N.S.A. Leak Puts Focus on System Administrators - NYTimes.com

Edward J. Snowden, the former National Security Agency contractor who leaked details about American surveillance, personifies a debate at the heart of technology systems in government and industry: can the I.T. staff be trusted?

Gen. Keith B. Alexander, the director of the N.S.A.

More Tech Coverage

News from the technology industry, including start-ups, the Internet, enterprise and gadgets.On Twitter: @nytimesbits.

An N.S.A. data center in Bluffdale, Utah. The agency is adding a security rule akin to requiring two keys to unlock a safe.

As the N.S.A., some companies and the city of San Francisco have learned, information technology administrators, who are vital to keeping the system running and often have access to everything, are in the perfect position if they want to leak sensitive information or blackmail higher-level officials.

“The difficulty comes in an environment where computer networks need to work all the time,” said Christopher P. Simkins, a former Justice Department lawyer whose firm advises companies, including military contractors, on insider threats.

The director of the N.S.A., Gen. Keith B. Alexander, acknowledged the problem in a television interview on Sunday and said his agency would institute “a two-man rule” that would limit the ability of each of its 1,000 system administrators to gain unfettered access to the entire system. The rule, which would require a second check on each attempt to access sensitive information, is already in place in some intelligence agencies. It is a concept borrowed from the field of cryptography, where, in effect, two sets of keys are required to unlock a safe.

From government agencies to corporate America, there is a renewed emphasis on thwarting the rogue I.T. employee. Such in-house breaches are relatively rare, but the N.S.A. leaks have prompted assessments of the best precautions businesses and government can take, from added checks and balances to increased scrutiny during hiring.

“The scariest threat is the systems administrator,” said Eric Chiu, president of Hytrust, a computer security company. “The system administrator has godlike access to systems they manage.”

Asked Sunday about General Alexander’s two-man rule, Dale W. Meyerrose, a former chief information officer for the director of national intelligence, said, “I think what he’s doing is reasonable.”

“There are all kinds of things in life that have two-man rules,” added Mr. Meyerrose, who now runs a business consulting firm. “We’ve had a two-man rule ever since we had nuclear weapons. And when somebody repairs an airplane, an engineer has to check it.”

John R. Schindler, a former N.S.A. counterintelligence officer who now teaches at the Naval War College, agreed that the “buddy system” would help. “But I just don’t see it as a particularly good long-term solution,” he said.

“Wouldn’t it be easier to scrub all your I.T.’s for security issues,” he asked, “and see if there is another Snowden?”

The two-man rule “has existed in other areas of the intelligence community for certain exceptionally sensitive programs where high risk was involved,” he said, “but it’s not a standard procedure.”

Mr. Meyerrose and Mr. Schindler both said that software monitoring systems can also help, though they can be evaded by a knowledgeable systems administrator. The biggest issue for government and industry, they said, is to vet the I.T. candidates more carefully and to watch for any signs of disillusionment after they are hired.

“It’s really a personal reliability issue,” Mr. Meyerrose said.

Insiders of all types going rogue have become a problem for the government and industry over the last decade. One of the most prominent is Pfc. Bradley Manning, who downloaded a vast archive of American military and diplomatic materials from his post in Iraq and gave it to WikiLeaks. But there have been others, including scientists and software developers who stole secrets from American companies where they worked and provided them to China.

Now the spotlight is on the system administrators, who are often the technology workers with the most intimate knowledge of what is moving through their employers’ computer networks.