The NSA Hearing, by the Numbers
BY KIM ZETTER
Director of the National Security Agency (NSA), Gen. Keith B. Alexander, testifies about NSA surveillance before the Senate Appropriations Committee on Capitol Hill. Photo: Charles Dharapak/AP
A federal hearing today on NSA surveillance programs leaked by former NSA contractor Edward Snowden produced some interesting numbers about the scope of the data collections and other issues. We’ve produced a roundup below of some of the interesting stats and intelligence gleaned from the discussion.
The hearing, before Congress’s Select Committee on Intelligence, included NSA Director, General Keith Alexander; Deputy Attorney General James Cole; Deputy Director of the FBI Sean Joyce; and General Counsel Robert Litt, from the Office of the Director of National Intelligence General Counsel.
1) NSA Only Uses Section 215 of Patriot Act to Obtain Phone records. NSA Director Keith Alexander, responding to questions about the kinds of business records the agency obtains using this power granted by the Patriot Act, said that the agency only uses it to obtain phone records from companies. This would seem to contradict a recent Wall Street Journal story, which disclosed that the agency was collecting credit card transactions. But Alexander’s statement doesn’t rule out that the FBI is collecting credit card transactions and providing data pertaining to foreign intelligence cases to the NSA. The vast majority of business records requests under Section 215 are done by the FBI and other federal agencies, not the NSA.
2) Phone Records Obtained by NSA under Section 215 Are Destroyed After 5 Years. ODNI General Counsel Robert Litt asserted that the records are not kept indefinitely. Nor are they used for general data mining and pattern analysis, according to Alexander. He stated that the records are only used to perform individual “queries” against specific phone numbers. Presumably this means that pattern analysis likely would be done on those targeted phone numbers that are under investigation in order to ascertain any and all phone numbers that have communicated with the targeted number.
3) Only 22 People at NSA Can Authorize Queries of Phone Records Database. This number includes 20 analysts and two supervisors. Among the 22 people who can authorize such queries of the phone records database are Gen. Alexander himself and Litt.
4) Records/Data Obtained under 215 and Section 702 of FISA Thwarted 50 Potential Terrorist Plots. NSA Director Alexander and FBI Deputy Director Sean Joyce said that at least 50 cases they investigated used data obtained under the two surveillance programs that Snowden exposed. Section 702 of FISA can cover real-time emails and chats, IP addresses and other data. Asked by Rep. Jim Himes (D-Connecticut), how many of these 50 episodes “would have occurred but for your ability to use 702″ (or “How essential are these authorizations to stopping these attacks?”), Alexander said that he believed that in at least half of these cases, the data obtained under Section 702 of FISA was “critical.” He said that of the cases involving the use of phone records obtained under Section 215 of the Patriot Act, a little more than 10 of these cases involved some kind of “domestic nexus” — meaning they involved a U.S. citizen overseas or in the U.S. The vast majority of these cases “had a contribution from the business records requests.”
5) Snowden Worked for the NSA for 15 Months at Time of Leaks. Although it’s been reported that Snowden had only been working for defense contractor Booz Allen Hamilton for three months at the time of the leaks, and had only been stationed at the NSA’s Hawaii facility a few weeks prior to leaking, Alexander noted that Snowden had actually been working for the NSA under a different contractor during the 12 months prior to moving to Booz Allen Hamilton, which would have given him more time to scope out the network and determine which data he wanted to take.
6) NSA Plans to Institute a Two-Person Rule to Govern Activities of SysAdmins This would presumably involve requiring a shadow for every sysadmin to ensure that no one operator can download the kind of data Snowden obtained without authorization from another operator, or change auditing and logging instructions on the system to hide their tracks. Alexander noted that Snowden, as a systems administrator, had great authority to access parts of the network that are not accessible to regular analysts. The sysadmin also has the ability to set the auditing conditions on a portion of the network. “This is a huge problem,” Alexander said. “We’re coming up with a two-person rule to make sure we have a way to block” someone from taking information out of the system. “This is a work in progress,” he said.
7) NSA Has About 1,000 SysAdmins Worldwide. Alexander said the NSA has about 1,000 system administrators that have, in certain sections, the level of authority comparable to what Snowden had to access data. This number seems small, and Alexander said they were working on trying to get a more exact figure, but he noted that the majority of these system administrators were contract workers.
Finally, something else of note that Alexander said in the hearing today. The NSA apparently doesn’t yet know how Snowden obtained access to the court order that authorized Verizon to hand over the phone records of millions of American customers. He noted that to access the kind of data collected under the program required special “certificates” or keys to gain access to areas where the data was stored. Certificates and keys can refer to digital access to walled-off areas of data on a server, but Alexander also seemed to imply that Snowden would have needed physical access to a room where the data was stored.
“To get to any data like business records under 215, that’s in controlled area,” Alexander said. “You need specific certificates to get in to that. I’m not aware that Snowden had any certificates to get into that.” He later noted that by “certificates” he meant keys, meaning presumably electronic door access keys.
“In this case, what the system administrator had access to is what we’ll call the public web forums that NSA operates, and these are the things that talk about how we do our business, not necessarily what’s being collected as a results of that,” Alexander said. “Nor does it necessarily give them the insights that the training and the other issues that training and certification process and accreditation that our folks go through to actually do this. So those are in separate programs and require other certificates to get into.”
When asked if this meant Snowden did not have the certificates necessary to leave that public forum, Alexander replied, “So each set of data that we would have, and in this case let’s say the business records, FISA, you have to have specific certificates … because this is a cordoned off, so that would be extremely difficult for him to. . . he’d have to get up to NSA and get into that room to do. Others require certificates for you to be working in this area to have that. He would have to get one of those certificates to actually enter that area…. In other words, it’s a key.”
Following the hearing, reporters in the room cornered Alexander for further explanation about this, during which Alexander reportedly said that the NSA believes Snowden obtained access to the court order while he was undergoing orientation and training at the NSA’s headquarters at Ft. Meade.
“The FISA warrant was on a web server that he had access to as an analyst coming into the Threat Operations Center,” Alexander told Politico. “It was in a special classified section that as he was getting his training he went to.”
668 total views, 1 views today