EDWARD SNOWDEN, WHILE a contractor for the U.S.
National Security Agency (NSA) at Booz Allen Hamilton
in Hawaii, copied up to 1. 7 million top-secret and
above documents, smuggling copies on a thumb
drive out of the secure facility in which he worked and
releasing many of those documents to the press.
has altered the relationship of the U.S. government
with the American people, as well as with other
countries. This article examines the computer-security
aspects of how the NSA could have prevented this
from happening, perhaps the most damaging breach
of secrets in U.S. history.
19 The accompanying sidebar
looks at the Constitutional, legal, and moral issues.
According to Presidential Executive Order 13526,
“‘Top Secret’ shall be applied to information, the
unauthorized disclosure of which reasonably could
be expected to cause exceptionally grave
damage to the national security.”
There are clearance levels above top
secret, such as SCI (sensitive compart-
mented information), SAP (special ac-
cess programs), and CNWDI (critical
nuclear weapon design information).
The British equivalent to top secret is
What Did Snowden Do?
Snowden was a computer system administrator. Guarding against rogue
system administrators (a.k.a sys admins) is more difficult than guarding against users, but it can be done.
Note that the NSA has an almost infinite budget and resources, and thus
could have been following good security practices all along. In the words
of White House cybersecurity adviser
Richard Clarke, “If you spend more
on coffee than on IT security, you will
be hacked. What’s more, you deserve
to be hacked.”
National Public Radio’s “All Things
Considered” last December 17 stated
the stolen documents were on Microsoft’s SharePoint document-manage-ment system. Of the 1. 7 million documents likely copied, Snowden shared
up to 200,000 documents with reporters; the NSA did not dispute this.
Rick Ledgett, head of the NSA’s task
force accessing the “damage” done
by Snowden, claimed “system admin-istrators…have passwords that give
them the ability to go around those…
security measures, and that’s what
That the NSA’s Ledgett claims to
be unaware of the past 30 years of
computer-security techniques and
technology for preventing a system
administrator from stealing data is
10, 15, 29 This is discussed later
in the section “Orange Book and Two-Person Authorization.” The NSA no
longer uses SharePoint for this purpose, which begs the question, why did
the NSA abandon secure Orange Book
compliance and other good security
practices for computer systems that
handle classified data?
Article development led by
How good security at the NSA
could have stopped him.
BY BOB TOXEN