NSA cutting number of system administrators


In the wake of the revelations by Edward Snowden, the head of the NSA Keith Alexander has announced that he plans to reduce by 90% the number of system administrators (the job that Snowden had) that NSA employs, in an effort to limit the number of people with access to that kind of data.

Using technology to automate much of the work now done by employees and contractors would make the NSA’s networks “more defensible and more secure,” as well as faster, he said at the conference, in which he did not mention Snowden by name.

Other security measures that Alexander has previously discussed include requiring at least two people to be present before certain data can be accessed on the agency’s computer systems.

“At the end of the day it’s about people and trust,” Alexander said. He again defended his agency’s conduct, much of which he said had been “grossly mischaracterized” by the press.

“No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies,” he said. “There were no mistakes like that at all.”

It really kills me when the people who have no compunction about secretly spying on everyone and lying about it left and right talk about the importance of trust

While this move will likely reduce the risk of leaks, it will not eliminate it. And it will likely make the spying operate less smoothly. There is a reason why we need human system administrators, because unexpected things come up all the time that require human judgment.

Comments

  1. colnago80 says

    What we don’t need is overpaid system administrators working for crooked contractors, aka the Beltway Bandits.

  2. lanir says

    That sort of automation is not something that can just be turned on. There are a number of different tools that can be used to do it, but what it effectively entails is software development. You have to develop the rulesets that then run your systems. And they tend to require upkeep. The less upkeep you want, the more you have to pre-emptively think of and automate your way out of problems. So if it’s slow going for them transitioning over to this kind of system, that’s why.

    It’s also frankly more likely to allow abuses. Automated systems do not have the same judgement abilities a person does. Access is a simple pass/fail system and any complexities or nuances have to be designed in a logical way by people. Whatever you think about the blatant overreach of the NSA, it’s fairly obvious they’ve engaged in some phenomenal organization-wide screw-ups. I personally don’t think they’ll do any better with this. Security is always a balance between locking everything down and allowing people enough freedom to continue to use whatever you are securing. There’s a point where security measures can increase the cost of your daily operations more than a theft would. Automation tends to create more “one size fits all” style security, which can give an organization less control over how they navigate that particular issue.

  3. markdowd says

    He is correct about one thing: Nothing the NSA has done so far was a “mistake”. Every last bit of it was completely thought out and deliberate.

    On top of that, I love how they’re going to be offloading it “to the cloud”. Do they even know WTF a “cloud” is? They’re going to be handing off their super-sensitive data to another contractor that (GUESS WHAT!) has sys-admins!

    So that net result of this will be….nothing changed. Some of the NSA brass probably got sweet-talked by an IT consultant and didn’t understand what was being said.

  4. says

    NSA, as the government’s computer security experts, should be expected to understand Trust and transitive Trust. They – literally – (Schaeffer, Bell, LaPadula, Walker, et al) wrote books on it. That they neglected their own hard-won common sense to depend on contractors is massive systemic FAIL. For that, the taxpayers can thank, um…. Mike McConnell and General Alexander. McConnell is now a principal at Booz Allen. Anyone want to set up a deadpool for when and where Alexander is going to exit through the revolving door?

  5. unbound says

    @markdowd – Where did they mention offloading it to the cloud? I can’t find it in the link. Was there another article about it somewhere? Even if they did mention it, you should be aware that most of the federal agencies have their own private clouds now, so offloading to the cloud doesn’t necessarily mean what you think it means.

    @Marcus Ranum – I agree completely. NIST standards require role separation, and there is no reason that a system administrator should have unfettered access to any data which, by the nature of the data, should have been encrypted. The fact that a system administrator could look at the data by poking around means that cybersecurity at NSA must be nothing more than a paper-pushing exercise.

    My guess from reading this is that NSA will actually enforce the required security model and create role separation. A few pieces of automation will be put in to move files and integrate some of the databases, but the big change will be that people will be dedicated to more individual roles such that most will not be exposed to enough information to put the pieces together. So while they be getting rid of 90% of the system administrators, the net effect will probably be more people involved in the operation.

  6. Corvus illustris says

    That they neglected their own hard-won common sense to depend on contractors is massive systemic FAIL.

    Common sense is hard to neglect, unless you are TOLD to neglect it. Any thoughts on the chain of command? And it’s clear where the General is going, up to isomorphism.

Leave a Reply

Your email address will not be published. Required fields are marked *