In the days after the attacks on September 11, 2001, the National Security Agency underwent a transformation from an organization that operated on a "need to know" basis to a "need to share" culture. In the process, the agency threw out many of the procedures and controls that might have stopped Edward Snowden from walking out the door with thousands of secret documents.

But after the WikiLeaks scandal, the NSA began trying to ratchet back on its internal promiscuity with information classified at the highest level—Top Secret/Sensitive Compartmented Information (TS/SCI). Ironically, it was part of this effort that allowed then-contractor systems administrator Snowden to download thousands of documents from the agency's highly classified internal Web servers—documents that were openly available to him because of his security clearance and duties assigned. Most of Snowden's scripting skills were used not to hack into systems within the NSA but to simply manage bulk transfers of data between systems.

"He didn't need to be a sysadmin to get to [the data]," NSA Director of Technology Lonny Anderson said in an interview with Benjamin Wittes and Robert Chesney of the Brookings Institute. "He just needed a TS/SCI clearance. Where I think we were negligent—if we were negligent—is that we allowed him some form of anonymity. So the lesson learned for us is that you've got to remove anonymity from the network."

According to one former NSA employee, that's a lesson that the NSA has resisted learning for much of the last decade. Jarrel Nowlin was fired by the agency in 2010 after losing his clearance, and he told Ars in a series of phone interviews and e-mail exchanges that he filed a complaint with the NSA's inspector general in 2006 over data sharing that he believed violated federal law. Nowlin also filed complaints that NSA employees were sharing access credentials for accounting systems and that employees were sharing data with contractors that allowed them to adjust bids for further work to win new work. Those complaints apparently fell on deaf ears.

From “need to know” to “need to share”

Before 2001, documents that bore a TS/SCI classification were handled on a "need to know" basis. Even if you were granted the highest clearance levels for classified information, you couldn't get access to TS/SCI data unless you were determined to be in a group of people who were required to have access in order to carry out your mission. And the data was generally heavily protected in a secure facility that only those working with the data had access to.

After the 9/11 terrorist attacks, NSA leadership moved to create a new information-sharing culture within the agency. The agency created "WebWorld," a TS/SCI-classified intranet. There was Wiki-based software that would allow employees to share information and post documents they created so anyone from across the agency could access them. "Seventy percent of our workforce was hired post-9/11," Anderson said in his interview. "All they know is share, share, share."

WebWorld was the response to this culture shift. It doesn't provide access to the raw "SIGINT" (signals intelligence) that NSA analysts use—it's a place for PowerPoint slides, Word documents, and other "finished" documents that are intended to be shared with other groups. It was created without access controls in mind, built assuming everyone who accessed it would have a TS/SCI clearance. Theoretically, there was no need for additional auditing beyond having an NSA badge.

But that sharing didn't stop with NSA employees. It included contractors (like Snowden) and anyone else with a clearance who worked alongside NSA employees in the field, according to Nowlin. In 2006, Nowlin filed a complaint with the NSA's inspector general, citing the sharing of data by an NSA employee in San Diego. "The agency has a person on site in San Diego, and when somebody walks in and asks them for something, they're getting it," he said. Nowlin also reported, "the Agency shared computer logins to perform official actions that were authorized without accountability due to the computer login reuse issue."

By December of 2006, Nowlin elevated his complaint, reporting the violation to the Defense Department Inspector General's Office under the provisions of the Intelligence Community Whistleblower Protection Act. He received a letter from the Department of Defense Inspector General's Office, stating that his complaint qualified as an "urgent concern"—defined by the law as a "serious or flagrant problem, abuse, violation of law or Executive order, or deficiency relating to the funding, administration, or operations of an intelligence activity involving classified information, but does not include differences of opinions concerning public policy matters."