The National Security Agency did not know how many officials were authorized to download and transfer top secret data from its servers prior to the high-profile leaks by former contractor Edward Snowden, according to a recently declassified government report.
The NSA was also unsuccessful in attempts to meaningfully cut the number of officials with “privileged” access to its most sensitive databases, the Department of Defense’s inspector general determined in the 2016 investigation. The heavily redacted report was obtained by the New York Times through a Freedom of Information Act lawsuit.
The agency struggled to achieve the mandated reductions because it had no idea how many employees or contractors were designated data transfer agents or privileged access users prior to the leaks.
NSA officials told the inspector general they lost a “manually kept spreadsheet” that tracked the number of privileged users after receiving multiple requests from the inspector general to provide documents identifying the initial number. The lapse made it impossible for the agency to determine its baseline of privileged users from which reductions would be made.
The report said the NSA then “arbitrarily removed” privileged access from users, who were told to reapply for the authorization. While this enabled the agency to determine how many personnel were granted special access, the NSA still had no way of measuring how many privileged users had lost the clearance.
The inspector general said the NSA should have used this new baseline as a “starting point” to reduce privileged users instead of using the number to declare a reduction in those personnel.
In the case of data transfer agents, the NSA’s “manually kept list” tracking the number of officials authorized to use removable devices, such as thumb drives, to transfer data to and from the agency’s servers was “corrupted” in the months leading up to the Snowden leaks, the report said.
Without a baseline to measure potential reductions, the NSA then mandated data transfer agents to reapply for the authorization. Again, though this allowed the agency to determine how many personnel were given the authority, the NSA still had no way of gauging how many reductions were made, if any.
The threat proved ongoing earlier this month when former contractor Reality Winner was charged with removing classified information from NSA facilities regarding the Russian election hacks and leaking it to the press.
The initiatives to cut the number of people with access to classified data were part of a broader post-Snowden measure, called “Secure the Net,” to strengthen protections of its sensitive surveillance and hacking methods.
The report determined that while the NSA made some progress in achieving reform, the agency “did not fully meet the intent of decreasing the risk of insider threats to its operations and the ability of insiders to exfiltrate data.”
NSA spokeswoman Vanee Vines acknowledged the report’s conclusions in a statement issued to the New York Times last week.
“We welcome the observations and opportunities for improvement offered by the U.S. Defense Department’s Inspector General,” she said. “NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls.”
It is unclear what steps the NSA has taken since the report was finalized in August 2016 to reduce the number of employees and contractors with access to its top-secret databases.