Edward Snowden
“The Ultimate Insider Threat”
James Kiely
Director of Security
March 18, 2014
Overview
• Who is Edward Snowden?
• What was his objective?
• Snowden Timeline
• How did he gain access?
• NSA Damage Assessment
• Pursuit of political asylum
• Amnesty consideration
• Whistle-Blower or Traitor?
• Insider Threat lessons learned
• Cleared Defense Contractor Consequences
• Obama restructuring of NSA Collection Program
• Insider Threat Awareness Review
Who is Edward Snowden?
• White male, age 29
• Grew up in Maryland
• High school drop-out, later earned GED
• Associates viewed him as a “reticent man”
  - Quiet and reserved
• Described himself as an “ascetic”
  - A person who renounces comforts and pleasures in order to lead a life of rigid self-denial
Who is Edward Snowden?
Personality Traits
• Organizational Citizen
  - Strong sense of justice in what he believes
  - Feels his view is correct and no room for negotiating
• Narcissist
  - Views himself as much more important than he actually is
Access
• Held TS-SCI clearance based on IT positions with CIA and NSA
What was Snowden’s objective?
• Obtain BAH IT System Administrator contractor job with NSA to gain access to their domestic surveillance collection program
What was Snowden’s objective?
• Felt the public needed to know and draw their own conclusions
• Responsibility to expose what he viewed as NSA wrongdoing
• Claimed to be a whistleblower acting against the threat NSA posed to civil liberties
• Indicated exposure of NSA secret programs didn’t make him a hero or a traitor, just an American
What was Snowden’s objective?
• Realized NSA, Hawaii facility lacked software to trace his unauthorized access to classified computer files
  - Necessary security software was in place at most other NSA locations
• Convinced over 20 NSA, Hawaii employees to share their logins and PWs
  - Allowed him to access/download tens of thousands of classified docs
What was Snowden’s objective?
• Claims he hasn’t revealed any classified NSA information re “legitimate military targets”
  - Only NSA efforts against civilian infrastructure
• Feels decision to expose NSA surveillance programs was vindicated by a federal judge’s 12/16/2013 ruling
  - Mass NSA collection of US phone data may be unconstitutional
  - Case will eventually be heard by Supreme Court
  - Based on the above, a small portion of the public views Snowden as a hero
What was Snowden’s objective?
• December 2013 Snowden interview with the Washington Post
  - Snowden claimed he exceeded initial expectations
  - NSA was now facing scrutiny it had not endured since the 1970s, or actually ever, from Congress, federal courts, the public and world leaders
  - “I am not trying to bring down NSA, I’m working to improve NSA.”
  - I have no relationship with the Russian or Chinese government and haven’t directly provided them with NSA information
Snowden Timeline 2013
January
• Starts to identify journalists for leaking of NSA classified
February
• Contacts Glenn Greenwald, reporter, The Guardian and Laura Poitras, a documentary film maker re NSA story
March
• Greenwald/Poitras meet in NYC re Snowden emails
May
• Snowden sends Greenwald sample classified NSA docs
• Snowden flees to Hong Kong for meetings/interviews with Greenwald/Poitras
  - Reveals details of classified NSA Prism Program to track suspected terrorists
  - Also possible interaction with Russian Intelligence Service
Snowden Timeline 2013
June
• The Guardian publishes a highly classified court order demanding Verizon produce phone records
• The Guardian and Washington Post disclose existence of Prism Program
• While in Hong Kong Snowden reveals himself as NSA leaker
• He initiates requests for political asylum in several South American countries
• Vladimir Putin allows Snowden to enter Russia
Snowden Timeline 2013
July-September
• Leaks a steady stream of classified NSA documents
  - British GCHQ intercepted communications of foreign politicians participating in the April and September 2009 G20 Summit
  - NSA bugged European Union offices in NYC/WDC
  - NSA ongoing targeting of 38 foreign embassies for communication intercept
  - NSA intercepted United Nations communications
Snowden Timeline 2013
July-September
• Snowden granted temporary political asylum in Russia
Snowden Timeline 2013
October
• Snowden’s father visits him in Moscow
• Snowden claims he took no classified NSA files to Russia and hasn’t shared any information with Russian Intelligence Service (SVR)
• Claims he has access to every active NSA operation against China
November
• Releases “A Manifesto for Truth” claiming NSA and GCHQ are the worst offenders of mass communication surveillance w/o oversight
Snowden Timeline 2013
November
• British Intelligence officials indicate the Snowden leaks have seriously damaged their ability to keep Britain safe
December
• President Obama advises there will be no amnesty in return for Snowden’s cooperation
• Snowden provides Washington Post with a two-day interview
  - Claims to have accomplished his objective
Snowden Timeline 2014
January
• Washington Post releases lengthy update interview with Snowden
• New York Times Editorial Board recommends a plea bargain or clemency for Snowden
  - “Based on enormous value of information he provided and abuses he exposed”
• House and Senate Intelligence Committee leaders opine leak was supported by Russia
  - No proof provided
Snowden Timeline 2014
January
• Obama announces NSA Collection Program reforms
• Snowden claims NSA conducting industrial espionage against major German companies
  - Intent is for US economic gain vs. national security
  - Failed to provide any proof
• Snowden claims impossible to receive fair trial in US and USG officials want him killed
Snowden Timeline 2014
January
• Russian officials advise Snowden’s asylum protection will be extended beyond 8/2014
• NSA and GCHQ capable of collecting data from smart phone apps
  - Without knowledge of companies that distribute them
• Snowden nominated for Nobel Peace Prize
  - Winners will be announced in October 2014
Snowden Timeline 2014
February
• Initially kept quiet while Russia hosted the Winter Olympics in Sochi
• Leaked documents indicating GCHQ intercepted webcam images from millions of Yahoo users around the world (2008-2010)
Snowden Timeline 2014
March
• Claimed NSA’s “mass surveillance” approach caused them to miss critical terrorist communications
  - Possible clues prior to 2013 Boston Marathon bombing
• Indicated NSA disguised itself as Facebook servers to gain access to computers of individual intelligence targets
How did Snowden gain access?
Flawed USIS Reinvestigation for TS Clearance
• Largest security background check contractor
  - DOJ civil complaint: USIS filed 660,000 flawed BIs and obtained $12 million in bonuses
  - Failed to properly vet Snowden’s 2011 reinvestigation
• Practice known as “Dumping” or “Flushing”
  - Aimed at pumping up revenue for expeditious BIs
  - USIS was paid $1,900 for BIs submitted before the next-to-last day of the month, but only 75% of that after the deadline
How did Snowden gain access?
Flawed USIS Reinvestigation for TS Clearance
• Failed to verify Snowden’s account of a previous security violation while employed at CIA
• Didn’t address fact that he failed to report a trip to India
• Failed to interview anyone other than his mother and girlfriend
How did Snowden gain access?
• CIA never provided NSA with derogatory report from Snowden’s supervisor
  - Noted concerning changes in behavior and work habits just prior to leaving CIA for NSA
  - CIA suspected he attempted to breach classified computer files prior to his departure
How did Snowden gain access?
• NSA IT System Administrator position provided the perfect cover for accessing classified docs
  - Maintained in a file-sharing location on NSA’s intranet portal
  - Classified docs kept on portal so analysts and other officials could review and discuss online
  - His authorized access provided the opportunity to identify and move classified docs to a more secure location w/o raising red flags
  - He also used social engineering to persuade his colleagues to share their passwords
NSA Damage Assessment
Has been conducting an ongoing Snowden Damage Assessment since June 2013
• Downloaded 1.7 million classified documents
  - Still has access to 1.5 million unleaked after sharing 200,000
  - Only released 1% to date!
• As IT System Administrator had PWs to circumvent system security measures
  - Part of job to maintain NSA computers and move large data sets between systems
NSA Damage Assessment
• Used available tools to “scrape” tons of classified from NSA websites and move to a location for downloading
• He succeeded in obscuring some electronic traces of how he accessed classified
• Believe he has enough classified for at least two years of additional news stories
  - US Intelligence officials feel the worst is yet to come!
NSA Damage Assessment
Most Critical Information Taken or Exposed
• Topics of interest to NSA and associated gaps (31,000 classified docs)
  - Includes US, China, Russia and Iran country-specific capabilities and gaps
  - These reports would be a “gold mine” for our adversaries if leaked
  - Provides a road map of what the US knows and doesn’t know about its enemies
• Names of all IC agents and undercover assets worldwide
NSA Damage Assessment
• NSA’s greatest concern focuses on whether Russia or China managed to download the archive from Snowden’s computer
  - US officials have acknowledged there is no evidence to that effect
  - Snowden has repeatedly denied directly furnishing Russia or China with any classified documents
NSA Damage Assessment
• Massive fallout for US foreign relations based on Snowden release of monitoring/eavesdropping of foreign nations and allies
  - In reality most countries spy and collect on each other, but it wasn’t previously public knowledge
• To date thousands of NSA man-hours and tens of millions of dollars have been spent trying to reconstruct what Snowden took
  - Remains a work in progress and may never be clear
NSA Damage Assessment
• Exploring possibility Snowden may have left a virus behind in NSA’s system (a time bomb)
  - As a result all computers he accessed were removed from NSA’s classified network
  - Also all computers and actual cables with access to unclassified network
• Intelligence officials fear Snowden created a heavily encrypted data cloud
  - Access limited to him and three others via ever-changing PWs
  - Snowden views this cache as his “insurance policy”
NSA Damage Assessment
• Snowden’s disclosures will result in grave harm to existing intelligence gathering techniques
  - Exposing methods that adversaries will learn to avoid
  - Already see Al Qaeda adjusting the way they communicate
Snowden Mitigation Task Force
• General Martin Dempsey, Chairman, Joint Chiefs of Staff is heading Snowden Mitigation Task Force, to investigate extent of theft and determine how to overcome it
  - Vast majority of documents taken relate to military capabilities, operations, tactics, techniques and procedures
  - It will take the US at least two years and possibly billions of dollars to overcome harm done
NSA Damage Assessment
FBI leading Criminal investigation
• Snowden methodically downloaded massive amounts of NSA classified files while working in Hawaii
  - Believed to have acted alone
• Indicted by a FGJ, June 2014
  - Charged with Espionage and Theft of Government Property
  - Russia rejected US request to extradite Snowden during July 2013
Pursuit of Political Asylum
• Snowden initially granted temporary political asylum in Russia until August 2014
• He continues to pursue political asylum in Brazil, Bolivia, Ecuador, Venezuela, Nicaragua and Iceland
• Snowden stated “Until a country grants me permanent political asylum the USG will continue to interfere with my ability to speak out”
Pursuit of Political Asylum
Did Snowden have help from the Russians?
• US House Intelligence Committee Chairman Mike Rogers believes Snowden ended up in Russia for a reason
  - Cooperating with Russian Federal Security Service (FSB)
  - Stolen NSA information had more to do with US overseas operations than US citizens’ privacy
  - Snowden not skilled enough to pull off the leak alone
  - Recent disclosures are too sophisticated in their content and timing for Snowden
• Senator Dianne Feinstein, Chairman of the Select Committee on Intelligence and Mike Morell, former Deputy Director, CIA concur, but no actual proof so far
Amnesty Consideration
Snowden indicated that he would return to the US if given amnesty
• Some high level NSA executives think that option warrants further discussion (12/2013)
  - Considering the potential for more damage to national security
  - Requires assurance that all remaining classified documents would be returned and secured
Amnesty Consideration
• General Keith Alexander, Director, NSA feels amnesty for Snowden is a bad idea (12/2013)
  - Needs to be held accountable for his actions
  - Cannot be trusted to return all NSA data
• President Obama advised “there will be no amnesty for Snowden” (12/2013)
  - Recommended Snowden voluntarily return to the US to face felony charges and receive full due process and protections within the legal system
Whistle-Blower or Traitor?
Intelligence Community and national security establishment widely view Snowden as a traitor
• Recently released classified Pentagon report reflects
  - Leaks have endangered US troops by providing terrorists with a copy of our country’s playbook
  - Damaged US allies’ efforts to combat terrorism, cybercrime and WMD proliferation
• Warrants federal prosecution for compromising classified information to the benefit of US adversaries
• Caused irreparable damage via the largest classified data dump in US history
Whistle-Blower or Traitor?
• Severely damaged foreign relations with US allies
• Several members of Congress strongly support federal prosecution of Snowden and oppose any plea bargaining or amnesty considerations
• Broke his oath of secrecy to protect classified (SF-312)
Whistle-Blower or Traitor?
Some elements outside the Intelligence Community view Snowden as a hero
• Provided the public with details on how NSA exceeded and abused its authority
• Revelations prompted two out of three federal judges to accuse NSA of violating the Constitution
• A panel appointed by President Obama cited NSA’s invasion of privacy and called for a major overhaul of its operations
Whistle-Blower or Traitor?
• Some members of Congress have expressed their outrage over NSA’s collection practices involving US citizens
Lessons Learned
What is NSA doing to avoid future Insider Threats?
• NSA and IC revamping network security
  - Installing software to spot/track employee attempts to access/download classified w/o prior authorization
  - Senate Intelligence Committee to fund $100 million security upgrade
• NSA and IC implementation of “two person handling rule”
  - When accessing or moving classified database information
  - Must remove anonymity for those accessing classified systems
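The "software to spot/track" bullet above, and the earlier slides on shared logins and bulk scraping, describe detections rather than show them. The following is an added example, not part of the presentation and not any agency's tooling: a small detector run over constructed audit-log lines. It flags the three patterns the deck associates with the case: one account used from several workstations in a short window (consistent with shared credentials), a burst of downloads by one account, and access outside normal working hours. The log format, usernames, hostnames and thresholds are all assumptions made for the example.

```python
"""Added example: insider-activity detection over constructed audit logs.

Not code from the presentation or from any agency; the log format, names
and thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, account, workstation, action, object id.
SAMPLE_LOG = """\
2013-05-01T09:02:11 analyst1 ws-101 READ doc-4410
2013-05-01T09:05:40 analyst1 ws-101 READ doc-4411
2013-05-01T09:06:02 sysadmin7 ws-200 READ doc-0001
2013-05-01T22:10:00 analyst2 ws-102 DOWNLOAD doc-9001
2013-05-01T22:10:03 analyst2 ws-117 DOWNLOAD doc-9002
2013-05-01T22:10:05 analyst2 ws-102 DOWNLOAD doc-9003
2013-05-01T22:10:09 analyst2 ws-131 DOWNLOAD doc-9004
2013-05-01T22:10:12 analyst2 ws-102 DOWNLOAD doc-9005
2013-05-01T22:10:15 analyst2 ws-102 DOWNLOAD doc-9006
2013-05-01T22:10:20 analyst2 ws-102 DOWNLOAD doc-9007
2013-05-02T10:00:00 analyst1 ws-101 READ doc-4412
"""

# Assumed thresholds for the example; a real deployment tunes these per role.
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5          # downloads by one account within BULK_WINDOW
HOST_WINDOW = timedelta(hours=1)
HOST_THRESHOLD = 2          # more than this many workstations per account in HOST_WINDOW
WORK_HOURS = range(7, 19)   # 07:00-18:59 counts as normal


def parse_log(text):
    """Parse the constructed log into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, obj = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "obj": obj})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a sorted list of (rule, account) alerts, at most one per rule per account."""
    alerts = set()
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        if e["ts"].hour not in WORK_HOURS:
            alerts.add(("off_hours_access", e["user"]))

    for user, evs in by_user.items():
        # Sliding window over this account's downloads: bulk-download burst.
        downloads = [e["ts"] for e in evs if e["action"] == "DOWNLOAD"]
        for i, start in enumerate(downloads):
            in_window = [t for t in downloads[i:] if t - start <= BULK_WINDOW]
            if len(in_window) >= BULK_THRESHOLD:
                alerts.add(("bulk_download", user))
                break
        # Sliding window over all events: one account on many workstations.
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= HOST_WINDOW}
            if len(hosts) > HOST_THRESHOLD:
                alerts.add(("multi_host_credential_use", user))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule}: {user}")
```

On the constructed sample, only `analyst2` trips the rules: seven downloads in twenty seconds, from three different workstations, at 22:10. The multi-host rule is the one that speaks to the password-sharing described on slide 7: an account whose owner sits at one desk should not appear on three machines in the same hour.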
Lessons Learned
What is NSA doing to avoid future Insider Threats?
• Tagging classified documents to ensure only staff with “need to know” can access a given document
  - Tagging rule also allows security auditors to see how individuals with authorized access are actually using it
• New guidance to never provide your password, even to an IT System Administrator
  - Especially as pertains to classified document access
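The tagging control on this slide and the "two person handling rule" on the previous one are easier to reason about as a small access model. What follows is an added example, not from the presentation and not a model of any real system: documents carry a classification level and compartment tags, users carry a clearance and compartments, a read requires both level and every tag (need-to-know), and moving a document requires a distinct second person who independently satisfies the same check. Every decision, granted or denied, lands in an audit trail so an auditor can see how authorized access is actually being used. The names, levels and tags are constructed for the example.

```python
"""Added example: tag-based need-to-know with a two-person rule and audit trail.

Not code from the presentation or from any agency; the level names, tags and
user names are assumptions made for illustration.
"""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class Document:
    doc_id: str
    level: str
    tags: frozenset       # compartments a reader must hold


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    compartments: frozenset


@dataclass
class Repository:
    audit: list = field(default_factory=list)

    def _log(self, action, user, doc, decision, reason, second=None):
        """Record every decision, granted or denied, attributed to a named person."""
        self.audit.append({"action": action, "user": user.name, "doc": doc.doc_id,
                           "decision": decision, "reason": reason,
                           "second": second.name if second else None})
        return decision == "GRANT"

    def can_see(self, user, doc):
        """Need-to-know: clearance level sufficient AND every document tag held."""
        if LEVELS[user.clearance] < LEVELS[doc.level]:
            return False, "insufficient clearance level"
        missing = doc.tags - user.compartments
        if missing:
            return False, "missing compartment(s): " + ", ".join(sorted(missing))
        return True, "ok"

    def read(self, user, doc):
        ok, reason = self.can_see(user, doc)
        return self._log("READ", user, doc, "GRANT" if ok else "DENY", reason)

    def move(self, user, doc, second):
        """Two-person rule: mover and a distinct co-signer must each pass need-to-know."""
        if second is None or second.name == user.name:
            return self._log("MOVE", user, doc, "DENY",
                             "two-person rule: distinct second person required", second)
        for who in (user, second):
            ok, reason = self.can_see(who, doc)
            if not ok:
                return self._log("MOVE", user, doc, "DENY", f"{who.name}: {reason}", second)
        return self._log("MOVE", user, doc, "GRANT", "ok", second)

    def usage_report(self, user):
        """What an auditor sees for one person: how often access was granted or denied."""
        mine = [e for e in self.audit if e["user"] == user.name]
        return {"grant": sum(e["decision"] == "GRANT" for e in mine),
                "deny": sum(e["decision"] == "DENY" for e in mine)}


def demo():
    """Constructed scenario; returns the repository so the audit trail can be inspected."""
    repo = Repository()
    doc = Document("doc-7731", "TOP SECRET", frozenset({"PROJ-A"}))
    analyst = User("analyst1", "TOP SECRET", frozenset({"PROJ-A"}))
    reviewer = User("reviewer2", "TOP SECRET", frozenset({"PROJ-A"}))
    # Cleared to TOP SECRET, but with no need-to-know for PROJ-A material.
    sysadmin = User("sysadmin7", "TOP SECRET", frozenset({"IT-OPS"}))

    repo.read(analyst, doc)                    # GRANT
    repo.read(sysadmin, doc)                   # DENY: missing compartment
    repo.move(analyst, doc, second=None)       # DENY: no second person
    repo.move(analyst, doc, second=analyst)    # DENY: same person twice
    repo.move(analyst, doc, second=sysadmin)   # DENY: co-signer lacks need-to-know
    repo.move(analyst, doc, second=reviewer)   # GRANT
    return repo


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The point of the denied `sysadmin7` entries is the one the slide makes: a clearance level alone does not confer access, the tag does, and an administrator who can operate the system still leaves a named, auditable record whenever he touches a document outside his compartments.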
Lessons Learned
What is NSA doing to avoid future Insider Threats?
• Need for timely, thorough and competent initial BIs and clearance reinvestigations
• Recognition that contractors, IT personnel and disgruntled employees pose the greatest Insider Threat
• Impossible to fully protect against an Insider Threat
  - Key is to initially hire quality employees
  - Responsibility of all employees to recognize and report suspicious Insider Threat activity
Lessons Learned
What is NSA doing to avoid future Insider Threats?
• Establishing an Insider Threat Working Group
  - Provide staff with ongoing training and awareness
  - Key is to root out/identify and neutralize Insider Threats before they inflict extensive damage
• Enforce Security ban on removable media in classified work areas
• Recognition that the Snowden incident could have happened to any of the IC agencies
Cleared Defense Contractor (CDC) Consequences
• Office of Personnel Management (OPM), which conducts CDC security clearance investigations, proposed
  - Changing TS re-investigations from 5 years to annually
  - Secret re-investigations from 10 years to 5 years
• DIA subjecting its contractors with TS-SCI clearances to security interview and CI polygraph
• Effective 1/2015 DSS requiring all CDC to have a viable Insider Threat Program
Obama Restructuring of NSA Surveillance Program (1/17/14)
• Data collection program remains a critical tool for IC to identify and deter terrorist plots
• No more eavesdropping on foreign leaders and governments who are allies
• Requires IC to obtain FISA Court permission before accessing US citizens’ telephone records
• AG Eric Holder tasked to design a plan moving control of phone records away from USG
Insider Threat Awareness Review
• It’s essential for CDC facilities to establish an Insider Threat Program
  - Assists in mitigating the risk
  - Trains staff to observe, recognize and report suspicious activity
  - Must have a specific reporting process in place
Insider Threat Awareness Review
• Key is to identify and neutralize Insider Threats before they inflict extensive damage
  - Watch for behavioral changes
  - Identify and report personality traits of concern
  - Employee observations are one of the best ways to identify an Insider Threat
  - Awareness that most Insider Threats occur a month before an employee plans to leave the company
• Security is every employee’s responsibility!!!
Insider Threat Awareness Review
Insider Motives
• Ego based
• To exact revenge
• Financial gain
• Anti-US sentiment
• Foreign National ties
• To expose what they view as hypocrisy or wrongdoing
Insider Threat Awareness Review
Factors Creating an Insider Threat
• Employee experiencing financial difficulties
• Company’s deteriorating financial condition
• Company decision to furlough employees or reduce salaries
• Philosophical differences
• Perceived moral obligation
Insider Threat Awareness Review
How to spot an Insider Threat?
• Failure to report overseas travel or contact with foreign nationals (Snowden)
• Efforts to gain higher security clearance access outside normal work scope (Snowden)
• Working odd hours inconsistent with responsibilities or insisting on working alone
• Attempting to enter limited access areas outside their “need to know” (Snowden)
Insider Threat Awareness Review
How to spot an Insider Threat?
• Living beyond one’s means
• Exhibiting exploitable behaviors
  - Drug or alcohol issues
  - Financial difficulties
  - Complaints about pay or work conditions
  - Anti-USG comments
  - Loyalty to foreign interests
Insider Threat Awareness Review
Snowden isn’t a typical Insider Threat
• Most Insiders betray their employer after becoming disgruntled or developing financial problems
  - Then become vulnerable for recruitment by a FIS
• He obtained BAH IT System Administrator position with the sole intent of accessing and leaking NSA classified docs
Questions?