Edward Snowden took a lot of stuff from the NSA: The latest estimate is 1.7 million documents, a figure Rick Ledgett, the head of the task force investigating the leaks, told CBS he "would not dispute." And today, the New York Times reports that investigators might never know exactly what Snowden grabbed before heading for Hong Kong, in part because the software his Hawaii NSA office used to monitor its employees' digital movements was not up to date.
In the wake of Chelsea Manning's 2010 disclosures to WikiLeaks, the Obama administration ordered upgrades to the agency's "insider threat" system for detecting "unusual computer activity" by its workers, but, one intelligence official explained, "We weren’t able to flip a switch and have all of those changes made instantly." Officials also told the paper that Snowden, who would have known that the Hawaii facility wasn't behind the times, "further covered his tracks by logging into classified systems using the passwords of other security agency employees, as well as by hacking firewalls installed to limit access to certain parts of the system."
"Snowden hit at a really opportune time. For him — not for us," Ledgett said in an interview with Reuters. He also said he believed Snowden did, in fact, still have access to a previously hinted-at "doomsday cache" of super-secret files that have not been made public by reporters. Ledgett added that the prospect of the release of those materials troubled him enough to consider "a conversation" about granting Snowden amnesty, though he "would need assurances that the remainder of the data could be secured, and my bar for those assurances would be very high." However, NSA chief Keith Alexander told CBS that's not going to happen. "This is analogous to a hostage-taker taking 50 people hostage, shooting 10 and then say 'You give me full amnesty and I'll let the other 40 go,'" he said.
Whatever happens to Snowden, the NSA is now working to ensure that its data is no longer vulnerable to sticky-fingered employees. Per Reuters:
The NSA is taking 41 specific technical measures to control data by tagging and tracking it, to supervise agency networks with controls on activity, and to increase oversight of individuals.
Measures include requiring two-person control of every place where someone could access data and enhancing the security process that people go through and requiring more frequent screenings of systems administrative access, Ledgett said.
The changes may not be too little, but they do seem to be too late.