When Mandiant came out with the APT1 report the world was split into two camps. In the first camp was a group of people who were happy to have more information on the bad guys entering their networks and doing bad stuff even if they were never targeted. In general most people reading the Mandiant report were not affected, nor were there any claims by Mandiant that those people would be affected, but there was a second group.
The second group knew they were being affected by APT1 and specifically targeted, so they already had a pretty good idea of the threat actors. They already had a pretty good idea of who was attacking them and how, because they could see it in their system logs. That information might have been classified, so they didn't discuss it in the open. That is the fundamental nature of classified data in information security. When you are defending you are interacting with the bad guy, but maybe you can't talk about it. Merely mentioning an IP or indicator of compromise might be giving away a classified source or method. The Mandiant report allowed a larger community to discuss the problem without worry that classified sources and methods would be disclosed.
Today we are going to talk about Threat Actor Zero (TA0). Yes, this is much like the "patient zero" the medical community uses for the patient with whom a disease outbreak starts. Since 2005 this threat actor has engaged in a social engineering attack against the fundamental structure of the information communication technology plane. To be explicit, the threat actor has used guile, lies, misdirection, and fear to create a rift upon which he could operate. The threat actor is trained in intelligence gathering and counter intelligence practices, represents a national government and is a military officer. Consider that this threat actor has perpetrated a social engineering hack against the entire world for over a decade and you get an idea of how important this discussion becomes. The threat actor cut his teeth on counter terrorism feeding the dungeon at Guantanamo and worked his way to the top of one of the country's most secretive spy agencies. General Keith Alexander (ret.) is Threat Actor Zero.
Why would I be so peeved at a military professional who has served his country for so long? After all, I have worked with and for the military most of my life. Why would I be so peeved at General Alexander specifically? He is a charismatic and very well thought of individual within his command. Why would I call foul on a man profiting in his retirement? General Alexander by all accounts is a highly skilled and very thoughtful person. I get angry when somebody creates a hole in the security of the nation with strategic and operational consequences and then uses the policy vacuum he created to personally profit. I get very angry when a great organization like the NSA is sullied through the wanton abuses of a boss who stumbles around blithely as only arrogance will allow. You can only hide behind the shiny patina of military service and General's stars so long.
I admit there are only allegations at this point of fiduciary excesses, and the partisanship of the allegations is a direct and obvious issue. I admit that I have had no direct interaction with any of the parties involved. Yet, when I read that a four star general is auctioning off his services for a million dollars a month, and perhaps you can get a great deal and they will only be 600 thousand dollars a MONTH. Well. I guess I am more than peeved. Where would companies have gotten the idea that they had so much to fear that they would throw piles of cash at a consultant? Why, from the consultant himself. For over a decade General Alexander has briefed in public, in private, and in various leadership forums that we should be afraid. We should be very afraid. He has led organizations, and his subordinates have gone out into some of these very industries to carry the fear flag. Be afraid.
Let's inject a little reality here. If you are running a large enterprise and have the ability to filter logs and pull security events from your systems, then you can sit there and know that information security is difficult and a constant problem. If you can look at the infrastructure of the Internet and the ICT components of the various infrastructures, you know that there are risks. You likely have experience and understand the impacts that certain attacks can have on your business operations. Your leadership does not have that real world experience. Those sitting in the celebrity zone of information assurance and security are looking with star envy to associate themselves and your organization with a person who supposedly reflects the security of a nation.
General Alexander did not do a lot of interviews, but his talking points over the last decade were pretty consistent:
- The Internet is not secure and was never designed to be secure
- Cybercrime represents real, relevant threats and huge monetary losses
- Companies should be required to fortify against attacks (aka regulation)
- Cyberwar could lead to real war
- The government needs more power to stop bad guys
A United States General has spent the last decade saying all of these risks exist to the corporate enterprise. At the same time he is promoting specific regulatory standards of conduct. On the one hand he says the Internet is not secure, and on the other hand he runs the very agency chartered to secure the ICT infrastructures. If the career ambition was to secure the nation and enhance national security, how does his credibility fare? He was the head of the NSA during two of the nation's largest exfiltrations of information in history. Between what we thought was bad ("Bradley Manning") and the now infamous and really horrendous exfiltration by Edward Snowden, national security was tragically compromised. We have a leader who failed at his fundamental mission within his supposed area of consultant expertise. The repercussion of having lost containment on the information snatched by Edward Snowden is still working its way through the political process.
So, as a consultant, what does somebody who absolutely failed to secure the very assets that his agency was the supposedly expert entity to secure offer that is worth a million dollars a month? After all, this former general officer had not one but two abysmal failures, eroded trust in the executive branch, and the purported loss of information was fundamental to the security of the nation. These breaches would reflect the absolute worst disclosures (in volume and content) in history, according to James Clapper, the Director of National Intelligence. As a corporation, are you going to spend millions of dollars on a consultant who headed up an organization that had the worst information breach in the history of the United States?
I understand that holding General Alexander accountable for Bradley Manning is a wobbly stool for logic to sit upon. Though it was his agency and his subordinates charged with the protection of the information and the investigation afterwards. Holding a leader accountable for all of their subordinates' actions and evaluating them on their command culture seems difficult at best. Except we do hold leaders accountable in all of the services and the executive branch, with the exception being the NSA. Numerous Navy leaders have been fired for command failures where the leader had no direct interaction with the subordinate. Senior leaders in the Air Force were fired for a series of command failures. Mission arrogance within a command leadership can have direct influence on all subordinates, which will often be evidenced by mission failure and abysmal behaviors. The issue, in my opinion, comes from a paradigm of "collect, not protect". This paradigm is at direct odds with the corporate working world, where operational requirements (the use of information to profit) are the driving force and protecting information is a requirement of regulation.
As a direct example of command influence, and an example of credibility regarding General Alexander, I offer the "crisis in hiring hackers" talking point he trots out. The concept that the NSA or any government agency has a crisis in hiring information security professionals as a supply and demand problem is ludicrous. You have General Alexander stating that there is a problem, yet the government itself is not quite so sure the problem is a supply issue. If the hiring issue is actually a broken human resources pipeline or an issue with the people you have on hand, then that is a leadership issue. If you as a leader have a human resources process where you can put your hands on all of the people involved and you are unable to fix that program, then you should not be allowed anywhere near my billion dollar information infrastructure, where things are quite a bit more complex. Comparing the human resources process and legislation issues to the information security and legal issues may seem ludicrous. It likely is ludicrous. In the sense that if you cannot handle the simplistic issues of human resources, you should not be allowed anywhere near a complex information enterprise.
What are you going to get for your dollars from a consultant who ran one of the most secretive spy agencies on the planet? Though the partisanship is fairly obvious, General Alexander has been warned by Congress not to disclose classified information in his consulting, and a congressman is asking some pretty pointed questions. That is the final crux of the problem. If what Manning and Snowden did was so catastrophic and wrong (in my opinion they are both traitors and should be hanged), then what allows General Alexander to do the same thing? Just like the people who had access to classified information about APT1 could take no action to secure their unclassified networks and could not discuss the relevant details of the impacts, General Alexander will have little he should be able to discuss. His mere concerns about information activities and his choices of source material as context provide a significant and relevant leakage of what is likely information based on classified sources and methods. His choice in computer or smart phone might be considered leaking a preference based on sources and methods that are classified.
There are principles of information leakage that most people in the information security practice recognize as side-channel attacks, and the correlation (or aggregation) of information to illuminate information hidden from others. Each reported statement by General Alexander was closely vetted while he was Director of the NSA. Every briefing he gave was evaluated for both the political baggage and the perceived level of information leakage inherent in his statements. If General, now consultant, Keith Alexander walks into a room and states that he has concerns about the provenance of an information asset, it can only be ascertained that the information is based upon his classified knowledge. This is a swarming thicket of bees ready to sting at every corner. One that every former highly placed intelligence official has had to deal with, and why most used to retire to simple lives of leisure.
There is a new unit of measurement known as the General Alexander Unit, or to explicate that measurement, one GMU is equal to one million dollars. I hope that the consultancy and the big dollars are all a large joke. To be honest, I am less concerned with the dollar amount than I am with the profiting from creating a culture of fear, uncertainty, and doubt. If you took it upon yourself to create a rampant level of fear while hiding behind the umbrella of "evidence is classified", then to see that person profit makes it look like they abused their position, abused the trust of the people, and sullied the uniform and agency. Perhaps this is all a big misunderstanding, but right now all of General Alexander's past and current motives are reasonably suspect.
Ladies and gentlemen of the Internet, may I please introduce you to General Keith Alexander (ret.), now known as Threat Actor Zero (TA0).
Special note: If you are working at the NSA, my hat is off to you and I hope you don't take too much offense. And, if you get the joke of TA0, I hope you have a good laugh.