from the perfect-audits? dept
Following on our earlier story about how Ed Snowden
covered his tracks -- showing that the NSA's vaunted "auditability" of its systems is a complete joke -- comes the news that there are approximately
one thousand sys admins with Snowden's authority, who can basically go through any document without any trace. Even more incredible: they can "appear as" anyone else when doing things on the system. In other words if a sys admin wanted to frame an NSA analyst, it sounds like that would be quite easy. The report also notes that, for all of the talk about how great the NSA is at cybersecurity, and the fact that part of the point of CISPA was to try to have the NSA in charge of the nation's cybersecurity, the agency does a piss poor job protecting itself:
“It’s 2013 and the NSA is stuck in 2003 technology,” said an intelligence official.
Jason Healey, a former cyber-security official in the Bush Administration, said the Defense Department and the NSA have “frittered away years” trying to catch up to the security technology and practices used in private industry. “The DoD and especially NSA are known for awesome cyber security, but this seems somewhat misplaced,” said Healey, now a cyber expert at the Atlantic Council. “They are great at some sophisticated tasks but oddly bad at many of the simplest.”
That last sentence really means: "they are great at hacking stuff, but crap at protecting stuff."
As for the thousand or so sys admins on staff, it appears that they have no restrictions or tracking of what they do:
As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.
He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.
If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.
Remember how the NSA at one point said that there were only 35 analysts who could run certain queries? And that all of the queries were tracked and audited. It seems they left out the thousand or so sys admins who could do whatever they wanted with no tracking at all. Does anyone honestly think that none of those sys admins ever was involved in a
"LOVINT" situation? Or something much worse?
Oh, and people will remember that the NSA's new plan to "fix" this it to
get rid of about 900 of those sys admins, rather than fix the actual problem. And, of course, if you know anything about how this stuff works, you'd know that the NSA probably
can't actually automate away 90% of what its sys admins do.
So we're left with an agency that collects a ridiculous amount of info, and has around 1,000 employees (who are mostly actually employed by outside contractors) who can look through anything with no tracking, leaving no trace, and we're told that the data isn't abused. Really? Do Keith Alexander, James Clapper, President Obama, Dianne Feinstein and Mike Rogers really believe that none of those 1,000 sys admins have ever abused the system? And, do they believe that none of the people whom those thousand sys admins are friends with haven't had their friend "check out" information on someone else? Hell, imagine you were someone at the NSA who understood all of this already. If you wanted to abuse the system, why not befriend a sys admin and let him or her do the dirty work for you -- knowing that there would be no further trace?
Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.
Filed Under: audits, cybersecurity, ed snowden, keith alexander, nsa, nsa surveillance, security, sys admins
