On January 31, the Inspector General of the National Security Agency, Robert P. Storch, published his office’s unclassified Semi-Annual Report to Congress, covering April 1 to September 30, 2021. The results of his office’s inspection indicate that the NSA has more than a little room for improvement. Storch also attests in his report that the Agency was fully cooperative and did not attempt to interfere with the work of the IG’s office. The IG made 469 recommendations to NSA leadership, and NSA management agreed to all of them. Three areas are of key import: targeting, FISA 702 and insider threat.
NSA’s Rules-Based Targeting
The first is whether the means by which NSA uses its “Rules-Based Targeting” (RBT) tools “complies with NSA’s SIGINT (Signals Intelligence) collection authorities and policies.”
The IG made 17 recommendations to address identified shortcomings. These shortcomings included:
- The targeting distribution process contained critical control gaps
- Lack of sufficient controls to ensure U.S.-controlled collectors were tasked
- Validation issues with targeting packages, including a lack of personnel to effect the two-person validation
- Lack of tools to allow NSA to review the targeting configurations in a systematic manner
- Information used for targeting was not managed in an efficient, accurate manner
- NSA relies on systems with “incomplete information to obtain data and execute … and manage the NSA RBT controls.”
FISA Section 702 support
The second area of import concerns support to FISA Section 702, which involves the means by which the NSA identifies U.S. Persons.
- Queries using U.S. Person selectors did not always follow NSA processes and policy requirements
- Lack of consistency within the NSA tools with respect to supporting the FISA query module
- Tool failure to prevent queries of known U.S. person “selectors” from executing automatically.
- The IG made 13 recommendations, of which seven were closed out prior to January 31, 2022
The report notes that FISA Section 702 compliance is of the utmost import and that, as the IG understands it, NSA is working to have a “pre-query compliance control” in place by June 2022. A pre-query control is designed to limit the likelihood of an out-of-policy collection on a U.S. person.
Insider Threat
Lastly, an important area for every insider threat program is the ability to audit removable media. During the timeframe of the IG’s review, NSA had not yet acted on prior recommendations on the policing and management of the use of removable media within the Agency, with a review to have commenced by December 30, 2021. Additionally, three specific shortcomings in the NSA’s insider threat program were highlighted:
- System Security Plans are often inaccurate and/or incomplete.
- Two-person access controls are not properly implemented for data centers and equipment rooms.
- Removable media are not properly scanned for viruses.
Read the entire 48-page report.