Snowden-Proofing the NSA
How is the National SECURITY Agency so bad at securing its own information? They're better at snooping than securing, I guess.
This article has an explanation: NSA leaker Ed Snowden used banned thumb-drive, exceeded access.
From the article:
Edward Snowden, the contract employee who leaked details of the agency's broad-scale data gathering on Americans, exceeded his authorized access to computer systems and smuggled out Top Secret documents on a USB drive — a thumb-sized data storage device banned from use on secret military networks.
“He should not have been able to do either of those things” without setting off alarm bells, said one private sector IT security specialist who has worked on U.S. government classified networks. He spoke on condition of anonymity because of the sensitivities of his current employer.
Here's a perfect example of a policy not being policed or followed very well. The same might be true in a factory (there's a policy that safety glasses must be worn) or in a hospital (a policy says staff members always wash or disinfect their hands before entering/leaving a patient room). The written policy is pretty meaningless if it's not being followed.
The NY Times said he was “left loosely supervised” by the NSA and the contractor Booz Allen Hamilton. It sounds like there was some poor management or other systemic breakdowns that helped allow Snowden to get away with this.
I don't know how the NSA or other agencies police this, but one idea would be supervisors or security being on the lookout for such devices. When one is seen, corrective action must be taken (just as supervisors have a responsibility to speak up if somebody's not wearing their glasses or washing their hands).
Compared to glasses and hands, it might be easier to mistake-proof against the use of USB devices.
Again, from the Washington Times:
A number of commercially available programs can switch off the USB port of every computer on the network.
“There is easily available software to do that,” said the security specialist…
There are different ways of blocking USB port access, with pros and cons (as written about here).
The Washington Times article talks not only about software fixes, but also physical (hardware) prevention:
“I have seen places where they used a hot glue gun to block it,” he said of the USB port.
While this article calls that a “dumb” tactic, it seems that physically blocking or damaging the port might be pretty effective (and inexpensive). I'm surprised that big vendors, like Dell, for example, don't offer PCs with zero USB ports built in to be sold to high-security environments.
While physically disabling the port might qualify as a kaizen-style idea (being more clever than expensive), there could be side effects, such as the ports not being available for legitimate uses.
Either way, why is the NSA apparently so ineffective at monitoring its own staff and contractors, let alone monitoring the entire world's communications?