NSA failed to implement security measures, says damning report

After reading through the 61 pages of redacted content of the August 2016 DOD Inspector General’s report on the National Security Agency’s (NSA) implementation of the “Secure-the-Net” initiative, acquired by The New York Times via a Freedom of Information Act (FOIA) request, the only image one can conjure up is that of the Katzenjammer Kids running amok.

The NSA data protection (or lack thereof) was thrust into the spotlight when Edward Snowden, then a contractor in Hawaii, purloined 1.5m documents. How Snowden carried out his massive data collection is interesting, as he used his natural access and then conned his colleagues into giving up their internal access credentials in his role as the system admin. In the months that followed there were no shortage of opinions on how the NSA could or should tighten up its ship.

The “Secure-the-Net” (STN) initiative was launched post-Snowden, which included 40 specific recommendations “focused on insider threats to NSA systems, data, and infrastructure”. Seven of those recommendations were designed to “secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access”.

The seven STN initiatives were:

  • Develop and document a new system administration model
  • Assess the number of system administrators across the enterprise
  • Implement two-person access control over data centers and machine rooms
  • Implement two-stage authentication control for system administration
  • Reduce the number of persons with Privileged Access
  • Reduce the number of authorized data transfer agents (those authorized to use removable media)
  • Oversee privileged user activities

The Department of Defense (DOD) report reviewed the NSA’s progress on tightening up its ship with respect to the seven STN recommendations.  The audit was conducted at four facilities between January and July of 2016.

The DOD report takes the NSA to the woodshed. Not because the NSA didn’t attempt to implement, but rather, because they did a half-ass job in the implementation.

The report’s scorching verbiage surrounds this partial implementation of the recommendations: for example, the

NSA did not effectively implement the three privileged access related STN initiatives … because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness.

For example, with respect to two-factor authentication (2FA), the NSA implemented it for system admins, but not for those with privileged access. It is well documented how Snowden bypassed the then present privileged access controls and conned his colleagues into giving him their credentials – which he then went on to use to expand his access.

A 2FA requirement would have required the owner of the credentials to have been participatory in Snowden’s use of their credentials. NSA implementation as described in the report shows how they opted to leave open the very window that Snowden climbed through to harvest the data he stole.

Furthermore, the report goes on to chastise the NSA for not having a clue about how many individuals had privileged access in 2014, nor in 2016, and nor could the NSA document how the purge/pruning had been carried out. That meant the inspection team couldn’t find out exactly how many people had privileged access.

While focus has largely been on the trusted insider gone bad, Edward Snowden, the Shadow Brokers’ acquisition of NSA’s Office of Tailored Access Operations (TAO) collection tools compromise clearly indicates a need by the NSA to continue to place their focus on locking down their own house.

How the TAO compromise occurred remains a mystery. It could have been an insider (contractor or staff) or it might have been a result of the contractor alleged to have built the exposed tools, the Equation Group, having themselves been hacked. Coincidentally, the inspector general report was published the week after the Shadow Brokers offered the TAO tools for auction. An active August 2016  indeed.

But what of the NSA contractor Harold Martin, another NSA insider? Martin, who worked for Booz Allen Hamilton, he was found to have hoarded up to 50 terabytes of NSA information. The indictment on Martin was sealed until October 2016, but he was arrested on 27 August 2016, yes two days prior to the arrival of the inspectors general report. August 2016 was truly a busy month in the world of espionage and counterespionage.

Is it hard to catch an insider? Yes, it is. If the individual does not exceed their natural access, process and procedures, they will be difficult to detect, and while it is safe to say that 100% is not achievable, there are steps which can be taken to secure the environment to bring the risk as close to zero as possible. This was the intent of the STN.

Has there been any good to come out of the STN? Absolutely, the National Industrial Security Program of the United States, marshaled by the Defense Security Service, has brought into play their mandatory insider threat program at all cleared facilities and contractors. These programs became mandatory on June 1 2017.

One might recall the recent arrest of NSA contractor, Reality Winner, who took a highly classified document assessing and discussing the Russian military intelligence entity’s (the GRU) hand in meddling in the US election. Winner, using her privileged access, printed out the report, and then mailed it to a media outlet. Once the NSA saw the document, they quickly determined who had had access, who had printed the document and then who had had contact with a media outlet.

What they apparently weren’t able to do was to determine how and why Winner had privileged access to information to information about which she had no “need to know”.

One could argue this rapid-fire capability used to identify Winner would not have been present without the STN initiatives. On the other hand, one might surmise the privileged access portion of NSA’s STN program continues to need tweaking.