Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures
from the NSA,-where-the-'S'-stands-for-¯\_(ツ)_/¯ dept
In the immediate aftermath of an NSA contractor springing numerous leaks back in 2013, the NSA vowed this would never happen again. It has happened again and it hasn't just been documents. It's also been software exploits, which contributed to a worldwide plague of ransomware.
The NSA was going to make sure no one could just walk out of work with thousands of sensitive documents. It laid out a plan to exercise greater control over access and fail safe procedures meant to keep free-spirited Snowdens in check. The NSA is the world's most powerful surveillance agency. It is also a sizable bureaucracy. Over the past half-decade, the NSA has talked tough about tighter internal controls. But talk is cheap -- at least labor-wise. Actual implementation takes dedication and commitment. The NSA just doesn't have that in it, according to a recent Inspector General's report.
The nation's cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency's inspector general released Wednesday.
Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren't properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they're qualified for the highest-level work they do, according to the overview.
The anti-Snowden efforts are a key failure on the NSA's part. The NSA stated it would implement two-person access control to limit the amassing of sensitive documents/software. This would insure that, if nothing else, the NSA could try to press conspiracy charges against leakers. That hasn't happened. Towards the end of the Inspector General's long list of NSA investigations and recommendations [PDF], the IG notes this key proposal -- offered by Keith Alexander when he was still running the agency -- has yet to implemented. This damning note lies alongside the jarring fact the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers market, it's inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.
Those two points -- closely related to the NSA's ongoing presence in daily news -- are only a small part of the 699 open recommendations from the Inspector General the NSA has yet to fully address. It's not a good look for any government agency, much less one that's supposed to be at the forefront of technology and security.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ed snowden, inspector general, nsa, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
Rubix Cube
[ link to this | view in chronology ]
Media scanning
Uhh... scanning for malware is not the solution to this problem. Commercial scanners won't detect the NSA's malware unless the NSA gives copies in advance, which would defeat the purpose. A custom scanner would be a total waste of time: the time would be better spent fixing the bugs their malware exploits, even if they're never going to send those fixes upstream. And they certainly shouldn't be vulnerable to publically known bugs.
The only vulnerable machines should be those used for testing their malware. Instead of scanning storage media, they need to be scanning their network for vulnerable devices.
[ link to this | view in chronology ]
Re: Media scanning
[ link to this | view in chronology ]
Re: Re: Media scanning
The scanning, though, can be worse than a waste of time: it can itself have vulnerabilities. This is particularly bad if the scanner runs with administrative privilege, and some used to (still do?). It's the same root cause as we saw with a recent exploit on Linux, where some file manager would automatically spawn a Nintendo emulator (!) to create a thumbnail, and it was exploitable.... To scan every obscure file type, you've got to have a parser for each, thereby expanding your attack surface.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
As I've said before, the NSA is only concerned with attack potential of malware and exploits and doesn't give a single hoot about fixing or defending our interests against them. Heck, I don't even think they bother to look at the defensive side of the equation at all, other than as an obstacle to overcome.
I wouldn't mind this if there was another agency specifically devoted to defending against such problems, but the NSA is supposed to be doing both. Perhaps its time to make such an agency.
[ link to this | view in chronology ]
Re:
Don't worry, the FBI is protecting us all. They just need our encryption keys.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Who is leading the blind NSA?
Not all of it, but enough to slow up the systems necessary to stop the future Snowden from blowing the doors open, again.
Or it could be that ransomware has infiltrated the one server that has the plans to update the security.
[ link to this | view in chronology ]
Re: Who is leading the blind NSA?
They appear to be circling the drain as a shitty organization which has likely started to get shittier. Anyone with talent would have likely tried to go elsewhere while the reaction to saying you worked for the NSA reputation was "you must have been good at hacking" instead of "you must be an incompetent pervert without any morals".
[ link to this | view in chronology ]