Eyes on Spies

John DeLong, the National Security Agency’s first-ever compliance director, keeps citizens out of the crosshairs.

At the National Security Agency, compliance with information-sharing policies and privacy laws means protecting civil liberties. That’s where John DeLong comes in. In 2009, he filled a new position at NSA: compliance director. The gig involves coordinating with analysts throughout the chain of command to pre-empt potential violations, as well as cooperating with other NSA oversight managers to avoid stepping on toes. 

“We’re nothing if we lose the confidence of the American people,” DeLong says. “The creation of this position is a very outward sign of an inward focus—a focus that existed before the creation of my position. We’re constantly learning. We’re constantly trying to draw best practices externally, and . . . we’re trying to also contribute and be part of that discussion about compliance best practices.”

DeLong, 37, also must ensure inanimate surveillance tools follow the rules. Seems like that should be a breeze for a man who holds degrees in law, physics and math from Harvard University. Government Executive recently sat down with DeLong to find out. The following are edited excerpts from that conversation.  

Q: Critics have accused NSA of being a rogue organization doing its own thing. But there are checks and balances for collecting U.S. communications, correct? 

A: We are not a free agent that’s just out there, waking up and deciding what to do every day. We are really heavily regulated both by requirements that come in—a majority of them externally—and then also very specific authorizations. We have to make sure those authorizations pass from human to human and from machine to machine very carefully.

Q: The Defense Department already had an inspector general, and NSA had a privacy officer. What were you brought in to do that was different? 

A: We work with the inspector general, and we both focus on safeguards around the underlying laws and policy. A privacy officer might be more in the policy space trying to make sure the fundamental legal and policy rules themselves are protective of privacy. The compliance folks then are really focused on bringing those rules to life. We very much are in the training cycles. We’re in the building of systems. We’re in the certification of systems. 

From the perspective of an analyst or a person who builds technology it could sometimes look like a spaghetti bowl of rules or organizations, but really I like to use the term ecosystem because when everyone plays their position here—when the lawyers provide the legal advice, when the policy folks provide that policy overlay, when the compliance folks are down proactively rolling our sleeves up and helping, and when the oversight is doing that independent oversight—it all kind of works together.

Q: What’s the biggest misperception citizens have about NSA’s surveillance powers? And what would you like to tell them to clear up that fallacy? 

A: The ecosystem part. There is a tremendous amount of external oversight, ranging from executive branch, Department of Justice, Office of the Director of National Intelligence to Congress (the House Permanent Select Committee on Intelligence and other committees), and then from the judicial branch with the Foreign Intelligence Surveillance Court.

Q: How do you help make sure everyone follows the rules?

A: I walk down the halls, knock on every door. That was a joke. The one thing I like to make sure is that people don’t think of compliance as just the people with clipboards who are sort of spying on the spies, or overseeing everything. We’re down with the technology folks, with the lawyers, with the analysts, with the people who make policy . . . making sure that a change in one area is synchronized with a change in another area.

Q: What steps do you take when a person is on the verge of invading someone’s civil liberties?  

A: We want people to report. In fact they are under an obligation to report. What we find is really a systems view rather than a personal view. This is a tremendously complex environment, so when somebody does raise their hand on the assembly line and say, “Wait, I need some help here,” the first thing we’ll do is try to get a quick understanding of what’s involved. The second thing will be to actually mitigate any ongoing activity that might be noncompliant. We then sort of bifurcate and take two steps. One is we focus on the particular issue at hand, the other is we take a step back and really take a systems view versus a single person view.

Q: Former NSA officials have alleged the agency compiles dossiers on U.S. citizens. Does your job extend to protecting these whistleblowers?

A: [Our reporting], in the lingo, is known as intelligence oversight reporting. It’s really our way of allowing people to raise their hands . . . We use it really for trend analysis. The whistle-blowing is of a different nature and that’s not something my office would handle. That’s, I believe, more handled by the inspector general.

Q: You were previously a deputy director of the national cybersecurity division at the Homeland Security Department. Did the Pentagon want a civilian compliance director rather than a military officer? 

A: I don’t think military or civilian was a factor. When I was “voluntold” to take this position, in fact, this was a position I was eager to step into. That may sound a little crazy. It had to do with the multiple perspectives. I spent a lot of my early years, with the physics and math degrees, doing a lot of technology and system development. I then went and got a law degree. So I put one foot into the legal world. At DHS, working on more programmatic things, I learned a lot of program management techniques from some of the great leaders down there. Whether I’m at NSA, DHS or whether I’m at an interagency forum, there’s really not a distinction about who cares about privacy more, who cares about privacy less.

Q: How do you make sure personnel are safeguarding data without slowing down investigations? 

A: I wouldn’t use the term slow down. The name of the game is probably precision . . . In some cases, we literally have the legal and policy rules embedded in the technology such that the technology will only do those things. There are obviously some decisions that you can’t automate. You have to rely on a human for judgment. And we have lots of training. We have places where those decisions get double-checked, triple-checked, even quadruple-checked. I kid you not. And those are all commensurate with the import of that decision, how that decision percolates through the process.

Q: An inspector general typically checks periodically to make sure computer systems are compliant. Do you alternate with the IG on audits? 

A: The path between the IG and me is well-worn. We’re always talking. We don’t get to dictate what they do. They don’t get to dictate what we do. But we do work together to make sure they are focused on maybe some deeper dives. Part of the benefit of being a compliance organization is we can make a one-week decision cycle, turn it around and make recommendations.
