9 February 2017

Insider Threat Special Report: Contracting at the NSA


The latest allegations against former National Security Agency contractor Harold Martin have increased the concern about contractor access at NSA and in other highly sensitive classified environments. These are very valid concerns, and what to do about them is complicated, as there are legitimate cases for and against contractor access. Assuming the government continues to use contractors in the intelligence sector, there needs to be a consideration of how the government maintains oversight and control of the contractors.

To some extent, the haranguing about contractors at NSA is a bit of a red herring. It can be argued that what Harold Martin has allegedly done, and what NSA leaker Edward Snowden did, had nothing to do with their contractor status and could have just as easily been done by government employees. For example, Pfc. Bradley Manning (convicted WikiLeaks leaker), CIA officer Aldrich Ames (convicted spy), and FBI agent Robert Hanssen (convicted spy) were all government employees. Frustration with government policies or actions, money problems, blackmail, extortion, greed, or any number of other motivations that drive people to steal classified data are not exclusive to contractors. Controversies around such events should focus more on the individual, the affected organization, and the damage done rather than arguing over whether the perpetrator was a contractor.

However, there do appear to be significant risks associated with contractors today. With the boom of instantaneous information provided worldwide by the Internet, individuals with ill intent and foreign intelligence services are able to home in on specific companies through a company’s business filings, marketing efforts, or even just loose talk by employees in public areas. Additionally, they can target specific jobs that may provide the access they want based on job board postings that are specific to a government mission or role, even if the government agency or department where the person would work is not identified.

While it is no secret what the NSA or CIA does in general, their job postings are more generic. An individual applying to be an intelligence analyst at NSA, for example, does not generally know which specific team or mission he or she will be assigned to. The person could end up targeting terrorists or hackers, researching emerging technologies, or working in the training directorate. While many positions grant access to classified information, the value of that information varies. As such, the return benefit for a malicious actor is less certain. It is also more difficult for a person outside the government to pinpoint which government employee should be targeted and exploited.

As a result, despite the fact that background checks, security clearances, and access for contractors are granted by the government and not the contracting firm, it does appear that it is easier to get access to sensitive programs and systems by targeting a contractor than by targeting the government directly, simply because it is easier to figure out which jobs are most likely to provide the access a malicious actor is looking for.

Despite that risk, there are significant benefits for using contractors. As I’ve seen first-hand, there are many technical and hard-to-find skills needed at our intelligence agencies. There are other exciting and better-paying jobs in private industry, there is a major skills gap, and competition for talent is fierce. Often, there are not enough qualified people interested in working directly for the government. Contractors help fill that void and can often attract talent that the government cannot.

Contractors are also a smart option for the government when the work needed to be done is a project. The government can bring in the skills needed, have the project worked on for a period of time, and then terminate the contract once it is completed. Contractors provide the government an often simpler solution for staffing. Like any business, there are employees at NSA who do not pull their weight and are largely unqualified for the jobs they do. It is virtually impossible to fire or lay off a government employee. Instead, such employees jump from office to office and basically just collect a paycheck. Certainly this is the exception rather than the rule, but it is frustrating for managers at the NSA. Contractors, on the other hand, can be pushed out and contracts cancelled or not renewed. Furthermore, there is less long-term overhead for the Agency with things such as pensions, healthcare costs, etc.

Another area of concern to many outside the industry involves oversight of contractors once they are in. Generally, each contractor is overseen by the direct team it is supporting, a Contracting Officer, a Contracting Officer Representative (COR), and their respective company’s management.

Using Edward Snowden as an example, the NSA team he was assigned to while employed with Booz Allen included a government-employed team lead and division leadership that provided direct and indirect management of his work. He worked side-by-side with government employees. While he was Booz Allen’s only employee on that team, there were other contractors also supporting it.

Outside of this immediate team management, our contract had a local COR to oversee our work in Hawaii and an overall contract COR back in Maryland. These individuals were well integrated into our work and processes. As the lead of our NSA-Hawaii work, I met regularly with our local COR to report on our activities and discuss any potential issues. The COR in Maryland oversaw the entire contract and ensured that Booz Allen was fulfilling its contractual terms, and work was being performed at a high quality. He also addressed the concerns of the leadership of the government client or Booz Allen employees. Furthermore, each year, a review of the contract was done across all the government teams supported by the contract. This helped determine whether the contract would continue and what percentage of the award fee the company would receive.

In addition to the government oversight, contractors are also overseen by their own company. No company that I know of wants to fail or wants to take the government for a ride (though that may well happen). More typically, they want to do great work and fulfill the terms of the contract so that they can then win additional contracts. Unfortunately, circumstances do not always work out that way due to poor governance, unethical behavior, or general incompetence.

Internally, contractors who are integrated, as Harold Martin and Edward Snowden apparently were, are subject to the same oversight and compliance rules as government employees. Oftentimes, contractors are even further restricted. There were multiple instances where I could not access intelligence derived from a particular program, because I was a contractor, and contractors were not cleared to see that information.

Ultimately, it is evident that Edward Snowden and Harold Martin still would have found a way to do what they did whether or not they were contractors. Allegedly, Snowden had applied multiple times to the Agency’s Tailored Access Operations unit to gain access to their more sensitive, secret operations and intelligence. As one government official told me the day after Snowden revealed himself to the world, “you got caught holding the Hot Potato when time ran out.” Had Snowden been successful landing the government position he sought, he would have likely still done what he did and ended up in Russia.

It is also evident that it is far easier for malicious actors to gain access to programs they are interested in through contractors than through government personnel. Contractors do, unfortunately, pose an increased risk to highly sensitive programs, even if they are often legitimately necessary.

There is no perfect solution. There will always be people who want to ban contractors from access to classified programs and others who will view contractors as necessary or even beneficial. The solution is somewhere in the middle. It may be smart for the government to more tightly control access to highly sensitive programs by only allowing government employees access and preventing contractors from essentially being long-term staff augmentation, but it would be folly to ban contractors altogether.
