6/19/2013
12:36 PM

NSA Tests IT Access Control Restrictions

Could two-person access requirements and better automation prevent future leaks?

The National Security Agency (NSA) is studying new information security policies and technology to help the agency prevent future leaks.

Testifying before the House Intelligence Committee Tuesday, NSA director Gen. Keith Alexander said that measures under consideration include requiring two people, with comparable levels of authority and experience, to be present before any highly sensitive data can be accessed, even if only for systems administration purposes.

In his testimony, Alexander defended the agency's surveillance programs -- with names such as Mainway, for traffic analysis of cell phone calls; Prism, recording Internet-borne audio, email and video; Marina, for Internet traffic analysis; and Nucleon, for telephone content interception -- in the wake of details of the programs being leaked earlier this month by Edward Snowden.


While employed by Booz Allen Hamilton, Snowden worked as a contract NSA systems administrator. He wasn't unique; the agency relies heavily on IT contractors who hold top-secret clearances, as Snowden did. In fact, Alexander told the committee that about 1,000 of the agency's contract employees serve as systems administrators.

Now, however, Alexander said the agency is investigating whether it can use technology to automate more systems administrator responsibilities. Another proposal the NSA is considering to safeguard agency secrets against rogue employees is to put in place the two-man rule, which would require at least two people to be present before systems containing sensitive data could be accessed. The technique is already used to safeguard nuclear launches -- as portrayed in movies such as WarGames and The Hunt For Red October -- as well as to physically secure access to some types of sensitive information or systems. But according to information security experts, it's rarely used, because the technique slows down even routine tasks.
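As an added illustration (not code from the NSA or from this article), the two-person requirement described above can be expressed as an authorization check that refuses access unless a second, independent person of comparable authority has recently co-signed. The clearance scale, the five-minute validity window and all names are assumptions made for the sketch.

```python
import time
from dataclasses import dataclass

APPROVAL_TTL = 300  # seconds a co-signature stays valid (assumed window)

@dataclass(frozen=True)
class Approval:
    approver: str      # identity of the second person
    clearance: int     # approver's authority level (hypothetical scale)
    issued_at: float   # epoch seconds when the co-signature was given

def authorize(requester, requester_clearance, resource_level, approvals, now=None):
    """Two-person rule: return (allowed, reason) for one access request."""
    now = time.time() if now is None else now
    # The requester must be cleared in the first place.
    if requester_clearance < resource_level:
        return False, "requester not cleared for resource"
    rejected = []
    for a in approvals:
        if a.approver == requester:
            # An administrator cannot act as their own second person.
            rejected.append("self-approval")
        elif a.clearance < requester_clearance:
            # "Comparable authority": a junior account cannot rubber-stamp.
            rejected.append("approver below requester's authority")
        elif not 0 <= now - a.issued_at <= APPROVAL_TTL:
            # Stale or future-dated approvals do not show the person is present.
            rejected.append("approval expired")
        else:
            return True, f"co-signed by {a.approver}"
    return False, "; ".join(rejected) or "no second person"

if __name__ == "__main__":
    NOW = 1_000_000.0  # constructed timestamp so the run is repeatable
    cases = [  # constructed sample requests from a sysadmin "alice" (level 3)
        [],
        [Approval("alice", 3, NOW)],
        [Approval("bob", 2, NOW)],
        [Approval("bob", 3, NOW - 301)],
        [Approval("bob", 3, NOW - 10)],
    ]
    for approvals in cases:
        print(authorize("alice", 3, 3, approvals, now=NOW))
```

Every denied request costs the administrator a round trip to a colleague, which is the slowdown the experts cited here point to.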

Despite raising those proposals, Alexander told the committee that the NSA still didn't know how Snowden had gained access to the classified material that he leaked. "We are looking at where the oversight broke down," he said.

But the Los Angeles Times, quoting an unnamed U.S. official, recently reported that NSA investigators had identified which server Snowden accessed and which documents he copied onto a USB thumb drive. According to journalist Glenn Greenwald, who broke the story, Snowden leaked "thousands" of documents, of which "dozens" were newsworthy.

Despite those documents going missing, in the hearing, both House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member C.A. Dutch Ruppersberger (D-Mary.), who together co-authored the divisive CISPA bill, expressed their support for the NSA. Even the title of the hearing, "How Disclosed NSA Programs Protect Americans, and Why Disclosure Aids Our Adversaries," telegraphed the committee's prevailing viewpoint, with Alexander reportedly facing a warm reception.

That began with Rogers' opening remarks. "One of the more damaging aspects of selectively leaking incomplete information is that it paints an inaccurate picture and fosters distrust in our government," he said. "It is at times like these where our enemies within become almost as damaging as our enemies on the outside."

Some legislators did, however, press Alexander on program details, including how access to the collected information was protected, and whether it might also be subject to leaks. "This is historically unprecedented in the extent of the data that is being collected on potentially all American citizens," said Rep. Jim Himes (D-Conn.). "We know that when a capability exists, there's a potential for abuse." But Alexander responded that access to captured metadata was highly restricted, and that any inappropriate access would lead to the rogue analyst being detected and caught.

Alexander further defended the surveillance programs, which were launched under a still-secret reading of the Patriot Act, by saying that they'd helped foil 50 terror plots, although that assertion wasn't backed up by any evidence. Under questioning, he said that intercepts of foreign Internet communications had helped in about half of the cases, while traffic analysis of phone calls had helped in 10 of those cases.

Critics of the NSA's surveillance programs, however, said that the hearing did little to probe those programs or address the implications of what Snowden described in a Q&A Monday as "the largest program of suspicionless surveillance in human history."

"This hearing isn't a fact-finding mission, it's a PR stunt," Michelle Richardson, legislative counsel at the American Civil Liberties Union, told The Wall Street Journal. "It's clear that leadership of the intelligence committees consider themselves part of the intelligence community, not an independent body tasked with its oversight."
