Despite suffering multiple devastating security breaches and data exfiltrations over the past five years, the National Security Agency still isn’t taking sufficient measures to secure its digital troves of highly valuable information, according to a rare public report from the NSA’s inspector general. The report, released Wednesday, said investigators found “many instances of non-compliance” with internal rules to protect “computer networks, systems and data.” Those include “inaccurate or incomplete” security plans, unimplemented plans for multi-person access controls over “data centers and equipment rooms” and “removable media” like thumb drives “not [being] scanned for viruses.” In under a decade, a surveillance agency once thought nigh impregnable has experienced at least four catastrophic data breaches, including from whistleblower Edward Snowden; the Shadow Brokers disclosure of NSA digital weapons; a breach attributed to Kaspersky Lab software; and a former cybersecurity contractor who this year pleaded guilty to taking home thousands of agency documents. “Most operators knew how they could get anything they wanted out of the classified nets and onto the internet if they wanted to, even without the USB drives,” a former NSA employee told The Daily Beast last October, the beginning of the six-month period covered in the inspector general report.
—Spencer Ackerman
