What we know for sure about Snowden's work in U.S. intelligence

(originally posted 29.12.2016 on Google+)


This is an update of a previous article[11], reflecting knew facts from the declassified HSPCI report[12]. Please note that I although correct a mistake in my former post: Snowden's ECSA training was 2010, not 2009.

Very much of Snowden's career at CIA, Dell and Booz Allen Hamilton (under the latter two he had access to the NSA) are still a mystery in big parts. This is because very little official statements are made by his former employers, very little documents about his jobs are released, and on the other side we should not simply rely on claims verified only by Snowden himself.

From the very beginning of the Snowden saga, there was always a dispute between the NSA (or the U.S. government), who said Snowden was only a low-level IT technician with no insight into NSA's SIGINT apparatus, and Snowden and his supporters, who maintained he was a senior-level spy who clearly understood the documents he copied and released to journalists. With this post, I will try to recap the facts we know for sure so far (or for which there is at least good evidence), and then deduce some conclusions.


Snowden's time at CIA

According to the declassified HSPCI report[1], Snowden's career in U.S. intelligence started as a CIA contractor for BAE Systems, and in August 2006 he converted to a CIA employee. He worked as an CIA employee until March/April 2009.

The HPSCI report[1] described him as an entry-level technician:

'He claimed to have worked for the CIA as a "senior advisor," which was a gross exaggeration of his entry-level duties as a computer technician.'

This statement was challenged by Barton Gellman, who answered[2]:

'Judge for yourself. Here are the three main roles Snowden played at the Central Intelligence Agency (CIA). (1) His entry level position, as a contractor, was system administrator (one among several) of the agency’s Washington metropolitan area network. (2) After that he was selected for and spent six months in training as a telecommunications information security officer, responsible for all classified technology in U.S. embassies overseas. The CIA deployed him to Geneva under diplomatic cover, complete with an alias identity and a badge describing him as a State Department attache. (3) In his third CIA job, the title on his Dell business card was “solutions consultant / cyber referent” for the intelligence community writ large—the company’s principal point of contact for cyber contracts and proposals. In that role, Snowden met regularly with the chiefs and deputy chiefs of the CIA’s technical branches to talk through their cutting edge computer needs.'

However, Gellman didn't prove his claims with references. It is unclear if he has these informations because Snowden simply told him, or because Snowden could prove it to him with documents. I personally am skeptical about Gellman's claims, because in the same post he said:

'Well, no. He tried to fly to Ecuador, and the U.S. government trapped him in the Moscow transit lounge by revoking his passport.'

And this is simply no more than just an unconsidered repetition of a Snowden claim, which in the meantime is proven wrong: The U.S. government revoked Snowden's passport while he still was in Hong Kong[3].

The declassified HSPCI report[12] even more emphasizes that Snowden just hold low-level technician positions at CIA:

'Snowden was not, as he would later claim, a "senior advisor" at CIA. Rather, his only position as a CIA employee was as a Telecommunications Information Systems Officer, or TISO. The job description for a TISO makes clear that the position is an entry-level IT support function, not a senior executive. TISOs "operate, maintain, install, and manage telecommunications systems," and "provide project management and systems integration for voice and data communications systems," including "support to customers after installation."'

The report also stated that Snowden applied for a more senior position, but his supervisor did not endorse him:

'A few months after starting in [redacted], Snowden asked to apply for a more senior position in [redacted] as a regional communications officer. His supervisor did not endorse his application.'

The HPSCI report describes Snowden was an unsatisfied employee who regularly had disputes with his supervisors; he is depicted as technical quite skilled, but obviously only in the Microsoft Windows domain.


Snowden's time at Dell

According to the HPSCI report, Snowden switched from CIA to Perot Systems (which was bought by Dell later in 2009) in April 2009. From May 2009 to February 2012, Snowden worked in a variety of roles and locations supporting IC contracts for Dell.

Something interesting happened in September 2010. Snowden returned to the U.S., likely from Japan. Dell tried to move him to an IT support position at CIA, but the CIA refused to grant him access (likely because of past experiences), so that Dell had to put him on leave for 3 months until eventually another position was found. On his way back, Snowden obviously stopped over at New Delhi to attend an ECSA hacking training and certification[4]. It is not clear whether he privately joined this training or whether it was sponsored/required by Dell, but at least it shows that Snowden was interested in hacking, and that at least he had some good basic knowledge (I will neither under- nor over-evaluate these kind of certifications).

Another interesting new fact from the declassified HPSCI report is that from August 31, 2011, to January 11, 2012, Snowden took a leave of absence from Dell. No details or reasons are publicly known so far.

After his leave, Snowden took a new position an NSA's Hawaii Cryptologic Center. In March 2012, he moved to Hawaii. His job remained similar:

'The job Snowden performed in Hawaii was similar to his duties during the previous three years with Dell. He was a field systems administrator, working in technical support office of NSA Hawaii.'

There are FOIA documents about Snowden's time in Hawaii[5], for example this one[6]. It clearly shows that Snowden was engaged in end user support. It is not untypical for Windows administrators that they are also responsible for end user support.

So we know that Snowden's job, at least until August 2012, most likely until his switch to Booz Allen Hamilton, was a Microsoft Windows / Sharepoint administrator, or something similar.

According to the declassified HPSCI report, Snowden began the unauthorized downloading in July/August 2012. They stated that "Snowden used several methods to gather information on NSA networks, none of which required advanced computer skills", that he used tools like "wget" or "DownThemAll!", that he searched personal network drives of co-workers, and that he asked co-workers for their credentials in order to take advantage of their higher privileges, but many details are redacted.
Interesting is that HPSCI emphasizes "none of which required advanced computer skills", but on the other side they write that NSA had triggers for abnormal network traffic, that workstations had auditing controls, that Snowden was well aware of this, and that he exploited "thin-on-thick" workstation vulnerabilities (details are redacted, so I could only speculate what this really means) -- but this clearly sounds that at least some basic hacking skills were needed to successfully steal the mass documents undetected.


Snowden's time at Booz Allen Hamilton

This time, and the circumstances that led to the job change, is likely the most interesting phase, albeit the time itself at Booz Allen Hamilton was very short: We know for sure that Snowden started on April 1st[7] (the declassified HPSCI report said "late March") and that he flew to Hong Kong May 20th.

Former NSA director Mike McConnell said about Snowden and his application for a new job[8]:

'He then broke into the agency’s system and stole the admittance test with the answers, Mr. McConnell said. Mr. Snowden took the test and aced it, Mr. McConnell said. “He walked in and said you should hire me because I scored high on the test.” The NSA then offered Mr. Snowden a position but he said didn’t think the level-called GS-13 was high enough and asked for a higher-ranking job. The NSA refused. In early 2013, Booz Allen hired Mr. Snowden.'

This is interesting for two reasons. First McConnell accused Snowden to have hacked the application test and its answers, thus scored high on it. Something similar was stated by HPSCI[1]:

'He also doctored his performance evaluations and obtained new positions at NSA by exaggerating his resume and stealing the answers to an employment test.'

It should be noted that Gellman challenged these claims. Currently it is not possible to verify whether the accusations are right or wrong, but it seems clear that Snowden passed this test with a very good result.

The second interesting thing is that McConnell said they offered Snowden a GS-13 ranking job. According to Wikipedia, GS-13 marks a "high-level technical specialist" position[9]. So this, indeed, points to a "senior-level" position that Snowden often claimed -- but also keep in mind it only refers to the last weeks before Snowden flew to Hong Kong. And Snowden refused this job.

It should be noted that in the declassified HPSCI report it is clearly stated that the test was for a TAO (Tailored Access Operations, NSA's "elite hacking" group) position, but they said Snowden was offered a GS-12 job, not GS-13. And they repeated that Snowden had hacked the test in advance.

It seems clear, that after this, Snowden applied at Booz Allen Hamilton, and his former boss Steven Bay also gave an interesting interview[7]:

'Snowden’s interview took place in February 2013, Bay said, and he and his technical director were impressed with the man who had moved to Hawaii to work at an NSA facility originally as a Dell employee. “His resume came across, it looked solid, and it had a lot of the good technical things I was looking for,” Bay said. “The other big challenge we had was there was just not a lot of good technical talent in Hawaii. When we interviewed him, we had a set standard of questions, technical questions, that we asked. And we asked most of those questions and it was pretty evident early on that the questions were very simple for him.”'

So apparently Snowden could also impress here with his technical (hacking) skills. However, please also note that he was asked a standard set of questions, so it cannot be ruled out that Snowden was very good prepared with the (possibly stolen) NSA test questions and answers. And note that Bay said it was very hard to find good technicians in Hawaii at all.

But, after all, Snowden was able to convince with technical skills and he got the job.

Bay continued:

'“He asked me two or three times on how to get access to what essentially was the PRISM data — we didn’t call it that internally, but that’s kind of what everyone knows it is. That’s one of the interesting things about his story is that people don’t realize, he never actually had access to any of that data. All of the quote domestic collection stuff that he revealed, he never had access to that. So he didn’t understand the oversight and compliance, he didn’t understand the rules for handling it, and he didn’t understand the processing of it,” Bay said. He just “simply grabbed some PowerPoints” and “released those to the world,” according to Bay.'

So while Bay said that Snowden was a good technician, he also very clearly stated that Snowden had no clue about the programs he revealed, that he had none practical experience with them, that he clearly didn't understand them.

He continued:

'“I get frustrated by things like people considering Ed an expert in all things NSA, even though he was kind of a junior analyst and had a relatively junior role there. He’s not the foremost expert on this stuff. He’s a smart guy, don’t get me wrong, and he had experience, but he wasn’t some senior level person,” Bay said. “And the second part is, in my mind, Ed’s not a hero.”'

This a bit contradicts what NSA director Mike McConnell said, that NSA offered Snowden a GS-13 job. Bay clearly said Snowden had a junior-level role. But this is maybe explainable with what Snowden himself said, that he accepted a pay cut in order to get the job at Booz Allen, to be able to download even more files. So it is likely that we speak about two different kinds of jobs here: The NSA offered Snowden a job as an IT professional (where he already had good references and passed a test with a high score), while the job at Booz Allen was as an analyst, where he had to start as a junior. This also fits to an FOIA document, where Snowden is described as an "analyst-in-training"[10].

The declassified HPSCI report offered a few more details about Snowden's short-time job as an analyst:

'He would be a SIGINT Development Analyst, meaning he analyzed foreign networks and cyber operators to help NSA's National Threat Operation Center (NTOC) in its cyber defense efforts.'

So this means that even while his very short time as an analyst, Snowden worked in NSA's defensive arm. He never was in touch with NSA's offensive SIGINT arm.


Conclusions

Still much remains a mystery, much because we only have reliable facts for the time June to August 2012 and April to May 2013. But we know for sure that in August 2012 his job was as a Microsoft Windows administrator (or something alike), so it is at least unlikely that he had some senior-level job before.

What we also know for sure is that even at his last job at Booz Allen (which lasted for less than two months), he had at best a first insight into the work as an intelligence analyst, so we can rule out that he is a reliable witness for NSA SIGINT operations or programs.

Regarding Snowden's technical skills, the view is still ambivalent. In the past I often doubted on Snowden's technical skills at all, but I'm not sure anymore about this. It is possible that he had quite good technical and hacking skills, but most likely he gained these skills privately, it is very unlikely that he ever had a corresponding position at the NSA. Maybe this was a reason why he got frustrated. Let's hope some more documents are FOIA-released soon and will clear this up.



[1] http://intelligence.house.gov/uploadedfiles/hpsci_snowden_review_-_unclass_summary_-_final.pdf
[2] https://tcf.org/content/commentary/house-intelligence-committees-terrible-horrible-bad-snowden-report/
[3] https://twitter.com/MichaelBKelley/status/786913039178145792
[4] http://timesofindia.indiatimes.com/india/Edward-Snowden-sharpened-his-hacking-skills-in-Delhi/articleshow/26811526.cms
[5] https://news.vice.com/article/edward-snowden-leaks-tried-to-tell-nsa-about-surveillance-concerns-exclusive
[6] https://twitter.com/twrweb/status/739558093630152710
[7] https://www.thecipherbrief.com/article/exclusive/first-cipher-brief-snowdens-boss-shares-lessons-learned-1095
[8] http://www.wsj.com/news/articles/SB10001424052702304626804579363651571199832?mod=rss_Politics_And_Policy
[9] https://en.wikipedia.org/wiki/General_Schedule_%28US_civil_service_pay_scale%29
[10] https://twitter.com/twrweb/status/740658013997010949
[11] https://plus.google.com/+RolfWeber/posts/J8vgV9Zfsau
[12] http://intelligence.house.gov/uploadedfiles/hpsci_snowden_review_declassified.pdf