The NSA: Even Worse Than You Think!

They’ve made you paranoid, but that doesn’t mean they’re doing their job.

People wear masks with pictures of former NSA contractor Edward Snowden during the testimonial of Glenn Greenwald in Brasilia, Brazil, on Aug. 6, 2013. Sadly, Snowden is the least of the NSA’s problems.

Photo by Ueslei Marcelino/Reuters

There is one secret Edward Snowden spilled that even the most hard-boiled anti-privacy security operative can’t ignore: The National Security Agency is broken. It is broken not just because it somehow let a contractor steal a voluminous portion of its secrets, but because many of those secrets paint a picture of a dysfunctional agency. The NSA not only can’t stop a leaker like Snowden; it’s uncertain that the NSA can do a good chunk of what’s in its job description.

Yet the agency has many brilliant projects under its belt. First and foremost, there is Stuxnet, the computer worm that infected over half of Iran’s computers and made its way into their Internet-isolated nuclear facilities—via some unknowing peon’s thumb drive—to sabotage Iran’s uranium-enrichment centrifuges and set their nuclear development back by months if not years. Based on White House leaks, David Sanger has reported that the NSA and Israel’s Unit 8200 co-developed Stuxnet. From a technical standpoint, it is the single most brilliant computer virus I have ever seen, precision-targeted yet flexible enough to spread through multiple vectors as needed.

The NSA has always been on the cutting edge of encryption, designing the widespread Secure Hash Algorithms and driving standardization of Suite B. I entirely believe that they may have made a cryptographic breakthrough allowing them to crack most encryption in use today. And their intelligence work within local combat contexts, as with the Iraq surge in 2007, has frequently been respectable.

The question, then, is how an organization capable of such technical brilliance could also fall prey to organizational incompetence such as giving unaudited root access to a sysadmin contractor like Edward Snowden. In light of the agency’s achievements and the default rah-rah attitude toward issues of national defense, it is tempting to give the NSA the benefit of the doubt when a Snowden happens. That would be wrong. As I saw in my time at Microsoft, great technical skill can exist uneasily within organizational structures that kill innovation.

Poor internal security is nothing new for the NSA, though it’s never suffered the humiliation of someone putting a Mickey Mouse sticker over his ID picture and waltzing in, as its British counterparts, the Government Communications Headquarters, did. That story comes from James Bamford’s 1983 book The Puzzle Palace, which also chronicles the 1980s-era paranoia at the NSA when polygraph tests of employees were instituted. Thousands of employees were “strapped to a machine and asked whether [they] have been selling secrets to the Russians or leaking information to the press,” Bamford wrote. Amazingly, the NSA still uses polygraph tests, despite decades of research showing their unreliability and their inadmissibility in court; NSA whistle-blower Russell Tice demonstrated last year just how easy it is to beat them. That the NSA has stuck with the polygraph smacks of desperation and the need to convince someone that security is being taken seriously, through pageantry rather than through effectiveness. It’s the same reasoning behind why we’re still taking off our shoes at airport security.

What the NSA appears to be, then, is a sclerotic organization with individual pockets of brilliance. Agencywide infrastructure appears to be the agency’s most difficult challenge, which would account for its admitted inability to process the dragnet of data it sweeps up. From all indications, from Dana Priest and William Arkin’s 2011 book Top Secret America to Snowden’s documents, the NSA has no trouble collecting petabytes of data, but is unable to organize it effectively. In the Washington Post in 2010, Arkin and Priest wrote, “Every day, collection systems at the National Security Agency intercept and store 1.7 billion e-mails, phone calls and other types of communications. The NSA sorts a fraction of those into 70 separate databases. The same problem bedevils every other intelligence agency, none of which have enough analysts and translators for all this work.” In Top Secret America, a senior intelligence official complains, “The data was outdated by the time it had arrived.” (This very Slate article will contribute to clogging the NSA’s data pipes.) In his 2010 book The Secret Sentry: The Untold History of the National Security Agency, Matthew Aid describes modernization plans that are constantly put off and an ever-increasing flood of information that the NSA is forever trying to get under control, even as it eagerly gulps down more.

The difficulty in information retrieval, or IR, the general theoretical field underpinning search engines, is primarily in the analysis and indexing of the data. It will not do just to have the raw data sitting around: It must be preprocessed en masse—using immensely complex algorithms—and filed away in a form amenable to being searched in exactly the ways the NSA wants to search it. Searching the raw data would be like trying to find a name in an unalphabetized phone book. For those who think Google just keeps duplicate copies of every Web page in their original form and scans them when someone does a search—I assure you, this is not how it works, ever. Every piece of intelligence needs to be analyzed, annotated, and classified as it is obtained, so that large-scale comparisons and analyses can be later performed with ease.

Google innovated brilliantly in indexing and analysis while under the constant threat of capitalist competition. The NSA has no competitors as such, which is one of many reasons why it trails Google quite badly. As law professor and technologist James Grimmelmann puts it, “The NSA has mountains of data and no clear sense of how to manage it effectively. The attitude is that there must be needles in there, and we’ll figure out a way to find them later.”

A large former monitoring base of the National Security Agency sits in Bad Aibling, south of Munich, at the break of dawn on July 11, 2013.

Photo by Michael Dalder/Reuters

The best indicators we have as to the state of data management in the NSA come from its IT departments, and not just because that was where Snowden worked. The NSA spends nearly half its budget on operational IT, more than any other security agency. This week, Secret Sentry author Aid boggled at the numbers on his blog. Noting that the NSA spends 10 times as much on facilities and logistics as the CIA, he writes, “NSA’s top three budget line items, totaling more than $4.4 billion or 40 percent of NSA’s annual budget, have nothing to do with the agency’s core mission of SIGINT collection, processing, analysis and reporting, or protecting the security of the U.S. government and military’s computers and telecommunications systems.”

These budget numbers signal that the NSA is throwing more and more money at problems while failing to solve them. An outside audit would usually curb such spiraling numbers, but it seems that hasn’t happened. The Senate Select Committee on Intelligence reported that as of June 2009, “the NSA’s financial statements were not adequately supported by reliable accounting data and supporting information.” Marcy Wheeler reports that there has been no word of any improvement since.

Many IT positions tend to be contractor jobs with high turnover—hardly the place for dedicated civil servants with years of experience in the NSA. Yet they literally control the ability of everyone to get their jobs done, and the NSA gave some of these contractors the keys to the kingdom. “Start from the point that if the NSA had competent security, Snowden wouldn’t have been able to do a tenth of what he did,” Grimmelmann says. “You give sysadmins privileges on specific subsystems they administer. And you do not give them write access to the logs of their own activity. The NSA should be grateful that Snowden got there first, and not the Chinese.”

Snowden didn’t hack the NSA because there was no security to be hacked. That he and thousands of other low-level contractors had unfettered, untraceable access to the entirety of NSA systems is a security hole that makes Windows look like Fort Knox. It should have resulted in firings. The fact that NSA Director Keith Alexander still has a job signals that the government doesn’t really take the Snowden leak that seriously. Instead, Alexander has announced plans to eliminate 90 percent of the agency’s contractor sysadmins posthaste—about 900 people—by “automating” their work. He fuzzily alluded to “transferring data [and] securing networks.” Since the NSA’s own network is not, as we have learned, secure, it will no doubt prove far more difficult to automate such a process than Alexander suggests.

Alexander’s plan does not seem to be a plan. It sounds more like frightened middle management trying to protect its position by saying, We don’t have anyone with Snowden’s job anymore. “The NSA actually employs people who could easily have identified the enormous gaps in its own security,” Grimmelmann says. “Were they consulted? Did anyone listen if they were? The NSA has the knowledge and the budget. But it can’t deploy them to where they’re needed on the most basic level.”

And not even the best-run organization can automate 90 percent of its IT positions without foundational changes to how its systems work. The NSA’s IT infrastructure is already a teetering Jenga tower, and Alexander just demanded that the agency remove 900 blocks simultaneously. It could well result in worse security, not better security.

There is one thing, it seems, the NSA can easily do to look good: collect even more data! Even if it lies unprocessed in a dusty drive, the top brass will at least see the big numbers of how many intercepts are being made. But consider this hypothetical. Should, heaven forbid, some major terrorist attack occur, it’s quite likely the NSA will have vacuumed up something or other relating to the planning. (I’d wager the agency vacuumed up something on Dzhokhar Tsarnaev.) And should some disgusted intelligence analyst leak the fact that the NSA actually possessed intelligence on the terrorist activities before the attack but just never got around to analyzing it, how is that going to look?

For its own sake, the NSA should be searching for someone to come in and clean up shop. Remember, the NSA has people—its Tailored Access Operations department, for example—who could easily find every security hole in the agency; they just don’t have the power to do so. The government needs to freeze the NSA’s budget and clean out the complacent rot at the agency, starting with Alexander. It needs to install a more tech- and security-savvy chief who can recognize a gaping security hole and then honestly query the rank and file on what does and does not work, without them getting blamed for speaking out. The director of national intelligence and the president should then get a report of all the problems with the agency that haven’t yet been leaked to the world. What the NSA needs, in short, is basically the national-security equivalent of Marissa Mayer.

Julian Assange dreams of making security agencies so paranoid and sclerotic that they can no longer function effectively. Unless and until the NSA starts making real changes, he may be getting his wish.