Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:38 PM
Connect Directly

NSA Director Faces Cybersecurity Community At Black Hat

Gen. Keith Alexander aims to set the record straight on controversial NSA spying programs, calling out how leaked surveillance programs helped derail specific terror plots

LAS VEGAS -- BLACK HAT USA -- NSA director Keith Alexander in a keynote address here today spoke in rare detail about how the intelligence agency's recently leaked surveillance programs have helped the agency and the FBI "connect the dots" and stop terrorists and terrorist plots.

Click here for more of Dark Reading's Black Hat articles.

Alexander said the reason for his appearance was to set the record straight on reports about secret NSA spying activities and to solicit the security industry's input on how to balance national defense and the protection of civil liberties. "I promise to tell you the truth about what we know and what we're doing. What I cannot tell you ... is because we don't want to jeopardize our future defenses," he told attendees.

Alexander's appearance came on the day of yet another revelation from whistleblower Edward Snowden's leaks to The Guardian -- this time, of another tool reportedly called XKeyScore, which Snowden said collects everything a user does online, including email, social media, and browsing history. According to The Guardian report, NSA documents say the XKeyscore program encompasses "nearly everything a typical user does on the internet." That includes "the content of emails, websites visited and searches, as well as their metadata."

The NSA director did not mention XKeyScore in his presentation, nor did the program come up during the question-and-answer period when Alexander responded to queries that Black Hat organizers had gathered from the conference community in advance of the keynote. "The issue that stands before us today is one of what do we do next -- how do we start this discussion on defending our nation and protecting our civil liberties and privacy?" Alexander said. "The reason I'm here is you may have some ideas on how to do it better. We need to hear those ideas. But equally important from my perspective is that you get the facts."

NSA's additional surveillance programs came in the wake of the 9/11 terrorist attacks, which the independent 9/11 commission's report concluded was, in part, the result of a failure of the U.S. intelligence community to "connect the dots."

"So we had to come up with a way to help stop the attacks ... The Congress, administration, and the courts all joined together to come up with programs that meet our Constitution and help us connect those dots," Alexander said.

That led to the two now hotly debated programs, the so-called Section 215 Authority, a.k.a. the PRISM program, and Section 702 Authority, which allows the NSA to acquire content when needed. Alexander says the discussion surrounding those programs so far hasn't taken into consideration the oversight -- Congress, the courts, and the administration -- and compliance that goes hand in hand with them.

"It's not true that we are collecting everything," he said. He showed a screenshot of what he says NSA analysts actually can see under the Section 215 Authority under FISA, for counterterrorism efforts: date and time of a phone call, the calling number, the called number, the duration of the call, and the origin of the metadata. No voice calls, SMS text messages, names, or location information, he said. "This does not include the content of communications, your phone calls or mail, not my phone calls or emails.. There is no content: no names, addresses, in the database or locational information used," Alexander said.

A limited number of NSA employees can approve whether this information is gathered, he said. "Only 22 people can approve that [phone] number has been proven to meet the standards set by the court that it has a counterterrorism nexus ... Only then is that number added to a list that can be queried," he said, and only phone numbers on that list can be queried in that database. And just 35 specially trained NSA analysts are authorized to run those queries, he said.

He offered up some data, including that the NSA got approval for querying 300 phone numbers in a case of a terrorist who was residing in California, he said. "Those queries resulted in 12 reports to the FBI," Alexander said. "Those reports take less than 500 [phone] numbers, not millions. The intent of this was to find a terrorist actor and identify him to the FBI."

As for concerns about NSA employees abusing the use of this information, Alexander noted that the agency closely monitors its employees. "We can audit the actions 100 percent of our people, and we do," he said, on every query made.

The second program, FISA Amendment Act Section 702, of which PRISM is a part, is for intercepting communications of foreign threats. "This is not targeting U.S. persons ... this is our lawful intercept program," he said.

Alexander also addressed questions over whether NSA is abusing its power. He said the NSA is not authorized to listen in on communications, and pointed to a four-year congressional review of the program that found no violations by the NSA of that program. "They found no one at NSA has ever gone outside the boundaries of what we've been given. That's the fact," he said. "What you're hearing [in the press and other places] that they could -- but the fact is, they don't."

The agency's auditing tools would catch any such behavior, he said. "Their intent is not to go after our communications. The intent is to find the terrorist that walks among us," he said. "We have two programs that help us do that. One is on metadata, the least invasive method we could [use] ... it allows us to hone in and give the FBI greater insights into these actors," he said. "And we have this content program," which also is audited, he said.

He said at times he asks whether the programs are "too much." "Our people say it's the right thing to do. The nation needs to know we're going to do the right thing," he said. We comply with the court orders and do this exactly right, and if we make a mistake, report it."

The New York City bomb plot case in 2009 is a prime example of what the NSA programs do, Alexander explained. The agency used the PRISM/702 program to get a service provider to hand over the communications of phone number, which the FBI later identified as belonging to Najibullah Zazi and discovered discussions in his emails about an "imminent" terrorist attack, Alexander said. "That could have been the biggest attack in the U.S. since 9/11," he said. The ultimate capture of Zazi and his cohorts all started with an initial tip from PRISM data, he said.

Some 54 terrorist-related activities have been disrupted by the NSA programs, he said, 13 of which were in the U.S. and the rest in other nations.

Alexander, clad in his white military shirt, for the most part faced a mostly respectful audience, but was heckled by a couple of protesters who voiced their mistrust of the NSA. A carton of eggs was also confiscated from the sixth row prior to the commencement of the keynote.

Jeff Moss, the founder of Black Hat and former general manager of the hacking and security industry event, prior to Alexander's introduction applauded his coming to speak to the security community despite the rising tensions and debate over the scope of NSA's spying operations.

"I haven't sensed this much apprehension and tension in the community" since the Clipper chip debate in the '90s, Moss said. "A lot of us are wondering what comes next ... now we are starting to face those issues that had only been hinted at before. It would have been easy for [Alexander] to duck out and not speak to us. He's not here because he has to be -- he's here because he wants to be. His interest is engaging with the community."

Alexander's speaking engagement at DEF CON last year actually began the conversation between NSA and the security community on "shared values and civil liberties and privacy," Moss said.

[The Dark Tangent's post stirs heated debate within the hacker, security community. See DEF CON Founder Urges Feds To Take A 'Time Out' From The Hacker Conference .]

Mark Weatherford, the former deputy undersecretary for cybersecurity at the Department of Homeland Security, says Alexander's speaking before the Black Hat crowd was significant. "He's never done this before another large group. That's pretty profound," says Weatherford, principal with The Chertoff Group in Washington, D.C.

"We've never seen some of that [information] before," Weatherford said of Alexander's presentation on the NSA's leaked surveillance programs. "But there is still only so much he can talk about. I think it was a good conversation. He's not used to talking to an audience like this, and one that's willing to say 'BS.'"

Marc Maiffret, chief technology officer at BeyondTrust, notes that information security basically monitors everything as well. "We know the benefit of that," he says, but the worry among critics of the NSA has been what the NSA's monitoring means to our personal information and the potential abuse of that power, he says.

Maiffret says Alexander's providing specifics of what the NSA programs have actually done for good is key, and what has been missing thus far from the agency.

The full video recording of Alexander's keynote is available here on Black Hat's website.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...