And why was he taking "ethical hacking" classes there?
- By Shane Harris
Shane Harris is a senior staff writer at Foreign Policy, covering intelligence and cyber security. He is the author of The Watchers: The Rise of America's Surveillance State, which chronicles the creation of a vast national security apparatus and the rise of surveillance in America. The Watchers won the New York Public Library’s Helen Bernstein Book Award for Excellence in Journalism, and the Economist named it one of the best books of 2010. Shane is the winner of the Gerald R. Ford Prize for Distinguished Reporting on National Defense. He has four times been named a finalist for the Livingston Awards for Young Journalists, which honor the best journalists in America under the age of 35. Prior to joining Foreign Policy, he was the senior writer for The Washingtonian and a staff correspondent at National Journal.
Nearly three years before he revealed himself as the source of leaked documents about NSA surveillance, Edward Snowden traveled to New Delhi, India. There, he spent six days taking courses in computer hacking and programming at a local professional school, according to school officials and people familiar with Snowden’s trip. Working with a private instructor, Snowden, who was then a contractor for the spy agency, took a course in "ethical hacking," where he learned advanced techniques for breaking into computer systems and exploiting flaws in software. The class’s ostensible purpose is to train students to protect computers and their contents from thieves and spies. But in order to do that, they learn how to break into computers and steal information. Snowden also inquired about methods to reverse-engineer the world’s most popular kits for committing widespread online crime.
Snowden didn’t disclose his India trip to investigators when renewing his top-secret security clearance the following year. It was that clearance, NSA officials say, that gave Snowden access to the 1.7 million classified files he later stole from the agency’s computer networks and databases. U.S. intelligence officials have faulted the company that conducted Snowden’s background check for not more thoroughly questioning him about overseas travel and what foreign nationals he may have met with, which is standard procedure for detecting whether someone is spying for a foreign power. They have characterized the background check as flawed and incomplete.
But Foreign Policy has learned that Snowden’s trip to India should not have been a mystery to the U.S. government or intelligence agencies. Snowden was in the country in his capacity as an NSA contractor "to assist as a technical expert" at the U.S. embassy in New Delhi, according to an individual with knowledge of the situation who asked not to be identified. Snowden also told his computer instructor that he worked for the NSA and that he was in the city "on business," said Rohit Aggarwal, the CEO and founder of the school, Koenig Solutions. Government employees and contractors are not required to disclose foreign trips of an official nature, and may even be instructed not to, in order to avoid compromising intelligence operations and programs, according to two former U.S. intelligence officials.
Snowden’s time in India has been covered in the Indian press but has received little attention in the United States. The travels offer a rare glimpse into his activities in the years before he became arguably the most famous leaker of classified secrets in American history.
Precisely what work Snowden did at the embassy in New Delhi is unclear. At the time, he worked as a technology specialist for Dell Inc. at an NSA facility in Japan. U.S. intelligence personnel are often stationed in American embassies, so it’s conceivable that Snowden could have been working on surveillance equipment in New Delhi. Among the documents that Snowden disclosed were those describing a program called Stateroom, which gathers electronic communications using equipment based in U.S. embassies around the world. Other documents Snowden released showed that the NSA may have spied on the Indian embassy in Washington and on the country’s mission to the United Nations.
Calls and emails to the U.S. embassy in New Delhi were not returned. Spokespersons for the NSA, the CIA, and the Office of the Director of National Intelligence all declined to comment for this article.
According to officials at the Koenig school, Snowden flew to India from Japan, arriving on Sept. 2, 2010, and staying for one night at New Delhi’s Hyatt Regency hotel. A Koenig representative picked him up at the hotel on Sept. 3 and then drove Snowden to a lodging facility provided by the school. He stayed there until Sept. 9 while he took classes, and then returned for one more night at the Hyatt before leaving India on Sept. 11, the school said. (Indian news publications, citing official travel and immigration documents, also show that Snowden was in the country during this period.)
Snowden’s instructor said he made no secret about his work for the NSA. While he didn’t describe the specific purpose of his visit, he did say he wanted to squeeze in some computer coursework while he was in town. The U.S. embassy is only six miles from the Koenig school. Snowden paid the $2,000 tuition and lodging fee himself, using a personal credit card, Aggarwal said.
Snowden’s instructor described him as quiet and diligent. He didn’t take many breaks. And he already had a high-level of knowledge about computer science, hacking, and programming.
Had background investigators inquired about Snowden’s travels, they likely would have asked if he’d had any contact with foreign nationals while he was abroad. All security clearance holders are required to disclose significant contact with foreigners. But any instructors and students Snowden met probably wouldn’t have risen to that level, a former intelligence official said. A Koenig spokesman said the school could only vouch for Snowden’s whereabouts while he was taking courses during the day. "Other than our people and students we would have no idea whom he met," said the spokesman, Somit Biswas.
In addition to the ethical hacking course, Snowden took a class in the Java computer programming language. Snowden said the course "would help him in ‘organizing a team who does’ work on Java" at Dell, a Koenig spokesperson said, citing a questionnaire that Snowden was required to fill out before he came to the school.
"His stated goal for coming to train at Koenig … was ‘getting knowledge and evaluating Koenig’s training program for my company. Certification might be nice, but it is not necessary,’" Biswas said. "He had also stated that his employers had approved Koenig as a training provider and that he would also be writing a review of the training experience which would help his company to evaluate Koenig as a future training partner and might be mutually beneficial to both."
David Frink, a spokesperson for Dell, declined to comment. "We have not discussed Mr. Snowden’s role with Dell and don’t plan to," he said. The Wall Street Journal reported last year that Snowden’s "work supervisor" informed investigators performing his background check that he had gone to India, but that they failed to clarify the purpose of the trip, resulting in a report that "did not present a comprehensive picture of Mr. Snowden," according to an intelligence documents.
Biswas said Snowden also inquired about courses in the analysis and reverse engineering of malicious computer code, such as the the ZeuS, Fragus, and SpyEye crimeware kits. That was a curious request, and potentially at odds with his interest in ethical hacking. Understanding malware is important for defending against it. But these are not ordinary malware. ZeuS is the world’s premier toolbox for custom-building online crime campaigns. It has been used to infect millions of computers around the world. All three programs have been used by criminals to commandeer individuals’ computers and to steal financial information. SpyEye allows criminals to create fake bank web pages, in order to trick people into entering their login and password, which the criminal then steals and uses to enter, and empty, their accounts. Last year, Microsoft filed a civil complaint alleging that clusters of computers infected with ZeuS have been used to steal more than $100 million.
It’s not clear why Snowden wanted to know about reverse engineering financial crime malware, but his resume indicates he may have been working on cyber security-related projects while a contractor with Dell. Koenig told Snowden that it didn’t offer courses along the lines he was interested in, but that it was considering adding them to its curriculum.
Snowden abruptly ended his coursework before completing a final portion of his training, Aggarwal said, in computer hacking forensics and an administrator course in the Linux operating system. "He was supposed to come back one morning, but he didn’t. He sent an email saying, please cancel the rest of my courses. I have a medical condition and need to go back to Japan for medical advice," according to Aggarwal. Snowden spent the night of September 10 at the Hyatt Regency, and then left India the next day, he said.
U.S. officials have said that Snowden began downloading secret NSA files while he was working for Dell, in April 2012. He went to work for another NSA contractor, Booz Allen Hamilton, the following year. Snowden told the South China Morning Post that he took the job in order to access classified NSA documents.
"My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked," Snowden said. "That is why I accepted that position about three months ago." Snowden worked for the company only a few months, at a facility in Hawaii. There, he took more documents before ultimately fleeing to Hong Kong. He is currently living in Russia, where the government has granted him temporary asylum.
A computer security training professional in the United States said it’s not unusual for Americans to take courses abroad, particularly in India, where the tuition is a fraction of what it can cost in the United States. But the expert criticized the teaching of so-called "ethical hacking."
"They can call it ‘ethical,’ it’s still hacking. You’re teaching someone how to break into a system," the expert said.
Aggarwal, the Koening CEO, said it’s not unusual to find U.S. intelligence employees taking courses at his school, and that between 50 and 100 American military service personnel take courses there each year, as well as at a location in Dubai. A Defense Department spokesman could not confirm that military personnel have taken courses at the school, or that it’s been approved by the Pentagon as a training facility. But personnel responsible for protecting the department’s computer systems are required to obtain commercial certificaitons, including in ethical hacking.