NSA Director Faces Cybersecurity Community At Black Hat
Gen. Keith Alexander aims to set the record straight on controversial NSA spying programs, calling out how leaked surveillance programs helped derail specific terror plots
LAS VEGAS -- BLACK HAT USA -- NSA director Keith Alexander in a keynote address here today spoke in rare detail about how the intelligence agency's recently leaked surveillance programs have helped the agency and the FBI "connect the dots" and stop terrorists and terrorist plots.
Alexander said the reason for his appearance was to set the record straight on reports about secret NSA spying activities and to solicit the security industry's input on how to balance national defense and the protection of civil liberties. "I promise to tell you the truth about what we know and what we're doing. What I cannot tell you ... is because we don't want to jeopardize our future defenses," he told attendees.
Alexander's appearance came on the day of yet another revelation from whistleblower Edward Snowden's leaks to The Guardian -- this time, of another tool reportedly called XKeyScore, which Snowden said collects everything a user does online, including email, social media, and browsing history. According to The Guardian report, NSA documents say the XKeyscore program encompasses "nearly everything a typical user does on the internet." That includes "the content of emails, websites visited and searches, as well as their metadata."
The NSA director did not mention XKeyScore in his presentation, nor did the program come up during the question-and-answer period when Alexander responded to queries that Black Hat organizers had gathered from the conference community in advance of the keynote. "The issue that stands before us today is one of what do we do next -- how do we start this discussion on defending our nation and protecting our civil liberties and privacy?" Alexander said. "The reason I'm here is you may have some ideas on how to do it better. We need to hear those ideas. But equally important from my perspective is that you get the facts."
NSA's additional surveillance programs came in the wake of the 9/11 terrorist attacks, which the independent 9/11 commission's report concluded was, in part, the result of a failure of the U.S. intelligence community to "connect the dots."
"So we had to come up with a way to help stop the attacks ... The Congress, administration, and the courts all joined together to come up with programs that meet our Constitution and help us connect those dots," Alexander said.
That led to the two now hotly debated programs, the so-called Section 215 Authority, a.k.a. the PRISM program, and Section 702 Authority, which allows the NSA to acquire content when needed. Alexander says the discussion surrounding those programs so far hasn't taken into consideration the oversight -- Congress, the courts, and the administration -- and compliance that goes hand in hand with them.
"It's not true that we are collecting everything," he said. He showed a screenshot of what he says NSA analysts actually can see under the Section 215 Authority under FISA, for counterterrorism efforts: date and time of a phone call, the calling number, the called number, the duration of the call, and the origin of the metadata. No voice calls, SMS text messages, names, or location information, he said. "This does not include the content of communications, your phone calls or mail, not my phone calls or emails. There is no content: no names, addresses, in the database or locational information used," Alexander said.
A limited number of NSA employees can approve whether this information is gathered, he said. "Only 22 people can approve that [phone] number has been proven to meet the standards set by the court that it has a counterterrorism nexus ... Only then is that number added to a list that can be queried," he said, and only phone numbers on that list can be queried in that database. And just 35 specially trained NSA analysts are authorized to run those queries, he said.
He offered up some data, including that the NSA got approval for querying 300 phone numbers in a case of a terrorist who was residing in California. "Those queries resulted in 12 reports to the FBI," Alexander said. "Those reports take less than 500 [phone] numbers, not millions. The intent of this was to find a terrorist actor and identify him to the FBI."
As for concerns about NSA employees abusing the use of this information, Alexander noted that the agency closely monitors its employees. "We can audit the actions 100 percent of our people, and we do," he said, on every query made.
The second program, FISA Amendment Act Section 702, of which PRISM is a part, is for intercepting communications of foreign threats. "This is not targeting U.S. persons ... this is our lawful intercept program," he said.
Alexander also addressed questions over whether NSA is abusing its power. He said the NSA is not authorized to listen in on communications, and pointed to a four-year congressional review of the program that found no violations by the NSA of that program. "They found no one at NSA has ever gone outside the boundaries of what we've been given. That's the fact," he said. "What you're hearing [in the press and other places] that they could -- but the fact is, they don't."
The agency's auditing tools would catch any such behavior, he said. "Their intent is not to go after our communications. The intent is to find the terrorist that walks among us," he said. "We have two programs that help us do that. One is on metadata, the least invasive method we could [use] ... it allows us to hone in and give the FBI greater insights into these actors," he said. "And we have this content program," which also is audited, he said.
He said at times he asks whether the programs are "too much." "Our people say it's the right thing to do. The nation needs to know we're going to do the right thing," he said. "We comply with the court orders and do this exactly right, and if we make a mistake, report it."
The New York City bomb plot case in 2009 is a prime example of what the NSA programs do, Alexander explained. The agency used the PRISM/702 program to get a service provider to hand over the communications of a phone number, which the FBI later identified as belonging to Najibullah Zazi, and discovered discussions in his emails about an "imminent" terrorist attack, Alexander said. "That could have been the biggest attack in the U.S. since 9/11," he said. The ultimate capture of Zazi and his cohorts all started with an initial tip from PRISM data, he said.
Some 54 terrorist-related activities have been disrupted by the NSA programs, he said, 13 of which were in the U.S. and the rest in other nations.
Alexander, clad in his white military shirt, faced a mostly respectful audience, but was heckled by a couple of protesters who voiced their mistrust of the NSA. A carton of eggs was also confiscated from the sixth row prior to the commencement of the keynote.
Jeff Moss, the founder of Black Hat and former general manager of the hacking and security industry event, prior to Alexander's introduction applauded his coming to speak to the security community despite the rising tensions and debate over the scope of NSA's spying operations.
"I haven't sensed this much apprehension and tension in the community" since the Clipper chip debate in the '90s, Moss said. "A lot of us are wondering what comes next ... now we are starting to face those issues that had only been hinted at before. It would have been easy for [Alexander] to duck out and not speak to us. He's not here because he has to be -- he's here because he wants to be. His interest is engaging with the community."
Alexander's speaking engagement at DEF CON last year actually began the conversation between NSA and the security community on "shared values and civil liberties and privacy," Moss said.
Mark Weatherford, the former deputy undersecretary for cybersecurity at the Department of Homeland Security, says Alexander's speaking before the Black Hat crowd was significant. "He's never done this before another large group. That's pretty profound," says Weatherford, principal with The Chertoff Group in Washington, D.C.
"We've never seen some of that [information] before," Weatherford said of Alexander's presentation on the NSA's leaked surveillance programs. "But there is still only so much he can talk about. I think it was a good conversation. He's not used to talking to an audience like this, and one that's willing to say 'BS.'"
Marc Maiffret, chief technology officer at BeyondTrust, notes that information security basically monitors everything as well. "We know the benefit of that," he says, but the worry among critics of the NSA has been what the NSA's monitoring means to our personal information and the potential abuse of that power, he says.
Maiffret says Alexander's providing specifics of what the NSA programs have actually done for good is key, and what has been missing thus far from the agency.
The full video recording of Alexander's keynote is available here on Black Hat's website.
Kelly Jackson Higgins is Executive Editor at DarkReading.com.