Edward Snowden: Insider Threat

Transcription

Edward Snowden, "The Ultimate Insider Threat"
James Kiely, Director of Security
March 18, 2014
Overview
• Who is Edward Snowden?
• What was his objective?
• Snowden Timeline
• How did he gain access?
• NSA Damage Assessment
• Pursuit of political asylum
• Amnesty consideration
• Whistle-Blower or Traitor?
• Insider Threat lessons learned
• Cleared Defense Contractor Consequences
• Obama restructuring of NSA Collection Program
• Insider Threat Awareness Review
Who is Edward Snowden?
• White male, age 29
• Grew up in Maryland
• High school drop-out, later earned a GED
• Associates viewed him as a "reticent man"
  - Quiet and reserved
• Described himself as an "ascetic"
  - A person who renounces comforts and pleasures in order to lead a life of rigid self-denial

Personality Traits
• Organizational Citizen
  - Strong sense of justice in what he believes
  - Feels his view is correct and there is no room for negotiating
• Narcissist
  - Views himself as much more important than he actually is

Access
• Held a TS-SCI clearance based on IT positions with CIA and NSA
What was Snowden's objective?
• Obtain a BAH (Booz Allen Hamilton) IT System Administrator contractor job with NSA to gain access to its domestic surveillance collection program
  - Felt the public needed to know and draw their own conclusions
  - Felt a responsibility to expose what he viewed as NSA wrongdoing
  - Claimed to be a whistleblower acting against the threat NSA posed to civil liberties
  - Indicated exposure of NSA secret programs didn't make him a hero or a traitor, just an American
• Realized the NSA Hawaii facility lacked software to trace his unauthorized access to classified computer files
  - The necessary security software was in place at most other NSA locations
• Convinced over 20 NSA Hawaii employees to share their logins and passwords
  - Allowed him to access and download tens of thousands of classified documents
• Claims he hasn't revealed any classified NSA information regarding "legitimate military targets"
  - Only NSA efforts against civilian infrastructure
• Feels his decision to expose NSA surveillance programs was vindicated by a federal judge's 12/16/2013 ruling
  - Mass NSA collection of US phone data may be unconstitutional
  - Case will eventually be heard by the Supreme Court
  - Based on the above, a small portion of the public views Snowden as a hero
• December 2013 Snowden interview with the Washington Post
  - Snowden claimed he exceeded his initial expectations
  - NSA was now facing scrutiny it had not endured since the 1970s, or actually ever, from Congress, federal courts, the public and world leaders
  - "I am not trying to bring down NSA, I'm working to improve NSA."
  - I have no relationship with the Russian or Chinese government and haven't directly provided them with NSA information
Snowden Timeline 2013
January
• Starts to identify journalists for leaking classified NSA material
February
• Contacts Glenn Greenwald, reporter, The Guardian, and Laura Poitras, a documentary film maker, regarding an NSA story
March
• Greenwald and Poitras meet in NYC regarding Snowden's emails
May
• Snowden sends Greenwald sample classified NSA documents
• Snowden flees to Hong Kong for meetings/interviews with Greenwald and Poitras
  - Reveals details of the classified NSA Prism Program used to track suspected terrorists
  - Also possible interaction with the Russian Intelligence Service
June
• The Guardian publishes a highly classified court order demanding Verizon produce phone records
• The Guardian and Washington Post disclose the existence of the Prism Program
• While in Hong Kong, Snowden reveals himself as the NSA leaker
• He initiates requests for political asylum in several South American countries
• Vladimir Putin allows Snowden to enter Russia
July-September
• Leaks a steady stream of classified NSA documents
  - British GCHQ intercepted communications of foreign politicians participating in the April and September 2009 G20 Summits
  - NSA bugged European Union offices in NYC and Washington, DC
  - NSA ongoing targeting of 38 foreign embassies for communication intercept
  - NSA intercepted United Nations communications
• Snowden granted temporary political asylum in Russia
October
• Snowden's father visits him in Moscow
• Snowden claims he took no classified NSA files to Russia and hasn't shared any information with the Russian Intelligence Service (SVR)
• Claims he has access to every active NSA operation against China
November
• Releases "A Manifesto for Truth" claiming NSA and GCHQ are the worst offenders of mass communication surveillance without oversight
• British Intelligence officials indicate the Snowden leaks have seriously damaged their ability to keep Britain safe
December
• President Obama advises there will be no amnesty in return for Snowden's cooperation
• Snowden provides the Washington Post with a two-day interview
  - Claims to have accomplished his objective
Snowden Timeline 2014
January
• Washington Post releases a lengthy update interview with Snowden
• New York Times Editorial Board recommends a plea bargain or clemency for Snowden
  - "Based on enormous value of information he provided and abuses he exposed"
• House and Senate Intelligence Committee leaders opine the leak was supported by Russia
  - No proof provided
• Obama announces NSA Collection Program reforms
• Snowden claims NSA is conducting industrial espionage against major German companies
  - Intent is US economic gain vs. national security
  - Failed to provide any proof
• Snowden claims it is impossible to receive a fair trial in the US and that USG officials want him killed
• Russian officials advise Snowden's asylum protection will be extended beyond 8/2014
• NSA and GCHQ capable of collecting data from smartphone apps
  - Without the knowledge of the companies that distribute them
• Snowden nominated for the Nobel Peace Prize
  - Winners will be announced in October 2014
February
• Initially kept quiet while Russia hosted the Winter Olympics in Sochi
• Leaked documents indicating GCHQ intercepted webcam images from millions of Yahoo users around the world (2008-2010)
March
• Claimed NSA's "mass surveillance" approach caused them to miss critical terrorist communications
  - Possible clues prior to the 2013 Boston Marathon bombing
• Indicated NSA disguised itself as Facebook servers to gain access to the computers of individual intelligence targets
How did Snowden gain access?
Flawed USIS reinvestigation for TS clearance
• USIS is the largest security background check contractor
  - DOJ civil complaint: USIS filed 660,000 flawed BIs (background investigations) and obtained $12 million in bonuses
  - Failed to properly vet Snowden's 2011 reinvestigation
• Practice known as "dumping" or "flushing"
  - Aimed at pumping up revenue through expeditious BIs
  - USIS was paid $1,900 for BIs submitted before the next-to-last day of the month, but only 75% of that after the deadline
• Failed to verify Snowden's account of a previous security violation while employed at CIA
• Didn't address the fact that he failed to report a trip to India
• Failed to interview anyone other than his mother and girlfriend
• CIA never provided NSA with the derogatory report from Snowden's supervisor
  - Noted concerning changes in behavior and work habits just prior to his leaving CIA for NSA
  - CIA suspected he attempted to breach classified computer files prior to his departure
• The NSA IT System Administrator position provided the perfect cover for accessing classified documents
  - Documents were maintained in a file-sharing location on NSA's intranet portal
  - Classified documents were kept on the portal so analysts and other officials could review and discuss them online
  - His authorized access provided the opportunity to identify and move classified documents to a more secure location without raising red flags
  - He also used social engineering to persuade his colleagues to share their passwords
NSA Damage Assessment
NSA has been conducting an ongoing Snowden damage assessment since June 2013
• Downloaded 1.7 million classified documents
  - Still has access to 1.5 million unleaked documents after sharing 200,000
  - Only released 1% to date!
• As IT System Administrator he had passwords to circumvent system security measures
  - Part of his job was to maintain NSA computers and move large data sets between systems
• Used available tools to "scrape" tons of classified material from NSA websites and move it to a location for downloading
• He succeeded in obscuring some electronic traces of how he accessed classified material
• Believed to have enough classified material for at least two years of additional news stories
  - US Intelligence officials feel the worst is yet to come!

Most critical information taken or exposed
• Topics of interest to NSA and associated gaps (31,000 classified documents)
  - Includes US, China, Russia and Iran country-specific capabilities and gaps
  - These reports would be a "gold mine" for our adversaries if leaked
  - Provide a road map of what the US knows and doesn't know about its enemies
• Names of all IC agents and undercover assets worldwide
• NSA's greatest concern focuses on whether Russia or China managed to download the archive from Snowden's computer
  - US officials have acknowledged there is no evidence to that effect
  - Snowden has repeatedly denied directly furnishing Russia or China with any classified documents
• Massive fallout for US foreign relations based on Snowden's release of monitoring/eavesdropping of foreign nations and allies
  - In reality most countries spy and collect on each other, but it wasn't previously public knowledge
• To date thousands of NSA man-hours and tens of millions of dollars have been spent trying to reconstruct what Snowden took
  - Remains a work in progress and may never be clear
• Exploring the possibility that Snowden left a virus behind in NSA's system (a time bomb)
  - As a result all computers he accessed were removed from NSA's classified network
  - Also all computers and actual cables with access to the unclassified network
• Intelligence officials fear Snowden created a heavily encrypted data cloud
  - Access limited to him and three others via ever-changing passwords
  - Snowden views this cache as his "insurance policy"
• Snowden's disclosures will result in grave harm to existing intelligence gathering techniques
  - Exposing methods that adversaries will learn to avoid
  - Already see Al Qaeda adjusting the way they communicate

Snowden Mitigation Task Force
• General Martin Dempsey, Chairman, Joint Chiefs of Staff, is heading the Snowden Mitigation Task Force to investigate the extent of the theft and determine how to overcome it
  - The vast majority of documents taken relate to military capabilities, operations, tactics, techniques and procedures
  - It will take the US at least two years and possibly billions of dollars to overcome the harm done

NSA Damage Assessment: FBI leading criminal investigation
• Snowden methodically downloaded massive amounts of NSA classified files while working in Hawaii
  - Believed to have acted alone
• Indicted by a FGJ (federal grand jury), June 2014
  - Charged with espionage and theft of government property
  - Russia rejected the US request to extradite Snowden during July 2013
Pursuit of Political Asylum
• Snowden initially granted temporary political asylum in Russia until August 2014
• He continues to pursue political asylum in Brazil, Bolivia, Ecuador, Venezuela, Nicaragua and Iceland
• Snowden stated "Until a country grants me permanent political asylum the USG will continue to interfere with my ability to speak out"

Did Snowden have help from the Russians?
• US House Intelligence Committee Chairman Mike Rogers believes Snowden ended up in Russia for a reason
  - Cooperating with the Russian Federal Security Service (FSB)
  - Stolen NSA information had more to do with US overseas operations than US citizens' privacy
  - Snowden not skilled enough to pull off the leak alone
  - Recent disclosures are too sophisticated in their content and timing for Snowden
• Senator Dianne Feinstein, Chairman of the Select Committee on Intelligence, and Mike Morell, former Deputy Director, CIA, concur, but there is no actual proof so far
Amnesty Consideration
Snowden indicated that he would return to the US if given amnesty
• Some high-level NSA executives think that option warrants further discussion (12/2013)
  - Considering the potential for more damage to national security
  - Requires assurance that all remaining classified documents would be returned and secured
• General Keith Alexander, Director, NSA, feels amnesty for Snowden is a bad idea (12/2013)
  - Needs to be held accountable for his actions
  - Cannot be trusted to return all NSA data
• President Obama advised "there will be no amnesty for Snowden" (12/2013)
  - Recommended Snowden voluntarily return to the US to face felony charges and receive full due process and protections within the legal system
Whistle-Blower or Traitor?
The Intelligence Community and national security establishment widely view Snowden as a traitor
• A recently released classified Pentagon report reflects that
  - Leaks have endangered US troops by providing terrorists with a copy of our country's playbook
  - Leaks damaged US allies' efforts to combat terrorism, cybercrime and WMD proliferation
• Warrants federal prosecution for compromising classified information to the benefit of US adversaries
• Caused irreparable damage via the largest classified data dump in US history
• Severely damaged foreign relations with US allies
• Several members of Congress strongly support federal prosecution of Snowden and oppose any plea bargaining or amnesty considerations
• Broke his oath of secrecy to protect classified information (SF-312)

Some elements outside the Intelligence Community view Snowden as a hero
• Provided the public with details on how NSA exceeded and abused its authority
• Revelations prompted two out of three federal judges to accuse NSA of violating the Constitution
• A panel appointed by President Obama cited NSA's invasion of privacy and called for a major overhaul of its operations
• Some members of Congress have expressed their outrage over NSA's collection practices involving US citizens
Lessons Learned
What is NSA doing to avoid future Insider Threats?
• NSA and IC revamping network security
  - Installing software to spot and track employee attempts to access or download classified material without prior authorization
  - Senate Intelligence Committee to fund a $100 million security upgrade
• NSA and IC implementation of a "two-person handling rule"
  - Applies when accessing or moving classified database information
  - Must remove anonymity for those accessing classified systems
• Tagging classified documents to ensure only staff with a "need to know" can access a given document
  - The tagging rule also allows security auditors to see how individuals with authorized access are actually using it
• New guidance to never provide your password, even to an IT System Administrator
  - Especially as it pertains to classified document access
• Need for timely, thorough and competent initial BIs and clearance reinvestigations
• Recognition that contractors, IT personnel and disgruntled employees pose the greatest Insider Threat
• Impossible to fully protect against an Insider Threat
  - Key is to initially hire quality employees
  - Responsibility of all employees to recognize and report suspicious Insider Threat activity
• Establishing an Insider Threat Working Group
  - Provide staff with ongoing training and awareness
  - Key is to root out, identify and neutralize Insider Threats before they inflict extensive damage
• Enforce the security ban on removable media in classified work areas
• Recognition that the Snowden incident could have happened to any of the IC agencies
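As an added example (not code from this presentation, from NSA or from any vendor), the three controls above can be checked together against a file-access audit log: need-to-know tags on documents, bulk-download tracking, and an indicator for shared credentials (an account active from a workstation that is not its own). The log lines, entitlements, workstation assignments and the download threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed audit-log records (not real data): one line per file access.
# Fields: timestamp, account, workstation, document id, need-to-know tag, action
SAMPLE_LOG = """\
2013-05-01T09:02:11 analyst1 WS-101 DOC-0001 SIGINT-ASIA read
2013-05-01T09:05:40 analyst1 WS-101 DOC-0002 SIGINT-ASIA read
2013-05-01T09:06:02 sysadmin7 WS-300 DOC-0003 SIGINT-ASIA download
2013-05-01T09:06:03 sysadmin7 WS-300 DOC-0004 COUNTER-TERROR download
2013-05-01T09:06:04 sysadmin7 WS-300 DOC-0005 COUNTER-TERROR download
2013-05-01T09:06:05 sysadmin7 WS-300 DOC-0006 SIGINT-EUROPE download
2013-05-01T09:06:06 sysadmin7 WS-300 DOC-0007 SIGINT-EUROPE download
2013-05-01T10:15:00 analyst2 WS-102 DOC-0008 SIGINT-EUROPE read
2013-05-01T10:15:30 analyst2 WS-300 DOC-0009 SIGINT-EUROPE read
"""

# Constructed need-to-know entitlements: the tags each account may access.
# A system administrator maintains systems but has no need to know the content.
ENTITLEMENTS = {
    "analyst1": {"SIGINT-ASIA"},
    "analyst2": {"SIGINT-EUROPE"},
    "sysadmin7": set(),
}
# Assumed home workstation per account; a login from elsewhere is a sharing indicator.
HOME_WORKSTATION = {"analyst1": "WS-101", "analyst2": "WS-102", "sysadmin7": "WS-300"}

DOWNLOAD_THRESHOLD = 3   # assumed per-account bulk-download alert threshold

def parse_log(text):
    """Split whitespace-separated log lines into dicts keyed by field name."""
    fields = ("ts", "account", "host", "doc", "tag", "action")
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]

def find_alerts(records, entitlements, home_ws, threshold=DOWNLOAD_THRESHOLD):
    """Return (alert_type, account, detail) tuples for the three insider-threat checks."""
    alerts = []
    downloads = defaultdict(int)
    for r in records:
        # Need-to-know check: document tag is outside the account's entitlements.
        if r["tag"] not in entitlements.get(r["account"], set()):
            alerts.append(("need_to_know", r["account"], r["doc"]))
        # Credential-sharing indicator: account used from a workstation that is not its own.
        if home_ws.get(r["account"]) != r["host"]:
            alerts.append(("foreign_workstation", r["account"], r["host"]))
        if r["action"] == "download":
            downloads[r["account"]] += 1
    # Bulk-download check: downloads per account at or above the threshold.
    for account, count in downloads.items():
        if count >= threshold:
            alerts.append(("bulk_download", account, count))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG), ENTITLEMENTS, HOME_WORKSTATION):
        print(alert)
```

On the constructed log the administrator account trips both the need-to-know and bulk-download checks, and analyst2's second login from WS-300 is flagged as a possible shared credential.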
Cleared Defense Contractor (CDC) Consequences
• Office of Personnel Management (OPM), which conducts CDC security clearance investigations, proposed
  - Changing TS reinvestigations from every 5 years to annually
  - Changing Secret reinvestigations from every 10 years to every 5 years
• DIA subjecting its contractors with TS-SCI clearances to a security interview and CI polygraph
• Effective 1/2015, DSS requiring all CDCs to have a viable Insider Threat Program
Obama Restructuring of NSA Surveillance Program (1/17/14)
• Data collection program remains a critical tool for the IC to identify and deter terrorist plots
• No more eavesdropping on foreign leaders and governments who are allies
• Requires the IC to obtain FISA Court permission before accessing US citizens' telephone records
• AG Eric Holder tasked to design a plan moving control of phone records away from the USG
Insider Threat Awareness Review
• It's essential for CDC facilities to establish an Insider Threat Program
  - Assists in mitigating the risk
  - Trains staff to observe, recognize and report suspicious activity
  - Must have a specific reporting process in place
• Key is to identify and neutralize Insider Threats before they inflict extensive damage
  - Watch for behavioral changes
  - Identify and report personality traits of concern
  - Employee observations are one of the best ways to identify an Insider Threat
  - Awareness that most Insider Threats occur a month before an employee plans to leave the company
  - Security is every employee's responsibility!!!

Insider Motives
• Ego based
• To exact revenge
• Financial gain
• Anti-US sentiment
• Foreign national ties
• To expose what they view as hypocrisy or wrongdoing

Factors Creating an Insider Threat
• Employee experiencing financial difficulties
• Company's deteriorating financial condition
• Company decision to furlough employees or reduce salaries
• Philosophical differences
• Perceived moral obligation

How to spot an Insider Threat?
• Failure to report overseas travel or contact with foreign nationals (Snowden)
• Efforts to gain higher security clearance access outside normal work scope (Snowden)
• Working odd hours inconsistent with responsibilities, or insisting on working alone
• Attempting to enter limited-access areas outside their "need to know" (Snowden)
• Living beyond one's means
• Exhibiting exploitable behaviors
  - Drug or alcohol issues
  - Financial difficulties
  - Complaints about pay or work conditions
  - Anti-USG comments
  - Loyalty to foreign interests

Snowden isn't a typical Insider Threat
• Most insiders betray their employer after becoming disgruntled or developing financial problems
  - They then become vulnerable to recruitment by a FIS (foreign intelligence service)
• He obtained the BAH IT System Administrator position with the sole intent of accessing and leaking NSA classified documents
Questions?