7/31/2013
05:38 PM

NSA Director Faces Cybersecurity Community At Black Hat

Gen. Keith Alexander aims to set the record straight on controversial NSA spying programs, calling out how leaked surveillance programs helped derail specific terror plots

LAS VEGAS -- BLACK HAT USA -- NSA director Keith Alexander in a keynote address here today spoke in rare detail about how the intelligence agency's recently leaked surveillance programs have helped the agency and the FBI "connect the dots" and stop terrorists and terrorist plots.

Alexander said the reason for his appearance was to set the record straight on reports about secret NSA spying activities and to solicit the security industry's input on how to balance national defense and the protection of civil liberties. "I promise to tell you the truth about what we know and what we're doing. What I cannot tell you ... is because we don't want to jeopardize our future defenses," he told attendees.

Alexander's appearance came on the day of yet another revelation from whistleblower Edward Snowden's leaks to The Guardian -- this time, of another tool reportedly called XKeyScore, which Snowden said collects everything a user does online, including email, social media, and browsing history. According to The Guardian report, NSA documents say the XKeyscore program encompasses "nearly everything a typical user does on the internet." That includes "the content of emails, websites visited and searches, as well as their metadata."

The NSA director did not mention XKeyScore in his presentation, nor did the program come up during the question-and-answer period when Alexander responded to queries that Black Hat organizers had gathered from the conference community in advance of the keynote. "The issue that stands before us today is one of what do we do next -- how do we start this discussion on defending our nation and protecting our civil liberties and privacy?" Alexander said. "The reason I'm here is you may have some ideas on how to do it better. We need to hear those ideas. But equally important from my perspective is that you get the facts."

NSA's additional surveillance programs came in the wake of the 9/11 terrorist attacks, which the independent 9/11 commission's report concluded were, in part, the result of a failure of the U.S. intelligence community to "connect the dots."

"So we had to come up with a way to help stop the attacks ... The Congress, administration, and the courts all joined together to come up with programs that meet our Constitution and help us connect those dots," Alexander said.

That led to the two now hotly debated programs, the so-called Section 215 Authority, a.k.a. the PRISM program, and Section 702 Authority, which allows the NSA to acquire content when needed. Alexander says the discussion surrounding those programs so far hasn't taken into consideration the oversight -- Congress, the courts, and the administration -- and compliance that goes hand in hand with them.

"It's not true that we are collecting everything," he said. He showed a screenshot of what he says NSA analysts actually can see under the Section 215 Authority under FISA, for counterterrorism efforts: date and time of a phone call, the calling number, the called number, the duration of the call, and the origin of the metadata. No voice calls, SMS text messages, names, or location information, he said. "This does not include the content of communications, your phone calls or mail, not my phone calls or emails. There is no content: no names, addresses, in the database or locational information used," Alexander said.

A limited number of NSA employees can approve whether this information is gathered, he said. "Only 22 people can approve that [phone] number has been proven to meet the standards set by the court that it has a counterterrorism nexus ... Only then is that number added to a list that can be queried," he said, and only phone numbers on that list can be queried in that database. And just 35 specially trained NSA analysts are authorized to run those queries, he said.

He offered up some data, including that the NSA got approval for querying 300 phone numbers in a case of a terrorist who was residing in California. "Those queries resulted in 12 reports to the FBI," Alexander said. "Those reports take less than 500 [phone] numbers, not millions. The intent of this was to find a terrorist actor and identify him to the FBI."

As for concerns about NSA employees abusing the use of this information, Alexander noted that the agency closely monitors its employees. "We can audit the actions 100 percent of our people, and we do," he said, on every query made.

The second program, FISA Amendment Act Section 702, of which PRISM is a part, is for intercepting communications of foreign threats. "This is not targeting U.S. persons ... this is our lawful intercept program," he said.

Alexander also addressed questions over whether NSA is abusing its power. He said the NSA is not authorized to listen in on communications, and pointed to a four-year congressional review of the program that found no violations by the NSA of that program. "They found no one at NSA has ever gone outside the boundaries of what we've been given. That's the fact," he said. "What you're hearing [in the press and other places] that they could -- but the fact is, they don't."

The agency's auditing tools would catch any such behavior, he said. "Their intent is not to go after our communications. The intent is to find the terrorist that walks among us," he said. "We have two programs that help us do that. One is on metadata, the least invasive method we could [use] ... it allows us to hone in and give the FBI greater insights into these actors," he said. "And we have this content program," which also is audited, he said.

He said at times he asks whether the programs are "too much." "Our people say it's the right thing to do. The nation needs to know we're going to do the right thing," he said. "We comply with the court orders and do this exactly right, and if we make a mistake, report it."

The New York City bomb plot case in 2009 is a prime example of what the NSA programs do, Alexander explained. The agency used the PRISM/702 program to get a service provider to hand over the communications of a phone number, which the FBI later identified as belonging to Najibullah Zazi; the FBI then discovered discussions in his emails about an "imminent" terrorist attack, Alexander said. "That could have been the biggest attack in the U.S. since 9/11," he said. The ultimate capture of Zazi and his cohorts all started with an initial tip from PRISM data, he said.

Some 54 terrorist-related activities have been disrupted by the NSA programs, he said, 13 of which were in the U.S. and the rest in other nations.

Alexander, clad in his white military shirt, faced a mostly respectful audience, but was heckled by a couple of protesters who voiced their mistrust of the NSA. A carton of eggs was also confiscated from the sixth row prior to the commencement of the keynote.

Jeff Moss, the founder of Black Hat and former general manager of the hacking and security industry event, prior to Alexander's introduction applauded his coming to speak to the security community despite the rising tensions and debate over the scope of NSA's spying operations.

"I haven't sensed this much apprehension and tension in the community" since the Clipper chip debate in the '90s, Moss said. "A lot of us are wondering what comes next ... now we are starting to face those issues that had only been hinted at before. It would have been easy for [Alexander] to duck out and not speak to us. He's not here because he has to be -- he's here because he wants to be. His interest is engaging with the community."

Alexander's speaking engagement at DEF CON last year actually began the conversation between NSA and the security community on "shared values and civil liberties and privacy," Moss said.

[The Dark Tangent's post stirs heated debate within the hacker, security community. See DEF CON Founder Urges Feds To Take A 'Time Out' From The Hacker Conference.]

Mark Weatherford, the former deputy undersecretary for cybersecurity at the Department of Homeland Security, says Alexander's speaking before the Black Hat crowd was significant. "He's never done this before another large group. That's pretty profound," says Weatherford, principal with The Chertoff Group in Washington, D.C.

"We've never seen some of that [information] before," Weatherford said of Alexander's presentation on the NSA's leaked surveillance programs. "But there is still only so much he can talk about. I think it was a good conversation. He's not used to talking to an audience like this, and one that's willing to say 'BS.'"

Marc Maiffret, chief technology officer at BeyondTrust, notes that information security basically monitors everything as well. "We know the benefit of that," he says, but the worry among critics of the NSA has been what the NSA's monitoring means to our personal information and the potential abuse of that power, he says.

Maiffret says Alexander's providing specifics of the good the NSA programs have actually done is key, and is what has been missing thus far from the agency.

The full video recording of Alexander's keynote is available here on Black Hat's website.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...