Report: Snowden Took Documents Out Of Secure Location On Thumb Drive

Edward Snowden

Mimicking in some ways BradleyManning, Edward Snowden was apparently able to smuggle classified documents from his work location using a thumb drive:

WASHINGTON — Former National Security Agency contract employee Edward Snowden used a computer thumb drive to smuggle highly classified documents out of an NSA facility in Hawaii, using a portable digital device supposedly barred inside the cyber spying agency, U.S. officials said.

Investigators “know how many documents he downloaded and what server he took them from,” said one official who would not be named while speaking about the ongoing investigation.

Snowden worked as a system administrator, a technical job that gave him wide access to NSA computer networks and presumably a keen understanding of how those networks are monitored for unauthorized downloads.

“Of course, there are always exceptions” to the thumb drive ban, a former NSA official said, particularly for network administrators. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”

(…)

Confirmation of a thumb drive solved one of the central mysteries in the case: how Snowden, who worked for contracting giant Booz Allen Hamilton, physically removed classified material from an spy agency famous for strict security and ultra-secrecy.

He acknowledged on Sunday that he gave two news organizations details of secret NSA surveillance programs on telephones and the Internet, but did not say how he had transferred the data. He is believed to be hiding in Hong Kong.

Officials said they still don’t know how Snowden got access to an order marked “Top Secret” from the Foreign Intelligence Surveillance Court, or a highly-classified directive from President Obama authorizing a military target list for cyber attacks. Neither document would be widely shared, or normally available to a low-level NSA employee.

Bradley Manning, of course, smuggled classified documents out of a secure Army location in Iraq using both thumb drives and either DYD-Rom’s or CD-Rom’s, and when that was revealed it caused many to wonder why there wasn’t more physical and software security on the terminals used to access classified data. While eliminating the ability to use either data storage method completely may not be possible, one would think that there ought to be a way to restrict its use, or monitor when someone was copying data to offline storage for no apparent reason. The fact that Snowden was apparently a Systems Analyst of some kind, of course, may have given him the ability to mask his copying activities, but that’s just pure speculation on my part. We require the people who work for the NSA and other agencies to take oaths regarding the proper use of classified data, but it seems to me that may be time to look at the computer systems themselves to try to ensure that it becomes much more difficult for them to do so.

FILED UNDER: Intelligence, National Security, Quick Takes, Science & Technology
Doug Mataconis
About Doug Mataconis
Doug holds a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020.

Comments

  1. James Joyner says:

    Clearly, we turned responsibility for security over to the Afghans prematurely.

  2. Mikey says:

    There’s quite a lot that needs done before a contractor’s information system can be accredited to process classified information. This is all governed by the National Industrial Security Program.

    Thumb drives aren’t supposed to enter areas where classified information is processed, but it’s a hard rule to enforce. I generally disable any USB ports not used to connect a keyboard and mouse, but even that is not 100% assurance. And like the quoted NSA official said, there are exceptions to the no thumb drives rule in certain circumstances.

    Snowden being a systems admin meant he had administrator-level access to at least some systems, and was then able to gain access to other systems that stored the files he wanted.

  3. superdestroyer says:

    Many federal organizations has been dealing with the thumb drive problem by eliminating all of the USB ports on their computers. Of course, I assume that the systems administrators have access to the few computers that have usable thumb drive in order to load software.

  4. Mikey says:

    @superdestroyer: They can’t eliminate all of them, because nobody builds PS/2 keyboards and mice anymore. They’re all USB.

    Many computers allow the disabling of the front-panel USB ports while leaving the ones the keyboard and mouse are plugged into active. So that’s what we do in my organization.

    Of course, a sysadmin would be able to access the computer’s BIOS and turn them back on temporarily.

    And as a sysadmin, Snowden was able to mask his espionage activities as normal sysadmin duties.

  5. Jenos Idanian says:

    The last time I bought a mouse, it came with a PS/2 adapter — which I used to keep my USB ports available. Could that be a solution?

    Conversely, could one use a PS/2 adapter with a flash drive? Would that still work?

  6. Ben says:

    @Mikey:

    @superdestroyer: They can’t eliminate all of them, because nobody builds PS/2 keyboards and mice anymore. They’re all USB.

    Many computers allow the disabling of the front-panel USB ports while leaving the ones the keyboard and mouse are plugged into active. So that’s what we do in my organization.

    Of course, a sysadmin would be able to access the computer’s BIOS and turn them back on temporarily.

    And as a sysadmin, Snowden was able to mask his espionage activities as normal sysadmin duties.

    It’s even easier than that. Just unplug the mouse, plug in a USB hub, and then plug your mouse and the thumb drive(s) into the hub. No BIOS tweaked needed.

  7. Mikey says:

    @Ben: And for just that reason, it’s actually easier to get a USB thumb drive approved than a USB hub.

  8. John Burgess says:

    I’m sort of mystified by this. Better than ten years ago, State Dept. would not allow any computer that processed classified info to even have USB ports. The only connections permitted were a wired mouse, the wired monitor, a wired, parallel-port printer, and the single network port. They didn’t even have floppy drives. The intent was to preclude any unauthorized offloading of data.

    While one could get inside to remove the hard drive, that would be noticed. And while one could also attempt to e-mail info, that stream was monitored for any heavy traffic.

  9. Gromitt Gunn says:

    @Mikey: I find it very hard to believe that the Federal Government couldn’t find a manufacturer willing to contract to make PS/2 keyboards and mice to spec.

  10. Mikey says:

    @John Burgess:

    Better than ten years ago, State Dept. would not allow any computer that processed classified info to even have USB ports.

    Better than ten years ago, you could still find computers that didn’t have them.

    Now Congress is looking at legislation to somehow limit contractor access to highly-classified information, as if that’s the problem. Hanssen (FBI agent), Pollard (Navy intel analyst), Ames (CiA analyst), Montes (DIA analyst), et al., were not contractors, and their espionage was far more extensive, and damaging, than what Snowden has done.

  11. Mikey says:

    @Gromitt Gunn: You’d think they would, but they don’t. Government is big on COTS (commercial off-the-shelf) these days because it’s a lot cheaper.

  12. john personna says:

    A sysadmin could access USB ports directly on the motherboard.

  13. DC Loser says:

    I find it very hard to believe that the Federal Government couldn’t find a manufacturer willing to contract to make PS/2 keyboards and mice to spec

    Low bidder wins. NSA uses off the shelf Dells (probably with Chinese parts). Snowden had access to NSAnet, its internal Top Secret IT system, that’s also tied into worldwide JWICS system that DoD uses.

  14. John H says:

    It is entirely possible to selectively block the use of USB thumb drives without requiring all USB ports to be disabled or removed. We do it to protect our organization’s proprietary information throughout our global enterprise, and you can be sure that information is a lot less sensitive than “top secret”. The problem is that you cannot have a system without administrative access. It’s amusing/disturbing that the same security organizations that will implement the most petty and detailed security policies for the public, can’t properly implement the management structure and oversight required to prevent the security nightmare that is sufficient administrative rights, physical access, and bad intent.

  15. Gromitt Gunn says:

    @Mikey: That seems both foolish and unsurprising. Heh.

  16. Mikey says:

    @Gromitt Gunn: Perhaps, but on the other hand, having manufacturers dedicate time and resources to building computers with such obsolete technology specifically for the government would doubtless be very expensive, and probably fail a cost/benefit analysis. Incidents such as Snowden’s are really quite rare.

    Even if it were possible to eliminate the “insider” threat–and it isn’t–doing so would be far more costly than its worth. And we’d be hearing an endless stream of news stories about “the computer that cost taxpayers $5000 that you can get at Best Buy for $499” and such.

  17. Davebo says:

    You’ll never be able to totally secure such IT systems.

    The only possible answer is to prosecute those who break the law to the furthest extent possible.

    It’s not a perfect deterrent but it’s all we have.