Oversight Report: World's Most Powerful Spy Agency Is An Insecure Mess That Can't Keep Tabs On Its Own Employees

from the holy-shit-these-are-one-way-mirrors! dept

The NSA's Inspector General has released its biannual report on its recent investigations. This report is delivered to its Congressional oversight which, let's face it, is generally uninterested in ensuring the Constitutionality of the agency's surveillance programs. Nevertheless, here it is [PDF].

Included are things we know… like the agency's inability to collect phone records correctly under the constraints imposed by the USA Freedom Act. The assumption was leaving the phone records in the control of telcos would reduce overcollection. The NSA proved us wrong. It led to more overcollection, rather than less, leading the NSA to conclude it was better off without this program.

Overcollection had never been considered a problem before, but perhaps the NSA felt there was only so much massive piles of unrelated data could tell it. It decided to can the phone records collection. But, unless Congress decides to codify this voluntary move, it could decide to start overcollecting again.

What is new is the NSA's inability to surveil itself. It has eyes and ears around the world (five at least!) but it can't seem to keep an eye on its own employees. There's a huge disconnect between the agency's surveillance powers and its ability to keep tabs on the staff. It would seem NSA staff would be about the smallest surveillance subset possible, but here we are.

We noticed this inadvertent irony several years ago. The NSA has the power to collect email metadata and content in bulk, but when it comes to responding to FOIA requests, it claims it simply doesn't have the skill set to search internal emails efficiently or accurately. The agency's massive budget apparently all goes to outbound searches. Asking it to find stuff its own employees discussed via email results in a shrug and mumbling about "archaic systems."

You will either be unsurprised or slightly more chagrined by what's contained in the latest report, given this foreshadowing. Exposed in the Snowden stash back in 2013 was the fact that the NSA did not just collect phone records in bulk. It also collected financial records in bulk, hoovering up credit card transactions with its "Follow the Money" program. The purpose was to trace money flowing to terrorists. To achieve this, the NSA approached credit card companies with FISA-approved warrants or subpoenas. No Constitutional protection is given to these third-party records, thanks to a court system that has consistently found that anything Americans share with others should be "shared" with the government.

Given this reach, you'd assume in-house tracking of purchases using… um… company[?] cards would be trivial. Well, that's why assumptions suck. NSA employees are blowing money on unapproved stuff and all the agency can offer is the same shrug it attached to its failed FOIA search.

Specifically, we found that Agency personnel did not adequately monitor cardholder activities, which may have permitted improper cash advances and other misuse of individually billed travel cards. We also made several other findings, including that the Agency did not reconcile centrally billed travel charge card accounts in a timely fashion, and that it failed to provide mandatory travel card training. These risks potentially impact the Agency’s financial liability and public trust in its stewardship of taxpayer dollars.

So… the other definition of "oversight." The NSA collects millions of financial records that may or may not ultimately result in the disruption of a terrorist attack. Meanwhile, back at home, credit cards records generated by its employees are a black box incapable of being scrutinized.

This is not the end of the bad/ironic news. The NSA's middle name is literally "Security." And yet…

In accordance with U.S. Office of Management and Budget guidance, the OIG is required to assess the effectiveness of information security programs on a maturity model spectrum, which ranges from Level 1 (ad hoc) to Level 5 (optimized). The review found that there is room for improvement in all eight IT security areas.

This is an understatement. The NSA's maturity level is easily surpassed by tween Fortnite players.

According to the OIG, "contingency planning" is where the NSA fails the hardest. Good thing, too, since it always seems to be surprised when someone runs off with a bunch of documents and hands them to journalists. A tight ship this is not.

From there, it's a parade of failures. Nearly a third of the $900,00 the agency spent on travel was "determined to be inappropriate." The NSA's Kent Island facility was found to be an insecure mess, although the OIG notes "23 of its 45 recommendations" were addressed immediately. Sole-source contractors were retained because they were "friends" of NSA employees. And, of course, a number of surveillance-related incidents.

The most powerful spy agency in the world can't keep an eye on its own employees. Thank god we're paying them so much off the (official) book to spy on everyone else.

Filed Under: 4th amendment, nsa, overcollection, surveillance


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    ECA (profile), 23 Jul 2019 @ 12:58pm

    Specific accounting.

    Its been known in the last 30 years, we cant get ALL the info on Who gets/pays/gets paid/Who pays from about 1/2-3/4 the money Taxed, used, created by our gov.

    CIA/IRS/others have OLD ways of doing things, as well as OLD computers and hardware to do the job, and have NEVER been updated/upgraded.. The Pentagon Couldnt tell you how much they have spent if they Even tried..

    I started suggesting that the persons we want to Run this country are bookkeepers...NOT Lawyers who cant Lawyer..

    NO ONE with any skill has ever been Kept to Update anything.. Those Perscribed the jobs, make recommendations and SOON GET FIRED.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jul 2019 @ 2:38pm

    And this report wont make a craps worth of difference. Things will carry on just the same with only ordinary citizens bring screwed, being set up, being convicted and jailed for decades!

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 25 Jul 2019 @ 10:12am

      Re:

      Things will carry on just the same

      "The NSA's Kent Island facility was found to be an insecure mess, although the OIG notes "23 of its 45 recommendations" were addressed immediately."

      reply to this | link to this | view in chronology ]

  • identicon
    Bobvious, 23 Jul 2019 @ 3:10pm

    Works on Contingency?

    NO! Money Down!!!
    ⠀⠀⠀⠀⠀⠀⚖

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jul 2019 @ 4:47pm

    This is why large government conspiracies like accusations it was behind 9/11 are ridiculous. Well, one of the reasons.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jul 2019 @ 5:12am

    No Such Agency (et al.)

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Jul 2019 @ 5:15am

      Re: No Such Agency (et al.)

      Hmmm...image markdown seems to have escaped me. For the interested student, elide the spaces.

      i.imgur. com / e74Xi5Z. png

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jul 2019 @ 11:43am

    No Search Ability

    So I'm starting to believe that even though they collect all this information, it's all in the hopes that they might be able to find some tidbit of evidence regarding something they already know about and this has all been about acquiring funding and never actually doing anything more than claiming to the folks that fund them that they can actually do they things they say.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.