The National Security Agency is trying to figure out how a 30-year-old high school dropout seemingly leapfrogged his way from the ranks of security guard to that of a well-paid analyst handling the agency’s most sensitive secrets.
“I have grave concerns over that; the access that he had, the process that we did,” NSA Director Gen. Keith Alexander told Senate lawmakers this month, following leaks about NSA’s secret spying program by former Booz Allen Hamilton contractor Edward Snowden. “And those are things I have to look into and fix from my end — and across the intel community, Director [James] Clapper said we’re going to look across that as well.”
Lawmakers and experts are questioning the government’s broader hiring practices for both contractor and in-house technology experts, especially those with access to sensitive data or the ability to disrupt or manipulate internal systems.
“I trusted, and I still do, that we were hiring the very best, trusting them to not only give us their best in terms of knowledge, but also their loyalty to our country,” Sen. Dick Durbin, D-Ill., told Alexander at the hearing. “I’m trying to look at the resume background for this individual who had access to this highly classified information at such a young age, with a limited educational and work experience, part of it as a security guard, and ask you if you’re troubled that he was given that kind of opportunity to be so close to important information that was critical to the security of our nation.”
While Alexander agreed that Snowden’s access was an issue NSA would look into, he noted that Snowden had worked as a highly talented information technology systems administrator from 2009 to 2010 and eventually landed a job with Booz Allen Hamilton as an analyst working with NSA.
Snowden told The Guardian newspaper he first thought about exposing government secrets while previously working for the CIA, where he was responsible for maintaining computer networks and had access to classified documents.
“One of the reasons these people slip through the radar is because a typical IT person [is] interviewed based on their skill set, whether or not they are capable of understanding certain machine language or operating system or network,” said Tom Kellermann, vice president of cybersecurity at security firm Trend Micro.
Less emphasis is placed on interpersonal skills because organizations don’t expect these individuals to deal with other human beings very much, which is a mistake, Kellermann said. Agencies need to know if employees are jaded or how they feel about the agency and its mission and try to limit the chances an employee will go rogue.
The problem is magnified when hiring highly skilled cyber hackers, most of whom “choose not to walk the straight and narrow path,” Kellermann said. But these hackers possess the sought-after skills the government wants to bolster its cyber capabilities and defenses. Agencies like NSA and the Department of Homeland Security want people who understand how cyber attacks work, what to look for and how to find evidence of and dissect an attack.
“Some of the most talented people are the ones who are not playing by the rules,” said Jessica Herrera-Flanigan, a partner at consulting firm Monument Policy Group.
And NSA knows it. NSA’s hiring blitz to bring on 3,000 professionals, mostly cyber experts, over the past two years, included recruiting at the annual Defcon hackers convention.
“Now, for those of you who think you’ll never make it through security, here are a few words you need to hear,” NSA said in an online message to conference attendees. “It’s true that you must be a U.S. citizen, and you’ll need a security clearance that requires a background investigation and polygraph. But ... if you have a few, shall we say, indiscretions in your past, don’t be alarmed. You shouldn’t automatically assume you won’t be hired. If you’re really interested, you owe it to yourself to give it a shot.”
When asked how many individuals were recruited at the convention, NSA spokeswoman Vanee Vines said the agency doesn’t provide detailed breakdowns of its workforce.
When it comes to hiring, there is a question of loyalty, Herrera-Flanigan said. Whether one is an intelligence contractor or federal employee, he must believe in the mission. “That’s not to say you have to have blinding loyalty when you see wrongdoing,” but the Snowden case reveals he had questions about how the agency carried out its mission.
Another concern is how much freedom computer experts should have to roam around an agency’s network, especially considering the failure of many organizations to adequately monitor and control who can access what data.
At NSA, there are roughly 1,000 system administrators, mostly contractors, who help operate NSA networks, Alexander told House lawmakers last week at a hearing. But even he isn’t sure of that number. “When one of those persons misuses their authorities, this is a huge problem,” he said.
Alexander said the intelligence community is adopting a new information technology environment it expects will help NSA reduce the number of system administrators and improve security.
“Most organizations do almost nothing to secure against system administrators,” said Eric Chiu, president and co-founder of HyTrust, which provides security solutions for the intelligence community and other agencies.
As agencies shift more data and resources to the cloud, it becomes easier for system administrators to access data remotely or disrupt systems, Chiu said. He recommended that agencies use monitoring solutions to track and restrict network access.
The “NSA PRISM leak should be a wake-up call,” he said. “If it can happen to them, it can happen to anyone.”