There is a good news, bad news insider risk management story involving espionage percolating out of Foggy Bottom, at the State Department. It was revealed yesterday, that Abraham Teklu Lemma, 50, a naturalized U.S. citizen of Ethiopian descent who was working within the Bureau of Intelligence and Research was charged with espionage.
Good news
Following the arrest and revelation of the how easily Massachusetts Air National Guard Airman Jack Teixeira was able to disclose classified information in an unauthorized manner, the Intelligence Community has been conducting a bit of introspection. State Department Spokesperson Matthew Miller said in a statement, “in mid-April 2023, the Bureau of Intelligence and Research (INR) undertook a self-initiated 60-day Internal Security Review of the Department of State’s Top Secret/Sensitive Compartmented Information (TS/SCI) network, systems, and applications to identify opportunities to strengthen how we safeguard data in the TS/SCI environment. During this review, information was uncovered indicating that a Department of State information technology contractor may have removed, retained, and transmitted classified national defense information without authorization.”
That’s the good news, INR’s review unearthed an insider with natural access, exceeding their brief, accessing information to which they had no need to know and providing it to a foreign power, Ethiopia. The individual acted in a covert manner, did not declare his foreign contacts, and was paid by the foreign power for his efforts and the U.S. secrets.
Bad News
The insider risk management program at the Department of State did not detect the anomalous behavior of Lemma. According to the Department of Justice (DoJ) affidavit.
Lemma had authorized capability to move information in and out of classified systems to unclassified systems at INR. In addition, he had the capability to download information to media (CD/DVD/USB) in accordance with the parameters of his employment at the Department, the help desk within INR. Lemma worked evenings at the Department and during the day at the Department of Justice (we don’t know what, if any, classified materials were pilfered from DOJ).
Indeed, the ensuing investigation discovered Lemma started work with INR in July 2022 and has been engaged, in subterfuge from December 2022 through August 2023 (Teixeira was arrested April 13, 2023) engaged in data mining across the various classified portals to which he had natural access. During his forays, which took place in a SCIF, the affidavit tells us he captured the classified data by doing a simple copy and paste into a Word document. He successfully took information from 133 intelligence reports which he had no need to know. Additionally, he printed and downloaded numerous Secret and Top Secret classified information from intelligence reports while using the Department’s system. No fool, Lemma, cleverly, would remove the classified markings from the data he stole.
He engage with his Ethiopian government contact via an unidentified “encrypted messaging application.” In addition, the affidavit indicates that he provided to this contact direct access to Lemma’s electronic accounts (personal) and that this was suspected to be a surreptitious means by which the two used the “draft message” function to pass information (I.e. two individuals log into the same account and have access to drafts that are never transmitted, thus not showing up on email systems.).
He was paid for his efforts, accumulating more than $55,000 over the course of his period of engagement, to include one deposit more than $10,000 which required Lemma to file a Currency Transaction Report with his bank, an act which caused a good deal of perturbance for Lemma.
In August 2023, it appears from the affidavit that Lemma was placed under surveillance as part of the espionage investigation, and he was observed accessing non-Department classified portals and making notes about what he was writing numerous times. He also was observed creating unclassified CD’s (green labels) on which he had placed Top Secret information he had copied. Those observing Lemma noted that he took the notes and CD’s to his residence in Maryland.
Changes in handling of classified information at State Department
Lemma has been neutralized, and Ethiopia’s pipeline of information from the U.S. intelligence community halted. The concept of least privileged access failed.
What is clear and repeatedly highlighted throughout the affidavit is that Lemma was accessing and capturing information from both the Department’s classified network, as well as the classified networks of other members of the intelligence community, for sharing to an unauthorized individual/entity and if it set off an alarm, it wasn’t acted upon.
In addition, Lemma held a Top Secret/SCI clearance; he would have been required to file travel reports. The question hanging, “Was he debriefed on his foreign contacts following his foreign travel.” Was there a demeanor hit following the debrief that may have warranted a peak at his internal online access?
As noted by Miller in his statement, the Department has some adjustments to make, “Moving forward, the Department will continue to implement recommendations from the Internal Security Review to strengthen how we provide access to TS/SCI information, enhance continuous security monitoring, and protect sensitive information to minimize the risk of similar incidents in the future.”
