Illustration by Peter Crowther Associates.
tered, unmonitored access to 1.7 million documents.

Also important is the Orange Book concept of not trusting any one system administrator. Instead, a role-1 sys admin queues system changes, such as new accounts or changes to an existing account. A second person, in role 2, cannot initiate such requests but must approve the queued requests before they can take effect. An Orange Book OS also prevents use of a login simulator by providing a trusted path: it displays a special symbol when soliciting a password that no other program can display. Snowden may have used a login simulator.

How expensive might this two-person authorization have been? In 2013, the NSA had approximately 40,000 employees and perhaps 40,000 contractors, including 1,000 system admins.[8, 25] Adding another 1,000 system administrators to watch the first set would have increased the headcount by a trivial 1% or so.

Given this, is the NSA going to adopt two-person authorization and the Orange Book policy that it created? No, the NSA is going to fire 90% of its system administrators to limit human access and put most of the servers in the NSA's own cloud.[1] A cloud is just another name for a set of computers remotely accessible over a network and typically managed by others, usually a vendor (a.k.a. contractor). Maybe it will hire Booz Allen, Snowden's former employer, to manage this cloud.

Log Events and Monitor. The NSA should monitor how many documents one accesses and at what rate, and then detect and limit this. It is astonishing, both with the NSA's breach and with similar huge thefts of data such as Target's late-2013 loss of data for 40 million credit cards (including mine), that nobody noticed and did anything. Decent real-time monitoring and automated response to events would have detected both breaches early on and could have prevented most of each. The open source Logcheck and Logwatch programs will generate alerts of abnormal events in near real time if run frequently from cron (Logwatch is most often run as a daily summary), and the Fail2Ban program will lock out the attacker. All are free and can easily be customized to detect excessive quantities of document downloads. There are many comparable commercial applications, and the NSA certainly has the budget to create its own.

No Internet Access or Homework Whatsoever. Obviously, this policy is to prevent classified data from leaving a secure building. For after-hours problems, a sys admin must either drive to the office or be on-site at all times. One former CIA director nearly was fired for taking classified data home to work on, violating a strict policy against it. (He was not stealing the data; he just wanted to work at home.) Snowden took classified material home and worked on it with a hood covering him and the computer so that his girlfriend could not see it.[19] Clearly, then, he could have photographed the screen.

Prevent Removable Media from Leaving the Building. Recall the rings of security. One ring would prevent removable media from leaving the building. Every gas-station owner has figured this out, attaching a large object to each restroom key. The NSA could put each thumb drive inside a large steel box, or it could replace the standard USB connectors and those of the computers with custom-designed connectors that are difficult to duplicate.
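The two-person authorization described under the Orange Book discussion above, as an added example that is not code from the article or from any Orange Book system: a role-1 admin can only queue a change, a role-2 admin can only approve one, the requester can never approve their own request, and nothing is applied until the approval. The role names, the user names and the change-queue API are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is the part of the two-person scheme a sys admin plays. The role
// names and the users used below are assumptions of this example.
type Role int

const (
	Role1 Role = 1 // may queue changes, may not approve them
	Role2 Role = 2 // may approve queued changes, may not queue them
)

// Change is one queued administrative action, e.g. creating an account.
type Change struct {
	ID        int
	Requester string
	Approver  string
	Action    string
}

// ChangeQueue holds requests that have no effect until approved.
type ChangeQueue struct {
	roles   map[string]Role
	nextID  int
	pending map[int]*Change
	applied []Change // changes that have actually taken effect
}

var (
	ErrNotAuthorized = errors.New("user does not hold the required role")
	ErrUnknownChange = errors.New("no such pending change")
	ErrSelfApproval  = errors.New("requester may not approve their own change")
)

func NewChangeQueue(roles map[string]Role) *ChangeQueue {
	return &ChangeQueue{roles: roles, pending: map[int]*Change{}}
}

// Queue records a request from a role-1 admin. It changes nothing yet.
func (q *ChangeQueue) Queue(user, action string) (int, error) {
	if q.roles[user] != Role1 {
		return 0, ErrNotAuthorized
	}
	q.nextID++
	q.pending[q.nextID] = &Change{ID: q.nextID, Requester: user, Action: action}
	return q.nextID, nil
}

// Approve lets a role-2 admin approve a pending request, which is the only
// way a change gets applied. Because role 2 cannot queue, requester and
// approver are always different people; the explicit check is defence in
// depth should the role table ever let one person hold both roles.
func (q *ChangeQueue) Approve(user string, id int) error {
	if q.roles[user] != Role2 {
		return ErrNotAuthorized
	}
	c, ok := q.pending[id]
	if !ok {
		return ErrUnknownChange
	}
	if c.Requester == user {
		return ErrSelfApproval
	}
	c.Approver = user
	q.applied = append(q.applied, *c)
	delete(q.pending, id)
	return nil
}

// Pending and Applied expose the queue state for auditing.
func (q *ChangeQueue) Pending() int      { return len(q.pending) }
func (q *ChangeQueue) Applied() []Change { return q.applied }

func main() {
	q := NewChangeQueue(map[string]Role{"alice": Role1, "julia": Role2})
	id, _ := q.Queue("alice", "create account bob")
	fmt.Println("alice approving her own request:", q.Approve("alice", id))
	fmt.Println("julia approving:", q.Approve("julia", id))
	fmt.Printf("applied: %+v\n", q.Applied())
}
```

The important property is that the queue is the only path to the change: if the role-1 admin can also edit `/etc/passwd` directly, the approval step is decoration. That is why the article pairs this with removing root from the people who request changes.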
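For the Log Events and Monitor recommendation above, here is an added example, not code from the article nor from Logcheck, Logwatch or Fail2Ban, of the detection-and-response logic those tools would have to be customized with. It replays a constructed document-access log, counts each user's downloads in a sliding time window, raises an alert the moment a user exceeds the threshold and locks that user out of further downloads, much as Fail2Ban bans an address after repeated failures. The log format, the five-minute window and the threshold of five are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed document-access log for this example, not real
// data. Assumed format: RFC 3339 timestamp, user, document ID, one download per line.
const sampleLog = `
2013-05-20T09:00:01Z alice doc-1001
2013-05-20T09:00:05Z mallory doc-2001
2013-05-20T09:00:06Z mallory doc-2002
2013-05-20T09:00:07Z mallory doc-2003
2013-05-20T09:00:08Z mallory doc-2004
2013-05-20T09:00:09Z mallory doc-2005
2013-05-20T09:00:10Z mallory doc-2006
2013-05-20T09:00:11Z mallory doc-2007
2013-05-20T09:00:12Z mallory doc-2008
2013-05-20T09:00:20Z bob doc-3001
2013-05-20T09:00:21Z bob doc-3002
2013-05-20T09:00:22Z bob doc-3003
2013-05-20T09:00:23Z bob doc-3004
2013-05-20T09:00:24Z bob doc-3005
2013-05-20T09:03:10Z alice doc-1002
2013-05-20T09:06:00Z bob doc-3006
2013-05-20T09:09:30Z alice doc-1003
`

type Event struct {
	When time.Time
	User string
	Doc  string
}

// Alert is raised once, at the moment a user crosses the threshold.
type Alert struct {
	User  string
	When  time.Time
	Count int // downloads seen in the window, including the one denied
}

// Monitor enforces "at most Threshold downloads per user per Window" and
// locks out a user who exceeds it.
type Monitor struct {
	Window    time.Duration
	Threshold int
	recent    map[string][]time.Time
	locked    map[string]bool
}

func NewMonitor(window time.Duration, threshold int) *Monitor {
	return &Monitor{Window: window, Threshold: threshold,
		recent: map[string][]time.Time{}, locked: map[string]bool{}}
}

// ParseLine turns one log line into an Event.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{When: t, User: f[1], Doc: f[2]}, nil
}

// Observe decides whether one download is allowed. A locked-out user is denied
// outright; otherwise downloads older than Window are dropped from the user's
// history and the new one is counted against Threshold.
func (m *Monitor) Observe(e Event) (allowed bool, alert *Alert) {
	if m.locked[e.User] {
		return false, nil
	}
	kept := m.recent[e.User][:0]
	for _, t := range m.recent[e.User] {
		if e.When.Sub(t) < m.Window {
			kept = append(kept, t)
		}
	}
	kept = append(kept, e.When)
	m.recent[e.User] = kept
	if len(kept) > m.Threshold {
		m.locked[e.User] = true
		return false, &Alert{User: e.User, When: e.When, Count: len(kept)}
	}
	return true, nil
}

// Locked reports whether the user has been locked out.
func (m *Monitor) Locked(user string) bool { return m.locked[user] }

// Replay runs a whole log through the monitor in timestamp order (merged logs
// from several hosts are rarely sorted) and returns the alerts raised plus the
// number of denied downloads per user.
func Replay(log string, m *Monitor) ([]Alert, map[string]int, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		e, err := ParseLine(sc.Text())
		if err != nil {
			return nil, nil, err
		}
		events = append(events, e)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	var alerts []Alert
	denied := map[string]int{}
	for _, e := range events {
		ok, a := m.Observe(e)
		if !ok {
			denied[e.User]++
		}
		if a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts, denied, nil
}

func main() {
	m := NewMonitor(5*time.Minute, 5)
	alerts, denied, err := Replay(sampleLog, m)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %d downloads within %v at %s; user locked out\n",
			a.User, a.Count, m.Window, a.When.Format(time.RFC3339))
	}
	fmt.Println("denied downloads per user:", denied)
}
```

Two things worth noticing in the run: bob's sixth download is allowed because his first five have aged out of the window, so the sliding window does not punish a normal working pace, and mallory's sixth download in a few seconds is denied on the spot, so at most Threshold documents leave before the lockout. A daily Logwatch summary would have reported the same pattern, but only after the drive had left the building; in a deployment the lockout would be pushed to the access-control system rather than kept in an in-memory map.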
Creatively Use Encryption. Consider that one of Snowden's jobs was copying large amounts of classified data from one computer to a thumb drive and then connecting that thumb drive to another computer and downloading the data. He likely secreted the thumb drive on his person after downloading the data he wanted and took it home. This theft could have been prevented rather easily with the use of public-key encryption.[33]

In public-key encryption there are two related keys: a public key and a secret key, also called a private key. If the original “clear text” is encrypted with the public key, then it can be decrypted only with the secret key, not with the public key used to encrypt the data.

The NSA should have had a public/secret-key pair created for each sys admin needing to transfer data and a separate account on each computer for each sys admin to transfer this data. The person generating this encrypted data on the source computer (for example, Snowden) would have to provide the ID of the public key of a different sys admin—say, Julia—to the custom program allowed to write to the USB thumb drive; software would not allow his own public key to be used. The set of sys admins allowed to do transfers of data would have no members in common with the set of sys admins on the source and destination computers with root access. In other words, a “Data Transfer System Administrator” such as Snowden would not have root or physical access to computers, and sys admins having root or physical access would be prohibited from transferring data between systems. This separation of responsibilities is critical. Only that custom program, not sys admins, would be allowed to write to the thumb drive. That computer would encrypt the data with Julia's public key and write that encrypted data to the thumb drive.
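The transfer program described above, as an added example that is not the article's or the NSA's code: it registers transfer admins with their public keys, keeps that set disjoint from the root admins, refuses to encrypt to the requester's own key, and writes a package that only the named recipient's secret key can open. Because RSA cannot encrypt bulk data directly, it uses the usual hybrid construction: a fresh AES-256-GCM key for the data, wrapped with RSA-OAEP to the recipient's public key, with the recipient's key ID authenticated as associated data so a package cannot be relabelled for someone else. The admin names, the role strings, the `Package` layout and the error names are assumptions of this example; a real program would serialize `Package` to the drive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrNotTransferAdmin = errors.New("requester is not a data-transfer admin")
	ErrUnknownRecipient = errors.New("recipient key ID is not a registered transfer admin")
	ErrOwnKey           = errors.New("a transfer admin may not encrypt to their own key")
	ErrRoleConflict     = errors.New("root admins and transfer admins must be disjoint")
)

// TransferSystem models the one program allowed to write a thumb drive.
// Roles, admin names and the Package layout are assumptions of this example.
type TransferSystem struct {
	roles map[string]string         // admin name -> "root" or "transfer"
	keys  map[string]*rsa.PublicKey // key ID (transfer admin name) -> public key
}

func NewTransferSystem() *TransferSystem {
	return &TransferSystem{roles: map[string]string{}, keys: map[string]*rsa.PublicKey{}}
}

// GenerateAdminKey creates the public/secret-key pair a transfer admin holds.
func GenerateAdminKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AddAdmin registers a "root" admin (pub nil) or a "transfer" admin with their
// public key. The two sets stay disjoint: whoever has root never transfers.
func (ts *TransferSystem) AddAdmin(name, role string, pub *rsa.PublicKey) error {
	if old, seen := ts.roles[name]; seen && old != role {
		return ErrRoleConflict
	}
	ts.roles[name] = role
	ts.keys[name] = pub
	return nil
}

// Package is what lands on the drive; nothing in it is readable without the
// recipient's secret key.
type Package struct {
	Recipient  string // key ID the data was encrypted to
	WrappedKey []byte // AES key, RSA-OAEP-encrypted to the recipient
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM of the data
}

// WriteToThumbDrive runs on the source computer: the requester must be a
// transfer admin and must name a different transfer admin's key.
func (ts *TransferSystem) WriteToThumbDrive(requester, recipientKeyID string, data []byte) (*Package, error) {
	pub := ts.keys[recipientKeyID]
	switch {
	case ts.roles[requester] != "transfer":
		return nil, ErrNotTransferAdmin
	case pub == nil:
		return nil, ErrUnknownRecipient
	case recipientKeyID == requester:
		return nil, ErrOwnKey
	}
	buf := make([]byte, 32+12) // fresh AES-256 key and 12-byte GCM nonce for this transfer
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, []byte(recipientKeyID)) // recipient ID as AAD
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Package{Recipient: recipientKeyID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// ReadFromThumbDrive runs on the destination computer under the recipient's
// secret key; any other key fails at the OAEP unwrap, before any data is seen.
func ReadFromThumbDrive(priv *rsa.PrivateKey, p *Package) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong secret key?): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(p.Recipient))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	_, err := NewTransferSystem().WriteToThumbDrive("nobody", "julia", nil)
	fmt.Println("unregistered requester:", err) // ErrNotTransferAdmin
}
```

The check that matters most is the one the code cannot make on its own: the control only holds if this program is the sole path to the drive and the requester has no root or physical access on the source machine, which is exactly the separation the article insists on. With that in place, a drive that walks out of the building carries nothing its carrier can read.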