Four years after National Security Agency contractor Edward Snowden leaked domestic surveillance data, and weeks after the 2016 breach of NSA’s own hacking tools was traced to Russian sources, the agency was still behind in its strategy for securing its internet-based collection systems from insider threats, a watchdog found.
In an August 2016 secret report, a redacted version of which was released Monday in response to a Freedom of Information Act request, the Defense Department inspector general said NSA lacked a strategy and detailed implementation plan for completing its “secure-the-net initiatives” aimed at protecting classified information from malfeasant employees and contractors with access to the data.
Among other things, NSA failed to consistently secure server racks and other sensitive equipment and had not fully implemented two-stage authentication for its high-level administrators, the IG found. The auditors focused on seven specific initiatives they believed “presented the highest risk to NSA’s ability to secure network access, protect against insider threats, and provide increased oversight of personnel with privileged access.”
The IG identified internal control weaknesses at NSA labs in Washington, D.C., Texas, Utah and North Carolina, although auditors acknowledged improvements in recent years.
The failure to employ an overall strategy to create a structured framework, the IG said, means the agency’s actions to date “did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.”
Based on previous related reports, the auditors said, NSA’s information security team had implemented four of seven key steps—developing a documented plan for a new system model; assessing the number of system administrators at NSA; implementing two-person access controls at data centers and machine rooms; and installing two-stage authentication controls for administrators.
However, NSA failed to “fully implement technology to oversee privileged user activities; effectively reduce the number of privileged access users; and effectively reduce the number of authorized data transfer agents.”
The report recommended that the director of NSA’s technology directorate, who also serves as the central security chief information officer, update procedures requiring data and machine room managers to effectively manage keys to server racks. It also recommended the CIO develop a strategy to expand the two-stage authentication controls and implement automated, technology-based monitoring for all administrators.
That official agreed, though the IG said he still had not fully documented his strategy.