Insider Threat Special Report: Edward Snowden’s Access to Secrets

February 7, 2017 | By Steven Bay – NSA – The Newsletter

Among the least understood and considered elements of the Edward Snowden saga are the details around what his job was and what data he could actually access.  Did Snowden ever access or use PRISM data?  Did he understand it and its protections?  Did he have long-term access to the signals intelligence (SIGINT) system thereby allowing him to have a thorough understanding of what the National Security Agency (NSA) was doing and how it was doing it?

Snowden started at NSA in 2009.  For all but one and a half months of his NSA career, he was aligned with the Technology Services Directorate supporting an IT contract. His job as systems administrator meant he would have had potential access to at least some of the workstations, servers, and network devices used by the Agency.  This also provided him access to network share drives and the backend of some databases.  While this certainly granted Snowden access to highly sensitive and critical data, it did not grant him access to raw SIGINT.

Nevertheless, according to the recently published unauthorized disclosure review by the U.S. House of Representatives, Snowden took advantage of his access to scrape numerous agency webpages, sift through and remove select data from user network drives, and convince co-workers to provide him with their credentials to systems he could not otherwise access. This explains why so little, if any, of what Snowden disclosed was raw intelligence. Rather, most of it was PowerPoint presentations, training materials, or other secondhand sources with little to no context.

When Snowden joined my team in April 2013, he gained his first access to SIGINT systems as an intelligence analyst. Access to SIGINT data typically does not come with any system administrator rights or privileges – with good reason.  It would be extremely dangerous to grant an intelligence analyst administrator rights and vice versa, as doing so would essentially give that individual the keys to the kingdom.  What is not clear from the Congressional report or other reports out there is what happened to Snowden’s administrator privileges when he left the Technology Services Directorate and moved to the Signals Intelligence Directorate (SID).  It seems quite possible that the Technology Services Directorate did not revoke all his privileges when he left on a Friday and joined Booz Allen the next Monday.  If such circumstances were the case, Snowden would have maintained the ability to escalate his network privileges and access systems that he otherwise would not have had access to.

Before joining us in SID, Snowden had no access to SIGINT systems from a user perspective. He had no access to raw intelligence, no access to PRISM, no access to any number of other programs and systems that he leaked.  As such, he did not understand the programs, how they were used, and the protections in place.

This is especially true for the PRISM program, the subject of the first revelation in June 2013.  At no point in Ed’s career did he have access to the data that program produced.  As such, he was never fully trained on its intent, its use, or its proper handling procedures established by NSA’s Office of Oversight and Compliance to protect the data of U.S. persons.  In fact, the Congressional Report points out that, “he had failed NSA’s internal training course on how to handle information collected under FISA Section 702, the legal authority by which the government can target the communications of non-U.S. persons outside the United States.”  The extent of Ed’s expertise on the PRISM program came from a PowerPoint presentation that gave an overview of how it worked and possibly from word of mouth from NSA colleagues.

Looking back, it appears evident that one of the reasons Snowden joined Booz Allen was that he specifically targeted the contract we supported so that he could presumably gain access to sensitive intelligence programs including PRISM.  However, his assigned team in Hawaii—we were both on the same project and I was his boss, but we supported different government teams—was not authorized to access PRISM data.  He twice asked me how he could get access to that data. These requests were not particularly out of the ordinary, as it made sense based on his job that he would want access, especially considering his parent team at NSA HQ was authorized access.

Nevertheless, Snowden generally had all the same access as any other standard SIGINT analyst.  He was not a senior analyst by any means, nor did he hold any sort of senior role. His job did not grant him any particularly unique accesses or privileged position.

Snowden only worked as an intelligence analyst for a little over a month and a half before departing for Hong Kong. This month and a half was the sum total of his career access to raw SIGINT data.  This is an important consideration, as one can hardly become an expert on SIGINT programs and operations in such a short amount of time.  He did not have access to PRISM or other related data, he did not understand the oversight and compliance requirements placed upon those of us who did have access, and he did not recognize (or perhaps he intentionally disregarded) the importance the Agency placed on protecting U.S. persons’ information.

Those of us with such access were required to go through a rigorous training course before being granted access, annual trainings thereafter, and our managers (or at least mine) regularly discussed proper usage of those systems to ensure we were only using them for foreign intelligence and the purpose of doing our specific jobs.  On top of that, every intelligence analyst with the ability to search the SIGINT system had all of their searches audited by two auditors who were granted such a role by the Office of Oversight and Compliance.  These auditors were in place to both ensure the protection of U.S. persons’ information as well as to ensure that the data we were analyzing was job-related.

Ed did have access to the standard SIGINT system and did have two auditors monitoring his searches.  His auditors, however, would not have picked up on the searches and activities he was conducting outside of his job role, because Snowden did not appear to have stolen any raw SIGINT intelligence. Rather, he extracted PowerPoint presentations, finished and draft documents, and other resources that were obtainable outside the SIGINT system.

According to the Congressional report, Snowden stole upwards of 1.5 million files from the NSA and began his extraction in late spring of 2012, one year before departing to Hong Kong. Based upon a review of the actual access that he had and the type of data released thus far, it is clear that Snowden did not understand the information he stole or the safeguards in place to protect Americans, and that he has significantly exaggerated his role and position in the Agency.

Disclaimer: The opinions expressed herein are purely those of the author and do not reflect the opinions or view of NSA/CSS.

The Author is Steven Bay

Steven Bay left Booz Allen Hamilton earlier this year after nine years with the management consulting firm.  He joined BAH in 2007 to work on a contract for the National Security Agency, and in 2011 was transferred to Hawaii to run its local NSA team.  Bay started his career in the Air Force as a Persian Farsi linguist.  He was stationed at Ft. Meade, Maryland where he translated Persian documents and later became a digital network intelligence analyst.  He has launched a cyber consulting firm…