Cybersecurity

Keith Alexander Wants to Patent Having No Knowledge

Have you noticed that every time someone covers all the patents Keith Alexander is getting for his cybersecurity boondoggle, the number of patents grows?

In this installment, it is 10.

IronNet is working with lawyers to draft as many as 10 patent applications in which the NSA would have no stake. Alexander said the “real key” to the patents was a person who never worked for the agency.

[snip]

In addition to dispensing advice, IronNet is working with lawyers to draft as many as 10 patent applications that will include Alexander as co-inventor on one and “maybe a few others,” he said. 

Of course, no matter how many patents it will be, Alexander is still left with the problem of explaining either why this isn’t stuff taxpayers paid for at NSA, or why Alexander didn’t implement these whiz-bang solutions while in charge of NSA.

So he’s inching closer and closer to one that might work: he’s going to patent having no knowledge.

Current cybersecurity strategies assume the defender knows what threats are present, and can quickly identify them by their digital profile, known as their signature. Alexander said IronNet’s approach is to counter those attacks as quickly as possible, without that prior knowledge.

“All the patents and stuff that people work on today assume knowledge of the threat,” he said. “What it means is a new approach. Something that’s never been used.”

It’s surely a novel approach — attacking perceived threats before you’re sure what that threat is. I’m just not sure how well it’s going to work.

While Alexander is busy shoring up his 10, 11, 12 patents, I think I’ll rush to copyright my new novel, in which a hubristic cybersecurity profiteer takes down the entire banking system by attacking core finance functions he identifies as attacks.

The Article 5 Cyber-Trap

The other day, I noted the dodginess of the evidence behind claims that Russia had launched a sophisticated cyberattack on JP Morgan. I suggested one reason people like Mike Rogers might be crying wolf was to support a plan to reimburse the banks in case of a massive attack.

But there’s another, even more obvious explanation.

NATO just added cyberattacks to its definition of attacks that would merit a unified response. Citing Russia’s Special Forces tactics (the same ones we’re using in something like 80 places around the world), including its cyberattacks, General Phillip Breedlove today ratcheted up the fear of Russia. (h/t Joanne Leon)

Russia’s utilization of troops without national uniforms — the so-called “little green men” — and perhaps “the most amazing information warfare blitzkrieg we have ever seen in the history of information warfare” were part of the first Russian push in Ukraine, Breedlove said.

NATO members, especially the Baltic states that border Russia, must take into account such tactics as allies prepare for future threats, he said. That means steps should be taken to help build the capacity of other arms of government, such as interior ministries and police forces, to counter unconventional attacks, including propaganda campaigns, cyberassaults or homegrown separatist militias.

So go back to the alleged JP Morgan attack no one seems to have any evidence to substantiate. It was often attributed as arising somewhere in Eastern Europe. Which could be Russia — or Ukraine. Both countries, in fact, have significant numbers of organized criminals that launch fairly sophisticated cyberattacks.

How convenient, then, to ratchet up the cyberfear when unattributable attacks from the general region have been made a casus belli for the entire alliance.

Lying Keith the Kapitalist

On Sunday I asked who was crying wolf — JP Morgan itself, or Mike Rogers — about the claimed JP Morgan attack that might not be a serious attack at all and had been attributed to Russia without yet proof of that.

So who should crawl out of his sinecure but Keith Alexander?

Keith Alexander, the NSA director from 2005 until last March, said he had no direct knowledge of the attack though it could have been backed by the Russian government in response to sanctions imposed by the U.S. and EU over the crisis in Ukraine.

“How would you shake the United States back? Attack a bank in cyberspace,” said Alexander, a retired U.S. Army general who has started his own cybersecurity company to sell services to U.S. banks. “If it was them, they just sent a real message: ‘You’re vulnerable.’”

[snip]

The hackers who attacked JPMorgan, the biggest U.S. bank, were “a group with exceptional skills or a nation-state backed group,” Alexander said in an interview yesterday at Bloomberg’s Washington bureau.

[snip]

“If you wanted to send a message, do you think that was significant enough for the U.S. government to say one of the best banks that we have from a cybersecurity perspective was infiltrated by somebody?” Alexander asked. “And if they could get in to do that, even if they never use it, they could get in and collapse it. Does that cause you concern?”

Note how Alexander admits he has no personal knowledge of the attack but then opines about the skills of the hackers and goes from there to hypothesize how this was a response from Russia?

So maybe it wasn’t JP Morgan or Mike Rogers crying wolf. It sure looks like Alexander is willingly feeding the poorly evidenced claims about this hack.

But don’t worry, Keith Alexander doesn’t have a conflict of interest at all.

Internet Cats, Weaponized: US Defense Contractor Consulted on Targeted Network Injection Surveillance for Commercial Sales Abroad

[photo: liebeslakritze via Flickr]

[photo: liebeslakritze via Flickr]

First, a caveat: I would not click on the links embedded in the story I’m recommending (I’m this || close to swearing off embedded links forever). I don’t trust traffic to them not to be monitored or exploited.

But as Jeremy Scahill tweeted last evening, read this piece by WaPo’s Barton Gellman on malicious code insertion. This news explains recent changes by Google to YouTube once it had been disclosed to the company that exploits could be embedded in video content as CitizenLab.org explains:

“… the appliance exploits YouTube users by injecting malicious HTML-FLASH into the video stream. …”
“… the user (watching a cute cat video) is represented by the laptop, and YouTube is represented by the server farm full of digital cats. You can observe our attacker using a network injection appliance and subverting the beloved pastime of watching cute animal videos on YouTube. …”

The questions this piece shake loose are Legion, but as just as numerous are the holes. Why holes? Because the answers are ugly and complex enough that one might struggle with them. Gellman’s done the best he can with nebulous material.

An interesting datapoint in the first graf of the story is timing — fall 2009.

You’ll recall that Google revealed the existence of a cyber attack code named Operation Aurora in January 2010, which Google said began in mid-December 2009.

You may also recall news of a large batch of cyber attacks in July of 2009 on South Korean targets.

The U.S. military had already experienced a massive uptick in cyber attacks in 1H2009, more than double the rate of the entire previous year.

And neatly sandwiched between these waves and events is a visit by a defense contractor CloudShield Technologies engineer from California, to Munich, Germany with British-owned Gamma Group. Continue reading

NSA’s Plans to Excuse Their Hacker Fuck-Ups: Blame Israel

Wired has a very fascinating interview with Edward Snowden. You should go read the whole thing, among other things, for the swell picture of Snowden posing with Michael Hayden at some black tie event in 2011.

But I wanted to point to this incident.

One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

I assume — but am not certain — this was the outage in question. If so, the response is instructive. At least 3 US-based Internet security firms reported that Syria had brought down the Internet. Were they making stuff up, unable to determine what really happened, or just repeating something US officials told them?

I’m just as interested that — just 6 months after David Sanger’s reporting on how the Israelis let StuxNet escape…

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

NSA’s hackers joked they might hide a major fuck-up by blaming Israel.

I’m sure that’s all just a coinkydink, though.

Keith Alexander’s Cyber Circle Jerk Gets Worse

As I noted earlier today, last year Keith Alexander’s CyberCommand forces got their asses handed to them by civilians in a cyber war game.

“They were pretty much obliterated,” said one Capitol Hill staffer who attended the exercise. “The active-duty team didn’t even know how they’d been attacked.”

Nevertheless, here is one of the things he told Ken Dilanian in his second “exclusive” interview attempting to explain why he should get rich in the private sector capitalizing on 9 years of fear-mongering about cyber.

“If I retired from the Army as a brain surgeon, wouldn’t it be OK for me to go into private practice and make money doing brain surgery?” he asked. “I’m a cyber guy. Can’t I go to work and do cyber stuff?”

Alexander’s story has changed a bit since his last attempt  to explain himself, to Shane Harris. The number of patents he’ll get expanded from 9 to 10.

His firm is developing as many as 10 patents, he said, and has secured contracts with three clients he declines to name.

And he claims — after apparently not challenging the underlying $1 million a month claim to Harris — that his rates were always overblown.

Reports of his firm charging $1 million a month for consulting services are not accurate, he said, though he declined to disclose his firm’s fees.

“That number was inflated from the beginning,” he said.

But that’s not the best bit. In addition to revolving door shadow regulator Promontory Financial Group (which goes unmentioned in both stories) and the Chertoff Group, Dilanian reveals who gave Alexander the advise he could get rich off serving the last 9 years in a top national security position: Someone who spent those same years in a top national security position.

Lawyers at NSA and his private lawyers— including former FBI Director Robert Mueller, now with the Wilmer Hale law firm in Washington — have told him he is on firm legal footing, Alexander said.

These exclusives are all well and nice, but both of them ignore the reports about Alexander serving as the lead to set up a public-private partnership between the banksters and the national security state to infringe our privacy in order to keep the banks safe (heck neither mentions his known contract with SIFMA).

Until exclusives actually ask Alexander about the known thrust of this program, they’re going to help his credibility no more than the exclusives with the same journalists explaining NSA spying did.

The President Who Demanded Stanley McChrystal’s Resignation Is Not Sheltering the NatSec Bureaucracy

As I have repeatedly noted, I think President Obama will protect John Brennan — and the CIA more generally — because of the mutual complicity built in between CIA and the White House over covert ops.

It’s not just that CIA knows the full details of the drone killings Obama authorized on his sole authority. It’s also that the CIA is still protecting the Office of the Presidency’s role in torture by withholding from the Senate documents over which the White House might — but did not formally — claim Executive Privilege. Obama did the same thing when he went to some lengths to prevent a very short phrase making it clear torture was Presidentially-authorized from being released in 2009; it wasn’t just the Finding that still authorized his drone strikes the President was protecting, but the Office that George Bush sullied by approving torture.

I also think Obama will stand by Brennan because they have worked closely so long Brennan is one of Obama’s guys.

Bloomberg View’s Jonathan Bernstein doesn’t agree, however. After dismissing Conor Friedersdorf’s version of the mutual incrimination argument, he suggests Obama is simply demonstrating to the national security bureaucracy he’s on their side.

Obama is concerned -– in my view, overly so -– with demonstrating to the intelligence bureaucracy, the broader national security bureaucracy, and the bureaucracy in general, that he is on their side. The basic impulse to stand up for the people he appointed isn’t a bad one; nor is the impulse to demonstrate to the intelligence community that he is no wild-eyed peacenik softie who opposes the work they do. For one thing, he’s more likely to effect change in national security areas if experts in the government believe he’s at least sympathetic to them as individuals and to their basic goals, even if he questions some of the George W.Bush-era (or earlier) methods. For another, the ability of bureaucrats to hurt the president with leaks doesn’t depend on the existence of deep dark secrets. Every president is vulnerable to selective leaks and a drumbeat of steady negative interpretations from the bureaucracy.

And yet, overdoing support for the bureaucracy can have severe costs. On torture, for example, emphasizing the good intentions of those faced with difficult choices during the last decade makes sense. But failing to take action, and leaving bureaucrats with serious liabilities because the status of their past actions is unresolved, only may have made reassuring them of presidential support increasingly necessary. That’s not a healthy situation.

Again: some of the incentive to (at least at first) stand up for presidential appointees is inherent in the presidency, and a healthy thing to do even when the president believes people have misbehaved and should go. But throughout his presidency, Obama has been overly skittish when it comes to potentially crossing his national security bureaucracy, and I strongly suspect that torture and other Bush-era abuses are both part of the original cause and will cause more of that timidity down the road.

Obama has been overly skittish when it comes to crossing his NatSec bureaucracy?

First, as I have already noted, Obama was perfectly happy demanding David Petraeus’ resignation for fucking his biographer. While I have my doubts whether that was really the reason — and while by firing him, Obama undercut a potential 2012 rival — he didn’t shy away from firing a man with some of the best PR in DC.

You might also ask the 19 top Generals and Admirals Obama has fired (most with the help of Bob Gates; also note the 20th on this list is Petraeus) — so many that conservatives accuse him of “purging” — whether he’s squeamish about crossing the NatSec bureaucracy. And while Micah Zenko’s comment on Twitter is correct that intelligence officials have largely escaped this treatment, Obama seemed happy to use  Michael Leiter’s National Counterterrorism Center’s failure to stop the UndieBomb attack to fire then Director of National Intelligence Dennis Blair.

President Obama is not a man afraid to fire members of the national security bureaucracy.

The starkest contrast with Brennan’s treatment comes from the case of Stanley McChrystal.

Obama demanded McChrystal’s resignation not because his night raids were exacerbating extremism in Afghanistan. Not because many service members felt he had left them exposed. Not because, even then, it was clear the surge in Afghanistan was going to fail.

Obama demanded McChrystal’s resignation because Michael Hastings exposed McChrystal and his top aides (including Michael Flynn, who quit in April because of differences on policy) being insubordinate. Obama demanded McChrystal’s resignation because doing so was necessary to maintain the primacy of civilian control — like separation of powers, one of the bedrocks ensuring national security doesn’t trump democracy.

That, to me, is the important takeaway from comparing McChrystal’s fate with Brennan’s.

When a top member of the national security bureaucracy challenged the control of the civilian executive, he got canned, appropriately, in my opinion.

But when the Director of the CIA permitted his Agency to strike at the core of the separation of powers by investigating its overseers, Obama offered his support. Obama may have fired a top general for threatening Executive authority, but he has supported a top aide after he threatened Legislative authority.

You can come up with any number of explanations why Obama did that. But being afraid of taking on his National Security bureaucracy — as distinct from taking on the intelligence agencies, as Obama chose not to do when Clapper lied or when Keith Alexander oversaw the leaking of the family jewels even while getting pwned in his core cyberdefense capacity — is not the explanation.

Obama has proven to have no qualms about upsetting his national security bureaucracy. Just that part of it run covertly.

If CyberCom Can’t Beat Reservists, Why Not Split NSA?

ArmyTimes has a story about how CyberCommand service members took on a team of civilian reservists in a cyber war game last year, the civilians handed the active duty team their ass.

When the military’s top cyberwarriors gathered last year inside a secretive compound at Fort Meade, Maryland, for a classified war game exercise, a team of active-duty troops faced off against several teams of reservists.

And the active-duty team apparently took a beating.

“They were pretty much obliterated,” said one Capitol Hill staffer who attended the exercise. “The active-duty team didn’t even know how they’d been attacked.”

ArmyTimes uses the shellacking to raise questions about the mix between active duty and reservists CyberCommand should be using.

But it seems the exercise ought to also undermine one justification for keeping NSA’s Information Assurance Division, its spying, and CyberCommand unified.

One argument behind doing so is that’s the only way to make the appropriate measure of which vulnerabilities the government should sit on and exploit for their own spying and offensive capabilities, and which they should disclose and patch. The unified CyberCommander — first Keith Alexander and now Admiral Mike Rogers — are the only ones who can appropriately measure the trade-offs.

If the military hierarchy — and the article suggests the hierarchy is part of the problem — doesn’t serve the understanding of cyberwar very well, then how is the guy at the top of the hierarchy going to be best able to understand the trade-offs? If his subordinates don’t “even know they’d been attacked,” then how are they able to judge what exploits might be attackable?

Everything about this article, particularly the complementarity of the civilian and military skills it describes, suggests we’d be better served by having some who recognizes an attack as an attack in charge of keeping our networks safe.

Hackers Did Not Flood LA’s Critical Infrastructure

Yesterday, a water main broke at UCLA, causing flooding and the tremendous waste of drought-era CA’s scarcest resource, water.

The rupture of the 90-year-old main sent a geyser shooting 30 feet in the air and deluged Sunset Boulevard and UCLA with 8 million to 10 million gallons of water before it was shut off more than three hours after the pipe burst, city officials said.

The water main ruptured shortly before 3:30 p.m. in the 10600 block of Sunset Boulevard, fire officials said, sending a geyser shooting 30 feet in the air. The main, which delivers 75,000 gallons a minute, was finally shut down about 7 p.m., officials said.

But by then, Sunset Boulevard and UCLA had been deluged. Sunset was closed in both directions from Marymount Place to Westwood Plaza, snarling traffic.

[snip]

Thousands of gallons of water trapped five people in their cars as they tried to drive out of the flood zone, according to the Los Angeles Fire Department.

Water was seen inside the J.D. Morgan Center, which houses athletic staff and administration offices, the George Kneller Academic Center, UCLA’s Athletic Hall of Fame and the John Wooden Center.

Water pipes are precisely the kind of critical infrastructure the government always worries will be vulnerable to hackers or (because water is pretty low tech) terrorists.

But it’s likely neither of those had a hand in this break. Simple neglected infrastructure did.

And yet that — our crumbling infrastructure that results in the waste of millions of gallons of water during an acute drought — doesn’t get the same kind of urgent attention. It’s okay, it seems, for neglect to lead to such catastrophes on its own, just not if hackers or terrorists help such catastrophes along.

How Much Does Keith Alexander’s Patented Solution for Creating Fear Depend on CISA?

Keith Alexander has attempted to explain his million dollar salary demands for cyber consulting to Shane Harris. This story doesn’t necessary hang together any better than his claims about NSA’s spying.

Alexander is worth a million a month, he says (though he already dropped his price to $600K) because he has a unique approach to detecting persistent threats that he plans to patent.

The answer, Alexander said in an interview Monday, is a new technology, based on a patented and “unique” approach to detecting malicious hackers and cyber-intruders that the retired Army general said he has invented, along with his business partners at IronNet Cybersecurity Inc., the company he co-founded after leaving the government and retiring from military service in March.

Alexander developed the technologies behind these patents — which Alexander says would address precisely the kind of attacks he facetiously argues have carried out the greatest transfer of wealth in history, the ones attacking the US — in his spare time.

A source familiarly [sic] with Alexander’s situation, who asked not to be identified, said that the former director developed this new technology on his private time, and that he addressed any potential infractions before deciding to seek his patents.

To which Harris asked the obvious question: if this solution is so great, then why not implement it while he was still in government? Why not save America from that greatest transfer of wealth in history?

Alexander then added that his solution relies on behavioral analysis one of his partners contributed.

Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do.

[snip]

Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn’t considered. It’s these methods that Alexander said he will seek to patent.

Perhaps the best (anonymous) quote Harris includes in his story is a “former national security official with decades of experience in security technology” who says such behavioral models are highly speculative and have never before worked. 

So it’s possible that Keith Alexander is simply going to sell his new approach to a bunch of chumps who have gotten rich trading off of algorithms — proof behavioral models “work” even if they don’t work! — and therefore believe they will work to find persistent threats.

The guy who couldn’t find Edward Snowden absconding with thousands of files and his friends the big banks are going to start policing their networks by using algos to find suspicious behavior.

Harris sort of alludes to one problem with this scheme. Alexander used his perch at DIRNSA to create this market. As Harris points out, that’s in part because Wiper — a variant of the StuxNet attack developed under Alexander’s tenure — is what the banks are so afraid of.

That will come as a supreme irony to many computer security experts, who say that Wiper is a cousin of the notorious Stuxnet virus, which was built by the NSA — while Alexander was in charge — in cooperation with Israeli intelligence.

That is, Alexander will get rich helping banks defeat the weapons he released in the first place.

More generally, too, this fear exists because Alexander sowed it. The banks are responding to the intelligence claims Alexander has been making for years, whether or not a real threat exists behind it (and whether not resilience would be a better defense than Alexander’s algos).

One more thing: as far as we know, in addition to inventing this purportedly new technology in his free time, Alexander was consulting with his partners — which as far as we know include Promontory Financial Group and Chertoff — while he was DIRNSA. So it’s not just the underlying technology, but the discussions of partnership, that likely derive from Alexander’s time at DIRNSA.

And that seems to be the fourth part of Alexander’s magic sauce (in addition to the tech developed on the government dime, his ability to sow fear, and partnerships laid out while still in the private sector). After all, with Alexander out of his NSA, where will he and his profitable partners get the data they need to model threats? How much of this model will depend on the Cyber Information sharing plan that Alexander has demanded for years? How much will Alexander’s privatized solutions to the problem he couldn’t solve at NSA depend on access to all the information the government has, along with immunity?

To what degree is CISA about making Keith Alexander rich?

 

Emptywheel Twitterverse
emptywheel @Krhawkins5 Most transparent torturers Evah™
11mreplyretweetfavorite
emptywheel RT @Krhawkins5: UN committee against torture recommendations to US. #15 all about abuse of secrecy http://t.co/DMHzDsFXwI
12mreplyretweetfavorite
emptywheel Such claims only help Vlad Putin RT @EliLake: Let’s be real. Star Wars doesn’t really hold up nearly 40 years later.
17mreplyretweetfavorite
bmaz @kdrum And you STILL refuse to tell me where to get a big screen teevee.
35mreplyretweetfavorite
bmaz RT @SarahKnuckey: UN Committee against Torture: "deep concern at frequent police shootings of unarmed black individuals" #Ferguson http://t…
37mreplyretweetfavorite
emptywheel RT @SarahKnuckey: UN Committee against Torture: US should review Appendix M of the Army Field Manual & "abolish" some of its provisions htt…
39mreplyretweetfavorite
bmaz RT @SarahKnuckey: UN Committee against Torture "calls for the declassification and prompt public release" of the torture report http://t.co
42mreplyretweetfavorite
bmaz RT @jdakwar: BREAKING: UN Committee Against Torture releases scathing report on U.S. compliance with anti-Torture treaty. http://t.co/A01YV
43mreplyretweetfavorite
JimWhiteGNV Seven Month Extension of P5+1 Negotiations? We’d Be Lucky With Seven Weeks https://t.co/KMg5zmn8Ai
58mreplyretweetfavorite
emptywheel RT @SarahKnuckey: UN Committee against Torture: there is "an ongoing failure" in the US to "fully investigate allegations of torture" http:…
1hreplyretweetfavorite
bmaz Oops: After Threatening Hacker With 440 Years, Prosecutors Settle for a Misdemeanor | WIRED http://t.co/BjOkNbK7p5
8hreplyretweetfavorite
bmaz @PatrickCToomey @csoghoian @WSJ @dannyyadron Jeebus, the All Writs Act?? Owsley is right though, notable that magistrate issued opinion.
9hreplyretweetfavorite
November 2014
S M T W T F S
« Oct    
 1
2345678
9101112131415
16171819202122
23242526272829
30