Kaspersky, the NSA, and Data Breaches: Bad Security Practices

By Ryan Johnston – November 5, 2017

The NSA is one of the foremost agencies responsible for collecting data in the United States, but it has a big problem holding onto its own. It has recently come to light that in 2015 Russian agents stole highly classified NSA materials from a contractor’s personal computer. In this instance, the documents contained information on how the United States penetrates foreign computer networks and defends against cyber-attacks. This is the third major data breach to plague the NSA this decade, after both the Edward Snowden leaks and the Harold T. Martin III incident. At the center of this debacle is the cybersecurity firm Kaspersky Lab. Accusations against Kaspersky range from the interception of data that tipped off Russian-sponsored hackers to the firm directly handing the data over to the Kremlin. The Wall Street Journal reported that the hackers were alerted by Kaspersky’s software “to the presence of files that may have been taken from the NSA.” Given that Kaspersky may be the catalyst for this data breach, the Department of Homeland Security issued a directive that no executive department or agency is to allow any Kaspersky Lab related product on a federal network. Furthermore, the retail giant Best Buy has stopped supplying Kaspersky’s products to the private sector. But the biggest nail in Kaspersky’s American sales coffin may be that the FBI has begun briefing private sector companies on intelligence claiming that Kaspersky is an unacceptable threat to national security and that its products should not be used.

In an area where it is so hard to find the true culprit, it is very easy to find viable scapegoats, especially when a contractor takes data out of the NSA building and migrates that data to his personal computer, which happens to have a Kaspersky product installed. This does not set a good precedent for how we treat private partners in the information security sector. In fact, we are still in the dark as to whether Kaspersky was even aware of the attack at the time it occurred. The alienation of a Russian information security firm without any tangible evidence of foul play could lead to Russia taking retaliatory measures against American technology companies, or so warns Philip Chertoff of the cybersecurity program at the GLOBSEC Policy Institute, a think tank sponsored by the European Union and NATO. It could lead to more damage to the United States than to Russia.

This is not the first time the United States has participated in a cyber witch hunt. In 2012 a report from the Permanent Select Committee on Intelligence in Congress articulated suspicion that the Chinese might build backdoors into Huawei products, but these suspicions were never substantiated. In a more recent case, in August, the Army banned the use of products from Chinese drone maker DJI, saying it had uncovered “cyber vulnerabilities” that made DJI products insecure and unreliable. It is currently unclear how this will affect the private sector market for their products.

Regardless of who is at fault, one of the largest national security threats we face is not whether the Russian government is stealing our secrets, or if they are getting help from an outside third party. Rather, the problem is that the porous data security practices employed by the NSA are allowing these breaches to occur in the first place. Tim Shorrock, author of Spies for Hire, focuses his writing on corruption in the intelligence-contractor industry. He writes that contractors account for 30 percent of agency staff, and 60 percent of their budgets, lamenting that the necessary oversight does not accompany these large expenditures.

Likewise, former NSA analyst Dave Aitel told Wired that the NSA’s recent leaks stem from a more fundamental problem: the agency’s sheer scale, and a structure that doesn’t restrict its staffers to information on a “need-to-know” basis. “There’s something structurally wrong here,” Aitel said. “This is about scale and segmentation. It’s very hard to have a really big team where everyone’s read in on everything and not have it leak.”

With regard to steps that can be taken to prevent this in the future: while the NSA may not be able to eliminate the risk that a contractor will find a way to exfiltrate sensitive data, there are coercive elements Congress can use to force the NSA to reevaluate its relationship with its contractors and its data security procedures. In this case, Congress could take measures to amend the National Defense Authorization Act for Fiscal Year 2018 to include a portion that requires the NSA to amend its data handling procedures, restructuring the organization’s information distribution system on a more “need to know” basis. This would restrict cleared persons to the information they need to do their jobs directly, and would not leave large troves of data in the hands of literally anyone who knows where to look. Furthermore, according to a report from the Department of Defense’s Inspector General, the DoD found that the NSA had not

[f]ully implemented technology to oversee privileged user activities; effectively reduced the number of privileged access users; or effectively reduced the number of authorized data transfer agents. In addition, contrary to the “Secure the Net” initiatives, NSA did not consistently secure server racks and other sensitive equipment in data centers, and did not extend two-stage authentication controls to all high-risk users.

The report offered some recommendations for improving security practices, but they did not focus on reducing the NSA’s attack surface or improving its data security practices. The NSA has had three major security breaches in the last decade, which would very likely have been avoided had proper procedures for vetting contractors, adequate data security practices, and controlled information management been in place.

Lastly, and not incidentally, there are laws that govern securing classified data, laws that the NSA has clearly been failing to follow. Executive Order 13526 provides that sanctions can be levied against an agency for failure to comply with the stipulations of the order. Accordingly, this latest case shows that the contractor clearly violated section 4.1, “General Restrictions on Access,” subsection (d), wherein the order states that “[c]lassified information may not be removed from official premises without proper authorization.” Given the violation of 4.1(d), section 5.5(e)(1) states that an agency head or senior official must take appropriate and prompt corrective action and notify the Director of the Information Security Oversight Office (ISOO). However, there is little to no evidence that these procedures were followed by NSA leadership. Regardless of whether ISOO was notified, in this case the NSA failed to take any corrective action, according to the DoD’s IG report. Even more concerning, the NSA’s grossly negligent security practices have continued to allow these breaches to occur. Under 18 U.S.C. §793(f), any individual in the chain of command within an agency that deals in classified data may be held liable if they knew about a theft, or through gross negligence allowed a theft to occur, and did not promptly report it to a superior officer. Given the three data breaches the NSA has had, and the failure of the agency to comply with multiple directives, there should be more scrutiny placed on the NSA rather than allowing it to point fingers at third parties.