Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures

from the NSA,-where-the-'S'-stands-for-¯\_(ツ)_/¯ dept

Wed, Aug 1st 2018 11:59am — Tim Cushing

In the immediate aftermath of an NSA contractor springing numerous leaks back in 2013, the NSA vowed this would never happen again. It has happened again and it hasn't just been documents. It's also been software exploits, which contributed to a worldwide plague of ransomware.

The NSA was going to make sure no one could just walk out of work with thousands of sensitive documents. It laid out a plan to exercise greater control over access and fail safe procedures meant to keep free-spirited Snowdens in check. The NSA is the world's most powerful surveillance agency. It is also a sizable bureaucracy. Over the past half-decade, the NSA has talked tough about tighter internal controls. But talk is cheap -- at least labor-wise. Actual implementation takes dedication and commitment. The NSA just doesn't have that in it, according to a recent Inspector General's report.

The nation's cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency's inspector general released Wednesday.

Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren't properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they're qualified for the highest-level work they do, according to the overview.

The anti-Snowden efforts are a key failure on the NSA's part. The NSA stated it would implement two-person access control to limit the amassing of sensitive documents/software. This would insure that, if nothing else, the NSA could try to press conspiracy charges against leakers. That hasn't happened. Towards the end of the Inspector General's long list of NSA investigations and recommendations [PDF], the IG notes this key proposal -- offered by Keith Alexander when he was still running the agency -- has yet to implemented. This damning note lies alongside the jarring fact the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers market, it's inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

Those two points -- closely related to the NSA's ongoing presence in daily news -- are only a small part of the 699 open recommendations from the Inspector General the NSA has yet to fully address. It's not a good look for any government agency, much less one that's supposed to be at the forefront of technology and security.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ed snowden, inspector general, nsa, security

11 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

spikerman87, 1 Aug 2018 @ 12:07pm

Rubix Cube
You want to bet they don't allow Rubix Cubes or any other toys into the building?
[ link to this | view in chronology ]
Anonymous Coward, 1 Aug 2018 @ 12:34pm

Media scanning

This damning note lies alongside the jarring fact the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers market, it's inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

Uhh... scanning for malware is not the solution to this problem. Commercial scanners won't detect the NSA's malware unless the NSA gives copies in advance, which would defeat the purpose. A custom scanner would be a total waste of time: the time would be better spent fixing the bugs their malware exploits, even if they're never going to send those fixes upstream. And they certainly shouldn't be vulnerable to publically known bugs.

The only vulnerable machines should be those used for testing their malware. Instead of scanning storage media, they need to be scanning their network for vulnerable devices.
[ link to this | view in chronology ]
- nope, 1 Aug 2018 @ 3:04pm
  
  Re: Media scanning
  Media scanning on most machines is big waste of time effort and CPU cycles. Let scan for PC virus on non-X86 hardware.... because, oh you never know and the vendor wants to scare you into thinking you must scan on everything all the time.
  [ link to this | view in chronology ]
  - Anonymous Coward, 1 Aug 2018 @ 6:25pm
    
    Re: Re: Media scanning
    I think the idea there is to stop you from copying the file to a vulnerable system.
    
    The scanning, though, can be worse than a waste of time: it can itself have vulnerabilities. This is particularly bad if the scanner runs with administrative privilege, and some used to (still do?). It's the same root cause as we saw with a recent exploit on Linux, where some file manager would automatically spawn a Nintendo emulator (!) to create a thumbnail, and it was exploitable.... To scan every obscure file type, you've got to have a parser for each, thereby expanding your attack surface.
    [ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

Thad, 1 Aug 2018 @ 2:00pm

Replace unhinged, rambling subject lines with random song lyrics.
[ link to this | view in chronology ]
Anonymous Coward, 1 Aug 2018 @ 2:19pm

Considering its foremost place in the malware buyers market, it's inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

As I've said before, the NSA is only concerned with attack potential of malware and exploits and doesn't give a single hoot about fixing or defending our interests against them. Heck, I don't even think they bother to look at the defensive side of the equation at all, other than as an obstacle to overcome.

I wouldn't mind this if there was another agency specifically devoted to defending against such problems, but the NSA is supposed to be doing both. Perhaps its time to make such an agency.
[ link to this | view in chronology ]
- Anonymous Coward, 1 Aug 2018 @ 3:23pm
  
  Re:
  
  Perhaps its time to make such an agency.
  
  Don't worry, the FBI is protecting us all. They just need our encryption keys.
  [ link to this | view in chronology ]
That Anonymous Coward (profile), 1 Aug 2018 @ 4:01pm

I'm not willing to read 41 pages that will just make me more sad... the only thing I want to know is how much we have already paid and are contractually bound to keep paying to outside vendors who sold them the tiger repelling rocks & just keep moving them around to get it just right.
[ link to this | view in chronology ]
Anonymous Coward, 1 Aug 2018 @ 5:21pm

"Says"...lol
[ link to this | view in chronology ]
Darkness Of Course (profile), 2 Aug 2018 @ 1:22pm

Who is leading the blind NSA?
What if, just bear with me, the new Snowdens are running part of the show?

Not all of it, but enough to slow up the systems necessary to stop the future Snowden from blowing the doors open, again.

Or it could be that ransomware has infiltrated the one server that has the plans to update the security.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Aug 2018 @ 11:20pm
  
  Re: Who is leading the blind NSA?
  Well a lot of those measures are a pain in the ass and slow things down, and morale has been in the toilet as everyone thinks of them first and foremost as bad people and even the 'nothing to hide' crowd of toadies rightfully think they are incompetent given things like accidentally releasing a bunch of their malware on a completely unsecured server - just having their own servers hacked without several zero-days would be bad enough leaving it unsecured is literally completely inexcusable when even Amazon Cloud calls for crypto-key regulated direct server access.
  
  They appear to be circling the drain as a shitty organization which has likely started to get shittier. Anyone with talent would have likely tried to go elsewhere while the reaction to saying you worked for the NSA reputation was "you must have been good at hacking" instead of "you must be an incompetent pervert without any morals".
  [ link to this | view in chronology ]