Snowden’s ex-boss offers tips on stopping insider threats
Steven Bay, a former defense contractor, knows a thing or two about insider threats. For a brief period, he was the boss of Edward Snowden, the famous leaker who stole sensitive files from the U.S. National Security Agency.
Recalling the day he learned Snowden had been behind the NSA leaks back in June 2013, Bay said he received texts about the breaking news while in a leadership meeting at a church. The first text said “Sorry man, looks like your worst nightmare came true.”
Bay was crushed: “I went out into an empty room of the church and I just melted down crying.”
“Every negative thought you can have, I had,” he said. “I thought I was going to get fired. I thought I was going to go to jail. I’m going to lose my family… undercover CIA agents are going to get whacked.”
Fortunately, Bay — who was Snowden’s manager at the time of the NSA hack — wasn’t jailed. But the whole incident did teach him the dangers about insider data theft, and that all companies must take it seriously.
“When we look at Snowden, it’s a very divisive issue,” he said. “But there are also a lot of lessons we can learn here.”
Bay spoke Tuesday at the TechIgnite event, hosted by the IEEE Computer Society, where he explained tips that companies can use to guard against insider threats. He previously worked at the consulting firm Booz Allen Hamilton, which does work for the NSA. In February 2013, Bay interviewed Snowden for a job at the firm.
Snowden has said to the press that he actually sought employment at Booz Allen to gain access to NSA’s surveillance program data.
Bay calls Snowden a “malicious insider” who should be jailed. But stopping someone like him can be tricky.
In an interview, Bay said Snowden didn’t exhibit any blatant red flags that exposed his intentions in the two months he was employed at Booz Allen as an intelligence analyst. But he did show a couple “yellow flags” that in retrospect hinted something was off.
Former defense contractor Steven Bay speaks at TechIgnite on March 21, 2017.
For instance, Snowden had early on asked for access to NSA’s classified PRISM surveillance program. Two weeks later, he asked for it again, explaining that the data would help him in his NSA-related work. After he got access to the information, he ended up leaking it to the press.
Snowden also claimed he had epilepsy and had to take a leave of absence from Booz Allen because of it. Normally, employees will file short-term disability with human resources so they can still receive their wages, Bay said. But Snowden didn’t care to.
“Wanting leave without pay, instead of short-term disability, was weird,” he said. However, none of these actions were unreasonable either.
“I had no reason not to trust him,” said Bay, who recalls being “blown away” by Snowden’s technical knowledge when he interviewed him for the job at Booz Allen.
That’s why it’s important for any organization to have protective measures in place when insiders do strike, he said.
Snowden ended up successfully stealing a massive number of files about NSA programs. But better technological controls, like system alerts that detect when sensitive data is being moved, could have been used to stop that, Bay said.
“Perhaps an alert for when a thumb drive gets plugged in,” he added. “Alerting when a thumb drive gets turned on.”
Or, in a low-tech solution, USB drive ports from the most sensitive computing systems should be removed.
Companies can consider data loss prevention services, which specialize in the monitoring and the protection of sensitive files, Bay said. But another way to guard against insider threats is properly segregating who has access to what.
For example, staffers who leave a company should have their computer access immediately terminated. In addition, a company’s accounting department shouldn’t have access to the R&D team’s research, and vice-versa.
“Unless your insider has the keys to the kingdom, they can do damage, but they’ll be limited to whatever they have access to,” he said.
Following the NSA leaks, Bay was pulled off from his NSA-related work at Booz Allen Hamilton, and he left the firm last year. He now works as an independent cybersecurity consultant, after serving as a CISO at a medical devices maker.
Looking back at his time at Booz Allen, Bay joked in his talk at TechIgnite: “I don’t know why I was the one guy out of billions of people who got stuck being Snowden’s boss. But I was.”
He added that insider hackers like Snowden are rare, so it’s important for companies to focus on more common cybersecurity threats too, like those that come from phishing emails, he said.
But that doesn’t mean companies should ignore the insider risk either.
“These malicious insiders, in my mind, they can do more damage than any other threat you have out there,” he said.