On Thursday, U.S. intelligence sources told NBC News that Edward Snowden used his position as a system administrator for the NSA to impersonate the electronic identities of top agency officials, which he used to gain access to 20,000 classified government documents.
"This is why you don't hire brilliant people for jobs like this," the official told NBC News. "You hire smart people. Brilliant people get you in trouble."
Snowden might be brilliant, but he also had another thing going for him: He was, as Slate's Farhad Manjoo once put it, "the IT guy."
As an employee hired by contractor Booz Allen Hamilton, Snowden only had "top secret" access, which left the most sensitive NSA documents out of reach. But Snowden reportedly solved that problem by creating and modifying profiles for employees who had more access than he did.
The sysadmin rarely draws attention — you probably don't know the name of your company's sysadmin — but he or she knows everything and sees everything. The sysadmin is in charge of setting account permissions, creating and deleting accounts, and routing information to the correct people and places. If a corporation is a giant organism, the sysadmin is the cerebrum — the part that allows the rest to move. [New York]
As anyone who has let a systems administrator remotely take over his computer knows, it's perfectly customary for Snowden types to don the identity of another user. As journalist Joshua Foust argued on Twitter:
This isn't "brilliance," it's common. SysAdmins routinely impersonate network users for testing purposes. Sigh.
— joshuafoust (@joshuafoust) August 29, 2013
Once Snowden had access to sensitive documents, his position as a system administrator allowed him to do what other NSA employees couldn't — download files onto an external hard drive, in Snowden's case multiple thumb drives that he then took to Hong Kong.
As ZDNet's Larry Seltzer notes, with only two levels of "security access, 'Top Secret' and 'Unfettered', it's surprising that a Snowden-like leak didn't happen long ago."
The intelligent way to manage such a system is to have a multi-level hierarchy of administration, limiting the access of the vast bulk of administrators to documents and systems for which they have a legitimate need. The higher up the hierarchy you go, the more access an administrator would have, and the more closely security personnel could scrutinize their moves. [ZDNet]
It also didn't help that the "NSA is stuck in 2003 technology," as an intelligence official told NBC News.
Now the NSA is trying to deal with the aftermath, which includes trying to find out which officials Snowden impersonated, cutting 90 percent of its system administrators, and replacing them with computers.