Edward Snowden “The Ultimate Insider Threat” Snowden... · Who is Edward Snowden? •w/m age 29 •Grew up in Maryland •High school drop-out, later earned GED •Associates

Edward Snowden

“The Ultimate Insider Threat”

James Kiely

Director of Security

March 18, 2014

Overview • Who is Edward Snowden?

• What was his objective?

• Snowden Timeline

• How did he gain access?

• NSA Damage Assessment

• Pursuit of political asylum

• Amnesty consideration

• Whistle-Blower or Traitor?

• Insider Threat lessons learned

• Cleared Defense Contractor Consequences

• Obama restructuring of NSA Collection Program

• Insider Threat Awareness Review 2

Who is Edward Snowden?

• w/m age 29

• Grew up in Maryland

• High school drop-out, later earned GED

• Associates viewed him as a “reticent man”

Quiet and reserved

• Described himself as an “ascetic” A person who renounces comforts and pleasures in

order to lead a life of rigid self denial

3

Who is Edward Snowden?

Personality Traits

• Organizational Citizen Strong sense of justice in what he believes

Feels his view is correct and no room for negotiating

• Narcissist

Views himself as much more

important than he actually is

Access

• Held TS-SCI clearance based on IT positions with CIA and NSA

4

What was Snowden’s objective?

• Obtain BAH IT System Administrator contractor

job with NSA to gain access to their domestic

surveillance collection program

5


Felt public needed to know and draw their own conclusions

Responsibility to expose what

he viewed as NSA wrong doing

Claimed to be a whistleblower

acting against the threat NSA

posed to civil liberties

Indicated exposure of NSA secret

programs didn’t make him a hero

or a traitor, just an American

6


• Realized NSA, Hawaii facility lacked

software to trace his unauthorized access

to classified computer files

Necessary security software was in place at

most other NSA locations

• Convinced over 20 NSA, Hawaii

employees to share their logins and PWs

Allowed him to access/ download tens of

thousands of classified docs

7


• Claims hasn’t revealed any classified NSA

information re “legitimate military targets”

Only NSA efforts against civilian infrastructure

• Feels decision to expose NSA surveillance

programs was vindicated by a federal judge’s

12/16/2013 ruling

Mass NSA collection of US phone data may be

unconstitutional

Case will eventually be heard by Supreme Court

Based on above a small portion of the public view

Snowden as a hero 8


• December 2013 Snowden interview with the

Washington Post

Snowden claimed he exceeded initial expectations

NSA was now facing scrutiny it had not endured since

the 1970s or actually ever from Congress, federal

courts, the public and world leaders

“I am not trying to bring down NSA, I’m working to

improve NSA.”

I have no relationship with the Russian or Chinese

government and haven’t directly provided them with

NSA information

9

Snowden Timeline 2013 January • Starts to identify journalists for leaking of NSA classified

February

• Contacts Glenn Greenwald, reporter, The Guardian and Laura Poitras, a documentary film maker re NSA story

March

• Greenwald/Poitras meet in NYC re Snowden emails

May

• Snowden sends Greenwald sample classified NSA docs

• Snowden flees to Hong Kong for meetings/interviews with Greenwald/Poitras Reveals details of classified NSA Prism Program to track

suspected terrorists

Also possible interaction with Russian Intelligence Service

10

Snowden Timeline 2013 June

• The Guardian publishes a highly classified court

order demanding Verizon produce phone

records

• The Guardian and Washington Post disclose

existence of Prism Program

• While in Hong Kong Snowden reveals

himself as NSA leaker

• He initiates requests for political asylum in

several South American countries

• Vladimir Putin allows Snowden to enter Russia 11

Snowden Timeline 2013

July-September

• Leaks a steady stream of classified NSA

documents

British GCHQ intercepted communications of foreign

politicians participating in the April and September

2009 G20 Summit

NSA bugged European Union offices in NYC/ WDC

NSA ongoing targeting of 38 foreign embassies for

communication intercept

NSA intercepted United Nations communications

12


July-September

• Snowden granted temporary political asylum in

Russia

13


October

• Snowden’s father visits him in Moscow

• Snowden claims he took no classified NSA files

to Russia and hasn’t shared any information with

Russian Intelligence Service (SVR)

• Claims he has access to every active NSA

operation against China

November

• Releases “A Manifesto for Truth” claiming NSA

and GCHQ are the worst offenders of mass

communication surveillance w/o oversight 14


November

• British Intelligence officials indicate the Snowden

leaks have seriously damaged their ability to

keep Britain safe

December

• President Obama advises there will be no

amnesty in return for Snowden’s cooperation

• Snowden provides Washington Post with a two

day interview

Claims to have accomplished his objective

15


January

• Washington Post releases lengthy update

interview with Snowden

• New York Times Editorial Board recommends a

plea bargain or clemency for Snowden

“Based on enormous value of information he provided

and abuses he exposed”

• House and Senate Intelligence Committee

leaders opine leak was supported by Russia

No proof provided

16


January

• Obama announces NSA Collection Program

reforms

• Snowden claims NSA conducting industrial

espionage against major German companies

Intent is for US economic gain vs. national security

Failed to provide any proof

• Snowden claims impossible to receive fair trial in

US and USG officials want him killed

17


January

• Russian officials advise Snowden’s asylum

protection will be extended beyond 8/2014

• NSA and GCHQ capable of collecting data from

smart phone apps

Without knowledge of companies that distribute them

• Snowden nominated for Nobel Peace Prize

Winners will be announced in October 2014

18


February

• Initially kept quiet while Russia hosted the

Winter Olympics in Sochi

• Leaked documents indicating GCHQ intercepted

webcam images from millions of Yahoo users

around the world (2008-2010)

19


March

• Claimed NSA’s “mass surveillance” approach

caused them to miss critical terrorist

communications

Possible clues prior to 2013 Boston Marathon

bombing

• Indicated NSA disguised itself as Facebook

servers to gain access to computers of individual

intelligence targets

20

How did Snowden gain access?

Flawed USIS Reinvestigation for TS Clearance

• Largest security background check contractor

DOJ civil complaint -USIS filed 660,000 flawed BIs

and obtained $12 million in bonuses

Failed to properly vet Snowden’s 2011 reinvestigation

• Practice known as “Dumping” or “Flushing”

Aimed at pumping up revenue for expeditious BIs

USIS paid $1900 for BIs submitted before next to last

day of the month, but only 75% after that deadline

21


Flawed USIS Reinvestigation for TS Clearance

• Failed to verify Snowden’s account of a previous security violation while employed at CIA

• Didn’t address fact that he failed to report a trip to India

• Failed to interview anyone other than his mother and girlfriend

22


• CIA never provided NSA with derogatory report

from Snowden’s supervisor

Noted concerning changes in behavior and work

habits just prior to leaving CIA for NSA

CIA suspected he attempted to breach classified

computer files prior to his departure

23


• NSA IT System Administrator position provided

the perfect cover for accessing classified docs

Maintained in a file-sharing location on NSA’s intranet

portal

Classified docs kept on portal so analysts and other

officials could review and discuss online

His authorized access provided the opportunity to

identify and move classified docs to a more secure

location w/o raising red flags

He also used social engineering to persuade his

colleagues to share their passwords 24

NSA Damage Assessment

Has been conducting an ongoing Snowden

Damage Assessment since June 2013

• Downloaded 1.7 million classified documents

Still has access to 1.5 million unleaked after sharing

200,000

Only released 1% to date!

• As IT System Administrator had PWs to

circumvent system security measures

Part of job to maintain NSA computers and move

large data sets between systems

25


• Used available tools to “scrape” tons of

classified from NSA websites and move to a

location for downloading

• He succeeded in obscuring some electronic

traces of how he accessed classified

• Believe he has enough classified for at least two

years of additional news stories

US Intelligence officials feel the worst is yet to come!

26


Most Critical Information Taken or Exposed

• Topics of interest to NSA and associated gaps

(31,000 classified docs)

Includes US, China, Russia and Iran country specific

capabilities and gaps

These reports would be a “gold mine” for our

adversaries if leaked

Provides a road map of what the US knows and

doesn’t know about its enemies

• Names of all IC agents and undercover assets

worldwide 27


• NSA’s greatest concern focuses on whether

Russia or China managed to download the

archive from Snowden’s computer

US officials have acknowledged there is no evidence

to that affect

Snowden has repeatedly denied directly furnishing

Russia or China with any classified documents

28


• Massive fallout for US foreign relations based on

Snowden release of monitoring/eavesdropping

of foreign nations and allies

In reality most countries spy and collect on each

other, but it wasn’t previously public knowledge

• To date thousands of NSA man hours and tens

of millions of dollars have been spent trying to

reconstruct what Snowden took

Remains a work in progress and may never be clear

29


• Exploring possibility Snowden may have left a virus behind in NSA’s system (a time bomb)

As a result all computers he accessed were removed from NSA’s classified network

Also all computers and actual cables with access to unclassified network

• Intelligence officials fear Snowden created a heavily encrypted data cloud

Access limited to him and three others via ever changing PWs

Snowden views this cache as his “insurance policy”

30


• Snowden’s disclosures will result in grave harm

to existing intelligence gathering techniques

Exposing methods that adversaries will learn to avoid

Already see Al Qaeda adjusting the way they

communicate

31

Snowden Mitigation Task Force

• General Martin Dempsey, Chairman, Joint

Chiefs of Staff is heading Snowden Mitigation

Task Force, to investigate extent of theft and

determine how to overcome it

Vast majority of documents taken relate to military

capabilities, operations, tactics, techniques and

procedures

It will take the US at least two years and possibly

billions of dollars to overcome harm done

32


FBI leading Criminal investigation

• Snowden methodically downloaded massive

amounts of NSA classified files while working in

Hawaii

Believed to have acted alone

• Indicted by a FGJ-June 2014

Charged with Espionage and

Theft of Government Property

Russia rejected US request to extradite Snowden

during July 2013

33

Pursuit of Political Asylum • Snowden initially granted temporary political asylum in

Russia until August 2014

• He continues to pursue political asylum in Brazil, Bolivia,

Ecuador, Venezuela, Nicaraqua and Iceland

• Snowden stated ”Until a country grants me permanent

political asylum the USG will continue to interfere with

my ability to speak out”

34

Pursuit of Political Asylum

Did Snowden have help from the Russians?

• US House Intelligence Committee Chairman Mike

Rodgers believes Snowden ended up in Russia for a

reason

Cooperating with Russian Federal Security Service (FSB)

Stolen NSA information had more to do with US overseas

operations than US citizens’ privacy

Snowden not skilled enough to pull off the leak alone

Recent disclosures are too sophisticated in there content and

timing for Snowden

• Senator Dianne Feinstein, Chairman of the Select

Committee on Intelligence and Mike Morell, former

Deputy Director, CIA concur, but no actual proof so far

35

Amnesty Consideration

Snowden indicated that he would return to the

US if given amnesty

• Some high level NSA executives think that

option warrants further discussion (12/2013)

Considering the potential for more damage to

national security

Requires assurance that all remaining classified

documents would be returned and secured

36

Amnesty Consideration • General Keith Alexander, Director, NSA feels amnesty

for Snowden is a bad idea (12/2013)

Needs to be held accountable for his actions

Is not trustworthy of returning all NSA data

• President Obama advised

“there will be no amnesty

for Snowden” (12/2013)

Recommended Snowden voluntarily

return to the US to face felony

charges and receive full due

process and protections within

the legal system

37

Whistle-Blower or Traitor?

Intelligence Community and national security

establishment widely view Snowden as a

traitor

• Recently released classified Pentagon report reflects

Leaks have endangered US troops by providing terrorists with a

copy of our country’s playbook

Damaged US allies efforts to combat terrorism, cybercrime and

WMD proliferation

• Warrants federal prosecution for compromising

classified information to the benefit of US adversaries

• Caused irreparable damage via the largest classified

data dump in US history 38


• Severely damaged foreign relations with US allies

• Several members of Congress strongly support federal

prosecution of Snowden and oppose any plea bargaining

or amnesty considerations

• Broke his oath of secrecy

to protect classified (SF-312)

39


Some elements outside the Intelligence

Community view Snowden as a hero

• Provided the public with details on how NSA exceeded

and abused its authority

• Revelations prompted two out of three federal judges to

accuse NSA of violating the Constitution

• A panel appointed by President Obama cited NSA’s

invasion of privacy and called for a major overhaul of its

operations

40


• Some members of Congress have expressed their

outrage over NSA’s collection practices involving US

citizens

41

Lessons Learned

What is NSA doing to avoid future Insider Threats?

• NSA and IC revamping network security Installing software to spot/track employee attempts to

access/download classified w/o prior authorization

Senate Intelligence Committee to fund $100 million security upgrade

• NSA and IC implementation of “two person handling rule” When accessing or moving classified database

information

Must remove anonymity for those accessing classified systems

42

Lessons Learned

What is NSA doing to avoid future Insider

Threats?

• Tagging classified documents to ensure only

staff with “need to know” can access a given

document

Tagging rule also allows security auditors to see how

individuals with authorized access are actually using it

• New guidance to never provide your password,

even to an IT System Administrator

Especially as pertains to classified document access

43

Lessons Learned


• Need for timely, through and competent initial BIs and clearance reinvestigations

• Recognition that contractors, IT personnel and disgruntled employees pose the greatest Insider Threat

• Impossible to fully protect against an Insider Threat Key is to initially hire quality employees

Responsibility of all employees to recognize and report suspicious Insider Threat activity

44

Lessons Learned


• Establishing an Insider Threat Working Group Provide staff with ongoing training and awareness

Key is to root out/identify and neutralize Insider Threats before they inflict extensive damage

• Enforce Security ban on removable media in classified work areas

• Recognition that the Snowden incident could have happened to any of the IC agencies

45

Cleared Defense Contractor

(CDC) Consequences

• Office of Personnel Management (OPM), who

conducts CDC security clearance investigations

proposed

Changing TS re-investigations from 5 years to annually

Secret re-investigations from10 years to 5 years

• DIA subjecting its contractors with TS-SCI

clearances to security interview and CI polygraph

• Effective 1/2015 DSS requiring all CDC to have a

viable Insider Threat Program

46

Obama Restructuring of NSA

Surveillance Program (1/17/14)

• Data collection program remains a critical tool for IC to identify and deter terrorist plots

• No more eavesdropping on foreign leaders and governments who are allies

• Requires IC to obtain FISA Court permission before accessing US citizens’ telephone records

• AG Eric Holder tasked to design a plan moving control of phone records away from USG

47

Insider Threat Awareness Review

• It’s essential for CDC facilities to establish

an Insider Threat Program

Assists in mitigating the risk

Trains staff to observe, recognize and report

suspicious activity

Must have a specific reporting process in

place

48


• Key is to identify and neutralize Insider Threat

before they inflict extensive damage

Watch for behavioral changes

Identify and report personality traits of concern

Employee observations are one of the best ways to

identify an Insider Threat

Awareness that most Insider Threats occur a month

before an employee plans to leave the company

Security is every employee’s responsibility!!!

49


Insider Motives

• Ego based

• To exact revenge

• Financial gain

• Anti-US sentiment

• Foreign National ties

• To expose what they view as

hypocrisy or wrong doing

50


Factors Creating an Insider Threat

• Employee experiencing financial difficulties

• Company’s deteriorating financial condition

• Company decision to furlough employees or

reduce salaries

• Philosophical differences

• Perceived moral obligation

51


How to spot an Insider Threat?

• Failure to report overseas travel or contact with foreign

nationals (Snowden)

• Efforts to gain higher security clearance access outside

normal work scope (Snowden)

• Working odd hours inconsistent with responsibilities or

insisting on working alone

• Attempting to enter limited access areas outside their

“need to know” (Snowden)

52


How to spot an Insider Threat?

• Living beyond one’s means

• Exhibiting exploitable behaviors

Drug or alcohol issues

Financial difficulties

Complaints about pay or work conditions

Anti-USG comments

Loyalty to foreign interests

53


Snowden isn’t a typical Insider Threat

• Most Insiders betray their employer after

becoming disgruntled or developing financial

problems

Then become vulnerable for recruitment by a FIS

• He obtained BAH IT System Administrator

position with the sole intent of accessing and

leaking NSA classified docs

54

QUESTIONS???????

55

Documents

Edward Snowden “The Ultimate Insider Threat” Snowden... · Who is Edward Snowden? •w/m age 29 •Grew up in Maryland •High school drop-out, later earned GED •Associates