How Much Does Keith Alexander’s Patented Solution for Creating Fear Depend on CISA?

Keith Alexander has attempted to explain his million dollar salary demands for cyber consulting to Shane Harris. This story doesn’t necessarily hang together any better than his claims about NSA’s spying.

Alexander is worth a million a month, he says (though he already dropped his price to $600K) because he has a unique approach to detecting persistent threats that he plans to patent.

The answer, Alexander said in an interview Monday, is a new technology, based on a patented and “unique” approach to detecting malicious hackers and cyber-intruders that the retired Army general said he has invented, along with his business partners at IronNet Cybersecurity Inc., the company he co-founded after leaving the government and retiring from military service in March.

Alexander developed the technologies behind these patents — which Alexander says would address precisely the kind of attacks he facetiously argues have carried out the greatest transfer of wealth in history, the ones attacking the US — in his spare time.

A source familiarly [sic] with Alexander’s situation, who asked not to be identified, said that the former director developed this new technology on his private time, and that he addressed any potential infractions before deciding to seek his patents.

To which Harris asked the obvious question: if this solution is so great, then why not implement it while he was still in government? Why not save America from that greatest transfer of wealth in history?

Alexander then added that his solution relies on behavioral analysis one of his partners contributed.

Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do.

[snip]

Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn’t considered. It’s these methods that Alexander said he will seek to patent.

Perhaps the best (anonymous) quote Harris includes in his story is a “former national security official with decades of experience in security technology” who says such behavioral models are highly speculative and have never before worked. 

So it’s possible that Keith Alexander is simply going to sell his new approach to a bunch of chumps who have gotten rich trading off of algorithms — proof behavioral models “work” even if they don’t work! — and therefore believe they will work to find persistent threats.

The guy who couldn’t find Edward Snowden absconding with thousands of files and his friends the big banks are going to start policing their networks by using algos to find suspicious behavior.

Harris sort of alludes to one problem with this scheme. Alexander used his perch at DIRNSA to create this market. As Harris points out, that’s in part because Wiper — a variant of the Stuxnet attack developed under Alexander’s tenure — is what the banks are so afraid of.

That will come as a supreme irony to many computer security experts, who say that Wiper is a cousin of the notorious Stuxnet virus, which was built by the NSA — while Alexander was in charge — in cooperation with Israeli intelligence.

That is, Alexander will get rich helping banks defeat the weapons he released in the first place.

More generally, too, this fear exists because Alexander sowed it. The banks are responding to the intelligence claims Alexander has been making for years, whether or not a real threat exists behind it (and whether or not resilience would be a better defense than Alexander’s algos).

One more thing: as far as we know, in addition to inventing this purportedly new technology in his free time, Alexander was consulting with his partners — which as far as we know include Promontory Financial Group and Chertoff — while he was DIRNSA. So it’s not just the underlying technology, but the discussions of partnership, that likely derive from Alexander’s time at DIRNSA.

And that seems to be the fourth part of Alexander’s magic sauce (in addition to the tech developed on the government dime, his ability to sow fear, and partnerships laid out while still in the private sector). After all, with Alexander out of his NSA, where will he and his profitable partners get the data they need to model threats? How much of this model will depend on the Cyber Information sharing plan that Alexander has demanded for years? How much will Alexander’s privatized solutions to the problem he couldn’t solve at NSA depend on access to all the information the government has, along with immunity?

To what degree is CISA about making Keith Alexander rich?

 

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

9 replies
  1. bloopie2 says:

    When an employee invents something that is directly related to his work, even in his spare time, that invention is owned by the employer. Basic law. Especially if the employee is a high level manager; they owe a fiduciary duty to their company. So if Alexander invented as he says he did, the government owns it, and he should be paying royalties to the government – assuming they give him a license to practice the invention.

    Otherwise, it’s simple thievery – and not the cyber kind.

    • sb says:

      Might not always be true: One example is that of a courtesy clerk/bagger employed by a grocery store: he invented and patented a better cart. As I recall, the court held it was not his job to design grocery carts so check-out bagger guy fended off the corporate lawsuit. But I do agree with your conclusion: in a similar sense, it was the General’s job to do exactly that and supervise-invent a better cart. So it now certainly seems a theft of public property, and the “doing it on his own time” is patently ridiculous and doesn’t cut it. When was he ever “off the clock?” Even more important is the strange possibility and perception of a shake-down threat of being “wiped” if one does not subscribe. It makes the case for a cooling off period, once again, from the intelligence complex to the private sector. Racketeering, indeed. It’s OOC.

    • Steve Gardner says:

      Unfortunately the law doesn’t seem to apply anymore. There is a class of banker, hedge fund manager, politician, and government official to which laws are not relevant. Surely you have noticed. Bin Laden wrote the get out of jail card for all of them. 911 was when the law died in this country.

  2. TarheelDem says:

    When does Keith Alexander cross the line on the espionage laws?

    How likely is he to have espionage charges brought against him when he does?

    Do people like Keith Alexander get stripped of clearances when they leave or does the old boy (and girl) network ensure that he is kept in the know with impunity no matter what he exposes?

    Now, members of Congress, can we strip this whole charade of secrecy and classification away from this rotten commercial racket conducted under the cover of “national security”?

    • Steve Gardner says:

      People as connected as Alexander don’t cross lines. They draw them. I think I see the birth of a whole new genre of joke—along the lines of a Chuck Norris joke.

  3. edge says:

    I wonder if he gathered market research while in office. I’m not accusing him of targeting American companies for the purpose of his future business ventures. But, if info on particular companies, or employees of those companies, that were seeking this kind of help were to happen to come to his attention during his duties, he couldn’t be expected to forget that sort of information. If perhaps he had the numbers of Wall Street personnel who called security researchers, or attended security conferences, that info could do nothing but help him now.

  4. Ernest Fuentes says:

    Marcy:

    The legal/intellectual prop part of me just noticed: Reminder to change your copyright to 2014 at bottom of blog.

  5. Kevin says:

    I don’t fault this dude for wanting to be a tech entrepreneur. That’d be a decent thing to do–contribute value to the world, take a risk, and make some cash along the way. However, it looks like the revolving door starts spinning while these guys are still doing their “selfless” and super serious public service work protecting us from hordes of faceless bad guys.

    Using his “official” position to propel his private venture is just gross.

    I think the appropriate response to these people–many of whom appear to be grown-up cosplay enthusiasts (star trek command center, chest full of medals/merit badges)–that fuel their hobbies and enthusiasms with public dough–is mockery.

  6. sarah says:

    The very definition of a racket…creating a problem and then charging an exorbitant price for the solution.
