Oversight Report: World's Most Powerful Spy Agency Is An Insecure Mess That Can't Keep Tabs On Its Own Employees

from the holy-shit-these-are-one-way-mirrors! dept

The NSA’s Inspector General has released its biannual report on its recent investigations. This report is delivered to its Congressional oversight which, let’s face it, is generally uninterested in ensuring the Constitutionality of the agency’s surveillance programs. Nevertheless, here it is [PDF].

Included are things we know… like the agency’s inability to collect phone records correctly under the constraints imposed by the USA Freedom Act. The assumption was leaving the phone records in the control of telcos would reduce overcollection. The NSA proved us wrong. It led to more overcollection, rather than less, leading the NSA to conclude it was better off without this program.

Overcollection had never been considered a problem before, but perhaps the NSA felt there was only so much massive piles of unrelated data could tell it. It decided to can the phone records collection. But, unless Congress decides to codify this voluntary move, it could decide to start overcollecting again.

What is new is the NSA’s inability to surveil itself. It has eyes and ears around the world (five at least!) but it can’t seem to keep an eye on its own employees. There’s a huge disconnect between the agency’s surveillance powers and its ability to keep tabs on the staff. It would seem NSA staff would be about the smallest surveillance subset possible, but here we are.

We noticed this inadvertent irony several years ago. The NSA has the power to collect email metadata and content in bulk, but when it comes to responding to FOIA requests, it claims it simply doesn’t have the skill set to search internal emails efficiently or accurately. The agency’s massive budget apparently all goes to outbound searches. Asking it to find stuff its own employees discussed via email results in a shrug and mumbling about “archaic systems.”

You will either be unsurprised or slightly more chagrined by what’s contained in the latest report, given this foreshadowing. Exposed in the Snowden stash back in 2013 was the fact that the NSA did not just collect phone records in bulk. It also collected financial records in bulk, hoovering up credit card transactions with its “Follow the Money” program. The purpose was to trace money flowing to terrorists. To achieve this, the NSA approached credit card companies with FISA-approved warrants or subpoenas. No Constitutional protection is given to these third-party records, thanks to a court system that has consistently found that anything Americans share with others should be “shared” with the government.

Given this reach, you’d assume in-house tracking of purchases using… um… company[?] cards would be trivial. Well, that’s why assumptions suck. NSA employees are blowing money on unapproved stuff and all the agency can offer is the same shrug it attached to its failed FOIA search.

Specifically, we found that Agency personnel did not adequately monitor cardholder activities, which may have permitted improper cash advances and other misuse of individually billed travel cards. We also made several other findings, including that the Agency did not reconcile centrally billed travel charge card accounts in a timely fashion, and that it failed to provide mandatory travel card training. These risks potentially impact the Agency’s financial liability and public trust in its stewardship of taxpayer dollars.

So… the other definition of “oversight.” The NSA collects millions of financial records that may or may not ultimately result in the disruption of a terrorist attack. Meanwhile, back at home, credit card records generated by its employees are a black box incapable of being scrutinized.

This is not the end of the bad/ironic news. The NSA’s middle name is literally “Security.” And yet…

In accordance with U.S. Office of Management and Budget guidance, the OIG is required to assess the effectiveness of information security programs on a maturity model spectrum, which ranges from Level 1 (ad hoc) to Level 5 (optimized). The review found that there is room for improvement in all eight IT security areas.

This is an understatement. The NSA’s maturity level is easily surpassed by tween Fortnite players.

According to the OIG, “contingency planning” is where the NSA fails the hardest. Good thing, too, since it always seems to be surprised when someone runs off with a bunch of documents and hands them to journalists. A tight ship this is not.

From there, it’s a parade of failures. Nearly a third of the $900,00 the agency spent on travel was “determined to be inappropriate.” The NSA’s Kent Island facility was found to be an insecure mess, although the OIG notes “23 of its 45 recommendations” were addressed immediately. Sole-source contractors were retained because they were “friends” of NSA employees. And, of course, a number of surveillance-related incidents.

The most powerful spy agency in the world can’t keep an eye on its own employees. Thank god we’re paying them so much off the (official) book to spy on everyone else.


Comments on “Oversight Report: World's Most Powerful Spy Agency Is An Insecure Mess That Can't Keep Tabs On Its Own Employees”

ECA (profile) says:

Specific accounting.

It’s been known in the last 30 years, we can’t get ALL the info on Who gets/pays/gets paid/Who pays from about 1/2-3/4 the money Taxed, used, created by our gov.

CIA/IRS/others have OLD ways of doing things, as well as OLD computers and hardware to do the job, and have NEVER been updated/upgraded.. The Pentagon Couldn’t tell you how much they have spent if they Even tried..

I started suggesting that the persons we want to Run this country are bookkeepers…NOT Lawyers who can’t Lawyer..

NO ONE with any skill has ever been Kept to Update anything.. Those Prescribed the jobs, make recommendations and SOON GET FIRED.

Anonymous Coward says:

No Search Ability

So I’m starting to believe that even though they collect all this information, it’s all in the hopes that they might be able to find some tidbit of evidence regarding something they already know about and this has all been about acquiring funding and never actually doing anything more than claiming to the folks that fund them that they can actually do the things they say.
