Expanded '2-person rule' could help plug NSA leaks
John Pescatore, director of emerging security trends at the SANS Institute and a former NSA agent said the two-person rule is available but rarely used as a security measure because it's cumbersome to implement.
At times, contract employees do need permission from a staffer to perform specific administrative tasks. But the rule isn't widely used as an influx of contract NSA employees in recent years has made it impractical. Such a rule slow routines tasks and makes it harder for systems administrators to do their jobs, he said.
The agency is likely looking to broaden such rules in some way to help ensure that administrators don't abuse access privileges, Pescarote said.
Alexander, Sean Joyce, Deputy Director of the FBI, and Deputy Attorney General James Cole downplayed concerns related to the data collection programs and insisted to the committee that they are vital to national security.
Alexander contended that that NSA phone data records collection program has played a key role in foiling at least 50 potential terrorist plots since the 2011 attacks on New York City and Washington D.C. At least 10 of the foiled plots directly targeted the United States, he said.
The security programs implemented over the past decade are "a direct result of the intelligence community's efforts to better connect the dots and learn from the mistakes that permitted those attacks to occur on 9/11," Alexander said.
Joyce said information found in the phone records of a known terrorist suspect in Yemen helped the FBI arrest a man in Kansas City who was hatching a plot to blow up the New York Stock Exchange. In another incident, the surveillance programs helped the FBI identify an individual in San Diego who was sending funds to a known terrorist group overseas, Joyce said.
Alexander insisted that NSA personnel does not listen to phone conversations or read emails of American citizens. The NSA also doesn't collect video or GPS data on American citizens, he added.
Alexander maintained that all data collected and all surveillance activities conducted under the phone data collection program were approved by Congress.
He denied that the agency was collects data directly servers at U.S. Internet companies, as described in the PRISM documents leaked by Snowden.
Alexander also downplayed concerns that the collected data is being misused to spy on people. Only 22 individuals at the NSA can authorize searches of an individual's phone record data, he said. There are multiple layers of oversight for each request to access such data, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is email@example.com.
- NSA defends collecting data from U.S. residents not suspected of terrorist activities
- Groups fear bill would allow free flow of data between private sector and NSA
- Google's move into home automation means even less privacy
- Bill to require warrant for email searches gains ground in House
- Coming soon to a fridge near you -- targeted ads
- Snowden leaks prompt tech firms to tout privacy, transparency policies
- License reader lawsuit can be heard, appeals court rules
- Is EU's 'right to be forgotten' really the 'right to edit the truth'?
- Tails 1.0: A bootable Linux distro that protects your privacy
- Privacy jitters derail controversial K-12 big data initiative
Read more about Privacy in Computerworld's Privacy Topic Center.
- Combating Identity Theft in a Mobile, Social World Offering identity theft protection and remediation allows businesses to give their workforce the confidence to efficiently engage while bringing financial reward to the...
- After a Breach: Managing Identity Theft Effectively This white paper from LifeLock Business Solutions notes that FIs in addition to managing fraud should strive to turn a negative event for...
- Combating Identity Fraud in a Virtual World This slide presentation reveals findings from the Javelin Strategy & Research 2012 Identity Fraud Report about mobile and social trends, the real risks...
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!