Vulnerabilities / Threats
6/11/2013
10:03 AM
Connect Directly
RSS
E-Mail
50%
50%

NSA Prism Relies Heavily On IT Contractors

NSA whistleblower Snowden likely enjoyed access to Prism program details as a contracted NSA IT administrator. Systems administrators remain an important link in your security chain.

How did a Booz Allen contractor get his hands on top secret details about National Security Agency (NSA) intelligence operations?

Edward J. Snowden, 29, leaked confidential information to Britain's Guardian about the so-called NSA Prism program that conducts surveillance of online communications to and from foreigners, and leaked data to The Washington Post about the NSA's access to U.S. phone call metadata. According to Glenn Greenwald, a Brazil-based American who reports on civil liberties issues for the Guardian, Snowden has provided him with "thousands" of documents, of which "dozens" are newsworthy.

The leaks have highlighted how the NSA relies on an army on consultants to help it sift through the massive quantities of data it collects. According to information released this year by the Office of the Director of National Intelligence, 1.2 million Americans hold top-secret clearances, and 38% of those clearances are held by private contractors.

As that suggests, a substantial amount of U.S. intelligence work is now handled by private contractors. Naval War College professor John Schindler, a former NSA counterintelligence officer, said that the-post Sept. 11 launch of massive data-gathering operations -- for counterterrorism purposes -- required a commensurate increase in the number of people tasked with keeping those classified-data systems running.

[ Learn what Prism shows about cloud security. Read NSA Dragnet Debacle: What It Means To IT. ]

"It's hard to think of a single thing the intelligence community can do on its own anymore without a contractor being involved in some way, from the most mundane of data crunching to the pointy end of the black ops side," Peter Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, told The Wall Street Journal.

But how did Snowden access the confidential information in the first place, which includes a top secret Foreign Intelligence Surveillance Court order? A former senior NSA official told the Post that only 30 or 40 people in the world would have had access to that data.

Government investigators are "working with the NSA and others around the intelligence community to understand exactly what information this individual had access to, and how that individual was able to take that information outside the community," a senior U.S. intelligence official told the Post.

The NSA would have determined which specific systems Snowden would have been able to access, according to contractors interviewed by the Journal.

Given Snowden's biography and job description -- serving as an "infrastructure analyst" employed by Booz Allen, but working at an NSA satellite office in Hawaii -- many security experts believe that he didn't just have top secret clearance, but served as an information security or IT administrator tasked with keeping confidential systems running.

That might explain Snowden's remarks to the Guardian that he had "full access to the rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth."

A former senior official at the NSA told the Post, however, that Snowden's access claims are overblown. "When he said he had access to every CIA station around the world, he's lying," he said.

Then again, someone had to be maintaining the computer networks and related systems for those stations; what if it was Snowden?

The data leak situation further suggests that NSA officials might not have known the extent to which either private contractors or IT administrators were privy to highly confidential information.

Of course, no system is 100% secure, because a rogue or malicious insider can always decide to leak stored data. To put that another way, the security of any IT system -- no matter how clandestine -- hinges on trusting one's system administrator.

"They can be a critical security gap because they see everything," Naval War College professor Schindler told the Times. "They're like code clerks were in the 20th century. If a smart systems administrator went rogue, you'd be in trouble."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
proberts551
50%
50%
proberts551,
User Rank: Apprentice
6/11/2013 | 5:27:45 PM
re: NSA Prism Relies Heavily On IT Contractors
"1.2 million Americans holdtop-secret clearances, and 38% of those clearances are held by privatecontractors." Why should the Government not be the same as Corporate America?
I would like to see the percentage for contactors vs employed direct for I.T. people in Corporate America. I work as a contractor for a fortune 500 company, employed, love my job...but, . 90% are contractors because they got rid of the full time employees, and cut staff to the bone. I have heard from friends in the industry, that their fortune 500 companies did the same thing.
The jobs that seem to stay, are management positions, who are deciding what
"workers" get the axe. All are trying to save their own skin. I.T. struggles to function because of that very situation. Thus, my job was created and I work for the department to keep up production because I.T. cannot handle it. Even employees that have been employed for 20+ years are not safe....if they are workers. I know of data centers that closed, moved to India for warehousing and IT server services. It is all about Money folks, and human resources is just that. Not personnel. No longer are you safe doing a great job for an employer. There is no loyalty anywhere unless you know someone high up that can save you.
KawiMan
50%
50%
KawiMan,
User Rank: Apprentice
6/12/2013 | 5:59:50 PM
re: NSA Prism Relies Heavily On IT Contractors
Amen! As an IT professional for 30 years, I have no pity for employers that cut staff and outsource. Loyalty is a word of the past. Employers don't give it to their staff, so why should employers expect it from their staff? They won't get it because they don't give it.
2sense
50%
50%
2sense,
User Rank: Apprentice
6/11/2013 | 7:32:44 PM
re: NSA Prism Relies Heavily On IT Contractors
If you want loyalty, buy a dog.
majenkins
50%
50%
majenkins,
User Rank: Apprentice
6/11/2013 | 7:39:38 PM
re: NSA Prism Relies Heavily On IT Contractors
"It's hard to think of a single thing the intelligence community can do on its own anymore without a contractor being involved in some way, . . .

So what you are saying is that long before Jason Bourne jumped off of that yacht some contractor would have blown the whistle on the whole shebang.
builder7
50%
50%
builder7,
User Rank: Apprentice
6/24/2013 | 3:11:09 AM
re: NSA Prism Relies Heavily On IT Contractors
So, if this is true that there are 1.1 million contractors then that means that this privatization initiative started in the 1980's 'to save money and make the government smaller' actually increased the governments size by 1.1 million, high-paid private contractors and the companies that rake in the profit. No wonder our government is going broke!
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.