How Snowden exploited NSA IT security gaps

Media reports detail the access that allowed Edward Snowden to gather and leak National Security Agency documents. (Photo by The Guardian newspaper.)

Edward Snowden, the former National Security Agency contractor who leaked a trove of documents on secret U.S. spy programs, relied on his broad access as a system administrator and a leaky security structure around agency computers, according to a report by NBC News.

Snowden did not have to resort to sophisticated measures to cover his tracks as he pulled classified information from the NSA network, according to an intelligence official sourced in the report. Because of its highly classified nature, NSA's intranet, called NSANet, is disconnected from the wider Internet to prevent outside attacks. Such an "air gap" between the internal system and the Internet blocks network-borne intrusion, but the people who carry data across it become the access point, and that role belongs to a system administrator. Snowden could have claimed to be copying and moving files among computers for a variety of plausible reasons; he was authorized to move information across the gap, the intelligence official told NBC. Air gaps are a common security precaution for highly classified networks and for certain kinds of industrial command and control networks, including those used in the operation of nuclear power plants.

The existence of the air gap loophole on the NSA intranet dovetails with the kinds of documents Snowden obtained. Press reports based on documents leaked by Snowden offer a window into classified programs through the vantage of training slide shows that detail the sources of information available to NSA analysts – the kind of internal documents typically stored on an intranet.

Snowden's post in Honolulu also played to his advantage, because he was able to access the main NSA network in Fort Meade, Md., from a terminal after most agency employees were done for the day. Similarly, the isolated nature of the NSA intranet would have given him built-in cover for using a portable storage device such as a thumb drive. Snowden had access to the entire network, and any traces his activities left on it would have gone unaudited. As the intelligence official put it, "At certain levels, you are the audit."

Earlier this month, NSA Director Gen. Keith Alexander disclosed plans to reduce the number of system administrators on NSA networks by 90 percent. Alexander said, "what we've done is we've put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing." For data access and transfer that requires human intervention, Alexander suggested the NSA would move to a two-key system, requiring two system administrators to be present for the handling of especially sensitive information.
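The two gaps the article describes, privileged activity that nobody audits and data crossing the gap on one administrator's say-so, are what Alexander's two-key proposal and independent logging are meant to close. The following is an added illustration, not code from the article or from NSA: it runs three review rules over a constructed audit log, with the working-hours window, the bulk-volume threshold and the record layout all assumed for the example.

```python
from datetime import datetime, time

# Constructed sample audit log, as an independent collector (not the admin's
# own host) would record it, so that the administrator is no longer "the audit".
AUDIT_LOG = [
    {"ts": "2013-05-20T14:05:00", "user": "admin01", "role": "sysadmin",
     "action": "cross_domain_transfer", "bytes": 4_000_000, "approver": "admin02"},
    {"ts": "2013-05-20T23:40:00", "user": "admin01", "role": "sysadmin",
     "action": "cross_domain_transfer", "bytes": 900_000_000, "approver": None},
    {"ts": "2013-05-21T00:15:00", "user": "admin01", "role": "sysadmin",
     "action": "removable_media_write", "bytes": 1_500_000_000, "approver": None},
    {"ts": "2013-05-21T10:00:00", "user": "analyst07", "role": "analyst",
     "action": "login", "bytes": 0, "approver": None},
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working day
BULK_BYTES = 500_000_000                     # assumed bulk-egress threshold
TWO_KEY_ACTIONS = {"cross_domain_transfer", "removable_media_write"}


def review_events(events):
    """Return (rule, user, ts) findings that a second person must review."""
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        privileged = e["role"] == "sysadmin"
        # Two-key rule: data leaving the enclave needs a second admin on record.
        if e["action"] in TWO_KEY_ACTIONS and not e["approver"]:
            findings.append(("missing_second_key", e["user"], e["ts"]))
        # Privileged activity after hours, when few colleagues are around to notice.
        if privileged and not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append(("after_hours_admin", e["user"], e["ts"]))
        # Bulk volume crossing the gap or hitting removable media, whoever did it.
        if e["action"] in TWO_KEY_ACTIONS and e["bytes"] >= BULK_BYTES:
            findings.append(("bulk_egress", e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in review_events(AUDIT_LOG):
        print(*finding)
```

The rules only have teeth if the log is written somewhere the administrator being reviewed cannot edit; the approver field is what turns the two-key policy into something a reviewer can check after the fact.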

About the Author

Adam Mazmanian is a staff writer covering Congress, the FCC and other key agencies. Connect with him on Twitter: @thisismaz.

Reader comments

Tue, Sep 3, 2013 Dr. Null Somewhere in Washington D.C.

Little is being reported on the widespread illegal gathering and leaking of the tax records, financial information, and donor lists of Republican and Tea Party candidates to the DNC and Obama Administration officials leading up to the 2012 elections.

Sun, Sep 1, 2013

The reason for data disclosure is trusted employees. I agree that trust is an important factor, but blind trust leaves an organisation in such a disastrous situation. The problem I see here is not monitoring system administrators' activity. Monitoring access is different, whereas detailed activity is an essential component in such highly classified networks.

Tue, Aug 27, 2013 Paul On the internet, somewhere

One of the things still not in the news is the congressional testimony of Mr Inglis regarding Snowden's use of social engineering techniques. "Snowden made ruthless use of..." One of the things an Ethical Hacking course covers is how to trick people into giving you their password. (Call them, pretend to be their ISP warning of a potential outage, leave your number to call if something happens, then cut off their internet and wait for them to call you. Say that to fix the problem I'll need your username and password. Then be a hero and fix the problem you created.) Imagine how easy it would be to pull off if they already know perfectly well that you really are the sysadmin. Get your boss's password, maybe even a level beyond that.
