Reasonable people can disagree on what reforms should be made to the NSA's intelligence collection practices, but there's one reform I think almost everyone would agree is necessary: Improving internal security. There's no point in having a secret agency like the NSA if access to its sensitive data is so readily available to so many people.
It gets no press, but I certainly hope that the relevant congressional oversight committees are hitting the NSA brass hard on this matter. It's worth deprioritizing some of their core missions in order to get this right.
Months ago there were reports that Snowden got the documents he got because he had unrestricted access to a huge range of sensitive data for which he had no legitimate need. The same reports indicated that Snowden, a contract system administrator for the agency, was far from alone in this regard: "The NSA, which has as many as 40,000 employees, has 1,000 system administrators, most of them contractors."
It's a bit off the point, but I think it's also important to recognize that if Snowden was able to get such access and there really are a 1,000 people with such access, then surely one of them has taken the same data and sold it to the Russians or Chinese or, for that matter, the French or Israelis or anyone else willing to pay.
The original NBC News report I just quoted tried to claim that the vulnerability derived from the fact that Snowden was connecting to NSA systems through a "thin client," but this is nonsense. It's perfectly possible to have highly-secure thin clients; in fact, thin clients can be a great tool for securing access. What was wrong in Snowden's case, and what is harder to correct, is that he had such broad privileges to begin with.
I recently spoke to Marc Maffreit at BeyondTrust about the problem of excess privilege and what their company does to address it. A new survey is out today from Avecto which shows that the Snowden-NSA scandal has spooked IT decision makers into prioritizing privilege management.
The bread and butter business of companies like Avecto and BeyondTrust is to help the organization restrict the privileges of end users. The NSA here has it even harder: How to restrict the privileges of administrators. Any good system provides for segmenting the privileges of administrators into the domains for which they truly need control. The NBC News report made it sound as if there is just one level of administrator at the NSA, and the breadth of information stolen by Snowden makes this claim credible.
What about your own admins? Do you know if you can really trust them? If they abused their position, would you know? How bad could it get? After Snowden, these are things you have to think about, especially if you have a lot of people with privileged access.
The NSA is in an especially bad position here: On the one hand, clearly they need to control access to their data better. On the other, one of the major causes of the government's failure to anticipate the 9/11 attacks was excessive compartmentalization of intelligence data. Clearly these priorities are, broadly, in conflict.
Fixing the problem... Oy, what a mess. It's going to be hard. It's going to require substantial reworking of agency management and of their systems. And anyone who reads the news these days knows that the Federal Government doesn't do computer systems well.
Large bureaucracies like the NSA resist major reforms and usually implement them badly. Calling in a consultant to help is fraught with danger, not least because calling in a consultant is how they got Snowden in the first place. And it's also easy to see the agency resisting anything that impedes the core mission; if the world doesn't go to hell while their practices are changed, that's a reason to make the changes permanent.
Clearly some sort of major change has to happen to improve security. The fact that this plays out as the agency's practices are reconsidered can only complicate matters, but it really should be their highest priority.