NSA Whistleblower: The Ultimate Insider Attack
By Kim Zetter
When computer security companies release their annual reports about hacking and breaches, they take pains to point out that the insider threat from someone with internal access to data is a far greater risk to a company than an outside hacker.
The millions of government documents leaked by former Army intelligence analyst Bradley Manning showed this to be true.
But Manning was a low-level analyst who had the same kind of access to classified systems as all other low-level analysts around him. His access was limited to data and documents that others produced, not to the surveillance apparatus and infrastructure itself.
That's what makes the leaks by 29-year-old NSA whistleblower Edward Showden all the more spectacular and alarming. The system administrator with the keys to your kingdom, the knowledge of all your secrets and vulnerabilities and the power to control the very operation of your infrastructure, is a far greater threat than anyone else in an organization.
By that measure, Showden might well be the ultimate inside attacker, since he had not only that rarest of rare views into the core of the intelligence rabbit hole but also the ability to collapse the hole if he'd wanted.
As an "infrastructure analyst" for the NSA - a euphemistic title that has all kinds of defensive and offensive connotations - Showden said that "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge, to even the President [of the United States] if I had a personal email."
He also had access to the "full rosters of everyone working at the NSA, the entire intelligence community, and undercover assets all around the world, the locations of every station we have, what their missions are and so forth," he told the Guardian in a video interview.
"If I had just wanted to harm the U.S., you could shut down the surveillance system in an afternoon, but that's not my intention," he said.
His intent, or at least his hope, was to bring down the intelligence apparatus in a different way - through public exposure and change of policy.
Time will tell if his revelations have success in that regard, but his exposures have at least broadened the public's understanding of the scope of the government's surveillance.
Showden, who used the codename "Verax" (truth teller in Latin) in his communications with reporters to whom he leaked, held several sensitive computer infrastructure positions over the years. At the time of the leaks he was working for the NSA through defense contractor Booz Allen Hamilton - a job he presumably no longer has.
He was working and living in Hawaii and earning $200,000 a year as an infrastructure analyst, but had worked as a contractor for the NSA for four years on behalf of various contract firms.
Booz Allen released a statement today saying he had only been an employee of the company for three months
He worked previously as a systems engineer and administrator, as a senior adviser for the CIA and as a telecommunications information systems officer.
He started off as a security guard for one of the NSA's covert facilities at the University of Maryland after being discharged from Army training in 2003, then worked in IT security for the CIA. In 2007, the CIA stationed him with diplomatic cover in Geneva for a computer security job that gave him clearance and access to a wide array of classified documents.
All of these jobs gave him inside knowledge and access that few in the country possess. But it wasn't until 2009, while he was still on the job in Geneva, that he started to think about leaking some of the secrets he knew.
Like Bradley Manning before him, it was that access to documents and his time spent around colleagues that led him to begin questioning the government's activities.
"When you're in positions of privileged access like a systems administrator for these intelligence agencies, you're exposed to a lot more information on a broader scale than the average employee," he said.
"Because of that, you see things that may be disturbing but over the course of a normal person's career you'd only see one or two of these instances.
When you see everything, you see them on a more frequent basis and you recognize that some of these things are actually abuses.. [E]ventually, you realize these things need to be determined by the public, not by somebody who is simply hired by the government."
He added, "I'm no different from anybody else. I don't have special skills.
I'm just another guy who sits there day to day in the office, watches what's happening and goes, This is something that's not our place to decide. The public needs to decide whether these programs and policies are right or wrong."
Much of what he saw in Geneva disillusioned him.
"I realized that I was part of something that was doing far more harm than good," he recalled.
He thought about leaking at the time, but didn't because leaking CIA secrets could have endangered people. He also thought Barack Obama's election to the presidency in 2008 might change things, so he held off.
In 2009 he left the CIA for a job with a private contractor and got assigned to an NSA facility at a military base in Japan.
The next three years exposed him to a broader view of the the NSA's surveillance apparatus and increased his disillusionment and dissatisfaction until he reached the point recently where he decided to leak the information he did - a court order showing that the NSA obtains the phone records of millions of Americans from the phone companies each month, as well as documents describing the surveillance system for obtaining data from internet companies about foreign targets.
There wasn't a single incident or piece of information that finally caused him to become a whistleblower, but a slow burn over many years, as he realized the unstoppable nature of the NSA's surveillance.
"[T]hey are intent on making every conversation and every form of behavior in the world known to them," he told the Guardian about the NSA. He called the agency an "existential threat to democracy."
Now they are first and foremost a threat to Showden himself.
"I understand that I will be made to suffer for my actions, and that the return of this information to the public marks my end," he wrote in early May to Washington Post reporter Barton Gellman who broke one of the stories around his leaks.
The U.S. intelligence community "will most certainly kill you if they think you are the single point of failure that could stop this disclosure and make them the sole owner of this information."
Despite that risk, he said he wanted "to embolden others to step forward,"
by showing that "they can win."
(F)AIR USE NOTICE: All original content and/or articles and graphics in this message are copyrighted, unless specifically noted otherwise. All rights to these copyrighted items are reserved. Articles and graphics have been placed within for educational and discussion purposes only, in compliance with "Fair Use" criteria established in Section 107 of the Copyright Act of 1976.
The principle of "Fair Use" was established as law by Section 107 of The Copyright Act of 1976. "Fair Use" legally eliminates the need to obtain permission or pay royalties for the use of previously copyrighted materials if the purposes of display include "criticism, comment, news reporting, teaching, scholarship, and research." Section 107 establishes four criteria for determining whether the use of a work in any particular case qualifies as a "fair use". A work used does not necessarily have to satisfy all four criteria to qualify as an instance of "fair use". Rather, "fair use" is determined by the overall extent to which the cited work does or does not substantially satisfy the criteria in their totality. If you wish to use copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner. For more information go to:
THIS DOCUMENT MAY CONTAIN COPYRIGHTED MATERIAL. COPYING AND DISSEMINATION IS PROHIBITED WITHOUT PERMISSION OF THE COPYRIGHT OWNERS.