7 January 2014. Corrected date of document to 1991, published in 1996.
5 January 2014. A2 notes second version of the NSA document at the National
Security Archive with different redactions.
Comparison of the two:
4 January 2014
NSA Warns of Rogue System Administrators 1991
I was just searching through a list of declassified articles from the NSA's
Cryptologic Quarterly in-house journal and came across this extraordinary
and prescient gem from a 1996 issue about the unfettered power possessed
by intelligence agency IT system administrators.
In the very first paragraph, the unidentified author warns of the consequences
of the intel IT process should a system administrator turn rogue or be exploited:
"In their quest to benefit from the great advantages of networked computer
systems, the U.S, military and intelligence communities have put almost all
of their classified information "eggs" into one very precarious basket: computer
system administrators. A relatively small number of system administrators
are able to read, copy, move, alter, and destroy almost every piece of classified
information handled by a given agency or organization. An insider-gone-bad
with enough hacking skills to gain root privileges might acquire similar
capabilities. It seems amazing that so few are allowed to control so much
- apparently with little or no supervision or security audits. The system
administrators might audit users, but who audits them?"
This is fully 23 years before Edward Snowden purloined the NSA's Crown Jewels
from the NSA's Hawaii RSOC.
Remarkably, the article's author also later describes a 1994 incident at
an NSA RSOC when a contractor employee was caught accessing restricted files
on a classified system!
The author states, "From an individual's standpoint . . . access to electronic
versions of classified documents is out of control." [original emphasis]
Hence the title of the journal article: "Out of Control."
Although the author's identity has been redacted, the article bio states
he joined NSA in 1986 and was an intelligence analyst in the ISSO's Threat
Analysis Division (V52) where he was the primary editor of the National INFOSEC
Intelligence Review (NIIR) and the ISSO Global Threat Summary reference manual
- both published by NSA V52.
Reference: Author's name redacted, "Out of Control," Cryptologic Quarterly
15 (Special Edition, 1996), 263-269, Declassified from SECRET,
Here's a PDF of the entire article: