Reform the NSA to stop future Snowdens

Reform the NSA to stop future Snowdens

Summary: An agency like the NSA can't operate if all its work is going to be exposed to the world. Whatever reforms we make to their practices, the NSA must tighten their internal security first.


Reasonable people can disagree on what reforms should be made to the NSA's intelligence collection practices, but there's one reform I think almost everyone would agree is necessary: Improving internal security. There's no point in having a secret agency like the NSA if access to its sensitive data is so readily available to so many people.

It gets no press, but I certainly hope that the relevant congressional oversight committees are hitting the NSA brass hard on this matter. It's worth deprioritizing some of their core missions in order to get this right.

Edward Snowden, System Administrator

Months ago there were reports that Snowden got the documents he got because he had unrestricted access to a huge range of sensitive data for which he had no legitimate need. The same reports indicated that Snowden, a contract system administrator for the agency, was far from alone in this regard: "The NSA, which has as many as 40,000 employees, has 1,000 system administrators, most of them contractors."

It's a bit off the point, but I think it's also important to recognize that if Snowden was able to get such access and there really are a 1,000 people with such access, then surely one of them has taken the same data and sold it to the Russians or Chinese or, for that matter, the French or Israelis or anyone else willing to pay.

The original NBC News report I just quoted tried to claim that the vulnerability derived from the fact that Snowden was connecting to NSA systems through a "thin client," but this is nonsense. It's perfectly possible to have highly-secure thin clients; in fact, thin clients can be a great tool for securing access. What was wrong in Snowden's case, and what is harder to correct, is that he had such broad privileges to begin with.

I recently spoke to Marc Maffreit at BeyondTrust about the problem of excess privilege and what their company does to address it. A new survey is out today from Avecto which shows that the Snowden-NSA scandal has spooked IT decision makers into prioritizing privilege management.

The bread and butter business of companies like Avecto and BeyondTrust is to help the organization restrict the privileges of end users. The NSA here has it even harder: How to restrict the privileges of administrators. Any good system provides for segmenting the privileges of administrators into the domains for which they truly need control. The NBC News report made it sound as if there is just one level of administrator at the NSA, and the breadth of information stolen by Snowden makes this claim credible.

What about your own admins? Do you know if you can really trust them? If they abused their position, would you know? How bad could it get? After Snowden, these are things you have to think about, especially if you have a lot of people with privileged access.

The NSA is in an especially bad position here: On the one hand, clearly they need to control access to their data better. On the other, one of the major causes of the government's failure to anticipate the 9/11 attacks was excessive compartmentalization of intelligence data. Clearly these priorities are, broadly, in conflict.

Fixing the problem... Oy, what a mess. It's going to be hard. It's going to require substantial reworking of agency management and of their systems. And anyone who reads the news these days knows that the Federal Government doesn't do computer systems well.

Large bureaucracies like the NSA resist major reforms and usually implement them badly. Calling in a consultant to help is fraught with danger, not least because calling in a consultant is how they got Snowden in the first place. And it's also easy to see the agency resisting anything that impedes the core mission; if the world doesn't go to hell while their practices are changed, that's a reason to make the changes permanent.

Clearly some sort of major change has to happen to improve security. The fact that this plays out as the agency's practices are reconsidered can only complicate matters, but it really should be their highest priority.

Topics: Security, Government US

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Reform The NSA

    To reign in the NSA.
    Alan Smithie
    • Close the NSA

      The NSA is ruining America.

      The NSA's spying and eavesdropping is making people and companies scared to use the internet cloud. We know that any data we put up in the cloud is likely to get snooped upon by the NSA. The loss of confidence is costing the US economy billions.

      It seems Larry Seltzer doesn't like whistleblowers like Edward Snowden, Chelsea Manning or Julian Assange.

      However, those whistleblowers actually revealed that the government was involved in illegal activity. The aerial blasting of news journalists was illegal. The wiretapping of millions of people's phone lines was illegal.

      I think if you ask the people on the streets of America, "do you want to know if the NSA is eavesdropping on millions of people?", the answer would be yes. The American people want to know what the whistleblowers have revealed.
      • America needs a signal intelligence asset

        Anyone with any clue of military operations would know this. Intelligence saves lives and can even prevent war. If you shut down the NSA you might as well shut down the Army, Marines, Air Force, and Navy too. Without signal intelligence all they would be capable of is walking blind into war never knowing where the enemy is and if the enemy is tracking them.
        • We Are Not the Enemy

          Of course the nation needs to gather intelligence about its adversaries. That's not the issue.

          The issue is whether every American is to be treated as an actual or potential enemy, and therefore a proper subject for continual surveillance.

          The evidence to date is that the domestic spying has produced no actionable intelligence that has aided in the disruption of domestic terrorist activity. All it has done is to allow law enforcement to connect the dots after the fact with respect to known law-breakers. For that, traditional subpoenas and warrants would have done the job without the collateral unwarranted collection of data from ordinary citizens.
        • Key word is "military" needs the signal asset

          The press is finally picking up discussion of how useless omnivorous spying is. It lacks focus. And of course it provides the ultimate tool for political suppression.
          Military strength - Yes, creepy guys trying to mold everyone into their idea of a perfect citizen - Creepy.
        • That is a logical fallacy

          We had our armed forces and intelligence units within those forces long before the NSA came along. How has the NSA helped? Data consolidation for our armed forces to access is one thing but to spy on our own? That's pure steaming BS.
          • The NSA has been around for a long time

            Since the Department of Defense was first created after WWII, I think. And as long as it sticks to the task it was created to perform (signals intelligence for the military), then I have no objection to its existence.
            John L. Ries
      • Excessive monitoring not restricted to the NSA

        There are a myriad of government agents using a multitude of snooping tools. Even your average detective uses Google on a daily basis. Whether they use stronger, government proprietary tools, I can't say. But I do know that I had an "interview" with a couple of fellows from the U.S. Marshalls about a rather strongly worded posting I made about my opinion of what should have happened to a certain attorney who facilitated Fast and Furious, and blocked law enforcement officials from arresting some of the worst gun and explosive runners in their "pet project".

        Of course the NSA has the best snooping tools in the world, and those tools AREN'T publicly available, which means we don't have equal ability to monitor our government; a necessary condition for proper functioning of a democratic Republic.

        I'm not saying that we should do away with the NSA, or publish everything they collect. But only a fool would think that they are being overseen and controlled properly by judicial officials with access to that level of information.
        • I have no objection to federal employees using search engines...

          ...or other publicly available sources of information to do their jobs. I don't even object to their infiltrating organizations that are reasonably suspected of illegal activity. It's the surreptitious stuff that is illegal for private citizens to do that should require a warrant.
          John L. Ries
      • Well Said

        I concur with the body of your message, but closing the NSA would be an over-reaction.

        What the NSA needs is better oversight and a narrower charter.

        The FISA Court needs to be reorganized by Congress to give a voice to a public advocate anytime a warrant is presented that requests mass data collection. The one-sided presentations by national security officials put FISA Court judges in the untenable position of having to rule on sweeping Constitutional issues without the benefit of opposing arguments.

        The nation would also greatly benefit if our elected officials would stand up and protect us, the citizens. Right now we are in the terrible situation where the Republicans seem unable to admit there is enough military and enough security, while the Democrats are scared to oppose any limits on any activity lest they be portrayed at the next election as soft on national security.
    • Had Hitler reformed Gestapo 3rd Reich might have never fallen

      My honest take of the article
      • Evil leaders are all the same.

        Should we encourage drug lords, gangs, and crime bosses to increase their security, too? The NSA is committing crimes on a larger scale than any of those organizations. It's as if the author hates the fact that somebody pulled his head out of the sand. He must long for his "ignorance is bliss" existence prior to the NSA revelations. Obviously some sheeple want the government to shield them from uncomfortable truths. Too much thinking for themselves must hurt their brain.

        I also found it funny that the author doesn't know the administration had full knowledge of 9/11 for at least a month prior to the event. There is vast evidence that everyone in the entire decision chain knew well in advance and had already worked out their response. Some of the statements issued following the event were created days before the event even occurred. The document creation dates in the files showed this.

        The uncomfortable fact is, 9/11 was allowed to happen in order to ram through the Patriot Act, create the DHS (new armed force to be used against citizens,) bypass warrants, shift toward a police state, and increase intelligence budgets, among other things. Want proof? There were fighter jets following the airliners, ready to shoot them down long before they entered metropolitan areas and those fighter jets were ordered to stand down. Only one person in the administration had the authority to override the military response to a terrorist threat. The fact is, the stand down order was issued, and then confirmed again just before the airliners entered metropolitan air space.

        Our government has fascist intentions and the author hiding his head in the sand won't change that fact.
  • Agreed in full

    If you don't think the NSA should exist, then advocate its abolition, but given that it does and most people think it has some legitimate functions, then a spook agency that can't keep secrets is more useful to foreign governments than its own.
    John L. Ries
    • One thing the federal CIO should be doing... creating standards for securing systems that contain classified information. He wouldn't have the authority to impose them himself, but the President whose computer guru he is could do it for him with an executive order.
      John L. Ries
  • More Snowdens not Less

    We need more Snowdens, not Less.
    • Agreed

      It is one thing for the NSA government spies to spy on other governments, which in this world is unfortunately necessary, but it is quite another for the spies of the government to do wholesale surveillance of millions of American citizens. Mr. Snowden did us all a service by revealing that the spy agency had gone beyond their legal boundaries. The NSA needs reform all right, not so much in security, but to do only the job for which they were created and not go beyond that. That job is to spy on foreign governments.
    • We do need more Snowdens.

      If our government was actually following the rules we set for them in the Bill of Rights, we wouldn't need whistle blowers. The reality is, our government is systematically breaking the law and arbitrarily eliminating the restrictions we placed on their power when our forefathers created the government. Our government is moving toward the same type of fascist police state the Nazi party created in Germany. If there had been whistle blowers like Snowden in the Nazi regime, the world might have been able to take action to prevent WWII.

      The simple-minded sheeple are yelling that Snowden should not have leaked government secrets. They're trying to paint the situation as black and white. They think the government should always be allowed to keep their activities secret. They somehow believe the government is always right. Even more naively, they believe their government is looking out for their best interests. The U.S. government may have started out that way, but their altruism faded at least a century ago in favor of catering to special interests with deep pockets and closely held long term agendas.

      The reality these sheeple are ignoring is the fact that Snowden didn't leak all of the government secrets he knew. He only leaked information about the illegal activities of the government. Since when is exposing illegal activity a bad thing? Nobody is above the law. Snowden is a modern patriot. Real patriots don't blindly follow the orders of leaders who are committing crimes against humanity. He exposed the illegal activities, and human rights violations of our police state government. He showed that our hypocritical government is no better than China in its monitoring and control of their population. The only difference is our government is better at hiding their multitude of violations.

      The simpletons who view everything as black and white also think we want to eliminate all government secrecy. The answer isn't to abolish government secrecy. Secrecy is appropriate in specific situations. The real answer is to restore the checks and balances which ensure government activities are not violating the Bill of Rights or any other laws. FISA and the Patriot Act were created specifically to bypass the checks and balances. Since those Acts were passed, illegal government activity has increased exponentially. Our government is out of control and needs to be reigned in. FISA and the Patriot Act need to be abolished, not secrecy.
  • Be carefull what you wish for.

    Depending on the point of view this actually might lead to the loss for humanity.
    • OK

      So we abolish government secrecy entirely. Or do you have an alternative proposal that would leave future Snowdens free to expose whatever secrets shouldn't be kept.
      John L. Ries
      • Actually... yes.

        The problem with the current system is the complete lack of transparency and accountability along the chain. The NSA is only accountable to FISA specified agencies. But they're not accountable to anyone. Heck, they barely have to report to anyone. So there's a wall between the NSA and the public, or even, for the most part. elected officials representing them.

        There should be a council of representatives who are selected from congress and the senate to be involved in these activities and who can intercede when it looks like the NSA or CIA is doing something wrong. Right now, it's a closed loop; we need to open it up a bit more with a system that has checks and balances (like, regularly rotating out the elected reps who are in the council to avoid partisan contamination).