Book Review: How America Lost Its Secrets

Cybersecurity Canon Candidate Book Review: “How America Lost Its Secrets: Edward Snowden, The Man and The Theft,” by Edward Jay Epstein (Published: January 17, 2017)

Book reviewed by: M. K. Palmore, Field CSO (Americas), Palo Alto Networks.

Bottom Line: I don’t recommend this book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.

Review: 

Espionage exists in a world all its own, especially as it relates to maintaining and securing national secrets. The training, mindset and experiential learning of anyone immersed in this world of cloak-and-dagger outcomes are unique and not widely understood. This book provides a high-level look into this world. As a career intelligence community official, I get an image of the Emperor wearing no clothes when I read about the boldness of the activity of Edward Snowden and the inability of our agencies to identify and track the activities of an employee and contractor. 

In “How America Lost Its Secrets,” author Edward Jay Epstein dives deeply into the circumstances of the Edward Snowden affair and provides the necessary details for anyone to walk away with a better understanding of what is being called the most devastating blow to U.S. Intelligence since the creation of our modern-day security apparatus. The first thing you realize in Epstein’s undertaking is that he intends to fill the reader’s information, timing and general knowledge gaps. This is refreshing for both the casual Snowden observer and those of us who expect that we know much of what is in the common domain about Edward Snowden’s data theft. Epstein presents a figure whose image at the end is not necessarily shrouded in secrecy, but also not fully clear. This is the nature of all matters of espionage.

As I digest the structure of “How America Lost Its Secrets,” I see the book in terms of four phases (my dissection, not Epstein’s). In what I will call Phase I, Epstein does an admirable job laying out the background of Edward Snowden as a rather unfocused intelligence community aspirant. Snowden is shown to be rather unremarkable in the traditional academic arena. Like most young people on the internet, Snowden cultivates an image of himself that does not necessarily align with reality. His short stint as an employee with the CIA comes to a surprising close when he is found to be tampering with access to digital information – a precursor to future endeavors. This highlights the rather glowing gap in the hiring practices of our intelligence agencies, as information is not shared from one entity to the next in the hiring or background process. The circumstances of the departure should have made Snowden ineligible for further employment, with both intelligence agencies and their overly trusted contract entities.

Phase II shows a rather determined individual taking affirmative steps to gain access to higher levels of intelligence through discernable patterns of deception. This ultimately succeeds. For example, he moved from Dell, where he served as a contract system administrator working on NSA systems with access to low-level classified information, to Booz Allen Hamilton, where his access was compartmented and carried increased risk. This, again, should have raised warning bells, as he was given access to more closely guarded materials. The remainder of this section should serve as a roadmap for security practitioners as they look to identify tools that would have signaled Snowden’s activities and may have prevented such large-scale data theft. “How America Lost Its Secrets” covering the possible methods that an individual could have used to gain access to more than 20 sensitive compartments, without appropriate credentials, and then transfer that information to a thumb-drive. Reading this would make any security professional want to shut down any and all simple data transfer methods in their environment. 

In Phase III, we are presented with unanswered questions that will likely continue to go unanswered. We have Snowden’s statements, the statements of others and the facts of the situation. These provide some, but not all, of the answers necessary to understand how this happened in one of the more restrictive work environments ever. 

In the final phase of the examination, we are brought back to where we started. How could this have happened? Is Snowden a privacy hero, spy or a co-conspirator? Epstein noticeably avoids making any judgments concerning Snowden’s status as either Whistleblower or Wanted Criminal and Spy. As the reader, you are left to draw your own conclusions. What is clear is that in the end, we are left with questions which can only be answered by Edward Snowden and the others he potentially conspired with to carry out this data theft.

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!