Tech firms seek former US government cyber warriors to get around Russia-cooption allegations
23 Oct 2017 - 22:46
By Gerrit De Vynck, Nafeesa Syeed & Chris Strohm / Bloomberg
Under siege for letting their platforms be co-opted by Russian hackers during the 2016 election, Silicon Valley companies are learning what many businesses with interests in Washington have long known: It pays to have staff with government security clearances.
Major players in technology are bolstering their workforces with former government employees holding top-secret and higher clearances needed to share classified information, as congressional probes and a federal investigation led by Special Counsel Robert Mueller continue to unearth information about Russia’s meddling in last year’s election.
“We are starting to see platforms in the social-media arena being used by bad actors -- in ways for which they were never intended,” Ned Miller, chief technology strategist for the public sector for Intel Corp.’s McAfee, said in an interview. “So the folks that build those newer platforms are now demonstrating interest in acquiring talent that has a lot more cybersecurity resources and background.”
In doing so, companies such as Facebook Inc. are competing with defense contractors, financial firms and the U.S. government itself. Security clearances are a rare and valued commodity, whether at a bank trying to prevent hackers from stealing credit-card data and emptying accounts or at a manufacturer building parts for a stealth fighter or missile-defense radar system.
Bringing former government cyber warriors on board at companies can facilitate interactions with U.S. agencies like the NSA or CIA as well as help the firms understand how to build stronger systems on their own.
“They have the tradecraft,” said Ronald Sanders, a former associate director of the Office of the Director of National Intelligence and now director of the school of public affairs at the University of South Florida. “And the tradecraft is some of the best in the world.”
One shared lesson from the 2016 election attacks and high-profile breaches at companies such as Sony Corp. and Equifax Inc., analysts say, is that companies need to be more proactive in boosting their security.
“You have to hunt threats, otherwise threats will hunt you,” said Eric O’Neill, a national security strategist at cyber firm Carbon Black. O’Neill is also a former FBI agent and national security lawyer who worked on security clearances.
But finding skilled employees who come with clearances isn’t easy.
Applicants for clearances fill out a standard form, known as the SF-86, that requires listing every residence where the person has lived going back 10 years, including the name and current contact information for a “neighbor or other person” who knew them at that location.
Then they do the same for every job they’ve had over a decade. If the applicant was ever fired from a job, or left because of unsatisfactory performance reviews, they have to explain that in detail. Are they divorced? If so, they have to spell out where records of that separation can be found.
And if the applicant is a dual citizen, ever traveled on a passport from a foreign country -- as many workers in the technology industry have -- or married someone from abroad, additional layers of questions apply. There’s even a section asking about any previous use of marijuana -- now legal in some states but illegal under federal law -- or any previous “misuse” of prescription drugs.
“Loyalty to the United States, strength of character, trustworthiness, honesty, reliability,” are among the attributes sought in the process, according to the U.S. State Department website.
Events in recent years have underscored that there’s good reason for such precaution on the government’s part -- and that the process doesn’t stop all bad actors from getting through.
The National Security Agency, which targets foreign communications, has been the subject of at least three major breaches in recent years, including the classified disclosures by contractor Edward Snowden in 2013. An NSA contractor arrested last year was accused of stealing more than 50,000 gigabytes, or 500 million pages, of classified data and storing it at home and in his vehicle.
In September 2013, a gunman with a security clearance and valid identification card entered Washington’s Navy Yard facility and killed or wounded 20 people before being shot by police. Afterward, investigators found he had received a 10-year security clearance despite being arrested years earlier for a firearm violation.
The Office of Personnel Management estimates completing the SF-86 form takes 2 1/2 hours. That might be conservative. After it’s filed, the government assigns investigators to go through it and reach out to current and former neighbors, friends, ex-spouses and employers.
Taking 311 Days
According to the National Counterintelligence and Security Center, each investigation conducted by the National Background Investigations Bureau costs about $6,000. And it’s seldom a speedy process: It took an average of 311 days for someone to obtain a top secret clearance, according to the most recently available data.
Top-secret clearance may not even be sufficient for many jobs. Specialized clearances, often required for the most highly sensitive information, can take even longer.
Yet having greater access to government information could help companies such as Facebook and Twitter Inc. go after suspicious accounts more proactively by comparing notes with the government’s intelligence agencies and getting a better idea of what to look for, something the companies have struggled with.
“My sense is they’re working with the government to figure out what happened, and they want their own people at the table,” O’Neill, the former FBI operative, said.
More than 3,000 ads that Facebook provided to congressional investigators in September have been linked to the Internet Research Agency, a secretive company based in Russia long known for pushing Kremlin propaganda. Twitter was able to find Russian-linked accounts on its own network only by comparing its user base to the Facebook data. Alphabet Inc.’s Google, in turn, used Twitter data to find accounts on its own websites that it believes may be linked to Russia.
Even though the companies are working together, things have fallen through the cracks. One group of videographers, which Twitter and Facebook shut down in August after finding a link to Russia, was still live on Google’s YouTube website two months later. It was pulled down only after the Daily Beast pointed it out on Oct. 8.
Tech companies’ progress in stopping hackers will be front and center on Capitol Hill on Nov. 1, when top lawyers for Facebook, Twitter and Google will face congressional committees investigating Russia’s election interference. Separately, senators from both parties have proposed a bill calling for strict record-keeping and disclosure of who’s paying for online political ads. To stave off regulatory moves in Washington, the companies must convince lawmakers they’re able to combat a reprise of what happened in last year’s campaign.
Former Secretary of State Condoleezza Rice, now a professor at Stanford University, said they’ve got some work to do.
In Silicon Valley, “we all want to protect privacy but we also want to protect the country, and that conversation isn’t going on in a very effective way,” Rice said Oct. 19 at a conference in New York. “From the Silicon Valley perspective, I think these companies are recognizing now their responsibilities.”