The US National Security Agency's (NSA) latest alleged leaker apparently raised no red flags despite a history of abnormal behaviour. The New York Times reported on 29 October that Harold T. Martin III, who is accused of stealing 50 terabytes of data from the NSA, apparently dealt with divorces, unpaid taxes, legal charges and drinking problems and was still allowed access to top secret information.
In a detention hearing on 28 October, Judge Richard D. Bennett noted that Martin had a history of drinking problems. In 2006, he faced a drunk driving charge. Martin is known to have been called up for unpaid taxes in 2000, which he did not pay off for over a decade. Martin's other run ins with the law include a computer harassment charge and an incident where he pretended to be a police officer during a traffic dispute.
Martin's house would eventually be raided by the Federal Bureau of Investigation in August 2016. He was arrested when investigators found thousands of pages of classified material on several storage devices, apparently taken from a variety of jobs he held as an NSA contractor, most recently for Booz Allen. It is not clear whether Martin was merely hoarding this information, or intended to leak it. His lawyers have stated that “there is no evidence that he intended to betray his country”.
One might think that Martin's erratic behaviour may have raised flags as a security risk, but if it did, it did not do so to the extent that he was forbidden from accessing sensitive documents from a secretive state security agency.
This might appear strange after the leaks from Private Bradley Manning and Snowden. US government agencies brought in a variety of measures to stop the same kind of thing happening again. Not only did intelligence agencies undergo review but measures were put in place to help spot and deal with insider threats as well as crack down on removable storage devices, which Martin used to store the stolen data.
Brian Chappell director of technical services EMEAI & APAC at BeyondTrust told SCMagazineUK.com that “Martin's role may have required access to the data stolen though it's hard to imagine any scenario where bringing in or removing mass storage devices would be appropriate given the scope of work. His personal history appears to be public record so wouldn't offer a lot of leverage but may indicate poor judgement.”
Chappell added, “at the base level this looks like a failure in process. The process failed to prevent the removal of the data, it failed to highlight the risk that Martin posed and, in essence, it failed to understand Martin and his motivations.”
One former intelligence official told the NYT that because Martin was assigned to a cyber-offence unit within the NSA, he may not have been subject to the same oversight that others would. He told the NYT that this unit tends to work on a separate network to the rest of the NSA, without the same measures that would detect insiders.
Which is not to say that the security clearance measures already in place shouldn't have stopped leakers like Snowden, Manning or allegedly, Martin. The variety of abnormal incidents Martin is said to be involved, such as his dealings with law enforcement, would likely throw up a number of concerns for those overseeing his security clearance.
According to the Office of the Director of National Intelligence, there are around 1.3 million people with top security clearance in the US, 400,000 of which are contractors, many of which undergo five year reviews to renew their clearances.
The NSA alone has 35,000 employees. If Martin's history did appear on this periodic security check, they did not stop him from working with some of the most sensitive information within the NSA.
A former US intelligence official, who worked on both the Snowden and Manning cases told SC that procedures for vetting candidates are flawed and have a hard time predicting future behaviour. Keith Lowry, now a senior vice president at Nuix, said that while background checks serve a valuable purpose “they are a look into the current and past life but in no way are they useful in predicting future behaviours.”
“If a person becomes dissatisfied, recruited by another to provide information, sees an opportunity to gain wealth or influence, or any other reason, a background check performed last year will not hinder that person's current choices.”
The insider threat does not just weigh heavily on the minds of the national security community but businesses, too. The threat of the insider, malicious or otherwise, is regularly touted as one of the deadliest threats any security team has to face. Moreover, it's not something that can be entirely avoided with a technical solution, however effective.
Graham Mann, MD, Encode Group UK told SC that “determined individuals will always find a way around security systems and procedures. What's important is detection.”The NSA, Mann added, will likely now review and update their data exfiltration detection systems, to prevent another such case from happening. However, “what should concern us more perhaps is that if such a breach can happen at the NSA, what is the situation in other less protected organisations? It's high time we recognised that data is a critical asset for us all and yet our security systems simply do not reflect this.”