Posts

Keith Alexander’s Cyber Circle Jerk Gets Worse

As I noted earlier today, last year Keith Alexander’s CyberCommand forces got their asses handed to them by civilians in a cyber war game.

“They were pretty much obliterated,” said one Capitol Hill staffer who attended the exercise. “The active-duty team didn’t even know how they’d been attacked.”

Nevertheless, here is one of the things he told Ken Dilanian in his second “exclusive” interview attempting to explain why he should get rich in the private sector capitalizing on 9 years of fear-mongering about cyber.

“If I retired from the Army as a brain surgeon, wouldn’t it be OK for me to go into private practice and make money doing brain surgery?” he asked. “I’m a cyber guy. Can’t I go to work and do cyber stuff?”

Alexander’s story has changed a bit since his last attempt  to explain himself, to Shane Harris. The number of patents he’ll get expanded from 9 to 10.

His firm is developing as many as 10 patents, he said, and has secured contracts with three clients he declines to name.

And he claims — after apparently not challenging the underlying $1 million a month claim to Harris — that his rates were always overblown.

Reports of his firm charging $1 million a month for consulting services are not accurate, he said, though he declined to disclose his firm’s fees.

“That number was inflated from the beginning,” he said.

But that’s not the best bit. In addition to revolving door shadow regulator Promontory Financial Group (which goes unmentioned in both stories) and the Chertoff Group, Dilanian reveals who gave Alexander the advise he could get rich off serving the last 9 years in a top national security position: Someone who spent those same years in a top national security position.

Lawyers at NSA and his private lawyers— including former FBI Director Robert Mueller, now with the Wilmer Hale law firm in Washington — have told him he is on firm legal footing, Alexander said.

These exclusives are all well and nice, but both of them ignore the reports about Alexander serving as the lead to set up a public-private partnership between the banksters and the national security state to infringe our privacy in order to keep the banks safe (heck neither mentions his known contract with SIFMA).

Until exclusives actually ask Alexander about the known thrust of this program, they’re going to help his credibility no more than the exclusives with the same journalists explaining NSA spying did.

How Much Does Keith Alexander’s Patented Solution for Creating Fear Depend on CISA?

Keith Alexander has attempted to explain his million dollar salary demands for cyber consulting to Shane Harris. This story doesn’t necessary hang together any better than his claims about NSA’s spying.

Alexander is worth a million a month, he says (though he already dropped his price to $600K) because he has a unique approach to detecting persistent threats that he plans to patent.

The answer, Alexander said in an interview Monday, is a new technology, based on a patented and “unique” approach to detecting malicious hackers and cyber-intruders that the retired Army general said he has invented, along with his business partners at IronNet Cybersecurity Inc., the company he co-founded after leaving the government and retiring from military service in March.

Alexander developed the technologies behind these patents — which Alexander says would address precisely the kind of attacks he facetiously argues have carried out the greatest transfer of wealth in history, the ones attacking the US — in his spare time.

A source familiarly [sic] with Alexander’s situation, who asked not to be identified, said that the former director developed this new technology on his private time, and that he addressed any potential infractions before deciding to seek his patents.

To which Harris asked the obvious question: if this solution is so great, then why not implement it while he was still in government? Why not save America from that greatest transfer of wealth in history?

Alexander then added that his solution relies on behavioral analysis one of his partners contributed.

Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do.

[snip]

Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn’t considered. It’s these methods that Alexander said he will seek to patent.

Perhaps the best (anonymous) quote Harris includes in his story is a “former national security official with decades of experience in security technology” who says such behavioral models are highly speculative and have never before worked. 

So it’s possible that Keith Alexander is simply going to sell his new approach to a bunch of chumps who have gotten rich trading off of algorithms — proof behavioral models “work” even if they don’t work! — and therefore believe they will work to find persistent threats.

The guy who couldn’t find Edward Snowden absconding with thousands of files and his friends the big banks are going to start policing their networks by using algos to find suspicious behavior.

Harris sort of alludes to one problem with this scheme. Alexander used his perch at DIRNSA to create this market. As Harris points out, that’s in part because Wiper — a variant of the StuxNet attack developed under Alexander’s tenure — is what the banks are so afraid of.

That will come as a supreme irony to many computer security experts, who say that Wiper is a cousin of the notorious Stuxnet virus, which was built by the NSA — while Alexander was in charge — in cooperation with Israeli intelligence.

That is, Alexander will get rich helping banks defeat the weapons he released in the first place.

More generally, too, this fear exists because Alexander sowed it. The banks are responding to the intelligence claims Alexander has been making for years, whether or not a real threat exists behind it (and whether not resilience would be a better defense than Alexander’s algos).

One more thing: as far as we know, in addition to inventing this purportedly new technology in his free time, Alexander was consulting with his partners — which as far as we know include Promontory Financial Group and Chertoff — while he was DIRNSA. So it’s not just the underlying technology, but the discussions of partnership, that likely derive from Alexander’s time at DIRNSA.

And that seems to be the fourth part of Alexander’s magic sauce (in addition to the tech developed on the government dime, his ability to sow fear, and partnerships laid out while still in the private sector). After all, with Alexander out of his NSA, where will he and his profitable partners get the data they need to model threats? How much of this model will depend on the Cyber Information sharing plan that Alexander has demanded for years? How much will Alexander’s privatized solutions to the problem he couldn’t solve at NSA depend on access to all the information the government has, along with immunity?

To what degree is CISA about making Keith Alexander rich?

 

Alan Grayson: Is Keith Alexander Selling Classified Information to the Banks?

I’ve been tracking Keith Alexander’s utterly predictable new gig, getting rich off of having drummed up cybersecurity concerns for the last several years, while at the same time shacking up with the most dubious of shadow bank regulators, Promontory Financial Group.

Apparently, I’m not the only one. Alan Grayson just sent some of the entities that Alexander has been drumming up business with — the Security Industries and Financial Markets Association, Consumer Bankers Association, and Financial Services Roundtable — a letter asking how the former NSA Director can be making a reported $600,000 a month. He cites Bruce Schneier wondering whether part of the deal is that Alexander will share classified information he learned while at NSA.

Security expert Bruce Schneier noted that this fee for Alexander’s services is on its face unreasonable. “Think of how much actual security they could buy with that $600K a month.Unless he’s giving them classified information.” Schneier also quoted Recode.net, which headlined this news as: “For another million, I’ll show you the back door we put in your router.”

[snip]

Disclosing or misusing classified information for profit is, as Mr. Alexander well knows, a felony. I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods. Without the classified information that he acquired in his former position, he literally would have nothing to offer to you.

Please send me all information related to your negotiations with Mr. Alexander, so that Congress can verify whether or not he is selling military and cybersecurity secrets to the financial services industry for personal gain.

Alexander is just the latest of a long line of people who profit directly off driving up the cybersecurity threat. But — as Recode.net notes — he’s also got the kind of inside information that could be particularly valuable.

As the Intelligence Industrial Complex and the Banking industry hop into bed together, there ought to be some transparency about just what kind of deals are being made. There’s simply too much immunity handed out to this community to let boondoggles like Alexander’s slide.

The intelligence community is subjecting every low level clearance holder to intense scrutiny right now. But thus far, there has not been a peep from those quarters that the former DIRNSA could command these fees for the expertise gained while overseeing the nation’s secrets.

Keith Alexander to Earn $600,000 a Month for Preventing DDos Attacks

When Politico reported that Keith Alexander was shacking up with shadow regulator Promontory Financial Group to profit off his cyber fear-mongering, I knew he’d be raking in the bucks.

Bloomberg provides more details on how much: his asking price starts at $1M a month, from which he negotiates down to a mere $600,000.

Alexander, 62, said in the interview he was invited to give a talk to the Securities Industry and Financial Markets Association, known as Sifma, shortly after leaving the NSA and starting his firm, IronNet Cybersecurity Inc. He has met with other finance groups including the Consumer Bankers Association, the Financial Services Roundtable and The Clearing House.

At the sessions, Alexander discussed destructive computer programs such as Wiper, which the U.S. government said was notable because attacks using it appeared to originate from North Korea and Iran. “I told them I did think they could defend against that,” Alexander said.

Still, despite the banks’ growing investments in computer security, Alexander said, “many of them aren’t really confident they’re getting their money’s worth.”

[snip]

Sifma Meeting

Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.

Alexander declined to comment on the details, except to say that his firm will have contracts “in the near future.”

The article talks in terms of the DDoS attacks launched against US bank websites last year, as well as Wiper, which is allegedly tied to the StuxNet family (and therefore is something with which ALexander ought to be intimately familiar).

What he doesn’t seem to be promising he can fix are things like the recent hack of a hedge fund’s High Frequency Trading algorithms (about which I am simply failing not to laugh hysterically at … sorry, hedgies).

No wonder the banks doubt they’re getting their money’s worth.

It’s hard to read this as anything but a scam. Not only has Alexander spent the last year talking up the risk of cyberattacks, not only has he had access to whatever bank secrets haven’t been encrypted for the last 8 years, plus the double dipping in SWIFT databases. But he also knows what holes NSA hasn’t fixed.

Ultimately, though, this all serves to obscure the fact that these banks are rickety all by themselves, with or without a hacker’s help (which is one reason I’m laughing at that HFT hack). There’s only so much you can do to harden that target, and the banks won’t do it.

Lying Keith Alexander to Shack up with Promontory and Profit Off His Fearmongering

Man, I knew Keith Alexander was going to cash in after he retired. And I probably would have placed all my chips on him profiting off his cyber fearmongering.

Former National Security Agency chief Gen. Keith Alexander is launching a consulting firm for financial institutions looking to address cybersecurity threats, POLITICO has learned.

Less than two months since his retirement from the embattled agency at the center of the Edward Snowden leak storm, the retired four-star general is setting up a Washington-based operation that will try to attract clients based on his four decades of experience in the military and intelligence — and the continued levels of access to senior decision-makers that affords.

But the part of this story that even I couldn’t have predicted — but makes so much sense it brings tears to my eyes — is that he’s shacking up with Promontory Financial Group, the revolving door regulator to hire that has been caught underestimating its clients’ crimes for big money.

Alexander will lease office space from the global consulting firm Promontory Financial Group, which confirmed in a statement on Thursday that it plans to partner with him on cybersecurity matters.

“He and a firm he’s forming will work on the technical aspects of these issues, and we on the risk-management compliance and governance elements,” said Promontory spokesman Chris Winans.

I’m impressed, Lying Keith: You’ve done my very low expectations even one better!

Lanny Breuer Deputizes Banks Rather than Prosecuting Them

Back when DOJ’s head of criminal prosecutions, Lanny Breuer, let HSBC off without indictments, I noted that he didn’t even mention HSBC’s significant ties to funding terrorists.

When it came to one of the world’s biggest banks, the Assistant Attorney General chose to simply ignore the threat DOJ’s been singularly dedicated to defeating since 9/11, terrorism.

But the Statement of Facts on the HSBC settlement wasn’t quite as reticent as Breuer himself. It said this about HSBC’s ties to terrorist financing:

In addition to the cooperative steps listed above, HSBC Bank USA has assisted the Government in investigations of certain individuals suspected of money laundering and terrorist financing.

That is, the court documents on the settlement talk about HSBC helping to investigate terrorist financing, rather than HSBC playing a key role in making up to a billion dollars available for terrorist financing. DOJ turned HSBC’s complicity in the central threat of our time into purported assistance pursuing it.

Poof! DOJ turned a criminal bank into a law enforcement partner, all through the secret exercise of so-called prosecutorial discretion.

Which is important background for the story about DOJ with which NPR’s Carrie Johnson has begun the year, describing how Lanny Breuer is asking banks–the same banks who crashed the economy with a bunch of criminal scams that have gone unpunished–to serve as “quasi cops.”

Every year, banks handle tens of millions of transactions. Some of them involve drug money, or deals with companies doing secret business with countries like Iran and Syria, in defiance of trade sanctions.

But if the Justice Department has its way, banks will be forced to change — to spot illegal transactions and blow the whistle before any money changes hands.

[snip]

But [former OCC head Eugene] Ludwig, who now consults for banks at the Promontory Financial Group [which makes huge money not finding crimes for the banks], says prosecutors and bank regulators can’t catch all the fraud, so they’re depending on the banks themselves to do a better job.

“Banks are not set up historically really to be kind of quasi law enforcement enterprises, which is really what the U.S. government’s asking of them,” he says.

Every time a financial institution makes a fix, criminals try to work around it. Ludwig calls it a cat-and-mouse game. “Fair or not, it’s what the government is demanding of our enterprises, and everybody has to face up to that reality, I think,” he says.

Ludwig may be publicly complaining. But his firm has already gotten consulting fees to hide the scale of Standard Chartered Bank’s fraud, and the government is about to give up on the badly-conflicted foreclosure abuse review for which Promontory consulted with Bank of American and Wells Fargo. It seems clear that Promontory will get rich whitewashing bank crimes so Lanny Breuer can pretend banks are cops, not robbers.

But that’s not the most lucrative scam here. After all, HSBC was able to reap billions because it served a key role in providing cash that went, in part, to terrorists. And yet it, unlike Muslim men, seems guaranteed under Lanny Breuer to wipe that slate clean by flipping on their former clients at a convenient time (and given that DOJ has taken no action against Al Rajhi bank, in only a limited fashion).

All this remains unstated. In fact, I guarantee you if it were ever asked, DOJ would refuse to divulge precisely what kind of quasi cop HSBC is playing, as it could under a law enforcement exception to FOIAs. Even Carl Levin’s otherwise meticulous report on HSBC was silent about what happened when Treasury’s former Under Secretary for Terrorist Finance went to HSBC.

But as part of the scam, it appears both a criminal bank and our buddies the Saudis have avoided any punishment for funding terrorism.

Which is how it works when the crooks get deputized rather than prosecuted.

 

 

Promontory Financial Group Describes a New “Risk-Based” Approach to Anti-Money Laundering

In light of the recent Standard Chartered Bank flap, Saturday’s report that Deutsche Bank is under investigation for similar behavior, and today’s report that RBS (as well as two other banks, one of which is Sumitomo Mitsui) is as well, I want to look at an article on Anti-Money Laundering enforcement a Promontory Financial Group exec, Michael Dawson, published in American Banker just one week before NY’s Superintendent of Financial Services, Benjamin Lawsky, filed an order against SCB alone.

Around the same time Dawson was writing this, remember, his company was involved in a review of SCB’s laundering of Iranian funds that would show a tiny fraction of the total exposure that SCB would ultimately admit to. That is, Dawson’s comments probably provide a glimpse into what PFG was seeing not just in Citibank and Commerzbank enforcement actions, which he discusses, but also in SCB. And it might help to explain why other regulators were so intent on crafting an SCB settlement based on just $14 million in violations rather than $250 billion.

Dawson reports seeing a change in recent AML/BSA enforcement actions, away from a “rules-based approach” toward a “risk-based approach.” He suggests that regulators are demanding not a broad-based examination of the scope of AML violations, but instead more targeted information about who posed the biggest risk laundering money and what they were doing.

Instead of requiring expensive reviews of extended periods of time for a broad range of potential suspicious activity, the latest enforcement actions emphasize a risk-based approach to AML compliance, with several of the actions requiring a risk assessment or enhancements to an existing assessment.

[snip]

The level of specificity required is noteworthy and includes, among other things, detail on the volumes and types of transactions and services by country or geographic location as well as detail on the numbers of customers that typically pose higher BSA/AML risk. The actions also require a more holistic approach, requiring the results of the bank’s Customer Identification Program and Customer Due Diligence program to be integrated in the risk assessment. [my emphasis]

This sounds like the regulators are interested not in discovering how banks are complicit in money laundering, but rather using the banks to get details on key people who money launder and the tactics just those key people (terrorists, cartel kingpins, mean Iranians) use. (Note, I think something similar, but even more significant, happened last year when JPMC got busted for trading with Iran, but no one seems to remember that happened.)

After making these broad statements about the general direction of AML enforcement, Dawson distinguishes between what the Office of the Comptroller of the Currency is requiring and what the Fed is. OCC has not only shortened the period which it requires banks to examine problematic behavior, but it has also permitted banks to conduct their own reviews (which seems to have Dawson worried about losing the business of providing such services for banks).

Where the OCC required lookbacks, it asked for risk-based, targeted reviews, rather than comprehensive look-backs that were sometimes found in earlier enforcement actions. The recent actions either specify a shorter look-back period than has been specified in the past or, in the case of the Citibank action, no explicitly specified period, subject to the ability of the regulator to expand the look-back depending on the results of the more limited period.

Also, the OCC actions allowed the institutions to conduct the review themselves and either do not explicitly mention an independent consultant or limit the role of the independent consultant to “supervising and certifying” the look-back.

The OCC, at least, doesn’t sound like it’s doing “smarter” enforcement, but rather doing lax enforcement. Remember, though, that OCC got a newly-confirmed Comptroller during this period, who talked aggressively at the recent Permanent Subcommittee on Investigations hearing on HSBC’s egregious AML problems–though that talk partly echoed what Dawson has to say about “flexibility” and a “holistic” approach.

Meanwhile, according to Dawson, the Fed doesn’t seem to be offering quite as much flexibility. Dawson describes the Fed employing this new risk-based approach, but it is still requiring longer reviews (though not all that long, at 16 months) and outside consultants to complete the reviews.

The Fed, in its action against Commerzbank requiring a lookback, also showed some flexibility. Read more

Standard Chartered Bank Admits Promontory’s Estimates of Its Iran Business Were Wrong

Standard Chartered just settled with NY’s Superintendent of Financial Services. The settlement–for $340 250 million and a monitor of SFS’ choosing–is less than some reports said the settlement might have been.

But here’s the detail I’m most interested in:

The New York State Department of Financial Services (“DFS”) and Standard Chartered Bank (“Bank”) have reached an agreement to settle the matters raised in the DFS Order dated August 6, 2012. The parties have agreed that the conduct at issue involved transactions of at least $250 billion. [my emphasis]

Just a .14% fine, so not that big. But an admission that the scope of the fraud and the Iran business really did amount to $250 billion.

I find that interesting for two reasons. First, because it’s going to cause all kinds of headaches for the folks at Treasury who would like to let SCB off easy but ordinarily base settlements on the amount of the underlying activity.

More importantly, for me, because it demonstrates what a sham the Get Out of Jail Free industry is. A former OCC head and his minions at Promontory Financial Group claimed to have added it all up and determined that SCB only hid $14 million of transactions from Iran. SCB now says that Promontory was wrong.

By orders of magnitude.

Granted, SCB–and most of the people who pay Promontory to soft-pedal their crimes and risk–tried not to admit it had gotten that estimate from Promontory. Going forward, I expect we’ll see Promontory’s clients hide their involvement even more.

Still, this is a useful demonstration of how corrupt the Get Out of Jail Free industry is.

Update: Once again, I got my numbers wrong. The settlement is for $340 million.