The Insecure Thumb Drive

I couldn’t resist posting on this since it ties in with a number of things I’ve mentioned over the years here. The LA Times is reporting that Edward Snowden, Glenn Greenwald’s informant on the secret NSA data-mining projects, smuggled his info out of the NSA facilities on a thumb drive:

WASHINGTON — Former National Security Agency contract employee Edward Snowden used a computer thumb drive to smuggle highly classified documents out of an NSA facility in Hawaii, using a portable digital device supposedly barred inside the cyber spying agency, U.S. officials said.

Investigators “know how many documents he downloaded and what server he took them from,” said one official who would not be named while speaking about the ongoing investigation.

Snowden worked as a system administrator, a technical job that gave him wide access to NSA computer networks and presumably a keen understanding of how those networks are monitored for unauthorized downloads.

“Of course, there are always exceptions” to the thumb drive ban, a former NSA official said, particularly for network administrators. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”

My clients who are genuinely concerned about security have disabled all USB ports on workstations, have banned Bluetooth, don’t have writable CD or DVD drives on workstations, and, generally, don’t allow any removable device on workstations. Being looked at “funny” as the primary deterrent sounds like a pretty low level of security to me.
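As an added illustration of the enforcement side of a removable-media ban (example code written for this page, not from the post or from any organization it mentions): a small reviewer for constructed audit lines that checks every USB storage attach against a hypothetical exception register of users and their approved device serials, so that the “special permission” cases are the only ones that pass and everything else is flagged for review.

```python
import re

# Constructed sample audit events (fictional hosts, users and serials).
SAMPLE_LOG = """\
2013-06-10T08:14:02 host=ws-04 user=jdoe event=usb_storage_attach serial=SN-1001
2013-06-10T08:15:40 host=ws-04 user=jdoe event=usb_storage_detach serial=SN-1001
2013-06-10T09:02:11 host=ws-17 user=admin2 event=usb_storage_attach serial=SN-2002
2013-06-10T09:30:55 host=ws-17 user=admin2 event=usb_storage_attach serial=SN-9999
2013-06-10T11:45:00 host=ws-09 user=admin1 event=usb_storage_attach serial=SN-3003
"""

# Hypothetical exception register: user -> set of approved device serials.
# Anyone not listed here has no permission to attach removable storage at all.
EXCEPTIONS = {
    "admin1": {"SN-3003"},
    "admin2": {"SN-2002"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) serial=(?P<serial>\S+)$"
)


def parse_events(text):
    """Parse the constructed key=value log format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_violations(events, exceptions):
    """Return (ts, host, user, serial, reason) for every attach event that the
    exception register does not authorise. Detach events are ignored."""
    violations = []
    for e in events:
        if e["event"] != "usb_storage_attach":
            continue
        approved = exceptions.get(e["user"])
        if approved is None:
            reason = "no removable-media exception on file for this user"
        elif e["serial"] not in approved:
            reason = "device serial not on the user's approved list"
        else:
            continue  # permitted user with an approved device
        violations.append((e["ts"], e["host"], e["user"], e["serial"], reason))
    return violations


if __name__ == "__main__":
    for v in find_violations(parse_events(SAMPLE_LOG), EXCEPTIONS):
        print(*v)
```

On the sample above the reviewer flags two events: a user with no exception at all, and a permitted administrator using a device that is not the one registered to them.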

How is it that low-level employees (since, by all accounts, Snowden was a low-level employee) are in a position to dictate policy? Where is the enforcement? There is an obvious management problem that has not received nearly enough attention in this affair. We’re seeing quite a bit of that these days.

There’s a certain amount of cognitive dissonance involved on the part of those defending the federal government’s surveillance and data-mining projects. On the one hand you’ve got to believe the government will keep all of this data and analysis perfectly secure, while the evidence of our own senses tells us that’s not the case. We wouldn’t be having this discussion if the government had been able to keep the information perfectly secure.

The NSA’s case is similar. They need all of this information to prevent attacks but if there’s one thing the Boston Marathon Bombing proves it’s that however much they’re gathering it isn’t enough.

There’s a case to be made (not a case I agree with, mind you) that if gathering, collating, and analyzing every sort of electronic communication makes us even a little bit safer, then gather away! What if it doesn’t make us a bit safer? What if it exposes us to new insecurities as, for example, if hackers get hold of the data or the analyses?

  • jan

    George Bush used the security angle during his presidency too. That OBL tape that surfaced, just before his 2nd term election, was suspect, IMO. However, to the credit of the press, Bush was called on practices and decisions that had the appearance of overreach. This current president, though, for the most part, is not. For the only action on surveillance Obama has taken is to double down on it. And, while there is much yet to understand about Snowden’s part in the NSA’s data mining schemes, the very fact that it has exploded into the public’s consciousness is important.

    Like a lurking shadow, I just don’t think people are aware of the encroachment of Big Brother, in the form of big government, that has been created over the years. From Wilson, to FDR, Johnson, Bush and now Obama, we are exchanging civil rights and freedoms to soothe government-created fears for our safety. I personally don’t believe such an exchange is either worthy or wise.

  • Jimbino

    Have you ever studied economics? It’s all about opportunity costs, which in this application means that the more we spend with diminishing returns on security, the less we have to spend on other important things, like water, food and liberty.

    Furthermore, “we want accidents to happen” is an important motto, which in this application means that we can’t afford perfect security if imperfect security, considering the costs of failure, is cheaper.

  • Red Barchetta

    “There is an obvious management problem that has not received nearly enough attention in this affair. We’re seeing quite a bit of that these days.” “On the one hand you’ve got to believe the government will keep all of this data and analysis perfectly secure while we have the testimony of our sense that’s not the case.”

    Given that, I’ve got a smashing idea.

    Let’s turn over the healthcare system to government.

    What could possibly go wrong?

  • Andy

    I wouldn’t consider him a “low level” employee. It appears he was a system administrator, which is a role that would, naturally, give him greater access to the computer systems than a regular user. On government networks there are pretty severe restrictions on any portable media. I am not able to, for example, use any kind of USB media, burn CDs, etc. They not only ban things like Bluetooth, but they remove the Bluetooth and wireless hardware from the computers. There is very good port security, switches are in sealed, locked cabinets, etc.

    That said, needs are mission-dependent and some people do require the ability to use portable drives or burn CDs. However, that is only possible if one has a definite need and is willing to do the necessary paperwork and follow the procedures (both of which are a pretty big disincentive by themselves).

    So to me it’s pretty obvious Snowden exploited his sysadmin access in order to use a thumb drive. It’s also pretty obvious that he would have been caught had he not come out thanks to logs that are reviewed regularly (speaking from personal experience here).

    Snowden is atypical because most people who steal classified information do not want to get caught. The security protocols in place are generally pretty good at catching “moles” who intend to be a long-term source of classified information for a third party. Combined with personal security measures (the clearance process), it’s very effective but, of course, not perfect. Someone like Snowden is more problematic because he didn’t care about getting caught. The ability to steal classified information one time to dump it is much harder to defend against from a practical standpoint, especially when that person has administrator access to the network.

    After Bradley Manning, there were several network security changes that made life more difficult for typical analysts like me. I’m already dreading what the comm Nazis have in store thanks to Snowden.

  • PD Shaw

    @andy, I hope to hear more about how Snowden got his position. It’s a bit condescending to point out he is a high-school dropout and recently worked as a security guard, but it is an unconventional leap to a $200k job and high-level security access. It’s probably a mistake to focus on Snowden, who has an unconventional psyche, but instead we should be scrutinizing his employer.

  • but instead we should be scrutinizing his employer.

    In essence, that’s what I’ve been suggesting in the various threads on the subject over at OTB. I’ve mentioned my skepticism over Snowden’s wage and procedures and policies at Booz Allen Hamilton.

    What I haven’t mentioned there is that in all likelihood BAH is working on a cost-plus contract, possibly with a directed bid. That would mean that they have every incentive to pay excessive wages and maintain it’s the going rate.

    There are probably a dozen regular commenters at OTB who are better qualified than Snowden and probably make half that or less. My general impression is that the commenters are disproportionately in IT or at least were.

    The security clearance isn’t that big a deal. Heck, I went through the process once upon a time. It was about forty years ago but still.

  • PD Shaw

    There was an interesting back-and-forth at OTB from people who sound like they work in this area about whether or not (and why not) the computers have USB ports. Older computers might, but it sounds like special wiring is not something that the government wants to pay for. I don’t know if the discussion continued, but I find that rationale implausible for contract work. The government may not want to pay for it, but I’ve seen government contract bid documents; that’s an easy line to insert and let the contractor worry about the details.

  • Andy

    PD,

    The fact that he dropped out is irrelevant since he got his GED. What matters are the computer certifications which are typically required for system administrators and, of course, the clearance. Contractors won’t hire people who need a clearance unless there is no other choice. Dave’s experience about the clearance process is dated. It typically takes 1-2 years to get a top-level (SCI) clearance and it costs $20-30k. Besides the usual background, credit and agency checks, they send out agents to interview your friends, family, associates, previous employers, neighbors etc. For a first-time clearance they go back 7 years. A clearance is good for 5 years before it must be renewed using largely the same process in what’s called a periodic review. Some particularly sensitive positions also require regular polygraphs. The Office of Personnel Management runs the clearance process.

    I think this has almost nothing to do with BAH. I have a lot of experience with intelligence contractors and, for the most part, they are usually “embedded” in the organization they are supporting. In this case it was the NSA. Snowden wasn’t working at a BAH office, he was working in an NSA facility. Management relationships can be complex in these cases with a lot of variability – there is often an administrative management chain through the company and an operational management chain through the supported organization. It’s hard to say how things worked with BAH and Snowden without more information, but Snowden would be required to follow whatever security rules were in place at the facility where he worked.

    Finally, the government generally orders pretty generic Windows-based computers and I haven’t seen any without USB ports. For classified networks there have been plans to move to client-server based systems with “dumb” terminals, but that hasn’t happened yet.

  • steve

    Andy- I see a lot of complaining about the NSA, but few people offering alternative views on what should be done to balance security vs. civil liberties. Any ideas, or have you read anyone who has written on the topic, preferably someone with real knowledge about national security and intel issues?

    Steve

  • Andy

    steve,

    Unfortunately I don’t have any recommendations. This last week kind of sucked because I was sick and had a crap-load of work, so I didn’t read a lot on this topic. And, frankly, what I did read was more frustrating than anything. It’s tough, though. Those who really have the kind of knowledge to really inform the discussion are hesitant because they don’t want to inadvertently discuss something they shouldn’t. Intel people are kind of bred to not talk about such things.

    One thing I did do over the weekend was a bit of research on the history of wiretaps, which is a lot more interesting than I thought and probably relevant today. Congress and the courts were faced with a new technology and over the course of several decades muddled through until the 1930’s when the foundations for what we have today really began.

    As for my own ideas, there is what I think will happen and what I’d like to see happen. On the former, I think we’ll probably muddle through and get to some kind of consensus at some point down the road. On the latter I’d like to see Congress really examine this issue and come up with something that’s better than what we have now. Hard to do that when half of Congress doesn’t even bother to attend briefings on the topic when it’s big news; I’m sure attendance is normally much less than that. Unless it involves fundraising or bringing home the federal bacon, most of Congress isn’t interested. This is just the kind of topic they don’t like and would rather ignore for quite a few reasons. This is just another example, IMO, of Congress neglecting its duties.

    One suggestion I would make is to give the Congressional Research Service a staffed “classified reading room” with cleared, knowledgeable personnel to really inform Congress. In short, dig a well even if the horse won’t drink from it.

  • jan

    Hard to do that when half of Congress doesn’t even bother to attend briefings on the topic when it’s big news;

    Andy,

    The fact that such a large swath of Congress blew out of town, rather than attend a meeting discussing the NSA in more detail, was shocking to me. I don’t understand their disinterest in something that, as you say, is relevant and “big news” today.

  • Cannons Call

    Government is completely and totally out of control.

    “Any person that gives up some freedom for greater security deserves neither” Ben Franklin

    I will go with Ben Franklin.

    Most of the security measures and laws are already in place. The reason we are where we are is that 20 folks in 2001 that should have been deported or detained were not. We keep being told that more measures need to be put in place. Whatever happened to the prudent man theory? Go about your business and be alert to your surroundings. Instead we are apparently all morons that can’t help.
