Oversight Report: World's Most Powerful Spy Agency Is An Insecure Mess That Can't Keep Tabs On Its Own Employees

from the holy-shit-these-are-one-way-mirrors! dept

The NSA's Inspector General has released its biannual report on its recent investigations. This report is delivered to its Congressional oversight which, let's face it, is generally uninterested in ensuring the Constitutionality of the agency's surveillance programs. Nevertheless, here it is [PDF].

Included are things we know… like the agency's inability to collect phone records correctly under the constraints imposed by the USA Freedom Act. The assumption was leaving the phone records in the control of telcos would reduce overcollection. The NSA proved us wrong. It led to more overcollection, rather than less, leading the NSA to conclude it was better off without this program.

Overcollection had never been considered a problem before, but perhaps the NSA felt there was only so much massive piles of unrelated data could tell it. It decided to can the phone records collection. But, unless Congress decides to codify this voluntary move, it could decide to start overcollecting again.

What is new is the NSA's inability to surveil itself. It has eyes and ears around the world (five at least!) but it can't seem to keep an eye on its own employees. There's a huge disconnect between the agency's surveillance powers and its ability to keep tabs on the staff. It would seem NSA staff would be about the smallest surveillance subset possible, but here we are.

We noticed this inadvertent irony several years ago. The NSA has the power to collect email metadata and content in bulk, but when it comes to responding to FOIA requests, it claims it simply doesn't have the skill set to search internal emails efficiently or accurately. The agency's massive budget apparently all goes to outbound searches. Asking it to find stuff its own employees discussed via email results in a shrug and mumbling about "archaic systems."

You will either be unsurprised or slightly more chagrined by what's contained in the latest report, given this foreshadowing. Exposed in the Snowden stash back in 2013 was the fact that the NSA did not just collect phone records in bulk. It also collected financial records in bulk, hoovering up credit card transactions with its "Follow the Money" program. The purpose was to trace money flowing to terrorists. To achieve this, the NSA approached credit card companies with FISA-approved warrants or subpoenas. No Constitutional protection is given to these third-party records, thanks to a court system that has consistently found that anything Americans share with others should be "shared" with the government.

Given this reach, you'd assume in-house tracking of purchases using… um… company[?] cards would be trivial. Well, that's why assumptions suck. NSA employees are blowing money on unapproved stuff and all the agency can offer is the same shrug it attached to its failed FOIA search.

Specifically, we found that Agency personnel did not adequately monitor cardholder activities, which may have permitted improper cash advances and other misuse of individually billed travel cards. We also made several other findings, including that the Agency did not reconcile centrally billed travel charge card accounts in a timely fashion, and that it failed to provide mandatory travel card training. These risks potentially impact the Agency’s financial liability and public trust in its stewardship of taxpayer dollars.

So… the other definition of "oversight." The NSA collects millions of financial records that may or may not ultimately result in the disruption of a terrorist attack. Meanwhile, back at home, credit cards records generated by its employees are a black box incapable of being scrutinized.

This is not the end of the bad/ironic news. The NSA's middle name is literally "Security." And yet…

In accordance with U.S. Office of Management and Budget guidance, the OIG is required to assess the effectiveness of information security programs on a maturity model spectrum, which ranges from Level 1 (ad hoc) to Level 5 (optimized). The review found that there is room for improvement in all eight IT security areas.

This is an understatement. The NSA's maturity level is easily surpassed by tween Fortnite players.

According to the OIG, "contingency planning" is where the NSA fails the hardest. Good thing, too, since it always seems to be surprised when someone runs off with a bunch of documents and hands them to journalists. A tight ship this is not.

From there, it's a parade of failures. Nearly a third of the $900,00 the agency spent on travel was "determined to be inappropriate." The NSA's Kent Island facility was found to be an insecure mess, although the OIG notes "23 of its 45 recommendations" were addressed immediately. Sole-source contractors were retained because they were "friends" of NSA employees. And, of course, a number of surveillance-related incidents.

The most powerful spy agency in the world can't keep an eye on its own employees. Thank god we're paying them so much off the (official) book to spy on everyone else.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, nsa, overcollection, surveillance