Jun 13, 2013

    US security's weak link: IT guy

    IN THE vast, secretive world of United States intelligence - a realm of clandestine agents, voracious supercomputers and eagle-eyed satellites - the IT guy was the weakest link.

    That vulnerability has been exposed in the past week by revelations that Mr Edward Snowden, a 29-year-old contract worker at the National Security Agency, disclosed a secret court order and other classified information to two newspapers.

    The US authorities are now looking into how a low-level IT contractor managed to get hold of top-secret documents that are usually accessible to only a small number of insiders, experts say.

    Mr Snowden's bombshell leaks about National Security Agency spying included an order from the Foreign Intelligence Surveillance Court, which has kept its documents secret for more than three decades.

    "It's extraordinarily closely held," said Dr Robert Deitz, who served as general counsel for the National Security Agency and the Central Intelligence Agency.

    Fewer than 100 people likely would have permission to see such an order, said Dr Deitz, a professor of public policy at George Mason University.

    "Why is he gaining access to the crown jewels?" he said of Mr Snowden, who has no university degree or extensive intelligence training.

    The wide range of information Mr Snowden exposed, which covered separate programmes, raised the possibility he may have exceeded his authorised access to get his hands on the secret files, former officials said.

    He was not an intelligence analyst and "he was supposed to be maintaining the network, but he was possibly looking at the traffic", said Mr James Lewis, a former US official specialising in cybersecurity.

    The latest leak inevitably will bring a thorough review of internal cybersecurity at the spy agencies and of how employees, particularly contractors, are vetted and screened.

    While top-secret data is protected by high-level security clearances and hidden in a maze of "compartments", it is not unusual for low-level systems administrators such as Mr Snowden to have access to multiple databases, said Mr Dale Meyerrose, a former chief information officer for US intelligence agencies.

    He said: "Systems administrators typically have unfettered access within the system they operate."

    Mr Snowden's disclosure of programmes to collect Internet and telephone data has raised questions about the extent to which the technicians who run classified government and corporate networks can rummage through them and elude security measures.

    While classified systems use measures including keystroke monitoring to prevent unauthorised access to information, a network administrator can write rules to get around such safeguards, Mr Meyerrose said.

    He added that he does not know whether that was what Mr Snowden did.

    Increasingly, systems managers are the people "who are the holders of the keys", said Mr Harvey Rishikof, a former senior adviser to the national counter-intelligence executive branch.

    Mr Meyerrose said: "This is a human-security problem. This is not a systems-technology problem."