The National Security Agency, as it turns out, is just as reactive when it comes to information security as 99 percent of the enterprises out there.
America’s top spy agency gives out too much privileged access to employees and contractors, allows removable storage devices in sensitive areas, and has no system of checks and balances with regard to those employees with privileged access. And only when the stuff hits the fan, as it has with Edward Snowden, does it amp up its security.
NSA Technology Directorate Lonny Anderson was interviewed on National Public Radio yesterday and told the world that the agency’s investigators have figured out how Edward Snowden got his hands on all those sensitive documents.
“We have an extremely good idea of exactly what data he got access to and exactly how he got access to it,” Anderson told NPR’s Morning Edition.
So does everyone else: You gave it to him. And now in true reactive fashion, the NSA has tightened up its loose policies and clamped down on privileged access. Let the next Snowden try that again.
Vilified by some as a traitor and hailed by others as hero for outing the depths of the NSA’s surveillance of Americans in the name of national security, Snowden should serve as the poster child for the damage one insider with the right password can do to any organization. Here’s a Booz Allen contractor hired by the NSA as a system administrator who walked away with enough secret information to rock the faith of a nation in its Constitution, the notion of privacy each American is supposed to treasure, and corrupt the trust Americans have in the government.
U.S. senators such as Dick Durbin (D-Ill.) have grilled NSA officials including director Keith Alexander about Snowden and why the agency would give someone with relatively little experience—Snowden is a high school and community college dropout with a GED who once worked as a security guard for the NSA—clearance and access to classified information.
“I have great concerns over the process and access he had,” Alexander said in June before the Senate Appropriations Committee. “We have to look into it and fix it across the intelligence community. We have to look at the processes and oversight of those processes, determine where it went wrong and how we’re going to fix it.”
Could it all have been avoided? Sure, I suppose. But human nature being what it is, most of us don’t put measures in place to fix problems before they happen. We wait until our teeth hurt to go to the dentist. We put on 20 pounds too many before we watch what we eat. And we give out too much access and assign too many system permissions until documents go missing and people double up on their mistrust of the government.
Two unnamed officials also talked to NPR, saying that the access Snowden had was part and parcel of his job as a system admin. He had access to a NSA intranet page where documents, memos, PowerPoint slides and other data were stored in order for analysts to read and discuss them online. Snowden had secret compartmented clearance to the data; ironically enough it was his job to move those documents from the Intranet to a secure location for analysts to access them. Worse, NSA officials knew Snowden was accessing the data, but just figured he was doing his job, the NPR report said.
Anderson, the NSA CTO and CIO, said policies and procedures on the site have changed.
“Someone today could get access to that Intranet because it still exists,” Anderson said. “Could someone today do what he did? No.”
Back in June when the leaks were made public in the Guardian—and long before—Anderson acknowledged that NSA laptops had USB drives and analysts and admins had the ability to insert thumb drives and store data on removable media.
“One thing we have done post media leaks is lock those down hard so that those are all in two-person control areas,” Anderson said, referring to a new two-person rule implemented by the NSA post-Snowden. Details are scarce, but two NSA employees with similar roles must work together to perform certain tasks.
“It’s impossible to work on their own now,” Anderson said. “If you’ve got privileged access on our networks like a system administrator, you’re being given a privilege that very few people have. You’re not going to be doing anything alone.”
He also said that the NSA is tagging data, likely through some kind of rights management technology, enabling NSA leaders not only to determine who gets access to documents, but to monitor the data as it is being accessed.
The NSA should serve as an object lesson to any organization about the risks posed by privileged insiders. Resources exist from places such as Carnegie Mellon’s Software Engineering Institute that help you spot shady insiders and other trends in people and behavior that can limit potential damage. But will it make a difference? Probably not, because while most enterprises talk a good game about security, the fact is that most are doing just enough in order to comply with an industry regulation and loose policies will continue to be the norm.
Understand too that while it’s easier to be reactive when bad things happen than to anticipate every possibility and every outcome, remember that bad guys are really good at winning cat and mouse games; in fact, anyone intent on gaming any system is likely to be always be a step ahead of the good guy.