Who cares when or if the United States government ever catches Edward Snowden and brings him to trial for charges of espionage? The damage is already done. I can understand why the U.S. government will continue to pursue him. They have to show all those thousands of contractors and federal employees working in those programs that there will be Consequences. But honestly, is apprehending Edward Snowden going to change anyone’s attitude about the lack of security at the NSA? Is hauling Edward Snowden off to jail going to make anyone change their attitude about the NSA programs that are building huge electronic dossiers about everything we do? I think not. What’s most important about the Snowden leak is what it reveals about the real insider threat at the NSA.
Snowden’s First Revelation
A lot has come out over the past few weeks about what Snowden has leaked. But let’s focus just on the first one, because it’s the one that’s most relevant to insider threat and abuse. As I understand it, the first revelation came on June 6 in “NSA PRISM program taps in to user data of Apple, Google and others” by Glenn Greenwald of The Guardian. The article is fascinating. It claims to be based on a 41 slide presentation from the NSA. The Guardian claims to have verified that it is authentic. The lede of the article, based on this slide in the leaked presentation, says:
“The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by The Guardian.
The NSA access is part of a previously undisclosed program called Prism, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.”
The Guardian also shows us this slide from the presentation which seems to verify the claim.
Greenwald’s article goes on to claim that:
“The Prism (sic) program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.
With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.”
The Guardian article does not show pictures of any slides that back up this claim, and the companies that are shown on the slides as participating have avowed that they have no knowledge of the PRISM program. This might be because the PRISM program specifically says it uses the FBI as an intermediary in communicating with the companies. A company spokesperson can truthfully claim that they haven’t heard of the NSA program because all of their communication has been through the FBI, possibly under a different program name. I wish someone had asked the same companies about the nature of their work with the FBI.
This leaves it up to every individual to interpret that slide from The Guardian. The slide says that “E-mail” is one of the things they will receive from companies. What does that mean, exactly? Interestingly, no one at the NSA has clarified or added any detail. But according to the Greenwald article:
“A senior administration official said in a statement: “The Guardian and Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. This law does not allow the targeting of any US citizen or of any person located within the United States.
The program is subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. It involves extensive procedures, specifically approved by the court, to ensure that only non-US persons outside the US are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about US persons.”
It appears to me that the “senior administration official” is not denying any of the claims made by the Greenwald article.
Finally, the Snowden leak busts the myth that the NSA is collecting information only on non-US citizens. As Greenwald put it:
“In short, where previously the NSA needed individual authorisations, and confirmation that all parties were outside the USA, they now need only reasonable suspicion that one of the parties was outside the country at the time the records were collected by the NSA.”
This is what raises the specter of the insider threat.
The Insider Threat
What shocks me the most is the collection of information about “US persons.” If all the NSA has to do is have a reasonable suspicion that one of the parties of the communication is outside of the US, I’m willing to bet that covers every single person in the United States. How many people have never, ever communicated with someone outside of the United States? Even if you don’t personally know someone who lives outside of the United States, have you ever talked to a friend or relative on Skype or phone who was outside of the US at the time? Have you ever called the customer service number of a company whose call center was located in India or some other country?
Note that the “senior administration official” quoted above says that the program’s procedures “minimize the acquisition, retention and dissemination of incidentally acquired information about US persons,” tacitly acknowledging that such information is collected about US citizens. The only issue is who, how much, and when. Given that no court orders are needed for these collection requests, it’s unclear who gets to decide what is “reasonable suspicion” and how far the NSA is willing to stretch the definition of the word “incidental.” But I will note for the record that the same government includes cryptography on its official “US Munitions List.” It’s no stretch of imagination to think that the NSA defines “incidental” to include everything they can get their hands on.
Given the lack of restrictions and oversight on what constitutes “reasonable suspicion,” and given their history of defining common words to mean whatever they need them to mean, I’ve got to conclude that the NSA can rationalize collecting anything on anybody at any time.
Which leads me to the insider threat problem, which is what I really want to take note of. The NSA, at least by reputation, is one of the most secretive and secure organizations on the planet. And they were unable to put the necessary IT security controls in place to prevent Snowden from having access to the information.
The first question on my mind is, what IT controls failed that allowed this leak to happen? Was there a misconfigured access control list somewhere? Were hacked credentials involved? Did Snowden have access to the network infrastructure that allowed him to bypass the security controls?
Snowden worked at Booz Allen Hamilton, which is one of the companies contracted to run the program. “Job Title Key to Inner Access Held by Snowden” by Scott Shane and David E. Sanger of the New York Times dives into the issue of whether Snowden was truly a “systems administrator” as claimed by the NSA or if his job title was “infrastructure analyst,” the government job title term for someone who figures out how to break into IT systems. But let’s take the government’s claim at face value and assume Snowden was a systems administrator.
If it’s true that Snowden was a systems administrator, it seems to me that the most likely explanation for how Snowden obtained the presentation he revealed to the world is that he abused his administrative access to the IT systems. The New York Times article claims that Snowden took a pay cut to get into the position that he did so he could collect more information to leak, including “lists of machines all over the world the N.S.A. hacked.”
No IT security control in the world can prevent an authorized insider from having a change of conscience. Once that change of conscience occurs, that person changes hats from “good guy” system administrator to “threat agent” or “attacker.” How many IT organizations in the world can design a functioning IT data center and secure it with the assumption that any of the system administrators, at any time, could be an attacker? That is a nearly impossible task, even, apparently, for the NSA.
And at some level, they don’t have to. The legal consequences of doing things the way Snowden did are more than enough to keep systems administrators from revealing the information they have access to. But the Snowden revelations show that sometimes, people’s consciences get the best of them and it makes them risk everything. It is often said in the hacker community that “information wants to be free.” But sometimes the cost is very high.
What I fear most about the NSA data collection is the petty abuse that might go undetected. The newspapers are rife with stories about low-level bureaucrats digging up dirt about ex-girlfriends and obnoxious neighbors by trolling through DMV records or other agency records. Remember during the 2008 campaign when a completely innocent man, “Joe the Plumber,” had his state records hacked by a government employee when he became famous after talking to the President? The Washington Post has a pretty good summary in “Ohio IG Report: Joe the Plumber’s records were improperly searched.” And at the federal level, we’re in the midst of a major scandal at the IRS, another federal agency that’s supposed to have unimpeachable trust and security, in which the power of the IRS was used to harass political opponents. There is no dispute that it happened. The only dispute is how high up the chain of command the orders came from. The TaxProf blog has a good roundup of the evolution of this scandal. But the bottom line is that the IRS agents harassed organizations and denied their tax-exempt status during the height of the Presidential campaign, when they could have had an effect on the election.
Who’s to say that the NSA PRISM program won’t be used for capricious political attacks on the enemies of whoever is in power at the White House? That’s the real insider threat that Snowden has revealed.