19 October 2016

The Spy We Forgot

YUDHIJIT BHATTACHARJEE
October 13, 2016

Over the past six years, the United States intelligence community has taken two powerful punches from insiders — the first from Pfc. Bradley Manning of the Army (now Chelsea Manning) and the second from the National Security Agency contractor Edward J. Snowden, both of whom leaked thousands of classified documents. The news this month that another N.S.A. contract employee, Harold Martin III, removed a large volume of classified information from the agency shows that the government is still struggling to keep its secrets safe.

These security breaches may have caught the government by surprise, but intelligence officials have no excuse for being shocked. They were forewarned about the vulnerability of digital secrets a full 16 years ago by the actions of a little-known traitor named Brian Regan. A signals analyst at the National Reconnaissance Office — an agency responsible for managing the country’s spy satellites — Mr. Regan pulled off a heist of more than 20,000 documents containing top-secret satellite images and reports, which he tried to sell to Iraq and Libya.

Because Mr. Regan was caught before he could transfer secrets to an enemy, his case ended up as a mere footnote in the annals of American intelligence. To this day, his name remains unknown even to many in the intelligence community. But had the lessons of Mr. Regan’s case been heeded, the United States’s secret information would be far more secure.

Mr. Regan was a signals analyst in the Air Force who received praise for his work during the 1991 Persian Gulf war before being assigned to the satellite agency in 1995. In the late ’90s, faced with a mountain of credit card debt, he formed a plan to commit espionage. He had a top-secret security clearance and access to Intelink, a classified network of servers that functions as the intelligence community’s own internet.


Mr. Regan began browsing content that went far beyond his assigned responsibilities. Through 1999 and early 2000, he looked at a diverse selection of images and intelligence reports — a profile of a Libyan general, the United States’ ability to destroy military sites hidden deep underground, an adversary’s handbook for conducting biological warfare.

His surfing sessions became longer and more frequent, but they went unnoticed by security officials at the agency. He made numerous visits to the printer and copier rooms, using his badge to enter and leaving a suspicious electronic record, but nobody bothered to look. By the summer of 2000, he had smuggled thousands of pages of classified information out of the agency’s building.

Mr. Regan sent coded letters to the governments of Libya and Iraq, offering the secrets for $13 million, but he found no takers. Despite the precautions he took to remain anonymous, the F.B.I. discovered one of his letters, which was riddled with spelling errors later linked to Mr. Regan’s dyslexia. F.B.I. agents identified Mr. Regan as a suspect by the spring of 2001 and arrested him two weeks before 9/11.

Since there was ultimately no damage done to national security, and because Mr. Regan’s arrest and conviction happened at a time when the United States was intensely focused on counterterrorism, not domestic espionage, the government appears to have overlooked the lessons that should have been learned from the partial success of his plot.

The satellite agency, for its part, did take the episode to heart: It made improvements to the security of its systems, tailoring employees’ access to Intelink in accordance with the requirements of their specific jobs and strengthening the overall monitoring and auditing of Intelink activity. But from what Ms. Manning and Mr. Snowden were able to do at other agencies, it is evident that the broader intelligence community failed to put adequate safeguards in place.

If anything, Ms. Manning and Mr. Snowden had it easier: They didn’t have to print anything out. Ms. Manning copied files onto a disc. Mr. Snowden is believed to have downloaded information onto thumb drives. The N.S.A.’s intranet proved to be even more vulnerable than Intelink, because Mr. Snowden was able to erase or alter the log files tracking his access, pilfering data without leaving a signature that could be traced back to him. The N.S.A. still doesn’t know for certain the entire scope of information that Mr. Snowden may have taken. Yet the technology to prevent the kind of tampering he did to cover his tracks has been around for some time.

Why wasn’t such technology used? It’s hard to know for sure, but the fact that the intelligence community is less publicly accountable than other government agencies, as well as the pride the community takes in its vetting of potential employees, presumably played a role.

Many Americans may be glad that the intelligence community didn’t have adequate security measures in place to prevent the Manning and Snowden disclosures, which may have been necessary for lifting the veil on questionable government policies and surveillance programs. But the loopholes that Ms. Manning and Mr. Snowden exploited can be just as easily exploited for committing traditional espionage, as Mr. Regan showed.

Plugging the gaps that have been already discovered won’t be enough. New chinks are sure to appear in our continually advancing digital age. A recently emerging concern, for example, is that Bluetooth devices could be used to snag and transmit information from an otherwise secure network. The agencies entrusted with collecting and storing secrets that help protect the United States can outmaneuver those future threats only if they look back more closely at failures of the past.

Yudhijit Bhattacharjee is the author of the forthcoming “The Spy Who Couldn’t Spell: A Dyslexic Traitor, an Unbreakable Code and the F.B.I.’s Hunt for America’s Stolen Secrets.”
