Watchdog: NSA needs to boost insider-threat protocols

While the intelligence agency has implemented several of the Secure-the-Net initiatives launched in the wake of the Edward Snowden leak, additional steps are still needed.

Shutterstock image: breached lock.

The National Security Agency is still not fully implementing all necessary security protocols to minimize the potential of another Edward Snowden-like data breach, according to a newly declassified 2016 Pentagon watchdog report.

In the wake of the Snowden breach, the NSA outlined 40 privileged-access “Secure-the-Net” initiatives designed to guard against insider threats by tightening controls over data and monitoring of user access.

The Defense Department's Office of the Inspector General audited seven of the STN protocols and found that the NSA implemented or partially implemented four of the audit sample. Those related to developing a new system administration model, assessing the number of systems administrators, implementing two-stage authentication controls and deploying two-person access controls.

According to the heavily redacted report, the NSA culled the number of systems administrators and implemented a tiered system to take away privileged access from those who do not require it.  

The report states the NSA only partially implemented two-stage authentication and two-person access controls and “did not consistently secure server racks and other sensitive equipment” in data centers and machine rooms.  

The three audit initiatives where the NSA missed the mark were in reducing the number of privileged users and data transfer agents as well as fully implementing technology to oversee privileged-user activities.

“NSA did not effectively implement the three initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness,” states the audit. “As a result, NSA’s actions to implement STN did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.”

The report states that prior to 2013, the NSA did not know how many privileged users and data transfer agents it had, and that throughout 2014 the number of DTAs actually increased.

The report acknowledges that it is not possible to protect against all insider threats, but stresses that NSA must at least implement all of its own stated protocols.

“Although the NSA worked in a fluid situation, NSA should have developed a strategy that detailed a structured framework and methodology for implementing STN to ensure its actions were effective in mitigated vulnerabilities exploited during the security breach,” the report states.

The NSA’s woes did not end with the Snowden breach. In August 2016, a cryptic group or individual going by the name “TheShadowBrokers” announced it had acquired a trove of NSA hacking tools and has since been leaking some of the data in an attempt to seduce buyers to pay for the remaining stash.

It is still not clear whether the so-called ShadowBrokers obtained the data through an insider.

The DOD OIG report made three recommendations -- all of which were fully redacted -- and according to the document, the NSA agreed with the recommendations.

The NSA responded to questions about the audit from FCW with an email statement.

“The National Security Agency operates in one of the most complicated IT environments in the world,” the NSA stated. “Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies around the clock.” 

According to the statement, the NSA has undertaken a “comprehensive and layered set of enterprise defensive measures to further safeguard operations and advance best practices across the Intelligence Community.”

“NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls,” the statement concluded.