Within the last few years the National Security Agency learned it was not immune from the insider threat. In fact, we have seen a number of prosecutions as a result of NSA information finding its way outside the highly protected environment maintained by the NSA's security regimes. The NSA has felt the sting of Harold Martin, Reality Winner and Nghia Pho, all of whom secreted classified materials out of NSA in both electronic and hard copy format.
Martin is known as the individual who arguably collected and exfiltrated the largest corpus of classified information from the NSA. This year we saw Martin accept a plea deal with the Department of Justice, a deal which gave Martin 9 years in prison. Winner and Pho were both sentenced to five years in prison.
NSA Inspector General Report
The recent report from NSA’s own Inspector General notes that the NSA’s attention to the insider threat needs improvement. The inspector general’s report to Congress, covering the period of October 2018 through March 2019, highlights three specific areas where NSA had been directed to make improvements and has failed to implement the changes.
“The NSA’s inspection teams find many instances of non-compliance with rules and regulations designed to protect computer networks, systems, and data,” the report states. Inspection findings included:
- System Security Plans are often inaccurate or incomplete
- Two-person access (TPA) controls are not properly implemented for data centers and equipment rooms
- Removable media are not properly scanned for viruses
Identified Insider Threat Shortcomings
These three identified shortcomings put the agency's insider threat program at risk and make conducting a counterespionage function (looking for those who are working for a foreign power or for themselves) difficult.
Ironically, the U.S. government doctrine surrounding System Security Plans (SSP), which can be found within the Federal Risk and Authorization Management Program (FedRAMP), identifies the SSP as “the main document of a security package in which a CSP (communications service provider) describes all the security controls in use on the information system and their implementation.” One would think that the infrastructure of NSA would be among the most secure in the world.
Harold Martin was remarkably successful in his efforts to identify, acquire, and exfiltrate data that piqued his interest. He didn’t simply take a document or two; no, Martin took over 50 terabytes of classified information over the course of 20 years. Was it the lack of two-person access controls?
The report mentions removable media not being scanned for viruses. To this mind’s eye it conjures up an image of the “parking lot hook,” where a malicious adversary drops USB drives in various parking lots in the hopes that someone will pick one up, take it into the restricted access environment and plug it into a machine to see who owns the drive. Or perhaps it was a subtle reference to Pho, whose work was compromised and identified via Kaspersky? Regardless, NSA apparently has a problem.
Winner and Pho were both identified through thorough investigations initiated after their actions had occurred and the damage had been done. The idea behind a robust insider threat program is to identify those who are a threat before they can do damage. One may posit, better late than never.
With the report in hand, let’s see if the congressional recipients are comfortable with that strategy.