When the House this week voted in favor of curtailing NSA surveillance activities, few people in the U.S. intelligence community were watching more closely than John DeLong.
That’s because DeLong is the agency’s rules enforcer. And the USA Freedom Act, which passed by a vote of 303-121, would fundamentally alter the current set of rules governing NSA’s bulk collection of telephone metadata. If the measure passes the Senate and becomes law, it will fall to DeLong to ensure NSA employees understand the new legal limits governing their actions.
As NSA’s director of compliance, DeLong gets paid to worry about the conduct of NSA’s estimated 35,000 code-breakers, analysts and staff (the actual number is classified). The 300 members of DeLong’s office conduct employee training, staff hotlines to answer questions, develop and test IT systems for privacy compliance and conduct spot-checks on processes and procedures. And contrary to the claims of NSA detractors, the compliance effort at the agency is high-profile and has the attention of the most senior agency leaders.
“I work directly for the director [of NSA], so I’m able to walk in and advise and consult and have access to what I need to carryout my functions,” said DeLong in an exclusive interview with FedScoop at the National Cryptologic Museum, across from NSA headquarters at Fort Meade, Md. “The inspector general and I are right down the hall from each other — very much peers.”
DeLong also works closely with the agency’s chief counsel and the newly-created Civil Liberties and Privacy Office. “It’s really a team approach to keeping NSA accountable and building quality [into the system] and making sure we can prove that we’re acting in accordance with the rules, authorities and permissions,” DeLong said.
A graduate of Harvard with a degree in physics and mathematics, DeLong has served as NSA’s compliance director since 2009. The five years he’s been at NSA have included some of the most difficult times in the agency’s 62 year history. But it was one particular day in 2014 – Jan. 17, to be exact – when the rules changed suddenly. That was the day President Barack Obama responded to the national outcry over the bulk data collection authorities granted to NSA by Congress with an executive order that placed new restrictions on NSA. DeLong remembers the day as an example of NSA’s commitment to privacy and accountability.
“The next hour, folks were in the conference room next to my office and we implemented those changes that day,” DeLong said. “That, I would call an accountable organization. The minute [the rules] change, we’re responsive to that change.”
Many more changes have occurred since then, many of them focused on internal security and protecting privacy. Certain systems now require two person control for access, DeLong said. In addition, the agency has deployed enhanced insider threat monitoring capabilities and developed what DeLong calls a “hierarchy of control” to focus on what system administrators can and cannot do with data.
NSA is also actively working with several universities to develop technologies that will enable the agency to integrate privacy protections and compliance controls into the hardware and software used throughout the agency.
“If an action is not permitted, or if we’re not permitted to collect something, the technology should just not allow that,” DeLong said. “We’ve kind of, I think, hit the sweet spot in many of those areas, figuring out how to make sure the laws and the policies get encoded directly into the machines and the computer systems we have, such that they’re as much a part of the compliance team as the people we talk to when they walk in the doors.”
But that sweet spot isn’t only about technology. “We’re going to still train people on their obligations,” DeLong said. “We’re going to do both.” He calls it the “belt and suspenders approach” to having overlapping safeguards.
As for NSA’s ability to stop another Edward Snowden from stealing and exposing tens of thousands of classified documents to the public and to America’s enemies, DeLong isn’t willing to say every security gap has been eliminated. But he is willing to say NSA employees have options for reporting abuses or privacy violations without having to betray the nation. And those options – reporting it to the compliance office, inspector general and general counsel, among others – were in place when Snowden chose to go to the media, DeLong said.
“This is one of those times. It’s a dynamic time. There’s a lot changing,” DeLong said. “What doesn’t change is accountability, respect for the law and the rule of law.”