“Admiral Rogers has made security of information a top priority during his tenure. The NSA operates in one of the most complicated IT environments in the world,” the spokesperson says. “Over the past several years, we have continued to build on internal security improvements while carrying out our mission to defend the nation and our allies around the clock. We are not relying only on one initiative. Instead we have undertaken a comprehensive and layered set of enterprise defensive measures to further safeguard operations and advance best practices across the intelligence community.”
The NSA press office declined to elaborate on those measures, or provide more detail.
The NSA’s two most recent leaks may in fact have already had massively damaging, observable consequences: Many in the security community speculate—but have not confirmed—that the Shadow Brokers, a group of unidentified hackers who released a series of stolen NSA hacking tools over the last year, obtained that hacking arsenal from one of the two post-Snowden insider leaks. Those tools have already been reused by malicious criminal and state-sponsored hackers to spread the WannaCry ransomware worm as well as the NotPetya malware, to install crypto-currency mining malware on victims’ machines, and to harvest usernames and passwords from high-value spying targets via hotel Wi-Fi.
And yet the leaks continue. That’s possibly because as dangerous as the “insider threat” problem may be, it has no easy solution, says Susan Hennessey, a former NSA attorney who now serves as a fellow at the Brookings Institution. If someone wants to ferret secrets out of their own office, there are simply too many ways to do it, perhaps most straightforwardly on a USB drive in their pocket.
“You can’t run a large federal agency like an airport, where every single person is patted down and screened coming in and out,” Hennessey says. “Hiring practices and clearance investigations and computer security can address some concerns, but at the end of the day intelligence agencies necessarily have to vest a lot of trust in their employees. So effective insider threat measures have to begin with a recognition that some risks can’t be eliminated, only managed.”
But the NSA’s cozy relationship with contractors bears much of the blame, too, says Tim Shorrock, the author of the book Spies for Hire, which focuses on corruption in the intelligence-contractor industry. He notes that contractors account for close to 30 percent of agency staff, and 60 percent of their budgets. He sees the three recent breaches as evidence that those massive payouts aren’t accompanied by proper oversight. “They’re leaving way too much authority to the contractors to police themselves and it’s clear that system is failing,” Shorrock says. “There needs to be some kind of mechanism to police the contractors.”
Shorrock also points to a lack of consequences for the companies who supplied the contractors behind the recent breaches. He argues that stems in part from the revolving door of officials between the intelligence agencies and the private sector; both the directors of national intelligence under Presidents Obama and George W. Bush had previously worked for Booz Allen, for instance.
But former NSA analyst Aitel believes the cultural issues at the NSA run deeper than contractors alone. He says it was common during his time at the agency to see core NSA staffers do work at home, too—albeit not with actual classified documents—reading news stories and public sources of information security reports, digging up technical information, and even talking on the phone with each other in vague or coded terms, which he considers especially unwise.
Aitel argues that the NSA’s recent leaks stem from a more fundamental problem: The agency’s sheer scale, and a structure that doesn’t restrict its staffers often enough to information on a “need-to-know” basis. “There’s something structurally wrong here,” Aitel says. “This is about scale and segmentation. It’s very hard to have a really big team where everyone’s read in on everything and not have it leak.”