Communications of the ACM

I L L U S T R A T I O N B Y P E T E R C R O W T H E R A S S O C I A T E S

one accesses and at what rate, and then detect and limit this. It is astonishing, both with the NSA’s breach and similar huge thefts of data such as Target’s late-2013 loss of data for 40 million credit cards (including mine), that nobody noticed and did anything. Decent real-time monitoring and automated response to events would have detected both events early on and could have prevented most of each breach.

The open source Logcheck and Log-watch programs will generate alerts of abnormal events in near real time, and the Fail2Ban program will lock out the attacker. All are free and easily can be customized to detect excessive quantities of downloads of documents. There are many comparable commercial applications, and the NSA certainly has the budget to create its own.

No Internet Access or Homework Whatsoever. Obvious, this policy is to prevent classified data from leaving a secure building. For after-hours problems, a sys admin either must drive to the office or be on-site at all times. One former CIA director nearly was fired for taking classified data home to work on, violating a strict policy against it. (He was not stealing the data; he just wanted to work at home.) Snowden took classified material home and worked on it with a hood covering him and the computer so that his girlfriend could not see it. 19 Clearly, then, he could have photographed the screen.

Prevent Removable Media from
Leaving the Building. Recall the rings
tered, unmonitored access to 1. 7 mil-
lion documents.

Also important is the Orange Book concept of not trusting any one system administrator. Instead, a role- 1 sys admin queues system changes, such as new accounts or changes to an existing accounts. A second person, in role 2, cannot initiate such requests but must approve the queued requests before they can take effect. An Orange Book OS also prevents use of a login simulator by displaying a special symbol when soliciting a password that no other program can display. Snowden may have used a login simulator.

How expensive might this two-person authorization have been? In 2013, the NSA had approximately 40,000 employees and perhaps 40,000 contractors, including 1,000 system admins. 8, 25 Adding another 1,000 system administrators to watch the first set would have increased the payroll by a trivial 1%.

Given this, is the NSA going to adopt two-person authorization and the Orange Book policy that it created? No, the NSA is going to fire 90% of its system administrators to limit human access and put most of the servers in the NSA’s own cloud. 1 A cloud is just another name for a set of computers remotely accessible over a network and typically managed by others, usually a vendor (a.k.a., contractor). Maybe it will hire Booz Allen, Snowden’s former employer, to manage this cloud.

Log Events and Monitor. The NSA
should monitor how many documents
of security. One ring would prevent re-
movable media from leaving the build-
ing. Every gas-station owner has fig-
ured this out, attaching a large object
to each restroom key. The NSA could
put each thumb drive inside a large
steel box, or it could replace the stan-
dard USB connectors and those of the
computers with custom-designed con-
nectors that are difficult to duplicate.

Creatively Use Encryption. Consider that one of Snowden’s jobs was copying large amounts of classified data from one computer to a thumb drive and then connecting that thumb drive to another computer and downloading the data. He likely secreted the thumb drive on his person after downloading the data he wanted and took it home. This theft could have been prevented rather easily with the use of public-key encryption. 33 In public-key encryption there are two related keys: a public key and a secret key, also called a private key. If the original “clear text” is encrypted with the public key, then it can be decrypted only with the secret key, not with the public key used to encrypt the data.

The NSA should have had a public/ secret-key pair created for each sys admin needing to transfer data and a separate account on each computer for each sys admin to transfer this data. The person generating this encrypted data on the source computer (for example, Snowden) would have to provide the ID of the public key of a different sys admin—say, Julia—to the custom program allowed to write to the USB thumb drive; software would not allow his own public key to be used. The set of sys admins allowed to do transfers of data would have no members in common with the set of sys admins on the source and destination computers with root access. In other words, a “Data Transfer System Administrator” such as Snowden would not have root or physical access to computers and sys admins having root or physical access would be prohibited from transferring data between systems. This separation of responsibilities is critical. Only that custom program, not sys admins, would be allowed to write to the thumb drive. That computer would encrypt the data with Julia’s public key and write that encrypted data to the thumb drive.