Sometimes being able to say I told you so just isn’t that satisfying. Sometimes it’s downright depressing.
An article by myself and Dr. David Charney appeared over two years ago in the 25 March, 2014 issue of POLITICO Magazine titled “Stopping the Next Snowden.” It argued that the US government’s tendency toward seeking technological solutions to what are more fundamentally issues of human psychology would inevitably result in future cases of the sort of “insider threat” that Edward Snowden so dramatically personified.
We now know that at the same time the article appeared, and for about another two years after that, federal contractor Harold T. Martin, who, like Snowden, was employed by the private firm Booz Allen Hamilton and worked at the US National Security Agency, was allegedly squirreling away top secret documents at his home in Glen Burnie, Maryland. In that same year the internet research company Gartner estimated that global information security spending would increase by 8.2 percent in 2015 to reach a total of $76.9 billion.
Martin was arrested by the FBI on 27 August, 2016. It would appear that all the effort and expense dedicated to creating complex, machine-learning algorithms, using data analytics to detect “anomalous behavior,” and the emergence of an ever-increasing array of new information security software solutions offered by an ever-increasing stable of new IT companies still failed at “stopping the next Snowden.”
Why? An explanation lies in the subtitle of the original article – “The problem isn’t that he could. It’s that he wanted to.”
To be fair, the analogy between Snowden and Martin may be only superficial. Law enforcement and the intelligence community are still investigating Martin’s actions and possible motives, but it would appear at least at this time that Martin’s case may have been more one of ill-conceived and illegal hoarding rather than deliberate leaking of classified information. Time will tell.
Regardless of the deeper motivation, however, the basic scenario was similar. Both men wanted to take classified information out of NSA and both took advantage of their legitimate access to do just that. In the case of Martin, it appears that his activities were not only concurrent with Snowden’s, but continued even after all the post-Snowden “fixes” were put in place. In time we will have a better idea of whether the much-vaunted technological solutions had any effect whatsoever on Martin’s thievery. For now at least, the answer seems to be – not much.
This isn’t to say that plugging the technical and systemic holes that allowed Snowden and Martin to walk away with enormous amounts of information with such apparent ease isn’t necessary. Making an insider thief’s work harder is a worthy effort. Still, whether it’s a burglar, an embezzling company employee, or an insider spy working in government, making a behavior more difficult is not the same as preventing it.
Building higher walls, thicker doors, or more secure systems might reduce the undesirable behavior, but it does nothing toward actually preventing it. Prevention can only come from addressing root causes. In the case of the so-called insider threat, the root cause isn’t the technology itself. The problem lies in the psychology of the person using the technology. Understanding how a person might abuse a system is useful in making it harder for them to do so. To prevent that behavior, though, means making a serious effort to understand why they do.
Our current approach to information security is analogous to going to the doctor with a cold and having him or her tell you, “Your problem is that you have a runny nose and you’re sneezing.” Those are just overt symptoms. The real problem is the virus doing its insidious work deep inside and out of view. Software that monitors overt behaviors, such as anomalous on-line activity or accessing databases without authorization, address the symptoms. However, treating the symptoms is not the same as curing the disease.
Technological solutions can’t prevent the behavior because they don’t address the root cause, which is a mindset that makes the ostensibly trustworthy employee believe that thievery is a plausible, even a desirable option. In the individual’s profoundly subjective view, he or she may view it as the only option. Add to that mindset our remarkable human capacity to rationalize almost any of our beliefs and behaviors, including betrayal of trust, and you have the root cause.
There was a relatively brief time in the mid-1980s when the US government took the issue of spy psychology seriously, dedicating significant resources to research, and creating the Personnel Security Research Center (PERSEREC) in Monterey, California, and the Community Research Center in in Newington, Virginia (aka “Project Slammer”). These efforts focused, respectively, on researching the psychosocial factors involved in actual espionage cases and interviewing incarcerated spies.
Unfortunately, after achieving significant success, these efforts appear to have fallen by the wayside. There are several likely reasons why. They were largely the result of a string of high-profile and very damaging Cold War spy cases, to include Navy Chief Warrant Officer John Anthony Walker and his ring of spies. With the end of the Cold War in the early 1990s, the threat of foreign espionage also seemed to disappear. As recent events suggest, this proved to be a dangerous illusion.
The current focus on cyber espionage and the inside threat to computer systems is also a factor in relegating psychology to a subordinate role. The last time the US government focused on what might be going on in the heads of insider spies, Apple has just introduced the Macintosh and ARPA’s Internet Protocols (TCP/IP) was a dark horse contender for the development of a “global network of networks.” It was easier to focus on the psychology of the insider threat before the technology began to dominate our lives, before the means became more important than the motivation.
Finally, we as Americans simply tend to seek out technical solutions to our most vexing problems. It’s a cultural trait that has often served us well, but we do lose something in the process. Technology is tangible, replicable, and regardless of how mindbogglingly complex, can be reduced to easily explained and objectively verifiable processes. While psychology does offer general concepts that apply to all humans, at the individual level it is subjective, emotional rather than rational, and driven by processes that are invisible to the outside observer and largely obscure to the individual him- or herself.
In other words, delving into the psychology of the insider spy is messy. It doesn’t lend itself to the clear-cut goals and timelines of a government project. It is the antithesis of impersonal, bureaucratic process. Despite the cost, it’s still easier for the government to hire a contractor to develop an item of information security software than to figure out how people think. Still, with all of the advances in cognitive research since the last effort at understanding the mindset of the insider spy, it would seem a worthwhile effort to at least try.
The point of the article two years ago was that technological means of dealing with the insider threat were necessary but certainly not sufficient. Without addressing the mindset of the insider spy – the individual worldview that generates the thought that brings about the behavior that results in acts of espionage – more Snowden-like cases would inevitably arise. No real effort seems to have been taken since that time, and now we have the case of Harold Martin.
It’s depressing to have to say I told you so.