Expanded '2-person rule' could help plug NSA leaks
John Pescatore, director of emerging security trends at the SANS Institute and a former NSA agent said the two-person rule is available but rarely used as a security measure because it's cumbersome to implement.
At times, contract employees do need permission from a staffer to perform specific administrative tasks. But the rule isn't widely used as an influx of contract NSA employees in recent years has made it impractical. Such a rule slow routines tasks and makes it harder for systems administrators to do their jobs, he said.
The agency is likely looking to broaden such rules in some way to help ensure that administrators don't abuse access privileges, Pescarote said.
Alexander, Sean Joyce, Deputy Director of the FBI, and Deputy Attorney General James Cole downplayed concerns related to the data collection programs and insisted to the committee that they are vital to national security.
Alexander contended that that NSA phone data records collection program has played a key role in foiling at least 50 potential terrorist plots since the 2011 attacks on New York City and Washington D.C. At least 10 of the foiled plots directly targeted the United States, he said.
The security programs implemented over the past decade are "a direct result of the intelligence community's efforts to better connect the dots and learn from the mistakes that permitted those attacks to occur on 9/11," Alexander said.
Joyce said information found in the phone records of a known terrorist suspect in Yemen helped the FBI arrest a man in Kansas City who was hatching a plot to blow up the New York Stock Exchange. In another incident, the surveillance programs helped the FBI identify an individual in San Diego who was sending funds to a known terrorist group overseas, Joyce said.
Alexander insisted that NSA personnel does not listen to phone conversations or read emails of American citizens. The NSA also doesn't collect video or GPS data on American citizens, he added.
Alexander maintained that all data collected and all surveillance activities conducted under the phone data collection program were approved by Congress.
He denied that the agency was collects data directly servers at U.S. Internet companies, as described in the PRISM documents leaked by Snowden.
Alexander also downplayed concerns that the collected data is being misused to spy on people. Only 22 individuals at the NSA can authorize searches of an individual's phone record data, he said. There are multiple layers of oversight for each request to access such data, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.
- Franken presses Ford on location data collection practices
- Justices let stand appeals court decision on border searches of laptops
- California lawmakers move to bar state help to NSA
- Appeals court again nixes Google's bid to overturn Street View case
- Older Mac webcams can spy without activating warning light
- Update: Judge rules NSA spy efforts may be unconstitutional
- Perspective: Privacy concerns could keep Amazon delivery drones grounded
- NSA collects data from millions of cellphones daily
- Perspective: Curbing data use is key to reining in NSA
- Lavabit-DOJ dispute zeroes in on encryption key ownership
Read more about Privacy in Computerworld's Privacy Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Gartner 2013 Magic Quadrant for Enterprise Backup/Recovery Software See why CommVault was positioned as the #1 leader in Gartner's 2013 Magic Quadrant for Enterprise Backup/Recovery software for the 3rd year in...
- Forrester Report: CommVault is a Leader in Enterprise Backup and Recovery In this report, Forrester takes a deep dive into the evaluation criteria, how CommVault is positioned and the features and functionality that make...
- Forrester Wave for Enterprise Backup and Recovery Read this report to see how CommVault continues to outpace its competitors and why Forrester positioned CommVault Simpana as the top backup and...
- Architecting the Network of the Future Networks need to change, as does the way IT thinks about and manages them. In addition to reliability, IT must now add higher...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them. All Privacy White Papers | Webcasts