NSA Contractor Arrested in Possible New Theft of Secrets

The New York Times, citing senior law enforcement and intelligence officials, reports today that the FBI secretly arrested a National Security Agency contractor in recent weeks (Editor's note: the link could be paywalled; alternate source). The newspaper adds that the FBI is currently investigating whether the contractor (identified as male) stole and disclosed highly classified computer codes developed to "hack into the networks of foreign governments." From the report: The theft raises the embarrassing prospect that for the second time in three years an insider has managed to steal highly damaging secret information from the N.S.A. In 2013, Edward J. Snowden, who was also a contractor for the agency, took a vast trove of documents that were later passed to journalists, exposing N.S.A. surveillance programs in the United States and abroad. The information believed stolen by this contractor -- who like Mr. Snowden worked for the consulting firm Booz Allen Hamilton, which is responsible for building and operating many of the agency's most sensitive cyberoperations -- appears to be different in nature from Mr. Snowden's theft.

(identified as male)

Whew, for a minute there I was afraid we had a rogue Apache attack helicopter!

This guy sounds like a true patriot assisting the American people.

Will the consulting firm take the heat? and will

[Joe_Dragon]

Will the consulting firm take the heat? and will this force them to move more people in house?

EQGRP?

[CODiNE]

Is this someone being nailed for the Equation Group code leak? Or something else?

via Yahoo?

[dejitaru]

How? Try to email them to himself via Yahoo?

No and No

[HBI]

BAH doesn't do clearance investigations - the USG does through the Defense Security Service (DSS). Blaming the contractor is BS. The contractor cuts paychecks, handles vacation and health benefits, does the hiring and firing based on USG guidance, and sets business hours based on USG guidance. The rest is the USG - the contracting officer is in control, and after that the functional USG lead directing the effort.

This is a useful dodge for the USG appointees (aka civilian employees) to avoid personal responsibility for what is their failure. Having the USG hire the people as civilians would make sure of two things:

a. The best qualified would avoid the jobs like the plague due to low pay.
b. You'd get a lot of transferees and priority placements from elsewhere in the USG with inadequate qualifications, but qualifying for the job due to time in service or veterans preferences.

So that's why both answers are no.

Re:No and No

[Reason58]

For high-level information security experience with the associated clearance it is not that competitive.

Re:No and No

[HBI]

Compared to contractor pay? Yup. It'd be a big pay cut for me.

Re:No and No

[plopez]

It's low for Silly Valley, DC, or NYC. But for those of us who live in the real world it isn't bad in most cases.

Oh noes11!!!!!

Now we cant act all indignant when Russia hacks US!!!

So... here's the thing

[vux984]

Assuming this is a genuine crook -- stealing secrets and selling them or disclosing them to private parties... foreign/domestic/whatever. Then arresting him is pretty much the expected course of action.

The interesting angle to me at least, is that it really skewers the idea that Snowden put us at risk. For me, the biggest counter argument to that has always been 'if Snowden could do it so could others'. The fact that Snowden did it altruistically and gave the information to the public means we know about it; how many others have been doing it, that haven't been caught, that have been disclosing it to foreign governments, selling it, etc.

Now we have some real proof of what really should have been obvious -- that yeah, other people have been doing it too. All the "secrets" Snodwn revealed to the public, and in the process our 'adversaries' ...so what?? They probably already had it from their own pet NSA employees & contractors. It would be foolish to assume they didn't.

Re:So... here's the thing

[Ravaldy]

Assuming this is a genuine crook

He is a crook whether he's doing it for moral or financial reasons. He's not using the legitimate channels available to bring the issue to the surface. I realize it's not as easy as it sounds but it certainly more politically correct and less harmful to government.

IMO Snowden could also have used a different approach. Chopping down the tree when there's 1 bad branch is overkill. That's the ONLY reason I only ever partially agreed with what Snowden did. We expect our government to follow due process, we should to until they don't listen (which allegedly wasn't the case here)

Re:So... here's the thing

[vux984]

He is a crook whether he's doing it for moral or financial reasons.

While I agree that one has committed a criminal act either way, the decision whether justice is served by punishing that act depends a lot on the circumstances around it, including the motive.

My usage of the word 'crook' is to suggest a person with antisocial / selfish motives. Snowden committed a criminal act but I don't think he's crook. This guy... I don't know his motive. But if he's disclosing to private parties... odds are its selfish. Either that or its blackmail... which is a whole other issue.

Re:So... here's the thing

[bfpierce]

"He's not using the legitimate channels available to bring the issue to the surface."

Come on now, this black ops shit. You know just as well as anybody else those channels don't really go anywhere.

Re:So... here's the thing

[ShaunC]

He's not using the legitimate channels available to bring the issue to the surface.

Why don't you go ask William Binney, Thomas Drake, Kirk Wiebe, and Ed Loomis how using the "legitimate channels" works out.

Re:So... here's the thing

[Solandri]

Why does it have to be either/or? Why can't they both be guilty of revealing state secrets? Just because Johnny threw rocks off a freeway overpass, does that mean it's ok for you to throw rocks off an overpass, even if it's for the explicit purpose of demonstrating to the public how easy it is to throw rocks off of overpasses? I remember a couple decades ago a local reporter ran a story where he registered at multiple precincts and voted in each one (tearing up his unmarked ballot on camera before dropping it in each box so they wouldn't be counted), just to demonstrate how easy it was. He still got a few months in jail for voting fraud.

Personally I think Snowden did the morally right thing. But legally, oversight of secret programs is supposed to be done by elected legislators appointed to committees where they're briefed on these secret activities. Snowden's argument was that these committees were ineffective at controlling unconstitutional behavior, and the public needed to be informed that this sort of stuff was going on. But I've seen precious little media and public attention devoted to addressing that problem. Instead most of the focus has been on the symptoms - the actual programs themselves, as well as on Snowden.

The discussion he wanted us to have was: how do we keep such secret programs "honest", if that's even possible? If we're going to operate these secret programs, what sort of checks and balances are needed since obviously the existing ones are insufficient? I haven't seen that discussion. Instead all I've seen is three years of righteous indignation by both sides - either over how terrible these programs were, or how terrible Snowden was for revealing them.

Re:So... here's the thing

[vux984]

I remember a couple decades ago a local reporter ran a story where he registered at multiple precincts and voted in each one (tearing up his unmarked ballot on camera before dropping it in each box so they wouldn't be counted), just to demonstrate how easy it was. He still got a few months in jail for voting fraud.

And you think that was right, and just, and served the ideals of society?

What if instead of a couple months in jail, it was successive life sentences? What if it had just been a few dozen hours community service? Or a suspended sentence?

You want to convict Snowden, and give him a couple months in jail; I'm sure few of his supporters would even raise much of a stink over that.

Just because Johnny threw rocks off a freeway overpass, does that mean it's ok for you to throw rocks off an overpass, even if it's for the explicit purpose of demonstrating to the public how easy it is to throw rocks off of overpasses?

That's a non sequitur.

Does anybody really need an object lesson in how easy it is to throw rocks from overpasses? Is that a secret hidden from the public? Is throwing rocks from an overpass likely to be informative? How egregious and corrupt is the city/state/country's mishandling of the problem? And what steps were taken to mitigate the risks to the public? Was the highway closed off with lookouts, and people retrieving the stones... or was I just throwing boulders into rush hour traffic while holding a camera phone?

Re:So... here's the thing

[AHuxley]

Whistleblowers faced few options within the USA. https://cryptome.org/2013-info...

Re:So... here's the thing

[Ravaldy]

Come on now, this black ops shit

By that standard you're ok with anybody under any circumstance to bypass the system. You are setting a very dangerous precedence.

Until someone can prove the proper channels cannot work the proper channels should at bare minimum looked at. Snowden didn't even look to see what options were available.

Re:So... here's the thing

[Ravaldy]

Why don't you go ask William Binney, Thomas Drake, Kirk Wiebe, and Ed Loomis how using the "legitimate channels" works out.

I'm very familiar with these individuals. Explain to me how they used PROPER channels to limit damage to government and NSA programs.

Not much bias in this article

"Theft."

"Stole."

I can't get out of my mind the fact that these words are being (mis)used in exactly the same way as when the RIAA and its kind lie about lost profits and bribe legislators. A story told with such heavy bias makes it difficult to take it or its authors seriously.

Re:Not much bias in this article

[Reason58]

"Theft of secrets" seems correct to me, as once you divulge the information against their wishes it is no longer a secret. The information may still be there, but its secrecy is not.

Re:Not much bias in this article

[PsychoSlashDot]

"Theft of secrets" seems correct to me, as once you divulge the information against their wishes it is no longer a secret. The information may still be there, but its secrecy is not.

Actually, that's an interesting point. By the same measure, the NSA stole the metadata of American citizens' communications for a few years.

Re:Low Pay my ass

[HBI]

It certainly is low pay compared to what GS-12/13 equivalent contractors get paid. Truth. Each FTE is paid $250k to the company and depending on their negotiating skill, the end result to the contractor could be approaching 150k. Do a 1099 arrangement and it can be even more.

Re:Low Pay my ass

[HBI]

By the way, base pay for a GS-13 is $74k for Band 1...so you're not telling people the truth. Even with the regional adjustments, you can easily make less than $90k as a GS-13. So compare and contrast...of course quality people aren't going to respond to the GS jobs.

Besides which, the GS-13s have to show. That's about the only thing they have to do - just about the only way to get fired is to be a no-show or consistently late. True, they get lots of leave and various excuses for not being present, but that is notwithstanding.

Re:Shadow Brokers

[Mister+Transistor]

I was thinking that too... I guess we'll see in the upcoming days.

Wait

[DarkOx]

the contractor (identified as male) stole

I thought we had to be concerned with how the contract identifies zis self. I am still trying to get with the program here.

Re: Third Time Actually

[jackspenn]

I'm sure the FBI will add an intent clause not included in the law, just like it did with Hillary Clinton. So this contractor has nothing to worry about. It is not like there are different standards for the politically connected and everyone else.

"programs" -- not "codes"

[superwiz]

"codes" is an exclusively Indian usage. And it's fairly harsh on the ears of any non-Indian programmers.

Re:"programs" -- not "codes"

[PPH]

Actually, I've heard the term used in my distant past by some old timers. They referred to programs as codes. And as many of these were highly classified. DoD contractors had not yet begun outsourcing top secret work to India, Russia, and China, so it was an American usage.

Re:"programs" -- not "codes"

[superwiz]

And as many of these were highly classified. DoD contractors had not yet begun outsourcing top secret work to India

The "codes" was part of the article summary by slashdot. It was not part of the quote. In other words, it was written by whoever submitted the story to Slashdot. So this:

it was an American usage.

does not follow from the slashdot submission. Oh, and it's was never used by oldtimes. It is exclusively Indian. And it is very new. I think "Codechef" was the 1st place I saw it. And you don't have to believe it, but it won't change the fact that it sounds very harsh to the ears of all other English speakers.

Re:"programs" -- not "codes"

[superwiz]

Just to follow up, I just looked through the NYTimes article itself, and no "codes" does not appear in it. "Computer code" does. And while "code" is singular, "computer code" is always taken to be plural. So "codes" sounds just as harsh as "maths" to a North American English speaker (even though "maths" has sipped its way into British usage).

Re:Low Pay my ass

Yes, but the contractors have no job security, and will get fired if they fuck off all day. The GS's, on the other hand, have no liability and, in at least in my decades of experience, tend to fuck off most of the day and have the job on the basis of veteran or minority hiring preference.

Re:Low Pay my ass

[HBI]

True statement on the fucking off, though I know of notable exceptions with personal integrity. Those people tend to do well in the system, as screwed up as it is.

how it appears is not always the truth

[Gravis+Zero]

The information believed stolen by this contractor — who like Mr. Snowden worked for the consulting firm Booz Allen Hamilton, which is responsible for building and operating many of the agency’s most sensitive cyberoperations — appears to be different in nature from Mr. Snowden’s theft.

All we really know is that this guy got busted before he could act. It saddens me to write this but the FBI giving their word about the matter doesn't mean it's the truth because Comey has destroyed the FBI's credibility. :(

Re:how it appears is not always the truth

[rahvin112]

You've never been able to believe anything the FBI says, it's not a new thing. Though this case is yet another example that you don't talk to the FBI without lawyers! The guy admitted he knew he wasn't supposed to have the data, that's going to add YEARS to his sentence because his conduct is now willful which is a sentence multiplier in sentencing.

DON'T TALK TO THE FEDS. Say one word, LAWYER.

Tech sucks: We need minimize bloat to fix it

I wish more people and companies were concerned about security so that we could start taking a serious look into solving the problem. Unfortunately everybody jumps on the latest and greatest instead of considering how terribly insecure any of it is. Facebook, Microsoft Widows, and even GNU/Linux are all great examples.

What we need to do is start thinking smaller. Instead of jumping on that quad core 16GB ram system maybe we should think about what we can actually achieve with fewer resources and standardize on a minimal set of components that can be properly audited. Not just at the software level, but hardware too.

I'm glad to see one crowd sourcing campaign and project that aims to do just this even if it has a long way to go (as far as the software is concerned in the way of minimizing bloat, etc) and it has already largely succeeded in part at its core mission thanks to the project's primary sponsor ThinkPenguin (funded the first two housing designs and standard) and a groundswell of support from those crowd funding the first manufacturing run of devices based around the EOMA68 standard.

Basically EOMA68 didn't focus on the 'high end', but is instead a standard around which modular devices can be built. The first computer card based around EOMA68 is a simple (to today's desktop/laptop standards anyway) All Winner A20 dual core CPU with 2GB memory. The standard reduces the cost of designing and manufacturing devices that can be secured (quad core cards are coming that'll support the same housings, ie what the EOMA68 standard is for, one housing is a laptop and another a desktop, but others are to follow). The complete set of source codes available for all the components going into both the housings and computer cards designed around the EOMA68 standard. This includes keyboard controllers, LCD controllers, CPUs, and so on. All the places that we know at least one government has hidden backdoors and a 2nd we're reasonably confident has.

Re: Tech sucks: We need minimize bloat to fix it

[Actually,+I+do+RTFA]

Removing features until hey can be added securely is the opposite of an IoT toaster. Also, why would anyone want an IoT toaster.

Re: Tech sucks: We need minimize bloat to fix it

[Actually,+I+do+RTFA]

I know what an IoT device is. I don't see why anyone would want one. Especially a toaster.

Re:Time to fire Booz Allen Hamilton

[PPH]

Time to bring all the people working with sensitive data or hardware back in house as direct employees. Also, the process of vetting them for clearances. Putting this part of the hiring process in the hands of private enterprise is the first step to contractors like Booz Allen Hamilton skimming the skilled people off the top and sending the knuckle-draggers to work as direct federal employees.

why don't they just add permanent staff?

[swschrad]

for instance, ex-military, which presumably would be copacetic with maintaining operational security. anybody with bingo-number resumes can qualify as a contractor, able to take a higher bid with no remorse.

Re:why don't they just add permanent staff?

[tomhath]

It's very, very difficult to get rid of non-performers who are protected by both civil service laws and their union. Using contractors gives the government more control, not less.

Re:why don't they just add permanent staff?

[plopez]

Not really. You have to negotiate a deal with the contracting house as well. Trying to deal with non-perfomant contractors in my experience is a nightmare. Depending on the contract it could end up with your company having to "buy out" the contract or having the contractor replaced with a, just as bad, replacement contractor. Or go through a long and drawn out remediation process.

It's as bad as dealing with a dysfunctional union contract.

Re:why don't they just add permanent staff?

[AHuxley]

No bid contractors are sold as adding private sector ability and ingenuity to the US gov and mil.
It has become very profitable to get clearance and then sell services back to the US gov at any cost in times of need.
Tools, software, hardware, support, language skills, interrogations skills, medical devices, food, energy, crypto, design.
The other part is the US can then talk about the easy option to ramp up support from the private sector allowing for some very fast results. Most of that action ends up in bank accounts.
If the US gov or mil comments about quality, some states bipartisan political leadership makes a fuss until the private sector from their state is selling to the gov again.
Once proprietary hardware and software is sold/rented into the US gov/mil, self cleared contractors have to follow in for support.
That has really been a big pull between the NSA and GCHQ. To trust and guide up mil/gov only staff over decades on the traditional UK side. Better pay, wages, esprit de corps over decades. Or the US view that any contractor with skills can get clearance and it will all be great because the private sector is always by default good. The US view only works with the best vetting policy and total compartmentalization.
Once the US stopped sending out staff to walk the life of applicants from home to education, interviewed friends the private sector had a free for all within the US gov and mil.
Private sector staff could ensure their digital records matched what the US gov was looking for and security became a digital formality.
Operational security is now about securing profits to the point of making it to no bid.

I thought their job WAS to steal?

[WillAffleckUW]

Wasn't he doing his job to lie, cheat, and steal?

And ignore the US Constitution and spy on American citizens without a specific court order and warrant?

So why keep hiring contractors?

[ErichTheRed]

The government seems to have the same accountants my company does...effectively paying twice for an employee but coming out ahead because OpEx.

Why in the world would the government hire contractors to work in the intelligence agencies? Even if they have their clearances, etc. you exercise less control over a contractor than you would your own employee. I saw a post above saying GS workers can't be fired and the government can't pay talented people enough -- I'd be tempted to take the "can't be fired" with a grain of salt given most /.'er's political leanings, but I could be wrong. Hiring contractors to work on sensitive material doesn't make too much sense to me. In my IT experience, contractors tend to be much more transient than permanent employees and a whole lot less interested in doing a good job (beyond what it takes to keep getting renewed.)

To me, it would make sense to fire all the contractors, hire FTEs to replace them, and bump up a few salary grades so they can be assigned to techies. That's one thing my current company does right -- the first 2 management ranks out of 4 are assignable to technical people as well, which allows smart people to be compensated for being smart rather than having to go into full blown management-only career paths. You're expected to mentor and supervise, but the political crap gets handled by managers. If government workers really do top out at a low salary, the benefits may not make it worth sticking around. However, with the spectre of offshoring and constant downsizing, I could definitely see the attraction of a very stable job in the next 10 years or so...people have different priorities. Some want to make as much as possible, and others want to do the family thing and have a safe income to fall back on.

Re:So why keep hiring contractors?

[organgtool]

Why in the world would the government hire contractors to work in the intelligence agencies?

The government loves contractors because it provides someone else to blame when the shit hits the fan. It's like keeping a scapegoat on retainer.

Re:So why keep hiring contractors?

[AHuxley]

They run the collect it all systems that connect into the private sector. They know the jargon and terms that allow them to pass effortlessly back into the big US brands and telcos undercover or as part of a gov team.
Re "Hiring contractors to work on sensitive material doesn't make too much sense to me."
That policy is driven by political contacts, no bids and legal teams. If access to the private sector is not granted, access is demanded by politics and the need for creating local jobs.
Re "bump up a few salary grades"
The issue is the skills offered by contractors and the skills the gov, political class and mil then think they need for the collect it all missions.
A rush to the private sector to keep skills and get new skills saw a huge flood of rushed digital clearances or past self signed equivalent digital clearances been updated.
That allowed the US gov to be sold on the story that tech skills, language skills, people with skills that only living within a faith, community or the private tech sector could be found by using contractors.
The huge issue is security teams have not interviewed around the life history of a lot of contractors or even gov staff. No long interviews with extended family, questions to very local courts about sealed local paperwork in the past, no interviews with teachers, friends, looked over a home, looked at books around a home. i.e. radicalisation, cult membership, political issues or the value of another nation.
All the classic work that builds a real picture of the person, not just that they exist on a digital file on some computer in some fly over state.
The other aspect is criminal pasts. The need for language skills, cultural insights, having travelled the world, jargon, slang saw a rush to hire anyone.
Finally political aspects as to who can now get into the US gov is changing. Nothing to do with security just yet, but within a generation the US gov will be flooded with people hired on very different priorities, i.e. basic gov security is not even a consideration anymore.
"Obama’s DOJ blames criminal, citizenship checks of job seekers for lack of police diversity" (Sept. 25, 2016)
http://www.washingtontimes.com...
Other nations will ensure trusted generations of their sympathisers, cult members, faith get in and rise up the ranks of the US bureaucracy.
Bulk collection and collect it all will not be able to track insiders as they will never risk any digital device, a distant holiday or religious service will give them time with their handlers.
The fix is so easy, keep it within gov/mil, hire correctly on merit, compartmentalise, walk the real US life story of all US applicants.
Give great rewards, further education and allow for advancement based on merit.
People who have cult, faith or political issues, put their "other" nation first will always be a risk for decades as trusted contractors or staff.
The US always had a great system to hire the best and ensure their pasts showed no sign of working for other interests.
Sadly with political pressure and no bid contractors all that has changed and within a generation a lot of strangers will have total access to mid and low level US secrets daily and without question. How far did they get up the gov and mil system?

Re:So why keep hiring contractors?

[dcw3]

You're full of shit. Nobody gets TS and above access with only a credit check.

Re:So why keep hiring contractors?

[dcw3]

The government has even more control over contractors than it does over it's own employees (who they can never seem to get rid of when there's incompetence)...I've been on both sides for 40 years now...there's no "grain of salt" necessary. Go look up how often, government employees are laid off, or fired, and get back with us. A contractor can be dumped very easily. Contractors are hired to do jobs that the Feds can't, and that's typically because highly skilled employees typically go for better paying jobs, and the Feds simply can't pay as well, so normally don't have enough skilled people. The government also hires contractors who are OEMs to be advisors for the equipment, applications or other products that they've sold to the govt. Contractors who are granted access are subject to the same legal penalties as government employees, so the "transient" issues is a non-starter. Also, people who get clearances, tend to move to other companies/jobs where they'll be able to keep them...there's a little more money & job security as these positions never go off-shore. I've seen the government attempt to replace contractors in several locations, and fail...it rarely ever works.

Almost

Snowden did the right thing because the oversight is not/was not working. I agree that he should be held accountable for his actions, and I'm pretty sure he does also. The concern he had in seeking asylum is that he could not get a fair trial in the US, which I also agree with.

In other words, past where you said "I think Snowden did the morally right thing." there should not have been a "but".

Re: Third Time Actually

Criminal intent is a prerequisite under the due process clause.

Re: Third Time Actually

[AutodidactLabrat]

Sorry, the law REQUIRES intent to distribute as the third test of crime.
Here we thought you knew what you are talking about.

and with the new salary pay laws that must go up

[Joe_Dragon]

and with the new salary pay laws that must go up

Re:contracts

[AHuxley]

Unconstitutional bulk domestic spying is the key to undoing any "Theft of secrets" color of law comments. The US gov/mil cannot hide a from the United States Constitution by invoking a few decades of "secrets".
Whistleblowing and criminal investigation would never work in the US if the gov can just pull "secrets" over any other part of the gov or mil asking legal questions.
So the US is very careful to allow the "secrets" part to drop when discovering legal issues within its gov/mil.
If not US gov/mil/contractors could just quote "security" all day before any US court as a form of total immunity and the US court system would not function.
That is why so much effort is spent hunting whistleblowers and their first contact with the press. "The Most Intriguing Spy Stories From 166 Internal NSA Reports" (May 17 2016)
https://theintercept.com/2016/...
FIRSTFRUIT was the effort to scan the media to find any contact with the press and track whistleblowing efforts.

Re:Should this white male be tortured and then exe

[dcw3]

Well, it was "catch and release" with HRC. I'd personally skin them both.

Would you 3D print a car?

[CmdrTamale]

Come on, guys. It's just copyright infringement, and he hadn't even distributed.
--
I am serious sometimes but I'm not very good at it.