As you’ve likely read, NSA’s Chief Technology Officer has so little to keep him busy he’s also planning on working 20 hours a week for Keith Alexander’s new boondoggle.
Under the arrangement, which was confirmed by Alexander and current intelligence officials, NSA’s Chief Technical Officer, Patrick Dowd, is allowed to work up to 20 hours a week at IronNet Cybersecurity Inc, the private firm led by Alexander, a retired Army general and his former boss.
The arrangement was approved by top NSA managers, current and former officials said. It does not appear to break any laws and it could not be determined whether Dowd has actually begun working for Alexander, who retired from the NSA in March.
Dowd is the guy with whom Alexander filed 7 patents for work developed at NSA.
During his time at the NSA, Alexander said he filed seven patents, four of which are still pending, that relate to an “end-to-end cybersecurity solution.” Alexander said his co-inventor on the patents was Patrick Dowd, the chief technical officer and chief architect of the NSA. Alexander said the patented solution, which he wouldn’t describe in detail given the sensitive nature of the work, involved “a line of thought about how you’d systematically do cybersecurity in a network.”
That sounds hard to distinguish from Alexander’s new venture. But, he insisted, the behavior modeling and other key characteristics represent a fundamentally new approach that will “jump” ahead of the technology that’s now being used in government and in the private sector.
Presumably, bringing Dowd on board will both make Alexander look more technologically credible and let Dowd profit off all the new patents Alexander is filing for, which he claims don’t derive from work taxpayers paid for.
Capitalism, baby! Privatizing the profits paid for by the public!
All that said, I’m wondering whether this is about something else — and not just greed.
Yesterday, as part of a bankster cybersecurity shindig, one of Alexander’s big named clients, SIFMA, rolled out its “Cybersecurity Regulatory Guidance.” It’s about what you’d expect from a bankster organization: demands that the government give what it needs, use a uniform light hand while regulating, show some flexibility in case that light hand becomes onerous, and never ever hold the financial industry accountable for its own shortcomings.
Bullet point 2 (Bullet point 1 basically says the US government has a big role to play here which may be true but also sounds like a demand for a handout) lays out the kind of public-private partnership SIFMA expects.
Principle 2: Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance
Each party brings knowledge and influence that is required to be successful, and each has a role in making protections effective. Firms can assist regulators in making agency guidance better and more effective as it is in everyone’s best interests to protect the financial industry and the customers it serves.
The NIST Cybersecurity Framework is a useful model of public-private cooperation that should guide the development of agency guidance. NIST has done a tremendous job reaching out to stakeholders and strengthening collaboration with financial critical infrastructure. It is through such collaboration that voluntary standards for cybersecurity can be developed. NIST has raised awareness about the standards, encouraged its use, assisted the financial sector in refining its application to financial critical infrastructure components, and incorporated feedback from members of the financial sector.
In this vein, we suggest that an agency working group be established that can facilitate coordination across the agencies, including independent agencies and SROs, and receive industry feedback on suggested approaches to cybersecurity. SIFMA views the improvement of cybersecurity regulatory guidance and industry improvement efforts as an ongoing process.
Effective collaboration between the private and public sectors is critical today and in the future as the threat and the sector’s capabilities continue to evolve.
Again, this public-private partnership may be necessary in the case of cybersecurity for critical infrastructure, but banks have a history of treating such partnership as lucrative handouts (and the principle document’s concern about privacy has more to do with hiding their own deeds, and only secondarily discusses the trust of their customers). Moreover, experience suggests that when “firms assist regulators in making agency guidance better,” it usually has to do with socializing risk.
In any case, given that the banks are, once again, demanding socialism to protect themselves, is it any wonder NSA’s top technology officer is spending half his days at a boondoggle serving these banks?
And given the last decade of impunity the banks have enjoyed, what better place to roll out an exotic counter-attacking cybersecurity approach (except for the risk that it’ll bring down the fragile house of finance cards by mistake)?
Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do. Rather than relying on analysis of malicious software to try to catch a hacker in the act, Alexander aims to spot them early on in their plots.
One of the most recent stories on the JP Morgan hack (which actually appears to be the kind of Treasuremapping NSA does of other country’s critical infrastructure all the time) made it clear the banksters are already doing the kind of data sharing that Keith Alexander wailed he needed immunity to encourage.
The F.B.I., after being contacted by JPMorgan, took the I.P. addresses the hackers were believed to have used to breach JPMorgan’s system to other financial institutions, including Deutsche Bank and Bank of America, these people said. The purpose: to see whether the same intruders had tried to hack into their systems as well. The banks are also sharing information among themselves.
So clearly SIFMA’s call for sharing represents something more, probably akin to the kind of socialism it benefits from in its members’ core business models.
In the intelligence world, they use the term “sheep dip” to describe how they stick people subject to one authority — such as the SEALs who killed Osama bin Laden — under a more convenient authority — such as CIA’s covert status. Maybe that’s what’s really going on here: sheep dipping NSA’s top tech person into the private sector where his work will evade even the scant oversight given to NSA.
If SIFMA’s looking for the kind of socialistic sharing akin to free money, then why should we be surprised the boondoggle at the center of it plans to share actual tech personnel?
Update: Reuters reports the deal’s off. Apparently even Congress (beyond Alan Grayson, who has long had questions about Alexander’s boondoggle) had a problem with this.
Map the entire Internet — any device, anywhere, all the time. — NSA TREASUREMAP PPT
Last week, The Intercept and Spiegel broke the story of NSA’s TREASUREMAP, an effort to map cyberspace, relying on both NSA’s defensive (IAD) and offensive (TAO) faces.
As Rayne laid out, it aspires to map out cyberspace down to the device level. As all great military mapping does, this will permit the US to identify strategic weaknesses and visualize a battlefield — even before many of adversaries realize they’re on a battlefield.
Against that background, NYT provided more details on the penetration of JP Morgan’s networks that has been blamed on Russia. The new details make it clear this was about reconnaissance, not — at least not yet — theft.
Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work.
They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack.
The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than 90 of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems.
Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access.
Though the infiltrators did observe metadata — which, the NSA assures us, is not really all that compromising.
A fourth person with knowledge of the matter, also speaking on condition of anonymity, said hackers had not gained access to account holders’ financial information or Social Security numbers, and may have reviewed only names, addresses and phone numbers.
I’m not trying to make light of the mapping of one of America’s most important banks. Surely, such surveillance may enable the same kind of sophisticated attack we launched against Iran, having done similar kind of preparation.
But we should keep in mind what the US has been doing as we consider these reports. If and when Russia or Germany catch us conducting similar reconnaissance on the networks of their private companies, they will surely make a big stink, as we have been with JP Morgan (though the response to the Spiegel story has been muted enough I suspect Germany’s intelligence services knew about that one, particularly given NSA’s reliance on Germany for targets in Africa).
But if the US is going to treat digital reconnaissance as routine spying (and the President’s cyberwar Presidential Policy Directive makes it pretty clear we consider our own similar reconnaissance to be mere clandestine spying), then we should expect the same treatment of our most lucrative targets.
That doesn’t make it legal or acceptable. But that does make it equivalent to what we’re doing to the rest of the world.
One final point. If you’re going to map the entire Internet, any device, anywhere, by definition you need to map America’s Internet as well. Are we so sure our own Intelligence Community hasn’t been snooping in JP Morgan’s networks?
On Sunday I asked who was crying wolf — JP Morgan itself, or Mike Rogers — about the claimed JP Morgan attack that might not be a serious attack at all and had been attributed to Russia without yet proof of that.
So who should crawl out of his sinecure but Keith Alexander?
Keith Alexander, the NSA director from 2005 until last March, said he had no direct knowledge of the attack though it could have been backed by the Russian government in response to sanctions imposed by the U.S. and EU over the crisis in Ukraine.
“How would you shake the United States back? Attack a bank in cyberspace,” said Alexander, a retired U.S. Army general who has started his own cybersecurity company to sell services to U.S. banks. “If it was them, they just sent a real message: ‘You’re vulnerable.’”
The hackers who attacked JPMorgan, the biggest U.S. bank, were “a group with exceptional skills or a nation-state backed group,” Alexander said in an interview yesterday at Bloomberg’s Washington bureau.
“If you wanted to send a message, do you think that was significant enough for the U.S. government to say one of the best banks that we have from a cybersecurity perspective was infiltrated by somebody?” Alexander asked. “And if they could get in to do that, even if they never use it, they could get in and collapse it. Does that cause you concern?”
Note how Alexander admits he has no personal knowledge of the attack but then opines about the skills of the hackers and goes from there to hypothesize how this was a response from Russia?
So maybe it wasn’t JP Morgan or Mike Rogers crying wolf. It sure looks like Alexander is willingly feeding the poorly evidenced claims about this hack.
But don’t worry, Keith Alexander doesn’t have a conflict of interest at all.
There was a weird spate of reporting on the cyberthreat to banks last week. Normally, security firms (and occasionally really good tech journalists) report under their own name on such attacks — after all, they have businesses to run! But not the story — first reported by Bloomberg Wednesday evening – that Russia had attacked JP Morgan. At first, these reports appeared to be coming from FBI — given that the FBI investigation served as the lede of the story.
Russian hackers attacked the U.S. financial system in mid-August, infiltrating and stealing data from JPMorgan Chase & Co. (JPM) and at least one other bank, an incident the FBI is investigating as a possible retaliation for government-sponsored sanctions, according to two people familiar with the probe.
The attack resulted in the loss of gigabytes of sensitive data, said the people, who asked not to be identified because the probe is still preliminary.
But over the course of the story — and two more sources introduced with no description beyond that they had been briefed on the probe — the FBI officially gave no comment.
The sophistication of the attack and technical indicators extracted from the banks’ computers provide some evidence of a government link. Still, the trail is muddy enough that investigators are considering the possibility that it’s cyber criminals from Russia or elsewhere in Eastern Europe. Other federal agencies, including the National Security Agency, are now aiding the investigation, a third person familiar with the probe said.
J. Peter Donald, an FBI spokesman in New York, declined to comment.
In at least one of the attacks, the hackers grabbed sensitive data from the files of bank employees, including executives, according to a fourth person briefed on the probe, who, like the other individuals with knowledge of the matter, declined to divulge the name of victims other than JPMorgan. Some data related to customers may also have been accessed, the person said.
The NYT’s version of the story, published later on Wednesday, also cited a bunch of people described only as “briefed on the continuing investigation.”
A number of United States banks, including JPMorgan Chase and at least four others, were struck by hackers in a series of coordinated attacks this month, according to four people briefed on a continuing investigation into the crimes.
The hackers infiltrated the networks of the banks, siphoning off gigabytes of data, including checking and savings account information, in what security experts described as a sophisticated cyberattack.
The motivation and origin of the attacks are not yet clear, according to investigators. The F.B.I. is involved in the investigation, and in the past few weeks a number of security firms have been brought in to conduct forensic studies of the penetrated computer networks.
According to two other people briefed on the matter, hackers infiltrated the computer networks of some banks and stole checking and savings account information from clients.
I’m in the middle of a deep dive in the Section 215 White Paper — expect plenty of analysis on it in coming attractions!
But I want to make a discrete point about this passage, which describes what happen to query results.
Results of authorized queries are stored and are available only to those analysts trained in the restrictions on the handling and dissemination of the metadata. Query results can be further analyzed only for valid foreign intelligence purposes. Based on this analysis of the data, the NSA then provides leads to the FBI or others in the Intelligence Community. For U.S. persons, these leads are limited to counterterrorism investigations.
The Primary Order released several weeks back calls these stored query results “the corporate store.” As ACLU laid out, the government can do pretty much whatever it wants with this corporate store — and their analysis of it is not audited.
All of this information, the primary order says, is dumped into something called the “corporate store.” Incredibly, the FISC imposes norestrictions on what analysts may subsequently do with the information. The FISC’s primary order contains a crucially revealing footnote stating that “the Court understands that NSA may apply the full range of SIGINT analytic tradecraft to the result of intelligence analysis queries of the collected [telephone] metadata.” In short, once a calling record is added to the corporate store, anything goes.
More troubling, if the government is combining the results of all its queries in this “corporate store,” as seems likely, then it has a massive pool of telephone data that it can analyze in any way it chooses, unmoored from the specific investigations that gave rise to the initial queries. To put it in individual terms: If, for some reason, your phone number happens to be within three hops of an NSA target, all of your calling records may be in the corporate store, and thus available for any NSA analyst to search at will.
But it’s even worse than that. The primary order prominently states that whenever the government accesses the wholesale telephone-metadata database, “an auditable record of the activity shall be generated.” It might feel fairly comforting to know that, if the government abuses its access to all Americans’ call data, it might eventually be called to account—until you read footnote 6 of the primary order, which exempts entirely the government’s use of the “corporate store” from the audit-trail requirement.
The passage from the White Paper seems to suggest there are limits (though it doesn’t explain where they come from, because they clearly don’t come from FISC).
This analysis must have a valid foreign intelligence purpose — which can include political information, economic information, espionage information, military information, drug information, and the like. Anything other countries do, basically.
But if the data in the corporate store pertains to US persons, the FBI can only get a lead “for counterterrorism purposes.”
At one level, this is (small) comfort, because it provides a level of protection on the dragnet use.
But it also may explain why HSBC’s US subsidiary didn’t get caught laundering al Qaeda’s money, or why JP Morgan always gets to self-disclose its support for Iranian “terrorism.” So long as the government chooses not to treat banks laundering money for terrorists as material support for terror, then they can consider these links (which surely they’ve come across in their “corporate store!) evidence of a financial crime, not a terrorist one, and just bury it.
I would be curious, though, whether the government has ever used the “corporate store” to police Iran sanctions. Does that count as a counterterrorism purpose? And if so, is that why Treasury “finds” evidence of international bank violations so much more often than it does American bank violations?
Citing this line from Lanny Breuer in last week’s Frontline program,
I think I and prosecutors around the country, being responsible, should speak to regulators, should speak to experts, because if I bring a case against institution, and as a result of bringing that case, there’s some huge economic effect — if it creates a ripple effect so that suddenly, counterparties and other financial institutions or other companies that had nothing to do with this are affected badly — it’s a factor we need to know and understand.
Sherrod Brown and Chuck Grassley have sent a list of questions they want Eric Holder to answer by February 8.
The questions are:
I’m interested in their focus on contractors. Has someone like Promontory Financial Group been making these decisions too?
In any case I await Holder’s non-responsive answer with bated breath.
Yesterday, the Office of the Comptroller of the Currency issued two orders to JP Morgan Chase, one related to its London Fail Whale, the other related to failures in its Bank Secrecy Act/Anti-Money Laundering compliance. With respect to latter order, OCC said, in part:
(1) The OCC’s examination findings establish that the Bank has deficiencies in its BSA/AML compliance program. These deficiencies have resulted in the failure to correct a previously reported problem and a BSA/AML compliance program violation under 12 U.S.C. § 1818(s) and its implementing regulation, 12 C.F.R. § 21.21 (BSA Compliance Program). In addition, the Bank has violated 12 C.F.R. § 21.11 (Suspicious Activity Report Filings).
(2) The Bank has failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements due to an inadequate system of internal controls, and ineffective independent testing. The Bank did not develop adequate due diligence on customers, particularly in the Commercial and Business Banking Unit, a repeat problem, and failed to file all necessary Suspicious Activity Reports (“SARs”) related to suspicious customer activity.
(3) The Bank failed to correct previously identified systemic weaknesses in the adequacy of customer due diligence and the effectiveness of monitoring in light of the customers’ cash activity and business type, constituting a deficiency in its BSA/AML compliance program and resulting in a violation of 12 U.S.C. § 1818(s)(3)(B).
That last one is the real peach. You see, in spite of the fact the order includes 22 pages of things JPMC “shall” do to fix this problem, the order did not include any fine. Remember, it has been less than 18 months since JPMC got caught–among other things–sending a ton of gold bullion to Iran in violation of sanctions. That time, at least, Treasury’s Office of Foreign Asset Controls fined JPMC, if only $88.3 million.
Still, here were are a year and a half later, with JPMC still refusing to police what it is helping its customers do, and the government is letting JPMC off with no fine.
Compare that to the treatment of Karen Gasparian, the manager of the G&A Check Cashing company out in LA. Today, he got sentenced to five years in prison for doing precisely what Jamie Dimon did: fail to comply with BSA/AML law. In his sentencing, he even submitted record of all the big banks that have skated for doing what he did, including HSBC’s 1.9 Billion wrist slap, and noted the disparity in treatment.
An even greater problem with the Government’s seeking a sentence of incarceration in this case is the disparity when compared to other instances of the same offense, or instances involving even more egregious conduct, such as much larger financial institutions conducting business with drug trafficking organizations and terroristic regimes like Iran. Time and time again, the United States Government has offered deferred prosecution agreements (and fines) to financial institutions whose conduct was exponentially more egregious than the conduct at issue here. Mr. Gasparian’s offense, while serious, was still far short of the conduct committed by these other institutions. Any sentence of incarceration in this case would be a loud proclamation that the rich and powerful receive one type of justice, while those less powerful receive another type.
The government, of course, insisted on enhancements to Gasparian’s sentence because his crime amounted to over $100,000 in a one year period (the government sent two confidential witnesses to cash checks at G&A, which is how they proved that amount).
Remember HSBC provided over $990 million in cash to a terrorist bank over a four year period. All that’s before you consider their money laundering for Mexican cartels and probable Russian mafia. Not a single HSBC employee was so much as indicted, much less sent to jail for five years or for a lifetime for material support for terrorism.
And now JPMC–and its “manager,” Jamie Dimon–not only get off without indictments, but without even a fine (at least not from OCC–OFAC may end up fining them).
The government submitted a bunch of sealed documents explaining why Gasparian should be treated so much more harshly than the big banks. I’m just going to assume the government explained what great intelligence work the big banks are doing to avoid being subjected to the rule of law.
Predictably, Lanny Breuer
waved his dick around boasted about this conviction.
“Karen Gasparian, Humberto Sanchez and their company G&A Check Cashing purposefully thwarted the Bank Secrecy Act, making it easier for others to use G&A to commit illegal activity,” said Assistant Attorney General Breuer. “They knew they were required to report transactions over $10,000, but deliberately failed to do so. As this case shows, check cashing businesses must adhere to our anti-money laundering rules, or else pay the consequences.”
This is the guy who, just one month ago, failed to even mention he was letting a bank that sent hundreds of millions in cash to a terrorist bank off without any charges.
At this point, it’s beginning to look like DOJ’s disparate treatment is not just about preserving his buddies the CEOs. But it’s about eliminating the little competitors like G&A so the equally corrupt big banks can take over their markets.
Update: Adding this from the government’s sentencing motion. The government insisted that Gasparian do time … as a deterrent.
Because there are hundreds of check cashers in Los Angeles as well as an underlying health care fraud problem, it is more important that the sentence here be sufficient to promote respect for the law and general deterrence for the types of criminal activities defendant engaged in as well as the health care fraudsters. A significant sentence is also necessary to reflect the serious [sic] of the offense, deter criminal conduct, and protect the public from defendant.
It has been less than 18 months since JP Morgan Chase was fined $88.3 million for–among other things–sending a ton of gold bullion to Iran.
Yet JPMC’s regulators are about to scold JPMC–and demand it improve the compliance programs it promised to improve 18 months ago–again.
Only, having found JPMC didn’t implement the promised compliance programs after being fined, JPMC’s regulators this time will not fine the bank for violating US law.
A U.S. regulatory probe of JP Morgan Chase & Co is expected to result in an order that the bank correct lapses in how it polices suspect money flows, in an action expected as soon as Friday, people familiar with the situation said.
The action would be in the form of a cease-and-desist order, whichregulators use to force banks to improve compliance weaknesses, the sources said.
The order is expected to be issued by the Office of the Comptroller of the Currency and the Federal Reserve.
JP Morgan is not expected to pay a monetary penalty, according to one person familiar with the situation.
This is what counts as seriousness from US bank regulators–ever quieting peeps when American banks openly flout the law (they’re a bit harsher with European banks, though still believe in forgiving such banks for things like material support to terrorism).
A teenager busted for shoplifting would pay more in fines than JPMC reportedly will pay for helping crooks–even alleged assassins–do their crime.
When I first read that the government was going to investigate JP Morgan Chase ∂for money laundering, I thought this was another case where the government continued to give wrist slaps–in the form of softball fines–to banks for behavior that never really changed. And to some degree that will be the case. After all, little more than a year ago Treasury’s Office of Foreign Assets Control accused Jamie Dimon’s company of a whole slew of things, including sending Iran a ton (literally) of gold bullion. And in spite of the fact OFAC said JPMC substantially cooperated with their investigation so they could give it a softball fine, the settlement actually made it clear they had done anything but. (Though the softball fine may have also had something to do with what I suspect was cooperation on setting up the Scary Iran Plot.)
So here we are again, investigating JPMC for money laundering. Again.
But I wonder whether this doesn’t reflect an effort on the part of the Office of Comptroller and Currency, which the NYT says is leading the probe, to improve on its past willful neglect in this area.
Regulators, led by the Office of the Comptroller of the Currency, are close to taking action against JPMorgan Chase for insufficient safeguards, the officials said. The agency is also scrutinizing several other Wall Street giants, including Bank of America.
The comptroller’s office could issue a cease-and-desist order to JPMorgan in coming months, an action that would force the bank to plug any gaps in oversight, according to several people knowledgeable about the matter. But the agency, which oversees the nation’s biggest banks, has not yet completed its case. JPMorgan is in the spotlight partly because federal authorities accused the bank last year of transferring money in violation of United States sanctions against Cuba and Iran.
Since OFAC let JPMC off with a wrist slap last year, the OCC has gotten a new confirmed head, Thomas Curry, from FDIC, and gotten rid of a corrupt Chief Counsel, Julie Williams. OCC also got hammered in Carl Levin’s report on HSBC’s money laundering.
To carry out [its oversight] mission, in the words of the OCC, it conducts “regular examinations to ensure that institutions under our supervision operate safely and soundly and in compliance with laws and regulations,” including AML laws. However, the HSBC case history, like the Riggs Bank case history examined by this Subcommittee eight years ago, provides evidence that the current OCC examination system has tolerated severe AML deficiencies for years and given banks great leeway to address targeted AML problems without ensuring the effectiveness of their AML program as a whole. As a result, the current OCC examination process has allowed AML issues to accumulate into a massive problem before an OCC enforcement action is taken.
As DDay noted earlier, Treasury will ignore that Standard Chartered signed a settlement confirming that it had hidden $250 billion worth of transfers by gaming its documentation so that it can sign a softball unified settlement with everyone else.
It’s more important that SCB get its softball settlement, I guess, than Treasury maintain even a shred of credibility.
But in addition to simply ignoring that earlier settlement, Treasury is also giving this excuse for its softball settlement.
Prosecutors and Treasury officials will also assess a smaller penalty because the bank came forward voluntarily with information about its transactions and compliance with United States sanctions, according to the law enforcement officials.
Remember this, from Benjamin Lawsky’s original settlement?
At a meeting in May 2010, SCB assured the Department that it would take immediate corrective action. Notwithstanding that promise, the Department‟s last regulatory examination of the New York branch in 2011 identified continuing and significant BSA/AML
- An OFAC compliance system that lacked the ability to identify misspellings and variations of names on the OFAC sanctioned list.
- No documented evidence of investigation before release of funds for transactions with parties whose names matched the OFAC-sanctioned list.
- Outsourcing of the entire OFAC compliance process for the New York branch to Chennai, India, with no evidence of any oversight or communication between the Chennai and the New York offices. [my emphasis]
As of last year, SCB wasn’t even doing what they claimed they were doing to fix this problem. More troubling, they had replicated what they and other banks had done before, simply send the office engaging in this fraud so far away from the US so as to offer the US branch plausible deniability.
That’s what counts as “voluntary” cooperation in TurboTax Timmeh Geithner’s Treasury Department: ongoing efforts to continue engaging in the same kind of games.