Mark Blinch / Reuters

Investigative journalist Jason Leopold, a Freedom of Information Act ninja, has liberated documents that the Defense Intelligence Agency prepared after the Edward Snowden leaks. Newsworthy revelations are sprinkled throughout his Vice News exclusive, which leads with government efforts to discredit the NSA contractor. But the detail that grabbed my attention concerns the Department of Defense.

In a report shared with Congress, the DIA stated that Snowden took over 900,000 Defense Department files. There is no way to verify the accuracy of that number since the head of the DIA has muddied the distinction between documents that Snowden “touched” and documents that he downloaded and brought overseas. In any case, Snowden had access to at least 900,000 Pentagon files. And Leopold says newly released public records show that the DoD “first learned that Snowden took documents containing Department of Defense information on July 10, 2013, about a month after Snowden disclosed that he was the source of the leaks about the NSA's controversial surveillance programs.”

Isn’t that striking?

A systems administrator with broad access to state secrets announced to the world that he had fled abroad with countless highly sensitive documents. And even after that, it took the Department of Defense another month to figure out that some of their highly sensitive documents were implicated. Recall that  in August of 2013, the NSA then moved “to eliminate about 90 percent of its system administrators to reduce the number of people with access to secret information,” which certainly makes it seem like they had a gaping security vulnerability.

Once DoD knew its documents were compromised, a task force was set up with 200 to 250 people working on a typical day to assess the damage done. “By mid-November,” the DIA document states, “we had enough understanding of the problem to produce an initial assessment.” That’s five months after the leak.

A few thoughts:

  • National security officials have argued that we need not be concerned about NSA employees abusing their access to sensitive information about our private communications because their behavior can be audited 100 percent. But the system failed to stop a sort of unauthorized behavior that the national security bureaucracy had the greatest incentive to prevent. What are the chances that its systems were sufficient to protect us? After all, weeks after what was surely an unusually intense NSA audit of Snowden’s actions, officials were still unaware that DoD files were compromised. And once they were aware that he touched DoD files it took more than 5 months to generate an initial assessment of what was compromised. It sure sounds like the national-security bureaucracy got burned by giving its employees too much latitude with insufficient oversight.
  • One wonders if any of those same DoD files had ever been compromised by a cleared employee who quietly sold them to foreign adversaries rather than alerting high-profile journalists and then the American public to his actions. We surely cannot assume that the U.S. government would’ve noticed espionage of that sort when it took them a month to figure out what a whistleblower who outed himself was able to access within the system.
  • Put another way, say that there was a document that Snowden could have taken but didn’t, and the DoD was able to confirm that he didn’t. Should the assumption be that it has remained secure? Or should it be treated as compromised since Snowden revealed that some unknown number of employees could download such a document to a hard drive without anyone noticing?

We’ve heard Snowden vilified by President Obama, members of Congress, and bureaucrats. But we’ve yet to hear much criticism of the leaders who oversaw a system so vulnerable to having state secrets exposed that DoD documents were compromised without anyone noticing, even after Bradley Manning had recently managed his own massive leak of Pentagon secrets.

I’m glad for the Manning and Snowden leaks. But these new details from DIA documents are further confirmation that the national-security bureaucracy is neither able to protect the highly sensitive information that it retains on tens of millions of innocents nor to stop employees who are determined to break the rules. This is part of why it should never be trusted to act without oversight more intense than now exists or to wield the degree of power that it now possesses.

We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.