After Harold Martin case, intelligence community seeks answers

The case is causing leaders on Capitol Hill and in the Office of the Director of National Intelligence to re-examine exactly how the government defends against insider threats.
(Getty Images)

The arrest and then recent indictment of Harold T. Martin III, a 20-year veteran of the intelligence community who is accused of carrying out the biggest theft of classified information in U.S. history, is causing leaders on Capitol Hill and in the Office of the Director of National Intelligence to re-examine exactly how the government defends against insider threats.

But with other battles on the immediate horizon — including perhaps most notably an investigation into Russian hacking operations aimed at the 2016 presidential election — it remains unclear whether either the House or Senate intelligence committees will take any oversight action even though the Martin case is unprecedented.

The 52-year-old Martin stole “irreplaceable classified material on a breathtaking scale,” roughly amounting to 50 terabytes worth of digital information, a federal prosecutor said during a detention hearing in October. The investigation into Martin’s career conduct is ongoing, an FBI spokesperson confirmed Monday to CyberScoop. A separate request for comment sent to the NSA went unanswered.

“The fact that the Martin case occurred at all is sign of a serious security failure not just in itself but also failing to learn lessons from past breaches,” said historian Steven Aftergood, who runs the Secrecy News blog.


A longtime defense contractor who was most recently employed by Booz Allen Hamilton, Martin was originally arrested in late August at his home in Glen Burnie, Maryland, where investigators found media storage devices containing sensitive content and piles of classified documents. This material was spread throughout Martin’s home, garden shed and personal vehicle.

“You’re seeing [insider threat issues] with what seems to be an increased frequency,” said Brett Freedman, counsel for the Senate Intelligence Committee’s Democrats. “From a congressional oversight perspective, the attention thus far at least with respect to both [Edward] Snowden and Martin is that you have two instances, both involving contractors, both involving contractors which happen to be from the same company.”

Freedman, who spoke last week alongside other aides at the Hoover Institute, said that there is a “distinct line,” a boundary, by which the government must respect the rights of its employees while also remaining vigilant of potential insider threats.

“You don’t want [Congress] to take a look at [just] the last incident. Because the last incident is not necessarily going to dictate what the next incident is going to be,” said Freedman, “Yes, Congress is looking at [it]. But there’s a difference between looking at them and putting together legislative solutions that are going to become law.”

With cases like Martin’s, it is standard practice for the House Intelligence Committee to “look into security practices just as general oversight,” said Allen Souza, counsel for the panel’s Republican majority.


“Quite frankly, I think you’re going to see a lot of rhetoric, a lot of discussion, a lot of perhaps hearings, and other engagements, but beyond that I am not sure where things will go [in 2017 when it comes to insider threat issues],” Freedman said.

Court documents suggest that Martin “willfully” retained information pertaining to national security, which includes classified NSA and U.S. Cyber Command files, documents and other data. If convicted, he faces a maximum sentence of 10 years in prison for each of the 20 counts of willful retention of national defense information.

Freedman says he is unsure whether Senate Intelligence will open a specific investigation in response to the Martin incident. When asked the same question, Souza declined to comment on “any committee business.”

NCSC study

Subsequent to Martin’s arrest, President Barack Obama asked the National Counterintelligence and Security Center to do a study on what happened, said agency Director William Evanina at an event hosted last week by the Institute for Critical Infrastructure Technology, a cybersecurity think tank. Founded in 2014, the NCSC, which is organized within the ODNI’s larger framework, works to identify and counter foreign espionage operations aimed at U.S. agencies and private businesses.


The Martin study cannot be completed until the FBI investigation is finished. NCSC was tasked with a similar study after the Snowden leaks.

“[After] Snowden we put all kinds of programs in place to stop not only someone from taking all the things he took but also to stop the bleeding if he got anything good. So what we found after this major study was that you could have the best of all that stuff but you can’t stop someone from walking out of the building with something. It’s just not going to happen,” Evanina said.

It remains unclear if, how and to what degree the intelligence community has instituted new protections in the aftermath of Martin.

Aftergood said he would expect the NSA, Martin’s last post, to respond by conducting — at minimum — a counterintelligence investigation into Martin’s contacts, a damage assessment to understand the consequences of the compromised information and a “security lessons-learned effort” to draw appropriate conclusions to stop future threats.

“The goal is stop them, he or she, before they even decide to do [what Snowden or Martin did],” Evanina said, in general terms, about countering insider threats. “We have to find a way to identify Martin ahead of time and say ‘hey listen I know things are rough, you’re having problems, but there are other options and those other options are not putting stuff in the Washington Post’s dropbox.”


He added, “we haven’t perfected [insider threat detection] in the government at all, okay. We have some agencies that are there and we have some that have a long way to go. We have minimum requirements for insider threat programs [introduced by NISPOM Change 2] … not everyone in the government has that yet.”

The NCSC, over the last two years, has been able to successfully spot federal employees that were exhibiting characteristics typical of a leaker, Evanina said. He did not elaborate on those specific cases except to say the results have been conveyed to Congress and that in 2015 the NCSC prevented a “double digit” number of insider threats. In the last two months alone, however, there were two major incidents, Evanina explained in vague terms, including one case where a U.S. defense contractor leaked 250GB worth of unclassified data to a foreign military.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts