Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures

from the NSA,-where-the-'S'-stands-for-¯\_(ツ)_/¯ dept

In the immediate aftermath of an NSA contractor springing numerous leaks back in 2013, the NSA vowed this would never happen again. It has happened again and it hasn't just been documents. It's also been software exploits, which contributed to a worldwide plague of ransomware.

The NSA was going to make sure no one could just walk out of work with thousands of sensitive documents. It laid out a plan to exercise greater control over access and fail-safe procedures meant to keep free-spirited Snowdens in check. The NSA is the world's most powerful surveillance agency. It is also a sizable bureaucracy. Over the past half-decade, the NSA has talked tough about tighter internal controls. But talk is cheap -- at least labor-wise. Actual implementation takes dedication and commitment. The NSA just doesn't have that in it, according to a recent Inspector General's report.

The nation's cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency's inspector general released Wednesday.

Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren't properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they're qualified for the highest-level work they do, according to the overview.

The anti-Snowden efforts are a key failure on the NSA's part. The NSA stated it would implement two-person access control to limit the amassing of sensitive documents/software. This would ensure that, if nothing else, the NSA could try to press conspiracy charges against leakers. That hasn't happened. Towards the end of the Inspector General's long list of NSA investigations and recommendations [PDF], the IG notes this key proposal -- offered by Keith Alexander when he was still running the agency -- has yet to be implemented. This damning note lies alongside the jarring fact that the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers' market, it's inexcusable that the NSA would act so carelessly with attack vectors it certainly utilizes.

Those two points -- closely related to the NSA's ongoing presence in daily news -- are only a small part of the 699 open recommendations from the Inspector General the NSA has yet to fully address. It's not a good look for any government agency, much less one that's supposed to be at the forefront of technology and security.


Reader Comments


  • spikerman87, 1 Aug 2018 @ 12:07pm

    Rubik's Cube

    You want to bet they don't allow Rubik's Cubes or any other toys into the building?


  • Anonymous Coward, 1 Aug 2018 @ 12:34pm

    Media scanning

    This damning note lies alongside the jarring fact the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers market, it's inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

    Uhh... scanning for malware is not the solution to this problem. Commercial scanners won't detect the NSA's malware unless the NSA gives copies in advance, which would defeat the purpose. A custom scanner would be a total waste of time: the time would be better spent fixing the bugs their malware exploits, even if they're never going to send those fixes upstream. And they certainly shouldn't be vulnerable to publicly known bugs.

    The only vulnerable machines should be those used for testing their malware. Instead of scanning storage media, they need to be scanning their network for vulnerable devices.


    • nope, 1 Aug 2018 @ 3:04pm

      Re: Media scanning

      Media scanning on most machines is a big waste of time, effort and CPU cycles. Let's scan for PC viruses on non-x86 hardware.... because, oh, you never know, and the vendor wants to scare you into thinking you must scan everything all the time.


      • Anonymous Coward, 1 Aug 2018 @ 6:25pm

        Re: Re: Media scanning

        I think the idea there is to stop you from copying the file to a vulnerable system.

        The scanning, though, can be worse than a waste of time: it can itself have vulnerabilities. This is particularly bad if the scanner runs with administrative privilege, and some used to (still do?). It's the same root cause as we saw with a recent exploit on Linux, where some file manager would automatically spawn a Nintendo emulator (!) to create a thumbnail, and it was exploitable.... To scan every obscure file type, you've got to have a parser for each, thereby expanding your attack surface.


  • Thad, 1 Aug 2018 @ 2:00pm

    Replace unhinged, rambling subject lines with random song lyrics.


  • Anonymous Coward, 1 Aug 2018 @ 2:19pm

    Considering its foremost place in the malware buyers market, it's inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

    As I've said before, the NSA is only concerned with attack potential of malware and exploits and doesn't give a single hoot about fixing or defending our interests against them. Heck, I don't even think they bother to look at the defensive side of the equation at all, other than as an obstacle to overcome.

    I wouldn't mind this if there was another agency specifically devoted to defending against such problems, but the NSA is supposed to be doing both. Perhaps it's time to make such an agency.


    • Anonymous Coward, 1 Aug 2018 @ 3:23pm

      Re:

      Perhaps it's time to make such an agency.

      Don't worry, the FBI is protecting us all. They just need our encryption keys.


  • That Anonymous Coward (profile), 1 Aug 2018 @ 4:01pm

    I'm not willing to read 41 pages that will just make me more sad... the only thing I want to know is how much we have already paid and are contractually bound to keep paying to outside vendors who sold them the tiger-repelling rocks & just keep moving them around to get it just right.


  • Anonymous Coward, 1 Aug 2018 @ 5:21pm

    "Says"...lol


  • Darkness Of Course (profile), 2 Aug 2018 @ 1:22pm

    Who is leading the blind NSA?

    What if, just bear with me, the new Snowdens are running part of the show?

    Not all of it, but enough to slow up the systems necessary to stop the future Snowden from blowing the doors open, again.

    Or it could be that ransomware has infiltrated the one server that has the plans to update the security.


    • Anonymous Coward, 2 Aug 2018 @ 11:20pm

      Re: Who is leading the blind NSA?

      Well, a lot of those measures are a pain in the ass and slow things down, and morale has been in the toilet as everyone thinks of them first and foremost as bad people, and even the 'nothing to hide' crowd of toadies rightfully think they are incompetent given things like accidentally releasing a bunch of their malware on a completely unsecured server. Just having their own servers hacked without several zero-days would be bad enough; leaving it unsecured is literally completely inexcusable when even Amazon Cloud calls for crypto-key regulated direct server access.

      They appear to be circling the drain as a shitty organization which has likely started to get shittier. Anyone with talent would have likely tried to go elsewhere while the reaction to saying you worked for the NSA was "you must have been good at hacking" instead of "you must be an incompetent pervert without any morals".

