The Kunia Regional Signals Intelligence (SIGINT) Operations Center was a National Security Agency (NSA) facility located in Oahu, Hawaii. In May 2013, contracted employee Edward Snowden stole and then leaked a large number of top secret documents from the establishment to the press, revealing controversial mass surveillance programs being conducted by the NSA on American citizens. The security lapse at the center was caused by three notable factors.
First, Snowden was a Booz Allen contractor and worked at the base as a system administrator. This position allowed him the freedom to view and move a wider variety of files than a regular NSA employee. In addition, his work was completely unaudited and left almost no trails or logs of his actions. Second, the “thin client” system used at the facility allowed Snowden direct access to servers located at NSA headquarters in Fort Meade, Maryland. His position as a system administrator allowed him to access the NSA intranet (NSAnet) without leaving a signature, essentially making him a ghost user. His time zone in Hawaii also allowed him to access NSAnet after employees in Fort Meade had already left for the day. These two factors allowed for the third factor of social engineering, in which Snowden was able to transfer data onto external thumb drives and leave the premises. Normally, NSA policies force an “air gap” between NSAnet and the outside world that prevent employees from exporting any data. However, Snowden’s position as system administrator gave him a ready excuse to transfer files “internally within the intranet”, and so he bridged the “air gap” with minimal effort.
A general policy to fix these flaws include 1) tighter regulations and technologies for entering and exiting the facility (which will probably be unpopular among government employees). Policies more specific to this incident could be 2) requiring audits for system administrators or 3) requiring multiple administrators to work jointly together when handling or moving highly sensitive files.
From an ethical perspective, I admit that I can’t really give an informed opinion on Snowden’s actions. I personally can’t imagine myself doing the things he did, but that doesn’t necessarily mean it was unethical. Taking the situation at face value, stealing from one’s own government is wrong. Living in a country means respecting and abiding by that country’s rules, which includes not stealing from the government. “When in Rome” and all that. But what happens if the tables are turned? What if it is the government that is taking advantage of its people? From creation, governments have an obligation to protect and safeguard their citizens. This very responsibility is why they are trusted with societal power in the first place. Regardless of the truth, Snowden’s actions forced people to question these assumptions when they otherwise might have not. In this sense, it was good. From a security standpoint, it also forced the government to be more sensitive to attacks from the inside. This is also good. But there is always a dark side to progress. Although there were no doubt also negative effects, they have very low visibility to the American public because of factors like national security and will likely never see the light of day. I wouldn’t go so far as to label Snowden a paragon of virtue because of this, but one can’t deny there was some good to what he did – intended or otherwise.