NSA Pilots 2-Person Rule to Thwart Leaks

New Process Based on How Military Handles Nuclear Weapons
NSA Pilots 2-Person Rule to Thwart Leaks

The National Security Agency is piloting a new program, as a result of the Edward Snowden incident, in which systems administrators with top-secret clearance can access some of the nation's most secret documents only with the approval of another colleague.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

The two-person rule, based on the model the military uses to handle nuclear weapons, requires that two systems administrators must approve jointly any access to systems and files containing highly classified materials.

The NSA director, Army General Keith Alexander, said the agency is piloting such an initiative for the Defense Department, where the NSA is situated, and the intelligence community.

Alexander, speaking at the Aspen Security Conference on July 18, said a system administrator who wants to enter a room with secure servers or transfer classified documents to a removable drive would need the concurrence of another employee with security clearance. "This makes our job more difficult," he said.

Rare, But Good Idea

Alan Paller, founder of the cybersecurity training school SANS, says such an approach is very rare within information security circles, but he believes it's a good method for limiting the insider threats. "The challenge will be making it convenient, meaning not slowing down important activity so much that people would just go around it," he says.

Alexander understands the challenges involved. "We also have to ensure that we make sure that people who need information to do their job have access to that information," he said. "That was one of the lessons learned, so we want to balance these two and get it exactly right. That's one of our jobs to fix, since this happened at our place on our watch ... we will fix this in our stuff."

The idea of the NSA expanding the two-person control process came from NSA Deputy Director John "Chris" Inglis, who told that House Permanent Select Committee on Intelligence last month that some analysts use the procedure to access classified materials [see NSA Outlines Steps to Reduce Leaks].

Insights Into Snowden Activities

At the Aspen conference, Alexander said the NSA has "good insights" into what specific materials Snowden took without authorization, but wouldn't go into details because of an FBI investigation.

Snowden, who leaked information about top-secret U.S. telephone and online surveillance programs, is in Moscow awaiting a response to his request for political asylum.

Alexander said Snowden downloaded the classified materials as a contract systems administrator who ran a SharePoint account at NSA. Snowden was employed by Booz Allen Hamilton at the time. "As a system administrator, he also had access to thumb drives and other tools," Alexander said. "So, what we had is a person who was given the responsibility and the trust to do this job, betrayed that responsibility and trust, and took this data."

The NSA director, who also serves as the commander of the Cyber Command, said the military has begun to deploy at least three cyberteams. Asked if the teams are defensive or will have some offensive capability to stage cyber-attacks, Alexander responded.

"It's both, both offense and defense. And we are biased toward defending our networks and the nation, first. That's our first mission. And so the teams that we're standing up first are ones that would defend this country and defend our networks."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.