When Edward Snowden stole the crown jewels of the National Security Agency, he didn’t need to use any sophisticated devices or software or go around any computer firewall.
All he needed, said multiple intelligence community sources, was a few thumb drives and the willingness to exploit a gaping hole in an antiquated security system to rummage at will through the NSA’s servers and take 20,000 documents without leaving a trace.
“It’s 2013 and the NSA is stuck in 2003 technology,” said an intelligence official.
Jason Healey, a former cyber-security official in the Bush Administration, said the Defense Department and the NSA have “frittered away years” trying to catch up to the security technology and practices used in private industry. “The DoD and especially NSA are known for awesome cyber security, but this seems somewhat misplaced,” said Healey, now a cyber expert at the Atlantic Council. “They are great at some sophisticated tasks but oddly bad at many of the simplest.”
As a Honolulu-based employee of Booz Allen Hamilton doing contract work for the NSA, Snowden had access to the NSA servers via "thin client" computer. The outdated set-up meant that he had direct access to the NSA servers at headquarters in Ft. Meade, Md., 5,000 miles away.
In a “thin client” system, each remote computer is essentially a glorified monitor, with most of the computing power in the central server. The individual computers tend to be assigned to specific individuals, and access for most users can be limited to specific types of files based on a user profile.
But Snowden was not most users. A typical NSA worker has a “top secret” security clearance, which gives access to most, but not all, classified information. Snowden also had the enhanced privileges of a “system administrator.” The NSA, which has as many as 40,000 employees, has 1,000 system administrators, most of them contractors.
As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.
He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.
If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.
The “thin client” system and system administrator job description also provided Snowden with a possible cover for using thumb drives.
The system is intentionally closed off from the outside world, and most users are not allowed to remove information from the server and copy it onto any kind of storage device. This physical isolation – which creates a so-called “air gap" between the NSA intranet and the public internet -- is supposed to ensure that classified information is not taken off premises.
But a system administrator has the right to copy, to take information from one computer and move it to another. If his supervisor had caught him downloading files, Snowden could, for example, have claimed he was using a thumb drive to move information to correct a corrupted user profile.
“He was an authorized air gap,” said an intelligence official.
Finally, Snowden’s physical location worked to his advantage. In a contractor’s office 5,000 miles and six time zones from headquarters, he was free from prying eyes. Much of his workday occurred after the masses at Ft. Meade had already gone home for dinner. Had he been in Maryland, someone who couldn’t audit his activities electronically still might have noticed his use of thumb drives.
It’s not yet certain when Snowden began exploiting the gaps in NSA security. Snowden worked for Booz Allen Hamilton for less than three months, and says he took the job in order to have access to documents. But he may have begun taking documents many months before that, while working with the NSA via a different firm. According to Reuters, U.S. officials said he downloaded documents in April 2012, while working for Dell.
Snowden is thought to have made his initial attempt to offer documents to the media in late 2012, while at Dell. According to published accounts, he tried to contact Guardian journalist Glenn Greenwald in December and started talking to filmmaker Laura Poitras in January.
He began working for Booz Allen in March. In May, he told his supervisor he needed to take time off to deal with a health issue, and then flew to Hong Kong, where he met with Poitras and Greenwald, on May 20. He later told the Guardian that he was downloading documents on his last day at work. The revelations based on his documents started appearing in the Guardian and the Washington Post within weeks.
Snowden is currently living in Russia, where he’s been granted temporary asylum. The U.S. government has charged him with theft and violations of the Espionage Act.
U.S. intelligence officials said recently that they plan to significantly reduce the number of individuals with system administrator privileges.
“U.S. intelligence has invited so many people into the secret realm,” said an intelligence official. “There are potentially tons of Edward Snowdens. But most people aren’t willing to vacuum everything up and break the law.”
The NSA did not immediately respond to a request for comment.
Richard Esposito is the Senior Executive Producer for Investigations at NBC News. Matthew Cole is an investigative reporter at NBC News. He can be reached at firstname.lastname@example.org.
More from NBC News Investigations:
- US doesn't know what Snowden took, sources say
- Glenn Greenwald's partner detained by British security
- Lavabit.com owner: 'I could be arrested' for resisting surveillance order