Former senior NSA official: Maybe only 30 or 40 agency officials had access to that FISA order that leaked

posted at 2:01 pm on June 11, 2013 by Allahpundit

Normally, this is where I’d say there are only two obvious possibilities: Either I’m right that he conspired with someone higher up the chain who fed him these highly sensitive documents or the guy’s some sort of master hacker who managed to slip past NSA’s internal security to lift top-secret stuff off their servers. But I can’t say that in this case because none of us really has any idea how NSA operates. Could the IT guy have had routine access to bombshell surveillance program data? I … don’t think so, but I … guess, maybe?

Even the intel guys can’t figure it out:

Among the questions is how a contract employee at a distant NSA satellite office was able to obtain a copy of an order from the Foreign Intelligence Surveillance Court, a highly classified document that would presumably be sealed from most employees and of little use to someone in his position.

A former senior NSA official said that the number of agency officials with access to such court orders is “maybe 30 or maybe 40. Not large numbers.”…

Officials questioned some of Snowden’s assertions in his interview with the Guardian, saying that several of his claims seemed exaggerated. Among them were assertions that he could order wiretaps on anyone from “a federal judge to even the president.”

“When he said he had access to every CIA station around the world, he’s lying,” said a former senior agency official, who added that information is so closely compartmented that only a handful of top-ranking executives at the agency could access it.

“Investigators also need to determine whether anyone else was involved in disclosing the information to reporters,” per WaPo’s sources. That’s one possibility — Snowden in cahoots with a more senior person who wants the information out but doesn’t want his fingerprints on it. In theory, though, security at NSA is so tight that there’s no way to access, let alone remove, information without leaving a cyber-fingerprint of some kind. That’s the whole point of PRISM, right? Finding even the faintest cyber-prints? An agency that can track people’s physical movements based on their use of electronic devices should, one would think, be able to track their own contracted employees’ virtual movements on their premises. And yet here we are, with Snowden safely decamped with the goods to Hong Kong and Glenn Greenwald promising even more revelations.

Theory two, then: Snowden’s a hacking genius who somehow beat NSA’s internal security. Marc Ambinder assesses the degree of difficulty:

According to several current and former officials who’ve worked on NSANet, every keystroke is logged and subject to random audits. “Screengrabs” are prohibited. Documents can be printed with special facilities but that, too, leaves a record. As a mission support specialist, Snowden would have had access as part of his jobs to the physical servers and hard drives that contain material.

If he did not want to leave an audit trail, he might have disconnected a hard drive containing temporarily cached documents, brought them into an area that included desktops and hardware not cleared for such access, connected them, and then printed documents out. It is also possible that he disabled, under the guise of fixing something, access privileges for auditors. He could have temporarily escalated his own access privileges, although this would have raised flags among his superiors.

In theory, this would have alerted NISIRT, the NSA’s Information Systems Incident Response Team, which maintains a 24/7 watch over the backend of NSANet. Operational branches, including Special Source Operations (domestic and compartmented collection programs), Global Access Operations (satellites and other international SIGINT platforms), and Tailored Access Operations (cyber) have their own NISIRT team.

The agency also has a counterspy team that looks at NSA employees — and contractors? — in hopes of anticipating who might be ready to leak. Evidently they missed the Ron-Paul-donating loner who’d apparently been in contact with Glenn Greenwald for months before he skipped town. And if Ambinder’s scenario is correct, they also missed one of their hard drives going offline. Would a PowerPoint on PRISM and a FISA order authorizing phone-record harvesting even be on the same hard drive? I.e. did Snowden collect this stuff steadily over time, by accessing different NSA “compartments,” rather than in one grand heist? Because if so, that’s an even more catastrophic internal security breakdown. Could NSA counterspies have missed repeated breaches?

Hopefully we’ll be able to game all of this out as part of the great national debate on NSA spying that Obama supposedly welcomes but won’t lift a finger to actually make possible. (“If President Obama really welcomed a debate, there are all kinds of things he could do in terms of declassification and disclosure to foster it.”) Exit question: Why did Snowden claim he was making $200,000 a year if he was only making $122,000? Is he including benefits in measuring his compensation? Any lie he tells, however small, will raise doubts about his motives. Seems weird that he’d open himself up to a challenge on something as minor as that.


Comments

Maybe the NSA’s security systems “work by design” as well as Obamacare does. Why would the government actually be competent in this case?

RSbrewer on June 11, 2013 at 4:11 PM

I have been a network engineer for tech companies who have national and international users for 20 years. I work in silicon valley. I have never, ever, seen any outside “direct access” to anyone’s servers or any constant 100% monitoring of all traffic. That would be physically impossible. We would have to double the US bandwidth infrastructure to do it. It is not only wrong, it’s crazy. Please stop making things up in your heads and spewing it like it is fact. It’s nuts.

crosspatch on June 11, 2013 at 4:07 PM

It’s not 100% monitoring but it is 100% access and possibly collection. When they want the information they have it at the ready.

BoxHead1 on June 11, 2013 at 4:12 PM

The 100% access is supposedly to real time events and the data stores of most of the providers including all of your email stored by your provider…

BoxHead1 on June 11, 2013 at 4:15 PM

Why do you keep trying to refute this point? This is NOT what I said, nor anything related to what I argued. Not even close. I said that audit trails are for after-the-fact information, which they are. I gave you the analogy with video surveillance to help make that perfectly clear.

ThePrimordialOrderedPair on June 11, 2013 at 4:03 PM

I will amend my previous statement.

If you want to believe a multidimensional matrix of audit trail systems that allow cross validation of each individual audit trail system against multiple separate audit trail systems are purely an after-the-fact prevention technique, you are welcome to your opinion.

PolAgnostic on June 11, 2013 at 4:15 PM

I have been a network engineer for tech companies who have national and international users for 20 years. I work in silicon valley. I have never, ever, seen any outside “direct access” to anyone’s servers or any constant 100% monitoring of all traffic. That would be physically impossible. We would have to double the US bandwidth infrastructure to do it. It is not only wrong, it’s crazy. Please stop making things up in your heads and spewing it like it is fact. It’s nuts.

crosspatch on June 11, 2013 at 4:07 PM

Other NSA whistle blowers have confirmed it.

the_nile on June 11, 2013 at 4:17 PM

Other NSA whistle blowers have confirmed it.

the_nile on June 11, 2013 at 4:17 PM

And no one in power has denied it.

BoxHead1 on June 11, 2013 at 4:21 PM

I have been a network engineer for tech companies who have national and international users for 20 years. I work in silicon valley. I have never, ever, seen any outside “direct access” to anyone’s servers or any constant 100% monitoring of all traffic.

What makes you think you would even be able to detect the access if it was there?

That would be physically impossible.

Congratulations. You just declared cyberwarfare and many other types of network intrusions “physically impossible”.

We would have to double the US bandwidth infrastructure to do it. It is not only wrong, it’s crazy.

We would have to double the US bandwidth to give remote access to bureaucrats? Were you a network engineer in the 1970s or something?

Please stop making things up in your heads and spewing it like it is fact. It’s nuts.

crosspatch on June 11, 2013 at 4:07 PM

Take your own advice, and stop making ridiculous statements about a concept which takes place thousands or even millions of times every day (unauthorized intrusions into secured systems).

MadisonConservative on June 11, 2013 at 4:25 PM

I have no idea, but I was talking with someone who does have a little more to offer. There are three theories:

1. The internal security system was not up to par. Ask yourself how a private stationed outside the nation could access State Dept cables and give them to Wiki? There could be an issue of who has what level of clearance and what that gives you.

2. The kid is a hacker or he intercepted the documents as they were emailed around. One of the things I learned from dealing with the bureaucracy is how sloppy they can be internally, once they are “inside the bubble” of security. You can have super secret stuff going on with sealed papers etc, background checks on everybody and I would see “Julio the janitor” just walking by with this dust mop and broom. I often wondered who vetted that guy, or the cafeteria worker etc.

3. His story is a bit odd. Either he is lying about who he is and his history or he is covering for the real leaker. What if the real source isn’t Snowden at all but someone he knew? He makes some huge claims that would seem to belong to someone with access and capabilities above him.

archer52 on June 11, 2013 at 4:49 PM

It would be physically impossible to 100% monitor all traffic to all ISPs as I am hearing people talking about. That would require a doubling of internet bandwidth infrastructure globally.

Cyberwarfare is different and you can not hide the data. In other words, most networks keep a pretty close eye on their traffic flows. You might be able to hide an intrusion, but you can not hide the movement of data. I might not know where the data is going at first, but I can see that there is data going somewhere. It would take me a few minutes to capture a few packets and learn where it is going. I don’t care if the contents of the packets are encrypted or not, they are still going to have a source/destination address.

ISPs don’t buy a bunch of excess capacity they don’t need. If they are doing 80Gig of traffic/day, they might have 150Gig of capacity. If that traffic suddenly spikes and causes congestion, they are going to notice it.

You seem to keep trying to find ways to rationalize an irrational conclusion. I will tell you as someone who works in that industry and has for decades that NSA does not have direct access to these systems. I have to deal with requests from various agencies for access to data at one time or another. It is much easier for your local county Sheriff to get your email than it is for NSA to get it. Your county Sheriff makes a phone call and faxes a subpoena from a county court and he gets the data. NSA can’t do that. It requires an act at the federal level for them to get anything from even a single account.

crosspatch on June 11, 2013 at 4:56 PM

archer52 on June 11, 2013 at 4:49 PM

There is also the possibility that the PRISM power point is an old marketing presentation from when contractors were pitching the system to NSA and doesn’t actually describe the system as it exists today.

crosspatch on June 11, 2013 at 4:59 PM

My information was also only supposed to be accessible by my 30 or 40 Facebook friends..

Surprise!

saus on June 11, 2013 at 5:04 PM

Crosspatch could be right. What I asked my friend was not what Snowden did, but how they all reacted. Sometimes it is the sore spot you hit that gives you the clue.

He may have had an old document, but it sure is close to what they are doing now. To have both Feinstein and Rodgers squeal like stuck pigs over “we don’t know what is really going on” tells me we do.

What they are going to protect now is their own reputations and then the operation.

The biggest trouble they will all face is speaking openly about us having no reason to worry when Clapper is stating openly he has lied about the program to Congress.

As my buddy pointed out- How does the select committee know he didn’t lie to them to protect the program.

At some point trust is the key and this administration has none.

archer52 on June 11, 2013 at 5:05 PM

It requires an act at the federal level for them to get anything from even a single account.

crosspatch on June 11, 2013 at 4:56 PM

So what are they putting in that huge data center in Utah? Are they building it to store the information that they’re not collecting?

hawksruleva on June 11, 2013 at 5:25 PM

As my buddy pointed out- How does the select committee know he didn’t lie to them to protect the program.

At some point trust is the key and this administration has none.

archer52 on June 11, 2013 at 5:05 PM

I’ve always thought the oversight role should be a bit more active, anyway. The NSA has every reason to tell Congress what Congress wants to hear. They have every motivation to make the money spent on them look like a wise investment.

hawksruleva on June 11, 2013 at 5:27 PM

crosspatch on June 11, 2013 at 4:56 PM

They are not monitoring all of our activity in real time -DUH.

The claim is that they can access any 1 (or 10 or x) individual’s data. They supposedly have a back door to most of the stores and can compile a dossier of all emails/sites browsed/postings…. that the individual has in the stores + the PRISM software scrapes information of everyone that is mentioned or communicated with by the individual.

BoxHead1 on June 11, 2013 at 5:28 PM

So what are they putting in that huge data center in Utah? Are they building it to store the information that they’re not collecting?

hawksruleva on June 11, 2013 at 5:25 PM

WoW conventions…

…and Tetris contests.

Solaratov on June 11, 2013 at 5:33 PM

It would be physically impossible to 100% monitor all traffic to all ISPs as I am hearing people talking about.

crosspatch on June 11, 2013 at 4:56 PM

And the straw man strikes back. Nobody is claiming that all people are being watched at all times. The PRISM system is reported to have ACCESS to all records at all times. They look at my records today, yours tomorrow, Carrot Top’s on Thursday, and so on.

It’s as if I said a specific car can do 200MPH, and your argument is “It can’t go 200MPH the entire trip!” All that matters is that the car can reach that speed, and all that matters is that PRISM can reach, well…anyone. Anytime.

MadisonConservative on June 11, 2013 at 5:51 PM

$200k versus $122k? Easy, it’s called overtime. Base salary plus a lot of overtime can add up to $200k. Technically it’s not his actual salary as a company would see it but I don’t know an employee who doesn’t count OT as part of his/her salary.

willytvirgin on June 11, 2013 at 5:52 PM

an after-the-fact prevention technique,

PolAgnostic on June 11, 2013 at 4:15 PM

You’ll have to explain that one to me because, in English, it makes no sense.

This seems to be why you don’t understand what I am saying.

ThePrimordialOrderedPair on June 11, 2013 at 6:25 PM

I don’t understand. If NSA has, let’s just say, unlimited capability of its own, how is commercial bandwidth limitation a problem for the NSA if all they have to do is capture data?

And yes, from what I understand, Snowden is saying they capture all electronic data and send it to computers for the algorithm analyses.

flicker on June 11, 2013 at 6:35 PM

If he did not want to leave an audit trail, he might have disconnected a hard drive containing temporarily cached documents, brought them into an area that included desktops and hardware not cleared for such access, connected them, and then printed documents out.

Um, no. On servers as large as the ones used for such an operation, there is no “a hard drive” to be disconnected.

First – there would be an array of hard drives any one of which would contain only partial data that nothing “whole” could be reconstructed from.

Second, any removal (or failure) of any hard drive would raise an alarm that would be monitored by the Network Operations Center. High value systems are constantly monitored for such failures.

Third, physical access to such systems is strictly controlled and there would be video surveillance of the data center. Think “Fort Knox” here. I have never been inside of a classified data center, but I have been inside a few belonging to financial services firms. Armed guards aren’t uncommon.

Even if this guy did have physical access rights to the hardware, there is no way he was just going to walk off with anything.

climbnjump on June 11, 2013 at 6:37 PM

Third, physical access to such systems is strictly controlled and there would be video surveillance of the data center. Think “Fort Knox” here. I have never been inside of a classified data center, but I have been inside a few belonging to financial services firms. Armed guards aren’t uncommon.

climbnjump on June 11, 2013 at 6:37 PM

Let us not forget that Sandy Burgler was able to examine super-secret, highly classified documents, stuff them into his pants and underwear, and leave the “sooper-high security facility” with no problem, at all. And no one even knew that he had taken anything or what he actually took after it was made known. And then Sandy mistakenly used those highly classified documents as liner in his bird cages and had to throw them out …

ThePrimordialOrderedPair on June 11, 2013 at 6:44 PM

Even if this guy did have physical access rights to the hardware, there is no way he was just going to walk off with anything.

climbnjump on June 11, 2013 at 6:37 PM

03-19-13 FBI Arrests NASA Contractor Employee Trying to Flee to China

entagor on June 11, 2013 at 7:55 PM

Let us not forget that Sandy Burgler was able to examine super-secret, highly classified documents, stuff them into his pants and underwear, and leave the “sooper-high security facility” with no problem, at all. And no one even knew that he had taken anything or what he actually took after it was made known. And then Sandy mistakenly used those highly classified documents as liner in his bird cages and had to throw them out …

ThePrimordialOrderedPair on June 11, 2013 at 6:44 PM


Hmmmmmmmmm ….

There is more than a tad bit of difference between the classified files section of the National Archives and ANY location dealing with code word or higher security documents …

… much less the FISA court document only 30 – 40 people in the entire government had access to in this case.

http://www.washingtonpost.com/wp-dyn/articles/A16706-2005Mar31.html

PolAgnostic on June 11, 2013 at 9:06 PM

Let us not forget that Sandy Burgler was able to examine super-secret, highly classified documents, stuff them into his pants and underwear, and leave the “sooper-high security facility” with no problem, at all.

Yes, but the National Archives folks did – belatedly – know who took the documents. He was caught when they confronted him about it. But I was responding to the theory that Snowden “unplugged a hard drive” and took it elsewhere, presumably without stuffing it in his underwear.

03-19-13 FBI Arrests NASA Contractor Employee Trying to Flee to China

Yes, from the link:

Jiang also is charged with making a false statement to federal law enforcement agents, including his attempt to conceal a “laptop, and old hard drive and a SIM card,” according to the FBI agent.

And from a follow up link: Former NASA contractor agrees to deportation

Do you think they’d just let him go if he REALLY had stolen classified info? Yes, he stole some important stuff, but it wasn’t on the level of what he was originally accused of. I’m not making excuses for the guy, just pointing out that there are different levels of security for different levels of data.

Snowden had only been on the job for 3 months. Given his age and background, it’s pretty unlikely that he’d had the level of access that he’s claiming. My guess is that he’s being used as an idealistic patsy and was fed this info by someone who did have access.

climbnjump on June 11, 2013 at 9:24 PM

The last Top Secret Layoff plans right after I left Lockheed was left on the photo copier…
Just saying, any security is only as strong as the dumbest F**K in the chain. I would imagine it being a Government agency there are a lot that fill that bill.

rgranger on June 11, 2013 at 10:44 PM

I think the answer to how Snowden obtained the classified information is pretty obvious.

Booz Allen Hamilton has been an NSA subcontractor on a number of NSA surveillance programs over the years, notably SWIFT, Pioneer Groundbreaker and Trailblazer. Given that they are a technology consulting firm it is most likely that they are the systems designers, implementers and administrators for all of the underlying computing infrastructure that supports these programs.

Snowden described himself as a systems engineer and a systems administrator. It is most likely that he had been employed by BAH and was acting in an administrative support role for one of these programs and had the required administrative privileges to access the information that he did.

For instance, in a previous role many, many years ago when I was fairly new to IT I was in a similar role working for a Federal statutory authority. As a systems administrator I could grant myself the ability to access any file held on the organisation file servers. I could also access the email accounts of anyone within the organisation.

The most likely explanation is that Snowden abused the administrative privileges he had been granted as part of his normal day to day responsibilities and took the opportunity to expose this classified information to the public.

bileduct on June 12, 2013 at 9:38 AM

Snowden had only been on the job for 3 months. Given his age and background, it’s pretty unlikely that he’d had the level of access that he’s claiming. My guess is that he’s being used as an idealistic patsy and was fed this info by someone who did have access.

climbnjump on June 11, 2013 at 9:24 PM

That’s just ridiculous. Snowden had previously obtained Top Secret clearance and had worked for the NSA previously, as well as the CIA and a NSA subcontractor – specifically in the field of network security.

The guy is 30 and he’s already cleared. There isn’t going to be some honeymoon period where he sits around doing nothing.

bileduct on June 12, 2013 at 9:50 AM

Who cares how he got the info? What matters is that we the people rein in this government before it’s too late. Sounds like the ruling class is trying to change the subject from their spying on the American people to how such info became public knowledge.

bgibbs1000 on June 12, 2013 at 9:51 AM

Who cares how he got the info? What matters is that we the people rein in this government before it’s too late. Sounds like the ruling class is trying to change the subject from their spying on the American people to how such info became public knowledge.

bgibbs1000 on June 12, 2013 at 9:51 AM

Exactly right.

All this Snowden talk is simply “Pay no attention to that man behind the curtain” type diversion.

The issue is the program … how much of what he leaked was true … and what we’re gonna do about it.

HondaV65 on June 12, 2013 at 10:01 AM

The South China Morning Post has another interview with Snowden to be released shortly.

MadisonConservative on June 12, 2013 at 10:49 AM

An NSA level facility has all of your proposed methods covered.

If you want to believe true audit trail systems can be bypassed, you are welcome to your opinion.

PolAgnostic on June 11, 2013 at 3:59 PM

Yes it is my opinion based on past job experience in SCIFs. Yes there are audit trails for such things. An audit trail can be subject to social engineering based on workflow and sign-offs. Perhaps the NSA has a giant degausser all personnel must pass through on the way out… wouldn’t surprise me, but it would play hell on pacemakers.

A large number of past breaches of security, both government and private, have been achieved by means of social engineering. You do not have to be a genius to perform social engineering, just observant and clever. Snowden appears to be relatively intelligent, perhaps not greatly observant but enough to handle a day-to-day workflow in a secure environment, and possibly clever, though that has yet to be proven.

If you think that there isn’t a human factor in any audit trail, you are welcome to your opinion.

When examining how data gets out of secure environments, the networks and servers, the actual hardware, while all high-tech and such, isn’t a good place to start. The work environment and social environment are an excellent place to start… if you want exact method you must examine the workplace, the people in it, who had other access to it and how the data flows through the system and what happens when problems crop up and how they are handled. As we don’t know exactly what job function Snowden had or at what site, there are possibilities in the data audit and accountability chain that will not be as strong as others. Walking out of the main office with a thumb drive is probably not the best place to start… although, strangely enough, that has been done and not figured out until long after the leak has happened. Apparently not all audit trails are all that robust.

And the least robust part of the system? The people involved. Which is why we are trying to think about how Snowden could have done it…

ajacksonian on June 12, 2013 at 11:58 AM

Snowden had only been on the job for 3 months. Given his age and background, it’s pretty unlikely that he’d had the level of access that he’s claiming. My guess is that he’s being used as an idealistic patsy and was fed this info by someone who did have access.

climbnjump on June 11, 2013 at 9:24 PM

That’s just ridiculous. Snowden had previously obtained Top Secret clearance and had worked for the NSA previously, as well as the CIA and a NSA subcontractor – specifically in the field of network security.

The guy is 30 and he’s already cleared. There isn’t going to be some honeymoon period where he sits around doing nothing.

bileduct on June 12, 2013 at 9:50 AM

bileduct has it right. When you get hired into a TS level position, and already have a TS clearance, you get read in to the program as quick as possible. Any time lost with a new hire sitting around without being read in, and therefore unable to do the job he was hired for, is lost money for the company and/or wasted time, productivity, and/or money for the customer (NSA in this case).

He!! – it’s often easier for a younger person to get a clearance because they’ve got less history to investigate and had less time to mess up their lives with bad decisions.

dentarthurdent on June 12, 2013 at 1:14 PM

Exactly. Snowden is clearly lying. Conservatives need to stop rushing to his defense without all the facts.

Faramir on June 13, 2013 at 12:02 PM