I worked at the NSA for four years after 9/11 as an Arabic linguist. I’m proud of the work I did there. It included three months serving in Iraq in 2004, for which I was awarded the Global War on Terrorism Civilian Service Medal.
Immediately upon returning from Iraq, I was assigned to the Counter Terrorism Office, where I would serve for two more years, at which time I left the NSA to return to teaching. I’m currently a Latin teacher at a public high school in New Jersey. While in the Counter Terrorism Office I was honored to serve in the critical capacity of direct anti-terrorism efforts, which included, I’ll admit, being involved in the controversial Stellar Wind program, the so-called Warrantless-Wiretap Program.
I remember sitting one day in the Counter Terrorism branch and I looked at my computer. The NSA buys computers from standard vendors, such as Dell, but then connects them to a Classified Network that is unconnected to outside networks such as the Internet. I looked at my computer and realized, this is just like my computer at home. It’s got a thumb drive portal and even a CD burnable disk drive.
My boss happened by and I asked her, “Does this thumb drive on my computer work?”
She puzzled just for a moment over the question. “I assume so,” she finally replied.
“Well, it shouldn’t,” I said. “If I ever need to send a file on my computer to someone else, I attach it to an email.” (And, trust me, there are no file size restrictions inside the NSA.)
I remember her saying that whoever decided that our computers still have working thumb drives must know there must be a good reason. But I insisted there simply wasn’t a good reason. These things should be disabled, hell, they should just be removed before these computers are connected to the Classified Network.
I left the NSA in 2006. Four years later, Bradley Manning walked out of a Classified facility with hundreds of thousands of Classified documents. He had downloaded them and removed them from the Classified network on, you guessed it, thumb drives!!!!!
Now, you would imagine the government, trying to make sure that a leak like Bradley Manning could never happen again, would identify that functional thumb drives on Classified computers is simply a stupid idea. I mean, really, there is no reason for them. If you need to send a file from your computer to another person in the Classified network, you email it. You don’t move it from one computer to another on a thumb drive.
Now, you would imagine the government, trying to make sure that a leak like Bradley Manning could never happen again, would identify that functional thumb drives on Classified computers is simply a stupid idea. I mean, really, there is no reason for them. If you need to send a file from your computer to another person in the Classified network, you email it. You don’t move it from one computer to another on a thumb drive.
We jump to 2013. Edward Snowden walks out of NSA Hawaii with Classified material. Saved on, you guessed it, a thumb drive!!!
And so, what can we conclude? NSA Hawaii Classified computers have working thumb drive ports. This, after Bradley Manning proved an embarrassment to the Intelligence Community by stealing secrets off the Classified Network three years earlier.
I’ll repeat what I said all those years ago. Computers in the Classified Network should not have working thumb drives. And I’ve been told by friends who still work inside that following Snowden they were disabled. And so, the ability of a rogue agent to steal secrets was finally brought to an end.
Guess again. It’s 2017. An NSA contractor allegedly released a highly sensitive Top Secret document to the website The Intercept. She didn’t (allegedly) take it out of the building on a thumb drive. No, she (allegedly) simply printed it and walked out the door with it!
When I went to work every day, I drove past soldiers pointing machine guns at the passing cars. I walked past multiple security checks before I would eventually sit down at my work station and begin processing intelligence to try and keep America safe. And again, I’m proud of the work I did there. But the NSA security plan is stuck in the Cold War. The main security effort is designed to keep a Soviet agent from sneaking in. But recent news has shown that the greatest threat is some loser with a Top-Secret Security Clearance walking out the front door with information.
Here are some common sense things the NSA could do to prevent future leaks. It took not one, but two damaging leaks to fix the thumb drive problem. Now it seems we have a printing problem. This latest leak belies actually two matters that need attention. First, it should not be possible for an employee at the NSA to print something without that fact being logged and then the printed content being regularly audited for potential inappropriate action. But the more serious matter comes from the very fact that this Afghanistan analyst (allegedly) printed and then released an Intelligence Report regarding Russia.
Prior to 9/11, there was a strict sense that even within the Classified World, you saw things only on a need to know basis. Because of a new belief that potentially any analyst might just need to see a piece of the puzzle that another team has, there developed a sense of “need to share.” I’m now saying it’s time to admit that is misguided. The information of where Bin Laden was hiding was never going to be found as a seemingly unimportant factoid in a report on Colombian Drug Smugglers. And an Afghanistan analyst simply shouldn’t have access to reports on Russia, let alone be able to print them.
Also, there is a guard at the exits of a Classified facility like the NSA, who has the right to inspect all bags. In four years there I rarely saw it actually happen. People should see it happen and have it happen to them regularly enough that they would fear being caught smuggling something out.
If your corporation or business is handling secrets crucial to your success that you would not want your competitors to know about, you should be aware that your greatest danger is not that someone from the outside is hacking in. Your biggest worry needs to be the potential that someone on the inside pulls a Snowden. So how can you make that either impossible or at least much more unlikely?
For starters, examine all the ways secrets could exit the building. Even if you can’t make it impossible for something to be leaked out, making it more difficult is still worth the effort. In all honesty, when’s the last time someone did legitimately use that thumb drive that I’m sure works on your computer just as well as the ones at the NSA used to? Maybe they don’t all need to be disabled, but do they all really have to work?
It would seem an easy matter to take a sensitive document from a work computer and attach it to a message in a personal email account and thus silently remove it from the building. And that means you need to thoughtfully limit the number of people with access to such sensitive documents and also password protect them as an additional security measure.
If you have the ability to monitor employees’ computer use, it would be a good idea to make sure they know that you are using it. Something as relatively innocent as telling an employee that your monitoring indicates that they are spending too much time online in non-work-related matters will send word that what happens on that work computer may not be undetected. This will at least make a leaker more circumspect (and potentially either think twice or even screw up).
The final word in security is that something is always better than nothing. You can’t make leaks impossible, but making them even a bit more difficult could at least keep your secrets safer.