Skip the navigation

Expanded '2-person rule' could help plug NSA leaks

June 18, 2013 03:54 PM ET

John Pescatore, director of emerging security trends at the SANS Institute and a former NSA agent said the two-person rule is available but rarely used as a security measure because it's cumbersome to implement.

At times, contract employees do need permission from a staffer to perform specific administrative tasks. But the rule isn't widely used as an influx of contract NSA employees in recent years has made it impractical. Such a rule slow routines tasks and makes it harder for systems administrators to do their jobs, he said.

The agency is likely looking to broaden such rules in some way to help ensure that administrators don't abuse access privileges, Pescarote said.

Alexander, Sean Joyce, Deputy Director of the FBI, and Deputy Attorney General James Cole downplayed concerns related to the data collection programs and insisted to the committee that they are vital to national security.

Alexander contended that that NSA phone data records collection program has played a key role in foiling at least 50 potential terrorist plots since the 2011 attacks on New York City and Washington D.C. At least 10 of the foiled plots directly targeted the United States, he said.

The security programs implemented over the past decade are "a direct result of the intelligence community's efforts to better connect the dots and learn from the mistakes that permitted those attacks to occur on 9/11," Alexander said.

Joyce said information found in the phone records of a known terrorist suspect in Yemen helped the FBI arrest a man in Kansas City who was hatching a plot to blow up the New York Stock Exchange. In another incident, the surveillance programs helped the FBI identify an individual in San Diego who was sending funds to a known terrorist group overseas, Joyce said.

Alexander insisted that NSA personnel does not listen to phone conversations or read emails of American citizens. The NSA also doesn't collect video or GPS data on American citizens, he added.

Alexander maintained that all data collected and all surveillance activities conducted under the phone data collection program were approved by Congress.

He denied that the agency was collects data directly servers at U.S. Internet companies, as described in the PRISM documents leaked by Snowden.

Alexander also downplayed concerns that the collected data is being misused to spy on people. Only 22 individuals at the NSA can authorize searches of an individual's phone record data, he said. There are multiple layers of oversight for each request to access such data, he added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at Twitter@jaivijayan, or subscribe to Jaikumar's RSS feed Vijayan RSS. His email address is jvijayan@computerworld.com.

Read more about Privacy in Computerworld's Privacy Topic Center.



Our Commenting Policies
Consumerization of IT: Be in the know
consumer tech

Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!