Security Government Privacy United States

Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures (techdirt.com) 68

An anonymous reader quotes a report from Techdirt: In the immediate aftermath of an NSA contractor springing numerous leaks back in 2013, the NSA vowed this would never happen again. It has happened again and it hasn't just been documents. It's also been software exploits, which contributed to a worldwide plague of ransomware. The NSA was going to make sure no one could just walk out of work with thousands of sensitive documents. It laid out a plan to exercise greater control over access and fail safe procedures meant to keep free-spirited Snowdens in check. The NSA is the world's most powerful surveillance agency. It is also a sizable bureaucracy. Over the past half-decade, the NSA has talked tough about tighter internal controls. But talk is cheap -- at least labor-wise. Actual implementation takes dedication and commitment. The NSA just doesn't have that in it, according to a recent Inspector General's report: "The nation's cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency's inspector general released Wednesday. Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren't properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they're qualified for the highest-level work they do, according to the overview."

  • by Anonymous Coward

    most of the domains (including backchannel ones) are not secured via DNSSEC or have IPv6 addresses which goes to show they can't run a network at the best of times...
    (excuses about simpler or that they are subject to DDOS are pretty pathetic)

  • Add more contractors who got a job without security considerations? The buddy system?
    Two contractors working together at all times? They both know one of them never got the needed security clearance?
    10 contractors on site and what % can't be trusted? Get the buddy system wrong and risk two people totally lacking in security clearances working together?
    One wants to sell NSA secrets? One wants to give away NSA secrets for politics? One is an anti war activist? One with split loyalty to another natio
    • by Anonymous Coward

      Gawd. Even the serious-looking responses are trolls.

    • At no time in history has the US Government been able to keep spies out of their systems. Compartmentalization and limiting access to "Need to Know" are required for any national intelligence agency. For the volume of secrets Snowden took, he should have needed to suborn thousands of people at the NSA.
    • by l0n3s0m3phr34k ( 2613107 ) on Thursday August 02, 2018 @07:42AM (#57055742)
      The NSA and other gov agencies just don't pay enough [glassdoor.com] for your laundry list. Working for "God and country" doesn't fit with the US capitalism idea very well. They are on the low end of almost all salary ranges; and that is BEFORE you eliminate about 95% of the potential people with your list.

      What does "politics" or "faith group" even mean in your post? Many would point to a good chunk of our currently elected lawmakers in the Federal government who are associated with Dominion theology [wikipedia.org], "end timers", and other now-deeply ingrained ideals. Are you wanting non-political persons only? According to the Eastern Orthodox church, every Christian religious group that is associated with the Baptists is considered a "heretical cult". One third of the current US population doesn't believe anything the US intelligence agencies say about foreign politics and blindly believes anything Trump says, another third think his actions are nearly treasonous, so the idea of a "political litmus test" is a very tricky barrier; and is probably illegal anyway (there are Supreme Court cases around this). We currently have POTUS staff who are potentially (I say this because there has yet to be hearings, trials, or such) in violation of the Hatch Act, so even the very top of this food chain is contaminated.

      If you define a "criminal past" as the FBI does, that only eliminates around 29% of the US population. If you take it further, and cull out anyone with any negative relations with law enforcement, including non-felonies, then it's more like half of black males and almost 40 percent of white males [sagepub.com]. Combined with the low pay, and one ends up in the position we are currently in: not enough people to do the job.

      While I understand what you're getting at, your idea would require a huge, non-partisan overhaul of the underlying "security form" system. We can't even manage to approve money to have a plan to secure our elections in any meaningful way, and your idea goes directly against the ideals of the current administration and many elected officials. They want people who believe in the scourge of the "Deep State", not people who are willing to go work for the Deep State...by which I define "deep state" as the unelected bureaucratic apparatus that keeps the government functional in its day-to-day workings. Many of the appointed Cabinet heads have publicly said they want to dismantle the bulk of the Federal government, so good luck finding anyone that fits your list who is willing to take home 80% of the average wage for their position.
      • by AHuxley ( 892839 )
        The problem with a criminal past is other nations tend to be able to work that hidden lifestyle out to a new way to spy.
        Spies then become a new best friend enjoying that same lifestyle.
        Spies just go for the demand to spy to keep the secret.

        That's why most advanced security services don't like criminals. Too much risk and too much talking to new friends.
      • by PPH ( 736903 )

        If you take it further, and cull out anyone with any negative relations with law enforcement,

        And if you grew up in a town where law enforcement is cozy with the "faith groups" and you are not, you've probably got a few points against you going in to a background check. But this isn't as much of a problem as you might think (or wasn't when I went through the process). The FBI* considers most of these police forces and courts as a bunch of hillbilly hicks, and takes what they say with a grain of salt.

        *I have no idea what the situation/policies are like now that OPM has taken over responsibilities fo

      • Used to be a time that the church, synagogue, or temple that you went to had little correlation to your political views. Today religion and politics are tightly tied together. Everything's political now, people will judge you on what type of coffee you drink.

    • They're copying what corporations do. The US government as a whole has gotten far too enamored by contractors. The reasons contractors are used in corporations is to get around corporate rules and procedures; easier to hire, easier to fire, interviews are waived, required trainings are bypassed, their decisions often must be accepted despite opposition from actual employees. You end up with less accountability. With government, there are similar issues. Contractors don't add in to head count so much depe

  • Flow of secrets (Score:3, Interesting)

    by Anonymous Coward on Wednesday August 01, 2018 @11:46PM (#57054360)

    NSA continues to spy on the rest of the world, with the help of 5 eyes countries. 5 Eyes countries are protected by 'agreements'. Agreements like 'trade-agreements', are not enforceable when dealing with a bad-actor. If he won't abide by trade-agreements, why would him and his boss in Moscow abide by no-spy agreements?

    https://www.usatoday.com/story/news/2017/01/26/report-arrested-russian-intel-officer-allegedly-spied-us/97094696/

    This is what happened to US spies, 6 days after Trump got to power, and got access to the unredacted names of the spies mentioned in the pee pee memos, he passed the names over to Putin as revenge:

    "A senior Russian intelligence officer and cybersecurity investigator arrested last month on treason charges allegedly was passing information to U.S. intelligence services, according to Russian media outlets. Sergei Mikhailov, who worked for the FSB, the successor to the KGB, was arrested in December, along with Ruslan Stoyanov, a top manager for Russia's largest cybersecurity firm, according to the economic newspaper Kommersant. Stoyanov was also charged with suspicion of treason. In addition, two other people, including Major Dmitry Dokuchaev, also an FSB officer, were arrested in connection with the case, according to Russia's REN-TV. The fourth person was not identified."

    Once you start stripping away the privacy protections and replace checks and balances with faith and trust, it only takes one bad actor in the right position to undermine the whole system. One foreign puppet and that's all it takes to flip a nation. Because the nation already did the work needed, and there'll always be people who'll sell out their country in pursuit of their party flag. Fox News (Hannity-Cohen payments), One America News (old man Robert Herring invited to Russia, married a hot sexy Russian woman and turned his news network into a pro-Russia fluff cable network) etc., etc.

    You let NSA spy on everyone on a promise not to look at some of the data, and then you put someone above them who always lies, has dodgy foreign friends, and never keeps promises.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday August 02, 2018 @12:27AM (#57054474)
    Comment removed based on user account deletion
    • Re:SOP (Score:4, Insightful)

      by BlueStrat ( 756137 ) on Thursday August 02, 2018 @07:41AM (#57055728)

      Seeing what I have seen in regards to security vulnerabilities reported to institutions and the general paralysis that ensues when anyone brings up real security in just about any organization...none of this surprises me...at all. In fact, I would have predicted nothing would be done, especially given the tell where the institution focuses on a single perpetrator or incident when in fact that is not at all the problem. When their security sucks, and they don't get it and can't fix it because they suck, they spin the focus on Snowden or whatever evil hacker du jour.

      The issue is not the NSA's internal security. That's not what causes the leaks we've seen.

      The problem is the NSA itself performing domestic spying.

      The NSA will remain under attack by the NSA's own workers and the US's own citizens until that changes because the NSA has made itself the enemy.

      Strat

      • by Anonymous Coward

        the NSA has made itself the enemy.

        So much this.

        The NSA has turned into the exact threat it was supposedly instituted to guard against from foreign states.

    • It's not because "they suck", it's because it's too big of a job to do for the amount of personnel. For a real-world example, just take a look at the security technical implementation guides from DISA. Out of that list, I've identified around 70 of them apply to my company; that's over 5,000 rules. Just in the networking SRG scope alone, I've got about a dozen STIGs with around 500 rules. Combine that with, say, 100 networking devices, that's 5,000 "checks" I have to do. Most of these are potentially scrip
    • The US security services and armed forces did a huge, expensive effort to provide military-grade confidentiality years ago, implemented on Multics, and later on Solaris and HP-UX. More recently, on Linux. They even had an example of the 'net, Dockmaster.MIL

      Then they decided not to use it, because it took a week course to learn how to administer a Trusted Solaris system.

      Too much work; didn't do.

  • by najajomo ( 4890785 ) on Thursday August 02, 2018 @12:28AM (#57054480)
    The nation's cyber spy agency is suffering from substantial cyber vulnerabilities .. removable media that aren't properly scanned for viruses

    Jesus tapdancing Christ on rollerskates, the FSB must be laughing into their soup :]
    • Do you think Russian intelligence has gotten lazy, having (reasonable assumption) FULL access to everything the American government is doing? Will it undermine their ability to get intelligence in places the Americans don't go?
    • by AHuxley ( 892839 )
      Re "must be laughing into their soup"
      For now many nations have great insight into US tasking and other agency thinking due to their well placed generations of human spies.
      As long as the spies don't go looking up projects they are not cleared for they can go on spying for decades.
      The NSA will find anyone internally searching for projects and terms beyond their approved projects.

      As USA only accepted very best into other agencies, that was a guaranteed way to totally understand thinking and top policy
  • And don't forget, kids: this is the agency which is constantly telling us we can safely backdoor encryption!

    (Well, maybe that's mainly the FBI, instead. But I still trust them just as much as I'd trust the NSA.)

  • Too busy (Score:2, Interesting)

    by dristoph ( 1207920 )

    Too busy pursuing their mission outside the mission itself and the bounds of constitutional practice.

    That said, I have trouble believing this, or really any offer of information to the public from government agencies. Sounds like a honeypot, or a false reveal of vulnerability. Who trusts any of them at face value?

    • Consider if NSA wasn't around to tell us all how terrible hackers are, how would they get any funding or political attention?
  • I hear the best person is available, he just needs a green light from the US to come back from Russia.
  • ... are there other circumstances hidden from the public?

    To me as an outsider it seems most government digital security agencies are more prioritized on spying civilians than actually securing the state they're operating for.
    So securing their own assets is not on top of the list as it is described in the article.
    But also contractors might have a deal in this, as soon as the security has been tightened they might not be able to perform duties or they're not necessary anymore.
    Perhaps a combination of a multi

  • Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures

    Hey now, they've been pretty busy gathering intel on non standard presidential candidates and stuff.

    Sheesh, what's your hurry?

  • Spies Apply (Score:4, Insightful)

    by ripvlan ( 2609033 ) on Thursday August 02, 2018 @09:26AM (#57056356)

    Given that low level people can access info beyond their pay grade, I'd assume spies are everywhere within the system.

    If Snowden exposed anything - it's how poor the security is and that people could easily steal data and give it to foreign governments. Should the person desire to do that of course.
