Nice intranet you’ve got there. Shame if something should happen to it.
In the nearly nine years that made Gen. Keith Alexander the longest-ever-serving head of the National Security Agency, he spent a lot of time sounding the alarm about impending cyber attacks on America’s private financial infrastructure (AKA the folks that brought you the 2008 economic collapse).
“We’ve seen the attacks on Wall Street over the last six months grow significantly,” Alexander told Congress in March of 2013, a year before his retirement.
Now a private consultant, Alexander has made news this summer by seeking six- or seven-figure sums for hacker-proofing private computer networks. But this raised a number of eyebrows, and not just because of the price.
First, Alexander partnered with Promontory Financial Group, a regulatory compliance consultancy for the financial industry that almost every report out there can’t help but call “shadowy.” Promontory has made a science out of classic Washington revolving-door regulation — building a kind of 400-resident-strong retirement home for ex-government employees, where the guys who wrote the rules then cash in by showing banks how to flout them.
Then, Alexander, who filed seven cybersecurity patents while he was at NSA, offered to help large corporations fend off malicious hackers with his new “behavioral models” for spotting pre-crime (patent pending — seriously — nine of them, says Alexander).
The former DIRNSA says that his new cyber-consulting in no way trades on the classified information he perused during his long tenure as a spymaster (that, of course, would be illegal), and that his new way to stop cybercrime did not come to him till just after he left his government job, thanks to input from an unnamed business associate.
That was all a little too pat for Rep. Alan Grayson, D-Fla., who wrote to some of Alexander’s potential clients in June [PDF], asking just what the former NSA chief was offering in exchange for his hefty fees.
“I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods,” Grayson wrote. “Without the classified information that he acquired in his former position, he literally would have nothing to offer to you.”
One of the recipients of this letter was SIFMA, the Securities Industry and Financial Markets Association, a trade group representing banks, securities firms and asset managers. SIFMA responded to Grayson in July [PDF] — sort of.
“Thank you for your inquiry about our efforts concerning cyber security,” starts the letter from SIFMA to Grayson. “I am glad that you share our interest in this important issue. Cyber attacks are increasingly a major threat to our financial system. As such, enhancing cybersecurity is a top priority for the financial services industry. SIFMA believes we have an obligation to do everything possible to protect the integrity of our markets and the millions of Americans who use financial services every day.”
To be clear, as has been noted by Marcy Wheeler, this is not about, say, protecting consumers from thefts of credit card data, like that which befell Target customers last year (because Target had not actually implemented its own cybersecurity plan). Those Americans in the financial markets to whom SIFMA refers are actually high-volume, high-frequency traders — i.e. the banks and brokerages represented by SIFMA.
And to be clearer, SIFMA’s language in this letter reflects its lobbying efforts on behalf of a public-private mind meld of grand proportions:
“We know that a strong partnership between the private sector and the government is the most efficient way to address this growing threat. Industry and investors benefit when the private sector and government agencies can work together to share relevant threat information. We would like to see more done in Congress to eliminate the barriers to legitimate information sharing, which will enable this partnership to grow stronger, while protecting the privacy of our customers.”
That “more done in Congress” part? Most likely, that’s a reference to CISA, the Cyber Information Sharing Act, which won approval from the Senate Select Committee on Intelligence last month. CISA, like its House sibling CISPA (the “P” stands for “Protection” … really), has drawn the ire of civil liberties groups, but it also drew the solid advocacy of a recent NSA director — back when he was still NSA director.
SIFMA has retained Alexander to “facilitate” the coming joint effort, and Alexander brought in former Department of Homeland Security chief Michael Chertoff to assure extra facilitating.
Classified government intelligence on cyberthreats, shared with private industry on an unprecedented scale, is the kind of data essential to consultant Alexander’s for-profit security model. You know, assuming he doesn’t just use the classified information he accrued during his time as the head of U.S. Cyber Command.
Because, as noted, that would be illegal.
To further probe the provenance of the former intelligence official’s official intelligence, journalist Jason Leopold (who has written for Al Jazeera on other topics) has sued the NSA over Alexander’s financial disclosure forms.
As a matter of policy, government officials are supposed to make information on their income and investments publicly available. The only exception to that rule is for intelligence personnel, and only if the President of the United States determines that “due to the nature of the office or position occupied by such individual, public disclosure of such report would, by revealing the identity of the individual or other sensitive information, compromise the national interest of the United States.”
It is already known who is involved here — Alexander — and what his job was, but even so, there is no indication from the government that the president has made any ruling pursuant to the law. The NSA is just refusing to make Alexander’s financial disclosure forms available.
But whatever Alexander was making, he is undoubtedly poised to make much more now. Still, the question remains, “Why?” Alexander is, after all, the man who was at the head of the NSA when a private contractor named Edward Snowden downloaded a treasure-trove of top-secret information, and did so without ever being detected.
And to this day, the NSA has made it clear it has no idea as to the total amount, scope or nature of the data Snowden copied.
Alexander is probably not talking much about that in his sales pitch. What he is talking about, it seems, is something called “Wiper,” a vicious bit of malware that targeted the Iranian Oil Ministry in 2012, erasing large amounts of data.
The irony here, according to security experts, is that “Wiper is a cousin of the notorious Stuxnet virus, which was built by the NSA — while Alexander was in charge — in cooperation with Israeli intelligence. The program disabled centrifuges in a nuclear plant in Iran in a classified operation known as Olympic Games.”
The U.S. has never officially acknowledged involvement with Stuxnet.
But the idea of a man selling cybersecurity based on a threat his former agency likely had a hand in at least hyping and, most likely, launching, sounds suspiciously like a protection racket.
Or maybe it is just extortion. Legal minds can hash that out, but the whole seamy business led one observer to channel Alexander and comment, “For another million, I'll show you the back door we put in your router.”
Basing a $1 million-per-month charge on the NSA’s actual investigative work during Alexander’s tenure might be a tough sell. An analysis of a decade of NSA bulk surveillance programs revealed that their contribution to stopping terrorism was, at best, minimal. But offering a conduit to classified government information, that might be worth something. Throw in a little insider knowledge on the design of the threat and maybe some added, erm, protection, and Alexander might be pitching a deal at that.