General Keith Alexander has tried to shore up support for the National Security Agency by claiming the activities of its employees are closely monitored and that there is "100 percent audibility," as if Americans need not worry about rogue actions by staffers. "The assumption is our people are just out there wheeling and dealing. Nothing could be further from the truth," he said of the agency he directs. "We have tremendous oversight over these programs. We can audit the actions of our people 100 percent, and we do that."
So how does he explain the latest news? A weekend story in the New York Times cites senior Obama Administration officials declaring that they may never know the full extent of what contractor Edward Snowden took before leaving the United States for Hong Kong.
"Investigators remain in the dark about the extent of the data breach partly because the N.S.A. facility in Hawaii where Mr. Snowden worked ... was not equipped with up-to-date software that allows the spy agency to monitor which corners of its vast computer landscape its employees are navigating at any given time," the newspaper reports. "Six months since the investigation began, officials said Mr. Snowden had further covered his tracks by logging into classified systems using the passwords of other security agency employees, as well as by hacking firewalls installed to limit access to certain parts of the system."
The story goes on to quote an NSA official by name:
Lonny Anderson, the N.S.A.’s chief technology officer, said in a recent interview that much of what Mr. Snowden took came from parts of the computer system open to anyone with a high-level clearance. And part of his job was to move large amounts of data between different parts of the system. But, Mr. Anderson said, Mr. Snowden’s activities were not closely monitored and did not set off warning signals.
“So the lesson learned for us is that you’ve got to remove anonymity” for those with access to classified systems, Mr. Anderson said during the interview with the Lawfare blog, part of a podcast series the website plans to run this week.
This Times story isn't the first indication that Alexander was misleading us with his "100 percent audibility" remarks. I noted Alexander's comments back in August, and quoted former Bush Administration official Jack Goldsmith:
How is the NSA Director Alexander’s claim that “we can audit the actions of our people 100%” (thus providing an important check against abuse) consistent with (a) stories long after Snowden’s initial revelations that the White House does not “know with certainty” what information Snowden pilfered, (b) reported NSA uncertainty weeks after the initial disclosure about what Snowden stole, (c) Alexander’s own assertion (in June) that NSA was “now putting in place actions that would give us the ability to track our system administrators”?
What the latest Times story seems to confirm is that some NSA workers—recall that Snowden technically worked for Booz Allen Hamilton—weren't just able to access extremely sensitive secrets, breach firewalls, and hide their identity while doing so. They were able to do that without anyone noticing or being able to reconstruct their unauthorized behavior even after the fact. That suggests that the agency storing sensitive information on millions of American citizens was both negligent and vulnerable to an employee in their midst perpetrating abuses.