Expanded '2-person rule' could help plug NSA leaks
John Pescatore, director of emerging security trends at the SANS Institute and a former NSA agent, said the two-person rule is available but rarely used as a security measure because it's cumbersome to implement.
At times, contract employees do need permission from a staffer to perform specific administrative tasks. But the rule isn't widely used, as an influx of contract NSA employees in recent years has made it impractical. Such a rule slows routine tasks and makes it harder for systems administrators to do their jobs, he said.
The agency is likely looking to broaden such rules in some way to help ensure that administrators don't abuse access privileges, Pescatore said.
Alexander, Sean Joyce, Deputy Director of the FBI, and Deputy Attorney General James Cole downplayed concerns related to the data collection programs and insisted to the committee that they are vital to national security.
Alexander contended that the NSA phone data records collection program has played a key role in foiling at least 50 potential terrorist plots since the 2011 attacks on New York City and Washington D.C. At least 10 of the foiled plots directly targeted the United States, he said.
The security programs implemented over the past decade are "a direct result of the intelligence community's efforts to better connect the dots and learn from the mistakes that permitted those attacks to occur on 9/11," Alexander said.
Joyce said information found in the phone records of a known terrorist suspect in Yemen helped the FBI arrest a man in Kansas City who was hatching a plot to blow up the New York Stock Exchange. In another incident, the surveillance programs helped the FBI identify an individual in San Diego who was sending funds to a known terrorist group overseas, Joyce said.
Alexander insisted that NSA personnel do not listen to phone conversations or read emails of American citizens. The NSA also doesn't collect video or GPS data on American citizens, he added.
Alexander maintained that all data collected and all surveillance activities conducted under the phone data collection program were approved by Congress.
He denied that the agency collects data directly from servers at U.S. Internet companies, as described in the PRISM documents leaked by Snowden.
Alexander also downplayed concerns that the collected data is being misused to spy on people. Only 22 individuals at the NSA can authorize searches of an individual's phone record data, he said. There are multiple layers of oversight for each request to access such data, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.