Chris Inglis on Snowden, 13 years on: the insider-threat lessons NSA learned in public

Dark Reading Confidential put Chris Inglis — NSA Deputy Director from 2006 to 2014, and the senior civilian in post on the day the Snowden documents broke — in front of a microphone yesterday for thirteen-years-on reflections on the most consequential insider-threat case the cybersecurity community has on record. The interview is worth the read. Inglis is openly partisan (“I’m not impartial,” he says up front), and the political question of whether Edward Snowden was a whistleblower or a traitor is not one he is going to resolve in a podcast. Skip past that debate; the operational lessons hold up regardless of where you sit on it.

Three of those lessons matter for anyone with high-privilege contractors inside their environment in 2026.

The contractor-enculturation problem. Snowden was a Booz Allen SharePoint system administrator with the access to categorise the tools NSA analysts used to do collection and production work. NSA brought him in because Congress had told the federal government that the private sector ran general-purpose IT more efficiently than government ever could, so contractors were how the work got done. The mistake, as Inglis tells it, was extending the same hiring path to “extraordinary privilege” without extending any of the cultural infrastructure that came with being a federal employee. NSA-badged staff get the museum tour on day one — the noble-purpose narrative, the long-arc institutional story, an assigned mentor. Contractors get told to sit down and start work, and to take complaints to their contractor boss. Inglis’s metaphor for what happened next — a smart, self-motivated person with some ego given that treatment — is “sodium and water.” It is the kind of thing every CISO inside a heavily outsourced enterprise should sit with for a minute. The contractor sysadmin holding domain-tier privilege in your environment is by definition the person you have given your highest blast radius to. You probably have not given them the museum tour.

The cross-signal detection failure. Inglis lays out three monitoring surfaces that should have been correlated and were not: physical (when and where the badge enters which campus), digital (login times, sessions, what gets touched), and HR (workplace incidents, performance flags). Snowden had a workplace incident in May 2012 — a year before the leak — that should have been the moment NSA tightened the focus on a sysadmin with extraordinary privilege. He also showed up at other campuses in NSA’s Hawaii complex at odd times of day and did not log on, because he was using borrowed credentials from other sysadmins. Physical-without-digital should have been a question. Digital-without-physical should have been a question. Personnel-flag-plus-extraordinary-privilege should have been a question. None of them were asked, because the three signals lived in three different silos. Inglis’s description of the operational signature is the part to underline: Snowden was “low and slow,” he knew the thresholds and he lived under them. No single tripwire fired because he had worked out the height of every tripwire. Cross-correlation across the three surfaces was the only thing that would have caught him.

The communications failure. This one is the most uncomfortable because it cuts against the security industry’s instincts. Inglis’s argument is that NSA had relied on its statutory oversight — the FISA court, the executive, the congressional intelligence committees — and had therefore assumed it owed the public no further explanation of what it was actually doing. The Stone commission later found that NSA had operated lawfully. Inglis’s point is that it did not matter. The Snowden version of the story landed first, the salacious framing took, and NSA spent years responding to a narrative that was already in market. His CISO translation: if there is a story someone can tell about you that is “interesting, titillating, malignant” about something you do, and you let them tell it first, the truth never quite catches up. Tell it first, even when you do not think you owe anyone the explanation. This is also the lesson that ages best — the post-breach disclosure cycle in 2026 looks identical, just with shorter half-lives.

The fourth and unstated lesson is that Inglis is the one writing the memoir, and the memoir is shaped accordingly. The Stone-commission finding has not closed the political debate, and the contracts-to-clearances pipeline that produced Snowden produced Reality Winner four years later under the same structural conditions. Take Inglis’s operational lessons; leave the partisan framing to the people who care to argue it.