Forgot your password?
typodupeerror
Politics

Former NSA Chief Warned Against Selling NSA Secrets 138

Posted by Unknown Lamer
from the alan-grayson-hates-freedom-and-puppies dept.
An anonymous reader writes Former NSA Chief General Keith Alexander has apparently started his own cybersecurity consulting firm, IronNet Cybersecurity, and approached the banking industry pitching his company's suite of services. Word from Wired indicates that his services cost $1 million per month with a special discount asking price of $600,000 per month. Congressman Alan Grayson (D-FL) expressed concern about General Alexander's activities to the banking industry, stating, "I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods....Without the classified information he acquired in his former position, he literally would have nothing to offer to you." (PDF) The congressman from the House of Representatives reminds the bankers (and General Alexander, should he be listening) that selling top secret information is a federal offense.
This discussion has been archived. No new comments can be posted.

Former NSA Chief Warned Against Selling NSA Secrets

Comments Filter:
  • bridge for sale (Score:5, Insightful)

    by mindcandy (1252124) on Thursday June 26, 2014 @04:08PM (#47327605)
    I don't know if I'd brag about my tenure there in the context of selling security consulting.

    The whole Snowden affair demonstrated that they still managed some epic fails.

    But sure .. 600k? .. I'll take two, because that's how we roll with government spending.
    • Re:bridge for sale (Score:5, Insightful)

      by pla (258480) on Thursday June 26, 2014 @04:46PM (#47327901) Journal
      I don't know if I'd brag about my tenure there in the context of selling security consulting.

      This.

      Detecting and stopping an insider from downloading a library of proprietary/classified info outside their job description? Fail.
      Capable of searching emails to fulfill a court order for information? Fail.
      Bringing a basic (if high-end) new datacenter online? Fail (for not securing a reliable source of electricity).
      Obeying the rules that govern their core mission? Fail. Performing their core mission? Fail.

      No doubt, the NSA remains every bit as scary as ever, but in more of a "CIA goon" sense than their traditional so-flawlessly-smooth-you-won't-even-know-what-happened reputational sense.
      • It seems to me that the entire purpose of any secret government agency is to benefit the secret government agency.

        Michael Moore is a self-taught movie maker. His movie about U.S. government corruption in secret agencies, Fahrenheit 9/11 [boxofficemojo.com], made $222,446,882. It's not like extreme U.S. government corruption is unknown.

        There is a HUGE conflict of interest, and the U.S. government seems to have no influential methods of dealing with conflicts of interest. If there is security, people who work for the NSA are less likely to be promoted, and may lose their jobs. That is a powerful reason for NSA employees and management, and other secret U.S. government agencies, to create more insecurity. Since they work entirely in secret, no one can stop them.

        U.S. government policies allow many secret agencies. I find it odd that news stories assume that, other than doing things that almost no citizens want, the secret agencies are otherwise well-managed. Numerous examples show that they aren't. For example, Edward Snowden [wikipedia.org], an employee of an NSA sub-contractor, was able to walk away with all the data.

        To me, it is also odd that news stories assume that the NSA works to improve security of the U.S. and U.S. citizens. For example, the book House of Bush, House of Saud [wikipedia.org] explains that the Bush and Cheney families worked for the Saudis, who paid them billions for their help. The U.S. taxpayer paid for the arms, military presence, and violence that supposedly was free security for the Saudi government, but actually was, as Saudi acquaintances I met in a gym said long before the 9/11 attack, Saudi government oppression of the Saudi people.

        Why does the NSA record phone calls? Is it because learning about some of those calls makes money for someone in control? Investment information, perhaps?

        The U.S. government's war in Iraq is now being called a "mistake". For example, Hans Blix: Iraq War was a terrible mistake and violation of U.N. charter [cnn.com]. It wasn't a "mistake", other articles say, it was deliberate deception. For example, Stop Calling the Iraq War a 'Mistake' [huffingtonpost.com].

        NSA = No Sales for America. The NSA is a powerful advertisement that anything complicated made by a U.S. manufacturer may have intentional defects or surveillance methods.
      • by TubeSteak (669689)

        Detecting and stopping an insider from downloading a library of proprietary/classified info outside their job description? Fail.

        It seems like a lot of people seem to have ignored the detail that Snowden picked Hawaii because it didn't have access controls yet.

        The NSA and DoD have been rolling out software upgrades across their facilities specifically to prevent another Manning.
        Hawaii was not upgraded, Snowden knew this, and he used this knowledge to pilfer data without restrictions.

        • If I wanted security, the idea that Snowden just went where he knew the security was bad wouldn't really impress me.

    • Re:bridge for sale (Score:5, Interesting)

      by Anonymous Coward on Thursday June 26, 2014 @07:40PM (#47329221)

      Actually I'm going to disagree with you there. Yes, Snowden was a loss for the NSA, but not a fatal loss.

      Gen. Alexander presided over and participated in an epic expansion of the NSA budget, mandate, and importance. They achieved the nirvana of government existence: To become a mover and shaker. The NSA now overshadows the CIA and FBI in importance.

      The Snowden disclosures threaten that status, but notice that none of the limitations on the NSA have actually happened yet. Lots of talk but little action. The government likes it's pervy magic database of secrets and private communications. Sure it's constitutionally infringing but hey, terr'ists!!

      And even if the golden age of spying winds up being curbed, Gen. Alexander can always find a way to blame someone else, or say "it' was one unfortunate mistake, lessons were learned, I wasn't properly informed, etc."

      • Or if he can learn from his mistakes, then maybe he is an expert.
      • Yes, Snowden was a loss for the NSA, but not a fatal loss.

        That's perhaps what they think but it's a questionable. Without his disclosures they would never have fixed their utterly ridiculous internal security. If it took just one external consultant to grabb all this information, they cannot seriously believe that a foreign intelligence agency hadn't been capable of doing the same.

        What is strange is that neither Clapper nor Alexander are being prosecuted for Contempt of Congress.

    • by Oswald (235719)

      I was going to write a reply saying the banking industry comprises private--not government--money. But hilarity ensued as I struggled to word my post carefully enough to defeat trolls telling me I was overlooking the bank bailouts of half a decade ago. After a while I realized I couldn't make my case and decided you're right--it is government spending.

      So congrats on being even more cynical than I am. Care for an ennui contest?

  • by king neckbeard (1801738) on Thursday June 26, 2014 @04:09PM (#47327617)
    THe banking industry is probably wanting a step up in security, while the NSA under Alexander had horrible internal security. Alexander's forte seems to be using brute force to break the security of others, not actually keeping an organization secure.
    • by fuzzyfuzzyfungus (1223518) on Thursday June 26, 2014 @04:23PM (#47327731) Journal

      Alexander's forte seems to be using brute force to break the security of others, not actually keeping an organization secure.

      It sure is a good thing that the banking industry is a bunch of totally upstanding, honest, guys, steeped in a culture of prudent moderation, who definitely wouldn't have any interest in the potential applications of NSA-tested 'tailored access operations' for shareholder value, enhanced lobbying, and other exciting things; or the colossal hubris necessary to not even think twice about doing so.

    • by Arker (91948)
      "THe banking industry is probably wanting a step up in security, while the NSA under Alexander had horrible internal security. Alexander's forte seems to be using brute force to break the security of others, not actually keeping an organization secure."

      Perhaps that's his pitch?

      The best defense is a good offense. Instead of fixing your security flaws, just make sure that getting to important systems will take some time, and be detected. Then wait for attacks to start, counterattack, and wipe out the attacker
  • Poor guy... (Score:5, Insightful)

    by jasno (124830) on Thursday June 26, 2014 @04:10PM (#47327637) Journal

    So the poor general can't participate in the usual dance of former Washington insiders who use cronyism and connections to enrich themselves after 'serving' in government?

    There should be a name for that... like 401(c)... where c stands for crony capitalism.

    • by jeffmeden (135043)

      So the poor general can't participate in the usual dance of former Washington insiders who use cronyism and connections to enrich themselves after 'serving' in government?

      There should be a name for that... like 401(c)... where c stands for crony capitalism.

      What's more hilarious is that, apparently, the only thing to General Alexander's credit as head of the NSA was his ability to keep secrets. He was literally "the most powerful cyber-lord in the world" (for lack of a better term) and his only qualification was keeping secrets? He didn't bring anything to the table in terms of management skills, best practices, or good judgement via foresight? Because that's what you have to read into a statement like "..Without the classified information he acquired in hi

  • "Without the classified information he acquired in his former position, he literally would have nothing to offer to you."

    Oh brother. A former work colleague saying "You'd be nothing without us!"

    It's not like a person exists outside of their job, or can ever learn new things, right?

    • by Anonymous Coward

      It's also blatantly not true. Even if he learned about some hundreds of network and OS vulnerabilities because he authorized NSA branded custom exploits to use them, the knowledge of the vulnerabilities is not classified, only the behavior of the NSA proprietary exploit tools. As long as he is fixing the exploits and not just tweaking them so the NSA toys can't use them (until the next internal revision), his knowledge is fair game for him to use for personal profit.

      • by djdanlib (732853)

        Exactly my point... If you learn a skill at your job, your employer cannot strip you of that skill when you leave.

        Obviously selling government secrets is different from saying here's how you implement industry best practices to create security processes.

        If the government had a secret security-bypassing technique, and had educated him on its use, he may or may not be obligated under his new employer to close the hole. And as a constituent of that government, I would approve of that use of that information.

        • by dosius (230542)

          Some employers try, with non-compete clauses.

          • by Anonymous Coward

            The government has non-compete clauses.. With guns and jail!

            Given all the things the "NSA cannot tell Congress" that are secret I'd think that most information this guy has is not usable. Because anything you learn working for the NSAis by definition secret until explicitly declassified ...

        • Re: (Score:1, Informative)

          by Anonymous Coward

          If he had knowledge of a secret security bypassing technique, closing the hole would (necessarily) disclose relevant classified information to the client. Which would be illegal...

      • Re:Laugh-worthy (Score:5, Interesting)

        by Opportunist (166417) on Thursday June 26, 2014 @04:51PM (#47327949)

        It is? Odd that someone as insignificant as me has it in his contract that any kind of "internal knowledge" he gains (and, bluntly, if an exploit isn't considered internal knowledge in a TLA, what is?) must not be used outside of very well defined areas of work for at the very least 2 years, while someone as the NSA head honcho gets a free pass to use such knowledge as he pleases.

        • by jeffmeden (135043)

          It is? Odd that someone as insignificant as me has it in his contract that any kind of "internal knowledge" he gains (and, bluntly, if an exploit isn't considered internal knowledge in a TLA, what is?) must not be used outside of very well defined areas of work for at the very least 2 years, while someone as the NSA head honcho gets a free pass to use such knowledge as he pleases.

          It's hard to imagine that the banking industry is seen as competing with the NSA (in the sense that a non-compete would be enforceable)... Or is it?

          • Well, both are propped up by the taxpayer and it's questionable whether they work in his interest, to the point where people are actually hitting the streets to protest against them, so, well, in a way...

    • by Qzukk (229616)

      The NSA should have put a clause in his employment contract preventing him from competing against them for the next X years.

      • Erh... that would be akin to a occupational ban. I mean, as soon as you even as much as reach towards anything that could remotely be considered "security" you are essentially in competition with the octopus the NSA is...

      • But the NSA (apparently) isn't in the data securing business. They're in the learning secrets business. A non-compete clause would prevent him from working for the CIA or the Defense Intelligence Agency or someone else in the learning secrets business. If a court says that securing the data of people engaged in lawful behavior is competing with the NSA, then they're saying that knowing everything about the doings of the people engaged in lawful behavior is properly within the NSA's purview. The NSA migh
        • I believe their charter covers both securing US data and reading everybody's data.

          • Perhaps they could provide an example of where they successfully secured some data ]~_^} But, more seriously, securing commercial data still isn't in competition with the NSA, as the NSA's data securing activities have zero presence in that market. I'm sure he couldn't use copies of software developed at his old job. But, making sure that security software developed at his new job is sufficiently robust, and knowing under what circumstances security should be stronger, and under what other circumstances
            • I'm afraid I only have examples of where they weakened cryptosystems, not when they secured data. They may not actually be good at all of their jobs.

              • From where I sit, it looks like there's too much stuff classified as secret and too little compartmentalization of the stuff that really ought to be kept secret. But, when I was making the example request, partly it was a complaint about them failing to declassify, not because the actual information still needs to be secret, but because public scrutiny might affect the agency budget or the career of someone still employed there - or just from not wanting to make the effort to determine whether they're done
    • Unless being NSA directory is a surprisingly cushy position, leaving ample time for personal development and cultivation, I'd be skeptical in this case. Aside from his 1978 BU MBA, there is approximately fuck all on his CV that doesn't involve either armored vehicles or classified (and not always licit) signals intelligence and surveillance work for Uncle Sam. He doesn't even appear to be one of the revolving-door guys who hops back and forth between a stint with the feds, a stint with Spydyne LLC, back to
      • Yeah, the jumping back and forth doesn't happen when you wear the uniform, or did you miss the General part. Not defending General Alexander here just commenting on the lack of moving from government to industry and back.

        • I don't have a problem with not being a revolving door hack (indeed, it's generally better than the alternative). My point was merely that Alexander's CV has very little on it that isn't either irrelevant to his potential customers (at least I hope our financial sector isn't looking for armored warfare expertise...) or closely connected to a series of fed jobs that just keep getting more heavily classified as time goes on. I am notably unsympathetic to the "zOMG! Noncompete! your employer owns every idea an
          • Re:Laugh-worthy (Score:4, Insightful)

            by jeffmeden (135043) on Friday June 27, 2014 @10:34AM (#47332587) Homepage Journal

            My point was merely that Alexander's CV has very little on it that isn't either irrelevant to his potential customers (at least I hope our financial sector isn't looking for armored warfare expertise...) or closely connected to a series of fed jobs that just keep getting more heavily classified as time goes on.

            Hmm let's see if you can pick out the spot where he would be versed only in armored warfare expertise or looking at secret documents all day (this is his CV for the past 15 years):
            Director of the National Security Agency (DIRNSA)
            Chief of the Central Security Service (CHCSS)
            Commander of the United States Cyber Command
            Commanding General of the U.S. Army Intelligence and Security Command
            Director of Intelligence (J-2), United States Central Command
            Deputy Director for Intelligence (J-2) for the Joint Chiefs of Staff
            Head of the Army Intelligence and Security Command

            Do you think it's possible, after working (ostensibly successfully) as the head of so many organizations, that he knows nothing about management, leadership, best practices, and nonclassified security methodologies (of which there are many)? Do you honestly think he spent 10 years, as the head of these orgs, pushing top secret papers across his desk instead of having his underlings take care of all of that? Come on. Furthermore, I think a lot of commentators on this thread have a complete misunderstanding of what a high-level consulting firm does. Hint, it has nothing to do with configuring firewalls and antivirus apps. Big multinationals will gladly pay $1M for advice as simple as "choose off the shelf security package A, instead of B" as long as it comes from someone whose credentials are beyond repute. He doesn't have to say anything about top secret operations, techniques, or sources, he just has to put his name behind something.

  • by Rosco P. Coltrane (209368) on Thursday June 26, 2014 @04:14PM (#47327665)

    Snowden didn't reveal NSA secrets for his personal profit.

    • by Anonymous Coward

      Share knowledge with everyone, stuck in Russia indefinitely.

      Share knowledge with the rich fat cats, profit immensely.

      Same message, drastically different outcomes.

      Sounds like the American way to me.

      • by Opportunist (166417) on Thursday June 26, 2014 @04:53PM (#47327983)

        It's very un-American to do something without the plan to profit from it!

    • by arklite (3537129)
      If profit is personal advantage, and Snowden is advancing an agenda based on ideals, then yes, he is advantaged and therefore profited. Not all people are motivated by money; for some, power, fame, or influence suffice. I'd say he did it for wholly selfish reasons: "He knew better than the State"
  • by Anonymous Coward

    he'll give it to you for free .. you can put up the $1 Million towards wikileaks as donation ..

    • by Calydor (739835)

      Selling it is a federal offense.
      Giving it away is treason.

      • by Uberbah (647458)

        Selling it is a federal offense.
        Giving it away is treason.

        Repeating Big Lies from authoritarians makes you either a fascist or a monarchist. Which is it?

        • by Calydor (739835)

          Which one makes you not have a sense of humor?

          • by Uberbah (647458)

            Repeating state propaganda is funny?

            • by Calydor (739835)

              Depending on how it's done, yeah.

              In case it wasn't obvious mine was intended to be funny to show the disconnect in lines of thought, that somehow doing something illegal for personal gain is less serious than doing it because you think it's the right thing to do.

  • This smacks of the same crap Id is trying to pull off on Carmack (http://popcultureblog.dallasnews.com/2014/05/zenimax-and-id-software-have-filed-a-lawsuit-against-oculus-vr-and-dallas-based-john-carmack-is-in-the-middle.html/). Apparently employers think they own any knowledge an employee gains while on the job. Sure, secrets are secrets. But is *everything* they learned on the job is a secret?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Sure, secrets are secrets. But is *everything* they learned on the job is a secret?

      No, not everything.

      But if it's something you're trying to sell it for a million dollars a month, those parts are probably secret.

    • by DRJlaw (946416) on Thursday June 26, 2014 @04:57PM (#47328017)

      But is *everything* they learned on the job is a secret?

      1. When you've worked at a very high level the NSA;
      2. When you are selling security information/services; and
      3. When your asking price is far higher than competitive services by people who've worked at it far longer than you outside of the NSA,

      What do you imagine lies in between publicly known and classified that justifies the price premium? Was he developing security procedures on his own time or at his second job?

    • Sure, secrets are secrets. But is *everything* they learned on the job is a secret?

      Ask the CIA -- they would probably stamp TOP SECRET on his forehead and mark him as classified if they were allowed. NSA, well, they're a part of the army AND part of national security. You're not dealing with standard trade secrets here, you're dealing with national secrets. Usually they err on the side of caution with those, as we've seen with all the denied/delayed/redacted FOIA requests lately.

      He seems like a bright guy and knows his way around political circles, but starting a company that appears t

  • by Registered Coward v2 (447531) on Thursday June 26, 2014 @04:30PM (#47327795)
    He needs to hire people who have the skills and experience addressing specific vulnerabilities. Ideally those people got that outside of TS work. He is the rainmaker that opens doors.
    • He needs to hire people who have the skills and experience addressing specific vulnerabilities. Ideally those people got that outside of TS work. He is the rainmaker that opens doors.

      Judging by his cozy reception at last Defcon this shouldn't be a problem at all.

    • by russotto (537200)

      Exactly. He doesn't need to do squat. He's implicitly selling the idea that he will be using all those secrets to help out his clients, but it's a flim-flam; he doesn't actually have to do it. And he was the head of the NSA, an administrator...what's the chance he knows much in the way of recent technical details anyway?

      • Exactly. He doesn't need to do squat. He's implicitly selling the idea that he will be using all those secrets to help out his clients, but it's a flim-flam; he doesn't actually have to do it.

        I wouldn't call it film-flam nor implicitly selling the idea that he will be using all those secrets. He brings an executive understanding of the types of threats and how to explain them in a way senior leaders can understand and offer a team that can help address the threats a company may face. His company can address them without ever revealing any secrets he learned during his stint at NSA.

        And he was the head of the NSA, an administrator...what's the chance he knows much in the way of recent technical details anyway?

        His technical skills are largely irrelevant, that's his staff's role. Being head of NSA, on the other hand, gives hi

        • by rjstanford (69735)

          Completely agreed. He can also use his network of (public) contacts to make introductions between threatened enterprises and the right people to fix them - or introducing peers who have had similar issues but aren't happy being completely public about that fact yet both trust him to use that knowledge for their benefit. Getting your security vendor wrong could be a very expensive mistake.

  • One day soon, "Congressman Alan Grayson (D-FL)" will be a lobbyist. Welcome to revolving-door government, Congressman.
  • remind me (Score:4, Interesting)

    by sribe (304414) on Thursday June 26, 2014 @04:50PM (#47327945)

    Am I confused, or is this the same amoral sack of shit who lied to Congress with a straight face about NSA activities???

  • The congressman from the House of Representatives reminds the bankers (and Edward Snowden, should he be listening) that selling top secret information is a federal offense.

    FTFY.

  • It is ok if a government official sells state secrets, or gives preferential treatment to industry for money. This is the reason why they get high power government jobs n the first place. Look at the FCC, for instance. Their chairman is directly owned by industry. It is only plebs like Snowden that get prosecuted.

  • I could buy some needy obstetrician a malpractice policy for that amount.

  • Hmmm. The Director of the NSA might encounter all sorts of information about the Big Money Boys that they would rather not be known generally. Would that information necessarily be classified? But whether or not it is, being paid NOT to disclose it would surely not be a violation of security. Wall Streeters might regard a million a month mighty cheap insurance...

  • This venture, it seems to me, is just a way to legitimize the payback for services he has already rendered while he was at the NSA. His 'clients' already know who they are, and they will expect to get nothing more concrete for their million per month than his continuing influence (or perhaps silence) in certain matters.

  • only the exact demarcation of its extent. If I know the NSA has a secret underground mole robot tapping in to buried data lines, I'm not giving away a national secret if I tell my client, "Y'know, lets run our data lines on phone poles," so long as I don't tell them exactly why I like that idea.
  • The difference between Manning and this prick is that this prick is making a profit out of selling the secrets.
  • So the Congress believes there's no art or science to computer security besides classified information? This is like saying that any soldier who ever went on a classified mission can never market to an employer that he has military experience. This is ludicrous.

"Your mother was a hamster, and your father smelt of elderberrys!" -- Monty Python and the Holy Grail

Working...