bill Binney, the former high-ranking NSA official who blew the whistle on the agency’s surveillance programs, put the blame squarely on the government and its close ties to Booz and other contractors.
“My main problem with NSA in this area is that they knew these weaknesses existed and made no move to fix them,” he said in a statement released by the Institute for Public Accuracy. “That’s because they needed these weaknesses to be able to look into what people were doing.”
With the latest “compromise,” Binney said he hoped the NSA would move to fix the problems “instead of allowing these vulnerabilities to continue to exist so that hacks can occur and they can fear monger for more money, pointing to the dangers of cyber attacks that they knew could happen. What a swindle.”
Ironically, on the morning Martin’s arrest was made public, the Pentagon announced that Booz had been awarded a $140 million contract from the Defense Intelligence Agency. Under the contract, Booz will support the DIA’s Directorate for Information Management, which protects the agency against “threats to IT systems and information security.”
The company’s ability to win contracts like this despite its record on security seems to have captured the confidence of Wall Street. After news of the arrest spread in the media, Booz Allen’s stock dropped sharply, but it quickly recovered. By the end of last week, stock analysts were sanguine.
Booz Allen’s business “will not be materially impacted,” one analyst told the Associated Press. “Given the increase in security and stricter processes by NSA and Booz Allen following the 2013 Snowden leaks, we think it is likely that Booz Allen was not at fault for its employee’s theft.”