NSA Hasn’t Implemented Post-Snowden Security Fixes, Audit Finds

Patrick Semansky/AP File Photo

The spy agency also fell short on numerous information security requirements, according to its first public audit overview.

The nation’s cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency’s inspector general released Wednesday.

Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren’t properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they’re qualified for the highest-level work they do, according to the overview.

Perhaps most striking, the agency has not properly implemented “two-person access controls” on its data centers and equipment rooms.

Former NSA Director Gen. Keith Alexander instituted the two-person access system after contractor Edward Snowden leaked reams of data about agency spy programs in 2013. The general idea is that no employee or contractor can access sensitive information unless another employee approves it.

Those information security weaknesses are described in the unclassified version of the NSA inspector general’s semiannual report to Congress. The inspector general previously only produced a classified version of the report.

The information security weaknesses above are all listed as “significant outstanding audit recommendations,” meaning they’re high priorities for the auditor and are all at least six months old.

As of March 31, NSA had 699 open inspector general recommendations, according to the report, 76 percent of which were overdue. It’s not clear how serious those recommendations are and many likely do not deal with information security or technology.

The report focuses primarily on new audits conducted between Oct. 1, 2017, and March 31, 2018. One key conclusion from those audits is that the agency is routinely failing to gather all the necessary documentation before it authorizes a computer system to operate.

That lack of due diligence raises the possibility those computer systems could malfunction or might contain coding vulnerabilities that could be exploited by hackers from adversary nation-states such as Russia and China.

During the six-month reporting period, auditors found at least some paperwork that was missing for every single system assessed for an “authority to operate,” according to the overview.

Auditors also discovered that NSA isn’t up to date on implementing information security guidance under the Federal Information Security Modernization Act and doesn’t have an authoritative inventory of its IT systems.

The auditors discovered flaws in three systems NSA uses to provide information online, which risk exposing classified information or leaking U.S. citizens’ personal information.  

Those flaws include not adhering to IT security policies.

“The goal of publicly issuing an unclassified version of the [semiannual report] is to be as transparent as possible about how the NSA OIG conducts rigorous independent oversight that detects and deters waste, fraud, abuse, and misconduct,” Inspector General Robert Storch said in a statement.

Auditors also found that NSA has put controls in place that stop agency offices and contractors from purchasing software without the required approvals but hasn’t put those same protections in place for hardware purchases.

They also found the agency’s process of retaining emails to comply with federal records laws is inadequate and ineffective. NSA isn’t storing the records it does have effectively and hasn’t developed sufficient guidance to fix the problem.

Two NSA contractors were accused of fraudulently charging the agency for more than 2,400 hours they didn’t actually work and costing the agency about $470,000. The contractors’ cases were referred to federal prosecutors in Maryland for possible prosecution.