Four years ago today, Harold Martin, a former NSA contractor, was sentenced to nine years in prison for squirreling away classified materials he purloined from the NSA and other members of the intelligence community over the course of his 20-year contractor career. Imagine the surprise on the face of the FBI special agent who, while searching Harold Martin’s residence for classified materials, found a suitcase full of secrets and then discovered that the suitcase was but the tip of a 50-terabyte-plus iceberg.
So Much Classified Information Stolen
The air is stolen from the lungs of every insider risk management practitioner at the idea that a trusted insider can exfiltrate, over the course of 20-plus years, thousands of hard-copy documents and more than 50 terabytes of classified information in digital format. That the individual could do so without generating an alert that would warrant a closer look is, frankly, spine-chilling.
Chilling, given that one terabyte is equal to 50,000 gigabytes and one gigabyte is approximately 10,000 pages of documents. Add to the mix that it was not a secret that Martin was an unhappy camper.
The Writing on the Wall Was Clear
Reading the court documents and his own diatribes, there is no doubt this was a troubled individual who was not happy with his lot in life and not at all happy with his relationship with the entity which contracted his services, most recently the NSA. This note was sent by Martin in 2007.
“Well, for one thing, I’ve seen pretty much all your tech secrets wrt regard to compusec. Thanks. You made me a much better infosec practitioner. In exchange, well, I gave you my time, and you failed to allow me to help you . . . You are missing most of the basics in security practice, while thinking you are the best. It’s the bread and butter stuff that will trip you up. Trust me on this one. Seen it. . . . Dudes/Dudettes, I can’t make this any plainer . . . Listen up . . . ‘They’ are inside the perimeter. . . I’ll leave you with this: if you don’t get obnoxious, obvious, and detrimental to my future, then I will not bring you ‘into the light’, as it were. If you do, well, remember that you did it to yourselves.”
Are these the words of a well-situated employee or contractor? Not by a long shot. It would be almost nine years later that Martin was confronted and his hoarding of classified information discovered.
When an individual makes clear that they are angry and resentful, and is putting forward ‘plain as day’ challenges, then perhaps a conversation or two is in order. He thought himself smarter than his colleagues, and he set out to prove it.
Questions to Consider
Reviewing the Martin case causes us to ask some pointed questions. ClearanceJobs asked these questions in 2016; they remain apropos in 2023.
- Would our insider threat program have detected Martin’s anger?
- Would his letter of 2007 have been explained away as Harold being cynical? After all, who hasn’t heard a colleague complain?
- Was his alcohol abuse known, yet ignored?
- How did he, while employed by many different entities, exceed his natural access to classified materials without detection?
- How was he able to remove the mountain of materials?
- How was he able to move 50,000 gigabytes of information without a SIEM (security information and event management) or DLP (data loss prevention) or any other insider threat monitoring system detecting the activities of this user?
How are things at your entity?