Former NSA Chief Warned Against Selling NSA Secrets 138
An anonymous reader writes Former NSA Chief General Keith Alexander has apparently started his own cybersecurity consulting firm, IronNet Cybersecurity, and approached the banking industry pitching his company's suite of services. Word from Wired indicates that his services cost $1 million per month with a special discount asking price of $600,000 per month. Congressman Alan Grayson (D-FL) expressed concern about General Alexander's activities to the banking industry, stating, "I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods....Without the classified information he acquired in his former position, he literally would have nothing to offer to you." (PDF) The congressman from the House of Representatives reminds the bankers (and General Alexander, should he be listening) that selling top secret information is a federal offense.
bridge for sale (Score:5, Insightful)
The whole Snowden affair demonstrated that they still managed some epic fails.
But sure
Re:bridge for sale (Score:5, Insightful)
This.
Detecting and stopping an insider from downloading a library of proprietary/classified info outside their job description? Fail.
Capable of searching emails to fulfill a court order for information? Fail.
Bringing a basic (if high-end) new datacenter online? Fail (for not securing a reliable source of electricity).
Obeying the rules that govern their core mission? Fail. Performing their core mission? Fail.
No doubt, the NSA remains every bit as scary as ever, but in more of a "CIA goon" sense than their traditional so-flawlessly-smooth-you-won't-even-know-what-happened reputational sense.
NSA = No Sensible Administration ? (Score:5, Insightful)
Michael Moore is a self-taught movie maker. His movie about U.S. government corruption in secret agencies, Fahrenheit 9/11 [boxofficemojo.com], made $222,446,882. It's not like extreme U.S. government corruption is unknown.
There is a HUGE conflict of interest, and the U.S. government seems to have no influential methods of dealing with conflicts of interest. If there is security, people who work for the NSA are less likely to be promoted, and may lose their jobs. That is a powerful reason for NSA employees and management, and other secret U.S. government agencies, to create more insecurity. Since they work entirely in secret, no one can stop them.
U.S. government policies allow many secret agencies. I find it odd that news stories assume that, other than doing things that almost no citizens want, the secret agencies are otherwise well-managed. Numerous examples show that they aren't. For example, Edward Snowden [wikipedia.org], an employee of an NSA sub-contractor, was able to walk away with all the data.
To me, it is also odd that news stories assume that the NSA works to improve security of the U.S. and U.S. citizens. For example, the book House of Bush, House of Saud [wikipedia.org] explains that the Bush and Cheney families worked for the Saudis, who paid them billions for their help. The U.S. taxpayer paid for the arms, military presence, and violence that supposedly was free security for the Saudi government, but actually was, as Saudi acquaintances I met in a gym said long before the 9/11 attack, Saudi government oppression of the Saudi people.
Why does the NSA record phone calls? Is it because learning about some of those calls makes money for someone in control? Investment information, perhaps?
The U.S. government's war in Iraq is now being called a "mistake". For example, Hans Blix: Iraq War was a terrible mistake and violation of U.N. charter [cnn.com]. It wasn't a "mistake", other articles say, it was deliberate deception. For example, Stop Calling the Iraq War a 'Mistake' [huffingtonpost.com].
NSA = No Sales for America. The NSA is a powerful advertisement that anything complicated made by a U.S. manufacturer may have intentional defects or surveillance methods.
Re: (Score:2)
Detecting and stopping an insider from downloading a library of proprietary/classified info outside their job description? Fail.
It seems like a lot of people seem to have ignored the detail that Snowden picked Hawaii because it didn't have access controls yet.
The NSA and DoD have been rolling out software upgrades across their facilities specifically to prevent another Manning.
Hawaii was not upgraded, Snowden knew this, and he used this knowledge to pilfer data without restrictions.
Re: (Score:2)
If I wanted security, the idea that Snowden just went where he knew the security was bad wouldn't really impress me.
Re: (Score:3)
You'd have to be a fool to think the NSA would keep dumping money and resources into programs that weren't yielding good intel.
I think you're the fool if you really think that. think about it. nobody, really nobody(is supposed to), is going to find out about the quality of the intel. people involved with the decisions are gettin money from the money dumping. so you really think they wouldn't keep dumping money and resources into programs that weren't producing good intel? they could always even argue to themselves that whatever bullshit program they're in charge of _might_ yield some intel some day maybe and thus it's worth dumpin
Re: (Score:1)
Somehow I seriously doubt that, there really is nothing Snowden leaked that was jaw dropping. It's pretty much information that some of Jane/Joe public knew about or suspected
Not really. Jane/Joe public is a moron, and trusts Jesus is looking out for them.
You can spel korectly and reason. You have no knowledge of Jane/Joe public.
Jane/Joe public is fighting to survive and pay the bills. Or fending off their spouse from beating them.
Or abusing their children. Or hooked on drugs.
Worrying about conspiracy theories is the last thing on their mind.
Jane/Joe public would gladly sign up for such a thing, because they need the money. There is no concept of "this is wrong" or "that's not h
Re:bridge for sale (Score:5, Interesting)
Actually I'm going to disagree with you there. Yes, Snowden was a loss for the NSA, but not a fatal loss.
Gen. Alexander presided over and participated in an epic expansion of the NSA budget, mandate, and importance. They achieved the nirvana of government existence: To become a mover and shaker. The NSA now overshadows the CIA and FBI in importance.
The Snowden disclosures threaten that status, but notice that none of the limitations on the NSA have actually happened yet. Lots of talk but little action. The government likes it's pervy magic database of secrets and private communications. Sure it's constitutionally infringing but hey, terr'ists!!
And even if the golden age of spying winds up being curbed, Gen. Alexander can always find a way to blame someone else, or say "it' was one unfortunate mistake, lessons were learned, I wasn't properly informed, etc."
Re: bridge for sale (Score:1)
Re: (Score:2)
Yes, Snowden was a loss for the NSA, but not a fatal loss.
That's perhaps what they think but it's a questionable. Without his disclosures they would never have fixed their utterly ridiculous internal security. If it took just one external consultant to grabb all this information, they cannot seriously believe that a foreign intelligence agency hadn't been capable of doing the same.
What is strange is that neither Clapper nor Alexander are being prosecuted for Contempt of Congress.
Re: (Score:3)
I was going to write a reply saying the banking industry comprises private--not government--money. But hilarity ensued as I struggled to word my post carefully enough to defeat trolls telling me I was overlooking the bank bailouts of half a decade ago. After a while I realized I couldn't make my case and decided you're right--it is government spending.
So congrats on being even more cynical than I am. Care for an ennui contest?
Not a good sales pitch: (Score:5, Insightful)
Re:Not a good sales pitch: (Score:5, Insightful)
Alexander's forte seems to be using brute force to break the security of others, not actually keeping an organization secure.
It sure is a good thing that the banking industry is a bunch of totally upstanding, honest, guys, steeped in a culture of prudent moderation, who definitely wouldn't have any interest in the potential applications of NSA-tested 'tailored access operations' for shareholder value, enhanced lobbying, and other exciting things; or the colossal hubris necessary to not even think twice about doing so.
Re: (Score:2)
You owe me a coffee! :-)
Re:Not a good sales pitch: (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Perhaps that's his pitch?
The best defense is a good offense. Instead of fixing your security flaws, just make sure that getting to important systems will take some time, and be detected. Then wait for attacks to start, counterattack, and wipe out the attacker
Re: (Score:2)
Didn't realize pentesting was a $1,000,000/mo subscription service.
I've obviously been undercharging.
Re: (Score:3)
The sort of services being offered are easily worth USD $1M/month when you consider who the clients are, the scale of their operations, the degree to which their systems are interconnected with those of other institutions (large and small), and the complexities involved with regulatory/legal/reputation compliance and management. Risk management and threat analysis are not simple subjects.
To put it simply, these aren't your sort of client engagements.
Poor guy... (Score:5, Insightful)
So the poor general can't participate in the usual dance of former Washington insiders who use cronyism and connections to enrich themselves after 'serving' in government?
There should be a name for that... like 401(c)... where c stands for crony capitalism.
Re: (Score:2)
So the poor general can't participate in the usual dance of former Washington insiders who use cronyism and connections to enrich themselves after 'serving' in government?
There should be a name for that... like 401(c)... where c stands for crony capitalism.
What's more hilarious is that, apparently, the only thing to General Alexander's credit as head of the NSA was his ability to keep secrets. He was literally "the most powerful cyber-lord in the world" (for lack of a better term) and his only qualification was keeping secrets? He didn't bring anything to the table in terms of management skills, best practices, or good judgement via foresight? Because that's what you have to read into a statement like "..Without the classified information he acquired in hi
Laugh-worthy (Score:2)
"Without the classified information he acquired in his former position, he literally would have nothing to offer to you."
Oh brother. A former work colleague saying "You'd be nothing without us!"
It's not like a person exists outside of their job, or can ever learn new things, right?
Re: (Score:1)
It's also blatantly not true. Even if he learned about some hundreds of network and OS vulnerabilities because he authorized NSA branded custom exploits to use them, the knowledge of the vulnerabilities is not classified, only the behavior of the NSA proprietary exploit tools. As long as he is fixing the exploits and not just tweaking them so the NSA toys can't use them (until the next internal revision), his knowledge is fair game for him to use for personal profit.
Re: (Score:2)
Exactly my point... If you learn a skill at your job, your employer cannot strip you of that skill when you leave.
Obviously selling government secrets is different from saying here's how you implement industry best practices to create security processes.
If the government had a secret security-bypassing technique, and had educated him on its use, he may or may not be obligated under his new employer to close the hole. And as a constituent of that government, I would approve of that use of that information.
Re: (Score:1)
Some employers try, with non-compete clauses.
Re: Laugh-worthy (Score:1)
The government has non-compete clauses.. With guns and jail!
Given all the things the "NSA cannot tell Congress" that are secret I'd think that most information this guy has is not usable. Because anything you learn working for the NSAis by definition secret until explicitly declassified ...
Re: (Score:1, Informative)
If he had knowledge of a secret security bypassing technique, closing the hole would (necessarily) disclose relevant classified information to the client. Which would be illegal...
Re: (Score:2)
That assumes that the existing client staff wouldn't have a clue about how to compare the systems baselines before his security changes with the state of the systems after. The diffferences between the two states would contain the "secret".
When someone who formerly dealt with highly classified information in
Re:Laugh-worthy (Score:5, Interesting)
It is? Odd that someone as insignificant as me has it in his contract that any kind of "internal knowledge" he gains (and, bluntly, if an exploit isn't considered internal knowledge in a TLA, what is?) must not be used outside of very well defined areas of work for at the very least 2 years, while someone as the NSA head honcho gets a free pass to use such knowledge as he pleases.
Re: (Score:3)
Nope. I've talked about this with many lawyers. It varies by state. In CA, non-compete clauses are basically unenforceable. In TX, where I live, they're the law of the land.
-Chris
Re: (Score:2)
Nope. I've talked about this with many lawyers. It varies by state. In CA, non-compete clauses are basically unenforceable. In TX, where I live, they're the law of the land.
-Chris
You need to talk to a better attorney then (if you're near Austin I can recommend Tom Nesbitt - IANAL but I do consult with them when I have questions like this). Even in Texas there's a long list of things that a company has to do in order to enforce a non-compete clause including but not limited to showing that your actions caused them real harm. I prefer to follow both the letter and the spirit of those agreements, but its always good to know how much is actually enforceable.
Your current company does n
Re: (Score:2)
It is? Odd that someone as insignificant as me has it in his contract that any kind of "internal knowledge" he gains (and, bluntly, if an exploit isn't considered internal knowledge in a TLA, what is?) must not be used outside of very well defined areas of work for at the very least 2 years, while someone as the NSA head honcho gets a free pass to use such knowledge as he pleases.
It's hard to imagine that the banking industry is seen as competing with the NSA (in the sense that a non-compete would be enforceable)... Or is it?
Re: (Score:2)
Well, both are propped up by the taxpayer and it's questionable whether they work in his interest, to the point where people are actually hitting the streets to protest against them, so, well, in a way...
Re: (Score:2)
The NSA should have put a clause in his employment contract preventing him from competing against them for the next X years.
Re: (Score:2)
Erh... that would be akin to a occupational ban. I mean, as soon as you even as much as reach towards anything that could remotely be considered "security" you are essentially in competition with the octopus the NSA is...
Re: (Score:2)
Sanity in laws? Were they drunk when they passed it? Didn't anyone check what they signed there, I mean, that's like so ... sensible and anti-corruption.
What's wrong with your government?
Re: (Score:2)
Re: (Score:2)
I believe their charter covers both securing US data and reading everybody's data.
Re: (Score:2)
Re: (Score:2)
I'm afraid I only have examples of where they weakened cryptosystems, not when they secured data. They may not actually be good at all of their jobs.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yeah, the jumping back and forth doesn't happen when you wear the uniform, or did you miss the General part. Not defending General Alexander here just commenting on the lack of moving from government to industry and back.
Re: (Score:2)
Re:Laugh-worthy (Score:4, Insightful)
My point was merely that Alexander's CV has very little on it that isn't either irrelevant to his potential customers (at least I hope our financial sector isn't looking for armored warfare expertise...) or closely connected to a series of fed jobs that just keep getting more heavily classified as time goes on.
Hmm let's see if you can pick out the spot where he would be versed only in armored warfare expertise or looking at secret documents all day (this is his CV for the past 15 years):
Director of the National Security Agency (DIRNSA)
Chief of the Central Security Service (CHCSS)
Commander of the United States Cyber Command
Commanding General of the U.S. Army Intelligence and Security Command
Director of Intelligence (J-2), United States Central Command
Deputy Director for Intelligence (J-2) for the Joint Chiefs of Staff
Head of the Army Intelligence and Security Command
Do you think it's possible, after working (ostensibly successfully) as the head of so many organizations, that he knows nothing about management, leadership, best practices, and nonclassified security methodologies (of which there are many)? Do you honestly think he spent 10 years, as the head of these orgs, pushing top secret papers across his desk instead of having his underlings take care of all of that? Come on. Furthermore, I think a lot of commentators on this thread have a complete misunderstanding of what a high-level consulting firm does. Hint, it has nothing to do with configuring firewalls and antivirus apps. Big multinationals will gladly pay $1M for advice as simple as "choose off the shelf security package A, instead of B" as long as it comes from someone whose credentials are beyond repute. He doesn't have to say anything about top secret operations, techniques, or sources, he just has to put his name behind something.
Try him and not Snowden then (Score:5, Insightful)
Snowden didn't reveal NSA secrets for his personal profit.
Re: (Score:1)
Share knowledge with everyone, stuck in Russia indefinitely.
Share knowledge with the rich fat cats, profit immensely.
Same message, drastically different outcomes.
Sounds like the American way to me.
Re:Try him and not Snowden then (Score:5, Interesting)
It's very un-American to do something without the plan to profit from it!
Re: (Score:2)
If Jesus was so in favor of the poor, why did he spend his considerable income building a large, ornate church in Salt Lake City?
Re: (Score:2)
He didn't. That was his CEO and you bet that he's going to get pissed come review time.
There's a reason most US churches teaches you to fear the lord. They have reason to fear him. If you made a religion of peace, harmony and compassion and some people take it and turn it in a religion of hatred, control and bigotry, would you be pissed?
Now imagine how pissed you'd be if you were allmighty.
Re: (Score:2)
Snowden is cheaper (Score:1)
he'll give it to you for free .. you can put up the $1 Million towards wikileaks as donation ..
Re: (Score:2)
Selling it is a federal offense.
Giving it away is treason.
Re: Snowden is cheaper (Score:5, Insightful)
No, it merely means that for selling it you get to go on a trial where in the end you get to make some kind of deal with the state where you can keep half the profit and the other half disappears in some war purses for deals that you don't want to explain why you need funding for them.
If you hand it out for free you get to Gitmo. There's no profit in making a deal with you, you have no money you could offer.
Re: (Score:2)
You know, sometimes I absolutely hate it when you say things that make sense.
There's no profit in making a deal with you, you have no money you could offer.
This is one of those times.
Re: (Score:2)
Sorry. I promise to watch more Fox News 'til that last shred of sensibility is gone, too.
Depends... (Score:2)
On how guilty the ones accusing you of treason actually are, IMHO.
Who do you think is the traitor here, Snowden?
I certainly don't think so, and neither do a bunch of other people. We all get to vote this fall. :)
I realize all the good jobs are in the Govt; around here they get handed down from generation to generation, lol.
That doesn't make me any more supportive of the whole Gestapo-ization of America; I think that's a bad thing, personally.
Re: (Score:2)
Repeating Big Lies from authoritarians makes you either a fascist or a monarchist. Which is it?
Re: (Score:2)
Which one makes you not have a sense of humor?
Re: (Score:2)
Repeating state propaganda is funny?
Re: (Score:2)
Depending on how it's done, yeah.
In case it wasn't obvious mine was intended to be funny to show the disconnect in lines of thought, that somehow doing something illegal for personal gain is less serious than doing it because you think it's the right thing to do.
Smacks of Carmack (Score:2)
Re: (Score:2, Insightful)
Sure, secrets are secrets. But is *everything* they learned on the job is a secret?
No, not everything.
But if it's something you're trying to sell it for a million dollars a month, those parts are probably secret.
Re:Smacks of Carmack (Score:5, Insightful)
1. When you've worked at a very high level the NSA;
2. When you are selling security information/services; and
3. When your asking price is far higher than competitive services by people who've worked at it far longer than you outside of the NSA,
What do you imagine lies in between publicly known and classified that justifies the price premium? Was he developing security procedures on his own time or at his second job?
Re: (Score:1)
Sure, secrets are secrets. But is *everything* they learned on the job is a secret?
Ask the CIA -- they would probably stamp TOP SECRET on his forehead and mark him as classified if they were allowed. NSA, well, they're a part of the army AND part of national security. You're not dealing with standard trade secrets here, you're dealing with national secrets. Usually they err on the side of caution with those, as we've seen with all the denied/delayed/redacted FOIA requests lately.
He seems like a bright guy and knows his way around political circles, but starting a company that appears t
Re: (Score:2)
but zero audit flags. right? RIGHT?
Re: (Score:2)
Yup. He had no money to bargain with for a sweeter deal.
He doesn't need to reveal secrets (Score:3)
Re: (Score:3)
He needs to hire people who have the skills and experience addressing specific vulnerabilities. Ideally those people got that outside of TS work. He is the rainmaker that opens doors.
Judging by his cozy reception at last Defcon this shouldn't be a problem at all.
Re: (Score:2)
Exactly. He doesn't need to do squat. He's implicitly selling the idea that he will be using all those secrets to help out his clients, but it's a flim-flam; he doesn't actually have to do it. And he was the head of the NSA, an administrator...what's the chance he knows much in the way of recent technical details anyway?
Re: (Score:2)
Exactly. He doesn't need to do squat. He's implicitly selling the idea that he will be using all those secrets to help out his clients, but it's a flim-flam; he doesn't actually have to do it.
I wouldn't call it film-flam nor implicitly selling the idea that he will be using all those secrets. He brings an executive understanding of the types of threats and how to explain them in a way senior leaders can understand and offer a team that can help address the threats a company may face. His company can address them without ever revealing any secrets he learned during his stint at NSA.
And he was the head of the NSA, an administrator...what's the chance he knows much in the way of recent technical details anyway?
His technical skills are largely irrelevant, that's his staff's role. Being head of NSA, on the other hand, gives hi
Re: (Score:2)
Completely agreed. He can also use his network of (public) contacts to make introductions between threatened enterprises and the right people to fix them - or introducing peers who have had similar issues but aren't happy being completely public about that fact yet both trust him to use that knowledge for their benefit. Getting your security vendor wrong could be a very expensive mistake.
Future irony alert (Score:2)
remind me (Score:4, Interesting)
Am I confused, or is this the same amoral sack of shit who lied to Congress with a straight face about NSA activities???
Re:remind me (Score:5, Interesting)
Am I confused, or is this the same amoral sack of shit who lied to Congress with a straight face about NSA activities???
Yep. Circumventing the law, lying to Congress, sounds like a perfect match for the banking industry.
Re:remind me (Score:5, Interesting)
Re: (Score:1)
>Yes, I think it's the same sack of shit that was involved in directing funds to the IRA in the 80's.
And so part of the scum who tried to kill my mother [bbc.co.uk]. She's still alive and well by the way, but many others died.
Re: (Score:2)
protocals. They need to adhere to the Federal Enterprise Architecture Data Reference Model.
That is obviously misnamed, Data and Reference need to be reversed, so it's the "Federal Enterprise Architecture Reference Data Model", or to shorten it the "FEAR Data Model".
As opposed to someone that's crossed the line? (Score:1)
The congressman from the House of Representatives reminds the bankers (and Edward Snowden, should he be listening) that selling top secret information is a federal offense.
FTFY.
No no its ok (Score:2)
It is ok if a government official sells state secrets, or gives preferential treatment to industry for money. This is the reason why they get high power government jobs n the first place. Look at the FCC, for instance. Their chairman is directly owned by industry. It is only plebs like Snowden that get prosecuted.
$600,000 a month? (Score:2)
I could buy some needy obstetrician a malpractice policy for that amount.
Hush Money Perhaps? (Score:2)
Hmmm. The Director of the NSA might encounter all sorts of information about the Big Money Boys that they would rather not be known generally. Would that information necessarily be classified? But whether or not it is, being paid NOT to disclose it would surely not be a violation of security. Wall Streeters might regard a million a month mighty cheap insurance...
He already made the sale, this is just the collect (Score:2)
This venture, it seems to me, is just a way to legitimize the payback for services he has already rendered while he was at the NSA. His 'clients' already know who they are, and they will expect to get nothing more concrete for their million per month than his continuing influence (or perhaps silence) in certain matters.
The negative space isn't a national secret, (Score:2)
Release Manning and shove this guy in the cell (Score:2)
What? (Score:2)
So the Congress believes there's no art or science to computer security besides classified information? This is like saying that any soldier who ever went on a classified mission can never market to an employer that he has military experience. This is ludicrous.
What perjury? I don't remember him doing that... (Score:3)
Where did he conduct perjury? I don't think he did. He LIED plenty but that is not a crime. Contempt of Congress etc? Well, something they seem to love to do is to NOT swear in these officials "out of respect" so while you may testify to congress under oath and they may require you to do so, these people are allowed to skip the disrespectful procedure. (Besides they feel there are legitimate public lies these officials have to make from time to time... which they could simply decline or put it off for th