I’ve been tracking Keith Alexander’s utterly predictable new gig, getting rich off of having drummed up cybersecurity concerns for the last several years, while at the same time shacking up with the most dubious of shadow bank regulators, Promontory Financial Group.
Apparently, I’m not the only one. Alan Grayson just sent some of the entities that Alexander has been drumming up business with — the Securities Industry and Financial Markets Association, Consumer Bankers Association, and Financial Services Roundtable — a letter asking how the former NSA Director can be making a reported $600,000 a month. He cites Bruce Schneier wondering whether part of the deal is that Alexander will share classified information he learned while at NSA.
Security expert Bruce Schneier noted that this fee for Alexander’s services is on its face unreasonable. “Think of how much actual security they could buy with that $600K a month. Unless he’s giving them classified information.” Schneier also quoted Recode.net, which headlined this news as: “For another million, I’ll show you the back door we put in your router.”
Disclosing or misusing classified information for profit is, as Mr. Alexander well knows, a felony. I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods. Without the classified information that he acquired in his former position, he literally would have nothing to offer to you.
Please send me all information related to your negotiations with Mr. Alexander, so that Congress can verify whether or not he is selling military and cybersecurity secrets to the financial services industry for personal gain.
Alexander is just the latest of a long line of people who profit directly off driving up the cybersecurity threat. But — as Recode.net notes — he’s also got the kind of inside information that could be particularly valuable.
As the Intelligence Industrial Complex and the Banking industry hop into bed together, there ought to be some transparency about just what kind of deals are being made. There’s simply too much immunity handed out to this community to let boondoggles like Alexander’s slide.
The intelligence community is subjecting every low level clearance holder to intense scrutiny right now. But thus far, there has not been a peep from those quarters that the former DIRNSA could command these fees for the expertise gained while overseeing the nation’s secrets.
Bloomberg provides more details on how much: his asking price starts at $1M a month, from which he negotiates down to a mere $600,000.
Alexander, 62, said in the interview he was invited to give a talk to the Securities Industry and Financial Markets Association, known as Sifma, shortly after leaving the NSA and starting his firm, IronNet Cybersecurity Inc. He has met with other finance groups including the Consumer Bankers Association, the Financial Services Roundtable and The Clearing House.
At the sessions, Alexander discussed destructive computer programs such as Wiper, which the U.S. government said was notable because attacks using it appeared to originate from North Korea and Iran. “I told them I did think they could defend against that,” Alexander said.
Still, despite the banks’ growing investments in computer security, Alexander said, “many of them aren’t really confident they’re getting their money’s worth.”
Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.
Alexander declined to comment on the details, except to say that his firm will have contracts “in the near future.”
The article talks in terms of the DDoS attacks launched against US bank websites last year, as well as Wiper, which is allegedly tied to the StuxNet family (and therefore is something with which Alexander ought to be intimately familiar).
What he doesn’t seem to be promising he can fix are things like the recent hack of a hedge fund’s High Frequency Trading algorithms (about which I am simply failing not to laugh hysterically … sorry, hedgies).
No wonder the banks doubt they’re getting their money’s worth.
It’s hard to read this as anything but a scam. Not only has Alexander spent the last year talking up the risk of cyberattacks, not only has he had access to whatever bank secrets haven’t been encrypted for the last 8 years, plus the double dipping in SWIFT databases. But he also knows what holes NSA hasn’t fixed.
Ultimately, though, this all serves to obscure the fact that these banks are rickety all by themselves, with or without a hacker’s help (which is one reason I’m laughing at that HFT hack). There’s only so much you can do to harden that target, and the banks won’t do it.
Man, I knew Keith Alexander was going to cash in after he retired. And I probably would have placed all my chips on him profiting off his cyber fearmongering.
Former National Security Agency chief Gen. Keith Alexander is launching a consulting firm for financial institutions looking to address cybersecurity threats, POLITICO has learned.
Less than two months since his retirement from the embattled agency at the center of the Edward Snowden leak storm, the retired four-star general is setting up a Washington-based operation that will try to attract clients based on his four decades of experience in the military and intelligence — and the continued levels of access to senior decision-makers that affords.
But the part of this story that even I couldn’t have predicted — but makes so much sense it brings tears to my eyes — is that he’s shacking up with Promontory Financial Group, the revolving door regulator to hire that has been caught underestimating its clients’ crimes for big money.
Alexander will lease office space from the global consulting firm Promontory Financial Group, which confirmed in a statement on Thursday that it plans to partner with him on cybersecurity matters.
“He and a firm he’s forming will work on the technical aspects of these issues, and we on the risk-management compliance and governance elements,” said Promontory spokesman Chris Winans.
I’m impressed, Lying Keith: You’ve done my very low expectations even one better!
Back when DOJ’s head of criminal prosecutions, Lanny Breuer, let HSBC off without indictments, I noted that he didn’t even mention HSBC’s significant ties to funding terrorists.
When it came to one of the world’s biggest banks, the Assistant Attorney General chose to simply ignore the threat DOJ’s been singularly dedicated to defeating since 9/11, terrorism.
But the Statement of Facts on the HSBC settlement wasn’t quite as reticent as Breuer himself. It said this about HSBC’s ties to terrorist financing:
In addition to the cooperative steps listed above, HSBC Bank USA has assisted the Government in investigations of certain individuals suspected of money laundering and terrorist financing.
That is, the court documents on the settlement talk about HSBC helping to investigate terrorist financing, rather than HSBC playing a key role in making up to a billion dollars available for terrorist financing. DOJ turned HSBC’s complicity in the central threat of our time into purported assistance pursuing it.
Poof! DOJ turned a criminal bank into a law enforcement partner, all through the secret exercise of so-called prosecutorial discretion.
Which is important background for the story about DOJ with which NPR’s Carrie Johnson has begun the year, describing how Lanny Breuer is asking banks–the same banks who crashed the economy with a bunch of criminal scams that have gone unpunished–to serve as “quasi cops.”
Every year, banks handle tens of millions of transactions. Some of them involve drug money, or deals with companies doing secret business with countries like Iran and Syria, in defiance of trade sanctions.
But if the Justice Department has its way, banks will be forced to change — to spot illegal transactions and blow the whistle before any money changes hands.
But [former OCC head Eugene] Ludwig, who now consults for banks at the Promontory Financial Group [which makes huge money not finding crimes for the banks], says prosecutors and bank regulators can’t catch all the fraud, so they’re depending on the banks themselves to do a better job.
“Banks are not set up historically really to be kind of quasi law enforcement enterprises, which is really what the U.S. government’s asking of them,” he says.
Every time a financial institution makes a fix, criminals try to work around it. Ludwig calls it a cat-and-mouse game. “Fair or not, it’s what the government is demanding of our enterprises, and everybody has to face up to that reality, I think,” he says.
Ludwig may be publicly complaining. But his firm has already gotten consulting fees to hide the scale of Standard Chartered Bank’s fraud, and the government is about to give up on the badly-conflicted foreclosure abuse review for which Promontory consulted with Bank of America and Wells Fargo. It seems clear that Promontory will get rich whitewashing bank crimes so Lanny Breuer can pretend banks are cops, not robbers.
But that’s not the most lucrative scam here. After all, HSBC was able to reap billions because it served a key role in providing cash that went, in part, to terrorists. And yet it, unlike Muslim men, seems guaranteed under Lanny Breuer to wipe that slate clean by flipping on their former clients at a convenient time (and given that DOJ has taken no action against Al Rajhi bank, in only a limited fashion).
All this remains unstated. In fact, I guarantee you if it were ever asked, DOJ would refuse to divulge precisely what kind of quasi cop HSBC is playing, as it could under a law enforcement exception to FOIAs. Even Carl Levin’s otherwise meticulous report on HSBC was silent about what happened when Treasury’s former Under Secretary for Terrorist Finance went to HSBC.
But as part of the scam, it appears both a criminal bank and our buddies the Saudis have avoided any punishment for funding terrorism.
Which is how it works when the crooks get deputized rather than prosecuted.
In light of the recent Standard Chartered Bank flap, Saturday’s report that Deutsche Bank is under investigation for similar behavior, and today’s report that RBS (as well as two other banks, one of which is Sumitomo Mitsui) is as well, I want to look at an article on Anti-Money Laundering enforcement a Promontory Financial Group exec, Michael Dawson, published in American Banker just one week before NY’s Superintendent of Financial Services, Benjamin Lawsky, filed an order against SCB alone.
Around the same time Dawson was writing this, remember, his company was involved in a review of SCB’s laundering of Iranian funds that would show a tiny fraction of the total exposure that SCB would ultimately admit to. That is, Dawson’s comments probably provide a glimpse into what PFG was seeing not just in Citibank and Commerzbank enforcement actions, which he discusses, but also in SCB. And it might help to explain why other regulators were so intent on crafting an SCB settlement based on just $14 million in violations rather than $250 billion.
Dawson reports seeing a change in recent AML/BSA enforcement actions, away from a “rules-based approach” toward a “risk-based approach.” He suggests that regulators are demanding not a broad-based examination of the scope of AML violations, but instead more targeted information about who posed the biggest risk laundering money and what they were doing.
Instead of requiring expensive reviews of extended periods of time for a broad range of potential suspicious activity, the latest enforcement actions emphasize a risk-based approach to AML compliance, with several of the actions requiring a risk assessment or enhancements to an existing assessment.
The level of specificity required is noteworthy and includes, among other things, detail on the volumes and types of transactions and services by country or geographic location as well as detail on the numbers of customers that typically pose higher BSA/AML risk. The actions also require a more holistic approach, requiring the results of the bank’s Customer Identification Program and Customer Due Diligence program to be integrated in the risk assessment. [my emphasis]
This sounds like the regulators are interested not in discovering how banks are complicit in money laundering, but rather using the banks to get details on key people who money launder and the tactics just those key people (terrorists, cartel kingpins, mean Iranians) use. (Note, I think something similar, but even more significant, happened last year when JPMC got busted for trading with Iran, but no one seems to remember that happened.)
After making these broad statements about the general direction of AML enforcement, Dawson distinguishes between what the Office of the Comptroller of the Currency is requiring and what the Fed is. OCC has not only shortened the period which it requires banks to examine problematic behavior, but it has also permitted banks to conduct their own reviews (which seems to have Dawson worried about losing the business of providing such services for banks).
Where the OCC required lookbacks, it asked for risk-based, targeted reviews, rather than comprehensive look-backs that were sometimes found in earlier enforcement actions. The recent actions either specify a shorter look-back period than has been specified in the past or, in the case of the Citibank action, no explicitly specified period, subject to the ability of the regulator to expand the look-back depending on the results of the more limited period.
Also, the OCC actions allowed the institutions to conduct the review themselves and either do not explicitly mention an independent consultant or limit the role of the independent consultant to “supervising and certifying” the look-back.
The OCC, at least, doesn’t sound like it’s doing “smarter” enforcement, but rather doing lax enforcement. Remember, though, that OCC got a newly-confirmed Comptroller during this period, who talked aggressively at the recent Permanent Subcommittee on Investigations hearing on HSBC’s egregious AML problems–though that talk partly echoed what Dawson has to say about “flexibility” and a “holistic” approach.
Meanwhile, according to Dawson, the Fed doesn’t seem to be offering quite as much flexibility. Dawson describes the Fed employing this new risk-based approach, but it is still requiring longer reviews (though not all that long, at 16 months) and outside consultants to complete the reviews.
The Fed, in its action against Commerzbank requiring a lookback, also showed some flexibility.
Standard Chartered just settled with NY’s Superintendent of Financial Services. The settlement–for $340 million and a monitor of SFS’ choosing–is less than some reports said the settlement might have been.
But here’s the detail I’m most interested in:
The New York State Department of Financial Services (“DFS”) and Standard Chartered Bank (“Bank”) have reached an agreement to settle the matters raised in the DFS Order dated August 6, 2012. The parties have agreed that the conduct at issue involved transactions of at least $250 billion. [my emphasis]
Just a .14% fine, so not that big. But an admission that the scope of the fraud and the Iran business really did amount to $250 billion.
I find that interesting for two reasons. First, because it’s going to cause all kinds of headaches for the folks at Treasury who would like to let SCB off easy but ordinarily base settlements on the amount of the underlying activity.
More importantly, for me, because it demonstrates what a sham the Get Out of Jail Free industry is. A former OCC head and his minions at Promontory Financial Group claimed to have added it all up and determined that SCB only hid $14 million of transactions from Iran. SCB now says that Promontory was wrong.
By orders of magnitude.
Granted, SCB–and most of the people who pay Promontory to soft-pedal their crimes and risk–tried not to admit it had gotten that estimate from Promontory. Going forward, I expect we’ll see Promontory’s clients hide their involvement even more.
Still, this is a useful demonstration of how corrupt the Get Out of Jail Free industry is.
Update: Once again, I got my numbers wrong. The settlement is for $340 million.