Yesterday, Kenneth Courtney pleaded guilty to defrauding at least 12 companies out of $4.4 million while posing as a deep cover Central Intelligence Agency (CIA) operations officer involved in a highly classified task force, “Alpha214.” In the conduct of his criminal endeavor, Courtney was able to con his way into a number of U.S. government contractors’ classified Sensitive Compartmented Information Facilities (SCIFs), where he held “secret” meetings to discuss the CIA’s ostensible national security needs.
He was able to maneuver himself into the National Institutes of Health (NIH), convincing them that he needed their support to provide cover for his “CIA employment.” Once within the NIH Information Technology Acquisition and Assessment Center (NITAAC), he attempted to manipulate contracts toward his victims and their companies.
Let’s look into Courtney, his motivation, the con itself, Operations Security (OPSEC) lessons learned, and what’s next for Courtney.
Profile of a cia poser
Garrison Courtney (and his plethora of variations and aliases) claimed to the public to be a communications specialist and worked for the Drug Enforcement Agency (DEA) as chief of public affairs (2005-2009) and as the communications director and chief of staff for Rep. Katherine Harris from 2004-2005.
In his LinkedIn profile, he describes himself as an “Experienced Communications Specialist with a demonstrated history of working in the marketing and advertising industry. Skilled in Search Engine Optimization (SEO), Crisis Communications, Corporate Communications, Strategic Media Relations, and Marketing Strategy. Strong media and communication professional with a Bachelor of Arts -BA focused in Broadcast Journalism from University of Montana.”
Interestingly, he also claimed to have been a producer for TMZ following his departure from DEA. Nowhere is there a reference to the CIA; nor would you expect it, given his con. Courtney was never employed by the CIA, though court documents indicate he applied in 2005 and was extended a conditional offer which expired in 2007. He apparently opted to join the DEA.
Motivation for the scam
A deeper dig into Courtney’s life reveals that in March 2014 he was in financial trouble. He owed creditors almost $700,000, while having assets totaling less than $5,000. Among those creditors were his ex-spouse, to whom he owed more than $60,000 in child support; the Internal Revenue Service (IRS) was owed $11,245; a breach of contract civil judgement in the amount of $119,051 to one Virginia lawyer and another $260,000 to another Virginia law firm. In July 2014, he closed out his bankruptcy claim, having settled all debts.
His motivation? Financial insolvency.
Courtney repeatedly tried to be more than he was, and financially augured himself into the ground. He would borrow from Peter to pay Paul, as he borrowed and obtained funds.
The Con – Insider Threat
Beginning in 2012, with apparent success coming mid-2014, Courtney began his con of his friends, acquaintances, and a myriad of defense and intelligence contractors.
His story lassoed the public-private partnership mantra nicely.
He approached companies, and through his use of inside-baseball type jargon of the intelligence community, he duped various companies into believing his story – the need for the company to hire him in support of a special task force.
The mission of the fictitious task force depended upon who was listening. They ran the gamut from supporting special operations operating covertly abroad to providing goods and services to various departments and agencies within the U.S. government.
The hook: he was supposedly working to fix the problem of insiders who publicly disclosed classified information. The man wove his way through companies with promises of future contracts and reimbursements to victims with the funds obtained from other victims – a Ponzi scheme indeed.
Clearly Facility Security Officers (FSO) at some of the victim locales dropped the ball, as Courtney was able to bluff his way into their SCIFs for those classified discussions. The court documents note: “Courtney was using the location of a SCIF to perpetuate the illusion that he was a covert intelligence officer and that the supposed classified program was real, and to prevent his victims, intended victims, and other individuals from speaking openly about and thereby discovering, Courtney’s fraud.”
He would also have a no-device policy when meeting. Searching his victims for electronic devices, a means to both bolster his make-believe intel officer story, while also reducing the odds that there would be a material record of his antics.
He had his victims perform a variety of seemingly counterintelligence/counterespionage countermeasure steps to keep the task force efforts secret. These included conducting surveillance detection runs, using encrypted devices for communications with Courtney, and adjusting their social media cadence and content. All of this was designed to build the credibility of the story behind the con.
When one victim questioned and pushed back on Courtney’s tale, Courtney countered with an allegation that the individual was under suspicion as an Iranian asset and how his cooperation would assuage those looking at the victim with a jaundiced eye. Courtney had one goal and only one goal. He wanted their money.
The court documents identify the victims, the services they provided to various agencies and departments within the U.S. government, and the amounts which they were bilked.
- Company A – Reston, VA – Provides information technology program management services, cybersecurity support, data analytics, and other services. Courtney worked for this company.
- Company B – Herndon, VA – Provides security services – $108,500.
- Company C – Maryland – network services, storage solutions, and enterprise application development – $352,291.
- Company D – Alexandria, VA – application systems development – $348,307.
- Company E – Herndon, VA – systems engineering and integration, cybersecurity, data analytics – $314,826.
- Company F – Gainesville, VA – information technology and intelligence consulting services – $203,422.
- Company G – Alexandria, VA – cyber, information technology, contingency planning and training services – $226,545.
- Company H- Ashburn, VA – security support services, data centers solutions and other services – $37,500.
- Company I – McLean, VA – cloud computing and cybersecurity services – $265,373.
- Company J – Illinois – Valued added reseller – $341,998.
- Company K – Vienna, VA – management, engineering and information technology services – $154,777.
- Company L – Arlington, VA – a not-for-profit organization which provides scientific and engineering research services – $194,828.
- Company M – Herndon, VA – identified in media Capefirst Funding an investment financing firm – $1,933,500.
OPSEC Lessons Learned
Courtney filleted the basic tenets of OPSEC of his victims both on an individual level, as well as, company level.
The public-private partnership coupled with the insider threat remediation was an easy sell within a community whose life’s blood flowed from the former and whose future relied on managing the insider threat to the secrets which they retain and maintain in their classified work. Where the companies failed was in their due diligence.
Courtney was in financial crisis. A ten second review of public records revealed his 2014 bankruptcy filing and then retraction. Who goes from $5,000 in assets to having over $700,000 in assets in three months without winning the Lotto?
Additionally, it would appear that no national security clearance database checks were made by FSOs at various contractor facilities prior to allowing Courtney access – a check which would have made mincemeat of Courtney’s con in minutes.
The victim who was threatened by Courtney with the Iranian spy accusation should have pushed back, while reaching out to the nation’s counterintelligence entity, the FBI, to get the straight story – which didn’t exist.
The Courtney case should be an OPSEC case study for every FSO.
Greed and financial distress continue to serve as prime motivators for individuals to break trust as evidence by Courtney.
What’s Next for Courtney
According to his plea agreement, Courtney is looking at up to 20 years in prison and must make restitution to the aforementioned companies. Sentencing is scheduled for October 23.