We Now Know A Lot More About Edward Snowden's Epic Heist - And It's Troubling
Edward Snowden's in-depth interview with James Bamford of Wired offers details about his last job as a contractor for the NSA in Honolulu, which raise disconcerting questions about the motives of the former systems administrator.
While working at two consecutive jobs in Hawaii from March 2012 to May 2013, the 31-year-old allegedly stole about 200,000 "tier 1 and 2" documents, which mostly detailed the NSA's global surveillance apparatus and were given to American journalists Glenn Greenwald and Laura Poitras in June 2013. The government believes Snowden also took up to 1.5 million "tier 3" documents potentially detailing U.S. capabilities and NSA offensive cyber operations, the whereabouts of which are unknown.
We now know more about the larger and more sensitive cache of classified documents. Furthermore, a close reading of relevant reporting and of statements made by Snowden suggests that much of what the rogue NSA employee intentionally took involved operational information unrelated to civil liberties.
While the tier 3 material appears to have not been shared with American journalists, some of it was shown to a Chinese newspaper. And 14 months later, given the uncertain fate of the documents, it is not unreasonable to ask whether they could have fallen into the hands of an adversarial foreign intelligence service.
'The Time Had Come To Act'
Snowden had worked as an NSA contractor for Dell since 2009, and in March 2012 he began working as a systems administrator for the NSA's information-sharing office at the Kunia Regional Security Operations Center (known as "the Tunnel") on the main island of Oahu. Over time, he became increasingly alarmed by what he viewed as serious U.S. governmental violations of Americans' constitutional liberties, as well as general disregard for privacy rights of foreign citizens.
American officals told Reuters that Snowden began making illegal downloads about U.S. and U.K. eavesdropping programs in April 2012. (The NSA later told Vanity Fair that the downloading began in the summer of 2012.)
By early 2013, "Snowden believed he had no choice but to take his thumb drives and tell the world what he knew," Bamford writes in Wired. "The only question was when."
Snowden says that moment came on March 13, 2013, when he read about Director of National Intelligence James Clapper's appearance before a Senate committee, during which he testified that intelligence officials did not "wittingly" collect data on Americans.
Clapper's statement and the subsequent lack of concern among his NSA colleagues at the Tunnel "convinced him that the time had come to act," Bamford writes.
Snowden quit Dell on March 15, according to reporting by Edward Jay Epstein of The Wall Street Journal, and landed a job with Booz Allen as an infrastructure analyst at the National Threat Operations Center in Honolulu.
So two days after Clapper's testimony, and three months after he began working with Poitras, Snowden set his sights on what Bamford describes as "that last cache of secrets."
New Job, More Secrets
Snowden transferred to Booz Allen to gather information on "the NSA's aggressive cyberwarfare activity around the world," Bamford writes, adding that the talented technician "became immersed in the highly secret world of planting malware into systems around the world and stealing gigabytes of foreign secrets."
That kind of hacking - employing the most sensitive of clandestine NSA cyberspying techniques - is carried out by the NSA's Office of Tailored Access Operations (TAO). Current and former intelligence officials told investigative reporter Matthew Aid that "TAO has been enormously successful over the past 12 years in covertly inserting highly sophisticated spyware into the hard drives of over 80,000 computer systems around the world, although this number could be much higher."
Snowden's new position gave him deep access into the NSA's emerging cyber-espionage capabilities.
"Infrastructure analysts like Mr. Snowden, in other words, are not just looking for electronic back doors into Chinese computers or Iranian mobile networks to steal secrets," Scott Shane and David Sanger of The New York Times reported in June 2013. "They have a new double purpose: building a target list in case American leaders in a future conflict want to wipe out the computers' hard drives or shut down the phone system."
Basically, Snowden gained the opportunity he sought.
"My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked," he told the South China Morning Post (SCMP) on June 12, 2013. "That is why I accepted that position about three months ago."
For example, Snowden told NYT in October he had "access to every target, every active operation" mounted by the NSA against the Chinese. "Full lists of them."
Tier 1 and 2 vs. Tier 3
"He is a whistleblower in the case of some documents, and not a whistleblower in the case of other documents," Epstein of WSJ said in a recent interview with Scott Johnson of Powerline.
Epstein reported that Snowden's job with Dell in Hawaii "gave him access to the NSA Net, from which he pilfered most of the documents he later gave to journalists, including the ones about NSA domestic operations that have preoccupied the world's media."
These documents, which comprise tier 1 and tier 2 of the intelligence community's damage assessment, "can be called whistleblowing, whistleblowing [documents] that say he's a man of conscience and he revealed what he thought ... the public should know," Epstein explained to Powerline. "But these constituted only a small portion because then he transferred to Booz Allen on March 15, 2013."
Epstein wrote that Snowden went to Booz Allen to "get access to the crown jewels, the lists of computers in four adversary nations - Russia, China, North Korea and Iran - that the agency had penetrated."
These proverbial keys to the kingdom are considered the most sensitive of the potentially massive cache of tier 3 documents that Snowden may have obtained but did not give to American journalists.
Epstein also reported that some documents "were taken from at least 24 supersecret compartments that stored them on computers, each of which required a password that a perpetrator had to steal or borrow, or forge an encryption key to bypass."
Snowden denies scamming passwords, but former colleagues have admitted to inadvertently providing Snowden a password to access information he was not authorized to see.
Epstein told Powerline that the theft at Booz was "basically a work of espionage: Taking documents that reveal sources and methods. He's never given these documents, with one exception, to any journalist, and no one knows where these documents are.
"So in the case of his work [for Booz Allen] at the National Threat Operations Center, he is not in my book under any theory a whistleblower," Epstein concluded. "At Dell, he could be a whistleblower. These are two different jobs and two different phases."
What Happened To The Tier 3 Documents?
After he flew to Hong Kong on May 20, Snowden gave an estimated 200,000 documents to Greenwald and Poitras. Significantly, from what has been reported, that portion of the information Snowden took does not seem to include "lists of machines all over the world the NSA hacked."
Two days after parting ways with the Americans on June 10, however, Snowden provided documents revealing "operational details of specific attacks on computers, including internet protocol (IP) addresses, dates of attacks and whether a computer was still being monitored remotely" to Lana Lam of SCMP.
"I did not release them earlier because I don't want to simply dump huge amounts of documents without regard to their content," Snowden told the Hong Kong paper in a June 12 interview. "I have to screen everything before releasing it to journalists."
Greenwald subsequently told the Daily Beast that he would not have "disclosed the specific IP addresses in China and Hong Kong the NSA is hacking."
Though based in the "special administrative region" of Hong Kong, the South China Morning Post operates under the jurisdiction of the Chinese government, particularly when it comes to matters of national security.
Dr. Wolff Heintschel von Heinegg, one of the coauthors of NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare, told Business Insider in June 2013 that the NSA cyberspying Snowden reportedly divulged to SCMP detailed "either espionage or some other interference with the cyber infrastructure in another state.
"Let's be quite clear," Dr. von Heinegg added. "Intruding into another state's systems in order to figure out what's in there - that's simply espionage, everybody's doing it."
Consequently, Snowden's decision to steal and share such details of the NSA's snooping on a foreign government is not a simple matter of exposing illegality or relative wrongdoing, but suggests something far more serious.
NSA whistleblower William Binney - a hero of Snowden's - told USA Today that the SCMP leaks marked a "[transition] from whistleblower to a traitor."
And it's unclear how much of the tier 3 material, if any, may have been shown to anyone else.
In October James Risen of the Times reported that the former CIA technician said "he gave all of the classified documents he had obtained to journalists he met in Hong Kong." (ACLU lawyer and Snowden legal adviser Ben Wizner subsequently told Business Insider that the report was inaccurate.)
In May 2014, Snowden then told NBC's Brian Williams in Moscow that he "destroyed" all documents in his possession while in Hong Kong.
So, as Epstein noted, no one knows what happened to the tier 3 information that Snowden, "a genius among geniuses," managed to steal while immersed in NSA offensive cyber operations at Booz Allen.
Interestingly, in the German newspaper Der Spiegel, Poitras and "American WikiLeaks Hacker" Jacob Appelbaum reported detailed information about the NSA's elite TAO hackers and published a catalog of tools, created by TAO's technical expert division (known as ANT), used to hack into computers.
But the reports do not specify where the classified NSA documents came from.
Appelbaum, a close friend of Poitras, whom she brought in to vet Snowden, also presented the ANT catalog in December 2013 at a computer conference in Germany. (In December 2012, Snowden threw a Crypto Party with Appelbaum's former colleague at the Tor project, Runa Sandvik.)
Stuck In Moscow
After outing himself on June 9, Snowden reached out to WikiLeaks for help finding asylum. On June 15, the U.S. asked Hong Kong to provisionally arrest Snowden for the purposes of extradition and subsequently revoked his passport on June 22.
On June 23, Beijing allowed Snowden to board a flight to Moscow using a "refugee document of passage" obtained by WikiLeaks founder Julian Assange from the Ecuadorian consul in London. But the document wasn't even signed - meaning that Snowden had no valid travel documents when he landed on Russian soil.
The fact that Snowden ended up in Moscow was "no accident from the Russian point of view," Epstein told Powerline, noting that Putin offered to consider Snowden's asylum request on June 11. For Russia, an American systems administrator with granular knowledge of offensive U.S. cyber operations would be an extraordinary prize.
For his part, Assange has stated multiple times that he advised Snowden to stay in Russia, as opposed to attempting to obtain asylum in Venezuela and Ecuador.
"In Russia, he's safe, he's well-regarded, and that is not likely to change," the Australian publisher told Janet Reitman of Rolling Stone. "That was my advice to Snowden, that he would be physically safest in Russia."
Epstein, citing a U.S. official he spoke with in Hong Kong, reported that "Snowden had been observed on CCTV cameras entering the skyscraper that housed the Russian consulate on three occasions" in June.
It is not known when in June Snowden visited the Russian officials in Hong Kong, but the circumstances may inform the fate of the tier 3 documents.
On June 12, Snowden told SCMP that he wanted to make more documents available to journalists if he had "time to go through this information." If Snowden had access to the tier 3 cache when he first met with the Russians in Hong Kong, it would explain their willingness to give him a safe refuge and protect him.
A Whistleblower - And a Spy
While Snowden can legitimately claim to be a whistleblower based on the tier 1 and 2 material he gave to Poitras, Greenwald, and Barton Gellman of The Washington Post, the larger cache of information about America's cyberintelligence capabilities and activities around the world is another story.
Snowden's audacious theft of tier 3 documents, which included acquiring colleagues' passwords that gave him access to secret files, could potentially put him in another category altogether. Taking that information would in theory make him a renegade spy - and possessing it would make him an especially welcome guest of the Kremlin.
"These secrets he took from [from Booz Allen] are of value to no one but Russia, China, and maybe North Korea, because these secrets are basically the lists of computers in Russia, China, and North Korea which [the U.S.] managed to compromise and tap into," Epstein asserted to Powerline. "And not only that, ... it would take a very sophisticated counterintelligence service to reverse engineer and to figure out where all of the pieces of the puzzle fit together.
"So the strange thing about what he did at the National Threat [Operations] Center is what he took is ... only of use to two countries. Have they made use of them? I don't know. But they are of no use to journalists. If he supplied these to journalists, they would have nothing to publish [besides lists of compromised computers]."
Fifteen months after his epic heist, we still don't know if Snowden was telling the truth when he said he destroyed the tier 3 documents between June 12 (the SCMP leak) and June 23 (the flight to Moscow).
"The only thing that Russia and China certainly have in common is that they both want to deny American primacy," Epstein noted to Powerline. "Certainly if you can find a list of everything in your country that has been tapped, whoever you are, even if you were the Mafia, that list would be valuable to you."
As important as Snowden's exposure of illegal domestic spying undoubtedly has been, questions about the tier 3 documents - why he sought them; whom he shared them with; and where they are now - cast a dark shadow on his prominence as a hero.