NSA Insider Security Post-Snowden


According to a recently declassified report obtained under FOIA, the NSA's attempts to protect itself against insider attacks aren't going very well:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department's inspector general completed in 2016.

[...]

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of "privileged" users, who have greater power to access the N.S.A.'s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

In all, the report concluded, while the post-Snowden initiative -- called "Secure the Net" by the N.S.A. -- had some successes, it "did not fully meet the intent of decreasing the risk of insider threats to N.S.A. operations and the ability of insiders to exfiltrate data."

Marcy Wheeler comments:

The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorized to use removable media to transfer data to or from an NSA system (what the report calls DTAs).

But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak. With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."

There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable. The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels. Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.

Read the whole thing. Securing against insiders, especially those with technical access, is difficult, but I had assumed the NSA did more post-Snowden.

from https://www.schneier.com/blog/

The Dangers of Secret Law


Last week, the Department of Justice released 18 new FISC opinions related to Section 702 as part of an EFF FOIA lawsuit. (Of course, they don't mention EFF or the lawsuit. They make it sound as if it was their idea.)

There's probably a lot in these opinions. In one Kafkaesque ruling, a defendant was denied access to the previous court rulings that were used by the court to decide against it:

...in 2014, the Foreign Intelligence Surveillance Court (FISC) rejected a service provider's request to obtain other FISC opinions that government attorneys had cited and relied on in court filings seeking to compel the provider's cooperation.

[...]

The provider's request came up amid legal briefing by both it and the DOJ concerning its challenge to a 702 order. After the DOJ cited two earlier FISC opinions that were not public at the time -- one from 2014 and another from 2008 -- the provider asked the court for access to those rulings.

The provider argued that without being able to review the previous FISC rulings, it could not fully understand the court's earlier decisions, much less effectively respond to DOJ's argument. The provider also argued that because attorneys with Top Secret security clearances represented it, they could review the rulings without posing a risk to national security.

The court disagreed in several respects. It found that the court's rules and Section 702 prohibited the documents' release. It also rejected the provider's claim that the Constitution's Due Process Clause entitled it to the documents.

This kind of government secrecy is toxic to democracy. National security is important, but we will not survive if we become a country of secret court orders based on secret interpretations of secret law.

from https://www.schneier.com/blog/

Baltimore FD Withholds Data on Staffing, Response Times

The Baltimore Sun asked the city’s fire department for basic data on response times, dispatch errors and paramedic staffing rates. The city says it doesn’t have the information. But a government watchdog says, “This data has to be somewhere.”

City lawyers are refusing to release information about the Baltimore Fire Department’s response times, dispatch errors and paramedic staffing rates, reports the Baltimore Sun. Benjamin A. Bor, a special assistant solicitor in the city’s Law Department, says he denied two Public Information Act requests from the newspaper on grounds that the agency did not have the documents to provide. Councilman Brandon M. Scott, chairman of the Public Safety Committee, is convening a hearing Tuesday to seek similar data from Fire Department officials.

Damon Effingham, legal and policy director for Common Cause Maryland, said he was surprised city lawyers said the Fire Department did not have some of the records requested. “It is unfortunate if they’re not keeping it, and if they are, the point of the Public Information Act is for the public and legislators to review data and fine-tune polices and solutions,” Effingham said. “There are very few places where that is more important than emergency services. This data has to be somewhere.”

from https://thecrimereport.org

After Shooting, Harrisburg PD Reveals Use-of-Force Policy

PennLive asked to view the 13-page policy under the state Right to Know Law following an Aug. 7 shooting by police in Harrisburg. The policy follows many law enforcement standards, banning neck restraints and hog-tying and restricting officers from firing at moving vehicles except under very limited circumstances.

The Harrisburg, Penn., Police Department's use of force policy bans several controversial practices, such as neck restraints or hog-tying suspects, and it restricts officers from firing at moving vehicles except under very limited circumstances. The city provided the policy to PennLive this week. The newspaper submitted a request to view the policy under the state's Right to Know Law after a Harrisburg police officer used deadly force in an Aug. 7 domestic incident involving Earl Shaleek Pinckney, 20, who reportedly had been threatening to kill his mother with a knife. The shooting, which remains under investigation, generated interest in the training, policies and guidance provided to police officers.

The 13-page policy bans the controversial practices of neck restraints, sometimes known as chokeholds, and hog-tying of suspects by handcuffing their hands and feet behind their back. Both techniques have been associated with arrest-related deaths across the country. The restrictions on firing at moving vehicles also address another controversial practice that can increase risks to bystanders as well as inflate the number of people killed by police.

from http://thecrimereport.org