On June 17, Chris Inglis, the deputy director of the National Security Agency, and Lonny Anderson, the agency's director of technology, went to the White House to brief officials on one of the biggest leaks of classified information in U.S. history. Eight days earlier, a former NSA contractor named Edward Snowden had publicly identified himself as the source of the leaks, which by that point had revealed some of the most secretive and controversial collection programs in the agency -- and more revelations were certainly to come.
White House officials asked Anderson, who manages the agency's computer networks, point blank: "Is there another Snowden?"
"I don't know," Anderson replied. As he recalled months later, "That wasn't the answer they were hoping to hear."
It was a frightening conclusion, but a logical one. That's because, contrary to much of what's been reported about Snowden's work at the NSA, it wasn't his position as a systems administrator and the broad access to networks and databases that came with it that allowed him to steal so many secrets. Rather, Anderson said, "the lion's share" of the information Snowden obtained was available to him because of his top-secret security clearance -- TS/SCI -- which allowed him to access so-called sensitive compartmented information.
That's an important distinction, because it means any number of the thousands of people at the NSA with the same clearance level could have done what Snowden did -- not just the smaller number of systems administrators, who have a kind of "super user" access that isn't granted to all other employees. That helps explain why Anderson couldn't tell the White House that there were no more Snowdens. Theoretically, there could have been thousands of them.
Anderson, who's part of the NSA's senior leadership team, is one of the few officials who knows what Snowden took, how he took it, and whether another individual could disclose the same amount of information. In a recent interview with the Lawfare blog, which will be aired on Wednesday as part of a podcast series, he offered fresh details about how Snowden made off with so many secrets, and how the NSA is dealing with the fallout.
The agency has greatly expanded the number of people with those high-level clearances in order to encourage employees to share information. Anderson said that 70 percent of NSA's current workforce joined after the Sept. 11 attacks, when it became the official policy of the intelligence community to expand access to secrets.
When it came time to remove NSA documents, "[Snowden's] tactics, techniques and procedures were pretty simple," Anderson said. One of Snowden's jobs was to move documents from one part of the NSA network to another, where they were to be "tagged," making it easier to keep track of who was reading the documents and sharing them. Ironically, this tagging process, which had been underway for some time, was done in part to know if personnel were improperly accessing or copying documents from the NSA networks.
"He set up a process that allowed him repeatedly to pull data off the system using his job to move data from one environment to another," Anderson said. Snowden was using his job as a "cover for action."
The NSA wasn't clueless about what Snowden was doing, but apparently no one knew his motivations. "He was not a ghost. It's not like he was so stealthy that we didn't see his activities. But it was part of his job description" to move the documents from one place to another, Anderson said.
He added, "Where I think we were negligent -- if we were negligent -- where we were is that we allowed him some form of anonymity as he did that. Someone wasn't watching all of that. So the lesson learned for us is that you've got to remove anonymity from the network." Eventually, Anderson said, everyone on NSA's internal networks will be tracked. "Nobody on the network, from the director on down...can do anything on the network that's not observed," he said, a description that seems at odds with NSA's reputation for being able to track other people's movements.
In cases where Snowden did use his systems administrator privilege to obtain information, it was "to get access to some data that he normally wouldn't have been able to see," Anderson said. He made clear that this was a small portion of what Snowden ultimately took. But it points to another breakdown in the NSA's internal controls, and it's another reason why the agency has slashed the number of people with that kind of "privileged access" to the networks -- by 30 percent, Anderson said.
What Snowden could do as a systems administrator, as opposed to an employee without those privileges, was to "exfiltrate," or remove data from the NSA networks, Anderson said. "That, a normal user would not have been able to do." He acknowledged that the NSA's information control regime is not currently designed to alert officials when documents are being removed by a systems administrator. That's going to change, Anderson said. In the future, individuals will also be locked out of the networks if they remove data without authorization.
Anderson objected to some of Snowden's more alarming assertions about what else he was able to do while working at the secretive intelligence agency, namely that he had the ability to order up wiretaps on individual citizens, including President Obama.
"He couldn't have," Anderson said. Snowden didn't access raw signals intelligence -- the phone calls or e-mails that the NSA collects -- but rather documents about NSA programs and policies, Anderson explained.
Despite the shock to the system that Snowden created inside NSA, Anderson said that the agency will not revert to its earlier policies of more strictly limiting information. "We can't go back to pre-9/11 'need to know,'" unless "it's broader than what it was," Anderson said. Somewhere between restricting access to information to only a few people, and making it available to thousands, the NSA is going to have to find its sweet spot.
"Our whole approach has been, this happened, and now we're going to fix it," Anderson said.
Anderson said that employees at an NSA facility in Hawaii where Snowden worked and copied the secret documents "are particularly hard hit" by the revelations. "He sat next to them. They helped him become a better systems administrator. They helped him write script. They helped him learn how to use the tools that he used against us... because they thought he was one of them."
Anderson's message to the Hawaii employees reflects the broader reaction at the NSA to one of the most damaging security breaches in history: It could have happened to anyone. "Snowden could have happened anywhere," he told them. "He could have happened here. He could have happened at any other place at NSA. He could have happened at any place in the [intelligence community]. And he could have happened in any place across the government."
That remains to be seen. The NSA is still in the midst of an investigation into Snowden's leaks, led by Richard Ledgett, who's likely to become the next deputy director of the agency, replacing Chris Inglis, according to sources with knowledge of the matter. What recommendations for action he makes may have a lot to do with just how scathing a forthcoming report by a presidential review panel is about NSA's internal security. Reportedly, the panel has recommended "dozens of changes to structure, transparency and internal security."
NSA employees may be dusting themselves off after Snowden's leaks. But a house cleaning could also be in their future.