Leak scandal teaches Booz Allen a hard lesson about cybersecurity
Mike McConnell and his fellow Booz Allen Hamilton executives have a lot of questions to answer, including: Why did the government contractor assign a 29-year-old high-school dropout with scant experience to a sensitive National Security Agency site in Hawaii?
The New York Times
WASHINGTON — When the United Arab Emirates wanted to create its own version of the National Security Agency (NSA), it turned to Booz Allen Hamilton to replicate the world’s largest and most powerful spy agency in the sands of Abu Dhabi.
It was a natural choice: The chief architect of Booz Allen’s cyberstrategy is Mike McConnell, who once led the NSA and pushed the United States into a new era of big-data espionage.
Yet as Booz Allen profits handsomely from its worldwide expansion, McConnell and other executives of the government contractor have a lot of questions to answer. Among them: Why did Booz Allen assign a 29-year-old with scant experience to a sensitive NSA site in Hawaii, where he was left loosely supervised as he downloaded highly classified documents about the government’s monitoring of Internet and telephone communications, apparently loading them onto a portable memory stick barred by the agency?
The results could be disastrous for a company that sells itself as the gold standard in protecting classified computer systems and boasts that half its 25,000 employees have top-secret clearances. Until a week ago, Booz Allen had one of the best business plans in Washington, with more than half its $5.8 billion in annual revenue coming from the military and the intelligence agencies.
Last week, the chairwoman of the Senate Intelligence Committee, Dianne Feinstein, whom McConnell regularly briefed when he was in government, suggested for the first time that companies such as Booz Allen should lose their broad access to the most sensitive intelligence secrets.
“We will certainly have legislation which will limit or prevent contractors from handling highly classified and technical data,” said Feinstein, D-Calif. Senior Obama administration officials said they agreed.
Yet cutting contractors out of classified work is a lot harder in practice than in theory. Booz Allen is one of many companies that make up the digital spine of the intelligence world, designing the software and hardware systems on which the NSA and other military and intelligence agencies depend. McConnell speaks often about the need for the private sector to jolt the government out of its attachment to existing systems, noting, for example, that the Air Force fought the concept of drones for years.
Removing contractors from the classified world would be a wrenching change: Of the 1.4 million people with top-secret clearances, more than one-third are private contractors. (The background checks for those clearances are usually done by other contractors.)
McConnell has been among the most vocal in warning about this risk to contractors. “The defense industrial base needs to address security,” he said in an interview with The New York Times last year, months before Booz Allen hired Edward Snowden, its young systems administrator who has admitted to leaking documents describing secret NSA programs. “It should be a condition for contracts. You cannot be competitive in the cyber era if you don’t have a higher level of security.”
Booz Allen is saying little about Snowden’s actions or the questions they have raised about its practices. McConnell, once among the most accessible intelligence officials in Washington, declined to be interviewed for this article.
“This has to hurt Mike’s relationship with the NSA,” said a business associate of McConnell’s who requested anonymity. “He helped set up those contracts and is heavily engaged there.”
Few top officials in the intelligence world have become greater authorities on cyberconflict than McConnell, 69, who walks with a stoop from a bad back and speaks with the soft accent of his upbringing in Greenville, S.C. He began his career as a Navy intelligence officer on a small boat in the backwaters of the Mekong Delta during the Vietnam War. Years later he helped the U.S. intelligence apparatus make the leap from an analog world of electronic eavesdropping to the new age of cyberweaponry.
President Clinton relied on McConnell as director of the NSA, a post he held from 1992 to 1996. McConnell then moved to Booz Allen as a senior vice president, building its first cyberunits. But with the intelligence community in disarray after its failure to prevent the Sept. 11 terrorist attacks, the fiasco of nonexistent weapons of mass destruction in Iraq and the toll of constant reorganization, President George W. Bush asked him to serve as the second director of national intelligence, a post he held from 2007 to 2009.
That was when he made his biggest mark, forcing a reluctant bureaucracy to invest heavily in cybercapability and overseeing “Olympic Games,” the development of the United States’ first truly sophisticated cyberweapon, which was used against Iran’s nuclear-enrichment program. When Bush needed someone to bring President-elect Obama up to speed on every major intelligence program he was about to inherit, he handed the task to McConnell.
Obama was not interested in keeping the previous team, and McConnell returned to Booz Allen in 2009. He earned more than $4.1 million his first year back, and $2.3 million last year. He is vice chairman, and the company describes him as the leader of its “rapidly expanding cyberbusiness.”
In Washington he is often Booz Allen’s public face, because of his ties to the intelligence agencies and his extensive and loyal network of federal intelligence officials who once worked with him.
Two months ago, the company announced the creation of a Strategic Innovation Group, staffed by 1,500 employees who are pursuing, among other projects, one of McConnell’s favorites: the development of “predictive” intelligence tools that its government clients can use to scour the Web for anomalies in behavior and warn of terrorist or cyberattacks. He has also hired a senior counterterrorism official to market products in the Middle East. This year, the company began working on a $5.6 billion, five-year intelligence analysis program for the Defense Intelligence Agency.
The company’s profits are up almost eightfold since it went public in late 2010. Its majority shareholder is the Carlyle Group, which matches private equity with a lot of Washington power, and its executives, chief among them McConnell, drum up business by warning clients about the potential effects of cyberweapons.
Changing the rules
As director of national intelligence, McConnell kept a giant world map propped up in front of his desk. Countries were sized by Internet traffic, and the United States ballooned bigger than all others, a fact that he told a visitor was at once “a huge intelligence advantage and a huge vulnerability.”
The advantage was that the U.S. role as the world’s biggest Internet switching center gave it an opportunity to sort through the vast troves of metadata — including phone records, Internet activity and banking transactions — enabling analysts to search for anomalies and look for attacks in the making. But he chafed at the legislative restrictions that slowed the process.
Changes in FISA
So in 2007, as the intelligence chief, he lobbied Congress for revisions to the Foreign Intelligence Surveillance Act, or FISA, to eliminate some of the most burdensome rules on the NSA, including that it obtain a warrant when spying on two foreigners abroad simply because they were using a wired connection that flowed through a computer server or switch inside the United States.
It made no sense in the modern age, he argued. “Now if it were wireless, we would not be required to get a warrant,” he told The El Paso Times that year.
The resulting changes in law and legal interpretations led to many of the steps — including the government’s collection of logs of telephone calls made in and out of the country — that have been debated since Snowden began revealing the extent of such programs. McConnell put the changes into effect.
In 2007, “Mike came back into government with a 100-day plan and a 500-day plan for the intelligence community,” said Stephen Hadley, Bush’s national-security adviser. “He brought a real sense of the private sector to the intelligence world, and it needed it.”
The new technologies created a flood of new work for the intelligence agencies — and huge opportunities for companies such as Booz Allen. It hired thousands of young analysts like Snowden. The intelligence agencies snapped them up, assigning them to sensitive, understaffed locales, including the Hawaii listening station where Snowden downloaded his materials.
Last month, the Navy awarded Booz Allen, among others, the first contracts in a billion-dollar project to help with “a new generation of intelligence, surveillance and combat operations.”
The new push is to take those skills to U.S. allies, especially at a time of reduced spending in Washington. So while the contract with the United Arab Emirates is small, it may be a model for other countries that see cyberdefense — and perhaps offense — as their future.
“They are teaching everything,” one Arab official familiar with the effort said. “Data mining, Web surveillance, all sorts of digital-intelligence collection.”
The company reported net income of $219 million in the fiscal year that ended March 31, up from net income of $25 million in 2010, shortly after McConnell returned to the company.
But the warnings at the end of its financial report offered a caution that the company could be hurt by “any issue that compromises our relationships with the U.S. government or damages our professional reputation.”
By Friday, shares of Booz Allen had slid almost 7 percent since the Snowden revelations. And a new job posting appeared on its website for a systems administrator in Hawaii, “secret clearance required.”