Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures

In the immediate aftermath of an NSA contractor springing numerous leaks back in 2013, the NSA vowed this would never happen again. It has happened again and it hasn't just been documents. It's also been software exploits, which contributed to a worldwide plague of ransomware.

The NSA was going to make sure no one could just walk out of work with thousands of sensitive documents. It laid out a plan to exercise greater control over access and fail safe procedures meant to keep free-spirited Snowdens in check. The NSA is the world's most powerful surveillance agency. It is also a sizable bureaucracy. Over the past half-decade, the NSA has talked tough about tighter internal controls. But talk is cheap -- at least labor-wise. Actual implementation takes dedication and commitment. The NSA just doesn't have that in it, according to a recent Inspector General's report.

The nation's cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency's inspector general released Wednesday.

Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren't properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they're qualified for the highest-level work they do, according to the overview.

The anti-Snowden efforts are a key failure on the NSA's part. The NSA stated it would implement two-person access control to limit the amassing of sensitive documents/software. This would insure that, if nothing else, the NSA could try to press conspiracy charges against leakers. That hasn't happened. Towards the end of the Inspector General's long list of NSA investigations and recommendations [PDF], the IG notes this key proposal -- offered by Keith Alexander when he was still running the agency -- has yet to implemented. This damning note lies alongside the jarring fact the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers market, it's inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

Those two points -- closely related to the NSA's ongoing presence in daily news -- are only a small part of the 699 open recommendations from the Inspector General the NSA has yet to fully address. It's not a good look for any government agency, much less one that's supposed to be at the forefront of technology and security.