NSA Implementing Fix To Prevent Snowden-Like Security Breach
RENEE MONTAGNE, HOST:
This is MORNING EDITION from NPR News. I'm Renee Montagne.
STEVE INSKEEP, HOST:
And I'm Steve Inskeep. It's been a little bit more than a year since the National Security Agency learned it had been had. Edward Snowden, the disgruntled former NSA contractor snatched many documents detailing many of the agency's classified programs. NPR's David Welna recently met with the NSA's top technology official and asked, could it happen again?
DAVID WELNA, BYLINE: One person above everyone else at the NSA is in charge of securing the eavesdropping agency's digitized secrets. He's Chief Information Officer Lonny Anderson. He's the one who got called on the carpet last year a dozen days after the world learned of Edward Snowden's heist.
LONNY ANDERSON: White House asked me on 17 June - do you have another Snowden? I answered as honestly as I could - I didn't know. I learned within seconds of saying that, that wasn't the answer they were looking for.
WELNA: The answer the White House wanted was no. Anderson says General Keith Alexander, who, at the time, was the NSA's director offered some advice.
ANDERSON: The director's guidance to me, Lonny, is lock it down. Figure it out, and lock it down.
WELNA: I meet with Anderson in the black tinted glass office block that's NSA's headquarters Washington, D.C. He tells me what he sees as the root of the agency's problem. Edward Snowden was actually authorized access to top-secret documents he took.
ANDERSON: He didn't breach. He didn't hack. His job was to move documents from a TS-high environment to a TS and additional authorization high document.
WELNA: TS means top secret.
ANDERSON: And that's what he did, and along the way, he decided that he would not only do that, but he would make a copy for himself.
WELNA: But a former insider says Snowden's security breach could have been prevented. Bill Binney was considered one of the NSA's most brilliant crypto mathematicians ever. He quit the agency 13 years ago, disgusted by what he calls it's disregard for American's right to privacy. As a technical director there, Binney says he developed an internal security program to monitor every keystroke made on NSA computers.
BILL BINNEY: The reason that Snowden was able to do what he did do is because NSA never accepted our proposal do that program in '92, '93. If they did, as Snowden downloaded it, we would've picked him out right away.
WELNA: The reason the NSA rejected his internal security program recess, Binney says, is it was considered far too intrusive.
BINNEY: They said, I don't want you monitoring me when I'm analyzing this data. You just go away. I'll do my job, you know. OK. We don't want that kind of big brother watching us.
WELNA: Spies didn't want to be spied on.
WELNA: The NSA has come up with a different fix to prevent another security breach like Snowden's. Anderson, the technology director, says once it's in place, a lone wolf at the agency would no longer to be able to act alone, as Snowden did, to access and remove documents.
ANDERSON: The process we're moving to - we're not completely there yet - is physically badge in with someone else. If you want access to a rack of equipment, you'll have to unlock that. Someone else will have to issue you that key. If you then want to change operating software, someone else you'll have to call. So it's not you and me. It's a series of two different people.
BINNEY: This is a crazy way to do it.
WELNA: That's former NSA technical director Binney's take on the plan requiring two persons to access a classified document. What the agency really needs for internal security, Binney says, is a computer program that, unlike humans, won't fall asleep or need a bathroom break.
BINNEY: What they try to do is plug really big complicated problems with people, and people just aren't good enough to do it.
WELNA: The NSA's Anderson concedes his agency simply does not have the resources for people to continuously monitor one another.
ANDERSON: We'd bring the agency to its knees if we tried to do that.
WELNA: Anderson insists that even if Bill Binney's keystroke monitoring program had been adopted, it would not have prevented the Snowden security breach.
ANDERSON: Is there a silver bullet here? You know there's not. You're never going to be completely secure. A trusted insider with a lot of skills can do damage.
WELNA: Still, Anderson says he would have a better answer now to what the White House asked him a year ago. Do you have another Snowden?
ANDERSON: I can tell you today, we don't have another Snowden.
WELNA: You're certain about that?
ANDERSON: I'm certain we don't have someone trying to do what Snowden did.
WELNA: At least not in the way Snowden did it, Anderson says. But he adds that he worries all the time someone else inside could try something else. David Welna, NPR News, Washington.
INSKEEP: And a clarification - yesterday we refered to the Council on American-Islamic relations, or CAIR, as having quote, "ties to Hamas which the U.S. considers a terrorist group." We should have been more specific - CAIR was once named as an unindicted co-conspirator in the prosecution of a group that allegedly supported Hamas. CAIR has denied that accusation saying they were not charged with a crime. Transcript provided by NPR, Copyright NPR.