NSA's Alexander to Black Hats: Trust us, we need you
- By William Jackson
- Aug 05, 2013
National Security Agency director Gen. Keith Alexander’s appeal last week to a gathering of hackers, security professionals and researchers at the Black Hat Briefings in Las Vegas reflected not only the significance of intell-gathering programs but the weight the cybersecurity community carries with the NSA.
The importance he placed on the Black Hat venue was illustrated by the fact that Alexander chose to appear at the conference, while sending a deputy to testify before a Senate Judiciary Committee hearing that same morning at which declassified information about the programs was presented. He said the cybersecurity community’s understanding was essential to supporting the NSA’s credibility.
Alexander travelled to what he called “the world’s technical center of gravity” to plead his case that controversial surveillance programs established after Sept. 11, 2001, are targeted, limited and governed by strong technical controls, agency policy and judicial oversight that limit the ability of analysts to access data being gathered on domestic phone calls.
“The controls that go onto this database” are greater than on any other maintained by NSA, Alexander said in his keynote address. The agency gathers only metadata about domestic phone calls, he said. “They do not include the contents of the call,” or names and addresses or participants.
The programs, first leaked by expatriate and former NSA contractor Edward Snowden, have been described in news articles and congressional hearings, but Alexander said, “all the facts are not on the table,” and “I promise you the truth,” although not necessarily the whole truth. He added some details about how the programs are administered and controlled and their role in thwarting a dozen terrorist attacks in the United States.
He said the Snowden leaks have done “significant and irreversible” damage to national security.
“If you are not satisfied with the current situation, help us find a better solution,” he said.
Despite some skepticism, the talk was well received by the packed ballroom. There was a shouted expletive indicating disbelief when Alexander said “we stand for freedom,” which received scattered applause, but the greatest applause was for his measured response to the few hecklers.
Alexander described the limitations of the two programs. The Foreign Intelligence Surveillance Act Amendments Act of 2008 allows the NSA to sweep up metadata of phone calls from U.S. service providers, including the time of the call, the number called and the number called from, its duration and its origin. This is used to help connect the dots in information gathered from the second program, known as PRISM, under Section 702 of the act, a lawful intercept program that can be used to listen in on communications of foreign nationals.
Queries of the domestic call database must be authorized. Alexander said only 22 people at NSA can place a U.S. telephone number on the list of numbers that can be queried, and only 35 analysts are authorized to query those numbers. Alexander said that fewer than 300 numbers were placed on the query list in 2012, and these resulted in 12 reports to the FBI for follow-up within the United States.
“We stopped 13 terrorist related activities in the United States,” since the programs began in 2007, Alexander said. Twelve of those investigations used phone data gathered under the Section 215 program, which provided “good information” in eight of those cases.
One of the cases involved the 2009 arrest of Najibullah Zazi in a plot to bomb the New York subway system. Alexander said Zazi was identified when the NSA notified the FBI that a suspected terrorist in Pakistan had called Zazi’s Colorado phone number.
Alexander said repeatedly, “These are facts,” and emphasized that the surveillance programs are under strict oversight by the NSA’s own directory of compliance as well as the secret FISA Court and Congress. He said a Senate Select Intelligence Committee study of four years of operations found no NSA violations. “No one at NSA has ever gone outside the boundaries we’ve been given,” he said.
He offered little documented information about the classified programs to support his assertions, but the presentation generally received high marks, even if it did not convince everyone.
“There is nothing that he could do to persuade” hardcore skeptics in the audience, said John Dickson, former Air Force security officer and CTO of the Denim Group, an application security consultancy. But he did a good job of steering a middle path between preaching to the choir and confronting hostile listeners. “I thought he made a forceful argument,” Dickson said.
William Jackson is freelance writer and the author of the CyberEye blog.