The case of Harold Martin, a contractor employed at the National Security Agency (NSA), continues to provide textbook examples of how an insider threat becomes a reality. We asked earlier this month if Martin’s case was one of hoarding or espionage. It would appear that it is both. He was hoarding for more than two decades and the depth of his activities violates the Espionage Act.
Martin, via his attorney, requested that he be released pending trial. The Department of Justice (DOJ) successfully argued against. The rationale for the DOJ opposing Martin’s release was multifaceted.
The DOJ articulated within their Order of Detention request how Martin had self-admitted mental health issues, including suicidal thoughts. Authorities discovered ten weapons his wife wasn’t aware of. In addition, they noted Martin’s history of alcohol abuse. They characterized Martin as highly intelligent. The knowledge he possesses puts the nation at risk.
Accompanying the standard form was a supporting 12-page document providing further explanation on how over a period of 20 years, from 1996 to 2016, Martin broke the “trust by engaging in wholesale theft of classified government documents and property.” The DOJ calls Martin’s actions, “breathtaking in its longevity and scale.” Furthermore, DOJ indicates the indictment of Martin will include espionage charges.
What did Martin hoard?
Massive amounts of information. In addition to the thousands of pages of documents, the FBI seized dozens of computers and digital storage devices. The conservative estimate is they contain over fifty terabytes of information (50 terabytes = 50,000 gigabytes; one gigabyte is space for approximately 10,000 pages of documents/images). The hard copy documents included six full banker boxes of documents, with various classifications, including Top Secret with special handling caveats.
Martin not only purloined documents, he also kept handwritten notes on the sources and methods of NSA’s classified operations. Martin’s notes were, according to the government filing, written for an audience outside of the United States’ Intelligence community.
Disturbing to all is how Martin managed to exceed his natural access and acquire documents on classified operations about which he did not have a need to know. The court filing provides a specific example: a highly compartmented operation in which Martin had no direct involvement and had “no need to know.” More troubling is the fact that Martin’s career has had him employed by multiple companies as a contractor to the NSA.
The Insider Threat
Interestingly, the DOJ pointed the hearing judge’s attention to the Insider Threat training on national security and protection of classified information which Martin received. The filing described how, as a trusted insider, he was in a position to defeat the defenses in place to protect classified information. The DOJ also explained that the release of the criminal complaint would attract new hostile intelligence service interest in Martin. Others under the watchful eye of the FBI have slipped surveillance and made their way to a hostile intelligence service. The escape of Edward Lee Howard to Russia still stings.
Anger or resentment as a motivator
Martin holds advanced degrees and is a PhD candidate in information security management. He was not a happy colleague. In 2007, 11 years into his hoarding activity, he wrote a chilling note to his co-workers about the state of infosec in the workplace and went on to characterize his colleagues as clowns.
Well, for one thing, I’ve seen pretty much all your tech secrets wrt regard to compusec. Thanks. You made me a much better infosec practitioner. In exchange, well, I gave you my time, and you failed to allow me to help you . . . You are missing most of the basics in security practice, while thinking you are the best. It’s the bread and butter stuff that will trip you up. Trust me on this one. Seen it. . . . Dudes/Dudettes, I can’t make this any plainer . . . Listen up . . . ‘They’ are inside the perimeter. . . I’ll leave you with this: if you don’t get obnoxious, obvious, and detrimental to my future, then I will not bring you ‘into the light’, as it were. If you do, well, remember that you did it to yourselves.
One need only look back at the cases of the FBI’s Robert Hanssen or the CIA’s Aldrich Ames to see instances of individuals who harbored anger or resentment toward their colleagues and employer. They viewed themselves as unrecognized for their intelligence and professional acumen, and set out to prove their colleagues wrong. One can deduce, based on the above note, that Martin clearly thought himself of superior knowledge to his colleagues.
Insider Threat Program Failures?
As the saga of Harold Martin continues to play out, all who handle sensitive information need to be asking themselves many questions.
- Would our insider threat program have detected Martin’s anger?
- Would his letter of 2007 have been explained away as Harold being cynical? After all, who hasn’t heard a colleague complain?
- Was his alcohol abuse known, yet ignored?
- How did he, while employed by many different entities, exceed his natural access to classified materials without detection?
- How was he able to remove the mountain of materials?
- How was he able to move 50,000 gigabytes of information without a SIEM (security information and event management) or DLP (data loss prevention) or any other insider threat monitoring system detecting the activities of this user?
These are all questions which are germane to the Harold Martin damage assessment, but more importantly, these are all questions every insider threat program must ask itself. A Martin could be within its ranks today.