NSA failed to implement security measures, says damning report

By Christopher Burgess, Sophos

June 21, 2017

After reading through the 61 pages of redacted content of the August 2016 DOD Inspector General’s report on the National Security Agency’s (NSA) implementation of the “Secure-the-Net” initiative, acquired by The New York Times via a Freedom of Information Act (FOIA) request, the only image one can conjure up is that of the Katzenjammer Kids running amok.

The NSA data protection (or lack thereof) was thrust into the spotlight when Edward Snowden, then a contractor in Hawaii, purloined 1.5m documents. How Snowden carried out his massive data collection is interesting: he used his natural access and then, in his role as the system admin, conned his colleagues into giving up their internal access credentials. In the months that followed there was no shortage of opinions on how the NSA could or should tighten up its ship.

The “Secure-the-Net” (STN) initiative, launched post-Snowden, included 40 specific recommendations “focused on insider threats to NSA systems, data, and infrastructure”. Seven of those recommendations were designed to “secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access”.

The seven STN initiatives were:

  • Develop and document a new system administration model
  • Assess the number of system administrators across the enterprise
  • Implement two-person access control over data centers and machine rooms
  • Implement two-stage authentication control for system administration
  • Reduce the number of persons with Privileged Access
  • Reduce the number of authorized data transfer agents (those authorized to use removable media)
  • Oversee privileged user activities

The Department of Defense (DOD) report reviewed the NSA’s progress on tightening up its ship with respect to the seven STN recommendations. The audit was conducted at four facilities between January and July of 2016.
