Fool NSA once…third time with a rogue contractor leak

Fool me once, shame on you; fool me twice, shame on me

For the third time in three years, expensive NSA (Nationa Security Agency) security has been undone by one of its own contract employees simply carrying those secrets out the door.

Following up on the fools and shame saying, I think if you are fooled a third time it is not just shame but you are the fool. The NSA is like Moe Szyslak, bartender in the Simpsons who is also tricked by Bart.

In 2013, NSA contractor named Edward Snowden walked out of the agency’s building in Oahu, Hawaii, carrying a USB drive full of thousands of top-secret documents.

In 2016, a 53-year-old Booz Allen contractor for the NSA named Hal Martin was arrested last year for taking 50 terabytes out of the agency over a period as long two decades.

On Thursday, the Wall Street Journal reported that in 2015, a third contract employee of the NSA in as many years took home a trove of classified materials that included both software code and other information that the agency uses in its offensive hacking operations, as well as details of how it protects US systems from hacker adversaries.

That classified data, which wasn’t authorized to be removed from the perimeter of the facility where that contractor worked, was then stolen from the contractor’s home computer by Russian spies, who exploited the unnamed employee’s installation of antivirus software from Kaspersky, a Russian company. And while that revelation has raised yet another round of serious concerns and unanswered questions about Kremlin spying and the role of Kaspersky’s widely used commercial software, it also points to a more fundamental security problem for the NSA: The own-goals it has committed, as a series of its paid employees spill some of its most sensitive secrets—including its intensely guarded and dangerous hacking techniques.

Mitigating policies
* no working from home. Do not provide the means to log onto NSA systems remotely
* no USB ports. Perhaps only dumb terminals
* Auto-encrypting information that goes onto external drives or devices

Former NSA analyst Aitel believes the cultural issues at the NSA run deeper than contractors alone. He says it was common during his time at the agency to see core NSA staffers do work at home, too—albeit not with actual classified documents—reading news stories and public sources of information security reports, digging up technical information, and even talking on the phone with each other in vague or coded terms, which he considers especially unwise.

Aitel argues that the NSA’s recent leaks stem from a more fundamental problem: The agency’s sheer scale, and a structure that doesn’t restrict its staffers often enough to information on a “need-to-know” basis. “There’s something structurally wrong here,” Aitel says. “This is about scale and segmentation. It’s very hard to have a really big team where everyone’s read in on everything and not have it leak.”

Contractors account for close to 30 percent of agency staff, and 60 percent of their budgets. He sees the three recent breaches as evidence that those massive payouts aren’t accompanied by proper oversight. “They’re leaving way too much authority to the contractors to police themselves and it’s clear that system is failing,” Shorrock says. “There needs to be some kind of mechanism to police the contractors.”

“What are the hell are these people thinking?” asks Aitel. “Leaving the NSA with top-secret documents and putting them on your home machine is the very first thing they tell you not to do. Why it keeps happening is a mystery to me, and probably to the management at NSA.”