Expanded '2-person rule' could help plug NSA leaks

NSA, FBI, DOJ officials tell Congress secret programs are vital to U.S. security; outline ways to keep sysadmins from leaking classified data

The National Security Agency is creating new processes aimed at making it harder for systems administrators to misuse privileged access to agency systems, NSA officials told the U.S. House Intelligence Committee Tuesday.

NSA director Keith Alexander told lawmakers that the agency may implement a so-called "two-person rule" to better control access to classified data and prevent the taking of data from agency systems without authorization.

The NSA is also exploring the use of new technologies that could minimize its need for system administrators to conduct certain tasks, Alexander said.

He didn't detail the new technologies or processes the agency is evaluating.

The intelligence committee called today's hearing to discuss fallout from data leaks that disclosed a secret NSA phone data collection program and details about PRISM, a classified FBI/NSA data collection program.

Edward Snowden, a former employee of Booz Allen Hamilton, acknowledged that he accessed documents about the programs while working as a contract employee for the NSA in Hawaii. He leaked the documents to multiple newspaper reporters and others.

The leaked documents included a secret court order requiring carrier Verizon to provide the NSA with daily call metadata records pertaining to all domestic and international calls made by its customers since at least April. The other classified document included a presentation explaining the PRISM program. Under the program described in a classified slide presentation, the NSA and FBI gather information on foreign terror suspects directly from servers at Google, Microsoft, Skype, Facebook and other major Internet companies.

Snowden, currently in hiding in Hong Kong, released the documents to The Guardian and The Washington Post newspapers. The leaks fueled broad concerns about apparent widespread domestic surveillance by U.S. intelligence agencies.

The NSA is trying to learn how Snowden could gain access to the leaked data as a contract systems administrator, Alexander said.

"We are looking at where the oversight broke down," Alexander said.

The NSA director maintained that Snowden could only access certain portions of the NSA's networks -- what the programs are and how they work, for example. Snowden could not access any data collected under the program, or query the data for any information, according to Alexander.

There are currently some 1,000 systems administrators, mostly contract employees, with similar access to NSA data, Alexander added.

Going forward, the NSA will put in place a two-person system for controlling access to certain systems and data, he said.

The agency is also waiting on a technology initiative led by the Director of National Intelligence that could help the NSA reduce its dependence on systems administrators, Alexander said.

The two-person rule would stipulate that two individuals with similar roles and authority must act together to execute certain functions.

John Pescatore, director of emerging security trends at the SANS Institute and a former NSA agent, said the two-person rule is available but rarely used as a security measure because it's cumbersome to implement.

At times, contract employees do need permission from a staffer to perform specific administrative tasks. But the rule isn't widely used, as an influx of contract NSA employees in recent years has made it impractical. Such a rule slows routine tasks and makes it harder for systems administrators to do their jobs, he said.

The agency is likely looking to broaden such rules in some way to help ensure that administrators don't abuse access privileges, Pescatore said.

Alexander, Sean Joyce, Deputy Director of the FBI, and Deputy Attorney General James Cole downplayed concerns related to the data collection programs and insisted to the committee that they are vital to national security.

Alexander contended that the NSA phone data records collection program has played a key role in foiling at least 50 potential terrorist plots since the 2011 attacks on New York City and Washington D.C. At least 10 of the foiled plots directly targeted the United States, he said.

The security programs implemented over the past decade are "a direct result of the intelligence community's efforts to better connect the dots and learn from the mistakes that permitted those attacks to occur on 9/11," Alexander said.

Joyce said information found in the phone records of a known terrorist suspect in Yemen helped the FBI arrest a man in Kansas City who was hatching a plot to blow up the New York Stock Exchange. In another incident, the surveillance programs helped the FBI identify an individual in San Diego who was sending funds to a known terrorist group overseas, Joyce said.

Alexander insisted that NSA personnel do not listen to phone conversations or read emails of American citizens. The NSA also doesn't collect video or GPS data on American citizens, he added.

Alexander maintained that all data collected and all surveillance activities conducted under the phone data collection program were approved by Congress.

He denied that the agency collects data directly from servers at U.S. Internet companies, as described in the PRISM documents leaked by Snowden.

Alexander also downplayed concerns that the collected data is being misused to spy on people. Only 22 individuals at the NSA can authorize searches of an individual's phone record data, he said. There are multiple layers of oversight for each request to access such data, he added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
