Expanded '2-person rule' could help plug NSA leaks
NSA, FBI, DOJ officials tell Congress secret programs are vital to U.S. security; outline ways to keep sysadmins from leaking classified data
Computerworld - The National Security Agency is creating new processes aimed at making it harder for systems administrators to misuse privileged access to agency systems, NSA officials told the U.S. House Intelligence Committee Tuesday.
NSA director Keith Alexander told lawmakers that the agency may implement a so-called "two-person rule" to better control access to classified data and prevent the taking of data from agency systems without authorization.
The NSA is also exploring the use of new technologies that could minimize its need for system administrators to conduct certain tasks, Alexander said.
He didn't detail the new technologies or processes the agency is evaluating.
The intelligence committee called today's hearing to discuss fallout from from data leaks that disclosed a secret NSA phone data collection program and details about PRISM, a classified FBI/NSA data collection program.
Edward Snowden, a former employee of Booz Allen Hamilton acknowledged that he accessed documents about the programs while working as a contract employee for the NSA in Hawaii. He leaked the documents to multiple newspaper reporters and others.
The leaked documents included a secret court order requiring carrier Verizon to provide the NSA with daily call metadata records pertaining to all domestic and international calls made by its customers since at least April. The other classified document included a presentation explaining the PRISM program. Under the program described in a classified slide presentation, the NSA and FBI gathers information on foreign terror suspects directly from servers at Google, Microsoft, Skype, Facebook and other major Internet companies.
Snowden, currently in hiding in Hong Kong, released the documents to The Guardian and The Washington Post newspapers. The leaks fueled broad concerns about apparent widespread domestic surveillance by U.S. intelligence agencies.
The NSA is trying to learn how Snowden could gain access to the leaked data as a contract systems administrator, Alexander said.
"We are looking at where the oversight broke down," Alexander said.
The NSA director maintained that Snowden could only access certain portions of NSAs networks -- what the programs are and how they work, for example. Snowden could not access any data collected under the program, or query the data for any information, according to Alexander.
There are currently some 1,000 systems administrators, mostly contract employees, with similar access to NSA data, Alexander added,
Going forward, the NSA will put in place a two-person system for controlling access to certain systems and data, he said.
The agency is also waiting on a technology initiative led by the Director of National Intelligence that could help the NSA reduce its dependence on systems administrators, Alexander said
The two-person rule would stipulate that two individuals with similar roles and authority must act together to execute certain functions.
- Franken presses Ford on location data collection practices
- Justices let stand appeals court decision on border searches of laptops
- California lawmakers move to bar state help to NSA
- Appeals court again nixes Google's bid to overturn Street View case
- Older Mac webcams can spy without activating warning light
- Update: Judge rules NSA spy efforts may be unconstitutional
- Perspective: Privacy concerns could keep Amazon delivery drones grounded
- NSA collects data from millions of cellphones daily
- Perspective: Curbing data use is key to reining in NSA
- Lavabit-DOJ dispute zeroes in on encryption key ownership
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Understanding big data so you can act with confidence Automating information integration and governance and employing it at the point of data creation helps organizations boost confidence in their big data.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After... All Privacy White Papers | Webcasts