SAN FRANCISCO–Working in the security field offers ample opportunity to learn from your mistakes, and perhaps no organization has had to go through that process more publicly and painfully than the National Security Agency.
The failures that led to Edward Snowden walking out the door with a massive cache of NSA data four years ago were not the kind that normally make their way into the public’s line of sight. Those failures were organizational, technical, and procedural, and the agency had to take a hard look at itself in the aftermath of Snowden’s theft, the NSA’s former deputy director said.
“If you’d asked me in the spring of 2013 what’s the state of your defense of the business, I would’ve said it’s good but not perfect. We don’t take our eye off the ball, we don’t assume we can chase everything down. We’d have said we vet the insiders the old-fashioned way,” Chris Inglis, the former deputy director of NSA, said in a talk at the RSA Conference here Thursday.
Snowden was a contractor for the NSA, but had significant privileges in his role. Inglis said that insiders like Snowden have the unique opportunity to take advantage of the trust their organizations have to place in them, allowing them to do more damage than outside attackers in many cases.
“The fatal assumption is that between the time you did whatever it is you’ve done and the time we caught you that you didn’t constitute an existential threat to us. Bad assumption,” he said. “You have to act on the assumption that adversaries are on your network. Segmentation isn’t just an architectural concept, it’s an organizational one.”
After Snowden’s actions became public and the revelations about the NSA’s surveillance activities turned into a daily story, the agency found itself having to defend its work both in the press and on Capitol Hill. Inglis said that as painful as that process was for the agency, there was value in it as well.
“Whether you think Snowden did the right thing or the wrong thing, was an agent for a foreign power or any of that, all of it was secondary to the conversation that took place that summer about privacy and national security,” he said. “The NSA was always going second in that conversation. We failed miserably at sufficient transparency.”
The lessons from that summer can be applied in any organization, Inglis said, not just in the intelligence community or government.
“The controls were relatively low on Snowden’s job. What he did was a low-probability event, but it was extraordinarily high consequence,” Inglis said.