The cybersecurity expert who hired Edward Snowden for his last job is laying out his lessons learned – but admits it would have been hard to stop the man who spilled some of the National Security Agency’s most closely held secrets.
“Knowing what I knew at the time, I would have hired him again,” Steven Bay, a former cyberintelligence analyst for Booz Allen Hamilton, said today in Seattle at the IEEE Computer Society’s “Rock Stars of Cybersecurity” conference.
“Knowing what I know now, obviously, I wouldn’t,” he added.
Bay said today’s talk marked the first time he discussed his side of the Snowden story in a public forum.
After the story broke, Bay lost his NSA access and had to switch to a different position at Booz Allen Hamilton, which was Snowden’s employer for those crucial few months in the spring of 2013. Bay said he couldn’t talk openly about the case until he left Booz Allen this June. Now he’s the chief information security officer for NuVasive, a medical devices company in San Diego.
‘Nerded out’ at job interview
Snowden’s timeline is well-known by now: After years of working at the CIA, and as a Dell contractor for the NSA, he applied for another NSA contract job in Hawaii with Booz Allen. Bay said he and his office’s technical director interviewed Snowden at a Wendy’s restaurant near the agency’s facilities in Kunia.
“He was a highly technical person,” Bay recalled. “He was very passionate about internet anonymization, as he’s come out and talked about. He claimed to have run two Tor nodes out of his home … and he also claimed to have known a zero day vulnerability within Tor.”
Snowden knew his stuff so thoroughly that Bay said the technical director took over the interview and “basically nerded out for an hour.”
Snowden got the job, and started working as an intelligence analyst at the NSA’s facility in Hawaii at the beginning of April in 2013.
Bay said two red flags came up in the weeks that followed. First, Snowden began asking about a highly classified mass-surveillance program that’s now known to the public as PRISM. Bay had access to the PRISM data, but Snowden didn’t.
Bay didn’t give Snowden access to PRISM, but he did provide him with some data that in retrospect he shouldn’t have. “I shared a little bit too much information,” Bay acknowledged today. He said that’s what caused him to lose NSA access after the Snowden story broke.
A case of epilepsy?
The second red flag popped up when Snowden started coming in late to work, only a few weeks after starting the job. When Bay asked about it, Snowden told him he was suffering from epilepsy.
In response, Bay played the role of a supportive manager. Then, in mid-May, Snowden told him the epilepsy was getting worse and that he’d have to go in for tests on the following Monday and Tuesday. If the results weren’t good, he might have to be out even longer.
Bay said he suggested that Snowden apply for short-term disability, but Snowden told him he didn’t want to bother with the paperwork. “Which made no sense to me … but to each his own. If he wanted to take leave without pay, take leave without pay,” Bay said.
In reality, Snowden wasn’t suffering from epilepsy. Unbeknownst to Bay, Snowden took off for Hong Kong on that Monday, May 20, carrying gigabytes’ worth of NSA data with him.
Bay said he received an email from Snowden the next day, telling him the test results were bad and that he’d have to take more time off work. In a reply email, Bay reminded Snowden to check in with human resources about filing for disability.
“Wednesday night, the next night, he emails me back, and says, ‘OK, sounds good, I’ll get in touch with HR.’ And that was the last I ever heard from him,” Bay said.
Bay tried to check in with Snowden several times afterward, to no avail. At the end of the month, Bay called his boss in Georgia, asking what to do about Snowden’s time sheet. In response, the supervisor alerted NSA’s security team to Snowden’s medical leave and his missing status.
“Thank goodness he did this,” Bay said. “It really protected us at Booz Allen, and myself as well.”
‘I was worried that he was dead’
That was on a Friday. The following Monday, NSA officials told Bay they were on the case. All that week, he and NSA agents went searching for Snowden.
“In my mind, I was worried that he was dead,” Bay said. “I was worried that he had an epileptic seizure of some sort, or a blackout while driving on the island, and he drove off a cliff and killed himself. That’s what I was concerned about. The thought that Ed could be doing any of this didn’t even cross my mind.”
Bay said The Guardian published its first story based on NSA leaks on the Thursday of that week in June. “It was the talk of the agency,” he said. A couple of days later, one of his best friends at work wondered out loud whether Snowden might be involved.
“I thought, ‘No way! There’s not a chance that Ed would do that.’ And I made the comment that that would be my worst nightmare,” Bay said.
The next day – Sunday, June 9 – Bay turned off his phone for a church meeting. When he turned it back on, he faced a torrent of texts. The first text was from his friend, reading: “Sorry, man, it looks like your worst nightmare came true.”
‘Are people going to die over this?’
That’s how Bay found out Snowden was the leaker. Three years afterward, Bay still gets emotional when he remembers the moment.
“I found an empty room at the church, and I broke down,” Bay said. “Every negative thought one could have, I had. There were thoughts of ‘I’m going to lose my job, I’m going to be blamed, I’m going to get fired, I’m going to go to jail, I’m going to be the scapegoat.’ And I started thinking about what this is going to do to NSA, what about all of our undercover agents, what if that sort of information gets out? Are people going to die over this?”
Bay spent most of the rest of the day in meetings with executives at Booz Allen and agents from the FBI. “Surprisingly, the FBI was totally cool,” he recalled. “I was expecting to be in a dark room with a hot light on me. … It was nice to hear, despite all these negative emotions that I felt earlier in the day, that nobody blamed us.”
The days after that were devoted to damage control. Eventually, it came out that Snowden had been planning his moves for several years. The fact that he was skilled in information technology and gained access to classified information made him the ultimate “insider threat,” Bay said.
“I was visiting with the director of NSA Hawaii, and he made the comment that, well, Booz Allen got caught holding the hot potato when the attack went out. That’s pretty accurate,” he said.
“It turns out, as [Snowden] admitted a few weeks later, he targeted our contract directly,” Bay said. “Somehow he figured out that our contract, and what we did on that contract, were the types of gates he needed to get access to.”
American hero or Russian agent?
Today, Snowden is seen as a hero by millions of people opposed to government intrusions and invasions of privacy. An Oliver Stone movie opening this week, titled “Snowden,” casts the whistleblower in a sympathetic light. But as you can imagine, Bay is not a fan.
The fact that Snowden has been given asylum by the Russian government, under the leadership of President Vladimir Putin, leads Bay to say that Snowden is probably colluding with that country’s security services.
“I do believe that Ed has given up the goods to Putin,” Bay said.
Snowden strongly denies making any such deal with Russian intelligence, or handing over any secrets to the Russians. “Everything I had is in the hands of journalists,” Snowden told the BBC last year.
It may take decades for history to render its judgment in the case of Edward Snowden vs. the NSA – but in the meantime, Bay had these pointers to improve cybersecurity:
Remember that insiders are the biggest threat to network security.
Malicious insiders can do the most damage. Some of the countermeasures involve technical controls and on-the-job monitoring – for example, looking for spikes in data traffic leaving the network.
Other countermeasures touch on hiring practices and the principle of “least privilege.” For example, Snowden retained network administrative privileges from a previous position at the NSA, which facilitated his access.
In data-sensitive work environments, removable drives should be disabled if not physically destroyed. (Snowden apparently used his network privileges to get around NSA’s restrictions.)
Most insider breaches are caused inadvertently, and typically involve careless email use and Web browsing at work. Employees should be trained to guard against phishing attacks. Bay recommends conducting drills using fake phishing emails. “Rickroll them, if you will,” he said.
Another potential problem involves unauthorized use of online file-sharing services. Bay recommends blocking access to such sites as Google Drive or Dropbox from corporate networks unless the company specifically uses them for its own purposes.
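Two of Bay’s pointers lend themselves to a concrete check: watching for spikes in data leaving the network, and catching traffic to file-sharing services the company has not sanctioned. The Python script below is an added illustration of both, not code from the article or from Bay’s talk. The log format, hostnames, user names, byte counts, thresholds and domain lists are all constructed assumptions for the example; a real deployment would read proxy or flow logs in whatever format the organization’s tooling produces.

```python
"""Egress-spike and unsanctioned file-sharing detection over constructed flow logs.

Added example; not from the original article or from Bay's talk. The log
format, hostnames, thresholds and domain lists are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines: "<ISO timestamp> <host> <user> <dest_domain> <bytes_out>".
# ws-17 shows a few normal days, then a multi-gigabyte upload to a consumer service.
SAMPLE_LOG = """\
2013-05-13T09:12:01 ws-17 asmith mail.example.com 120000
2013-05-13T11:40:22 ws-17 asmith intranet.example.com 80000
2013-05-14T09:05:10 ws-17 asmith mail.example.com 95000
2013-05-14T13:22:45 ws-17 asmith intranet.example.com 110000
2013-05-15T10:01:00 ws-17 asmith mail.example.com 130000
2013-05-16T21:47:31 ws-17 asmith dropbox.com 4800000000
2013-05-16T22:03:12 ws-17 asmith dropbox.com 3100000000
2013-05-13T09:30:00 ws-22 bjones mail.example.com 90000
2013-05-14T09:31:00 ws-22 bjones mail.example.com 100000
2013-05-15T09:29:00 ws-22 bjones drive.google.com 70000
2013-05-16T09:32:00 ws-22 bjones mail.example.com 95000
"""

# Hypothetical lists: consumer file-sharing domains, and the subset this (made-up)
# company has approved for its own use. drive.google.com is listed as sanctioned
# to show the exception Bay describes.
FILE_SHARING_DOMAINS = {"dropbox.com", "drive.google.com", "wetransfer.com"}
SANCTIONED_DOMAINS = {"drive.google.com"}

SPIKE_FACTOR = 10.0        # flag a day at >= 10x the host's median daily egress
MIN_BYTES = 500_000_000    # ...but only above an absolute floor of 500 MB


def parse_log(text):
    """Parse lines into (date, host, user, domain, bytes_out) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, user, domain, nbytes = parts
        try:
            day = datetime.fromisoformat(ts).date()
            records.append((day, host, user, domain.lower(), int(nbytes)))
        except ValueError:
            continue
    return records


def daily_egress(records):
    """Sum bytes_out per host per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _user, _domain, nbytes in records:
        totals[host][day] += nbytes
    return totals


def egress_spikes(records, factor=SPIKE_FACTOR, floor=MIN_BYTES):
    """Return [(host, day, bytes, baseline)] for days far above the host's own baseline.

    The baseline is the median of the host's *other* days, so one huge day
    cannot mask itself by dragging up a mean that includes it.
    """
    alerts = []
    for host, per_day in daily_egress(records).items():
        for day, total in sorted(per_day.items()):
            others = [b for d, b in per_day.items() if d != day]
            if not others:
                continue  # no history to compare against
            baseline = median(others)
            if total >= floor and total >= factor * baseline:
                alerts.append((host, day, total, baseline))
    return alerts


def unsanctioned_file_sharing(records):
    """Return [(host, user, domain, bytes)] for traffic to unapproved file-sharing domains."""
    hits = []
    for _day, host, user, domain, nbytes in records:
        if domain in FILE_SHARING_DOMAINS and domain not in SANCTIONED_DOMAINS:
            hits.append((host, user, domain, nbytes))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, day, total, base in egress_spikes(recs):
        print(f"SPIKE {host} {day}: {total / 1e9:.1f} GB out vs median {base / 1e6:.2f} MB/day")
    for host, user, domain, nbytes in unsanctioned_file_sharing(recs):
        print(f"FILESHARE {host} {user} -> {domain} ({nbytes} bytes)")
```

On the constructed input, the spike rule fires once, for ws-17 on the day of the large upload, and the file-sharing rule fires on the two Dropbox flows while ignoring the sanctioned Google Drive traffic. The absolute floor matters in practice: a host that normally sends a few kilobytes a day would otherwise trip the ratio test on a single routine email attachment.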