On Monday the Justice Department charged a 25-year-old woman with leaking classified intelligence to the media. Say what you will about the woman’s patriotism, brains, or motivation. Compliance and audit executives have plenty of lessons to learn in this case study of security controls in the modern era.
The woman is Reality Leigh Winner. As you likely already know by now, Winner is charged with leaking intelligence about Russian attempts to influence the 2016 elections to The Intercept, one of those online news organizations doing great work that few people actually read. According to court documents, Winner worked for a government contractor, Pluribus International Corp., and obtained a top secret National Security Agency report about the Russian hacking attempts. She printed out a copy and mailed it to The Intercept.
The Intercept then asked the NSA for comment about the report, and showed a copy of the document to NSA officials. The NSA alerted the FBI, which identified Winner as the suspected leaker. She was charged yesterday under the Espionage Act, about one hour after The Intercept published its story on the Russian meddling.
For compliance and audit executives, the document worth reading is the FBI affidavit filed in support of the charges against Winner. The affidavit tells how agents started with one scrap of evidence—a copy of the document that Winner sent to The Intercept—and within a matter of days, worked their way back to Winner as the suspected leaker.
The FBI’s sleuthing started with the copy of the intelligence report that The Intercept provided. The copy had creases along the top and sides, suggesting that someone had sent a paper copy of the report to The Intercept. An NSA audit then determined that only six people printed a copy of the intelligence report between May 5, the day it was generated, and May 30, the day that The Intercept asked the NSA for comment about it. Winner was one of the six.
NSA auditors then examined the computer workstations of those six people. They found evidence that Winner had been communicating by email with The Intercept, and she was the only person among the six suspects who had.
After that, FBI agents visited Winner at her home in Augusta, Ga., and she gave them a full confession: that she found and printed the intelligence report, despite having no reason to do so; that she knew it was classified top secret; and that she then removed it from her government offices and mailed it to The Intercept.
Winner now faces up to 10 years in prison. On the bright side, according to her Instagram account, she took a nice vacation in Belize at the end of May. At least she enjoyed her last few days of freedom in a lovely place.
The Internal Control Lessons
The importance of end-user controls. The heart of this case was Winner’s printing of a top secret document. Her ability to print the document put things into motion, and the NSA’s ability to audit who printed the document brought them to a close. It was a battle between the end-user and the organization’s end-user controls.
Here in the corporate world, weaknesses in end-user controls usually manifest as an inability to control data that employees manipulate via their desktop computers: data exported as a spreadsheet, documents printed as PDFs and emailed, and so forth.
With sophisticated software (usually running from the cloud), you can thwart at least some of those risks—but, clearly, not all of them. And what’s the balancing act between tight end-user controls that disable desktop functions, and frustrated employees who can’t do their jobs? People use desktop software so often for a reason, after all: because it’s cheap, easy, and universal.
Security, both physical and electronic. For all our hysteria these days about cybersecurity, we would do well to remember that the real risk is security, period—both physical and electronic. Winner pulled off her leak because she smuggled sensitive data out the front door, not over an Internet connection.
Controls for physical security are intrusive: bans on cell phones, metal detectors, keypad entry codes at the door, stern-looking doormen. And let’s not even contemplate security risks 20 years from now, when we all have iPhone or Google cameras embedded in our eyeballs.
Access controls matter. Yes, Winner had a top secret security clearance to do her job with the NSA. According to an FBI search warrant related to the case, that clearance meant that Winner could access intelligence reports such as the May 5 document she copied. But the individual intelligence reports were need-to-know material, and at least this specific report was unrelated to her job duties—that is, Winner had no need to see this particular report.
Still, not only did Winner have access to the May 5 report; she had the ability to print a copy. (See end-user controls, total pain in the neck; above.)
The ability to create an audit trail matters, too. Kudos to the NSA’s IT and audit teams for creating an IT infrastructure that allowed the agency to track Winner’s activity so quickly. As much as compliance officers might like to stress the importance of a strong control environment, control activities and monitoring are crucial parts of an effective internal control system for a reason. When you blend them together correctly, they can shine a path straight to the cause of an internal control failure.
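The audit steps from the affidavit (who printed the report in the date window, then who among them had outside contact) and the need-to-know point above can be sketched as one monitoring check. This is an added example, not code from the original post or from any NSA system; the log layout, user names, document IDs, topics and contact list are all constructed.

```python
from datetime import date

# Constructed print-audit records: (user, document id, date printed).
PRINT_LOG = [
    ("analyst_a", "RPT-0505", date(2017, 5, 8)),
    ("analyst_b", "RPT-0505", date(2017, 5, 9)),
    ("analyst_c", "RPT-0505", date(2017, 5, 9)),
    ("analyst_c", "RPT-0412", date(2017, 5, 10)),
    ("analyst_d", "RPT-0505", date(2017, 6, 2)),   # printed after the window closed
]
# Constructed need-to-know data: each document's topic, each user's assigned topics.
DOC_TOPIC = {"RPT-0505": "topic_a", "RPT-0412": "topic_b"}
ASSIGNED = {
    "analyst_a": {"topic_a"},
    "analyst_b": {"topic_a", "topic_b"},
    "analyst_c": {"topic_b"},
    "analyst_d": {"topic_a"},
}
# Constructed workstation/mail review result: users with outside contact of interest.
EXTERNAL_CONTACT = {"analyst_c"}

def printers_in_window(log, doc_id, start, end):
    """Audit step 1: who printed this document between two dates (inclusive)."""
    return sorted({u for u, d, when in log if d == doc_id and start <= when <= end})

def narrow(printers, contacts):
    """Audit step 2: keep only printers who also show the outside contact."""
    return [u for u in printers if u in contacts]

def outside_need_to_know(log, doc_topic, assigned):
    """Monitoring check: prints of documents whose topic the user is not assigned.
    Unknown users or documents are flagged rather than silently allowed."""
    return [(u, d, when) for u, d, when in log
            if doc_topic.get(d) not in assigned.get(u, set())]

if __name__ == "__main__":
    pool = printers_in_window(PRINT_LOG, "RPT-0505", date(2017, 5, 5), date(2017, 5, 30))
    print("printed in window:", pool)
    print("printed and had outside contact:", narrow(pool, EXTERNAL_CONTACT))
    for event in outside_need_to_know(PRINT_LOG, DOC_TOPIC, ASSIGNED):
        print("print outside need-to-know:", event)
```

The first two functions reproduce the after-the-fact audit; the third is the check that can run as each print job is logged, before any document leaves the building.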
Third-party vetting. A compliance professional’s instinct is to say that this is one area where the NSA and its staffing contractor, Pluribus, should have done better. Winner started working for the NSA in February, well after you-know-who won the White House. Even a cursory examination of her social media posts shows that she was no fan of Donald Trump.
On a practical basis, however, how much weight do we want to give political loyalties when vetting potential employees? Should every disagreeable political statement be grounds to bar someone from employment? Sure, we all know that Trump would love that idea—but here in the real world, how invasive and prejudicial do we want to be? What does that say about our democratic society, which isn’t doing too well right now as things are?
I don’t know. I suspect, however, that Winner’s case isn’t the last time we’re going to go through something like this.