A number of initiatives to strengthen security were mandated at the National Security Agency (NSA) following the leaks by Edward Snowden of 1.5 million documents, but implementation of those procedures lacked teeth, according to a report by the Department of Defense (DoD).
The 61-page report from the DoD's inspector general on the NSA's putting into practice of the “Secure-the-Net” (STN) initiative, faults the agency and, as security intelligence expert Christopher Burgess, writing for Sophos's Naked Security blog puts it, "the only image one can conjure up is that of the Katzenjammer Kids running amok."
Once the insider risk was presented by Snowden's leaks, the STN initiative was put into place offering 40 recommendations “focused on insider threats to NSA systems, data and infrastructure.”
Among that group of 40, seven directives specifically addressed “secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access.”
The seven STN initiatives were:
- Develop and document a new system administration model
- Assess the number of system administrators across the enterprise
- Implement two-person access control over data centers and machine rooms
- Implement two-stage authentication control for system administration
- Reduce the number of persons with Privileged Access
- Reduce the number of authorized data transfer agents (those authorized to use removable media)
- Oversee privileged user activities
The report from the DoD examined the NSA's progress in putting these seven recommendations into place, based on its study between January and July 2016 of four facilities.
The DoD report, acquired by The New York Times under a FOIA request, "takes the NSA to the woodshed," Burgess wrote. While the NSA did attempt to implement the recommendations, it failed to do an effective job in carrying out implementation, Burgess said.
The NSA only partially got some operations in place, the report explained. One example regarded two-factor authentication, which was implemented for system administrators but not for others with credentials for privileged access (which was how Snowden was able to exfiltrate data).
Perhaps even more critical, the report found that the NSA could not determine who had elevated access privileges. In light of Snowden's actions and then the later acquisition by the Shadow Brokers of NSA materials, there is lax security within the agency, the DoD report stated.
The tightening up of its operations was the intent of the STN initiatives. While Burgess, a former CIA operations officer, said some good resulted – primarily an insider threat program initiated at all facilities – insiders are still capable of harvesting NSA data, as evidenced by the arrest in May of Reality Winner, another NSA contractor, who used her privileged access to remove NSA material regarding Russian interference in the U.S. presidential election and then provided it to the media.
"Reality Winner did not have need-to-know access," Burgess told SC Media on Wednesday. He pointed to one of the recommendations included in the seven STN initiatives: Oversee privileged user activities. Winner had privileged access, Burgess explained, but had no need to know about Russian meddling in the presidential election.
"Had monitoring activity been in place," Burgess said, "she would have been detected."
Clearly, Burgess concluded, some tweaking is still needed to the NSA's STN program to plug insiders' capabilities.