A new government report shows that National Security Agency (NSA) officials failed to tighten security controls and follow mandates to reduce the number of users with access to its most top-secret data after Edward Snowden’s high-profile leaks in 2013.
The declassified report was publicly released earlier this week, albeit heavily redacted, in response to a Freedom of Information Act lawsuit filed by The New York Times.
According to the report, an investigation by the Defense Department’s inspector general completed in August 2016, the NSA failed to lock racks of servers and data center rooms that stored highly sensitive data.
In addition to its many security pitfalls, the agency was portrayed in the report as having negligent internal controls before the Snowden leaks and “did not fully meet the intent of decreasing the risk of insider threats to its operations and the ability of insiders to exfiltrate data.”
The initiatives to cut the number of people with access to classified data were part of a broader post-Snowden measure, called “Secure the Net,” to strengthen protections of its sensitive surveillance and hacking methods.
The inspector general found that the agency had failed to substantially reduce the number of officials and contractors who were granted access to download data classified as top secret, as well as the number of “privileged” users, who were given access to NSA’s most sensitive computer systems.
Furthermore, NSA officials admitted they were clueless as to how many employees or contractors were designated data transfer agents prior to Snowden’s leaks because they lost a “manually kept spreadsheet” that tracked the number of privileged users after the inspector general repeatedly requested the agency furnish documents identifying the initial number.
The NSA then sought to reduce access by “arbitrarily removing” privileged access from users and instructed them to reapply for authorization.
While this measure allowed for the agency to determine how many users are currently granted privileged access, it did not answer the question of how many users had access prior to losing their clearance. In short, the agency has no way of knowing how many reductions were actually made.
The NSA’s “manually kept list” tracking the number of agents authorized to use removable devices to transfer data to and from the agency’s servers was “corrupted” leading up to Snowden’s leaks.
To make matters even worse, the report also claims the NSA also did not implement software to track the activities of its users with access to sensitive data during that time.
With the report finalized in August 2016, it remains unclear what steps have been taken since then to reduce the number of employees and contractors with access to its top secret data.
NSA spokeswoman Vanee Vines issued the following statement on the report’s findings:
“We welcome the observations and opportunities for improvement offered by the U.S. Defense Department’s Inspector General,” she said. “NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls.”
JOIN THE MOVEMENT to SAVE THE NATIONAL ANTHEM
Please join the thousands of DML readers who have purchased a bumper sticker. CLICK HERE.
If you would like to receive Breaking News text alerts on a smartphone or tablet, download the DML APP which is completely FREE and easy to use. Go to the Google Play Store or the IOS App Store and search for DML APP. Be sure to keep the app’s notifications setting on. Another way to receive alerts is to text to 40404 the following message: follow @realdennislynch (be sure to put a space between the word follow and the @ symbol).
To see more stories like this, sign up below for Dennis Michael Lynch’s email newsletter.
Sign up to get breaking news alerts from Dennis Michael Lynch.
Trump Tweet: Meeting with Modi