Just when you thought it was safe to be bored with cybersecurity, along comes an arrest in the case of those pesky Russians hacking at U.S. national secrets.
Except it wasn’t the Russians. It’s a retired Navy lieutenant working for Booz Allen Hamilton at the National Security Agency, the guy whom authorities arrested and charged with the unauthorized and illegal taking of highly classified materials found in his car and at his home.
He didn’t live in Grozny or Moscow, but rather in prosaic Glen Burnie, Maryland, in the landing pattern of BWI. The published reports say Harold Thomas Martin III, affectionately called “Hal” by his lawyer, is suspected of a role in the case of NSA hacking tools ending up for sale by the Shadow Brokers. He’d been in custody for a month before the Justice Department revealed what was going on.
From what we know now, Martin doesn’t appear to be another Snowden, motivated as that uber-thief was by a desire to expose pieces of national security apparatus. We don’t yet know much about Martin’s motivations or why he removed the materials he did. Maybe he just wanted to telework. But the incident is fresh proof that no impermeability of firewall, strength of authentication or level of big data pattern analysis can ever totally protect an organization from those it trusts.
Tough as the security regime is, when it comes to NSA staff, no let-up is permissible.
I mentioned bored. Just this week, the National Institute of Standards and Technology completed a survey showing the emergence of a security fatigue phenomenon. People get worn down by the constant attention to passwords, constant adaptation to security threats, mistrust of most email, fear of being hacked. For organizations, I’m betting the fatigue extends to worrying about the oft-mentioned insider threat. Without trust at some level, no organization short of Stalin’s Kremlin can really function.
Martin had a top secret security clearance. Some half million people are waiting for their clearances while the Office of Personnel Management stands up yet another organization to try to whittle the backlog down. Let’s face it. In a cleared population of several million, someone is going to screw up, whether with nefarious intent or simple carelessness.
Lightning has struck twice in the same spot now — NSA and Booz Allen Hamilton. The company has a large presence in the intelligence community, so it has more potential lightning rods. Cyber incidents have this in common with airline crashes: The obvious causes are well known and have been mostly fixed. The technology rarely suffers catastrophic failure. New causes are more subtle, deeper in the systems and involve human error or wrongdoing like suicidal pilots.
What does a disgruntled millennial with a messianic sense of self-importance have in common with a middle-aged, former Navy officer pursuing a PhD? Who the heck knows. For the NSA, figuring it out is never boring.