Snowden-Proofing the NSA


Regardless of whether you think the NSA leaks that Edward Snowden admitted to make him a hero or a traitor, it begs the question:

How is the National SECURITY Agency so bad at securing its own information? They're better at snooping than securing, I guess.

This article has an explanation: NSA leaker Ed Snowden used banned thumb-drive, exceeded access.

From the article:

Edward Snowden, the contract employee who leaked details of the agency's broad-scale data gathering on Americans, exceeded his authorized access to computer systems and smuggled out Top Secret documents on a USB drive — a thumb-sized data storage device banned from use on secret military networks.

“He should not have been able to do either of those things” without setting off alarm bells, said one private sector IT security specialist who has worked on U.S. government classified networks. He spoke on condition of anonymity because of the sensitivities of his current employer.

Here's a perfect example of a policy not being policed or followed very well. The same might be true in a factory (there's a policy that safety glasses must be worn) or in a hospital (a policy says staff members always wash or disinfect their hands before entering/leaving a patient room). The written policy is pretty meaningless if it's not being followed.

The NY Times said he was “left loosely supervised” by the NSA and the contractor Booz Allen Hamilton. It sounds like there was some poor management or other systemic breakdowns that helped allow Snowden to get away with this.

I don't know how the NSA or other agencies police this, but one idea would be supervisors or security being on the lookout for such devices. When one is seen, corrective action must be taken (just as supervisors have a responsibility to speak up if somebody's not wearing their glasses or washing their hands).

Compared to glasses and hands, it might be easier to mistake-proof against the use of USB devices.

Again, from the Washington Times:

A number of commercially available programs can switch off the USB port of every computer on the network.

“There is easily available software to do that,” said the security specialist…

There are different ways of blocking USB port access, with pros and cons (as written about here).

The Washington Times article talks not only about software fixes, but also physical (hardware) prevention:

“I have seen places where they used a hot glue gun to block it,” he said of the USB port.

While this article calls that a “dumb” tactic, it seems that physically blocking or damaging the port might be pretty effective (and inexpensive). I'm surprised that big vendors, like Dell, for example, don't offer PCs with zero USB ports built in to be sold to high-security environments.

While physically disabling the port might qualify as a kaizen-style idea (being more clever than expensive), there could be side effects, such as the ports not being available for legitimate uses.
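One way to give the “alarm bells” mentioned above a concrete form while still leaving ports usable for approved work, as an added example that is not from the original post or from any agency's tooling: scan Linux kernel logs for USB mass-storage attach events and flag any device that is not on an exception list. The log lines, host names, serial numbers and the `APPROVED` list are constructed for illustration.

```python
import re

# Constructed kernel log lines (Linux syslog format); hosts, serials and times are made up.
SAMPLE_LOG = """\
Jun 10 09:14:02 ws-041 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jun 10 09:14:02 ws-041 kernel: usb 1-2: SerialNumber: AAAA000000000001
Jun 10 09:14:02 ws-041 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 10 09:20:45 ws-041 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Jun 10 11:02:17 adm-007 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jun 10 11:02:17 adm-007 kernel: usb 2-1: SerialNumber: BBBB000000000002
Jun 10 11:02:18 adm-007 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical exception list: (host, vendor:product, serial) with documented approval.
APPROVED = {("adm-007", "0951:1666", "BBBB000000000002")}

# timestamp, host, driver ("usb" or "usb-storage"), bus-port path, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) kernel: (usb(?:-storage)?) ([\d.-]+)(?::[\d.]+)?: (.*)$")
FOUND = re.compile(r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")

def storage_alerts(log_text, approved=APPROVED):
    """Return one alert dict per mass-storage attach that is not on the approved list."""
    devices = {}  # (host, port) -> {"id": "vvvv:pppp", "serial": str or None}
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, host, driver, port, msg = m.groups()
        key = (host, port)
        found = FOUND.search(msg)
        if found:
            # A new enumeration on this port replaces whatever was plugged in before.
            devices[key] = {"id": ":".join(found.groups()), "serial": None}
        elif msg.startswith("SerialNumber: ") and key in devices:
            devices[key]["serial"] = msg.split(": ", 1)[1].strip()
        elif driver == "usb-storage" and "Mass Storage device detected" in msg:
            dev = devices.get(key, {"id": "unknown", "serial": None})
            if (host, dev["id"], dev["serial"]) not in approved:
                alerts.append({"time": when, "host": host, **dev})
    return alerts

if __name__ == "__main__":
    for alert in storage_alerts(SAMPLE_LOG):
        print("ALERT unapproved USB storage:", alert)
```

The keyboard on `ws-041` never binds to `usb-storage`, so it raises nothing; only the unlisted flash drive on that host is reported.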

Either way, why is the NSA apparently so ineffective at monitoring its own staff and contractors, let alone monitoring the entire world's communications?


Mark Graban

5 COMMENTS

  1. From LinkedIn:

    Barry Alexander: Simple do as they did in securing nuclear secrets. No USB ports, removable hard drives that are in safes and must be signed out, no internet, no burners, in short no way to move data other than your brain. Oh and no cell phones or coverage. Simple!!

  2. I think that’s a liiiiiiiittle extreme, but I do have a couple of notes to add.

    One, one of my clients has software that prevents the use of any USB device not “formatted” to their systems. I tried to transfer data from one of their computers to mine for a presentation and it did not take. We instead emailed the files, but there’s at least a “paper trail” for such sharing of information.

    Two, I have a grad school classmate who worked for a company that would be hired by larger firms to attempt to hack into their systems. His job was to find all potential workarounds and potential security vulnerabilities, finding ways to get to sensitive data (but not actually take it). You’d think the NSA would be using such companies to test themselves against such vulnerabilities like this. I bet they would have frowned on the use of outside USB devices like this.

    • There’s a lot of sensitivity around this in the defense industry, where my wife works (private sector). They all receive a lot of training about not using USB drives… one of the old infiltration attempts would be for somebody to drop a USB drive somewhere. A well intentioned person finds it and, of course, plugs it into a computer to try to identify the owner. Oops, you’ve infected your computer and network with a virus.

      (I actually lost a USB drive about 10 years ago and a person called me to let me know they had found it, identifying me based on the files that were on the drive).

  3. I found this article that says Snowden, as an IT administrator, was probably in a job where the use of USB drives would have been permitted:

    Thumb Drive Security: Snowden 1, NSA 0

    In general, the use of removable USB storage devices is prohibited inside the agency. “Of course, there are always exceptions” to that rule, said the official. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”

    One job role that would require using removable storage, however, would be that of IT or systems administrator, which was Snowden’s job at the NSA, although he was a contractor employed by Booz Allen Hamilton.

    The article says the security is based on “trust.”

  4. Mark, many failures are evident when one examines what happened here. You hit the nail on the head. It’s not just about having access, but what data one can accumulate and take out the door. This Snowden problem is relevant to all organizations, not just the NSA, and could have been avoided with a few simple fixes.
