An employee of a government contractor who began work February 13 and received her Top Secret clearance at that time was arrested this week. Around May 9, 2017, Reality Leigh Winner printed and removed a classified intelligence report which had been originated by the NSA.

According to the Department of Justice (DOJ), Winner mailed the classified document to an online news outlet. Coincidentally, on June 5, 2017, an online news outlet, The Intercept, published a classified NSA document which discussed Russian intelligence spearphishing activity associated with the 2016 Presidential election.

How to find a Leak

The discovery of the leaked document was not the result of a robust insider threat program which detected the removal of the classified paper from the facility where Winner worked. No, detection of the removal of the classified materials came about when the news organization contacted the NSA on June 1 to determine the authenticity of the document in their possession. The organization provided a copy of the document to the NSA for authentication.

A quick assessment determined that the document possessed by the news organization was authentic, was classified Top Secret and contained information which “could reasonably result in exceptionally grave damage to national security”. The news organization apparently disagreed, and published the document on June 5, 2017, revealing to the world, and the Russian intelligence apparatus, the U.S. intelligence community’s classified assessment and analysis of the Russian military intelligence organization and the GRU’s role in the presidential election meddling.

How to catch a Leaker

The counterintelligence wheels quickly turned, and a review of all of those who may have had access to the May 5 classified report determined that only six individuals had printed the report. Winner was one of those six. A quick forensic review of the computers utilized by the six individuals showed Winner had been in contact with the news organization, and of the six who printed the document, only Winner had such contact.

Winner was arrested by the FBI June 3 following her admission to having broken trust and violated her oath of secrecy. While Winner goes to jail, as she well should, the NSA and other elements of the intelligence community are in damage control.

No, news outlets don’t have declassification authority

The Intercept had the option of being a responsible entity and turning over the Top Secret report to the US government, but instead opted for their 15 minutes of fame and published the materials. In doing so, they provided to the world the NSA’s classified reporting, which confirmed to the GRU the level of knowledge concerning the GRU’s clandestine activities.

The unilateral decision to “declassify” Top Secret information for clicks and views trumped national security and will make the next iteration of Russian intelligence activity that much more difficult to detect.

Lessons learned

The FBI affidavit in support of the request for an arrest warrant indicates that Winner intentionally printed the report, exfiltrated the printed report out of her office, and mailed the report onward. The affidavit adds that she was able to access these highly classified materials despite her not having a need to know the information contained in the report.

One is forced to ask a number of questions concerning the access afforded to Winner.

  • How was she able to access a sensitive report for which she had no need to know?
  • Why wasn’t the printing of the highly classified document by Winner detected and an alert provided to her employer at the time of the printing?
  • Does the facility at which Winner worked conduct exit inspections of employees?

Mandatory insider threat training exists precisely because of incidents of this nature. May all who handle classified materials and are responsible for the safeguarding of such material take a lesson from this incident.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.