How a single IT tech could spy on the world

June 10, 2013, at 7:56 PM

One of NSA contractor Edward Snowden's more stunning claims is that a single individual has the ability to eavesdrop on anyone in the world, and that he could access and download information about all of the C.I.A's station chiefs and undercover case officers.

If true, it means that the system the NSA has built to connect analysts with the data it collects and distributes is both extremely powerful, well beyond what is publicly known, and also, at the same quite, brittle, if it can truly be subject to single-point failures.

I don't know if Snowden's claim is accurate. As a systems administrator, he certainly is entitled to the benefit of the doubt when it comes to an assessment of the NSA's internal information security.

The NSA has, in fact, built a separate, secret internet for signals intelligence, one that relies on fiber and satellite channels that are segregated almost completely from the plain old telephone system. Called NSANet, it allows analysts deployed almost anywhere to access virtually everything the NSA's extremely vast databanks contain. It has its own bridges, routers, systems, and gateways.

According to several current and former officials who've worked on NSANet, every keystroke is logged and subject to random audits. "Screengrabs" are prohibited. Documents can be printed with special facilities but that, too, leaves a record. As a mission support specialist, Snowden would have had access as part of his jobs to the physical servers and hard drives that contain material.

If he did not want to leave an audit trail, he might have disconnected a hard drive containing temporarily cached documents, brought them into an area that included desktops and hardware not cleared for such access, connected them, and then printed documents out. It is also possible that he disabled, under the guise of fixing something, access privileges for auditors. He could have temporarily escalated his own access privileges, although this would have raised flags among his superiors.

In theory, this would have alerted NISIRT, the NSA's Information Systems Incident Response Team, which maintains a 24/7 watch over the backend of NSANet. Operational branches, including Special Source Operations (domestic and compartmented collection programs), Global Access Operations (satellites and other international SIGINT platforms), and Tailored Access Operations (cyber) have their own NISIRT team.

The NSA wants to figure out how Snowden subverted the systems he was paid to administer. The agency's counter-intelligence squad, known as Q Force, has an insider threat Task Force that uses predictive analytics and audit sampling to try and discover analysts and (I presume) support personnel who might be on the verge of a breaking point.

On some technical matters, Snowden's proficiency can't be questioned. But some of his assertions about the intelligence community are difficult to square with reality.

Can/would the CIA actually render him clandestinely?

John Schindler, a former technical director for one of the NSA's largest foreign intelligence programs and also a counter-intelligence expert who is now a professor at the Naval War College, tweeted a response: "Lemme put this out there. If [the intelligence community] were really assassinating [its] own personnel, do you realize how many spooks would go Greenwald?"

Could he access the identities of every CIA case officer and chief of station?

Perhaps as a contractor for the CIA's Office of Security. The Chiefs of Stations are generally well-known within the CIA; case officer identities aren't, even though both jobs are undercover. And identifying actual spies -- the sources for case officers -- were not included by Snowden in the set of powers he says he had at his disposals.

Can he access anyone's email or bring down the entire U.S. SIGINT system in a day?

Intelligence community sources say no. But let's give Snowden the benefit of the doubt. It's hard to see how one person could introduce a virus into NSANet and wouldn't be detected. And again, if he were at the right computer at the right time, he could change his permissions to give himself a super-user status and make an email search query (assuming he knew the email and assuming the email was part of the collected dataset), but again, the probabilities of someone being able to do this without being detected are slim and designed to be vanishingly so.






Subscribe to the Week