How Snowden got the NSA documents
It's been known for a while that Edward Snowden was a systems administrator for Booz Allen Hamilton doing contract work for the NSA when he obtained the documents which he subsequently leaked to the press. But how did he get at these documents? NBC News has an investigations story on "How Snowden did it" which purports to explain.
The story reveals the problem, although incidentally to their focus on a red herring. The culprit, according to the story, was Snowden's access to NSA systems, from his Honolulu location, through a "'thin client' computer". The story does not name the specific thin client technology used, but the most popular would be products by Citrix, such as their VDI-in-a-Box. These products allow a user to connect using a special client program to a server which runs numerous virtual desktop sessions, each of which appears to be a Windows desktop system. Windows Server comes with a similar, if less-capable technology.
It sounds as if Snowden had such a connection to NSA servers back at HQ in Ft. Meade, MD. He was able, using this connection, to download documents and place them on USB keys which he could then take elsewhere. It's all very much the way Bradley Manning did it many years before.
But there's nothing inherently insecure or old-fashioned about thin clients, as the NBC News story claims. Thin clients, properly managed, can be a very secure method with which to give limited access to users.
The problem in this case was not the client or access method, but the management policies. According to NBC News:
A typical NSA worker has a "top secret" security clearance, which gives access to most, but not all, classified information. Snowden also had the enhanced privileges of a "system administrator." The NSA, which has as many as 40,000 employees, has 1,000 system administrators, most of them contractors.As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. "At certain levels, you are the audit," said an intelligence official.
1,000 is a large number of people to grant such privileges. It's not clear what Snowden's duties for Booz Allen Hamilton were supposed to be with respect to NSA access, but it's unlikely that he would need such broad access.
The intelligent way to manage such a system is to have a multi-level hierarchy of administration, limiting the access of the vast bulk of administrators to documents and systems for which they have a legitimate need. The higher up the hierarchy you go, the more access an administrator would have, and the more closely security personnel could scrutinize their moves.
Right now, based on the NBC News article and what Snowden was able to get away with, it appears that very little scrutinizing is going on at the NSA. With 2 levels of security access, "Top Secret" and "Unfettered", it's surprising that a Snowden-like leak didn't happen long ago. Perhaps it has happened, but all of those leakers went straight to the Chinese and Russians and didn't bother with the press.
It's especially disturbing that Snowden was granted not only access to all the documents he wanted, but permission to copy them to local storage. For a long time, mainstream management systems have allowed enterprises to control whether clients, including thin clients, could copy data to local storage.
The analogy above to Bradley Manning is shockingly apt. In spite of a history which would give pause to anyone who examined it closely, Manning was given access to a huge library of sensitive materials and permissions to copy it to local storage. Same with Snowden.
It's long been a basic principle of security that you compartmentalize access to sensitive data. This goes back long before computers. 3 years went by between Manning's leaks and Snowden's, and nothing appears to have been done to restrict the access to sensitive data. It may be that the NSA has been negligent, but it may also be that there's just too much sensitive data. Probably both.