Arrested NSA Contractor 'Doesn't Fit the Profile'

The FBI has arrested NSA contractor Harold Martin, who is suspected of stealing highly classified source code developed by the agency to hack the computer networks of adversaries like Russia, China, Iran and North Korea. Apparently though, the suspect did not fit any of the usual profiles of an “insider threat.”

The arrest was made in August, but the court documents were unsealed yesterday. They reveal that Martin was a contractor for consulting company Booz Allen Hamilton working at the NSA—just like Edward Snowden was. He also worked at the Department of Defense.

He was allegedly found in possession of thousands of pages of documents and dozens of computers or other electronic devices at his home and in his car—much of it classified, and some of which has been leaked online.

Officials said that they weren’t sure to what extent Martin had malicious intent—did he himself leak the information? Did he pass the information on to a third party? Or did he simply download them?

One administration official told the New York Times that he didn’t fit the assumed profile, and that he was “not like a Snowden or someone who believes that what we were doing was illegal and wanted to publicize that.”

A Navy veteran working on a Ph.D. in computer science, Martin may have simply been collecting files for his own edification—much like other senior officials across Washington take classified documents home with them. It’s a known shadow practice, but not a malicious one.

In any event, he has been charged with theft of government property and the unauthorized removal or retention of classified documents—and it looks like a black eye for the NSA to have yet another contractor pilfering state secrets.

“While this may be seen by many as a failure on the part of the NSA's efforts to better secure their information after the Edward Snowden fiasco, I see this as a poignant reminder that information security is not an absolute goal which can be achieved conclusively, but rather it is an ever-evolving process that requires constant vigilance and refinement,” said Nathan Wenzler, principal security architect at AsTech Consulting, via email. “The key will be in how it is handled and how the NSA responds overall.”

CEO of ThinAir, Tony Gauda, said that the situation brings to light a need to rethink how organizations secure network access.

“The fact that a second NSA contractor was able to steal mission critical information from the agency is a stark reminder that you don’t need to be hacked to be breached,” he said in a note. “Instead of focusing on who is accessing sensitive data, we need to invest in technologies capable of generating insights based on how those users are acting on the information. Authentication will continue to be one part of an organization's security strategy, but it can no longer be relied on as the sole means of determining whether user behavior is, or is not, acceptable.”

Brian White, COO of RedOwl, said that, for instance, little-considered behavioral aspects could be tracked, like what people print.

“A big red flag in this latest insider threat incident: printers. They remain a significant blind spot for enterprises hoping to mitigate insiders,” he told us. “Enterprises often don’t track who’s printing what or how frequently. While many track USB downloads, many enterprises can’t stop employees from printing and stuffing documents in a briefcase or their socks.”

He added, “Today, behavior analytics can alert to whether anyone in the workforce might be printing things that are out of scope. For example, analytics can flag if a developer printed financial information that could trigger an alert or if an employee went from printing an average of five pages-per-week to all of the sudden printing 500 pages-per-day.”
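The two checks White describes, role-based scope and a sudden jump over a user's own print baseline, can be run over ordinary print-server logs. The script below is an added example, not code from the article or from RedOwl; the CSV log lines, role-to-category map and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample print-server log: date,user,role,document_category,pages
# (one line per user per day). Not real data.
SAMPLE_LOG = """\
2016-08-01,jdoe,developer,source,5
2016-08-08,jdoe,developer,source,4
2016-08-15,jdoe,developer,source,6
2016-08-22,jdoe,developer,financial,3
2016-08-29,jdoe,developer,source,500
2016-08-01,asmith,finance,financial,40
2016-08-08,asmith,finance,financial,45
"""

# Hypothetical mapping of job role to document categories that role is expected to print.
ALLOWED_CATEGORIES = {
    "developer": {"source", "design"},
    "finance": {"financial", "hr"},
}


def parse_log(text):
    """Parse the CSV log into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        day, user, role, category, pages = line.split(",")
        events.append({"date": date.fromisoformat(day), "user": user,
                       "role": role, "category": category, "pages": int(pages)})
    return sorted(events, key=lambda e: e["date"])


def detect_print_anomalies(events, spike_factor=10, min_pages=100):
    """Return (user, iso_date, reason, detail) alerts.

    out_of_scope: a role printed a category it is not expected to handle.
    volume_spike: a day's page count is both above min_pages (to ignore noise
    on tiny baselines) and spike_factor times the user's running daily mean.
    """
    alerts, history = [], defaultdict(list)
    for e in events:
        if e["category"] not in ALLOWED_CATEGORIES.get(e["role"], set()):
            alerts.append((e["user"], e["date"].isoformat(), "out_of_scope", e["category"]))
        past = history[e["user"]]
        if past and e["pages"] >= min_pages and e["pages"] > spike_factor * mean(past):
            alerts.append((e["user"], e["date"].isoformat(), "volume_spike", e["pages"]))
        past.append(e["pages"])  # baseline is built only from earlier days
    return alerts
```

The baseline is per user, so a finance analyst printing 45 financial pages is normal while a developer jumping from single digits to 500 pages in one day is flagged.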

Photo © Semmick Photo

What’s Hot on Infosecurity Magazine?