Another NSA Breach Hits Booz Allen. Will Anything Change?
(Bloomberg) -- Booz Allen Hamilton Holding Corp. is once again at the center of a major U.S. intelligence breach. And for the second time in three years, the company known in Washington for its classified contracts and influential alumni will probably face criticism but suffer few consequences.
The disclosure Wednesday that Booz Allen employee Harold Martin, who was contracted to work at the National Security Agency, was arrested for stealing classified data immediately brought up memories of fugitive Edward Snowden. In 2013, Snowden fled his Booz Allen job in Hawaii for Hong Kong and then Russia after stealing and releasing a trove of data on classified U.S. data collection programs.
"Booz Allen is in the incredible position as having offered up the two most unfit contractor employees in recent memory," Charles Tiefer, a law professor at the University of Baltimore, said in an interview.
It’s become “the too-big-to-fail company of the classified secrets world," Tiefer said, supplementing “a hollowed-out government employee workforce” while profiting from “very lucrative taxpayer-funded classified work."
Booz Allen, which drew 97 percent of its $5.4 billion in revenue from government contracts in the last fiscal year, declined 3.7 percent to $29.94 at 1:19 p.m. New York time after Moody’s Investors Service revised its outlook on the company to negative from stable, citing the potential for reputational and financial risk.
It capped a volatile week for the McLean, Virginia-based company, which fell the most in nine months on Wednesday, when news of Martin’s arrest broke, before rebounding on Thursday. As it did at the time of the Snowden breach, Booz Allen said it fired Martin and ‘immediately reached out to the authorities to offer our total cooperation in their investigation.” A government review cleared Booz Allen of any wrongdoing with regard to Snowden.
The company had no additional comment when contacted Friday but pointed to comments made in September 2015 by Art Davis, its director of corporate security.
Speaking at an intelligence conference in Washington, Davis said the company had doubled its spending on security in response to Snowden and adopted a "full-scale counterintelligence program" for employees with access to classified data, according to a report by The Nation. Davis said employees are subject to "continuous evaluation" and if they don’t pass they lose their jobs.
Though the company is sure to review internal procedures to see if it missed any warning signs with Martin, the actual security clearances for contractors handling classified data are typically performed by the government through companies that are supposed to specialize in that task. While Booz Allen received many unflattering mentions in news coverage of Snowden’s massive document leak, scrutiny by the government and Congress quickly focused on the vendor that performed his background check.
Still, Booz Allen “has a separate and distinct duty to vet its employees for fitness, vis-a-vis risks of all kinds, while the government decides on issuing them a clearance," Tiefer said.
So far, there’s no evidence that Booz Allen did anything wrong, and Martin’s attorney has said “there’s no evidence that Hal Martin has betrayed his country.” Martin admitted to investigators that he knowingly took home documents and digital files that contained highly classified
Martin, a Navy veteran who allegedly kept the classified material in his home and car, may have been a hoarder or hobbyist rather than a spy, according to James Lewis, a cybersecurity specialist and senior vice president at the Center for Strategic and International Studies in Washington.
The latest case of purloined classified information is likely to spur a broader review of security for the contractors that intelligence agencies depend on, analysts said.
“Something in the way we treat and mandate information protection needs to be changed,” said Amichai Shulman, co-founder and chief technology officer of cybersecurity company Imperva Inc. “The fact that we have incidents like this in an organization like the NSA just highlights the bigger problem for the entire industry.”
It underscores the need to “enhance employee training, invest in data-loss prevention tools, and implement a formal insider threat incident response plan, among other mitigation measures," said Chuck Alsup, a former intelligence official who’s president of the Intelligence and National Security Alliance, a professional association of current and former national security officials. "Our national security depends upon building, retaining and maintaining a trusted workforce this nation can rely on to carry out this mandate."
White House spokesman Josh Earnest told reporters on Wednesday that the government has taken steps since Snowden’s disclosures to better guard government secrets, including creating a National Insider Threat Task Force to protect against insiders leaking sensitive information and improving background checks. The number of people with access to classified information has been reduced by 17 percent in the last few years, he said.
Booz Allen’s troubles could benefit rivals for government contracts, which include Leidos Holdings Inc., CSRA Inc. and Accenture Plc.
The century-old firm is well-aware its reliance on sensitive government work can be a weakness at times. The required “cautionary note” of risks in its annual filing with the Securities and Exchange Commission cites “any issue that compromises our relationships with the U.S. government or damages our professional reputation, including negative publicity concerning government contractors in general or us in particular.”
While Booz Allen isn’t a household name in most of the U.S., it’s an ingrained part of life in Washington. Contractors are integral to the daily work of intelligence and defense companies, giving agencies the flexibility to bring in extra hands to complete critical work.
Reliance on Contractors
“Many experts believe the federal government’s reliance on contractors is necessary to accomplish its mission, and this is no less true for” intelligence agencies, according to a 2015 report from the nonpartisan Congressional Research Service. “Using contractors is not without risk, however. Depending on the circumstances, an agency could, unknowingly or unintentionally, cede the performance of, or control over, certain agency functions to contractors.”
According to Booz Allen’s regulatory filing, almost 70 percent of the company’s work force of 22,600 hold security clearances. About 30 percent are veterans. James Clapper, the director of national intelligence, is a former Booz Allen executive. The company’s senior executive adviser, Mike McConnell, was President George W. Bush’s director of national intelligence and, before that, director of the NSA.
As the Martin case winds its way through the courts, Booz Allen and its competitors may confront more delays in the already slow process for vetting contractors for intelligence agencies. "This will probably lead to even more backlogs in the clearance process," Lewis said. "What happened to the screening process? Are we doing enough?"
--With assistance from Karen Mielcarek