What Snowden's thumb-drive stash of NSA secrets means for feds

The classified information leaked to media outlets by former National Security Agency contract employee Edward Snowden was smuggled out of an NSA facility using a thumb drive, according to a report by the Los Angeles Times.

The very thought of an individual strolling out of the confines of one of the most secure organizations in the world with an assortment of national secrets should be enough to send shivers down the back of any federal IT leader.

If it can happen to the NSA – which prohibits the use of flash drives and uses a bevy of digital and physical security measures to prevent information from leaving its networks – what does that mean for other agencies?

Yet Snowden's actions are an important reminder for federal agencies, according to A.N. Ananth, CEO of EventTracker, a company that specializes in security information and event management (SIEM) systems with major clients in the private and public sector.

In many ways, the technology designed to secure, protect and track information on a network is only as good and reliable as the people within the organization, and even the best defensive systems rely on trust. In general, federal agencies and contractors can use only thumb drives that meet FIPS 140-2 certification, part of a set of federal requirements written by the National Institutes of Standards and Technology. But even the most stringent standards cannot stand up to someone who is not forced to adhere to them.

In Snowden's case, NSA officials have yet to publicly confirm how he took classified secrets, leaked a few to the media and took the rest on a one-way trip to Hong Kong, but Ananth said the signs point to Snowden being trusted a little too much.

Snowden's job as a system administrator may have allowed him special use of thumb drives, but it appears nobody from the organization responsible for worldwide surveillance was keeping an eye on him.

"Everything about Snowden is special, he seems to have been trusted to do all kinds of things," Ananth said. "From the get-go, the rules that you expect to apply to him, he was exempted from. The NSA has every kind of technology to safeguard against this, but they weren't paying attention when the trusted guy plugged in that USB. The insider threat is difficult to guard against, and more than the technology, it appears that oversight was absent. And the fact of the matter is that any technology can be circumvented."

Ananth said Snowden "is a professional," representing the most dangerous of four types of internal threats federal agencies face. The others are:

• Disgruntled employees: A network manager passed over for a raise or an administrator who has received a pink slip are perfect examples. An upset employee with the ability to change server passwords can pose dangerous problems, and there are documented cases of personnel attempting to hold an organization hostage through passwords. Ananth said disgruntled employees are common threats.

• Opportunists: If a system administrator leaves payroll open, the opportunist might sweep in to glean information he or she is not authorized to see. Ananth said opportunists and disgruntled employees are the most common threats federal agencies face from within.

• "The Duhs:" The clueless folks who have no idea about security measures. These are the people who would insert a flash drive into their machines without knowing who it belonged to or where it came from and never understand the risk of doing so. These individuals too are common in federal agencies, Ananth said.

Yet while these other threats are more common, Anath noted that professionals like Snowden "know what they are looking for, and they are gone in 60 seconds."

How can federal agencies guard against that?

For a time, the Defense Department banned thumb drives outright after malicious code was introduced to DOD's U.S. Central Command. In this instance, DOD took what Ananth called the "lockdown approach," banning an incredibly important and useful tool to hopefully curtail any security threat it might come with.

Too many organizations, however, go to the other extreme and apply what Ananth called a "Kumbaya approach," where an organization essentially "assumes everyone is on the up-and-up." Even small departments with such an approach can cause major harm to the larger organizations of which they are a part.

He said the best approach is the one that former President Ronald Reagan described as "trust but verify." DOD relaxed its all-out ban on thumb drives in 2010 in favor of highly-controlled restrictions placed on thumb drive usage, in part because thumb drives were so useful.

Ananth said some private-sector companies have taken similar routes, "disavowing access entirely," issuing only company-produced USB sticks and auditing every instance a thumb drive is placed in a computer. The technological tools and policies already exist to give organizations the best chance at preventing data leaks or theft, Ananth said, but most organizations simply lack the discipline to implement them fully.

"It's like with a healthy diet, lots of people know what to do, but they'll still go for a burger and milkshake," Ananth said. "That discipline is not a question of whether they have the technology or whether they do or don't know how to use it – the government wrote the book on a lot of this stuff. But somehow the house is disorganized, and agencies are going to need to have discipline to clean it up."

And here again, the NSA may offer a useful example. Director Keith Alexander informed the House Intelligence Committee on June 18 that his agency plans to implement a "two-person" system to prevent the next Snowden from being able to copy data alone. Under the rule, anyone wishing to copy data to a portable device would be overseen by a second person.