Saturday, June 28, 2014

The character assassination of Keith Alexander

According to these stories, a Congressman wants to know if former NSA chief Gen. Keith Alexander is selling classified info to banks. There is nothing to this story. It’s gossip based upon rumor based on speculation based on innuendo. It’s such obvious character assassination that I shouldn’t have to write a blog post debunking it, but apparently you people have gone insane.

It all started with this Bloomberg story citing unnamed sources that Alexander offered his services to a banking association for $600,000 a month. This has led some to question what value Alexander can provide for that money. Cyber pundit Bruce Schneier speculated that the only thing Alexander could sell for that amount of money is classified information.

This was then quoted by Congressman Grayson calling for a probe into Alexander. This story was then picked up by “journalists” writing what are clearly hit pieces, furthering the character assassination.

Bruce Schneier is not Cyber’s Holy Prophet, as many in the media quote him. Schneier isn’t a "full cybersecurity" expert. He’s certainly a smart guy, and an expert in cryptography, but that’s only a small part of cybersecurity. Schneier has little expertise in firewalls, sysadmin, coding, pen-testing, and other important areas of cybersecurity. Cybersecurity is a big field -- nobody knows it all, and nobody is a 100% cybersecurity expert. His fame rests not on his expertise but his populism: people like what he says about evil corporations like Microsoft and the evil NSA.

Schneier’s speculation in this case is an example of his populism. His comment is based on his ignorance, not his expertise. He doesn't even claim that he has evidence for his assertion. Anybody with experience in such matters would know how Alexander can command that much money without divulging national secrets.

Alexander’s primary value is his rolodex: he’s got personal relationships up and down the intelligence community. By “up” I mean Alexander knows leaders. When he’s got something to sell, he can just call them directly, and they will trust him. By “down” I mean he knows the capability of people who have worked for him in the past, people he can pull together in an organization in order to create something to sell. He knows who wrote Stuxnet, he knows who has carried out TAO operations.

Because of his rolodex, Alexander is going to earn tens of millions of dollars over the next several years. I say “next several years” because his rolodex ages quickly. Personal relationships fade, people retire or move on. He’s like a young starlet whose beauty is fading fast. In the meantime, if you want lunch with Alexander, then it's going to cost you $5,000, because that's what his time is worth right now.

It’s hard to know exactly how Alexander might exploit his rolodex. One way would be to just go to work for an existing defense contractor like Booz-Allen. Another is to become a lobbyist, peddling influence. Another way is to start his own consulting company. Investors will line up to invest in such a company, so the funding wouldn’t be hard. From the rumors, that’s apparently what he’s done.

If he’s building his own consulting company, then it’s going to be a team of people that he sells. Alexander is a team leader, not an individual actor. Sure, he's probably absorbed a lot of technical knowledge, but when push comes to shove, he's going to need to refer to a member of his team on a subtle point. That $600,000 is for a team of people accomplishing some goal – it’s stupid to imagine it was just for him.

Alexander isn’t responding to this character assassination for two reasons. One of which is that the “journalists” involved are so obviously writing hit pieces that he knows they won't treat his comments fairly. The second is that his PR people want him to have a low profile in the press until he’s ready to make a splash announcing his new company.

Keith Alexander is a (former) General of the United States military. Honor and duty are drilled into him. Generals like him do not divulge secrets – at least, that’s been the track record of generals in the past. It takes someone of profound ignorance (i.e. Schneier) to imagine that such a thing could be remotely likely.

Update: Trevor Timm (@trevortimm) conclusively points out that the above paragraph is wrong, that Generals do leak national secrets, such as in this probe of Stuxnet, and Bob Woodward's book Obama's Wars. Those examples are all of leaks of a political nature -- which I know happen a lot. I don't know of commercial leaks. I know a lot of former officers that could profit from selling confidential info (and get away with it), but who don't, because of that whole "honor and patriotism" thing.

I’m not sticking up for Alexander here. His prevarications in the Snowden Affair mark him as a bit of a douchebag. His tenure of 8 years as chief of the NSA (and Cyber Command) mark him as a corrupt tyrant. I’m betting he’ll get drawn into influence peddling and lobbying, even if he’s trying to create a non-Washington technical company.

I’m just trying to point out that these stories are bunk, and that apparently, none of you care about the truth or fairness of these stories, because you enjoy seeing a great man being taken down.

Update: People have criticized calling him a "great man". I'm quoting the Harry Potter movie here, people, where the guy who sells Harry's wand points out that Voldemort was a great wizard, a great and terrible wizard. Gen. Alexander revamped cyber in the NSA and the military in his 8 years. For good or bad, it's still a "great" (huge) accomplishment.


Richard Steven Hack said...

"Schneier has little expertise in firewalls, sysadmin, coding, pen-testing, and other important areas of cybersecurity."

And a lot of people who have extensive experience in all those areas still don't know SQUAT about "SECURITY"...which Schneier DOES know pretty well. Certainly more than Keith Alexander...

Amir said...

I just don't think it's wise for you to disrespect Schneier. You're literally a nobody. He's one of the few people out there who truly understands and cares about security... "Cyber Pundit"??? have u seriously lost your mind???
