Tuesday, February 25

Tale of NSA Department, Ed Snowden, the Magic Lamp and the Stovepipe

The NSA Department and the Magic Lamp

Set aside the techno-babble and the tale of the purloined password.(1)  Edward Snowden got access to top secret levels of surveillance at NSA through the most simple, nontechnical means imaginable, and all he got all the help he needed from one of human nature's most famous weaknesses.  Here's how it happened, as told to Forbes data privacy columnist Andy Greenberg by a colleague of Snowden's at NSA, whose name for understandable reasons had to be withheld for publication. If you're already familiar with the account, which was published December 16 under the title An NSA Co-Worker Remembers The Real Edward Snowden: "A Genius Among Geniuses," bear with me while I quote certain passages; I'm going to analyze them in a way I'm pretty sure hasn't been done before.
"Before coming to NSA Hawaii, Snowden had impressed NSA officials by developing a backup system that the agency had widely implemented in its codebreaking operations.

He also frequently reported security vulnerabilities in NSA software. Many of the bugs were never patched.[2] 
Snowden had been brought to Hawaii as a cybersecurity expert working for Dell’s services division but due to a problem with the contract was reassigned to become an administrator for the Microsoft intranet management system known as Sharepoint.

Impressed with his technical abilities, Snowden’s managers decided that he was the most qualified candidate to build a new web front-end for one of its projects, despite his contractor status. As his coworker tells it, he was given full administrator privileges, with virtually unlimited access to NSA data.

“Big mistake in hindsight,” says Snowden’s former colleague. “But if you had a guy who could do things nobody else could, and the only problem was that his badge was green [contractor] instead of blue [employee], what would you do?”
So those who've claimed that Snowden didn't have the "authorities" or technical ability to access certain NSA files were misinformed or dissembling.  Yes he did have the authorities, and there was no need for him to figure out how to break into any security level at NSA.  Snowden's managers simply handed him the keys to the kingdom.

This means there was no need for Snowden to work out subterfuges to access the files -- a point the colleague emphasized in another part in the account.

Here one can be forgiven for asking if his superiors were crazy to give that much power to a contractor (technically, a subcontractor). The answer in this particular case is that they didn't quite see him as a contractor.  They thought they'd stumbled across a magic lamp with a genie inside.  In a way, they had:
“That kid was a genius among geniuses,” says the NSA staffer. “NSA is full of smart people, but anybody who sat in a meeting with Ed will tell you he was in a class of his own …I’ve never seen anything like it.”
The colleague also said that Snowden kept a copy of the U.S. Constitution on his desk at NSA to reference when he argued about the legality of certain NSA surveillance methods, and it seems he argued frequently.  Didn't Snowden's superiors find this troubling?  So the genie blew off steam on occasion. Genies do such things.

Snowden also wore at work a hoodie with a logo that was a clear criticism of the agency's surveillance methods. Well, genies are known to dress strangely.
And while the colleague's account doesn't mention this, according to Snowden he did everything but rent a marching band to alert his superiors and coworkers at NSA to the kind of surveillance programs he was finding after he'd been given access to the most top secret files, and to explicitly state that he was deeply troubled by his findings.(3)  There is much in the public record to suggest his claim is true.

Even his postings over a period of years at Ars Technica website clearly indicate that this is someone who doesn't believe in stewing in silence. Once he got access to certain files it would have been completely in character for Snowden to show his superiors at NSA what he was finding and fume, 'Look at this! This is illegal!'

But of course matters of law are seen differently by a being whose home is a lamp.
While they didn't put it quite that way, that was how his superiors blinded themselves to the fact that Ed Snowden had "security risk" stamped all over him.  They'd become experts on genie behavior, you understand.
Translation: Snowden's superiors had stumbled across a brilliant "kid" who was going to help them pull off a special project, one that would put a feather in the cap of at least one department at the Hawaii branch office.

So at the bottom of the heist of the century is an ageless story, told in countless fables, fairy tales, myths and legends, of acquisitiveness overpowering caution.
Does this mean the supervisors in question shouldn't faulted for being human?  Actually every employee manual should provide instructions on what to do if you find a mysterious lamp in the parking garage.  Take it to a homeless shelter or a destitute widow; under no circumstances bring it into the office and say let's see what happens if we shake it.

If it wasn't in the manual, then technically the NSA human resources department is to blame for the whole thing. However, there was something else at work in addition to a magic lamp, something that would raise an eyebrow among those who constantly scan the horizon for Signs and Portents -- these types the least likely to read Forbes, this writer being an exception. Go over the NSA employee's account with a fine comb and you will note an astounding run of accidental incidents, convergences of events and coincidences,  a run that couldn't be replicated in a million years.

Here I'm reminded of a saying at NSA:  "In God we trust. All others we surveil."

Ah, but the question is whether God trusts NSA.

From that viewpoint, and considering the incredible and one might even say mysterious run of luck at Edward Snowden's back, I don't think his supervisors at the NSA Hawaii branch office should continue to beat themselves up for being fools.  There are times when the play's the thing and the best the players can do is avoid bumping into the stage sets.  If what happened at the Hawaii branch was one of those times, then Snowden was himself pointed to his chalk marks on the stage.
This said, and before I leave the topic of magic lamps, I think I can add to the lore on genies that the NSA Hawaii branch collected.  There are, according to the Quran, good genies and bad genies -- or jinn or djinn, as they're called in Arabic. But all the lore about genies, which predates the religion of the Mohammedans and even the Old Testament, agrees that they are very powerful. How, then, did genies get associated with a humble household lamp?  Why not a symbol of great worldly or supernatural power?
The answer is lost in the mists of prehistory, and Wikipedia is silent on the question. But we can always fall back on the little gray cells in the attempt to solve a mystery.  I'd guess genies are associated with a lamp because they are bringers of light.
The debate about whether Edward Snowden is a hero or traitor obscures the fact that his theft of NSA files was designed as a teaching mission.  Glenn Greenwald told Buzzfeed that the NSA files Snowden gave him were organized to an astonishing degree -- "almost scary."  Greenwald had been expecting to receive the kind of mess that Bradley Manning dumped on Wikileaks, which in turn dumped the mess on newspaper reporters, which after a passing attempt at organizing the huge of cache of files, dumped the hideous tangle of data on the public.
That is just why the incident blew over so quickly; the only people who could understand the implications of the massive dump of leaked files were hackers, and others who were very knowledgeable about highly technical IT matters. The public continued to remain in the dark.
It is actually Julian Assange, not Snowden, who sounded the alarm, as you can learn from the Wikipedia article about him. As early as 1998 he discovered patents that NSA was taking out, patents that spelled doom for human freedom.  Yet for all his technical skill with computers and intellectual brilliance, Assange couldn't communicate the implications of his discovery to the general public. Many others in the IT field also tried and failed. It would require the gifts of a teacher, an extraordinary teacher, one who could break down highly abstract concepts in such a way that all adults could understand, no matter what their level of knowledge about computer matters.

Snowden is just that teacher.  The way in which he presented the data was carefully designed to illustrate specific principles. And the stepwise sequence of leaks he arranged was in the manner of course work. This was so the journalists he chose to publish the NSA documents, and the general public, could absorb and understand the very complicated issues informing the technical aspects of NSA surveillance.
This doesn't mean he didn't copy data that could be very destructive to U.S. national security if released to the public.  The current estimate of defense officials is that the NSA data he copied only represent about 10 percent of the files at other defense agencies that he at least viewed if not copied. I wouldn't be surprised if he worked a kind of nuclear option into all the files he copied in case his teaching mission was cut short by his assassination or arrest. But his intent is clearly not to destroy; everything he's done is to bring light to where the darkness of great ignorance exists. In this he's been successful, and on a world scale.

And so when all is said and done, the NSA Hawaii branch office's blinkered belief in genies might be vindicated.  Maybe in the original meaning of the term Ed Snowden is indeed a genie, a real genie, a specially gifted teacher.

The NSA Department and the Stovepipe

Snowden maintains that his alerts and complaints were ignored by his superiors at NSA. Yet he also claims that the reactions of NSA employees he spoke to about his discoveries ranged from "greatly concerned" to "appalled" that NSA had very greatly exceeded its mandate.(3)

How could that be?  How could NSA employees be unaware of the extent of their own organization's surveillance?

The answer is that it's perfectly possible; indeed, it's standard practice in a large bureaucracy set up along military lines (or quasi-military lines) for only the top echelon to be aware in any detail of how the organization's many pieces fit together.
All such bureaucracies depend on something termed "stovepiping" of information gathered from within the organization; this in order to control knowledge of the big picture from within the organization.  From Wikipedia's discussion of a stovepipe organization:
A stovepipe organization is one where the structure of the organisation largely or entirely restricts the flow of information within the organisation to up-down through lines of control but inhibits or prevents cross organisational communication.
Another way to describe stovepiping is to say that it's an internalized form of guerrilla cell organization, where each cell is unaware of the activity of the other cells in the organization.  So it's very likely that the majority of NSA's employees were as surprised as the public about the big picture that Snowden's revelations painted.(4)

Stovepiping has many critics, as the Wikipedia article explains, and it contributes to the oligarchic aspect of bureaucratic organizations that Robert Michels decried in his dictum "Who says organization says oligarchy."  (See the Pundita post, The Devil and Departmentalization.)

The defenders of stovepiping argue that it's necessary for command and control in an organization, such as the military, which must keep many secrets. This argument goes out the window in an era when a bureaucracy such as NSA is opened up to hordes of outsiders.

From Ross Slutsky's The NSA’s Contractor Problem (VOA News blog, August 16, 2013):
In his book on the NSA, The Shadow Factory, intelligence journalist James Bamford claims that the size and scale of the NSA workforce exploded after 9/11.  “With the billions pouring in, [then-NSA director Michael Hayden] launched the largest recruiting drive in the agency’s history,” writes Bamford. “By 2008, 40 percent of the NSA’s workforce had been hired since 2001.” 
“At the same time Hayden was building his empire within Fort Meade, he was also creating a shadow NSA: of the $60 billion going to the intelligence community, most of it -- about $42 billion, an enormous 70 percent -- was going to outside contractors,” says Bamford.
James Bamford is not the only one to have made such claims about the size of the temp workforce in the U.S. intelligence community.  Angela Canterbury, Director of Public Policy, Project On Government Oversight, noted last year that there are "millions of contractors inside the nation's intelligence agencies," although to be precise she was also referring to subcontractors; i.e., employees of contracting firms.

And it's not only the IC that's overwhelmed by this tide of temp workers; the contracting firms, the ones that do high volume business with the U.S. government, haven't been able to keep up with vetting all the temps they employ.

Despite this, Congress and U.S. government and its advisers  -- and the intelligence agencies -- are playing ostrich.  I hesitated to quote from this November 7 Reuters report because its headliner claim (Exclusive: Snowden persuaded other NSA workers to give up passwords - sources) was disputed, not only by Ed Snowden but also by the NSA staffer who spoke to Andy Greenberg; indeed, a major reason the staffer risked being fired for speaking out was to dispute the claim.  However, there's much of interest in the report, especially this jaw dropper:
"In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy," said Steven Aftergood, a secrecy expert with the Federation of American Scientists. "What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable," he added.
With all respect to security experts at the federation they need to pay more attention to the present era.  Who has time to polygraph hordes of temps if nobody even has time to do adequate background checks?

There is no more 'insider outsider' distinction in U.S. government.  Yet there are enough people in government who want to believe there's still an "inside" that they go to lengths to keep up the pretense.
The situation provides a sound basis for the dispute that hactivists such as Julian Assange have with overweening attempts at secrecy in government.  The reasoning informing the attempts is outdated; it doesn't account for the fact that the rationale for cells, for stovepiping, collapses when the organization controlling the cells becomes a makeshift superhighway for outsiders.

Moreover, attempts to monitor traffic on the superhighway have led to over-classification of information as "secret" and to draconian nondisclosure agreements -- both of which discourage and also quash complaints from the people best positioned to warn about trouble in their department.

The outcome is that while the superhighway transports "inside" information about the organization to the "outside," stovepiping keeps many of employees in the dark about what's happening in their own organization!

1)  From the account provided to Andy Greenberg:
As further evidence that Snowden didn’t hijack his colleagues’ accounts for his leak, the NSA staffer points to an occasion when Snowden was given a manager’s password so that he could cover for him while he was on vacation. Even then, investigators found no evidence Snowden had misused that staffer’s privileges, and the source says nothing he could have uniquely accessed from the account has shown up in news reports.
The manager and the unnamed employee mentioned in the tale of the purloined password -- the February 10 NSA memo to a congressional oversight committee --  are the same person. As to how I can be sure of this, because if NSA could have scared up two employees who'd shared their password with Snowden, there would have been two sacrificial goats to haul to Capitol Hill, not one.

2) Security was so lax at NSA that it wouldn't be surprising if the agency had been hit repeatedly by industrial spies and even spies for foreign defense agencies. Snowden himself warned NSA that it was rife with security lapses that weren't being addressed, as the NSA staffer's account indicates.  As to the claim that security was tighter at NSA headquarters:  After Bradley Manning stole a huge cache of files the U.S. military instituted the "two-man rule" to ward against the unauthorized removal of computer files. Snowden claims that he recommended in 2009 that NSA institute the same rule, which is that two system administrators must be present when one accesses certain sensitive information. What's in the public record about Snowden's security warnings tends to support his claim. In any case NSA, its headquarters as well as branch offices, didn't even take this simple, nontechnical security measure until after Snowden struck.

3) From Wikipedia's article on Edward Snowden (see the webpage for links to the source notes): 
Using 'internal channels of dissent', Snowden said that he told multiple employees and two supervisors about his concerns. An NSA spokesperson responded, saying they had "not found any evidence to support Mr. Snowden's contention that he brought these matters to anyone's attention".(81)  Snowden elaborated in January 2014, saying "[I] made tremendous efforts to report these programs to co-workers, supervisors, and anyone with the proper clearance who would listen. The reactions of those I told about the scale of the constitutional violations ranged from deeply concerned to appalled, but no one was willing to risk their jobs, families, and possibly even freedom to go to through what [NSA whistleblower Thomas Drake] did." (79)
4)  Stovepiping might have been the key factor in Edward Snowden receiving an invisibility cloak from the next 'department' he worked for at NSA (Threat Operation Center, also at the Hawaii branch), after he switched employers from Dell to Booz Allen Hamilton.  While it's unlikely that a discussion of genie behavior would have figured in his performance review after he completed the special project, a free exchange of information about Snowden between the first and second departments would have raised a red flag for his new supervisors. No flag was raised:
"My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked," Snowden told the South China Morning Post, adding that this was exactly why he'd accepted it. He was one of around 1,000 NSA "sysadmins" allowed to look at many parts of this system. (Other users with top-secret clearance weren't allowed to see all classified files.) He could open a file without leaving an electronic trace. He was, in the words of one intelligence source, a "ghost user", able to haunt the agency's hallowed places.
This meant it wasn't possible for investigators to track which files he accessed or copied after he received the invisibility cloak!  This in turn means the outdated security software at the Hawaii branch wasn't the only factor in limiting the investigations.  It seems the only way the FBI and other investigators could hope to get an idea of what files he accessed while he wore the invisibility cloak was by reading the newspapers.

No comments: