When Edward Snowden walked out of the NSA in 2013 with thumb drives full of its most secret files, the agency didn't have a reliable list of peoplelike Snowdenwho had privileged access to its networks. Nor did it have a reliable list of those who were authorized to use removable media to transfer data to or from an NSA system.
That's one of the alarming revelations in a Department of Defense Inspector General report from last year. The report, which was ordered by Congress, reviewed whether the NSA had completed some of the most important initiatives it has started in response to the Snowden leak to make its data more secure. The New York Times obtained the DOD IG report via FOIA.
The most shocking detail in the report is that even at the new National Security Agency data center in Utah, "NSA did not consistently secure server racks and other sensitive equipment" in data centers and machine rooms. At the Utah Data Center and two other facilities, the report stated, "we observed unlocked server racks and sensitive equipment." The finding that the NSA wasn't locking down all its server racks was first disclosed and reported in a House Intelligence Committee Report on Edward Snowden's leaks released in December.
But the more fundamental problem revealed in the report is that the NSA has done little to limit the number of people who have access to what are supposed to be the most protected hardware the NSA has.
The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorized to use removable media to transfer data to or from an NSA system (what the report calls DTAs).
The government's apparent lack of curiosity is fairly alarming
But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak. With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."
There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable. The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels. Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.
NSA headquarters in Maryland. Image: MJB/Flickr
The government's apparent lack of curiosityat least in this reportabout which of these was the case is fairly alarming, because it is a critically important question in assessing why NSA continues to have serious data breaches. For example, it would be important to know if Hal Martin, the Booz Allen Hamilton contractor accused of stealing terabytes of NSA data in both hard copy and digital form, showed up on these lists or if he simply downloaded data for decades without authorization to do so.
Even given the real concern that Russia or someone else might have reason to want to make the names of PRIVACs and DTAs inaccessible at precisely the time the NSA reviewed the Snowden breach, the NSA's subsequent action does provide support for the likelihood the agency itself was hiding how widespread PRIVAC and DTA access was. For both categories, DOD's Inspector General found NSA did not succeed in limiting the number of people who might, in the future, walk away with classified documents and software.
With PRIVACs, the NSA simply "arbitrarily" removed privileged access from some number of users, then had them reapply for privileged access over the next 3 months. The NSA couldn't provide DOD's IG with "the number of privileged users before and after the purge or the actual number of users purged." After that partial purge, though, NSA had "a continued and consistent increase in the number of privileged users."
As with PRIVACs, the NSA "could not provide supporting documentation for the total number of DTAs before and after the purge" and so was working from an "unsubstantiated" estimate. After the Snowden leak, the NSA purged all DTAs and made them reapply, which they did in 2014. The NSA pointed to the new number of DTAs and declared it a reduction from its original "unsupported" estimate. When asked how it justified its claim that it had reduced the number of people who could use thumb drives with NSA's networks when it didn't know how many such people it had to begin with, the NSA explained, "although the initiat[iv]e focused on reducing the number of DTA, the actions taken by NSA were not designed to reduce the number of DTAs; rather they were taken to overhaul the DTA process to identify and vet all DTAs." The IG Report notes that the NSA "continued to consistently increase the number of DTAs throughout the next 12 months."
When, in 2008, someone introduced a worm into DOD's networks via a thumb drive, it decreed that it would no longer use removable media. Then, after Chelsea Manning exfiltrated a bunch of documents on a Lady Gaga CD, the government again renewed its commitment to limiting the use of removable media. This report reveals that only in the wake of the Snowden leaks did the NSA get around to developing a vetted list of those who could use thumb drives in NSA's networks. Yet as recently as last year, Reality Winner (who, as an Air Force translator, was presumably not a privileged access user at all) stuck some kind of removable media into a Top Secret computer, yet the government claims not to know what she downloaded or whether she downloaded anything at all (it's unclear whether that Air Force computer came within NSA's review).
When contacted with specific questions about its inability to track privileged users, the NSA pointed to its official statement on the DOD IG Report. "The National Security Agency operates in one of the most complicated IT environments in the world. Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock." The Office of Director of National Intelligence did not immediately respond with comment to my questions.
Yet this issue pertains not just to the recent spate of enormous data breaches, which led last month to the worldwide WannaCry ransomware attack using NSA's stolen tools. It also pertains to the privacy of whatever data on Americans the NSA might have in its repositories. If, three years after Snowden, the NSA still hasn't succeeded in limiting the number of people with the technical capability to do what he did, how can NSA ensure it keeps Americans' data safe?
Excerpt from:
The NSA Has Done Little to Prevent the Next Edward Snowden ... - Motherboard
- WikiLeaks' Julian Assange: NSA critics got lucky because agency had no PR strategy - April 26th, 2014 [April 26th, 2014]
- National Speakers Association New Jersey Chapter NSA - April 26th, 2014 [April 26th, 2014]
- National Security Agency - Wikipedia, the free encyclopedia - April 26th, 2014 [April 26th, 2014]
- NSA - Satu Hari Di Bulan Juni (TULUS) (COVER) - Video - April 26th, 2014 [April 26th, 2014]
- Hong Kong: Protesters blow whistles for NSA whistle blower - Video - April 26th, 2014 [April 26th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 2 of 2) - Video - April 26th, 2014 [April 26th, 2014]
- UK: China will offer fig leaves to US exposed by NSA leaker - Assange - Video - April 26th, 2014 [April 26th, 2014]
- NSA ~ (Autodidactism) Whistleblowing - Video - April 27th, 2014 [April 27th, 2014]
- Dropping #NSA Knowledge Like a Clumsy Librarian - Video - April 27th, 2014 [April 27th, 2014]
- Full Show: Disband The NSA or; Corruption in the Capitol FO SHIZZLE {aTV002} - Video - April 27th, 2014 [April 27th, 2014]
- NSA DOCUMENTARY SIX YEARS BEFORE SNOWDEN - Video - April 27th, 2014 [April 27th, 2014]
- ShmooCon 2014: The NSA: Capabilities and Countermeasures - Video - April 27th, 2014 [April 27th, 2014]
- NSA Knew Of Heartbleed Bug, Refused To Protect Americans - Video - April 27th, 2014 [April 27th, 2014]
- Former NSA Head To Become Columnist For Conservative Paper To Discuss Intelligence - Video - April 27th, 2014 [April 27th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 1 of 2) - Video - April 27th, 2014 [April 27th, 2014]
- Keynote Address by Shri Shivshankar Menon, NSA at International Seminar on Kautilya - Video - April 27th, 2014 [April 27th, 2014]
- NSA Wiretapping: A 4th Amendment Violation?: Blake Norvell at TEDxSMU - Video - April 27th, 2014 [April 27th, 2014]
- Hang with Rand: Email Privacy, NSA Spying, and Defending Our Civil Liberties - Video - April 27th, 2014 [April 27th, 2014]
- NSA Surveillance and What To Do About It - Bruce Schneier - Video - April 27th, 2014 [April 27th, 2014]
- READER SUBMITTED: NSA CT April 2014 Meeting - April 28th, 2014 [April 28th, 2014]
- MVI 1847 Obama's NSA Denies FOIA About MH 370! - Video - April 28th, 2014 [April 28th, 2014]
- George Galloway's Sputnik: Ewen MacAskill on Guardian / Edward Snowden NSA leaks (26Apr14) - Video - April 28th, 2014 [April 28th, 2014]
- CIA & NSA DIRECTED ENERGY WEAPON ATTACK ON WHISTLE BLOWER - Video - April 28th, 2014 [April 28th, 2014]
- Book TV - 2014 San Antonio Book Festival: Panel on the NSA, Big Brother, and Democracy - Video - April 28th, 2014 [April 28th, 2014]
- NSA Throwdown: John Oliver v. 60 Minutes - April 29th, 2014 [April 29th, 2014]
- NSA will sit on security vulnerabilities because of terrorism - April 29th, 2014 [April 29th, 2014]
- New water records show NSA Utah Data Center likely behind schedule - April 29th, 2014 [April 29th, 2014]
- MVI 1871 NSA Might Be OnTo Me! - Video - April 29th, 2014 [April 29th, 2014]
- ZyXEL NSA 325 v2 Hands On - Deutsch / German notebooksbilliger.de - Video - April 29th, 2014 [April 29th, 2014]
- German opposition says US should destroy Merkel's NSA file - Video - April 29th, 2014 [April 29th, 2014]
- Germany: NSA spying "unacceptable" says SPD - Video - April 29th, 2014 [April 29th, 2014]
- NSA Surveillance 2 - Video - April 29th, 2014 [April 29th, 2014]
- NSA Surveillance Panel 1 - Video - April 29th, 2014 [April 29th, 2014]
- Chalk Talk How Snowden Breached NSA Security - Video - April 29th, 2014 [April 29th, 2014]
- NSA reveals some cyber security flaws are left secret - April 30th, 2014 [April 30th, 2014]
- NSA data center uses less water than expected - April 30th, 2014 [April 30th, 2014]
- April 2014 Breaking News Do you use Google or Yahoo? NSA Intercepts Google And Yahoo Traffic - Video - April 30th, 2014 [April 30th, 2014]
- Supreme Court could weigh in on NSA case, justice says - May 1st, 2014 [May 1st, 2014]
- New NSA chief: Agency has lost trust - May 1st, 2014 [May 1st, 2014]
- NSA on Heartbleed: 'We're not legally allowed to lie to you' - May 1st, 2014 [May 1st, 2014]
- What's The NSA Doing Now? Training More Cyberwarriors - May 1st, 2014 [May 1st, 2014]
- Anonymous NSA - Video - May 1st, 2014 [May 1st, 2014]
- Cutting off H2O to the NSA - Video - May 1st, 2014 [May 1st, 2014]
- Brazil: Greenwald slams US media, shares tips to avoid NSA - Video - May 1st, 2014 [May 1st, 2014]
- NSA IS TRYINGG 2 KILL ME FAMS - Video - May 1st, 2014 [May 1st, 2014]
- What was more popular on Twitter, NSA, NRA or NBA..today? - Video - May 1st, 2014 [May 1st, 2014]
- CIS111: NSA Uncovered - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (6/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (4/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (3/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (2/6) - Video - May 1st, 2014 [May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (1/6) - Video - May 1st, 2014 [May 1st, 2014]
- Germany: NSA may have accidentally outed secret base - Video - May 1st, 2014 [May 1st, 2014]
- ZyXEL NSA 325 v2 Installations-Wizard - Deutsch / German notebooksbilliger.de - Video - May 1st, 2014 [May 1st, 2014]
- Tech firms to increase alerts about police requests for data -- report - May 2nd, 2014 [May 2nd, 2014]
- German Chancellor Angela Merkel visits US, after the NSA eavesdropping scandal - Video - May 2nd, 2014 [May 2nd, 2014]
- NSA spies on more US citizens than Russians Snowden - May 3rd, 2014 [May 3rd, 2014]
- THE NEXT NSA?Police under scrutiny for using spying technology - May 3rd, 2014 [May 3rd, 2014]
- Ukraine and NSA will test Merkel - Video - May 3rd, 2014 [May 3rd, 2014]
- The Latest Attacks On NSA Whistleblower Edward Snowden - Kevin Gosztola Discusses - Video - May 3rd, 2014 [May 3rd, 2014]
- Still Report #246 - NSA Classifies MH370 Material - Video - May 4th, 2014 [May 4th, 2014]
- Code Talker Induction into NSA Hall of Honor - Video - May 4th, 2014 [May 4th, 2014]
- NSA ( National Security Agency ) refusal to release documents on UFO's - Video - May 4th, 2014 [May 4th, 2014]
- Obama & NSA Refuse FOIA Request on Malaysia Flight deemed classified - Video - May 4th, 2014 [May 4th, 2014]
- Kafkawinstons World`s Channel Terminated NSA is replacing Channel`s with Sockpuppet Channel`s - Video - May 4th, 2014 [May 4th, 2014]
- NSA Volunteer Justin Hall at the NSA Comedy Tour February 2014 - Video - May 4th, 2014 [May 4th, 2014]
- Barack Obama on NSA Surveillance I'd Be Concerned Too If I Wasn't in Government - Video - May 4th, 2014 [May 4th, 2014]
- GBPPR Vision #26: Overview of the NSA's TAWDRYYARD Radar Retro-Reflector - Video - May 4th, 2014 [May 4th, 2014]
- NSA proof phone Case - Video - May 5th, 2014 [May 5th, 2014]
- 2014 NSA 2014 Million Dollar Publisher's Lab - Video - May 5th, 2014 [May 5th, 2014]
- Gen. Michael Hayden - the Former Director of NSA and the CIA - Video - May 5th, 2014 [May 5th, 2014]
- REVEALED: Here's The Solution To That Encoded NSA Puzzle Tweet - May 5th, 2014 [May 5th, 2014]
- Michael Hayden's Unwitting Case Against Secret Surveillance - May 5th, 2014 [May 5th, 2014]
- NSA's Encrypted Tweet: We're Hiring Code Breakers - May 5th, 2014 [May 5th, 2014]
- Russ Tice: Life as a NSA Whistleblower - Video - May 5th, 2014 [May 5th, 2014]
- What Is Going on at NSA These Days - Video - May 5th, 2014 [May 5th, 2014]
- What is the Role of the NSA? AFF Dallas Debates - Video - May 5th, 2014 [May 5th, 2014]
- Edward Snowden said CIA , and NSA had 52. 6 Billion for black budget - Video - May 5th, 2014 [May 5th, 2014]
- NSA looks to appeal to young cryptographers through coded ads - May 6th, 2014 [May 6th, 2014]
- Code Cracked: Mysterious NSA Tweet Is Decrypted in Seconds - May 6th, 2014 [May 6th, 2014]