July 4, 2013
Resume Shows Snowden Honed Hacking Skills
By CHRISTOPHER DREW and SCOTT SHANE
In 2010, while working for a National Security Agency contractor, Edward J. Snowden learned to be a hacker.
He took a course that trains security professionals to think like hackers and understand their techniques, all with the intent of turning out "certified ethical hackers" who can better defend their employers' networks.
But the certification, listed on a resume that Mr. Snowden later prepared, would also have given him some of the skills he needed to rummage undetected through N.S.A. computer systems and gather the highly classified surveillance documents that he leaked last month, security experts say.
Mr. Snowden's resume, which has not been made public and was described by people who have seen it, provides a new picture of how his skills and responsibilities expanded while he worked as an intelligence contractor. Although federal officials offered only a vague description of him as a "systems administrator," the resume suggests that he had transformed himself into the kind of cybersecurity expert the N.S.A. is desperate to recruit, making his decision to release the documents even more embarrassing to the agency.
"If he's looking inside U.S. government networks for foreign intrusions, he might have very broad access," said James A. Lewis, a computer security expert at the Center for Strategic and International Studies. "The hacker got into the storeroom."
In an age when terabytes of data can be stashed inside palm-size devices, the new details about Mr. Snowden's training and assignments underscore the challenges that the N.S.A. faces in recruiting a new generation of free-spirited computer experts with diverse political views.
Mr. Snowden, who is now marooned at an airport in Moscow waiting to see if another country will grant him asylum, has said he leaked the documents to alert the public to the sweeping nature of the American government's surveillance. He took a job as an "infrastructure analyst" with Booz Allen Hamilton in April at an N.S.A. facility in Hawaii, he has said, to gain access to lists of computers that the agency had hacked around the world.
Mr. Snowden prepared the resume shortly before applying for that job, while he was working in Hawaii for the N.S.A. with Dell, the computer maker, which has intelligence contracts. Little has been reported about his four years with Dell, but his resume, as described, says that he rose from supervising computer system upgrades for the spy agency in Tokyo to working as a "cyberstrategist" and an "expert in cyber counterintelligence" at several locations in the United States.
In what may have been his last job for Dell in Hawaii, he was responsible for the security of "Windows infrastructure" in the Pacific, he wrote, according to people who have seen his resume. He had enough access there to start making contacts with journalists in January and February about disclosing delicate information. His work for Dell may also have enabled him to see that he would have even more access at Booz Allen.
Some intelligence experts say that the types of files he improperly downloaded at Booz Allen suggest that he had shifted to the offensive side of electronic spying or cyberwarfare, in which the N.S.A. examines other nations' computer systems to steal information or to prepare attacks. The N.S.A.'s director, Gen. Keith B. Alexander, has encouraged workers to try their skills both defensively and offensively, and moving to offense from defense is a common career pattern, officials say.
Whatever his role, Mr. Snowden's ability to comb through the networks as a lone wolf -- and walk out the door with the documents on thumb drives -- shows how the agency's internal security system has fallen short, former officials say.
"If Visa can call me and say, 'Are you in Dakar, Senegal?' when they see a purchase that doesn't fit my history, then we ought to be able to detect something like this," said Michael V. Hayden, a former director of the N.S.A. and the C.I.A. "That continuous monitoring does not seem to have been in place."
But Michael Maloof, a software developer who supplied internal monitoring systems to private companies, said that with Mr. Snowden's training in hacking, he "would have known to keep his probes low and slow, a little bit here, a little bit there, so there was nothing to detect."
If alarms went off as he grabbed documents, Mr. Maloof said, Mr. Snowden might have been able to explain away the alerts by saying that he was merely testing the protections as part of his security job.
Mr. Snowden grew up in Baltimore's southern suburbs, where many of his neighbors would have been tech-savvy N.S.A. employees working at the agency's headquarters at Fort Meade. Conventional schooling did not agree with him, and he dropped out of high school and eventually sought technical training in a series of courses.
As early as 2003, when he was 20, he showed interest in the skills, prized by hackers, required to operate anonymously online. "I wouldn't want God himself to know where I've been, you know?" he, or someone identified as him from his screen name and other details, wrote on a forum on the tech news site Ars Technica.
Three years later, about the time he joined the C.I.A., he had discovered the long list of jobs available to anyone with computer expertise who could pass a detailed "lifestyle" polygraph test and get a security clearance. "If you're cleared, have a lifestyle, and have specialized I.T. skills, you can go anywhere in the world right now," he wrote under the screen name TheTrueHOOHA.
By the next year, he was a C.I.A. technician posted in Geneva, operating under cover as a "diplomatic attache," as his resume calls the job. His C.I.A. job appears to have been standard I.T. work, though in an exotic high-security setting.
He was "called upon repeatedly" for TDYs, he wrote, using government jargon for temporary duty, "including support of U.S. president." That reference, government officials say, is probably related to assistance with computer security or other routine assignments during presidential trips to Europe.
Mr. Snowden said he got "six months of classified technical training," and he claimed to have served as "technical adviser to 3rd countries across the region," presumably meaning Europe.
Evidently still in Switzerland in early 2009, Mr. Snowden referred to the United States' aggressive high-tech spying, but with a sarcastic edge.
"We love that technology," he wrote in a chat later published by Ars Technica.  "Helps us spy on our citizens better."
By 2010, he had switched agencies and moved to Japan to work for Dell as an N.S.A. contractor, and he led a project to modernize the backup computer infrastructure, he said on the resume. That year also appears to have been pivotal in his shift toward more sophisticated cybersecurity.
He gained his certification as an "ethical hacker" by studying materials that have helped tens of thousands of government and corporate security workers around the world learn how hackers gain access to systems and cover their tracks.
The program, operated by a company called EC-Council, has a code of honor that requires ethical hackers to keep private any confidential information that they obtain in checking systems for vulnerabilities. Sanjay Bavisi, the company's president, said he knew of only one person who had lost his certification for making information public.
For years, N.S.A. officials have visited hacker gatherings to promote the agency and recruit workers. General Alexander, the director, gave the keynote address a year ago at Defcon, a large hacker conference, in Las Vegas. But Mr. Snowden's profile will now be carefully studied by intelligence officials for clues about how to hire skilled young hackers without endangering the agency's secrets.
John R. Schindler, a former N.S.A. official who now teaches at the Naval War College, said that the background investigation for Mr. Snowden's security clearance was clearly flawed. "For years, N.S.A. and now the Cyber Command have struggled with how to relate to the hacker community," he added. "It's obvious that some sort of arrangement to allow hackers to work for N.S.A. and the intelligence community in a systematic way is needed."