NSA official warned of an insider threat 17 years before Snowden
WASHINGTON — Seventeen years before Edward Snowden began releasing secret documents on U.S. electronic spying, an analyst with the National Security Agency foresaw just such a threat.
"In their quest to benefit from the great advantages of networked computer systems, the U.S. military and intelligence communities have put almost all of their classified information 'eggs' into one very precarious basket: computer system administrators," the unidentified analyst wrote in a 1996 special edition of Cryptologic Quarterly, an NSA magazine.
Despite the warning, the NSA remained vulnerable. When Snowden's first disclosures became public last year, some of the agency's computers were still equipped with USB ports where thumb drives could be used to copy files, according to a National Public Radio report in September.
Snowden was a systems analyst working as a contractor with Booz Allen Hamilton Holding Corp. at an NSA regional signals intelligence facility in Hawaii when he exploited his administrative access to copy thousands of top-secret documents before fleeing to Hong Kong and then Moscow.
"A relatively small number of system administrators are able to read, copy, move, alter, and destroy almost every piece of classified information handled by a given agency or organization," the analyst wrote in the 1996 article. "An insider-gone-bad with enough hacking skills to gain root privileges might acquire similar capabilities. It seems amazing that so few are allowed to control so much — apparently with little or no supervision or security audits."
The author's name remains classified. It was redacted in a declassified version of the article that was released in 2012.
"One thing we have done post-media leaks is lock those down hard, so those are all in two-person control areas," Lonny Anderson, the head of the NSA's Technology Directorate, told NPR.
In a speech at Fordham University in New York last year, Gen. Keith Alexander, the NSA's director, said the agency also has taken steps to reduce the number of systems administrators and those with privileged access.
Snowden's security breach wasn't unprecedented, according to the 1996 article, titled "Out of Control."
"In 1994, for example, a contractor employed at a Regional SIGINT Operations Center (RSOC) was caught accessing restricted files on a classified system," according to the article. It also cited "another incident at the same RSOC," the details of which were redacted when the article was declassified.
Nor was spying the only threat, according to the article. There was also simple sloppiness.
"In one incident at NSA, highly classified material printed out after hours on the wrong printer in the wrong room and was turned in by the cleaning crew!" the writer said. "In another incident at NSA, a large number of files sent to a printer at different times by different personnel in one office mysteriously ended up in the queue of another office's printer."
The article's author, who joined NSA in 1986 and was an analyst in the Information Systems Security Office's Threat Analysis Division, was primarily concerned about the danger that foreign intelligence services would try to recruit systems administrators.
Systems administrators, he said, "are likely to be targeted — increasingly targeted — by foreign intelligence services because of their special access to information."
He recalled the case in Germany of what were known as the "Hanover Hackers," who provided the Soviet KGB with "passwords, logon account identifications, source code and other information for unclassified U.S. government computer systems."
Citing "The Cuckoo's Egg," a book by Cliff Stoll, he recounted that the KGB "considered the case a disaster because the hackers were unreliable and ended up exposing the whole operation," and by 1991 was "using the case as an example of how not to run an operation."
Nevertheless, the article continues: "The implication is that their Russian successor organization, the Russian Foreign Intelligence Service (SVR), is now more likely to target insider computer personnel rather than hackers. Of course, this does not prevent them from accepting 'walk-in' volunteers or using their own personnel to 'hack' into systems directly."
So far, there's no public evidence that Russian intelligence recruited or assisted Snowden before granting him asylum, and he has denied providing any of what he stole to his hosts.