NSA Moves to Prevent Snowden-Like Leaks

Agency Implementing 2-Person Rule, Increasing Encryption Use
NSA Moves to Prevent Snowden-Like Leaks

The National Security Agency has taken 41 actions to prevent leaks by insiders in the wake of disclosures of highly classified documents about the agency's surveillance programs by former agency contractor Edward Snowden, NSA Director Gen. Keith Alexander says.

See Also: Roadmap for Identity Management in the Modern Organization

Appearing before the Senate Judiciary Committee on Dec. 11, Alexander was unapologetic about the mass data collection programs that some critics contend violate Americans' privacy and civil liberties, saying he's willing to work with Congress and industry to develop better surveillance methods as long as they don't compromise the nation's security.

To prevent future Snowden-like leaks, Alexander says the NSA is implementing the so-called two-person rule, which requires that two systems administrators approve jointly any access to systems and files containing highly classified materials (see NSA Pilots 2-Person Rule to Thwart Leaks).

The NSA also will increase the use of encryption to keep sensitive data secret from unauthorized individuals, Alexandar says. The 4-star Army general, who also heads the military's cyber command, didn't provide the committee with any more information about the 41 actions, but promised to furnish the panel with details on all those steps by Dec. 18.

Snowden Leak Details

In his testimony, Alexander also furnished more insight about how Snowden leaked the documents.

"His job was to move data," the NSA director says. "He was the person to move the books from point A to point B; he was the SharePoint webserver administrator. His job was to do what he did. Therein lies part of the problem. We had one individual who had responsibility to move that data, who betrayed that trust. We believed [he] would execute that duty and in a manner that everybody agreed to be done."

Citing a letter to President Obama and Congress from eight information technology companies calling for reforms of government surveillance programs, Alexander says he's willing to meet with them to hear their ideas (see Online Firms Blast NSA's Tactics).

"They ought to be players here," he says. "They have been hurt by this, unfairly hurt. ... Industry has some technical capabilities that may be better than we have. If they have ideas about what we can do better to protect the nation and protect our civil liberties and privacy, we should put them on the table. I think that we should have a way to bring government and industry together for the good of the nation and we ought to take those steps."

Patriot Act Provisions

The NSA's data collection programs are authorized under Section 215 of the Patriot Act, which permits the government to apply to the secret Foreign Intelligence Surveillance Act courts to compel businesses to hand over metadata of non-U.S. citizens. Another provision of the act, Section 702, allows the collection of communications data on foreigners located overseas. Some critics, though, contend information about Americans has been collected as well.

Committee Chairman Patrick Leahy, D-Vt., asked Alexander how many Americans had communications information collected under Section 215. Alexander responded the NSA has identified fewer than 200 telephone numbers searched under that provision.

Sen. Al Franken, D-Minn., sought a ballpark figure for the number of Americans whose communications information was collected under Section 702. But Alexander didn't provide a figure, responding: "I don't mean to hedge. Let me tell you the difficulties. If a terrorist we're going after is talking to another person, in that communication, there is nothing that says, 'I'm an American and here's my Social Security number.' The fact is that when we are tracking a terrorist, if they're talking to five people and one of those is an American, the chances of us knowing that [he is an American] is very small. If we find out they are an American, then there are procedures the attorney general and courts have given us that we have to do to minimize that data [collection] on that American."

Franken has introduced a bill that would require the NSA to estimate the number of Americans whose information had been searched by the government.

"The American people are skeptical of executive power. When there's a lack of transparency they tend to suspect abuse," Franken says. "Part of the reason to have transparency is for people to make their decisions based on some real information about whether or not this power is being abused."

Alexander says he agrees with Franken and wants to work with Congress to create more transparency. "I think this is the right thing to do," he says. "The number isn't that big, and I think that if we can bring it to the American people and ... when the American people understand that, they'll know what we're doing is right."

About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.

Around the Network