NSA Has Done Little To Prevent The Next Edward Snowden

When Edward Snowden walked out of the NSA in 2013 with thumb drives full of its most secret files, the agency didn't have a reliable list of people, like Snowden, who had privileged access to its networks.

Nor did it have a reliable list of those who were authorised to use removable media to transfer data to or from an NSA system.

That's one of the alarming revelations in a Department of Defense Inspector General report from last year. The report, which was ordered by Congress, reviewed whether the NSA had completed some of the most important initiatives it has started in response to the Snowden leak to make its data more secure.

The most shocking detail in the report is that even at the new National Security Agency data center in Utah, "NSA did not consistently secure server racks and other sensitive equipment" in data centers and machine rooms. At the Utah Data Center and two other facilities, the report stated, "we observed unlocked server racks and sensitive equipment."

The finding that the NSA wasn't locking down all its server racks was first disclosed and reported in a House Intelligence Committee Report on Edward Snowden's leaks released in December.

But the more fundamental problem revealed in the report is that the NSA has done little to limit the number of people who have access to what are supposed to be the most protected hardware the NSA has.

The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorised to use removable media to transfer data to or from an NSA system (what the report calls DTAs).

The government's apparent lack of curiosity is fairly alarming

But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak.

With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users."

The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."

There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable.

The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels.

Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.

The government's apparent lack of curiosity, at least in this report, about which of these was the case is fairly alarming, because it is a critically important question in assessing why NSA continues to have serious data breaches.

For example, it would be important to know if Hal Martin, the Booz Allen Hamilton contractor accused of stealing terabytes of NSA data in both hard copy and digital form, showed up on these lists or if he simply downloaded data for decades without authorisation to do so.

Even given the real concern that Russia or someone else might have reason to want to make the names of PRIVACs and DTAs inaccessible at precisely the time the NSA reviewed the Snowden breach, the NSA's subsequent action does provide support for the likelihood the agency itself was hiding how widespread PRIVAC and DTA access was.

For both categories, DOD's Inspector General found NSA did not succeed in limiting the number of people who might, in the future, walk away with classified documents and software.

With PRIVACs, the NSA simply "arbitrarily" removed privileged access from some number of users, then had them reapply for privileged access over the next 3 months. The NSA couldn't provide DOD's IG with "the number of privileged users before and after the purge or the actual number of users purged." After that partial purge, though, NSA had "a continued and consistent increase in the number of privileged users."

As with PRIVACs, the NSA "could not provide supporting documentation for the total number of DTAs before and after the purge" and so was working from an "unsubstantiated" estimate. After the Snowden leak, the NSA purged all DTAs and made them reapply, which they did in 2014.

The NSA pointed to the new number of DTAs and declared it a reduction from its original "unsupported" estimate. When asked how it justified its claim that it had reduced the number of people who could use thumb drives with NSA's networks when it didn't know how many such people it had to begin with, the NSA explained, "although the initiative focused on reducing the number of DTA, the actions taken by NSA were not designed to reduce the number of DTAs; rather they were taken to overhaul the DTA process to identify and vet all DTAs." The IG Report notes that the NSA "continued to consistently increase the number of DTAs throughout the next 12 months."

When, in 2008, someone introduced a worm into DOD's networks via a thumb drive, it decreed that it would no longer use removable media. Then, after Chelsea Manning exfiltrated a bunch of documents on a Lady Gaga CD, the government again renewed its commitment to limiting the use of removable media.

This report reveals that only in the wake of the Snowden leaks did the NSA get around to developing a vetted list of those who could use thumb drives in NSA's networks.

Yet as recently as last year, Reality Winner (who, as an Air Force translator, was presumably not a privileged access user at all) stuck some kind of removable media into a Top Secret computer, yet the government claims not to know what she downloaded or whether she downloaded anything at all (it's unclear whether that Air Force computer came within NSA's review).

When contacted with specific questions about its inability to track privileged users, the NSA pointed to its official statement on the DOD IG Report. "The National Security Agency operates in one of the most complicated IT environments in the world. Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock." The Office of Director of National Intelligence did not immediately respond with comment to my questions.

Yet this issue pertains not just to the recent spate of enormous data breaches, which led last month to the worldwide WannaCry ransomware attack using NSA's stolen tools. It also pertains to the privacy of whatever data on Americans the NSA might have in its repositories.

If, three years after Snowden, the NSA still hasn't succeeded in limiting the number of people with the technical capability to do what he did, how can NSA ensure it keeps Americans' data safe?

Motherboard:

You Might Also Read:

US Intelligence Agencies Fear Insiders As Much As Spies:

Snowden: NSA Should Have Prevented WannaCry Attacks:

 

« Key Concepts For Understanding Artificial Intelligence
Trump Tells US Cyber Command To Get More Aggressive »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Herjavec Group

Herjavec Group

Herjavec Group's Managed Security Services practice defends your organization from increasingly sophisticated, targeted cybercrime threats.

Wireless Logic

Wireless Logic

Wireless Logic delivers a range of secure and resilient value-added M2M/IoT managed services that empower remote devices to communicate cost-effectively, two ways.

Tevora

Tevora

Tevora is a specialized management consultancy focused on cyber security, risk, and compliance services.

Abion

Abion

At Abion (formerly BRANDIT), we empower your business by providing comprehensive brand protection and web security services.

AmWINS Group

AmWINS Group

AmWINS are a global specialty insurance distributor with expertise in property, casualty and professional lines including cyber liability.

CENSUS

CENSUS

CENSUS is a Cybersecurity services provider offering services to multiple industries worldwide such as Security Testing, Code Auditing, Secure SDLC, Vulnerability Research and Consulting Services.

HB-Technologies

HB-Technologies

HB-Technologies is pioneer in Africa, in digital security, embedded electronic and IT solutions based on highly secure smart cards that comply with international standards and norms.

CerraCap Ventures

CerraCap Ventures

CerraCap Ventures invest globally into early-stage B2B companies in Healthcare, Enterprise AI and Cyber Security.

Nisos

Nisos

Nisos provides unrivaled protection of your reputation and assets through the practice of Active Defense.

6clicks

6clicks

6clicks is an easy way to implement your risk and compliance program or achieve compliance with ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST, FedRAMP and many other standards.

Strata Identity

Strata Identity

Strata is pioneering identity orchestration to unify on-premises and cloud-based authentication and access systems for consistent identity management in multi-cloud environments.

Blockfence

Blockfence

Blockfence are a seasoned crew versed in enterprise-grade cybersecurity and crypto, on a mission to collaboratively shape the future of Web3 security.

CNF Technologies

CNF Technologies

CNF Technologies is an award-winning cyber company providing technology-focused research and development to commercial, federal, and Department of Defense clients.

Mindflow

Mindflow

Mindflow is dedicated to bringing answers to the challenges the cybersecurity field and beyond face today.

Options Technology

Options Technology

Options is a global leader in financial technology, specialising in Capital Markets technology and enterprise-grade solutions.

DigitalXForce

DigitalXForce

DigitalXForce is the Digital Trust Platform for the New Era – SaaS based solution that provides Automated, Continuous, Real Time Security & Privacy Risk Management.