
Communications of the ACM

Practice

The NSA and Snowden: Securing the All-Seeing Eye


The NSA and Snowden, illustration

Credit: Peter Crowther Associates


Edward Snowden, while a contractor for the U.S. National Security Agency (NSA) at Booz Allen Hamilton in Hawaii, copied up to 1.7 million top-secret and above documents, smuggling copies on a thumb drive out of the secure facility in which he worked and releasing many of those documents to the press.[2] This has altered the relationship of the U.S. government with the American people, as well as with other countries. This article examines the computer-security aspects of how the NSA could have prevented this from happening, perhaps the most damaging breach of secrets in U.S. history.[19] The accompanying sidebar looks at the Constitutional, legal, and moral issues.

According to Presidential Executive Order 13526, "'Top Secret' shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security."[24] There are clearance levels above top secret, such as SCI (sensitive compartmented information), SAP (special access programs), and CNWDI (critical nuclear weapon design information).[9] The British equivalent to top secret is most secret.


Comments


Ajoy Bhatia

Just goes to show that sometimes, some entity not following good security practices can be good for the people.


Harry Moore

There are a couple of corrections needed in the opening section.
1. There are no clearance levels above Top Secret. SCI and SAP are not clearance levels but special programs with access restrictions. CNWDI is a category of classified restricted data.
2. The UK's equivalent to US Top Secret is Top Secret as well. The old term of most secret was replaced on April 2, 2014 by the revision of HM Government Security Classifications Guide.
I have not read the entire article so I am not sure if there are any other mistakes.


Raju K

Secureness is undisturbed as long as everyone refrains from doing what they are not supposed to do. The moment someone deviates from this principle, what we have is a system that has been compromised. Snowden's actions led to an insecure environment as he did what he was not supposed to do. However, security consciousness should not be tied to people and their practices. If a piece of software or hardware cannot be refrained from doing things it is not supposed to do, then too, we have a compromised system. How do we ensure that software or hardware components are not indulging in activities that they are not supposed to do? It is here that accessibility to software sources and accessibility to hardware design details play a crucial role in ensuring a secure environment. With proprietary binary-only software or with a proprietary closed-design hardware, therefore, we can never guarantee a fool-proof secure environment to users. It is here that Snowden-exposed documents become significant - these documents go on to elaborate on how proprietary software binaries could be tweaked for doing insecure or even unlawful things. Without Snowden, such a possibility for committing security breaches would have remained invalidated for long.


CACM Administrator

The following letter was published in the Letters to the Editor of the July 2014 CACM (http://cacm.acm.org/magazines/2014/7/176205).
--CACM Administrator

I wish reality were as simple as Bob Toxen made it out to be in his article "The NSA and Snowden: Securing the All-Seeing Eye" (May 2014) where he said, "A simple one-minute scan on the way out by a handheld metal detector 'wanding,' as used by the Transportation Security Administration and at courthouses would have found any flash memory device." However, flash devices have shrunk to minuscule size, even as their capacity has increased dramatically. Consider the micro-SD flash storage device in a typical smartphone; it can store more than 32GB and be small enough to be hidden practically anywhere. Moreover, its small mass makes detection especially difficult for a typical handheld metal detector. A spy could even attach one with chewing gum to a tooth, defeating practically any routine check.

So the real problem in the case of Edward J. Snowden is not that Snowden carried a flash memory device in and out of National Security Agency facilities but that he was able to transfer sensitive data to the device in the first place.

In most secure environments, it is extremely difficult, if not impossible, to attach an external device to a secure system. If it could be done, the system would no longer be secure, as the device would be able to transfer malware to, as well as steal data from, the secure system.

In 2008, an infected USB flash drive was famously connected to a military laptop. The malicious code uploaded itself to a secure network under the control of U.S. Central Command. This incident should have alerted the NSA to the dangers inherent in the use of removable memory devices. Moreover, the Stuxnet affair, two years later, demonstrated that U.S. security services were clearly aware that removable memory devices are potential attack vectors. The NSA should have anticipated these risks and taken necessary measures well in advance of Snowden's leaks.

The reason for the apparent indifference to such risks is that insider attacks are particularly difficult to address. The esprit-de-corps culture prevalent in the NSA made it essentially unthinkable that one in their midst could betray the organization, and is why Snowden was able, apparently, to convince coworkers to grant him additional access.

Security is an overhead; by controlling access, security makes it inherently difficult for people to carry out their work, so a compromise between utility and security must be established. In the Snowden case, though the compromise went too far toward utility, it would be a mistake to go to the other extreme by imposing security procedures that impede the NSA's useful work.

Vassilis Prevelakis
Braunschweig, Germany

AUTHOR'S RESPONSE:

Wanding would have caught a USB memory stick due to the metal in its plug. No security ring is perfect. Defeating the rings involving encryption, physical access to systems, and software limiting the number of documents one may access would be extremely difficult. I demonstrated that stopping even system administrator insider attacks can be done reasonably easily. The reason Prevelakis claimed for NSA "indifference" is unsubstantiated. Aldrich Ames, Robert Hanssen, and other convicted American traitors should have convinced the NSA (and the CIA) to avoid unlimited trust. (I do not consider Snowden a traitor, as he was alerting Americans to the apparently unconstitutional and illegal actions of the government.)

Bob Toxen
Duluth, GA


CACM Administrator

The following letter was published in the Letters to the Editor of the July 2014 CACM (http://cacm.acm.org/magazines/2014/7/176205).
--CACM Administrator

I was disturbed by the cover headline "The NSA and Snowden: How better security measures could have stopped the leak" publicizing Bob Toxen's article (May 2014) for implying that Snowden simply produced "leaks" that should have been "stopped." Moreover, I found it odd that the article focused on how the NSA's poor security allowed these leaks to take place. It would have been more appropriate to acknowledge the alternative interpretation, that Snowden's revelations brought to light abhorrent violations of privacy on the part of the U.S. and U.K. governments. After all, the constitutionality of the NSA's spying was critiqued in the article's sidebar. Why not follow through to address the apparent contradiction between "good security practices" and the supposed "transparency" of agencies with the power to tap all our communications (including this one)?

William Gaver
London U.K.

