Edward Snowden’s success in leaking NSA data was chalked up in part to the agency’s own security lapses, so you’d think that the agency would have tightened up its procedures in the past five years… right? Apparently not. The NSA Inspector General’s office has published an audit indicating that many of the Snowden-era digital security policies still haven’t been addressed, at least as of the end of March 2018. It hasn’t correctly implemented two-person access controls for data centers and similar rooms, doesn’t properly check job duties and has computer security plans that are either unfinished or inaccurate.
The audit also showed that the NSA hasn’t implemented the latest federal security guidance, doesn’t have a complete inventory of its IT framework and isn’t gathering all the documentation it needs before it gives a computer system the go-ahead. And while Snowden didn’t rely on malware, the NSA isn’t thoroughly scanning for viruses on USB thumb drives and other removable media.
The Inspector General’s report only includes audits between October 1st, 2017 and March 31st, 2018, indicating that many of these issues are relatively fresh and hadn’t been fixed as of earlier this year.
It’s not certain what the NSA is doing to address the problems. However, there’s certainly an incentive to take the audit seriously. The NSA has grappled with more than one person leaking its info to the public in recent years — while stricter policies wouldn’t definitively prevent further leaks, they might discourage such incidents.