WASHINGTON (Reuters) - The disclosure this week of documents describing secret CIA hacking tools shows that intensified U.S. government efforts to prevent leaks by intelligence agency employees and contractors have largely failed, cyber security professionals and intelligence officials say.
If the Central Intelligence Agency disclosures are confirmed to be the work of an intelligence agency contractor, as government investigators currently suspect, it would be at least the third public case in recent years in which special software and human resources programs intended to catch so-called insider threats have not worked.
The anti-secrecy group WikiLeaks, which published the CIA documents Tuesday, said it obtained the archive after it circulated among former U.S. government contractors in “an unauthorized manner.”
Part of the problem in combating leaks is that the number of government employees and contractors with access to highly sensitive information has exploded in recent years, due in part to greater information-sharing across the government that was mandated in the wake of the Sept. 11, 2001, attacks.
Budget constraints that force agencies to rely on contractors rather than permanent staff have also contributed to the problem, intelligence officials say. Government estimates of how many people have been granted Top Secret clearances range from the high hundreds of thousands to more than a million across thousands of public agencies and private companies.
Government agencies estimate that there is one insider threat for every 6,000 to 8,000 employees, an intelligence agency contractor said, speaking on condition of anonymity for fear of upsetting his employer. The contractor said there is too much sharing of information internally, with many workers having access to material they do not need.
Recognizing the dangers, former President Barack Obama signed an executive order creating the National Insider Threat Task Force in 2011, following the disclosures of hundreds of thousands of State Department cables that were stolen by former Army private Chelsea Manning and provided to WikiLeaks.
The order covered virtually every federal department and agency, including the Department of Education, the Peace Corps and other offices not directly involved in national security.
The program requires federal employees to monitor co-workers for suspicious actions based on behavioral profiling. Those who fail to report high-risk people or behaviors could face penalties, including criminal charges.
Insider threat investigations can also be launched when computer network monitoring detects “suspicious user behavior,” according to government documents.
Monitoring of prospective and current government employees has only increased in recent years. Under a directive issued in May 2016 by James Clapper, the former director of national intelligence, U.S. officials evaluating whether employees should continue to have access to classified information can collect publicly available social media posts of those workers.
Despite the new initiatives and a raft of innovative employee monitoring technologies developed by the NSA and private-sector tech companies, insider threats remain “the greatest worry across government and industry,” said Curtis Dukes, the former head of cyber defense at the National Security Agency who now works at the Center for Internet Security, a non-profit organization committed to protecting against cyber threats.
Tuesday’s leaks came at a time when U.S. intelligence agencies were already reeling from the discovery that former contractor Harold Martin had allegedly spent 20 years stealing secrets from the NSA and three other intelligence agencies before finally being caught last summer.
Martin worked for Booz Allen Hamilton, the same consulting firm that employed Edward Snowden, who in 2013 exposed details about U.S. spying programs.
This week’s dump of CIA files is especially alarming because the spy agency is considered the “gold standard” for monitoring and tracking insiders, according to Larry Pfeiffer, chief of staff to then-CIA director Michael Hayden.
Leo Taddeo, chief security officer at Cryptzone and a former special agent with the Federal Bureau of Investigation’s cyber crime division in New York, said the Sept. 11 attacks prompted a significant expansion in the number of facilities and government contractors who had access to sensitive information. A 2003 report on the attacks concluded the plot could have been disrupted if not for lapses of communication between the CIA and FBI.
That finding and others forced a restructuring of how U.S. intelligence agencies share information, overcoming resistance by some officials who worried the new arrangement could create new problems.
“We need for the right people to see the right dots, so they can connect them, but the counter argument is you increase the insider risk and that compromise has a greater impact,” Taddeo said.
Chris Inglis, former deputy director of the NSA, gave a presentation entitled “How to Catch a Snowden” to a jam-packed room last month at the RSA cyber security conference in San Francisco. The talk was so popular that conference organizers had Inglis present twice.
Inglis said companies, as well as governments, need to embrace continuous monitoring of employees and the use of behavioral analytics to spot potential leakers, and to directly involve human resources departments in detection efforts.
Some companies have been hesitant to adopt such strategies, Inglis said, but a raft of breaches in recent years has led to a growing embrace of more aggressive approaches.
“The unfortunate truth is you’re only going to suffer this one in a million times, but that one in a million can kill you,” he said.
Reporting by Dustin Volz and Jonathan Landay; Additional reporting by Joseph Menn in San Francisco and Warren Strobel, John Walcott and Mark Hosenball in Washington; Editing by Jonathan Weber and Leslie Adler