USIS and Contractor Security Lapses Exposed as Potential Vector for Chinese and Russian Espionage

167 alleged that USIS employees often “flushed,” or ended cases before completing a full investigation, to meet corporate-imposed quotas for getting bonuses. One employee said in an email cited in the government’s complaint “Flushed everything like a dead goldfish.” As a result, some of information specialists entering the NSA through the back door of outside contractors were not fully vetted. (On August 20, 2015 USIS agreed to forfeit $30 million in fees to settle the law suit.) USIS was also opened to sophisticated hacking attacks by outsiders. For example, in August 2014, the Department of Homeland Security’s counterintelligence unit discovered such a massive and persistent breach in USIS that it shut down its entire exchange of data with USIS. The intrusion into USIS records in this case was attributed to hackers in China most likely linked to the Chinese intelligence service. Such massive intrusions dated back to 2011. USIS’ lack of security in its website left a gaping hole through which outside parties, including Chinese and Russian hackers, could learn both the identity and background of information specialists applying for jobs at the NSA. These private companies had one further security weakness. They did sufficiently protect the personal data of their off-premise employees working at the NSA. Consider, for example, the successful 2011 attack on the Booz Allen Hamilton servers. The previously-mentioned hackers' group “Anonymous” took credit for it. It not only breached the security of Booz Allen servers but cracked the algorithms it used to protect its employees. It next injected so-called Trojan- horse viruses and other malicious codes on Booz Allen servers that allowed it to have future entry. Presumably, if amateur hackers such as Anonymous could break into the computers of the NSA’s largest contractor, so could the state espionage services with far more advanced hacking tools such as those of Russia and China. From these sites, an adversary intelligence service could obtain all the job applications and personal resumes submitted to contractors such as Booz Allen. It could then compile a list of the candidates looking to work at the NSA. These deficiencies in the private sector were compounded by the failure of security in the government’s own Office of Personnel Management. It used a computer system called E-QIP in which intelligence employees with security clearances, including outside contractors, updated their computerized records to maintain or upgrade their security clearances. For example, Snowden updated his clearance in 2011. To do so, these employees constantly updated their financial and personal information. As it turned out, there was a major hole in the E-QIP system. It was repeatedly hacked since 2010 by unknown parties. In 2015, the US government told Congress that China was most likely responsible but Russia and other nations with sophisticated cyber services could have also participated in the hacking. In any case, the records of over 19 million employees, including intelligence workers, became available to a hostile intelligence service. This breach would allow hostile services a great deal of information about independent contractors working at the NSA. They could then use this data to follow the movements of movement of any of these intelligence workers they deemed of interest. HOUSE_OVERSIGHT_020319