A declassified report from the Defense Department Inspector General has been released, according to the New York Times.
The 60-page report commissioned by Congress assesses 7 of the 40 components that the National Security Agency outlined for their "Secure the Net" initiative. This initiative was put forth to help improve the security of sensitive systems after the Snowden disclosures in 2013.
The NSA, according to the inspector general's report, had some successes, but the overall initiative "did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data."
According to the Times, the report details how their efforts fell short, including the failure to reduce the number of privileged users who can access sensitive computer systems; their failure to consistently keep data center machine rooms secure, as well as failing to lock the server racks containing highly classified data; and the failure to fully implement software that would monitor users.
The report also noted the agency's failure to declare an exact number of people with abilities to transfer data. The lists containing this information were kept on spreadsheets that were corrupted and are no longer available.
The inspector general's report noted that NSA CIO Gregory Smithberger told the inspector general that the elimination of all insider risks and threats is not feasible. He told the Times, "While the media leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a 'good news' story."
The importance of securing classified information, as the report warns, was underscored the same month the inspector general's report was produced, according to the Times. In August 2016, a group called the Shadow Brokers obtained and auctioned off classified hacking tools allegedly from the NSA — some of which were dumped online. Those tools were later seen as part of the global WannaCry ransomware attack.
"We welcome the observations and opportunities for improvement offered by the U.S. Defense Department's Inspector General," Vanee Vines, spokesperson for the NSA told the Times. "NSA has never stopped seeking and implementing ways to strengthen both security policies and internal controls."