Breach Analysis

The Snowden Breach: The Intelligence Leak That Changed Everything

> insider.breach —— target: National Security Agency —— date: 2013-06-05 —— classification: TOP SECRET//SI —— status: catastrophic_exfiltration

Hedgehog Security 5 September 2013 30 min read

The insider threat that changed everything.

On the 5th of June 2013, The Guardian published a story that would alter the global understanding of government surveillance, reshape international relations, ignite a worldwide debate about privacy and security, and fundamentally redefine how every organisation — public and private — thinks about the insider threat. The story revealed that the United States National Security Agency was collecting the telephone records of millions of American citizens under a secret court order. The source was a 29-year-old NSA contractor named Edward Snowden.

What followed was the largest and most consequential unauthorised disclosure of classified information in the history of the United States intelligence community. Over the following weeks and months, thousands of top-secret documents were published by media organisations around the world, exposing the full scope and architecture of global surveillance programmes operated by the NSA and its Five Eyes partners — the UK's GCHQ, Canada's CSE, Australia's ASD, and New Zealand's GCSB.

Three months on from the initial disclosure, we at Hedgehog Security believe it is essential to examine this breach not through the lens of the political, legal, or ethical debates it has ignited — important as those debates are — but through the lens of information security. How did a single contractor, working at a regional NSA facility in Hawaii, manage to access, copy, and exfiltrate up to 1.7 million classified documents from the most powerful and technologically sophisticated signals intelligence agency on Earth? What security controls failed, what controls were absent, and what practical measures could have prevented or substantially mitigated this catastrophic loss of classified information?

This article examines the timeline of events, the methods by which Snowden accessed and extracted the documents, the scope of the information compromised, and the security failures that made the breach possible. We shall then assess how regular penetration testing — with particular emphasis on insider threat assessments — and the principles embodied in the UK's Cyber Essentials Plus certification would have reduced the likelihood and severity of this breach.



From contractor to the most wanted man on Earth.

Understanding the Snowden breach requires an appreciation of both its timeline and the unique position that Snowden occupied within the NSA's infrastructure. This was not a spontaneous act — it was a deliberate, carefully planned operation carried out over a period of months by a technically skilled individual who understood precisely how the systems he was tasked with administering could be exploited.

| Phase | Timeframe | Activity |
|---|---|---|
| Career Progression & Access | 2006–2013 | Snowden worked for the CIA from 2006, then moved to Dell in 2009 as an NSA contractor, managing computer systems at various NSA facilities including Japan. His role as a systems administrator gave him broad, privileged access across multiple systems and classifications. |
| Initial Document Access | April 2012 onwards | Intelligence officials later testified that Snowden began downloading documents in April 2012 — over a year before the first publication. He made contact with journalist Glenn Greenwald in late 2012, and with documentary filmmaker Laura Poitras in January 2013. |
| Strategic Job Move | March 2013 | Snowden took a new contractor position with Booz Allen Hamilton at the same NSA facility in Hawaii. He later told the South China Morning Post that he did so specifically to obtain additional access to classified documents he intended to leak. He worked at Booz Allen for approximately two months. |
| Final Exfiltration | May 2013 | Snowden began sending documents to Poitras, Greenwald, and Barton Gellman of The Washington Post. He told his NSA supervisor he needed leave for epilepsy treatment. On the 20th of May, he flew from Hawaii to Hong Kong. |
| First Publication | 5th June 2013 | The Guardian published the first story: a secret FISA court order requiring Verizon to hand over telephone metadata for all domestic calls. The following day, The Guardian and The Washington Post revealed the PRISM programme — NSA access to data from major technology companies. |
| Snowden Identified | 9th June 2013 | Snowden identified himself publicly as the source in a video interview with The Guardian, filmed in his Hong Kong hotel room. Booz Allen Hamilton fired him the same day. |
| Criminal Charges | 14th June 2013 | US prosecutors charged Snowden with theft of government property and two counts under the Espionage Act — unauthorised communication of national defence information and willful communication of classified intelligence. He faced up to 30 years in prison. |
| Flight to Russia | 23rd June – 1st August 2013 | Snowden left Hong Kong for Moscow. He spent over a month in the transit zone of Sheremetyevo Airport before Russia granted him one year of temporary asylum on the 1st of August 2013. |

The Critical Detail

Snowden was downloading classified documents for over a year before the first publication. During that time, he accessed up to 1.7 million files, copied them to a USB thumb drive, and physically removed them from a secure NSA facility. His activity was not detected at any point by the NSA's security systems, monitoring tools, or supervisory processes. This is arguably the most significant insider threat failure in the history of modern intelligence.


The surveillance programmes exposed to the world.

The documents Snowden disclosed revealed a global surveillance apparatus of extraordinary scope and sophistication. For the purposes of this analysis, the specific programmes exposed are relevant because they illustrate the breadth of classified information that a single contractor was able to access — information that should have been compartmentalised, access-controlled, and monitored.

Bulk Telephony Metadata
The NSA was collecting telephone metadata — the numbers dialled, call duration, time, and location data — for millions of domestic calls under a secret FISA court order. This programme had been running since at least 2006. The court order compelled Verizon to hand over records for all domestic calls on an ongoing daily basis.
PRISM
A programme allowing the NSA to collect data directly from the servers of major US technology companies including Microsoft, Google, Yahoo, Facebook, Apple, Skype, YouTube, and AOL. Data collected included emails, video and voice chats, photographs, documents, file transfers, and social networking details. PRISM had been operational since 2007.
XKeyscore
Described as the NSA's search engine for surveillance data. Deployed on over 700 servers across 150 locations worldwide, XKeyscore allowed analysts to search metadata and content — emails, browsing histories, chat sessions — using selectors such as name, email address, IP address, or keywords, reportedly without prior authorisation.
Tempora (GCHQ)
The UK's GCHQ was tapping fibre-optic cables carrying internet traffic, collecting and storing vast quantities of email, Facebook posts, call data, and browsing histories. This data was shared with the NSA. Snowden told The Guardian that GCHQ was 'worse than the US' in terms of surveillance scope.
Upstream Collection
The NSA was intercepting communications directly from the internet backbone — the undersea cables, switches, and routers through which global internet traffic flows. Combined with PRISM, this gave the NSA access to both stored data and data in transit.
Five Eyes & Partner Agreements
Secret intelligence-sharing agreements between the US, UK, Canada, Australia, and New Zealand, as well as additional partnerships with Germany, Sweden, and others. These agreements allowed partner agencies to share raw intercepted data, effectively circumventing domestic legal restrictions on surveillance of their own citizens.

The mechanics of the most damaging insider breach in history.

Understanding how Snowden extracted the documents is critical for any organisation seeking to defend against insider threats. The specific methods he used — and the controls that failed to detect or prevent them — provide a detailed case study in insider threat failure.

Snowden's Exfiltration — How It Happened
── Snowden's Position and Privileges ──────────────────────────────────
Role: Systems Administrator (contractor, Booz Allen Hamilton)
Clearance: Top Secret / SCI (Sensitive Compartmented Information)
Access: Root/admin privileges across multiple NSA systems
Cover: Job required moving classified data between systems

── Document Access Methods ─────────────────────────────────────────────
1. SharePoint file-sharing location on NSA intranet
- Set up post-9/11 to enable inter-agency information sharing
- Contained memoranda, presentations, reports, court orders
- Snowden's admin role gave him legitimate access

2. Fabricated SSH keys and self-signed digital certificates
- Used to authenticate encrypted download sessions
- Enabled access beyond his own clearance level

3. Coerced colleagues' credentials
- Convinced up to 25 NSA staff to share usernames/passwords
- Pretext: needed credentials for sys admin duties
- Gave access to systems beyond his own authorisation

4. Edited activity logs to conceal access
- Admin privileges allowed modification of audit trails
- Effectively invisible to monitoring systems

── Physical Exfiltration ───────────────────────────────────────────────
Medium: USB thumb drive
Policy: USB drives prohibited — policy NOT enforced
Detection: NONE — no physical screening, no DLP, no alerts
Volume: Up to 1.7 million classified files
Duration: Over 12 months of undetected exfiltration

The NSA Director, General Keith Alexander, admitted that part of Snowden's job was to transfer large amounts of classified data between NSA computer systems. This provided the perfect cover for his exfiltration activities. He was, in essence, authorised to do exactly what he was doing — the only difference being that the data's final destination was a personal USB drive rather than another NSA system.


How the world's most powerful spy agency was defeated from within.

The Snowden breach exposed a series of fundamental security failures that are directly relevant to every organisation, regardless of whether it operates in the intelligence community, the private sector, or the public sector. These failures are all the more remarkable given that the NSA is, by mandate and expertise, one of the world's foremost authorities on information security.

| Failure | What Went Wrong | What Should Have Been in Place |
|---|---|---|
| 1. No Two-Person Rule | Snowden operated as a lone systems administrator with root access across multiple systems. No second person was required to authorise, witness, or verify his actions. He could access, copy, and remove classified data entirely on his own. | A mandatory two-person integrity rule for all privileged operations — no single individual should be able to access, copy, or transfer classified data without a second authorised person present. The NSA implemented this control after the breach; it should have been in place long before. |
| 2. Unenforced Removable Media Policy | The NSA had a policy prohibiting USB thumb drives. This policy was not enforced. USB ports on Snowden's systems were not disabled, and no physical or technical controls prevented him from connecting a USB device and copying data to it. | USB ports physically disabled or removed. Device control software preventing unauthorised removable media. Physical screening (metal detectors, bag searches) at facility exits. Monitoring and alerting on any USB device connection events. |
| 3. Excessive Privileged Access | As a systems administrator, Snowden had root-level access across multiple systems — far more access than was necessary for any single role. His admin privileges allowed him to access documents above his own clearance level, to edit audit logs, and to create self-signed certificates for authentication. | Principle of least privilege rigorously enforced. Privileged access management (PAM) solutions vaulting and monitoring all admin credentials. Just-in-time access provisioning. Separation of duties ensuring no single admin can access, copy, and conceal activity simultaneously. |
| 4. Credential Sharing Unchallenged | Snowden reportedly convinced up to 25 colleagues to share their usernames and passwords under the pretext that he needed them for his admin duties. None of these individuals reported the request as suspicious, and no system flagged the use of multiple different credentials from Snowden's workstation. | A culture in which credential sharing is understood to be a dismissible offence. Technical controls preventing the same physical workstation from authenticating with multiple different user credentials in rapid succession. Anomaly detection for credential usage patterns. |
| 5. No Effective Monitoring or DLP | Snowden's copying and downloading activities — spanning over a year and involving up to 1.7 million files — were never detected. No data loss prevention system flagged the mass transfer of classified documents. No user behaviour analytics identified the anomalous access patterns. | Data loss prevention (DLP) solutions monitoring all data movement, particularly to removable media and external destinations. User and entity behaviour analytics (UEBA) establishing baseline patterns and alerting on deviations. Real-time monitoring of privileged user activities. |
| 6. Audit Log Integrity Not Protected | Snowden was able to edit and delete audit logs to conceal his activities. This is a catastrophic failure — if a privileged user can modify the very logs that are supposed to detect their misconduct, the entire monitoring and accountability framework collapses. | Write-once, append-only audit logs stored on systems that administrators cannot modify. Centralised logging with integrity verification (cryptographic hashing). Separation between the systems being administered and the systems that record and monitor that administration. |
| 7. Inadequate Vetting and Continuous Evaluation | Snowden held a top-secret clearance despite a relatively thin career history and an incomplete educational background, and — as emerged after the breach — a supervisor at the CIA had previously placed a critical note in his personnel file expressing suspicion that he had attempted to access files beyond his authorisation. This warning was not acted upon. | Continuous evaluation of cleared personnel — not just periodic reinvestigation. Behavioural indicators programme monitoring for signs of disgruntlement, ideology, financial stress, or anomalous behaviour. Action on security concerns raised by supervisors, with mandatory follow-up and documentation. |
| 8. Contractor Access Equivalent to Staff | Snowden was a contractor — employed by Booz Allen Hamilton, not by the NSA directly. Yet his access to classified systems was functionally equivalent to that of a government employee. At the time, approximately 854,000 contractors held top-secret clearances across the US federal government. | Differentiated access for contractors with additional monitoring, time-limited access, and more frequent review. Reduced scope of contractor admin privileges. Enhanced logging and monitoring for all contractor activities. |

How insider threat assessments would have exposed the weaknesses.

The Snowden breach was an insider threat — and it is in the domain of insider threat assessment that penetration testing offers perhaps its greatest and most underappreciated value. A well-designed penetration testing programme does not only assess external defences; it also evaluates the organisation's resilience against internal attackers operating with legitimate access.

Insider Threat Simulation
A penetration tester operating with the same level of access as a systems administrator would have immediately identified the ability to copy classified data to USB media, the absence of DLP controls, the ability to edit audit logs, and the ease of accessing systems beyond the tester's own authorisation. The tester would have demonstrated, in a controlled environment, the exact same exfiltration path that Snowden later used.
Privilege Escalation Testing
Testing from a standard user account would have revealed how easily privileges could be escalated — through credential sharing, SSH key fabrication, or exploitation of trust relationships between systems. The finding that a sysadmin could effectively access any document at any classification level would have been flagged as a critical vulnerability.
Data Loss Prevention Testing
A DLP assessment would have tested whether classified data could be copied to removable media, emailed externally, uploaded to cloud storage, or otherwise exfiltrated. The complete absence of effective DLP controls would have been identified and reported with the highest severity rating.
Policy Compliance Verification
A security assessment would have verified whether stated policies — such as the prohibition on USB devices — were actually enforced. The gap between the written policy and the technical reality would have been immediately apparent and would have been documented as a critical finding.

Estimated Risk Reduction: Penetration Testing

We estimate that a comprehensive penetration testing programme with a dedicated insider threat assessment component would have reduced the likelihood of a breach of this nature by approximately 60–70%. This reflects the very high probability that testing would have identified the critical failures in removable media controls, audit log integrity, DLP, and privilege management. The estimate acknowledges that a determined insider with the technical skills of a systems administrator represents an exceptionally challenging adversary.


How baseline controls apply even to the most sensitive environments.

It may seem incongruous to apply the UK's Cyber Essentials Plus framework — designed primarily for commercial organisations — to the National Security Agency. However, the principles embodied in CE+ are universal, and several of the controls map directly to the failures that enabled the Snowden breach.

| CE+ Control | Relevance to the Snowden Breach |
|---|---|
| User Access Control | The most directly relevant control. CE+ requires that administrative privileges are granted only to those who genuinely need them and are not used for routine tasks. Had this principle been rigorously applied, Snowden's access would have been scoped far more narrowly, credential sharing would have been technically prevented, and the separation between administrative and operational access would have created barriers to mass exfiltration. |
| Secure Configuration | CE+ requires systems to be configured securely with unnecessary services and capabilities removed. This includes disabling USB ports where removable media is not required for legitimate business purposes. Had USB ports been disabled and device control policies enforced — as the written policy required but the technical configuration did not — Snowden's primary exfiltration method would have been blocked. |
| Malware Protection | Whilst the Snowden breach did not involve traditional malware, the broader CE+ requirement for controls preventing unauthorised software execution is relevant. Application whitelisting and endpoint monitoring would have detected the use of unauthorised tools for data copying and encryption. |
| Patch Management | Timely patching reduces the attack surface available for privilege escalation and lateral movement. Whilst less directly relevant to the Snowden breach than other controls, a well-patched environment is a component of the defence-in-depth approach that makes any adversary's task more difficult. |
| Firewalls & Internet Gateways | Internal firewalling and network segmentation — consistent with the spirit of the CE+ firewall control — would have limited Snowden's ability to reach systems beyond his immediate area of responsibility. Microsegmentation between classified enclaves would have required him to traverse additional monitored boundaries. |
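The gap between a written removable-media policy and the technical configuration, which both the Secure Configuration row above and the earlier Policy Compliance Verification point turn on, is something an assessor can check mechanically rather than by reading the policy. The added example below is ours, not code from the original article, and assumes a Linux host where removable storage is served by the usb-storage kernel module and configured through /etc/modprobe.d. It grades how far a "no USB storage" policy is actually enforced: no directive at all (policy on paper only), a blacklist entry, which only suppresses automatic loading, or an install directive, which stops the module loading even on explicit request. The sample configurations are constructed and written to temporary directories.

```python
import os
import re
import tempfile

# modprobe.d directives that neutralise the usb-storage driver on Linux.
# "install usb-storage /bin/false" (or /bin/true) prevents the module loading at all;
# "blacklist usb-storage" only stops automatic loading by alias, so it is weaker.
_INSTALL_RE = re.compile(r"^\s*install\s+usb[-_]storage\s+/bin/(false|true)\b")
_BLACKLIST_RE = re.compile(r"^\s*blacklist\s+usb[-_]storage\s*$")


def usb_storage_enforcement(modprobe_dir):
    """Grade technical enforcement of a 'no USB storage' policy.

    Returns 'blocked' if an install directive neutralises the module,
    'blacklist_only' if only a blacklist line is present, or 'none'.
    """
    grade = "none"
    for name in sorted(os.listdir(modprobe_dir)):
        if not name.endswith(".conf"):          # modprobe only reads *.conf files
            continue
        with open(os.path.join(modprobe_dir, name)) as fh:
            for raw in fh:
                line = raw.split("#", 1)[0]     # strip trailing comments
                if _INSTALL_RE.match(line):
                    return "blocked"
                if _BLACKLIST_RE.match(line) and grade == "none":
                    grade = "blacklist_only"
    return grade


def demo():
    """Three constructed modprobe.d directories: policy on paper only, blacklist only, blocked."""
    cases = {
        "paper_only": "# Policy: USB drives are prohibited. No technical control present.\n",
        "blacklist_only": "blacklist usb-storage\n",
        "blocked": "blacklist usb-storage\ninstall usb-storage /bin/false\n",
    }
    results = {}
    for label, content in cases.items():
        with tempfile.TemporaryDirectory() as d:
            with open(os.path.join(d, "usb.conf"), "w") as fh:
                fh.write(content)
            results[label] = usb_storage_enforcement(d)
    return results


if __name__ == "__main__":
    # On a live host you would call usb_storage_enforcement("/etc/modprobe.d") instead.
    for label, grade in demo().items():
        print(f"{label}: {grade}")
```

Pointing the grader at /etc/modprobe.d on each assessed host turns "is the USB policy enforced?" into a yes/no finding per machine. The module-level check is only one layer; a complete assessment would also cover BIOS-level port disablement, device control software and physical screening at exits, which this snippet does not inspect.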

Estimated Risk Reduction: Cyber Essentials Plus Principles

We estimate that rigorous application of CE+ principles — particularly user access control and secure configuration — would have reduced the likelihood of a breach of this nature by approximately 35–45%. This is lower than our estimate for the Sony breach because CE+ is primarily designed to address external internet-based threats, whereas the Snowden breach was a sophisticated insider attack. Nevertheless, the user access control and secure configuration requirements directly address two of the most critical failures.

Combined Estimated Risk Reduction: 70–80%

The combined effect of comprehensive penetration testing (including insider threat assessment) and CE+ principles would have reduced the likelihood by approximately 70–80%. The remaining 20–30% reflects the exceptional difficulty of defending against a technically skilled, determined insider with legitimate privileged access and extended time to plan and execute — the most challenging adversary profile in all of information security.


Why insider threats are fundamentally different.

The Snowden breach differs from external cyber attacks — such as the Sony Pictures breach we analysed previously — in a fundamental way that has profound implications for defensive strategy. An external attacker must first find a way into your network, then navigate an unfamiliar environment, avoid detection, locate valuable data, and extract it — all whilst operating from a position of relative ignorance. An insider, by contrast, begins from a position of trust, knowledge, and access. They already know where the data is stored, how the systems are configured, what monitoring exists, and where the blind spots are. They have legitimate credentials. They understand the organisational culture, the security policies, and — critically — which policies are enforced and which are merely written.

This asymmetry makes insider threats orders of magnitude harder to defend against than external attacks. The traditional perimeter-defence model — firewalls, intrusion detection, network segmentation — is designed to keep outsiders out. It offers little protection against an individual who is already inside, already authorised, and already trusted. Defending against insider threats requires a fundamentally different approach: one centred on monitoring behaviour rather than blocking access, on detecting anomalies rather than matching signatures, and on limiting the damage any single individual can cause rather than preventing all unauthorised access.

The Snowden breach also illustrates a particular subcategory of insider threat that is exceptionally challenging: the ideologically motivated insider. Unlike a financially motivated insider who steals data for personal gain, or a disgruntled insider who causes damage out of revenge, an ideologically motivated insider believes they are acting in the public interest. They are typically more careful, more deliberate, and more willing to accept personal consequences. They plan methodically, take precautions to avoid detection, and may spend months or years positioning themselves for maximum impact. Snowden's decision to take a new job at Booz Allen Hamilton specifically to access additional documents — and his willingness to abandon his life, his career, his home, and his relationship in pursuit of his objective — demonstrates a level of determination that makes detection and prevention extremely difficult.


854,000 people with the keys to the kingdom.

At the time of the Snowden breach, approximately 854,000 contractors held top-secret clearances across the US federal government. This figure is staggering — and it represents a threat surface of enormous proportions. Each of those contractors is a potential insider threat, yet the security controls applied to their access were, in many cases, no more stringent than those applied to permanent government employees.

The use of contractors for sensitive IT functions — including systems administration — creates a specific set of risks that organisations must understand and manage. Contractors may have divided loyalties between their employer, their client, and their own interests. Their employment relationships are typically less stable than those of permanent staff, creating a higher risk of disgruntlement during contract transitions or terminations. Their vetting may be less thorough, particularly if conducted by the contracting company rather than the client organisation. And the speed with which contractors can be onboarded — as demonstrated by Snowden's two-month tenure at Booz Allen Hamilton before executing his plan — may outpace the organisation's ability to assess their trustworthiness.

This is not an argument against using contractors. Modern organisations, including government agencies, depend on contractor expertise for functions ranging from IT administration to specialised engineering. But it is an argument for applying enhanced controls — additional monitoring, time-limited access, reduced privilege scope, more frequent review, and explicit separation of duties — whenever contractors are granted privileged access to sensitive systems and data. The fact that Snowden's access as a Booz Allen contractor was functionally equivalent to that of an NSA government employee represents a failure of risk management that extends far beyond any one individual.


The post-9/11 paradox of sharing versus security.

One of the tragic ironies of the Snowden breach is that the very systems he exploited were designed to address a previous intelligence failure. After the 9/11 attacks, the intelligence community was criticised for its failure to 'connect the dots' — different agencies held different pieces of the puzzle, but information-sharing barriers prevented anyone from seeing the complete picture. In response, new file-sharing systems were created on classified intranets to enable analysts across agencies to access and discuss intelligence more broadly.

These systems — including the SharePoint repositories from which Snowden accessed many of his documents — represented a deliberate decision to prioritise information sharing over information compartmentalisation. The pendulum had swung from excessive secrecy to excessive accessibility, and the insider threat controls necessary to manage the increased risk had not been implemented to match.

This tension between sharing and security is not unique to the intelligence community. Every organisation faces the same trade-off. Making data more accessible improves productivity, collaboration, and decision-making — but it also increases the potential impact of a breach, whether from an insider or an external attacker who compromises an authorised account. The solution is not to choose one extreme or the other, but to implement graduated access controls that make data accessible to those who need it for legitimate purposes whilst maintaining monitoring, accountability, and the ability to detect and respond to misuse.


What every organisation must take from this.

The Insider Threat Is the Hardest Threat
External attackers must find vulnerabilities, bypass defences, and avoid detection. Insiders already have legitimate access, knowledge of the environment, and the trust of their colleagues. The Snowden breach demonstrates that even the world's most well-resourced intelligence agency was unable to detect a determined insider operating over a period of more than a year.
Privilege Is the Attack Surface
Snowden's admin privileges were the attack surface. Every organisation that grants administrative access to any individual — employee or contractor — is accepting the risk that those privileges could be misused. The principle of least privilege, separation of duties, and the two-person rule are not bureaucratic inconveniences; they are essential controls against the most damaging category of threat.
Policy Without Enforcement Is Fiction
The NSA had a policy prohibiting USB drives. It was not enforced. A policy that exists only on paper provides a false sense of security that is worse than having no policy at all, because it creates the illusion of protection where none exists. Every security policy must be backed by technical enforcement, monitoring, and consequences for non-compliance.
If You Can't See It, You Can't Stop It
The complete absence of effective monitoring, DLP, and user behaviour analytics allowed Snowden's activities to continue undetected for over a year. Organisations that do not monitor privileged user activity are operating blind to their most significant risk. Monitoring must be continuous, automated, and designed to detect the specific behaviours associated with insider threats.
Contractors Require Enhanced Controls
At the time of the Snowden breach, approximately 854,000 contractors held top-secret clearances. Snowden's access as a contractor was functionally equivalent to that of government employees. Organisations that grant contractors privileged access without enhanced monitoring, time-limited permissions, and more frequent review are accepting unnecessary risk.
Audit Logs Must Be Tamper-Proof
The ability for a privileged user to edit or delete audit logs defeats the entire purpose of logging. Audit infrastructure must be designed so that even the most privileged administrators cannot modify the records of their own activities. This requires write-once storage, cryptographic integrity verification, and separation of the logging infrastructure from the systems being logged.

Practical steps for every organisation.

| Priority | Recommendation | Detail |
|---|---|---|
| Critical | Implement the two-person rule for sensitive operations | No single individual should be able to access, copy, or transfer the most sensitive data without a second authorised person. This applies to systems administrators, database administrators, and anyone with privileged access to critical systems. |
| Critical | Enforce removable media controls technically | Disable USB ports. Implement device control software. Screen personnel at facility exits. Monitor and alert on any removable media connections. Do not rely on policy alone — enforce through technology. |
| Critical | Deploy data loss prevention | Monitor all data movement — to removable media, to external email, to cloud services, to printers. Alert on bulk data transfers. Block unauthorised exfiltration. DLP must cover both network and endpoint channels. |
| High | Protect audit log integrity | Write-once, append-only storage for all security logs. Centralised logging infrastructure separated from the systems being monitored. Cryptographic hash chains for integrity verification. No administrator should be able to edit their own audit trail. |
| High | Implement privileged access management | Vault all admin credentials. Require check-out and check-in. Record all privileged sessions. Implement just-in-time access — privileges granted only when needed and automatically revoked when the task is complete. |
| High | Deploy user behaviour analytics | Establish baselines for normal behaviour. Alert on anomalies — unusual access times, unusual data volumes, access to systems outside normal scope, credential usage from unexpected locations. Behavioural analytics is the most effective technical control against determined insiders. |
| High | Conduct regular insider threat assessments | Include insider threat scenarios in penetration testing engagements. Test whether a privileged user can exfiltrate sensitive data undetected. Test policy enforcement, DLP, monitoring, and audit log integrity. Act on findings. |
| Medium | Differentiate contractor access | Apply enhanced monitoring, time-limited access, reduced privilege scope, and more frequent review to all contractor and third-party access. Contractors should not have the same access as permanent staff without additional oversight. |
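Failure 6, the lesson "Audit Logs Must Be Tamper-Proof" and the "Protect audit log integrity" recommendation all call for cryptographic hash chains without showing what one buys you. The following added example is ours, not the NSA's design and not code from the original article: a minimal SHA-256 hash-chained audit log and a verifier, exercised against a constructed set of entries in which a privileged user then tries to re-attribute one record, delete one record, and finally rebuild the whole chain without the inconvenient entry. The record fields, usernames and paths are assumptions chosen for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" carried by the first record

# Fields covered by each record's digest; the digest itself is excluded.
_SIGNED_FIELDS = ("seq", "actor", "action", "target", "prev")


def record_digest(record):
    """SHA-256 over the canonical JSON of the signed fields."""
    canonical = json.dumps({k: record[k] for k in _SIGNED_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


class HashChainedAuditLog:
    """Append-only audit log: every record embeds the hash of the record before it."""

    def __init__(self):
        self.records = []

    def append(self, actor, action, target):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "actor": actor, "action": action,
                  "target": target, "prev": prev}
        record["hash"] = record_digest(record)
        self.records.append(record)
        return record["hash"]

    def head(self):
        """Hash of the newest record; publish it to a system administrators cannot write to."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records, expected_head=None):
    """Return (ok, first_bad_seq).

    Catches edited, deleted, inserted and reordered records. With expected_head
    (a head hash stored outside the administrator's reach) it also catches a
    chain that was rebuilt from scratch to look consistent.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev or record_digest(rec) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


def demo():
    """Constructed entries, then three tampering attempts by a privileged user."""
    log = HashChainedAuditLog()
    log.append("sysadmin7", "file_copy", "/share/sp-intel/")
    log.append("sysadmin7", "usb_connect", "removable_storage")
    log.append("analyst12", "file_read", "/share/sp-intel/report.pdf")
    head = log.head()  # imagine this was shipped to a separate logging host

    edited = [dict(r) for r in log.records]
    edited[1]["actor"] = "analyst12"      # re-attribute the USB event to a colleague

    deleted = [dict(r) for r in log.records]
    del deleted[1]                        # erase the USB event entirely

    # An admin who can rewrite the whole file can rebuild a self-consistent chain;
    # only the externally held head hash exposes that.
    rebuilt = HashChainedAuditLog()
    rebuilt.append("sysadmin7", "file_copy", "/share/sp-intel/")
    rebuilt.append("analyst12", "file_read", "/share/sp-intel/report.pdf")

    return {
        "intact": verify_chain(log.records, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "rebuilt_without_anchor": verify_chain(rebuilt.records),
        "rebuilt_with_anchor": verify_chain(rebuilt.records, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The edit and the deletion are both caught at record 1, the first point where the chain no longer agrees with itself. The rebuilt chain passes local verification, which is the practical reason the recommendation pairs hash chains with centralised, write-once storage separated from the administered systems: the head hash has to live somewhere the administrator cannot reach, and the verifier has to compare against it.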

Trust, but verify — and monitor.

The Snowden breach stands as the most significant insider threat incident in the history of modern intelligence. It demonstrated that even the world's most powerful and well-resourced signals intelligence agency — an organisation whose entire mission revolves around the collection, protection, and analysis of classified information — was vulnerable to a single determined insider exploiting fundamental security weaknesses.

The failures that enabled the breach — the absence of a two-person rule, unenforced removable media policies, excessive privileged access, unprotected audit logs, absent monitoring, and unchallenged credential sharing — are not unique to the NSA. They exist, to varying degrees, in organisations of every size and sector. Every organisation that employs systems administrators, database administrators, or any individual with privileged access to sensitive data is potentially vulnerable to the same category of attack.

The most important lesson of the Snowden breach is not that trust is misplaced — organisations must trust their employees and contractors to function. The lesson is that trust must be accompanied by verification, monitoring, and technical controls that ensure no single individual has unchecked, unmonitored power over an organisation's most sensitive information. Trust, but verify — and monitor.

This article is the first in a two-part series examining the Snowden breach. An update examining subsequent developments, including the NSA's remediation measures and the broader impact on the technology industry, will be published in March 2014.


Could a privileged insider exfiltrate your most sensitive data undetected?

Our insider threat assessments test the controls that matter most — privileged access management, data loss prevention, removable media controls, audit log integrity, and monitoring effectiveness. We simulate the realistic insider threat scenarios that keep security leaders awake at night, and provide actionable recommendations to close the gaps.
