HOUSE_OVERSIGHT_020319.jpg

167

alleged that USIS employees often “flushed,” or ended cases before completing a full
investigation, to meet corporate-imposed quotas for getting bonuses. One employee said in an
email cited in the government’s complaint “Flushed everything like a dead goldfish.” As a result,
some of information specialists entering the NSA through the back door of outside contractors
were not fully vetted. (On August 20, 2015 USIS agreed to forfeit $30 million in fees to settle
the law suit.)

USIS was also opened to sophisticated hacking attacks by outsiders. For example, in August
2014, the Department of Homeland Security’s counterintelligence unit discovered such a massive
and persistent breach in USIS that it shut down its entire exchange of data with USIS. The
intrusion into USIS records in this case was attributed to hackers in China most likely linked to
the Chinese intelligence service. Such massive intrusions dated back to 2011. USIS’ lack of
security in its website left a gaping hole through which outside parties, including Chinese and
Russian hackers, could learn both the identity and background of information specialists applying
for jobs at the NSA.

These private companies had one further security weakness. They did sufficiently protect the
personal data of their off-premise employees working at the NSA. Consider, for example, the
successful 2011 attack on the Booz Allen Hamilton servers. The previously-mentioned hackers'
group “Anonymous” took credit for it. It not only breached the security of Booz Allen servers
but cracked the algorithms it used to protect its employees. It next injected so-called Trojan-
horse viruses and other malicious codes on Booz Allen servers that allowed it to have future
entry. Presumably, if amateur hackers such as Anonymous could break into the computers of the
NSA’s largest contractor, so could the state espionage services with far more advanced hacking
tools such as those of Russia and China. From these sites, an adversary intelligence service
could obtain all the job applications and personal resumes submitted to contractors such as Booz
Allen. It could then compile a list of the candidates looking to work at the NSA.

These deficiencies in the private sector were compounded by the failure of security in the
government’s own Office of Personnel Management. It used a computer system called E-QIP in
which intelligence employees with security clearances, including outside contractors, updated
their computerized records to maintain or upgrade their security clearances. For example,
Snowden updated his clearance in 2011. To do so, these employees constantly updated their
financial and personal information. As it turned out, there was a major hole in the E-QIP system.
It was repeatedly hacked since 2010 by unknown parties. In 2015, the US government told
Congress that China was most likely responsible but Russia and other nations with sophisticated
cyber services could have also participated in the hacking. In any case, the records of over 19
million employees, including intelligence workers, became available to a hostile intelligence
service. This breach would allow hostile services a great deal of information about independent
contractors working at the NSA. They could then use this data to follow the movements of
movement of any of these intelligence workers they deemed of interest.

HOUSE_OVERSIGHT_020319