Joshua A. Schulte is a former employee of the Central Intelligence Agency’s Center for Cyber Intelligence where he was employed as a programmer, who specialized in offensive cyber operations. He was sentenced on February 1 by Federal Judge Jesse M. Furman to 40 years in prison. Schulte’s crimes included espionage, computer hacking, contempt of court, making false statements to the FBI, and child pornography. Schulte’s theft of classified information is the largest data breach in the history of the CIA, and his transmission of that stolen information to WikiLeaks is one of the largest unauthorized disclosures of classified information in the history of the U.S.
Court commentary
Judge Jesse M. Furman noted Schulte’s complete lack of remorse, indeed he highlighted his combative nature throughout the entire trial process, and his demonstrated desire to inflict harm upon those he believed to do him wrong. Schulte’s motivation for leaking the offensive cyber capabilities of the United States was revenge. He believed himself to have been treated unfairly and decided that secrets he had access to were fair game. Like Snowden, he too used the credentials of others to expand his ability to gain access to secrets beyond his remit. In addition, when granted administrator status, he was found abusing those privileges.
In April 2016, the court tells us, “On April 20, 2016, after other developers had left the CCI office, SCHULTE used his secret server administrator session to execute a series of cyber-maneuvers on the CIA network to restore his revoked privileges, break in to the backups, steal copies of the entire CCI tool development archives (the “Stolen CIA Files”), revert the network back to its prior state, and delete hundreds of log files in an attempt to cover his tracks. SCHULTE’s theft of the Stolen CIA Files is the largest data breach in CIA history.”
In addition to espionage, there were the gigabytes of illegal images of children (pornography) which Schulte maintained on his personal computer at his residence. Indeed during discovery, when he was ordered not to manipulate the computer, he created a 15 gigabyte hard drive and loaded more images to it.
There were letters of support provided to the court and the CIA provided a classified document and an unclassified letter to the court describing the depth of the damage which occurred at Schulte’s hand. The classified letter, according to the Judge, placed the cost of Schulte’s compromise at more than $300 million. In addition, to revealing the classified capabilities of the United States in the cyber domain, Schulte’s revelations “profoundly damaged the CIA’s ability to collect foreign intelligence against America’s adversaries; placed CIA personnel, programs, and assets directly at risk.”
Judge Furman acknowledge the family’s letters of support, and noted that they spoke of him as a patriot, yet ignored what Schulte did. Clearance Jobs has reviewed the letters from family, they were indeed poignant and heartfelt. Judge Furman noted that there is a lot the family was unaware of concerning Joshua Schulte. Judge Furman , then reminded all, that the public must be protected from Schulte. While the judge opted not to impose the life sentence which had been requested by the prosecutors and instead acknowledged the six years of Special Administrative Measures were harsh and justified the decision.
U.S. Attorney for SDNY
USA Williams commented at the sentencing, “Joshua Schulte betrayed his country by committing some of the most brazen, heinous crimes of espionage in American history. He caused untold damage to our national security in his quest for revenge against the CIA for its response to Schulte’s security breaches while employed there. When the FBI caught him, Schulte doubled down and tried to cause even more harm to this nation by waging what he described as an ‘information war’ of publishing top secret information from behind bars. And all the while, Schulte collected thousands upon thousands of videos and images of children being subjected to sickening abuse for his own personal gratification. The outstanding investigative work of the FBI and the career prosecutors in this Office unmasked Schulte for the traitor and predator that he is and made sure that he will spend 40 years behind bars – right where he belongs.”
Lessons from the Schulte case
There are two immediate teachable moments which come from the Schulte saga, with respect to how insider risk management has evolved and must continue to evolve.
- Continuous vetting: The court records and testimony detail how Schulte had continuous run-ins, where he pushed the boundaries of the internal rules and regulations designed to keep the CIA’s secrets, secret. These events, including those which resulted in reprimands to Schulte, may in hindsight, have been the missed opportunity to remove Schulte’s access.
- Least privileged access: Schulte manipulated devices and access, was caught, but wasn’t shut down. His ability to acquire the digital files which comprised the “largest data breach in CIA history” required his access be greater than he was authorized. Clearly some 8 years later, process and procedures have changed and the move to zero trust mindset will make a repeat of the Schulte theft by another difficult. Yet, if individuals are allowed access to information for which they don’t have authority for the sake of convenience, we should not be surprised if history repeats itself.
