The Complex

NSA’s Top Geek: ‘I Don’t Know’ If There’s Another Snowden

On June 17, Chris Inglis, the deputy director of the National Security Agency, and Lonny Anderson, the agency's director of technology, went to the White House to brief officials on one of the biggest leaks of classified information in U.S. history. Eight days earlier, a former NSA contractor named Edward Snowden had publicly identified himself as the source of the leaks, which by that point had revealed some of the most secretive and controversial collection programs in the agency -- and more revelations were certainly to come.

White House officials asked Anderson, who manages the agency's computer networks, point blank: "Is there another Snowden?"

"I don't know," Anderson replied. As he recalled months later, "That wasn't the answer they were hoping to hear."

It was a frightening conclusion, but a logical one. That's because, contrary to much of what's been reported about Snowden's work at the NSA, it wasn't his position as a systems administrator and the broad access to networks and databases that came with it that allowed him to steal so many secrets. Rather, Anderson said, "the lion's share" of the information Snowden obtained was available to him because of his top-secret security clearance -- TS/SCI -- which allowed him to access so-called sensitive compartmented information.

That's an important distinction, because it means any number of the thousands of people at the NSA with the same clearance level could have done what Snowden did -- not just the smaller number of systems administrators, who have a kind of "super user" access that isn't granted to all other employees. That helps explain why Anderson couldn't tell the White House that there were no more Snowdens. Theoretically, there could have been thousands of them.

Anderson, who's part of the NSA's senior leadership team, is one of the few officials who knows what Snowden took, how he took it, and whether another individual could disclose the same amount of information. In a recent interview with the Lawfare blog, which will be aired on Wednesday as part of a podcast series, he offered fresh details about how Snowden made off with so many secrets, and how the NSA is dealing with the fallout.

The agency has greatly expanded the number of people with those high-level clearances in order to encourage employees to share information. Anderson said that 70 percent of NSA's current workforce joined after the Sept. 11 attacks, when it became the official policy of the intelligence community to expand access to secrets.

When it came time to remove NSA documents, "[Snowden's] tactics, techniques and procedures were pretty simple," Anderson said. One of Snowden's jobs was to move documents from one part of the NSA network to another, where they were to be "tagged," making it easier to keep track of who was reading the documents and sharing them. Ironically, this tagging process, which had been underway for some time, was done in part to know if personnel were improperly accessing or copying documents from the NSA networks.

"He set up a process that allowed him repeatedly to pull data off the system using his job to move data from one environment to another," Anderson said, using his job as a "cover for action."

The NSA wasn't clueless about what Snowden was doing, but apparently no one knew his motivations. "He was not a ghost. It's not like he was so stealthy that we didn't see his activities. But it was part of his job description" to move the documents from one place to another, Anderson said.

He added, "Where I think we were negligent -- if we were negligent -- where we were is that we allowed him some form of anonymity as he did that. Someone wasn't watching all of that. So the lesson learned for us is that you've got to remove anonymity from the network." Eventually, Anderson said, everyone on NSA's internal networks will be tracked. "Nobody on the network, from the director on down...can do anything on the network that's not observed," he said, a description that seems at odds with NSA's reputation for being able to track other people's movements.

In cases where Snowden did use his systems administrator privilege to obtain information, it was "to get access to some data that he normally wouldn't have been able to see," Anderson said. He made clear that this was a small portion of what Snowden ultimately took. But it points to another breakdown in the NSA's internal controls, and it's another reason why the agency has slashed the number of people with that kind of "privileged access" to the networks -- by 30 percent, Anderson said.

What Snowden could do as a systems administrator, as opposed to an employee without those privileges, was to "exfiltrate," or remove data from the NSA networks, Anderson said. "That, a normal user would not have been able to do." He acknowledged that the NSA's information control regime is not currently designed to alert officials when documents are being removed by a systems administrator. That's going to change, Anderson said. In the future, individuals will also be locked out of the networks if they remove data without authorization.

Anderson objected to some of Snowden's more alarming assertions about what else he was able to do while working at the secretive intelligence agency, namely that he had the ability to order up wiretaps on individual citizens, including President Obama.

"He couldn't have," Anderson said. Snowden didn't access raw signals intelligence -- the phone calls or e-mails that the NSA collects -- but rather documents about NSA programs and policies, Anderson explained.

Despite the shock to the system that Snowden created inside NSA, Anderson said that the agency will not revert to its earlier policies of more strictly limiting information. "We can't go back to pre 9/11 'need to know,'" unless "it's broader than what it was," Anderson said. Somewhere between restricting access to information to only a few people, and making it available to thousands, the NSA is going to have to find its sweet spot.

"Our whole approach has been, this happened, and now we're going to fix it," Anderson said.

Anderson said that employees at an NSA facility in Hawaii where Snowden worked and copied the secret documents "are particularly hard hit" by the revelations. "He sat next to them. They helped him become a better systems administrator. They helped him write script. They helped him learn how to use the tools that he used against us... because they thought he was one of them."

Anderson's message to the Hawaii employees reflects the broader reaction at the NSA to one of the most damaging security breaches in history: It could have happened to anyone. "Snowden could have happened anywhere," he told them. "He could have happened here. He could have happened at any other place at NSA. He could have happened at any place in the [intelligence community]. And he could have happened in any place across the government."

That remains to be seen. The NSA is still in the midst of an investigation into Snowden's leaks, led by Richard Ledgett, who's likely to become the next deputy director of the agency, replacing Chris Inglis, according to sources with knowledge of the matter. What recommendations for action he makes may have a lot to do with just how scathing a forthcoming report by a presidential review panel is about NSA's internal security. Reportedly, the panel has recommended "dozens of changes to structure, transparency and internal security."

NSA employees may be dusting themselves off after Snowden's leaks. But a house cleaning could also be in their future.

Army Wants New High-Tech Gear for Tunnel Warfare

For more than a decade, the United States has targeted insurgents from the sky with increasingly advanced drones, launching air strikes in Iraq, Afghanistan, Pakistan, Yemen and other volatile countries. But the practice may be contributing to a new trend: foreign militaries and insurgents are using tunnels and other underground networks more and more to hide and gain a tactical advantage -- and that increases the likelihood that U.S. forces will face them below ground in the future.

The U.S. Army just issued a warning about tunnel warfare as part of a new effort seeking high-tech robotics, communications gear and other equipment. Army officials requested industry's help on Thursday, saying "the growing use of tunnels and underground facilities by military and irregular forces to gain a tactical advantage is becoming more sophisticated and increasingly effective, making the likelihood of U.S. Forces encountering military-purposed subterranean structures on future battlefields high."

The Army did not identify any specific country in which it expects tunnel warfare will occur, but said the Middle East is full of ancient and modern underground systems that can be used by enemy forces. Examples include Syria, where rebels have used them extensively; Iraq, where they are rumored to stretch for miles; and Egypt, where the military flooded many of them with sewage earlier this year, before President Mohamed Morsi was removed from power.

Tunnel networks stretch well beyond the Middle East, however. In southern Afghanistan, Taliban fighters have used them to hide weapons and to disappear after ambushing U.S. forces. In South Korea, military officials fear their North Korean counterparts have dug a series of deep tunnels that will allow them to launch a fierce invasion of their U.S.-aligned neighbor. And in Mexico, tunnels have been dug underneath the country's border with the United States to smuggle in massive quantities of cocaine and marijuana.

Historically, tunnel warfare also played a prominent role in World War II, where U.S. forces fought Japanese troops who were deeply entrenched in bunkers connected by a series of tunnels on Pacific islands like Iwo Jima. U.S. troops used flame throwers, small arms and grenades to root them out, but the Japanese were frequently able to sneak back into areas that had been cleared through tunnels the Americans did not know existed.

Army officials said in the notice to industry that the service needs not only specialized equipment for underground combat operations, but also personnel with specialized training in them. Some of the equipment it says it needs for tunnel warfare comes into play in just about any combat environment -- ballistic shields, for example. Other needs are specific to life underground, however. For example, the service is interested in equipment that can map out underground environments, even when a GPS signal is not available, and radios that work underground.

The Army also asked for information about breaching gear that can cut or blow holes into new walls, breathing devices for when oxygen is scarce, and gear that will allow soldiers to see in the dark. The latter could include light sources, thermal imaging devices, or items that can create light after being thrown. The Army asked private companies to submit white papers outlining their suggestions, and suggested it would begin hosting demonstrations for the effort as soon as February.