NSA’s Grand Plan to Snowden-Proof Its Data Using the Cloud

Almost two years ago, the National Security Agency forever lost its “No Such Agency” nickname at the hands of one of its contractors -- a once-trusted insider by the name of Edward Snowden.

Snowden’s stream of leaked NSA secrets about classified surveillance programs shined the public spotlight on the clandestine government organization. Though the stream has now dissipated to a trickle, the impact to the intelligence community continues.

To privacy activists, Snowden’s leaks were a godsend. They forced a national discussion on government surveillance and even coaxing the likes of Director of National Intelligence James Clapper to admit the intelligence community needs to be more transparent.

Yet, the leaks have “had a material impact” on NSA’s ability to generate intelligence around the world, NSA Director Michael Rogers said back in February.

Within NSA’s Fort Meade, Maryland, headquarters, no one wants to face another Snowden. With NSA’s widespread adoption of cloud computing, the spy agency may not have to.

Could the Cloud Have Stopped Snowden?

NSA bet big on cloud computing as the solution to its data problem several years ago.

Following expanded legal authorities enacted after the Sept. 11, 2001, terrorist attacks, NSA and the other 16 agencies within the intelligence community began to collect a gargantuan amount of intelligence data: Internet traffic and emails that traverse fiber optic cables; telephone call metadata; and satellite reconnaissance.

Much of that intelligence piled up in various repositories that had to stock up on servers to keep up with demand.  

NSA’s GovCloud -- open-source software stacked on commodity hardware -- creates a scalable environment for all NSA data. Soon, most everything NSA collects will end up in this ocean of information.

At first blush, that approach seems counterintuitive. In a post-Snowden world, is it really a good idea to put everything in one place -- to have analysts swimming around in an ocean of NSA secrets and data?

It is, if that ocean actually controls what information analysts in the NSA GovCloud can access. That’s analogous to how NSA handles security in its cloud.

NSA built the architecture of its cloud environment from scratch, allowing security to be baked in and automated rather than bolted on and carried out by manual processes. Any piece of data ingested by NSA systems over the last two years has been meta-tagged with bits of information, including where it came from and who is authorized to see it in preparation for the agency’s cloud transition.

Data in the GovCloud doesn’t show up to analysts if they aren’t authorized, trained or cleared to see it, according to NSA Chief Information Officer Lonny Anderson.

“While putting data to the cloud environment potentially gives insiders the opportunity to steal more, by focusing on securing data down at cell level and tagging all the data and the individual, we can actually see what data an individual accesses, what they do with it, and we can see that in real time,” Anderson told Nextgov. “So we think this actually dramatically enhances our capability.”

NSA cloud strategist Dave Hurry further clarified NSA’s approach to securing data within GovCloud.

“We don’t let people just see everything; they’re only seeing the data they are authorized to see,” Hurry told Nextgov.

What about adventurous, negligent or potentially nefarious insiders? How exactly Snowden ferreted out NSA’s secrets for months across numerous databases and evaded detection remains uncertain. But what is clear is that his actions should have thrown up some Utah Data Center-sized red flags. They didn’t.

GovCloud’s other baked-in security features are likely to deter all but the boldest of would-be rogue insiders. In the past, Anderson said, disparate data repositories contained log files to track user behavior, but those logs “had to be manually reviewed.”

That’s not a good recipe to catch malicious behavior. GovCloud automates those monitoring processes and flags network security personnel, Anderson said, when a user attempts to “exceed limits of authority.”

In other words, if NSA had this cloud-based system in place two years ago, Snowden wouldn’t have made off with what NSA Deputy Director Richard Ledgett in a 2013 interview called the agency’s “keys to the kingdom.” According to NSA officials, if GovCloud works as they believe it will, Snowden may have never left Hawaii, where he lived and worked, without his actions raising alarm bells.

“The [GovCloud] system could prevent it,” Anderson said. “But what it would have immediately done is highlighted and told our network security heads that someone is pulling a lot of data.”

That information would “allow us to visit the individual,” or “we could shut it down at the point we saw it,” Anderson said.

“It would have prevented what Mr. Snowden did,” Anderson added.

More Than Just Security

More than simply Snowden-proofing its data, GovCloud’s other features make it even more attractive to analysts and top agency officials charged with protecting national security interests.

GovCloud’s architecture has a “fact-of” function that alerts analysts that additional data on a query may be available but inaccessible based on the analyst’s access controls.

“That’s what will tell you there is other data available; you just aren’t authorized to see it,” Anderson said. “And if you need to see it, here is who to contact.”

NSA’s cloud migration will also significantly beef up the agency’s ability to comply with a plethora of legal rules, mandates and executive orders. Just as security is automated in NSA’s cloud, so too are compliance measures such as data preservation orders or data retention rules.

“We think from a compliance standpoint, moving from a whole mess of stovepipes into a central cloud that has a lot more functionality gives us more capability,” said Tom Ardisana, technology directorate compliance officer at NSA.

Old repositories operating on legacy architecture predate many more recent laws and policy changes. The USA Patriot Act of 2001, for example, was authored into law after some of NSA’s existing legacy repositories were built, so NSA’s only option to adhere to evolving policies was to “bolt on compliance,” Anderson said.

“Whenever you bolt on compliance to address a particular issue, there is always a second- and third-order effect for doing that,” Anderson said. “It’s an extremely manual process. There is risk built in all over that we try to address. The cloud architecture allows us to build those issues in right from the start and in automated fashion address them."

As NSA further transitions to using cloud, analysts will make better use of their time, making queries against one database instead of repeated ones against dozens of relational databases.

NSA’s centralized cloud will also alleviate uncertainty regularly faced by analysts when they query databases.

After running a query, analysts sometimes wonder whether they are actually authorized to view certain data. That kind of doubt influences what and how analysts generate intelligence reports. With the GovCloud, on the other hand, analysts will have near certainty that they’re only seeing information they are supposed to see.

Moving More than Data to the Cloud

NSA has been slowly migrating users to its new cloud architecture to ease the transition, but the pace has begun to pick up speed. Three weeks ago, Anderson said NSA transitioned users off three of the biggest legacy repositories into its cloud environment. Those users include NSA personnel, Defense Department and other intelligence community personnel.

“It’s a huge step forward,” Anderson said.

It’s important to note it's not just data moving to the cloud.

A big part of the process is also transitioning NSA’s applications and tools to the new environment. Even the way analysts interact with data is changing. The agency, Hurry said, has gone to great lengths to ensure a “minimum viable functionality” for its cloud architecture, orchestrating trial periods in which analysts conduct all their work in the cloud.

“Advantages we’re seeing include a faster time to market and improved analysis and analytics,” Hurry said.

The move has not come without obstacles. The cloud organizes data differently than old repositories, and some analyst methods do not translate to NSA’s cloud model. However, the agency is training analysts on new methodologies.

“One of the challenges we have had to work through is mixing new features and making sure there is no break in service for existing features analysts depend on,” Hurry said.

Closing down repositories filled with untold racks of servers the way NSA did three weeks ago will also save the agency money in operations and maintenance. Some of those systems are decades old. Servers housed in closed repositories will be destroyed and their data deleted, Anderson said.

In the coming years, closed repositories will come to signal the success of NSA’s bet on cloud computing. Will it prevent the next Edward Snowden-like attack? NSA officials are counting on it -- but they’re counting on the cloud for a lot more than that.