Gregory Allen Justice found out when he was arrested for what the Federal Bureau of Investigation called in their filed criminal complaint: probable cause of Economic Espionage, violation of the Arms Export Control Act, and violation of the International Trafficking in Arms Regulations (ITAR).  Justice found out just how adroit the FBI, working with the Air Force Office of Special Investigations (AFOSI), can be when working an espionage case.

Breaking Trust

Justice allegedly broke trust with his employer, a cleared defense contractor (who, according to his father is Boeing Satellite Systems). He is alleged to have reached out to the Russian Embassy in Washington, DC to volunteer his services in late 2015.

His first attempt at contact involved sending a letter, followed by a brief phone call to the Russian Naval Attaché within the Russian Embassy (Military attaches in embassies, are on occasion associated with military intelligence). This letter, according to the criminal complaint filed in the United States District Court, Central District of California, contained a “technical schematic.”

On February 10, 2016, Justice again called the Russian Naval Attache’s office at the Russian Embassy and asked if there was interest in maintaining contact and obtaining similar things. At that point, the FBI does what the FBI does … then stepped in and provided Justice with all the rope he needed to hang himself.

FBI Covertly Engages Justice

Justice was contacted two days later by an undercover FBI special agent (S/A) who posed as a member of the Russian external intelligence service, the SVR. The S/A picked up the conversation and arranged to meet with Justice.  Over the course of the next few months (February – May 2016), Justice would meet the S/A face-to-face on five occasions. On each of the last four occasions, Justice brought information which was either proprietary or in violation of US export regulations, signed a receipt for cash received from the S/A and volunteer to expand his collection efforts in support of what he believed to the Russian SVR.  (NB: It is not revealed if the Russian intelligence apparatus acted upon Justice’s attempt to volunteer, or if they took a pass.)

Justice explained how all of the information he was providing was “ITAR.” And went on to compare his collaboration with the S/A as just like the “spy movies” of Jason Bourne, James Bond and “The Americans.”  Furthermore, Justice claimed to need money to fund his wife’s medical bills. Readers of the entire criminal complaint will see, while his motivation was financial, it was to fund his relationship with a woman other than his wife, and narcotics distribution. Furthermore, he provided information to the S/A on 16-gigabyte USB thumb drives.

Insider Threat Program

The cleared defense contractor had in place a robust insider threat program. The program detected in November 2015, Justice coping a number of files to an external device, and then provided confirmatory information to the FBI/AFOSI on the information which Justice would purloin prior to each meeting with the S/A.

What was at risk

While Justice did not have access to classified programs, he did have access to the following satellite system programs:

  • Wideband Global Satellite Communication (WGS)
  • Global Positioning System (GPS)
  • Geostationary Operational Environmental Satellites (GOES)
  • Tracking and Data Relay Satellite (TDRS)
  • Milstar Communications Satellite (MILSTAR)
  • Tangential access to additional programs
    • INMARSAT
    • MEXSAT
    • GPS IIF

infosec Training

Furthermore, as a cleared defense contractor, one would expect there to be a comprehensive cyber and counterintelligence briefing and training program, and there was.  Justice’s training folio showed he had taken a variety of courses.

  • Information Security 2015 (July 10, 2015)
  • Intellectual Property for Engineers and Technologists (July 10, 2015)
  • Threat Management Training for Employees (July 9, 2015)
  • Trade Secrets and Proprietary Information (July 9, 2015)
  • Enterprise US Export Awareness Overview (July 9, 2015)
  • Information Security 2014 (June 25, 2014)
  • 2014 Ethics Recommitment Training (May 6, 2014)
  • Enterprise US Export Awareness Overview (November 27, 2013)

Controls to prevent a leak

The cleared defense contractor had in place a data loss prevention (DLP) monitoring program and as noted above, found Justice downloading data to a USB device. In addition, the resident DLP monitoring program captures screen shots of Justice’s computer, at a cadence of approximately every six seconds. In addition, when an external medium, such as an USB drive is inserted into a laptop/desktop, the system prompts to encrypt the data.

Physical access procedures were also in place at the cleared defense contractor’s facility.  To enter the building, Justice is required to display a badge to a guard or enter through a badge-controlled gate. In addition, access controls exist at Justice’s specific work area, via a badge swipe.  In order to access his work station, Justice was required to insert his badge and enter a pin (description fits that of a Common Access Card functionality). Access controls on specific data sets required a re-authentication by Justice in order to garner access. Furthermore, within the contractor’s IT system, when entering the collaborative data sets environment, all data is clearly marked and delineated as proprietary and/or requiring compliance with export controls.

Summation – Trust but verify

Justice broke trust. The contractor’s DLP system identified his accessing and copying files to external devices. It is unclear from the criminal complaint if this actionable information was of sufficient caliber to warrant action or if the action occurred only after the FBI/AFOSI arrived on the scene post-Justice’s volunteering his services to the Russian intelligence apparatus.

Entities with insider threat programs are challenged with both the potential for a mountain of false-positives, as well as determination of what level of activity warrants action.  Each program will be different, but having access to the data, for archival review should be mandatory. The rationale, today’s actions may appear mundane and low-risk, but when added to additional pieces of data, which may also appear to be innocuous and of low-risk, creates a more complete picture of the mosaic of the risk being presented by the employee breaking trust.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com