A story quietly titled “Out of Control,” published in a special 1996 issue of the National Security Agency’s professional journal Cryptologic Quarterly, warns that one of the best ways into a computer system doesn’t involve any hacking at all. The article foresees exactly the kind of threat Edward Snowden would pose to the agency in 2013.
The report opens:
Snowden apparently sought out just such a job as a contractor with the NSA because, in his own words, “My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked.”
Thanks to the way electronic communication works, system administrators have access to a whole range of information stored on the networks they oversee. “Out of Control” also provides an almost quaint look at early 1990s use of systems like email and servers. The report is written for an audience that understood how to keep paper documents safe in the Cold War but needs help understanding the risks that come with new technology.
Curiously, the policy recommendations made at the end of the report might all be valid security techniques, but they radically reduce the usefulness of computers for the people using them. One recommendation is for personal passwords that system admins cannot access, with the acknowledged risk of reports permanently lost when the user forgets their own password. Beyond encryption, the report recommends that hard drives used by analysts be “encrypted and stored in a three-combo safe,” which would certainly make logging into work every morning a pleasant and totally enjoyable ordeal.
Another recommendation is that users be physically separated from the local network or the internet while working, only plugging the cables into the computer when needed to quickly send out messages and then staying offline the rest of the time. And, as with most any set of recommendations, there is a call for an increased budget. As the unknown author of “Out of Control” writes, budget cuts lead to low morale, and low morale makes it likelier a system administrator could be bribed by another country.
Finally, “Out of Control” hits at the main problem with private, compartmented, or secret information held somewhere outside the individual’s control:
Two different versions of this report are available online: one from the NSA, and another from George Washington University’s National Security Archive. Cryptome has a side-by-side comparison, so the differences in redactions are easy to see.