The National Security Agency (NSA) is the font of information security wisdom for the US defense and intelligence communities. But apparently, the NSA’s own network security is so weak that a single administrator was able to hijack the credentials of a number of NSA employees with high-level security clearances and use them to download data from the agency’s internal networks. That administrator was Edward Snowden.
Under Department of Defense (DOD) Directive 8500.2, the director of the NSA, Gen. Keith Alexander, is tasked with approving all the cryptographic hardware and software used by the DOD. The NSA also provides “information assurance” and information system security engineering services to DOD branches and agencies. And along with the National Institute of Standards and Technology, the NSA maintains the master guide for DOD information security systems: the Information Assurance Technical Framework (IATF).
But in what appears to be a case of “do as I say, not as I do,” the NSA’s internal IT security schemes allowed Snowden, a contractor sysadmin, to pull off a classic insider attack on the agency. An investigation by NBC found that Snowden had used the digital identities of several upper-level NSA officials to log into NSAnet, the agency’s intranet—giving him access to data far beyond the needs of a lowly system administrator.