
Inside Job: NSA Fails to Stop Another Leaker

Reality Winner Allegedly Used Her Top-Secret Clearance to Search for Russian Intelligence Document
Accused leaker Reality Leigh Winner

For at least the third time in four years, the U.S. National Security Agency has failed to stop a leak of classified material from its network. What's gone wrong, again?


The latest alleged leaker, Reality Leigh Winner of Augusta, Georgia, on the surface fits the profile of the kind of insider threat that U.S. intelligence agencies fear the most: young and, according to her public comments on social media accounts, disaffected with the course of government under U.S. President Donald Trump.

Winner, 25, who worked for a government contractor, is believed to have leaked a five-page document to The Intercept. It published a story Monday describing how the NSA had detected spear-phishing attempts against two voting systems vendors and 122 local election officials. Shortly after publication, the Justice Department announced her arrest, which occurred on Friday. She has been charged under the Espionage Act (see US Contractor Arrested in Leak of NSA Top-Secret File).

Security Clearances

The U.S. intelligence community is sprawling, with 17 agencies and thousands of contractors. It's one of the most powerful surveillance networks in the world, but it's long been realized - especially since the leaks of former NSA contractor Edward Snowden in 2013 - that its girth makes it vulnerable.

Following Snowden's leaks, the U.S. government vowed to tighten controls around sensitive information. It also undertook an extensive review of security clearances, with an aim to ensure employees and contractors did not have access to material unrelated to their jobs.

Still, those efforts are the equivalent of turning an aircraft carrier. According to a report published in April 2015 by the Office of the Director of National Intelligence, the number of contractors and employees with security clearances was still 4.5 million in fiscal 2014, down from 5.1 million a year prior.

'Need to Know'

Winner, formerly an Air Force linguist, worked for Pluribus International Corp. at a facility in Augusta, Georgia. Ironically, the company lists "counterintelligence analysis" as one of its specialties. Winner maintained a top-secret security clearance since January 2013, according to a 15-page affidavit that's part of her federal court file. She'd only been with Pluribus since Feb. 13.

Her security clearance gave her wide access to material. The affidavit goes on to say that the NSA confirmed Winner "had the required access to search for and view the intelligence reporting" but that "the information contained in the intelligence reporting is unrelated to her job duties, and Winner therefore does not possess a 'need to know'."

"Need to know" is a tenet that intelligence analysts are supposed to abide by, but apparently in Winner's case, is tough to enforce. The affidavit says that four days after the report was written, Winner "conducted searches on the U.S. government agency's classified systems for certain search terms, which led Winner to identify the intelligence reporting."

Stopping Leakers

Bruce Schneier, CTO of IBM's Resilient, says leakers are tough to thwart.

"Classified information has to be available to people with clearances so they can do their job," he says. "There's no alternative to that. Once you understand that, you cannot prevent such an individual from revealing that information."

But there were clear, public signs that Winner could potentially be a leaker. Since her arrest, her Facebook and Twitter accounts have been scoured. And it appears that she was not a fan of Trump, according to CNN's analysis of her social media postings. After his election in November, she wrote on Twitter: "Well, people suck. #ElectionNight."

After Trump tweeted about hosting Japan's prime minister and his wife at Mar-A-Lago on Feb. 11, she replied directly to him: "The most dangerous entry to this country was the orange fascist we let into the white house."

But her strong opinions would likely be difficult to pick out given the maelstrom inside the U.S. intelligence community vis-à-vis Trump.

Trump didn't ingratiate himself to the intelligence community after he questioned its conclusion that Russian intelligence sought to influence the U.S. election. The president has repeatedly sought to tamp down the Russia controversy, terming it a "fake news" story. But a special counsel - along with House and Senate committees - is conducting investigations.

Poor Opsec

Although some have accused The Intercept of making it easier for investigators to identify Winner, the affidavit shows that she practiced very poor operational security.

Investigators found that she had emailed The Intercept around March 30 from her personal email address on her work computer asking for a podcast. Prior to her arrest, she allegedly admitted mailing the document to the publication.

The Intercept shared the document with the government to confirm it, but apparently inadvertently failed to obscure clues that helped the investigation. The document had been creased or folded, which investigators believe indicated it may have been hand carried out of a secured space.

The NSA has internal controls that make it possible to figure out who has printed out material. Investigators found Winner was one of six people who printed the document, and she was the only one who had previously emailed The Intercept.

The Intercept also published the document in full, and several clever observers noticed that it still carried the faint yellow-dot forensic tracking matrix. That pattern reveals the date, time and serial number of the printer used to print the material.
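The correlation described above, as an added illustration that is not part of the article: print-audit records (including the printer serial the yellow dots also encode) are joined against mail-gateway records to narrow the set of users who printed a document to those who had already contacted an outside domain. All log lines, user names, document ids and the domain are constructed for the example.

```python
from datetime import datetime

# Constructed sample logs (not real data). Print audit fields:
# timestamp user document_id printer_serial
PRINT_LOG = """\
2017-05-09T10:02:00 analyst1 DOC-42 PRN-7781
2017-05-09T10:05:00 analyst2 DOC-42 PRN-7781
2017-05-09T11:40:00 analyst3 DOC-42 PRN-3310
2017-05-09T13:15:00 analyst4 DOC-17 PRN-3310
2017-05-10T09:01:00 analyst5 DOC-42 PRN-7781
"""

# Mail gateway fields: timestamp user recipient_domain direction
MAIL_LOG = """\
2017-03-30T18:22:00 analyst2 news-outlet.example outbound
2017-05-11T08:00:00 analyst3 news-outlet.example outbound
2017-04-02T12:00:00 analyst5 other.example outbound
"""

def parse_log(text):
    """Parse whitespace-separated records into (datetime, user, obj, extra)."""
    rows = []
    for line in text.splitlines():
        ts, user, obj, extra = line.split()
        rows.append((datetime.fromisoformat(ts), user, obj, extra))
    return rows

def earliest(rows, match):
    """Map each user with a record satisfying match(obj, extra) to the earliest timestamp."""
    first = {}
    for ts, user, obj, extra in rows:
        if match(obj, extra) and (user not in first or ts < first[user]):
            first[user] = ts
    return first

def printers_of(doc_id, print_rows):
    """Everyone who printed doc_id, with their first print time."""
    return earliest(print_rows, lambda doc, _serial: doc == doc_id)

def prior_contacts(domain, mail_rows):
    return earliest(mail_rows, lambda rcpt, direction: rcpt == domain and direction == "outbound")

def correlate(doc_id, domain, print_rows, mail_rows):
    """Users who printed doc_id only after having already emailed domain."""
    printed = printers_of(doc_id, print_rows)
    contacted = prior_contacts(domain, mail_rows)
    return sorted(u for u, t in printed.items() if u in contacted and contacted[u] < t)

if __name__ == "__main__":
    prints, mails = parse_log(PRINT_LOG), parse_log(MAIL_LOG)
    print(len(printers_of("DOC-42", prints)), "printed DOC-42; prior contact:", correlate("DOC-42", "news-outlet.example", prints, mails))
```

The temporal check matters: a user who emailed the outlet only after the print (analyst3 in the sample) is not flagged, which keeps the result as a triage lead rather than a verdict.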

Schneier says the NSA uses many technologies to detect people accessing or copying material unrelated to their jobs. But no system is perfect.

"Look how many people have security clearances," he says. "It's many millions. That there are just a small handful of leakers demonstrates how good the whole process really is."

Govinfosecurity Executive Editor Eric Chabrow contributed to this report.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
