The nation’s cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency’s inspector general released Wednesday.
Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren’t properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they’re qualified for the highest-level work they do, according to the overview.
Perhaps most striking, the agency has not properly implemented “two-person access controls” on its data centers and equipment rooms.
Former NSA Director Gen. Keith Alexander instituted the two-person access system after contractor Edward Snowden leaked reams of data about agency spy programs in 2013. The general idea is that no employee or contractor can access sensitive information unless another employee approves it.
Those information security weaknesses are described in the unclassified version of the NSA inspector general’s semiannual report to Congress. The inspector general previously only produced a classified version of the report.
The information security weaknesses above are all listed as “significant outstanding audit recommendations,” meaning they’re high priorities for the auditor and are all at least six months old.
As of March 31, NSA had 699 open inspector general recommendations, according to the report, 76 percent of which were overdue. It’s not clear how serious those recommendations are, and many likely do not deal with information security or technology.
The report focuses primarily on new audits conducted between Oct. 1, 2017, and March 31, 2018. One key conclusion from those audits is that the agency is routinely failing to gather all the necessary documentation before it authorizes a computer system to operate.