The best indicators we have as to the state of data management in the NSA is from its IT departments, and not just because that was where Snowden worked. The NSA spends nearly half its budget on operational IT, more than any other security agency. This week, Secret Sentry author Aid boggled at the numbers on his blog. Noting that the NSA spends 10 times as much on facilities and logistics as the CIA, he writes, “NSA’s top three budget line items, totaling more than $4.4 billion or 40 percent of NSA’s annual budget, have nothing to do with the agency’s core mission of SIGINT collection, processing, analysis and reporting, or protecting the security of the U.S. government and military’s computers and telecommunications systems.”
These budget numbers signal that the NSA is throwing more and more money at problems while failing to solve them. An outside audit would usually curb such spiraling numbers, but it seems that hasn’t happened. The Senate Select Committee on Intelligence reported that as of June 2009, “the NSA’s financial statements were not adequately supported by reliable accounting data and supporting information.” Marcy Wheeler reports that there has been no word of any improvement since.
Many IT positions tend to be contractor jobs with high turnover—hardly the place for dedicated civil servants with years of experience in the NSA. Yet they literally control the ability of everyone to get their jobs done, and the NSA gave some of these contractors the keys to the kingdom. “Start from the point that if the NSA had competent security, Snowden wouldn't have been able to do a tenth of what he did,” Grimmelmann says. “You give sysadmins privileges on specific subsystems they administer. And you do not give them write access to the logs of their own activity. The NSA should be grateful that Snowden got there first, and not the Chinese.”
Snowden didn’t hack the NSA because there was no security to be hacked. That he and thousands of other low-level contractors had unfettered, untraceable access to the entirety of NSA systems is a security hole that makes Windows look like Fort Knox. It should have resulted in firings. The fact that NSA Director Keith Alexander still has a job signals that the government doesn’t really take the Snowden leak that seriously. Instead, Alexander has announced plans to eliminate 90 percent of its contractor sysadmins posthaste—about 900 people—by “automating” their work. He fuzzily alluded to “transferring data [and] securing networks.” Since the NSA’s own network is not, as we have learned, secure, it will no doubt prove far more difficult to automate such a process than Alexander suggests.
Alexander’s plan does not seem to be a plan. It sounds more like frightened middle management trying to protect its position by saying, We don’t have anyone with Snowden’s job anymore. “The NSA actually employs people who could easily have identified the enormous gaps in its own security,” Grimmelmann says. “Were they consulted? Did anyone listen if they were? The NSA has the knowledge and the budget. But it can't deploy them to where they're needed on the most basic level.”
And not even the best-run organization can automate 90 percent of its IT positions without foundational changes to how its systems work. The NSA’s IT infrastructure is already a teetering Jenga tower, and Alexander just demanded that the agency remove 900 blocks simultaneously. It could well result in worse security, not better security.
There is one thing, it seems, the NSA can easily do to look good: collect even more data! Even if it lies unprocessed in a dusty drive, the top brass will at least see the big numbers of how many intercepts are being made. But consider this hypothetical. Should, heaven forbid, some major terrorist attack occur, it’s quite likely the NSA will have vacuumed up something or other relating to the planning. (I’d wager the agency vacuumed up something on Dzhokhar Tsarnaev.) And should some disgusted intelligence analyst leak the fact that the NSA actually possessed intelligence on the terrorist activities before the attack but just never got around to analyzing it, how is that going to look?
For its own sake, the NSA should be searching for someone to come in and clean up shop. Remember, the NSA has people—its Tailored Access Operations department, for example—who could easily find every security hole in the agency; they just don’t have the power to do so. The government needs to freeze the NSA’s budget and clean out the complacent rot at the agency, starting with Alexander. It needs to install a more tech- and security-savvy chief who can recognize a gaping security hole and then honestly query the rank and file on what does and does not work, without them getting blamed for speaking out. The director of national intelligence and the president should then get a report of all the problems with the agency that haven’t yet been leaked to the world. What the NSA needs, in short, is basically the national-security equivalent of Marissa Mayer.
Julian Assange dreams of making security agencies so paranoid and sclerotic that they can no longer function effectively. Unless and until the NSA starts making real changes, he may be getting his wish.