Edward Snowden and the NSA: The Insider Who Changed the World
NSA contractor Edward Snowden used his privileged sysadmin access to exfiltrate an estimated 1.5 million classified documents, revealing global surveillance programmes to journalists and triggering a worldwide debate on privacy.
Background
The NSA's signals intelligence infrastructure relied on a small number of system administrators who held extraordinarily broad access to move data between classified networks. Snowden had worked as an NSA contractor for Booz Allen Hamilton, stationed in Hawaii.
The Attack
Snowden used his legitimate sysadmin credentials to access and download files far outside his job function. He collected documents by copying them to SD cards and physical drives. He exploited a lack of monitoring on data exfiltration — the NSA's internal systems were not designed to detect insiders abusing legitimate access. Snowden then flew to Hong Kong and shared documents with journalists Glenn Greenwald and Laura Poitras.
Response
The NSA overhauled its insider threat programme, implementing a "two-person rule" for accessing sensitive systems and deploying user activity monitoring. The Intelligence Community launched a broad review of contractor access. Congress passed the USA FREEDOM Act in 2015, placing new limits on bulk data collection.
Outcome
The Snowden disclosures revealed PRISM, XKeyscore, MUSCULAR, and dozens of other programmes, prompting major tech companies to adopt end-to-end encryption, triggering EU-US data sharing disputes, and permanently changing public discourse on government surveillance.
Key Takeaways
- Privileged access must be subject to the principle of least privilege — even sysadmins
- User activity monitoring and anomaly detection are essential for detecting insider threats
- The two-person rule for sensitive operations reduces single-point-of-failure risk
- Contractor access deserves the same scrutiny and controls as direct employee access
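The second and third takeaways can be made concrete in code. The following is an added illustration, not part of the original case study and not any NSA tooling: a minimal detector that applies role-based access checks, an exfiltration-channel check and a per-user volume baseline to constructed access-log lines. The log format, the user names, the role-to-compartment mapping, the action names and the thresholds are all assumptions made for this example.

```python
"""
Added example (not from the original page): insider-threat detection over
constructed access-log records. Every name, value and threshold below is an
assumption chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: date, user, role, compartment, action, bytes.
# Four days of routine activity, then one day where a sysadmin account reads
# a compartment outside its role and copies the data to removable media.
SAMPLE_LOG = """\
2013-04-01 alice sysadmin OPS-MAINT read 120000
2013-04-01 bob analyst SIGINT-ANALYSIS read 800000
2013-04-02 alice sysadmin OPS-MAINT read 90000
2013-04-02 bob analyst SIGINT-ANALYSIS read 750000
2013-04-03 alice sysadmin OPS-MAINT read 110000
2013-04-03 bob analyst SIGINT-ANALYSIS read 820000
2013-04-04 alice sysadmin OPS-MAINT read 100000
2013-04-04 bob analyst SIGINT-ANALYSIS read 790000
2013-04-05 alice sysadmin SIGINT-ANALYSIS read 4500000
2013-04-05 alice sysadmin SIGINT-ANALYSIS copy_removable 4500000
2013-04-05 bob analyst SIGINT-ANALYSIS read 810000
"""

# Assumed least-privilege model: the compartments each role legitimately
# touches. A sysadmin maintains systems; it does not read analyst product.
ROLE_COMPARTMENTS = {
    "sysadmin": {"OPS-MAINT"},
    "analyst": {"SIGINT-ANALYSIS"},
}

# Assumed action names for channels that move data off the network.
EXFIL_ACTIONS = {"copy_removable", "print", "email_external"}


def parse_log(text):
    """Parse whitespace-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, role, comp, action, nbytes = line.split()
        records.append({"date": date, "user": user, "role": role,
                        "compartment": comp, "action": action,
                        "bytes": int(nbytes)})
    return records


def daily_bytes(records):
    """Total bytes moved per (user, date)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["date"])] += r["bytes"]
    return totals


def detect(records, k=3.0, min_history=3):
    """Return (date, user, alert_type, detail) tuples.

    Three independent checks:
      1. access to a compartment outside the account's role,
      2. use of an exfiltration channel,
      3. a day's volume exceeding the user's own baseline by k sigma.
    """
    alerts = []
    for r in records:
        allowed = ROLE_COMPARTMENTS.get(r["role"], set())
        if r["compartment"] not in allowed:
            alerts.append((r["date"], r["user"], "out_of_role_access",
                           r["compartment"]))
        if r["action"] in EXFIL_ACTIONS:
            alerts.append((r["date"], r["user"], "exfil_channel", r["action"]))

    # Volume anomaly: compare each day against that user's earlier days only,
    # so a single spike does not inflate the baseline it is measured against.
    per_user = defaultdict(list)
    for (user, date), b in sorted(daily_bytes(records).items(),
                                  key=lambda kv: kv[0][1]):
        per_user[user].append((date, b))
    for user, series in per_user.items():
        for i, (date, b) in enumerate(series):
            history = [x for _, x in series[:i]]
            if len(history) < min_history:
                continue
            mu, sigma = mean(history), pstdev(history)
            # Floor the spread at 10% of the mean so a flat history does not
            # produce a zero-width band that flags ordinary variation.
            threshold = mu + k * max(sigma, 0.1 * mu)
            if b > threshold:
                alerts.append((date, user, "volume_anomaly", b))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data the detector is silent for the first four days and raises four alerts on the fifth, all against the sysadmin account: two out-of-role reads, one removable-media copy and one volume anomaly. The point of combining the checks is that none of them depends on knowing the content of the documents; they work purely from who accessed what, through which channel, and how much, which is exactly the telemetry the case study says was missing.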