Oversight Report Shows NSA Failed To Secure Its Systems Following The Snowden Leaks

from the NSA-officials:-'feel-good-story-of-2015,-etc.' dept

It appears the NSA hasn’t learned much since Ed Snowden left with several thousands of its super-secret documents. Agency officials were quick to claim the leaks would cause untold amounts of damage, but behind the scenes, not much was being done to make sure it didn’t happen again.

A Defense Department Inspector General’s report obtained via FOIA lawsuit by the New York Times shows the NSA fell short of several security goals in the post-Snowden cleanup. For an agency that was so concerned about being irreparably breached, the NSA still seems primed for more leakage. Charlie Savage reports:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department’s inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times.

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of “privileged” users, who have greater power to access the N.S.A.’s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

Let’s not forget the NSA wants to be engaged in ensuring the cybersecurity of the nation. It’s repeatedly asked for more power and a better seat in the CyberWar room. But it doesn’t even take its OWN security seriously. The NSA told its oversight it was engaging in 40 “Secure the Net” initiatives, directly after the first Snowden leak. Two years later, it told Congress it had completed 34 of 40 STN initiatives. The term “completion” apparently has multiple definitions, depending on who’s using the word. The IG sampled only seven of the initiatives and found four were mostly done and three were nowhere near completed. Extrapolating from the sampling, it’s safe to assume the NSA’s internal security efforts are only slightly more than half-baked.

The three the NSA failed to implement are of crucial importance, especially if it’s looking to keep its in-house documents safe at home. From the report [PDF]:

NSA officials did not effectively implement three PRIVAC [Privileged Access]-related STN initiatives:

– fully implement technology to oversee privileged user activities;

– effectively reduce the number of privileged users; and

– effectively reduce the number of authorized DTAs [Data Transfer Agents].

First off, the NSA — prior to the Snowden leaks — had no idea how many users had privileged access. Post-Snowden, things hardly improved. Considering the tech capabilities of the agency, it’s incredibly amusing to see how the NSA “tracked” privileged users.

NSA officials stated they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users.

Pretty much useless, considering this number the NSA couldn’t verify (thanks to its missing spreadsheet) was supposed to be used to establish a baseline for the planned reduction in privileged users. Despite missing this key data, the NSA moved ahead, “arbitrarily revoking access” and asking users to reapply for privileged status. It then reported a reduction by citing the number of users it denied restoration of access privileges. It did not factor in any new users it granted privileged access to or tally up the number of accounts it never bothered to revoke.

As the fully-redacted chart presumably points out (according to the text above it), the NSA had a “continued and consistent increase in the number of privileged users once the [redacted] enrollment process began.”

The NSA also claimed it had reduced the number of DTAs. And again, the NSA had no receipts.

Although repeatedly requested, NSA officials could not provide supporting documentation for the total number of DTAs before and after the purge or the actual number of users purged.

The NSA’s objectively-terrible internal controls (again) ensured no number could be verified.

NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach.

The NSA handled these missing numbers the same way it had privileged users: it made up a new baseline, arbitrarily decided it could show a downtrend in DTAs, and delivered this as “proof” of another completed security initiative.

The report points out repeatedly the NSA’s failure to provide documentation backing its STN claims — either from before the initiatives took force or after they supposedly hag been completed. The IG’s comments note the NSA’s response to the report ignored its detailed description of multiple failures in order to spin this as a “win” for the agency.

Although the Director, Technology Directorate NSA/CSS Chief Information Officer, agreed, he did not address all the specifics of the recommendation. Therefore, we request that the director provide additional comments on the final report that identify specific actions NSA will take.

Here’s how the NSA portrayed the report’s findings:

While the Media Leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a “good news” story.

Sure, if you consider a half-done job securing NSA assets to be “good news,” rather than just an ongoing series of security holes left halfway unplugged while agency officials testify before Congressional oversight in front of a “MISSION ACCOMPLISHED” banner backdrop.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Oversight Report Shows NSA Failed To Secure Its Systems Following The Snowden Leaks”

Subscribe: RSS Leave a comment
M.S. Rogers says:

Look, we’re the NSA. It’s our job to monitor people who don’t know we’re monitoring them. When we monitor ourselves, we know that we were doing it: this type of information-gathering is not within our normal scope of responsibilities. In implementing internal controls, the only way we know what we’re doing is by not knowing what we we’re doing. Our lack of improved security is, in fact, evidence that we have improved security.

That Anonymous Coward (profile) says:

These motherfuckers weaponized some of the worst exploits, hid them to keep them from being patched, then lost them into the wild.

Somehow you expected an agency that always gets its budget requests is going to bother doing anything to be better?
They’ve been fucking around for decades & anytime anyone rattles their cage they roll out the ‘but the terrorists’ & everyone caves.

If we wanted to see Congress reign them in, someone would have to exfiltrate data on Congress & publish it. I’m sure they would be thrilled to have the public fully aware of how cozy they are with lobbyists and corporations.

Seegras (profile) says:

Re: It's what happens when you value Spying too much

And now with contents:

The problem is, surveillance and security are diametrically opposed. And having your own security compromised is what happens when you’re too much occupied with spying on everyone else.

If the NSA would really want to be number one in Cybersecurity, it would need to redefine its mission to pure defence in the first place. No more surveillance and spying (which is supposed the domain of the CIA anyway), just counter-intelligence and securing infrastructure, publishing(!) vulnerabilities, eradicating zero-day exploits.

But with the prevailing mindset within the NSA right now, the NSA is firmly a black-hat with no hope of getting their own security right.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...