It is not what Edward Snowden has said that has the United States government and its National Security Agency so nervous; it is what he has shown – or could still show – to other outside parties.
Nobody seems to know just what data he took with him on his flight to Hong Kong.
Without judging Mr. Snowden's actions as either right or wrong, it is clear that the NSA has issues with how its own employees use, store, and send data – and not just their ability to collect and analyze phone data from millions of other Americans.
NSA either does not know – and this makes them nervous – or they do know – and this gives them more reason to be nervous. Either way you look at it, Snowden was able to send a classified presentation from his office to The Guardian and the Washington Post. Whether this data traveled on a memory stick, was emailed, or was simply printed out at the office – these are all data leak channels that could have been blocked.
The data released so far – a combination of document files and PowerPoint presentations – has been enough to upset diplomatic relations between the United States and its European allies in addition to China and Russia. And there may be more upsets in the future.
Nobody is talking about what controls were or are in place at NSA.
I wonder why. Basic controls with data classification and limitations on copying and emailing documents are part of many Data Loss Prevention programs.
There are tools out there which enable administrators to prevent files from being copied to memory sticks, burned onto a DVD, or emailed outside of the organization. There are tools and procedural steps to be taken for restricting employee access to data. And there are even tools which alert administrators when unusual numbers of files are being opened or copied. Properly applied, these could keep managers from having to read about their data breach on the front page of The Guardian.
From the technical perspective of Safetica 5, the Snowden breach appears to have been largely preventable. It's not clear if the security processes were faulty – or if the needed processes and data protection measures were just not taken.