by Tim Cushing

Filed Under:
cybersecurity, ed snowden, nsa, security

Oversight Report Shows NSA Failed To Secure Its Systems Following The Snowden Leaks

from the NSA-officials:-'feel-good-story-of-2015,-etc.' dept

It appears the NSA hasn't learned much since Ed Snowden left with several thousands of its super-secret documents. Agency officials were quick to claim the leaks would cause untold amounts of damage, but behind the scenes, not much was being done to make sure it didn't happen again.

A Defense Department Inspector General's report obtained via FOIA lawsuit by the New York Times shows the NSA fell short of several security goals in the post-Snowden cleanup. For an agency that was so concerned about being irreparably breached, the NSA still seems primed for more leakage. Charlie Savage reports:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department’s inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times.

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of “privileged” users, who have greater power to access the N.S.A.’s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

Let's not forget the NSA wants to be engaged in ensuring the cybersecurity of the nation. It's repeatedly asked for more power and a better seat in the CyberWar room. But it doesn't even take its OWN security seriously. The NSA told its oversight it was engaging in 40 "Secure the Net" initiatives, directly after the first Snowden leak. Two years later, it told Congress it had completed 34 of 40 STN initiatives. The term "completion" apparently has multiple definitions, depending on who's using the word. The IG sampled only seven of the initiatives and found four were mostly done and three were nowhere near completed. Extrapolating from the sampling, it's safe to assume the NSA's internal security efforts are only slightly more than half-baked.

The three the NSA failed to implement are of crucial importance, especially if it's looking to keep its in-house documents safe at home. From the report [PDF]:

NSA officials did not effectively implement three PRIVAC [Privileged Access]-related STN initiatives:

- fully implement technology to oversee privileged user activities;

- effectively reduce the number of privileged users; and

- effectively reduce the number of authorized DTAs [Data Transfer Agents].

First off, the NSA -- prior to the Snowden leaks -- had no idea how many users had privileged access. Post-Snowden, things hardly improved. Considering the tech capabilities of the agency, it's incredibly amusing to see how the NSA "tracked" privileged users.

NSA officials stated they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users.

Pretty much useless, considering this number the NSA couldn't verify (thanks to its missing spreadsheet) was supposed to be used to establish a baseline for the planned reduction in privileged users. Despite missing this key data, the NSA moved ahead, "arbitrarily revoking access" and asking users to reapply for privileged status. It then reported a reduction by citing the number of users it denied restoration of access privileges. It did not factor in any new users it granted privileged access to or tally up the number of accounts it never bothered to revoke.

As the fully-redacted chart presumably points out (according to the text above it), the NSA had a "continued and consistent increase in the number of privileged users once the [redacted] enrollment process began."

The NSA also claimed it had reduced the number of DTAs. And again, the NSA had no receipts.

Although repeatedly requested, NSA officials could not provide supporting documentation for the total number of DTAs before and after the purge or the actual number of users purged.

The NSA's objectively-terrible internal controls (again) ensured no number could be verified.

NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach.

The NSA handled these missing numbers the same way it had privileged users: it made up a new baseline, arbitrarily decided it could show a downtrend in DTAs, and delivered this as "proof" of another completed security initiative.

The report points out repeatedly the NSA's failure to provide documentation backing its STN claims -- either from before the initiatives took force or after they supposedly hag been completed. The IG's comments note the NSA's response to the report ignored its detailed description of multiple failures in order to spin this as a "win" for the agency.

Although the Director, Technology Directorate NSA/CSS Chief Information Officer, agreed, he did not address all the specifics of the recommendation. Therefore, we request that the director provide additional comments on the final report that identify specific actions NSA will take.

Here's how the NSA portrayed the report's findings:

While the Media Leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a "good news" story.

Sure, if you consider a half-done job securing NSA assets to be "good news," rather than just an ongoing series of security holes left halfway unplugged while agency officials testify before Congressional oversight in front of a "MISSION ACCOMPLISHED" banner backdrop.

Reader Comments

Subscribe: RSS

View by: Time | Thread

  • identicon
    Anonymous Coward, 20 Jun 2017 @ 4:07am

    >Let's not forget the NSA wants to be engaged in ensuring the cybersecurity of the nation.

    And they are treating their own (in)security with as much zeal as they want others to tackle their security.

    reply to this | link to this | view in chronology ]

  • icon
    TheResidentSkeptic (profile), 20 Jun 2017 @ 5:44am

    But it was just easier..

    ... to threaten leakers with espionage charges than to fix leaks...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jun 2017 @ 6:10am

    The main problem

    Their main problem is that the employee many genius level people who could literally code circles around their bosses. The people in charge have no idea what is happening.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jun 2017 @ 6:45am

    The NSA isn't stupid

    they just want to make sure no leakers can be identified. That way they control who gets ratted out and when with impunity.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jun 2017 @ 7:30am

    National Insecurity Agency

    reply to this | link to this | view in chronology ]

  • identicon
    M.S. Rogers, 20 Jun 2017 @ 7:50am

    Look, we're the NSA. It's our job to monitor people who don't know we're monitoring them. When we monitor ourselves, we know that we were doing it: this type of information-gathering is not within our normal scope of responsibilities. In implementing internal controls, the only way we know what we're doing is by not knowing what we we're doing. Our lack of improved security is, in fact, evidence that we have improved security.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 20 Jun 2017 @ 8:37am

    These motherfuckers weaponized some of the worst exploits, hid them to keep them from being patched, then lost them into the wild.

    Somehow you expected an agency that always gets its budget requests is going to bother doing anything to be better?
    They've been fucking around for decades & anytime anyone rattles their cage they roll out the 'but the terrorists' & everyone caves.

    If we wanted to see Congress reign them in, someone would have to exfiltrate data on Congress & publish it. I'm sure they would be thrilled to have the public fully aware of how cozy they are with lobbyists and corporations.

    reply to this | link to this | view in chronology ]

  • icon
    David (profile), 20 Jun 2017 @ 12:14pm

    Server security begins at the door.

    If you don't have the door *itself* secured then you do not have a secure system.

    Everything else is hand-waving until the door is secured.

    reply to this | link to this | view in chronology ]

  • icon
    Seegras (profile), 21 Jun 2017 @ 1:37am

    It's what happens when you value Spying too muich

    reply to this | link to this | view in chronology ]

    • icon
      Seegras (profile), 21 Jun 2017 @ 1:44am

      Re: It's what happens when you value Spying too much

      And now with contents:

      The problem is, surveillance and security are diametrically opposed. And having your own security compromised is what happens when you're too much occupied with spying on everyone else.

      If the NSA would really want to be number one in Cybersecurity, it would need to redefine its mission to pure defence in the first place. No more surveillance and spying (which is supposed the domain of the CIA anyway), just counter-intelligence and securing infrastructure, publishing(!) vulnerabilities, eradicating zero-day exploits.

      But with the prevailing mindset within the NSA right now, the NSA is firmly a black-hat with no hope of getting their own security right.

      reply to this | link to this | view in chronology ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.